Analysis Date: 2014-02-10 10:41:37
MD5: 22a4e49c32c81052f5ddf615a1f9aba5
SHA1: bae1fcafea42f7eb3f7abbe91aba8922fbc670f3
(These hashes are of the UPX-packed file as submitted; the unpacked payload hashes differently, so any hash-based matching against a memory dump or unpacked copy needs the unpacked artefact's hashes, which this report does not include.)

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 — md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (an empty section: these are the MD5/SHA1 of zero bytes; UPX0 is where the unpacked code is written at runtime)
Section UPX1 — md5: e311720f746d90918404cb57630fd24d sha1: d13411e8f4018c88b4a955037399b86ea5840af2 size: 177664 (the compressed payload)
Section .rsrc — md5: 5b4c3abbdcfae02002406760c7432712 sha1: 8ceea88dae426aec5b1a86aef27c99b9938923a5 size: 512
Timestamp: 2012-04-04 03:32:42 (PE header link time; trivially forgeable, so treat it as a hint rather than evidence of build date)
Packer: UPX -> www.upx.sourceforge.net (the UPX0/UPX1 section names and the minimal import set visible in the Strings section — LoadLibraryA, GetProcAddress, VirtualAlloc/VirtualFree/VirtualProtect, ExitProcess — are the UPX stub; the MSVBVM60.DLL string indicates a Visual Basic 6 payload. Unpack before doing import or string analysis; the packed-file strings below are mostly compression noise.)
PEhash: c8e405e2d686d79a0eae5d14f513ee30b06c1213
AV detections (4 engines shown; all classify the sample as a generic worm/backdoor, with the Microsoft name giving the most specific family assignment):
AV avg: Worm/Generic2.BLRH
AV avira: BDS/Backdoor.Gen
AV mcafee: W32/Generic.worm!p2p
AV msse: Worm:Win32/Ainslot.A

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry persistence — five autorun locations, all pointing at the same dropped copy. The value name "Windows Defender" and the file name scvhast.exe (one letter off from svchost.exe) are masquerading and are usable detection strings:
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{8DBCFBD4-CFAB-FECB-EDCA-BC49FDFABA0A}\StubPath ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\scvhast.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Windows Defender ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\scvhast.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\scvhast.exe
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\INSTALL\DATE\G4Q4ERKBP8 ➝
February 10, 2014\\x00
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\G4Q4ERKBP8 ➝
System Host\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8DBCFBD4-CFAB-FECB-EDCA-BC49FDFABA0A}\StubPath ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\scvhast.exe
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\scvhast.exe
(Notes: the two "VB and VBA Program Settings" values are the key Visual Basic's SaveSetting API writes to, consistent with the MSVBVM60 runtime named in the strings; the sub-key G4Q4ERKBP8 is the same string used as the mutex name further down, so it behaves as a build/campaign identifier and is a good pivot across samples. The "\\x00" is the tool rendering each value's trailing NUL, not part of the data. Active Setup normally executes StubPath only from the HKLM key — the HKCU entry is the per-user "already run" marker — so writing both is likely a mistake by the author that can suppress the HKLM StubPath for this user; the Run/policies\Explorer\run entries are the reliable persistence here. Paths reflect the XP-style sandbox profile; on other hosts expect %TEMP%\scvhast.exe, so write detections against the environment-variable form.)
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\scvhast.exe (the persisted copy that every autorun entry above references)
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\recycle
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
(The \Device\Afd\* handles are Winsock's kernel-side socket objects being opened — socket creation and an asynchronous connect — and line up with the TCP flows in the Network section. Opening PIPE\lsarpc is an LSA RPC call that many benign APIs also make, so it is not an indicator on its own. The purpose of the "recycle" file is not shown in this report.)
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Local Settings\Temp\scvhast.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Local Settings\Temp\scvhast.exe:*:Enabled:Windows Messanger" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f
(Firewall tampering for the XP/2003 Windows Firewall: DoNotAllowExceptions=0 re-enables the exceptions list, and both the original dropper and the %TEMP% copy are added to AuthorizedApplications as "Enabled" under the display name "Windows Messanger" — the misspelling is a reliable detection string. Each command runs through cmd.exe → reg.exe, so a non-installer parent spawning reg.exe with a FirewallPolicy path in its command line is a usable process-creation detection. "C:\\malware.exe" is the sandbox's escaped rendering of C:\malware.exe, the name the sample was submitted under.)
Creates Mutex: G4Q4ERKBP8 (same identifier as the VB and VBA Program Settings sub-key above)

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Creates ProcessREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Local Settings\Temp\scvhast.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Local Settings\Temp\scvhast.exe:*:Enabled:Windows Messanger" /f

Creates ProcessREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Local Settings\Temp\scvhast.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Local Settings\Temp\scvhast.exe:*:Enabled:Windows Messanger" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Local Settings\Temp\scvhast.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Local Settings\Temp\scvhast.exe:*:Enabled:Windows Messanger" /f

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\scvhast.exe ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\scvhast.exe:*:Enabled:Windows Messanger\\x00

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL (the report records NULL for this write, but the reg.exe command line above sets the REG_DWORD to 0, i.e. firewall exceptions allowed; the same record repeats below because the command is issued twice)

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\\malware.exe ➝
C:\\malware.exe:*:Enabled:Windows Messanger\\x00

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates ProcessREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝
NULL

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates ProcessREG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network Details:

DNS: watawciatciat.no-ip.org
Type: A
223.25.106.185
DNS: watawciatciat.no-ip.org (second lookup; no answer recorded in the report)
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 223.25.106.185:3333
Flows TCP: 192.168.1.1:1035 ➝ 223.25.106.185:3333
(The controller is reached through a no-ip.org dynamic-DNS hostname on TCP/3333, and the sample connected twice from successive ephemeral ports, which looks like a reconnect attempt. Because the hostname is dynamic DNS, the IP seen on 2014-02-10 is a point-in-time indicator: pivot and block on the hostname, and treat 223.25.106.185 as possibly reassigned since. The report does not show the application protocol on port 3333.)

Raw Pcap

Strings (dumped from the UPX-packed file, so almost all of this is compressed data and is noise for signature writing. The readable fragments — "This program cannot be run in DOS mode.", KERNEL32.DLL, LoadLibraryA, GetProcAddress, VirtualAlloc/VirtualFree/VirtualProtect, ExitProcess, MSVBVM60.DLL — are the UPX stub and the VB6 runtime import. Partial names such as frmMain, picThumb, tmrLivLogg, Screensho, Socket, DragQuery, SCManPr, _WebHide, _FACEBOOK_START and yGrabb suggest VB form objects and capture-related features, but they are truncated by compression and must be confirmed against the unpacked binary before being reported as capabilities.)
&
@
,O
.r
.
.
.C:T.
f
`.
.
._
&
@
,O
.r
.
.
.C:T.
f
`.
.
._

PERS
SETTINGS
^^ >(>
 )@0@>
004P+Ic/
05mA*XO
' 08lq
<0/_.<9
0cmu<\
0Cx: L<
&]*0DFsAT,
$0DW$p0
0gX H51
)	0#.i.
.?0%mPLa=
 0OtBo
0P$PHD
0SJsam
0sL*#X|ck
^0%/$v4
0WD@f1
1234"p
15dF8F91AEE<A
1 $7J/
1c2->a"6{
./1hgX)
1lT3gF
1pm(&^
1uWjC*
20C<|0d
22A368949C0&9
 |2$5%`
#27I:Ng,9-}
27OnQu
2]	9r0(
2>e%Xdq
32EDE121D9E2
$345RL
\3``h\nT
(3*/i.
3l/A,7!0AC
3.-mohl
 3ug8g
($ 4=-
/#&42|
 447w;
4'4ShwlNo
%&'()*456789:CDEFGHI@m
};4716
47A4B6739316C4F5B5C5*14
4A3r4B`(0
\4cF`%O$
4[cv4=bGa
4H4sg%
4TM83$- 
4Yhf2v
!4yvT")
501E:9~
/5Bc3f
5MV(r\h
,5t)eXj
(+6_ ~
-6/5G"H{
[6ENC^fADClifSt
6n1?e:-VS
6o2&9X
6ss/\4Z
6T&p	 
6V2Ziz<
7033413A6
72w2\r
7@68A_
774NE55*237X2
7b8x3 L
7niffOS4
[7owIIn:
7p}! `
/-7XhM
^81f?g?
<840,M\
8#6<,f
87T`P5S)
8HVq2]
 8*&*l
~8N{f'N
9d\4a`Q
%'9`eD[
9HPTj9
9liWGr
9lR&F*
a4.U}N
AbUWgtp
AddMsg
AddRefA
#AdjuFPjr
ad<l09
A},HwX
ais{pQ
AJ{ZdT
allBaK
alUpda
aMtHH 
aO$^#o{
AO[S}<
A\t5UHL$
a Te"l
Audio.
awuois=
BEFF(N:
B?fA6T
BG*~*R
BIAq$=
BJ)5TZ
=B \lG
b' lL'
BOk$\#
+$]bQp
bss_ser'
% Bt/8
BtKill
}B#W8Y	
/b!XDv
\c2AUt
c3d(v0
;]C9HYH.
c`aw9h
Cg\`@I
/Chat'
<Ciuqa
Compzb7>
+C	=Oo_p
COoto!t>g"K
C:\Prog
cSubCl
cukw/K
`Cu>@Po
C;uYBW
<D0E|+&
`ddpv"
DE/$yEzL
df"FC^YO
|d@Fvg
@?DL|+
DL_:P&<
}dME,e
d ''#O
:`dp`37
dQx5@z
DragQuery
dr>jBy
\d(#t\.
Dt0/w(
DV,7S6
,d`W(_xg
DZPp_|%
e(1)!C
E4:|	"=
<e4ym5
E$6/ql[
_E(8:>6WcD
E-,8$uw
eamGook?RS`cur
E^CQ<,
ect?TorrentS
EFB$9$xU
egHija.
-e<k&(
E/L7wW
ENGZdN
EVENT_SINK_Ge
'EV?L_]
ExitProcess
@:<F(:,
F062D2BD
F4?bA+.
f4rHgA\
F6E4ZF7C8
:F6I q
F_6nO{
f7J::c,
F:9=.g
_FACEBOOK_START
f{@cvssPATH_WINLOGON5
fD_/ lJ7
^>FeAz
F> FDD
 Files (x86)\Mic
$,FLLe
#)$<Fo0
-f)pP&BcI[,.)
FP<pT6=
FrBf>Z
frmMain
"")fv.:
Fx>>an
Fy.#fbv
g3#hh+HXKX(6q
#(g##;A
GbkUFW
gBN^8n
@G~>c Gf
GetProcAddress
gHRL2 #
\GvJN2d
GWSOCK
g,!W!W0(
H177P:
^,h1Ko
$$&\H2
$!H33!$
h3a"Z0*O
|H7~JN2P
)h83(9
H{a2p`
h' #FX
 hGed /H
hG,INr
hJATXf
H.J.JL<
hK&x(&
H#p@'M
@@H^r!@
~hunkt
H,V%p!<V
i. [\a
icalDr
ICK_DELA
ICk)S%
InfoTO
InvokeV
iO E%\
iPlPb!
\Ip]&<M)
i,pxrJ
I@Q*/a
I]^QZ4
I(>//R
IyEhGp
j1gHJy
@J\cD.
&)JdHw
 JDxH17/
J[iL\G]
jl Kd)x
$JOR,~,
JSTUVWXYZcdefg
JUJuQ(t);k
K03RJ<c
K]>1h-
K2rT4x
K6&?SC
KERNEL32.DLL
k*MDHL
-k$(.SrIs
\k.("SS=Is
\KuewD
`>L(@,
L@<1_img|
l^9!<qK
L&d/Oy.y
>ld}p4
Ldt&Le
|lEnghe
lf^NJ5
lgE;M;
{$Lh|N
lIh: N
Lla+(B
L:lngg7x
LLTH!9L
LMUL?6
l-n/on
&l&N(q6
Lntlt0$
LoadLibraryA
_lobalAl
lOU!a+B
LSI+z@
L)^Y"aA
m	5N{a
mC{AJ)
MF<-N4
mG#[G-
m[G?GE$'
-M.H<Pk
_@$_mi8
MJQ+Dq 4I0
^__^Mkok$P
	mMl%6`
modFucrons
MS SaX
MSVBVM60
MSVBVM60.DLL
\msvbvm60u-l
mswin .
Mv#(i(
M&Xu%:]
:M+.z,#
:="MZp~qH
N' ~0~%
"N2]F|
N2 #LT@
nc?PWs
NhV(|f^
nm0Sw_$
NmZ#_k
NOMoWaiqS;
@nq\yAa
)n r9(+
NRR'=@
NTDLL>
N^(tLg
n*/TrX
`,''#O
o04M>H
?o`?[+1
o7^DrU(
*O8^.N
OafFoc
'o"BgBvtyBO
-obh.&
oCHAT_A
Oh1LDMd
O$jAJ+
Okf	Qi~K
oM7Pn`
#ONFd0
op-/E:
O peer
OP-T3.
o*soft Visual Stz\
os#+Om
oT<]'W
o(Uo@6/
ovbv)I
OwnZ64u;
oXCCdC~h
$.OY@+
}?+p+ 
.<@P,{
p^`.@]2X
P8N(wP
pb`ffvl
PBPB~S
P/\dT4
`pE~A<
;*PF6_
P#)G_K-
*p].i.
picThumb
}plbc]
<PLHD@
'p\lor
~<p'M3%pDD@U
Pp=+7Z
PRINT_
P%S*	B|
p'sIW	#V
QaW	U7
q$nUHVS
"\$r/ 
}r\'//]
r!11r!
r!22r!
R6eYHH1
raTagI
rAUb9]^9t]
R	$'Cr
R/D-j7
Rd:\SysWOW64\N
Re^@Nn"
R_FB77
R_gf=4^
rIsA/uV%
rJvj_Vd
r;&L-fP
;R,([n
RO9[(%
Ro\eOP3C
/Rr@M<77
.rsrch
rvqueezer\
rYZl,v
S1!	{,
s_%6hW
:ScanLz
SCManPr
s:.cpV
Screensho
seHandJ
's<e/SrcLef]`
 *.S{f
Sf'$sJ
SHDVVwCtl~ebBrow
$}SkP{
SN.Lx&
Socket
SpAIHo
>spu"G
sra$Wx
Sr$$se\
s the p@
STRUCTIO
stV&y<
S]w*t.
t)5H%a"
T	!'B@j
td@^%"
TEgw *
@/tFGL~
tF&;NF
!This program cannot be run in DOS mode.
ti&Ci7
Tim[?Sh
TKDQHs
:;tkEe}
TLn+xpX6
tmrLivLogg+
^T)M_S
t@'#ON
T r%9<
tSd `\3
tT7lzl
tvieframe.dl
% |.T	ZV
&U0d/J
$U0m6k
uB\R#I
u/D+]d
  UJ?G(
%[U#m'
;uO:' 
URLDVnl
UWH^)\<
`u@XXT
UYl1X4mLn_L;
v.Bf&|
vBIV9*O
%VC`x)
vECZGF
ve`*P&
vf`M1P
V%h0SQ
V$[hn{
VirtualAlloc
VirtualFree
VirtualProtect
v`jc`*
vJQ:[\
	VMSS\p
',V@N2
v)&u^8uF
VUc!V_0
vuHR2\?
&Vw7CN
V$wN$N$
;W0G@<
w- 5'`
WAcquR2{
wapMo~W8
WcImage'%`
WD.0K:g
WdgljG
_WebHide
wfS~ijnG
wLBW_`6
-_WMqo
^)w*n]
w,p0[%
wq1RCF
w\ZT'F
X2!dMPA
}\xEm>
x"*ibR
XJB5NZ
XJB:,v
X@jO0l
)XK7la
XPTPSW
xQ?|)y
+XT<LU
$X v54
xV)mBC
X!wD`*
XWhC)D
####XX
_xXVGa
-}%_%y
y6PBGM
y(8HX5n2K
Y8"nWq
@Y'a6t
&?yB:0H
yGrabbOg	V
y.hXfX8
 Yk/ qu
YP+:S@@DfX
y%t1\N
Y]T#&D
YXF?xw
yxhXH^
Z|+:4	
zF>[hS
Z$}tw3
Z+wFOP<
(zW`"Xy