Analysis Date: 2014-01-07 12:04:57
MD5: 67adf9e68b98cc78b74132eabcc988c1
SHA1: ba110b291c9cd9e836a22c82f5caf4d8f7961c59

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 954e916374c5acf757b4c4f0b25f48c9 sha1: 5e3fe9289c0794f548baa8fb417dec75d71be723 size: 74240
Timestamp: 2002-02-10 13:15:37
Packer: Safeguard 1.03 -> Simonzh
PEhash: a651c2d43e1036aeef3d504441b005e1fe1c9cc2
AV avg: Win32/Sality.dropper
AV clamav: Trojan.Agent-168681
AV avira: W32/Sality.AT
AV msse: Virus:Win32/Sality.AT

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Aasppapmmxkvs\A1_0 ➝ 3299283285
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝ C:\malware.exe:*:Enabled:ipsec
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Aasppapmmxkvs\-993627007\1768776769 ➝ 136
Creates File: C:\TEMP\FILES\monitor.exe
Creates File: C:\TEMP\FILES\malware.exe
Creates File: C:\WINDOWS\SYSTEM.INI
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\winoelih.exe
Creates File: PIPE\SfcApi
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: PIPE\wkssvc
Creates File: C:\TEMP\FILES\AcroRd32.exe
Creates File: PIPE\lsarpc
Creates File: C:\TEMP\monitor.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\winoelih.exe
Creates Mutex: uxJLpe1m
Creates Mutex: explorer.exeM_348_
Creates Mutex: services.exeM_616_
Creates Mutex: reader_sl.exeM_976_
Creates Mutex: malware.exeM_1436_
Creates Mutex: svchost.exeM_1160_
Creates Mutex: Ap1mutx7
Creates Mutex: lsass.exeM_628_
Creates Mutex: svchost.exeM_808_
Creates Mutex: alg.exeM_1856_
Creates Mutex: svchost.exeM_1168_
Creates Mutex: spoolsv.exeM_1300_
Creates Mutex: monitor.exeM_1208_
Creates Mutex: csrss.exeM_548_
Creates Mutex: svchost.exeM_1112_
Creates Mutex: userinit.exeM_256_
Creates Mutex: svchost.exeM_852_
Creates Mutex: smss.exeM_500_
Creates Mutex: winlogon.exeM_572_
Creates Mutex: svchost.exeM_1020_

Process
↳ C:\WINDOWS\system32\userinit.exe

Creates Mutex: uxJLpe1m
Creates Mutex: userinit.exeM_256_

Process
↳ C:\WINDOWS\Explorer.EXE

Creates Mutex: uxJLpe1m
Creates Mutex: explorer.exeM_348_

Process
↳ C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Creates Mutex: uxJLpe1m
Creates Mutex: reader_sl.exeM_976_

Network Details:

Flows TCP: 192.168.1.1:1042 ➝ 108.162.199.18:80
Flows TCP: 192.168.1.1:1044 ➝ 85.233.160.22:80
Flows TCP: 192.168.1.1:1053 ➝ 157.7.160.37:80
Flows TCP: 192.168.1.1:1052 ➝ 108.162.195.157:80
Flows TCP: 192.168.1.1:1054 ➝ 74.119.145.130:80
Flows TCP: 192.168.1.1:1055 ➝ 208.80.11.144:80
Flows TCP: 192.168.1.1:1056 ➝ 67.192.235.61:80
Flows TCP: 192.168.1.1:1057 ➝ 210.172.144.247:80
Flows TCP: 192.168.1.1:1063 ➝ 50.62.125.1:80
Flows TCP: 192.168.1.1:1043 ➝ 184.168.233.1:80
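Triage note (added here; not part of the sandbox output). The runtime section above is the interesting part of this report: the sample clears EnableLUA (UAC), sets AntiVirusOverride under Security Center, clears EnableFirewall, adds its own path to the firewall's AuthorizedApplications list, changes Explorer's Hidden setting, writes under an HKCU\Software\Aasppapmmxkvs key, drops and then deletes a temp binary, creates one mutex named <process>M_<pid>_ for every running process, and the same uxJLpe1m mutex is then seen under userinit.exe, Explorer.EXE and reader_sl.exe, consistent with the sample running code inside those processes. The script below is an added example of turning a report in this layout into triage findings; it is my code, not the sandbox's or any vendor's. REPORT is a constructed excerpt of this page's lines, and the DEFENSE_TAMPERING table is an assumed triage policy (which registry writes count as disabling host defences), not something the report itself states.

```python
"""Triage helper for sandbox reports in the 'Label: value' layout used on this page.

Added example; not part of the original report or of any sandbox's own tooling.
REPORT is a constructed excerpt of the lines above. DEFENSE_TAMPERING is an
assumed triage policy chosen by the author of this example.
"""
import re

ARROW = "➝"  # separator the report uses between a key/endpoint and its value

# Constructed excerpt of this page's runtime and network sections (values copied from the page).
REPORT = r"""
Registry: HKEY_CURRENT_USER\Software\Aasppapmmxkvs\A1_0 ➝ 3299283285
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝ C:\malware.exe:*:Enabled:ipsec
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\winoelih.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\winoelih.exe
Creates Mutex: uxJLpe1m
Creates Mutex: explorer.exeM_348_
Creates Mutex: services.exeM_616_
Creates Mutex: Ap1mutx7
Flows TCP: 192.168.1.1:1042 ➝ 108.162.199.18:80
Flows TCP: 192.168.1.1:1044 ➝ 85.233.160.22:80
Flows TCP: 192.168.1.1:1043 ➝ 184.168.233.1:80
"""

LINE_RE = re.compile(r"^(?P<label>[A-Za-z][A-Za-z ]*?):\s*(?P<value>.+)$")
# Per-process marker mutexes of the form <image>.exeM_<pid>_ seen in the report.
MUTEX_RE = re.compile(r"^(?P<proc>[A-Za-z0-9_.-]+\.exe)M_(?P<pid>\d+)_$", re.IGNORECASE)

# Assumed triage policy: case-insensitive key fragments whose modification
# weakens the host's own defences, with the reason to report.
DEFENSE_TAMPERING = {
    r"policies\system\enablelua": "UAC policy value changed or cleared",
    r"security center\antivirusoverride": "Security Center antivirus alerting overridden",
    r"security center\svc\antivirusoverride": "Security Center antivirus alerting overridden",
    r"firewallpolicy\standardprofile\enablefirewall": "Windows Firewall policy value changed or cleared",
    r"firewallpolicy\standardprofile\authorizedapplications\list": "firewall exception added for a binary",
    r"explorer\advanced\hidden": "Explorer hidden-file display setting changed",
}


def parse_report(text):
    """Group 'Label: value' lines by kind; split 'key ➝ value' pairs where the report uses them."""
    records = {"registry": [], "mutexes": [], "flows": [], "files": []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, section headers, anything without a label
        label, value = m.group("label"), m.group("value").strip()
        if label == "Registry":
            key, _, data = value.partition(ARROW)
            records["registry"].append((key.strip(), data.strip()))
        elif label == "Creates Mutex":
            records["mutexes"].append(value)
        elif label == "Flows TCP":
            src, _, dst = value.partition(ARROW)
            records["flows"].append((src.strip(), dst.strip()))
        elif label in ("Creates File", "Deletes File"):
            records["files"].append((label, value))
    return records


def flag_defense_tampering(registry):
    """Return (key, data, reason) for every registry write matching the policy table."""
    hits = []
    for key, data in registry:
        low = key.lower()
        for needle, why in DEFENSE_TAMPERING.items():
            if needle in low:
                hits.append((key, data, why))
                break
    return hits


def injection_markers(mutexes):
    """Recover the (image, pid) list encoded in the per-process marker mutexes."""
    out = []
    for name in mutexes:
        m = MUTEX_RE.match(name)
        if m:
            out.append((m.group("proc").lower(), int(m.group("pid"))))
    return out


def remote_endpoints(flows):
    """Distinct destination IPs contacted, without ports, sorted for diffing against other reports."""
    return sorted({dst.rsplit(":", 1)[0] for _, dst in flows})


def dropped_then_deleted(files):
    """Paths both created and deleted during the run: staged payloads the sample cleaned up."""
    created = {p for label, p in files if label == "Creates File"}
    deleted = {p for label, p in files if label == "Deletes File"}
    return sorted(created & deleted)


def triage(text):
    """One-call summary of the findings a triager wants from a report in this layout."""
    recs = parse_report(text)
    return {
        "defense_tampering": flag_defense_tampering(recs["registry"]),
        "process_markers": injection_markers(recs["mutexes"]),
        "remote_hosts": remote_endpoints(recs["flows"]),
        "staged_and_removed": dropped_then_deleted(recs["files"]),
    }


if __name__ == "__main__":
    for section, items in triage(REPORT).items():
        print(section)
        for item in items:
            print("   ", item)
```

Run as-is, the script reports five defence-tampering registry writes (the Aasppapmmxkvs key is not one of them), the explorer.exe/services.exe marker mutexes with their PIDs, the three destination hosts from the excerpt, and the winoelih.exe temp binary that was created and then deleted. Feed it the full runtime section of the report and the marker list becomes the complete process list the sample walked.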

Strings
Caption
Hello world!
%(| '~
08d58i
*0?,IN	
1AO8B>
,1r8%D
'2wE&{
3yP@X=
3&Z<^!
*4`{4P
4et3?;
4]R7rR|
`	~524v
^-59n=
5Vq=YM
?6[5)kOK
6?6s02
[6&+d[
6fUI>oI
!6'oP1
6<uxiO
72tB&*
7hh+{'
82h+5n
*8 5@1
{8ChRa
8>=dr 
8 h4Y(
8_q/,yJ
8z&lw	
!9N>G<
^9ta',
=9xE_u
9ZSI/:
a9@%mS
a_Drkq
A^necJ
	<@A!|X
`#&be}$
BF&.u!
BJUwzo
BLlI*7
(BUW+j
C!c%38
c	dSALh|
C*KaKX
<*cm8fa
%Cp|-b
CPPe)u?J<
Cp^}w.^F
cXGxtG
"d>}cX
dl}[5,_[
D!Ln}0
^`dlY*
D=sh,q
dT%>r Gy
)]dyUh
E)")a2
EEu&So
Eg' b6
EI3-S4
e@^ ~J
&eQ	Auf!:
ExitProcess
Ey81G:k
eZ'TPM
fAo/P|v
:Fe+bG~
,FhM=v
fI.WJ	
G+j]8E
g$k-E|
GNiQSwv
G-oO58
gx*.kH
h2.0-.
.{@H27
}/?HgJT
h`gU?[3
H	{qHb
	!H]'r
hW>OC4
ib\3($f
'\Ic*V
iF~G|y
iK6sA~
I!Q\}D
I?>rC!
IYp#5[k
@j?-\9&a
  jBtl
JH3`*f
jHop}LS
j	#xRLr
j%YhZ\u
^\k4;!
K4%]Bg
KERNEL32.dll
 KJeFQ
?kun@\| -
>?l:5I0
L]F)YN
=lR?M 
LV P05luey
L?x@8	
MessageBoxW
ML=k}|
\MP&LU
MsexQ 	
MV{wfPDp9
~-mwRzF
_ _n\9
-nJzA;H5
N\p]'8
nPyuZp
nuI \5
NU/zd?
NW1AzX$
]OD#k&G
oPFL9H
Or^{jO
?OV}vU
=p+5u[
~Pe/Q$
p@|@f=
pmOaF2m
p$xY!r
p#zs*ux
**`Q3A%@{
q]B@C@0
Q"DPuVU
Q/e2e'%
q\l7l[`C
qR4ErG`
Qw"h'kQD
rlF,4W
RpnaCa
RTNlET
rVR #nf;M
 R/;z]
s|8GS$)
sBD[8+qh
si.r(Y
}snb$H
S&Sj:WZ
<TB7zXMW2
tTm7UG<
tW3KP2
,(tX/xk
txYlkg1
u7V`y$
UAfGv6
UBhx5*
USER32.dll
VHPW@`
vitx )S
V`sQi`
vu1 ~M
vV/\ME
:@]VwXq?
>w0{a\Y
Wf{KsW
;<w@jV
|$ Wk"*D>
w<o[00
|w_@V(
wvMur"V-
:W ,XJ6D
Xi;Y8t
xR[S^!
	XsdCZ|@_:
y0KlOR
y5GDTY
y7uCVR
;Yj1j`
yrf<[LordPE]
Yt}aCi
z5y v?
zmh#k-
z }~W@
ZXt=Gt