Analysis Date: 2013-11-29 21:19:58
MD5: 441abe0f31ecd32c88b5ee744fbeb39a
SHA1: b8425314897bd7b1f91995dc6f591bcfb03d6900

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 052a91f0756b9ae15faf33e34fd4f394 sha1: c99e2e97473006e4bab8c01aac84e50808a63b92 size: 28672
Section .rdata: md5: 97c206e473f15bbc44c541cdd9235823 sha1: bdd8fa4988c52f29a5c63a64a83a87e6e1f00081 size: 180224
Section .data: md5: 618d37821a0241dd8cb08442403d66a1 sha1: 66e5f47a3f6ee9568be33d83c4367e0d9eeba0f5 size: 4096
Section .rsrc: md5: 7dc4661aadd493fc99b2ffa0890bd2ac sha1: deeb789d9ad3c53bd875b48dc660f9a0c143efc3 size: 49152
Timestamp: 2013-01-10 08:22:10
Packer: Microsoft Visual C++ ?.?
PEhash: 5713bacdb2dc76538b4d5ff6376880af07b1632f
AV (avg): BackDoor.Generic16.CBVQ
AV (msse): Backdoor:Win32/Plugx.A

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\CLASSES\FAST\CLSID ➝ NULL
Creates File: C:\Documents and Settings\All Users\Gtf\NvSmart.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\All Users\Gtf\boot.ldr
Creates File: C:\Documents and Settings\All Users\Gtf\NvSmartMax.dll
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: DBWinMutex
Creates Mutex: StartInstall

Process
↳ "C:\Documents and Settings\All Users\Gtf\NvSmart.exe" 100 1340

Creates Service: GtfHttp - C:\Documents and Settings\All Users\Gtf\NvSmart.exe 200 0

Process
↳ C:\Documents and Settings\All Users\Gtf\NvSmart.exe

Creates Process: C:\WINDOWS\system32\svchost.exe 201 0

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates Process

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe 201 0

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: pipe\winlogonrpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\WINDOWS\system32\msiexec.exe 209 220
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: DBWinMutex
Winsock DNS: csrss.drivedown.net
Winsock DNS: dotkang.vicp.net

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\wbem\wmiprvse.exe

Creates File: PIPE\lsarpc
Creates Process: "C:\Documents and Settings\All Users\Gtf\NvSmart.exe" 100 1340

Process
↳ C:\WINDOWS\system32\services.exe

Creates File: pipe\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Debug\UserMode\userenv.log

Process
↳ C:\WINDOWS\system32\msiexec.exe 209 220

Network Details:

DNS: csrss.drivedown.net (Type: A) ➝ 127.0.0.1
DNS: dotkang.vicp.net (Type: A) ➝ 127.0.0.1
Flows: UDP 192.168.1.1:53 ➝ 192.168.1.1:53

Strings