Analysis Date: 2015-01-06 11:30:40
MD5: 1d5f1f0cbc04ded9d5c80473a2b9fd1c
SHA1: b574835f745a3c36135124c2ed03de7d25ab655a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: edf99746478ec4f22d3f839540b0378e  sha1: 6579bdabbcefb92499f5f3bdae72d024a0a907c6  size: 24064
Section .rdata md5: e1b381c03cad2ee5a1d8b8d88a277d84  sha1: c21648f1e6265be80abc949953b2cdeca76832bc  size: 5120
Section .data  md5: 72224490b487b215a4fcfaa7237504f6  sha1: d920a0be03a5735543506cd69d318e8f1a629453  size: 1024
Section .ndata md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0
Section .rsrc  md5: 8aa15482db3ec2adfc4f0a1729de5bd9  sha1: 1d8de4da37031a25ee2a8e8320550c5c8477633e  size: 179200
Timestamp: 2009-06-18 21:33:32
Packer: Nullsoft PiMP Stub -> SFX
PEhash: 94d1855221e73abf30e06c77f5465cdc7cf05198
IMPhash: 7fa974366048f9c551ef45714595665e
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKD.1920325
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.GenericKD.1920325
AV Authentium: W32/Trojan.GTZD-9233
AV Avira (antivir): no_virus
AV BullGuard: Trojan.GenericKD.1920325
AV CA (E-Trust Ino): Win32/ASuspect.HHDYL!genus
AV CAT (quickheal): Downloader.NSIS.r5 (Not a Virus)
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.GenericKD.1920325
AV Eset (nod32): NSIS/TrojanDownloader.Chindo.E
AV Fortinet: W32/Chindo.B!tr.dldr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.1920325
AV Grisoft (avg): no_virus
AV Ikarus: no_virus
AV K7: Trojan-Downloader ( 004af0161 )
AV Kaspersky: Downloader.NSIS.Feasu.s:HEUR:Downloader.NSIS.Feasu.heur
AV MalwareBytes: no_virus
AV Mcafee: RDN/Downloader.a!tn
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Trojan.GenericKD.1920325
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: setup_001.exe
Creates File: BaiduPlayerNetSetup_472.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa2.tmp\3.ico
Creates File: IQIYIsetup_l_spl004@kb010.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa2.tmp\System.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: ins1256858.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa2.tmp\nsProcess.dll
Creates File: PIPE\wkssvc
Creates File: 2345Explorer_329242_silence.exe
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: G30769_s_0529.exe
Creates File: \Device\Afd\Endpoint
Creates File: 9377mycs_Y_mgaz2_01.exe
Creates File: G0828_s_70988.exe
Creates File: setup_3386.exe
Creates File: WanDouJia_runk4_kb.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa2.tmp\Inetc.dll
Creates File: PIPE\srvsvc
Creates File: SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.exe
Creates File: Browser_V3.0.1167.3_r_4279_(Build14091614).exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa2.tmp\i.rar
Creates File: BaiduBrowserOnlineSetupSilent-494-ftn_30000046.exe
Creates File: QQBrowser_Setup_Hk_78653.exe
Creates File: C:\Documents and Settings\Administrator\Desktop\Intrenet Explorer.lnk
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa2.tmp\1.ico
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\YinSoft\uninst.lnk
Creates File: C:\Program Files\YinSoft\Uninstall.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa2.tmp
Deletes File: setup_001.exe
Deletes File: BaiduPlayerNetSetup_472.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa2.tmp\3.ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa2.tmp\System.dll
Deletes File: IQIYIsetup_l_spl004@kb010.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsp1.tmp
Deletes File: ins1256858.exe
Deletes File: 2345Explorer_329242_silence.exe
Deletes File: G30769_s_0529.exe
Deletes File: 9377mycs_Y_mgaz2_01.exe
Deletes File: G0828_s_70988.exe
Deletes File: setup_3386.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa2.tmp\Inetc.dll
Deletes File: WanDouJia_runk4_kb.exe
Deletes File: Browser_V3.0.1167.3_r_4279_(Build14091614).exe
Deletes File: SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa2.tmp\i.rar
Deletes File: BaiduBrowserOnlineSetupSilent-494-ftn_30000046.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa2.tmp\1.ico
Deletes File: QQBrowser_Setup_Hk_78653.exe
Creates Process
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: YinSoft
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: int.dpool.sina.com.cn
Winsock DNS: xiazai.9377.com
Winsock DNS: down.yinyue.fm
Winsock DNS: w.x.baidu.com
Winsock DNS: pconline.org.cn

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Process
↳ Pid 0

Network Details:

HTTP GET: http://int.dpool.sina.com.cn/iplookup/iplookup.php (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://down.yinyue.fm/open/setup_3386.exe (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://xiazai.9377.com/20140928/9377mycs_Y_mgaz2_01.exe (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://w.x.baidu.com/go/full/2/30769 (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://w.x.baidu.com/go/full/1/70988 (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://dl.p2sp.baidu.com/BaiduPlayerContent/BaiduPlayerNetSetup_472.exe (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://dldir1.qq.com/invc/tt/QQBrowser_Setup_Hk_78653.exe (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://g.quwen320.com/d/ins1256858.exe (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://down2.uc.cn/pcbrowser/down.php?pid=4279 (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://soft.lvbaoranshiye.com/SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.rar (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://w.x.baidu.com/go/mini/8/30000046 (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://dl.static.iqiyi.com/hz/IQIYIsetup_l_spl004@kb010.exe (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://download.2345.cn/silence/2345Explorer_329242_silence.exe (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://dl.wandoujia.com/files/inst/WanDouJia_runk4_kb.exe (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://s.lllsoo.com/click/66947 (User-Agent: NSIS_Inetc (Mozilla))
