Analysis Date: 2014-11-22 04:47:04
MD5: 28d4d5634341f13d5e32f8f64fe12166
SHA1: bb714d0173fcf21e4d83e6d06a1fe0c6d3b17d6b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 130f62b525cdea751d0de0ca0f11befd sha1: 06b2f7ecec021cd88dba2d61f0aac0472c203d0a size: 15872
Section .rdata md5: 2fdfce239720e625b62b22a1eedfcf3b sha1: 360ed1004f96a8ac8909deb2de093e933c488a01 size: 1536
Section .data md5: 20b3067e4f21512b8fe9da6dabf6bf46 sha1: 92e7bca42306f4fca7eab930654d2c6485fbece0 size: 111616
Section .rsrc md5: dc457063bf249e71569ac96989f3e0a4 sha1: 813f176f7e9e15f89d56894bdb445e22f5db77fa size: 5120
Timestamp: 2009-07-14 02:12:06
Version: LegalCopyright: Copyright © 2009 o setup technologies r
InternalName: e iphone setup win32 7H1
FileVersion: 4.4.0.0
CompanyName: Jordan Russell
LegalTrademarks:
Comments:
ProductName: 40 internet security V
ProductVersion: 4.4.0.0
FileDescription: eg Setup Self-Extractor
OriginalFilename: e iphone setup win32 7H1
Packer: Borland Delphi 4.0
PEhash: ad4d43cdd8c6ffb2431fef32694eed274a6ba81f
IMPhash: 912a0aba363b678337b04751bfc2e7de
AV 360 Safe: Gen:Heur.FKP.1
AV Ad-Aware: Gen:Heur.FKP.1
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV BullGuard: Gen:Heur.FKP.1
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader4.27880
AV Emsisoft: Gen:Heur.FKP.1
AV Eset (nod32): Win32/Kryptik.MTM
AV Fortinet: W32/Krypt.QKV!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado
AV F-Secure: Gen:Heur.FKP.1
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Trojan-Downloader.Win32.Renos
AV K7: Trojan ( 00244c311 )
AV Kaspersky: Worm.Win32.Skor.cgp
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ai
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.LX
AV MicroWorld (escan): Gen:Heur.FKP.1
AV Rising: Trojan.Win32.Generic.128B8FE7
AV Sophos: Mal/FakeAV-IZ
AV Symantec: no_virus
AV Trend Micro: TROJ_RENOS.SMRK
AV VirusBlokAda (vba32): BScope.P2P-Worm.Palevo

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0ESKOMO9JO ➝
C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\0ESKOMO9JO\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: lacvictoria.com
Winsock DNS: qqplot.com

Network Details:

DNS: wsj.com
Type: A
205.203.132.1
DNS: wsj.com
Type: A
205.203.132.65
DNS: wsj.com
Type: A
205.203.140.1
DNS: wsj.com
Type: A
205.203.140.65
DNS: fastclick.com
Type: A
64.156.167.84
DNS: nifty.com
Type: A
210.131.4.217
DNS: qqplot.com
Type: A
109.74.195.149
DNS: lacvictoria.com
Type: A
DNS: paulo-fg.com
Type: A
DNS: bonreligion.com
Type: A
HTTP POST: http://qqplot.com/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 109.74.195.149:80

Raw Pcap
0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   7171706c 6f742e63 6f6d0d0a 436f6e74   qqplot.com..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3334310d   ent-Length: 341.
0x000000c0 (00192)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000d0 (00208)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x000000e0 (00224)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x000000f0 (00240)   0d0a0d0a 64617461 3d2f436a 45665a44   ....data=/CjEfZD
0x00000100 (00256)   53767871 43694b30 6c74554d 31757932   SvxqCiK0ltUM1uy2
0x00000110 (00272)   2f797534 55355970 4e6d3176 2f2f6a54   /yu4U5YpNm1v//jT
0x00000120 (00288)   6e675663 2b774d73 2b2b5a42 6a375a53   ngVc+wMs++ZBj7ZS
0x00000130 (00304)   59547233 69426b47 2f672b37 5643432f   YTr3iBkG/g+7VCC/
0x00000140 (00320)   30704233 6b4f4870 37655263 48506959   0pB3kOHp7eRcHPiY
0x00000150 (00336)   6f393930 4d55756a 67555734 62765449   o990MUujgUW4bvTI
0x00000160 (00352)   644e2f6a 50587547 506a6142 7a786c63   dN/jPXuGPjaBzxlc
0x00000170 (00368)   63356d70 4e303161 36742f51 69535858   c5mpN01a6t/QiSXX
0x00000180 (00384)   77707a39 486d306b 7a396642 6661556e   wpz9Hm0kz9fBfaUn
0x00000190 (00400)   3130782f 474c636f 66526948 344c7646   10x/GLcofRiH4LvF
0x000001a0 (00416)   73416947 59467361 696f4d57 30374b30   sAiGYFsaioMW07K0
0x000001b0 (00432)   4533726b 6b334d65 5a557967 44654c47   E3rkk3MeZUygDeLG
0x000001c0 (00448)   77327331 322b6f50 4d4e726e 4a5a637a   w2s12+oPMNrnJZcz
0x000001d0 (00464)   687a5a38 78694e57 75355467 4f687134   hzZ8xiNWu5TgOhq4
0x000001e0 (00480)   4f715553 30424d54 644b3262 5a792f68   OqUS0BMTdK2bZy/h
0x000001f0 (00496)   7833546e 6d477954 464c4868 4c635266   x3TnmGyTFLHhLcRf
0x00000200 (00512)   2b76417a 494f424e 6d763433 43444b32   +vAzIOBNmv43CDK2
0x00000210 (00528)   51303541 56636d41 38324b68 54665573   Q05AVcmA82KhTfUs
0x00000220 (00544)   732f476f 6c77786c 6d396b4c 6e726e6c   s/Golwxlm9kLnrnl
0x00000230 (00560)   49367034 366e3336 642f3334 6b705656   I6p46n36d/34kpVV
0x00000240 (00576)   32623651 672f413d 3d                  2b6Qg/A==


Strings
=
-.

040904E4
0Get
 2009 o setup technologies r
2U0s
40 internet security V
4.4.0.0
BBABORT
Cannot open file "%s". %s
Comments
CompanyName
Copyright 
DVCLAL
eg Setup Self-Extractor 
e iphone setup win32 7H1
Error reading %s%s%s: %s
Failed to get data for '%s'
FileDescription
FileVersion
InternalName
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
Jordan Russell
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
M0uQ
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
ProductName
ProductVersion
Property is read-only
Property %s does not exist
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
Translation
VarFileInfo
VS_VERSION_INFO
0n8XD4P
0tGX4,%pu
1=kWkV
1nMWZqMJ
1WK%@v
1XqtRM
2*4#VE
,2dLVRsio%n
2UfC3fyJj
33333333?333333
333333333333333333
3333333333333338
3333339
333338
33333833
333838
3_cR?{Y~
+3	S*S&f
	=4;]658A
48<^D^
(^48<L
4ArY(!
@,:@4:@<:@D:_L
>,]4m<m
4%-(r3
`4w<Kh
]+5/@4
5k$HJN
5m$^88L`
5w({h$w^
*5!-/Y
6I(i/%
:@!6PD
6+=pv@
6U-fP_
>:7^}6
7e-cwn9)
!*7(l8
7o3eyJB
7X`R d
 ^(808
*}8BR"
\8d^lmtt|
8EA0tJ
8_f$tE
8FuOy|
8>hDj9
8^L8`p
]{8LX@
[8@^rn
_8YBcP4No6XJ
90tP8$
@!:@-:@9:^D
9ImXXWV.0F9Ty
9pj4tT*A
9.]r~H
9T7t=h"wt?
9~t	=B_
_9^(u!n
,=~9xH
aBQASV2
${AH@w9
aM9b^:c
b\*9&U
BaEIPaDF
b!igs\
bLxwQt
BMRRKPt.
BwU \$
=BZ'UBD
C3<`dS
CEIvKjc
CharNextA
CharNextW
CharToOemA
}CL$ V
cqy7ujgB
c<.tex
CW'M8F(
CwoGzU
CX[YZ>
D4Y5tY
|^d8P:
$d9\D?k
@.data
dhv}mL%
dH#Yn/
>\]dll
>D]LmTm
Dn075j
DN0eHp8
dnP8@:
DnPXX4d
DOhD"2
DV]b8A
DwC sp
(e`__:
^E4@y(;
E89xtd
e]>9-(0e
$eaD$U
E,b]Xl
e iphone setup win32 7H1
EnableWindow
Ew)0{W=
ExitProcess
f4fS(>
fGC8WE
F<P,w.
fSN3kG1
f!SoS 
F#zv]o
G13e25z7<0Apr
 G] 3L|
#\'G7d\
G8T6SZ>
GetCommandLineW
GetDesktopWindow
GetMenu
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcessHeap
GetStartupInfoA
GetTickCboun
gFnPUA0wH
	gV_QD~
@,}@H*
%h02xtf?#
\^h8t|
hbfjj@
_hEtZkJLvC
:hNoj@_
Hn`Xl4x
HnXXh4x
hO4Ykq
H>`oq'
H-plAtT
hP^TRh}
`)_@%hv
hXWj$O
[-I5(&
`I5bc?h
.>i^?A
iBy&bToWad
IGS(L8Z
ihCJa(
i_L.^uQ8r
IsCharLowerA
IsWindowUnicode
\ITx{h
i-\vt8
,izt,x
j9^ U*
Jfkj@S
Jgdi32
JN^u(P
j|[P5d>
jqh8Ej
juhx]P
$j[xrs
{?k1N$b>
k6h%<n Y
K$}8uJ
!KCN2XU+99
kernel32.dll
KillTimer
k%]S:]h<
L0S)TF
L$3Mjy
(]@l5"2
lfX\SoHLW
l?`^h]
'l@KbRN
Lm):/L
lntX|4
LoadBitmapA
LoadLibraryA
.lP1rbi_
l]ufoqT
LV\~w<
lX\zI~
L%z6x7f
M=5Deg
M]5T">6
m5"U6P
=m8Yi{
MaZagH9]E
M@Dmv7
>	"M:Fo
Mh!9l4zp
mm0K3v
mOH,y`0H
M`p_TD
N>:2]B
N8y8j<I
:nDXT4^
`N(ehp,
Ne.`v]
@nHX`4t
`nlXx4
@nTX`4t
@nTXh4x
n,X84H
N~$z(x,
Nz\Yf;
OpenIcon
opRumd&
ow^ 5PPVc
oY(tc9
?][ p`
P^7`Y;0
pf<.79
"pf!K!t
&Pjw>`*$
&P(Kh_
\\plnX
Pmou|o>h
PnhX|4
`%@>_Po
[POv]8
_pRJGLM0v9awUdC@4
p	.wVO
P^X8`d
q40&r04s
qAlpp.`
Q~	Bw)9
<QCx$@
Q)(H*5
/ql:t_z
%	>`Qq
QT1@g8o@q
=/>r}:&
r0P<}zF
R'4K/MG
rbPYgY6
`.rdata
>R^foj
r-Go_+
&!#<rjk<
]Rn`$"
Rnbx;*
r;nF\}Z
^RQzSP
;`-RSP
r%|zF~
S44[X>
SG4enQQc
S]kWY,}
s{.m18
SRQ}PWja
S`@Sfl
s}WF~X
t0YMDFj
&t1EM<^
>TcOS#X(
TeWINxEZ_[
/^t^g8
t.H"4R
t;@^H8
This program must be run under Win32
%thv}}
ToDd1OLvEAUT&
tpl4wNHuVXn4|
tTlm}^
t^z:m6_U
u4XH4T
U\b!Z$
$u@C[pQ
Ud539B
	UdAQP SR
UDimE\
UI7qym
U*kh',
UN{IQSTR"
u#)olno
UoWZ,%9'~
u<^P8d|
@uQm6t
UR:hS(
user32.dll
Ux%(;=
u X<4T
(&.|UY(
:UZ&^M}}
}./vfY36,
VGOk'YQ>
VirtualAllocEx
vjHao"
VL8L(<n
vl8"NPm<T5
V~m~ W\}.
v $n6mz
'vTc;p5
Vt!uAs6
V tY(Jw
vX_8Y4
V}\>Yt
V.y{UzCm{
VZq,95
W)5Q$gW
W-6rQW
-w#8E|
wdE5K6
%Wf$ex{
wfPxt%\
	?\whJ
%;`wiMP4
WQV4l;
}.W>%r'*
/WUSFhL\
wwwwjlj
,~ X44L
X^`9ev
x:C#d8
\	{Xe-}I
xf:3Tpf96pdN
X>i$fxh
([x$(m
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
XNPe|pX
/x};pDtgW
%XZOG}
y9oz0Q
)Y?A.X
yd1NRu8
\y>D]LlT
yjgGv>
y.M#7V
Y(m!nP
ynM>MM
Y;nn8B
ytD"hdT
Y]vGS@4DuP[+
Yz,"-.0C7w
@Z+C?k
z`.rdEat
zUIM }
%`zVb9
zXWJCw