Analysis Date: 2014-08-26 20:18:44
MD5: 77136922f5fda53cb09af264bb08e8a9
SHA1: adc8df34fe731e41098a8d78e7646b7a50e4ea67

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 911892ec5c31a2cb5ff2b9560b512335 sha1: fd5f2758be6e19abc7a872269b953698b1aab4a9 size: 3072
Section .rdata md5: 9f54fed295c5bf23b793d759a4f7f487 sha1: 1c417c12270e375a4af290ba3c37c2463a8fec6b size: 1024
Section .data md5: 1205206d88340b9f0289fd001fabb56c sha1: 93a7347331b6f74d28cae14c7a222b0a42795c8b size: 1536
Section .rsrc md5: c469c905d08f315b63bb9d526991bfd0 sha1: 1c6a8522246a9cee6de04b697ad1c0b3018eb283 size: 66560
Timestamp: 1997-04-19 01:32:32
Version:
LegalCopyright: Copyright (C) 2008
InternalName: sickly
FileVersion: 7,2,4,19
ProductName: sickly Application
ProductVersion: 6,3,4,31
FileDescription: sickly Application
OriginalFilename: sickly.exe
PEhash: d637b5579d71420752db1f372723efa95ec96aaa
IMPhash: cabb308efe69c2b97bdbdd5c98e96b1c

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\fagsazpyweaf ➝ C:\Documents and Settings\Administrator\fagsazpyweaf.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mmnabytek[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mailhost.midwestlabs[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\teamco.com[1].htm
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\peterday.co[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\foundationix[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lovetiles[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\gsprinters[1].htm
Creates File: C:\Documents and Settings\Administrator\fagsazpyweaf.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tokaihorei[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\rbrides[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\daltontokyo[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lovelaceinteriors[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\kwcomputers[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\belleaire[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\higienika[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\dt.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\peterday.co[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lovetiles[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\foundationix[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\gsprinters[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tokaihorei[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\rbrides[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mmnabytek[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lovelaceinteriors[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\daltontokyo[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\kwcomputers[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mailhost.midwestlabs[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\belleaire[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\higienika[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\dt.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\teamco.com[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: fagsazpyweaf
Winsock DNS: lovetiles.com
Winsock DNS: gsprinters.com
Winsock DNS: daltontokyo.com
Winsock DNS: kwcomputers.com
Winsock DNS: teamco.com.tw
Winsock DNS: suno.edu
Winsock DNS: foundationix.org
Winsock DNS: belleaire.org
Winsock DNS: gtsinteriorsupply.com
Winsock DNS: wsdbw.com
Winsock DNS: lovelaceinteriors.com
Winsock DNS: rbrides.com
Winsock DNS: higienika.pl
Winsock DNS: tokaihorei.com
Winsock DNS: dt.com.pl
Winsock DNS: mailhost.midwestlabs.com
Winsock DNS: bigbluetours.com
Winsock DNS: peterday.co.uk
Winsock DNS: fruzel.com
Winsock DNS: mmnabytek.cz
Winsock DNS: fvs-net.co.jp

Network Details:

DNS: smtp.glbdns2.microsoft.com, Type: A ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net, Type: A ➝ 98.138.105.21
DNS: smtp.mail.us.am0.yahoodns.net, Type: A ➝ 63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net, Type: A ➝ 98.139.211.125
DNS: rbrides.com, Type: A ➝ 67.225.202.186
DNS: suno.edu, Type: A ➝ 166.63.13.96
DNS: dt.com.pl, Type: A ➝ 213.189.53.79
DNS: midwestlabs.com, Type: A ➝ 66.37.233.242
DNS: gsprinters.com, Type: A ➝ 50.193.47.120
DNS: lovetiles.com, Type: A ➝ 188.93.236.66
DNS: lovelaceinteriors.com, Type: A ➝ 192.237.224.234
DNS: wsdbw.com, Type: A ➝ 69.67.27.143
DNS: daltontokyo.com, Type: A ➝ 219.94.129.78
DNS: foundationix.org, Type: A ➝ 68.169.73.226
DNS: fruzel.com, Type: A ➝ 98.158.149.28
DNS: kwcomputers.com, Type: A ➝ 64.139.131.167
DNS: gtsinteriorsupply.com, Type: A ➝ 23.229.171.214
DNS: bigbluetours.com, Type: A ➝ 85.10.192.200
DNS: fvs-net.co.jp, Type: A ➝ 157.112.158.27
DNS: teamco.com.tw, Type: A ➝ 60.250.199.64
DNS: higienika.pl, Type: A ➝ 213.239.194.252
DNS: peterday.co.uk, Type: A ➝ 78.129.247.138
DNS: mmnabytek.cz, Type: A ➝ 89.185.239.184
DNS: tokaihorei.com, Type: A ➝ 210.172.144.246
DNS: belleaire.org, Type: A ➝ 67.192.235.57
DNS: smtp.live.com, Type: A
DNS: smtp.mail.yahoo.com, Type: A
DNS: mailhost.midwestlabs.com, Type: A
HTTP POST: http://rbrides.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://daltontokyo.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://foundationix.org/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://kwcomputers.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://lovetiles.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://mailhost.midwestlabs.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://gsprinters.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://dt.com.pl/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://lovelaceinteriors.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://bigbluetours.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://suno.edu/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://wsdbw.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://fruzel.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://gtsinteriorsupply.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://fvs-net.co.jp/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://teamco.com.tw/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://higienika.pl/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://peterday.co.uk/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://mmnabytek.cz/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://tokaihorei.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://belleaire.org/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.138.105.21:25
Flows TCP: 192.168.1.1:1034 ➝ 67.225.202.186:80
Flows TCP: 192.168.1.1:1038 ➝ 219.94.129.78:80
Flows TCP: 192.168.1.1:1040 ➝ 68.169.73.226:80
Flows TCP: 192.168.1.1:1041 ➝ 64.139.131.167:80
Flows TCP: 192.168.1.1:1043 ➝ 188.93.236.66:80
Flows TCP: 192.168.1.1:1044 ➝ 66.37.233.242:80
Flows TCP: 192.168.1.1:1046 ➝ 50.193.47.120:80
Flows TCP: 192.168.1.1:1045 ➝ 213.189.53.79:80
Flows TCP: 192.168.1.1:1047 ➝ 192.237.224.234:80
Flows TCP: 192.168.1.1:1048 ➝ 85.10.192.200:80
Flows TCP: 192.168.1.1:1049 ➝ 166.63.13.96:80
Flows TCP: 192.168.1.1:1050 ➝ 69.67.27.143:80
Flows TCP: 192.168.1.1:1051 ➝ 98.158.149.28:80
Flows TCP: 192.168.1.1:1052 ➝ 23.229.171.214:80
Flows TCP: 192.168.1.1:1053 ➝ 157.112.158.27:80
Flows TCP: 192.168.1.1:1054 ➝ 60.250.199.64:80
Flows TCP: 192.168.1.1:1055 ➝ 213.239.194.252:80
Flows TCP: 192.168.1.1:1056 ➝ 78.129.247.138:80
Flows TCP: 192.168.1.1:1057 ➝ 89.185.239.184:80
Flows TCP: 192.168.1.1:1058 ➝ 210.172.144.246:80
Flows TCP: 192.168.1.1:1059 ➝ 67.192.235.57:80

Strings