Analysis Date: 2015-02-25 21:55:23
MD5: 6049a8d4403d0ca253b292b9a9b6c9bf
SHA1: bbf2b8dc2ff0cb735eb2402371dd14e9bb4ced62

Static Details:

File type: MS-DOS executable
Section_FLAT md5: 28d847d2ab53a746f6d1743ccdeedb20 sha1: b94e6bdb089c1e019ded47b3599b5b62d8a242d0 size: 188416
Section.imports md5: a101da77ee282fcc975cd1240d40aa45 sha1: 72bcefa3bcc49f98e69716593f6d330e5ae8f839 size: 8192
Timestamp: 1970-01-01 00:00:00
Packer: Borland Delphi 3.0 (???)
PEhash: 263df0b9652eec113f29c85c43fb22e90c497283
IMPhash: 0ca42a2a85d940e964f4ef58d510c849
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.551846
AV Alwil (avast): PlugX-A [Trj]
AV Arcabit (arcavir): Gen:Variant.Kazy.551846
AV Authentium: W32/Kazy.CW.gen!Eldorado
AV Avira (antivir): TR/Spy.Gen
AV BullGuard: Gen:Variant.Kazy.551846
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Kazy.551846
AV Eset (nod32): Win32/Korplug.A
AV Fortinet: W32/Korplug.A!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.551846
AV Grisoft (avg): no_virus
AV Ikarus: Trojan-Downloader.Win32.Thoper
AV K7: Trojan ( 003db13d1 )
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: Error Scanning File
AV Microsoft Security Essentials: Backdoor:Win32/Plugx.A
AV MicroWorld (escan): Gen:Variant.Kazy.551846
AV Rising: no_virus
AV Sophos: Mal/Behav-010
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Network Details:


Raw Pcap

Strings
\??\
1234
%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
%4.4d_%2.2d_%2.2d ^ %2.2d:%2.2d:%2.2d
AEEC29F6411F6758
%ALLUSERSPROFILE%\graphedt
%ALLUSERSPROFILE%\SxS
boot.cfg
CLSID
CMD.EXE
CompanyName
CONIN$
CONOUT$
ConsentPromptBehaviorAdmin
CRYPTBASE.DLL
\Device\Floppy
dhn*hn
DISPLAY
EnableLUA
FileDescription
FileVersion
Global\DelSelf(%8.8X)
graphedt
graphedt.exe
HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0
hSeDebugPrivilege
?jjj
jjjj
LNULL
l%s\sysprep\CRYPTBASE.DLL
~MHZ
Microsoft Windows Graphedt Services 
Mozilla/4.0 (compatible; MSIE 
NvSmart.hlp
\Parameters
PI[%8.8X]
\\.\pipe\a%d
\\.\pipe\b%d
\\.\PIPE\RASUSER(%d)
PiriformCCleaner
Piriform CCleaner
ProductName
ProductVersion
pUAC.TMP
QUARTZ.dll
QUARTZ.dll.lib
RUNAS
S-1-16-12288
%s\%d.plg
ServiceDll
SeShutdownPrivilege
SeTcbPrivilege
%s\msiexec.exe UAC
sNT AUTHORITY
Software\CLASSES\MJ
Software\CLASSES\MJ\PROXY
SOFTWARE\Microsoft\Internet Explorer\Version Vector
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Run
%s\sysprep
%s\sysprep\sysprep.exe
static
\StringFileInfo\%4.4X%4.4X\%s
System
SYSTEM
System\CurrentControlSet\Services
SYSTEM\CurrentControlSet\Services\
\SystemRoot\
tSystem Idle Process
\VarFileInfo\Translation
%windir%\explorer.exe
%windir%\System32\msiexec.exe
%WINDIR%\SYSTEM32\SERVICES.EXE
%windir%\system32\svchost.exe
%windir%\SysWOW64\msiexec.exe
; Windows NT %d.%d
WINSTA0
<!<(</<
0$0)0G0Z0~0
0$0:0K0Y0
0.0=0O0d0
!0.060?0)1g1
0$080C0
0/0A0_0
0,0B0O0]0z0
0+0D0]0n0
0.0G0V0c0
0$0H0o0
0-0o0|0
0;0U0[0`0s0
0-1>1c1o1}1
0?1L1p1
0>1N1^1q1
040>0w0
041;1N1s1}1
=$=0=5=;=B=G=x=
:0:5:N:
070H0x0
0B0U0b0|0
:0:>:\:d:j:x:
>!>'>0>F>X>^>g>}>
0t<It#ItFIu
;!;0;X;g;u;J<T<%>@>F>r>
102@2V2`2y2
1 1/1A1P1
1#1^1m1
1"1=1P1U1n1
1$141P1j1z1
1)171E1S1a1s1
1(171z1
1*191X1
1-1C1[1j1
1'1H1w1
1$2(2,2024282<2@2D2H2L2P2T2X2p2|2
1$2-262<2A2F2M2R2d2v2
1.2=2a2~2
127.0.0.1
1$2B2J2O2W2_2u2
1.2S2]2x2
131<1A1^1
141D1h1o1v1}1
141M1_1m1
151W1y1
152<2\2
>">+>1>6>;>B>G>T>
> >%>,>1>8>=>D>I>Q>a>l>s>y>
<!<'<,<1<9<L<U<^<d<i<n<v<
<1=:=I=d=
>&>1>K>]>h>x>
<1<O<m<
1Q1`1m1
1Q1X1|1
=1=R=X=`=y=
1T1a1j1p1u1z1
?1?X?~?
2$20292?2D2I2P2U2a2
2%222V2
2$2*2F2N2T2p2x2~2
2#2/2N2w2
2%242a2y2
2"262?2D2^2
2(2C2R2a2p2
2#2E2g2
2(2L2Y2x2
232?2M2f2
283A3J3P3U3Z3a3f3
:+;2;9;@;G;
='=,=2=9=>=L=S=
>'>,>2>9>>>L>S>
?'?,?2?9?>?L?S?
=%=+=2=A=G=L=
=2=I=q=
2T3f3o3v3
30353N3
324N4_4p4
3$3+30383G3P3Y3`3e3m3
3-333;3@3O3]3s3y3
3)333u3
3'3/3B3`3q3
333R3x3
3+353?3N3]3m3
3*373\3r3
3*393g3u3
:":':,:3:8:J:
3A3K3j3
3B3Q3e3
<$=3=G=M={=
<3<I<j<
:":':3:I:U:b:}:
3M4W4w4
?#?)?.?3?:???T?]?f?l?q?v?}?
3V3`3h3t3
3Y3d3j3}3
40C0h0w0
414>4W4
4"40494Z4
4,424A4G4V4\4k4p4
4%4,414B4J4Y4
4 4%4>4
4)444=4
4"4-4<4I4l4
4/464=4D4K4R4
4(474G4
4+4K4T4Y4_4f4k4
4<5[5j5
4$5G5[5d5j5o5t5{5
494E4\4i4~4
;%;.;4;9;>;E;J;i;w;
4B4d4u4
=(=4===C=H=M=T=Y=t=y=
4D4^4d4i4
:.:4:d:v:
=4>F>O>V>g>v>
?4?G?V?
4i5y576
4J4O4U4_4k4p4u4
=(=4=@=k=
<4<R<m<
515]5{5
545F5O5V5g5v5
546;6M6s6
5%535=5L5X5d5|5
5"5'5.535R5W5b5s5
5@5\5i5
5<5A5X5a5g5l5q5x5}5
5$5H5P5[5i5
5(5h5w5
5.5O5^5j5
5>6`6s6
5&6F6w6
>)>5>B>]>p>u>
5C5P5Y5b5h5m5r5y5~5
;,<5<><D<I<N<U<Z<
5U6_6m6
606;6O6a6l6
60676=6J6T6[6e6q6~6
6,61676>6C6T6\6k6
6#6,656;6@6E6L6Q6
6!6(6-6K6T6]6d6i6p6u6
6&676]6
6&6R6j6
6-7d7v7
686c6r6
696C6M6\6n6}6
<"=-=6===B=J=n={=
?/?6?=?D?K?R?Y?`?g?n?u?|?
>6?E?d?s?
: :-:6:?:E:J:O:W:l:
<&</<6<G<V<r<w<
6o607H7
:):6:<:O:\:b:|:
?!?+?6?W?f?p?{?
>6>^>y>
717[7k7{7
747=7F7M7R7Y7^7
758;8F8[8p8
7+707@7J7h7
7"727B7R7a7k7
7&72888=8D8J8O8[8a8j8
7$737O7Y7t7
7-747:7k7u7
7&7/757:7?7F7K7e7s7
7(7.767U7p7
7-7<7U7d7s7
7"7C7d7
7&7H7q7
7?7I7W7f7x7
7=7T7s7}7
7?7V7[7w7
787G7^7m7
7*8;8I8U8[8d8m8t8y8
7,8I8d8
>.>7>=>B>G>N>S>w>
:%:.:7:>:C:K:f:p:|:
;#;*;/;7;e;
7e8u8~8
>7>`>j>
:':7:v:
80858N8
829A9j9
8*828J8W8n8
8%828M8`8e8~8
8*878@8I8P8U8]8s8
8"8'8,83888J8
8!8.8<8C8O8^8
8 8%8<8X8k8
8*8>8E8N8]8k8~8
8%8>8K8T8]8d8i8q8
8/898Z8d8
8:8I8W8p8
898>8G8L8R8Y8^8
8A8]8q8
8E8Y8b8h8m8r8y8~8
8GULPt
8GULPu#
8M8l8z8
=-=8=z=
909n9y9
90wares.sv9u.com
929D9t9
9+:8:E:^:
9"9'939<9B9G9L9S9X9x9
9&9/989?9D9L9j9v9
9"9'9.939T9j9
9/999?9R9Y9e9
9#9(9;9d9m9v9|9
9#999E9R9m9
999`9s9
9+9>9D9S9a9p9
9!9[9m9u9
9-9:9U9o9u9z9
9-9<9W9
9):9:c:s:
9*9G9m9{9
9E9Q9`9j9
9E9V9[9a9h9m9
9L:P:T:X:\:w:
:&:9:Q:f:
<&=9=r=
AdjustTokenPrivileges
advapi32
advapi32.dll
ADVAPI32.dll
<<<A<G<P<Y<`<e<l<q<
<A<K<s<
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
AllocateAndInitializeSid
AllocConsole
AttachConsole
>A>V>g>
BitBlt
<!=.=B=K=Q=V=[=b=g=
?	?"?=?B?N?\?e?
bootProc
?'?=?c?
:C;a;|;
CallNextHookEx
;C<\<e<
ChangeServiceConfig2W
ChangeServiceConfigW
;+;^;c;k;t;};
CloseDesktop
CloseHandle
CloseServiceHandle
closesocket
CloseWindowStation
;!;C;M;o;v;{;
CoCreateInstance
CoInitializeEx
connect
ConnectNamedPipe
CONNECT %s:%d HTTP/1.1
Content-length: 0
Content-Type: text/html
ControlService
ConvertStringSidToSidW
CoUninitialize
CreateCompatibleBitmap
CreateCompatibleDC
CreateDCW
CreateDesktopW
CreateDIBSection
CreateDirectoryW
CreateEnvironmentBlock
CreateEventW
CreateFileMappingW
CreateFileW
CreateIoCompletionPort
CreateMutexW
CreateNamedPipeW
CreateProcessAsUserW
CreateProcessW
CreateRemoteThread
CreateServiceW
CreateThread
CreateWindowExW
D$4PhH
DefWindowProcW
DeleteCriticalSection
DeleteDC
DeleteFileW
DeleteObject
DeleteService
DestroyEnvironmentBlock
DestroyIcon
DisconnectNamedPipe
DispatchMessageW
<D<J<P<a<
dllmain.cpp
="=D=M=V=\=a=f=m=r={=
dnsapi
DnsFree
DnsQuery_A
<%<?<_<d<o<{<
DoImpUserProc
>->D>P>s>|>
D$tPSh
DuplicateTokenEx
d:\work\plug4.0(shellcode)(
D$<WPW
EName:%s,EAddr:0x%p,ECode:0x%p,EAX:%p,EBX:%p,ECX:%p,EDX:%p,ESI:%p,EDI:%p,EBP:%p,ESP:%p,EIP:%p
EnterCriticalSection
EnumProcesses
EnumProcessModules
EnumServicesStatusExW
>E?N?W?]?b?g?n?s?
=(>E>N>Z>|>
EqualSid
> ?E?T?k?
ExitProcess
ExitThread
ExitWindowsEx
ExpandEnvironmentStringsW
ExtractIconExW
:";';,;F;`;~;
f9~4t"
F(h((?
file: %s, line: %d, error: [%d]%s
FindClose
FindFirstFileW
FindNextFileW
>'>=>F>K>j>v>
FlushFileBuffers
<;<f<n<
FormatMessageA
FreeConsole
FreeSid
<=<F<U<v<
gdi32.dll
GDI32.dll
GdiFlush
GenerateConsoleCtrlEvent
GetAsyncKeyState
GetClassNameW
GetCommandLineW
GetComputerNameW
GetConsoleCP
GetConsoleCursorInfo
GetConsoleDisplayMode
GetConsoleMode
GetConsoleOutputCP
GetConsoleScreenBufferInfo
GetConsoleWindow
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDeviceCaps
GetDIBits
GetDiskFreeSpaceExW
GetDriveTypeW
GetExitCodeThread
GetExtendedTcpTable
GetExtendedUdpTable
GetFileAttributesW
GetFileSize
GetFileTime
GetFileVersionInfoSizeW
GetFileVersionInfoW
GetForegroundWindow
gethostbyname
GetIconInfo
GetKeyState
GetLastError
GetLengthSid
GetLocalTime
GetMessageW
GetModuleFileNameExW
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetModuleInformation
GetNativeSystemInfo
GetOverlappedResult
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetQueuedCompletionStatus
GetRawInputData
getsockname
GetStdHandle
GetSystemDefaultLCID
GetSystemDirectoryW
GetSystemInfo
GetSystemMetrics
GetSystemTime
GetTcpTable
GetThreadDesktop
GetTickCount
GetTokenInformation
GetUdpTable
GetUserNameW
GetVersionExW
GetVolumeInformationW
GetWindowsDirectoryW
GetWindowTextW
GetWindowThreadProcessId
GlobalMemoryStatus
GlobalMemoryStatusEx
>GULPt
:G;X;a;j;p;u;z;
?(?H?_?}?
HeapFree
= =:=H=f=n=
=h>l>p>t>x>|>
Ht)Ht&Ht
HTTP://
HTTP/1.0 200 
HTTP/1.1 200 
HttpAddRequestHeadersA
HttpEndRequestA
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestExA
?,?@?\?i?
ImpersonateLoggedOnUser
.imports
InitializeCriticalSection
InitiateSystemShutdownA
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetOpenUrlA
InternetReadFile
InternetSetOptionA
InternetWriteFile
:#;I;p;~;
iphlpapi
IsWow64Process
? ?'?,?\?j?~?
<&<;<J<[<j<y<
JtnJtTJtAJt
jWX_^[
jWX_^[]
<^=j=x=
>">/>K>a>j>o>
kernel32
kernel32.dll
KERNEL32.dll
	keybd_event
keybd_event
KeyLog
KillTimer
KLProc
;%;K;S;\;q;~;
:-:k:v:
L0[0T1c1
LdrLoadShellcode
LeaveCriticalSection
='=L=^=g=~=
L$lhD%?
LoadCursorW
LoadLibraryA
LocalAlloc
LocalFree
LocalLock
LocalReAlloc
LocalUnlock
LockWorkStation
LookupAccountSidW
LookupPrivilegeValueW
lstrcmpA
lstrcmpiW
lstrcpyA
lstrcpynA
lstrcpynW
lstrcpyW
lstrlenA
lstrlenW
<"<.<L<T<_<f<r<
L$tQSh
MapViewOfFile
memcmp
memcpy
memset
MessageBoxW
	mouse_event
mouse_event
>.><>M>o>x>
msvcrt.dll
MultiByteToWideChar
Nethood
Netstat
ntdll.dll
NtQueryInformationProcess
: :o:~:
O0m0u0
odbc32.dll
ODBC32.dll
<O=d=m=s=x=}=
ole32.dll
OlProc
OlProcManager
OlProcNotify
OpenFileMappingW
OpenInputDesktop
OpenProcess
OpenProcessToken
OpenSCManagerW
OpenServiceW
OpenWindowStationW
Option
OutputDebugStringA
OutputDebugStringW
<P<b<k<q<v<{<
PlugProc
PortMap
PostMessageA
PostQueuedCompletionStatus
PostQuitMessage
@PPRWSPP
Process
ProcessIdToSessionId
Protocol:[%4s], Host: [%s:%d], Proxy: [%d:%s:%d:%s:%s]
Proxy-Authorization: Basic %s
Proxy-Connection: Keep-Alive
psapi.dll
="===P=U=n=
PVVVVVVh 
;$;@;Q;
?$?)?Q?
;,;Q;a;
QRPh03?
QSSSSSSWS
QueryDosDeviceW
QueryPerformanceCounter
QueryPerformanceFrequency
QueryServiceConfig2W
QueryServiceConfigW
QueryServiceStatusEx
QueueUserAPC
<,<Q<V<}<
QWgPlch
QWWPWW
;);:;R;b;k;q;v;{;
ReadConsoleOutputW
ReadFile
ReadProcessMemory
RegCloseKey
RegCreateKeyExW
RegDeleteValueW
RegEdit
RegEnumKeyExW
RegEnumValueA
RegEnumValueW
RegisterRawInputDevices
RegOpenCurrentUser
RegOpenKeyExW
RegOverridePredefKey
RegQueryValueExW
RegSetValueExW
RemoveDirectoryW
ResetEvent
ResumeThread
RevertToSelf
RtlCompressBuffer
RtlDecompressBuffer
RtlGetCompressionWorkSpaceSize
RtlMessageBoxProc
RtlNtStatusToDosError
;<;R;X;];v;
>)?;?R?Y?h?
Screen
ScreenT1
ScreenT2
%s: %d
SelectObject
Service
SetCapture
SetConsoleCtrlHandler
SetConsoleScreenBufferSize
SetCursorPos
SetEndOfFile
SetErrorMode
SetEvent
SetFileAttributesW
SetFilePointer
SetFileTime
SetLastError
SetProcessWindowStation
setsockopt
SetTcpEntry
SetThreadDesktop
SetTimer
SetTokenInformation
SetUnhandledExceptionFilter
SetWindowLongW
SetWindowsHookExW
SfcIsFileProtected
SHCopyKeyW
SHCreateItemFromParsingName
SHDeleteKeyW
SHDeleteValueW
shell32.dll
SHELL32.dll
)\shellcode\shellcode\XPlug.h
)\shellcode\shellcode\XSetting.h
ShellExecuteExW
ShellT1
ShellT2
SHEnumKeyExW
SHEnumValueW
SHFileOperationW
SHGetValueW
shlwapi
ShowWindow
SiProc
<;<S<k<
socket
SQLAllocEnv
SQLAllocHandle
SQLColAttributeW
SQLDataSourcesW
SQLDisconnect
SQLDriverConnectW
SQLDriversW
SQLExecDirectW
SQLFetch
SQLFreeHandle
SQLGetData
SQLGetDiagRecW
SQLMoreResults
SQLNumResultCols
SQLSetEnvAttr
SSSSQSj
StartServiceW
SVSSSPQ
|SVWhD
 SVWP3
 SVWPj
SWh`u>
SxWorkProc
>#>S>Z>n>x>
>	>%>t>}>
\$T9\$<u
=:=T=]=c=h=m=t=y=
T$DRWWW
Telnet
TelnetT1
TelnetT2
TerminateProcess
TerminateThread
t>f9Q*u8
T$\hp%?
t*Ht=Ht:Ht7Sh/
t'jhWV
tLHtI-
tMHt=Ht/Ht"j
TranslateMessage
t$ WPVj
tXHtU-
:u_f9G
u h<,?
u h|2?
UnhookWindowsHookEx
/update?id=%8.8x
user32
user32.dll
USER32.dll
userenv
VerQueryValueW
version
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualFreeEx
VirtualProtect
VirtualProtectEx
VirtualQueryEx
;?;V;`;k;
Vt9It"It
Vt;Ht$Ht
VVPQVR
<-<<<W<
WaitForMultipleObjects
WaitForSingleObject
wares.sv9u.com
</<W<f<
WideCharToMultiByte
WindowFromPoint
	WindowFromPoint
wininet
wininet.dll
WNetCloseEnum
WNetEnumResourceW
WNetOpenEnumW
WriteConsoleInputW
WriteFile
WriteProcessMemory
ws2_32
ws2_32.dll
WS2_32.dll
WSACleanup
WSAGetLastError
WSAGetOverlappedResult
WSAIoctl
WSARecv
WSARecvFrom
WSASend
WSASendTo
WSASocketA
WSAStartup
wsprintfA
	wsprintfA
wsprintfW
	wsprintfW
wtsapi32
Wtsapi32
wtsapi32.dll
WTSEnumerateProcessesW
WTSFreeMemory
WTSGetActiveConsoleSessionId
WTSQueryUserToken
<w\u(3
WWWhp+?
WWWQWR
XBase64.cpp
XBoot.cpp
XBuffer.cpp
:X:\:`:d:h:}:
XDList.cpp
XException.cpp
XHide.cpp
XInstall.cpp
XInstallUAC.cpp
XJoin.cpp
XOnline.cpp
XPacket.cpp
XPlgLoader.cpp
XPlug.cpp
XPlugDisk.cpp
XPlugKeyLogger.cpp
XPlugNethood.cpp
XPlugNetstat.cpp
XPlugOption.cpp
XPlugPortMap.cpp
XPlugProcess.cpp
XPlugRegedit.cpp
XPlugScreen.cpp
XPlugService.cpp
XPlugShell.cpp
XPlugSQL.cpp
XPlugTelnet.cpp
XRTL.cpp
XSessionImpersonate.cpp
XSetting.cpp
XSo.cpp
XSoPipe.cpp
XSoTcp.cpp
XSoTcpHttp.cpp
XSoUdp.cpp
XThreadManager.cpp
? ?.?<?Z?b?l?s?z?