Analysis Date: 2015-05-17 17:23:20
MD5: d83cbe9a24b7fc802d7e10a2ddaa0492
SHA1: b4962958f8845b79f117c2993136731b87ea0b0b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: a3f03f409fe6fc88d4c86a542f11e9b5 sha1: 3e3496a1774b3f57625b6fadf6271e7bdd5db60b size: 4096
Section .data md5: 5bc1f72812d7de79f22fcfe3ba6fe513 sha1: 3165b846751f7a57f102816bfb603fe09b2b147b size: 2560
Section .rsrc md5: c3a490070f55a88893bc3411ee8e6319 sha1: 9109c70e0c41d374376e7fe93486f0fd21e5145f size: 9728
Timestamp: 2012-08-22 08:33:57
Packer: Microsoft Visual C++ v6.0
PEhash: 11a0f30db4be14079323b09c4e3b641a1079e6b0
IMPhash: 1daa496caaaddcfabb11d00256706dda

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\viewpdf_update.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\viewpdf_update.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\viewpdf_update.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: swasticpathik.com
Winsock DNS: 2wayview.com

Network Details:

DNS: swasticpathik.com
Type: A
209.99.40.225
DNS: 2wayview.com
Type: A
184.172.57.26
HTTP GET: http://swasticpathik.com/wp-content/uploads/2014/02/17UKp.txt
User-Agent: Updates downloader
HTTP GET: http://2wayview.com/images/logos/17UKp.txt
User-Agent: Updates downloader
HTTP GET: http://swasticpathik.com/wp-content/uploads/2014/02/17UKp.txt
User-Agent: Updates downloader
HTTP GET: http://2wayview.com/images/logos/17UKp.txt
User-Agent: Updates downloader
Flows TCP: 192.168.1.1:1031 ➝ 209.99.40.225:80
Flows TCP: 192.168.1.1:1032 ➝ 184.172.57.26:80
Flows TCP: 192.168.1.1:1033 ➝ 209.99.40.225:80
Flows TCP: 192.168.1.1:1034 ➝ 184.172.57.26:80

Raw Pcap
0x00000000 (00000)   47455420 2f77702d 636f6e74 656e742f   GET /wp-content/
0x00000010 (00016)   75706c6f 6164732f 32303134 2f30322f   uploads/2014/02/
0x00000020 (00032)   3137554b 702e7478 74204854 54502f31   17UKp.txt HTTP/1
0x00000030 (00048)   2e310d0a 41636365 70743a20 74657874   .1..Accept: text
0x00000040 (00064)   2f2a2c20 6170706c 69636174 696f6e2f   /*, application/
0x00000050 (00080)   2a0d0a55 7365722d 4167656e 743a2055   *..User-Agent: U
0x00000060 (00096)   70646174 65732064 6f776e6c 6f616465   pdates downloade
0x00000070 (00112)   720d0a48 6f73743a 20737761 73746963   r..Host: swastic
0x00000080 (00128)   70617468 696b2e63 6f6d0d0a 43616368   pathik.com..Cach
0x00000090 (00144)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x000000a0 (00160)   6368650d 0a0d0a                       che....

0x00000000 (00000)   47455420 2f77702d 636f6e74 656e742f   GET /wp-content/
0x00000010 (00016)   75706c6f 6164732f 32303134 2f30322f   uploads/2014/02/
0x00000020 (00032)   3137554b 702e7478 74204854 54502f31   17UKp.txt HTTP/1
0x00000030 (00048)   2e310d0a 41636365 70743a20 74657874   .1..Accept: text
0x00000040 (00064)   2f2a2c20 6170706c 69636174 696f6e2f   /*, application/
0x00000050 (00080)   2a0d0a55 7365722d 4167656e 743a2055   *..User-Agent: U
0x00000060 (00096)   70646174 65732064 6f776e6c 6f616465   pdates downloade
0x00000070 (00112)   720d0a48 6f73743a 20737761 73746963   r..Host: swastic
0x00000080 (00128)   70617468 696b2e63 6f6d0d0a 43616368   pathik.com..Cach
0x00000090 (00144)   652d436f 6e74726f 6c3a206e 6f2d6361   e-Control: no-ca
0x000000a0 (00160)   6368650d 0a0d0a                       che....

0x00000000 (00000)   47455420 2f696d61 6765732f 6c6f676f   GET /images/logo
0x00000010 (00016)   732f3137 554b702e 74787420 48545450   s/17UKp.txt HTTP
0x00000020 (00032)   2f312e31 0d0a4163 63657074 3a207465   /1.1..Accept: te
0x00000030 (00048)   78742f2a 2c206170 706c6963 6174696f   xt/*, applicatio
0x00000040 (00064)   6e2f2a0d 0a557365 722d4167 656e743a   n/*..User-Agent:
0x00000050 (00080)   20557064 61746573 20646f77 6e6c6f61    Updates downloa
0x00000060 (00096)   6465720d 0a486f73 743a2032 77617976   der..Host: 2wayv
0x00000070 (00112)   6965772e 636f6d0d 0a436163 68652d43   iew.com..Cache-C
0x00000080 (00128)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000090 (00144)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696d61 6765732f 6c6f676f   GET /images/logo
0x00000010 (00016)   732f3137 554b702e 74787420 48545450   s/17UKp.txt HTTP
0x00000020 (00032)   2f312e31 0d0a4163 63657074 3a207465   /1.1..Accept: te
0x00000030 (00048)   78742f2a 2c206170 706c6963 6174696f   xt/*, applicatio
0x00000040 (00064)   6e2f2a0d 0a557365 722d4167 656e743a   n/*..User-Agent:
0x00000050 (00080)   20557064 61746573 20646f77 6e6c6f61    Updates downloa
0x00000060 (00096)   6465720d 0a486f73 743a2032 77617976   der..Host: 2wayv
0x00000070 (00112)   6965772e 636f6d0d 0a436163 68652d43   iew.com..Cache-C
0x00000080 (00128)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000090 (00144)   0d0a0d0a                              ....


Strings
C:\00oDabj9.exe
C:\0b46eef1b8af30b4af048647dd977858ff0346e373fe564f005c9a90de1d72c8
C:\0fa677a52e83c90525ef7676c1f394c54824c7c8816c9b5e2743fce86aba8b52
C:\0JObhkiL.exe
C:\0qhR8suG.exe
C:\1fb3fbf12042f35cd5acc27c79776a0692c53e4af090a2d26d62fff96d5070b6
C:\1ZtrzDLl.exe
C:\3232213c58144332ce107fa59ed61992d9ed4616537532fc928941a6f6b20c16
C:\32mvheZ4.exe
C:\387b7e839e0b7bd3f934bca8b37d4d2c6cf44b5982f4731f8461467a6f8b0219
C:\3ce7f41007cb47dffa7141efe8a271e6c136e189d58e3590d2d51984bb2d5cbb
C:\4ilO8W7a.exe
C:\538b78255b610d12628701b03679a6dfb399f8484f764d1b4bdd850a344a1192
C:\56d3d21c32a04a71fdacd773b7ea5f3f3fdeafc9a08ff4a28c9fe81b5b7e16d6
C:\78d4bbdeaced87d2ced48b8113517e910288512822cbb6b8f587add754c88b8f
C:\88ee65ac19ef339c9820056c41a425a70f406809f4553e919db737881a41211e
C:\8kRK_WwA.exe
c:\a86326f99e5e0a8d30a297c7799de87a.exe
C:\af63742c866c539f697bcfefa047a030f61294d52c072ad2b5e7f8419598523b
C:\bea5ca0d71f5c959b07856490466b06e2d1ec4e5916c8f6886870472c4f9ffae
C:\DOCUME~1\cuckoo\LOCALS~1\Temp\e6467ca83e184dc1f4011b20b21e82b7b38d69c0
C:\EUyIDZKF.exe
C:\fb701267c1c164ab6127695375471b69722ba9227daed00543e7290d766fc66f
C:\fm2EPvV2.exe
C:\Fy3BQJui.exe
C:\I2iXmteI.exe
C:\IgPqs4Ml.exe
C:\JOAxIUKD.exe
C:\K0X9dHfo.exe
C:\KjfFB7jW.exe
C:\kqfTXRrD.exe
C:\kU0sLTdZ.exe
C:\LGmRYf7Z.exe
C:\MrzeYs99.exe
C:\nGxGgGkQ.exe
C:\nn37Skom.exe
C:\qACTnJxH.exe
C:\qvmILWgX.exe
C:\rYQq6sSK.exe
C:\RzcHnL2f.exe
C:\Sxp6OqTu.exe
C:\tBcuwoAm.exe
C:\ThigRxHy.exe
C:\Udolp8Ju.exe
C:\Users\accounts\AppData\Local\Temp\Temp1_Invoice_2084840.zip\Invoice_02172014.exe
C:\v742tFuo.exe
C:\vS950RGt.exe
C:\W3BQKjPl.exe
C:\WapCQTqL.exe
c:\work\578445\eb105da7c98d345332cb1d90f865bb4c.exe
C:\wzr0ycAl.exe
C:\WZSyhRY4.exe
C:\xMwbL0tu.exe
C:\ZqYfXL7X.exe
MS Sans Serif
Push to exit
Wolmo
"""""""
"""#"""
""$"$""
&0 :B6<1$3=
2<21!:/+7
$4<? *
;45>) 
&4	8(6
5D8-B7,E$=
(	 ,'7
7?8	)0"
=8/B-#A"8
.-A2"3B
?A,2"D0=
_acmdln
_adjust_fdiv
AWVAf9
B9,=10
"""BB""
""$BD""
@	!*$C
ClientToScreen
CloseHandle
_controlfp
CreateFileW
`.data
"""DB""
DialogBoxIndirectParamW
%D(\>j
(;E/3#@ 
E<;E@!
EndDialog
_except_handler3
GetDialogBaseUnits
GetDlgItem
GetFileSize
__getmainargs
GetModuleHandleA
GetStartupInfoA
_initterm
KERNEL32.dll
KXG[O_
MessageBoxW
MSVCRT.dll
__p__commode
__p__fmode
SendMessageW
__set_app_type
__setusermatherr
!This program cannot be run in DOS mode.
USER32.dll
uu u@u
@@u%%uu%uu
wsprintfW
_XcptFilter