Analysis Date: 2015-10-28 17:28:28
MD5: 18859e5fa821e8e3d3c18541838c7381
SHA1: bcaf623ca651090304d0c181e5bd7a9ff3db998d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: cd781a8953c7676282846381cd2f585c sha1: 22f10b05e90eaea967ba788796f1e6ce4b73d378 size: 77824
Section .rdata md5: dbe3d8a97dd41fedeb789ce523313154 sha1: f347e9bbe75ada069ea44ea6a9fabc7ff44be2d0 size: 10752
Section .data md5: 85944440aeb876fb61376fe6deecc22e sha1: d6e2609778c76452bf1d49b91cc1b29276cb0dbe size: 7168
Section .rsrc md5: 201eea47f80f1ae976788ff5ac6d1358 sha1: a45169d7935615976270e9e99d9121379f79fd06 size: 573440
Section .reloc md5: 80c647c743816381d171b5fa4470220e sha1: 04d0ffdb1981465f880a46d5e03e266734136eaf size: 6656
Timestamp: 2015-09-10 04:33:04
Pdb path: G:\Working\SVN\vc\XP2P\NP2P\Release\NP2P.pdb
Version:
  LegalCopyright: Copyright (C) 2015
  InternalName: NP2P
  FileVersion: 1, 1, 15, 910
  ProductName: NP2P 应用程序
  ProductVersion: 1, 1, 15, 910
  FileDescription: NP2P 应用程序
  OriginalFilename: NP2P.exe
Packer: Microsoft Visual C++ ?.?
PEhash: d9dbc2059b107429c97c6af6a4c33d13f0e39ac9
IMPhash: 1f1e457af2c3479681d26d73af8e0de1
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/Hijacker.Gen
AV Twister: no_virus
AV Ad-Aware: Trojan.GenericKD.2747933
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): no_virus
AV Grisoft (avg): BackDoor.PoisonIvy.AT.dropper
AV Symantec: no_virus
AV Fortinet: W32/Generic!tr
AV BitDefender: Trojan.GenericKD.2747933
AV K7: Riskware ( 0040eff71 )
AV Microsoft Security Essentials: Trojan:Win32/MultiInjector.A!rfn
AV MicroWorld (escan): Trojan.GenericKD.2747933
AV MalwareBytes: no_virus
AV Authentium: W32/Downloader.C.gen!Eldorado
AV Frisk (f-prot): W32/Downloader.C.gen!Eldorado
AV Ikarus: Trojan.Backdoor.PoisonIvy
AV Emsisoft: Trojan.GenericKD.2747933
AV Zillya!: Dropper.Injector.Win32.71450
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): BScope.Trojan.SvcHorse.01643
AV Padvish: no_virus
AV BullGuard: Trojan.GenericKD.2747933
AV Arcabit (arcavir): Trojan.GenericKD.2747933:Gen:Variant.Graftor.247498
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader16.35178
AV F-Secure: Trojan.GenericKD.2747933
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File C:\WINDOWS\system32\drivers\xtfilemon.inf
Creates File \Device\Afd\AsyncConnectHlp
Creates File C:\WINDOWS\SBYQDLP\sccon0987.txt
Creates File C:\WINDOWS\system32\drivers\xtfilemon.sys
Creates File C:\WINDOWS\z9289l9\pauDp7M.dll
Creates File C:\WINDOWS\system32\drivers\blackList.base
Creates File C:\WINDOWS\m2u1dVT.sys
Creates File \Device\Afd\Endpoint
Creates File C:\WINDOWS\z9289l9\hXxXr22.dll
Deletes File C:/WINDOWS/m2u1dVT.sys
Creates Process C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/z9289l9/pauDp7M.dll,DllLoad dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDcxIHBhcmFtOg==
Creates Process net start xtfilemon
Creates Process c:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf
Creates Process c:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf
Creates Process C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/z9289l9/pauDp7M.dll,DllLoadX dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDc1IHBhcmFtOg==
Creates Mutex XROMain
Creates Service jZ828 - C:/WINDOWS/m2u1dVT.sys
Winsock URL http://cdn.p2ptool.com/p2p/black.txt

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝
NULL
Creates File PIPE\lsarpc
Creates File \Device\Afd\Endpoint
Creates File C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1856

Process
↳ Pid 1144

Process
↳ C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/z9289l9/pauDp7M.dll,DllLoad dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDcxIHBhcmFtOg==

Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File PIPE\lsarpc
Creates File \Device\Afd\Endpoint
Creates File M2ProcProt
Creates File \Device\Afd\AsyncConnectHlp
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex XMX_XP2P_YT_3275
Creates Mutex XROMain
Creates Mutex WininetConnectionMutex
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS np2p.soomeng.com

Process
↳ C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/z9289l9/pauDp7M.dll,DllLoadX dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDc1IHBhcmFtOg==

Creates File \Device\Tcp
Creates Mutex ZonesLockedCacheCounterMutex
Creates Mutex ZonesCounterMutex
Creates Mutex ZonesCacheCounterMutex

Process
↳ c:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf

Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\xtfilemon\DebugFlags ➝
NULL
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv ➝
grpconv -o\\x00
Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\GroupOrderList\FSFilter Activity Monitor ➝
NULL
Creates Process runonce -r
Creates Service xtfilemon - system32\DRIVERS\xtfilemon.sys

Process
↳ c:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf

Creates File PIPE\lsarpc

Process
↳ net start xtfilemon

Creates Process net1 start xtfilemon

Process
↳ runonce -r

Creates Process C:\WINDOWS\system32\grpconv.exe -o

Process
↳ net1 start xtfilemon

Starts Service xtfilemon

Process
↳ C:\WINDOWS\system32\grpconv.exe -o

Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GrpConv\Log ➝
Init Application.\\x00

Network Details:

DNS www.a.shifen.com
Type: A
103.235.46.39
DNS so.qh-lb.com
Type: A
106.120.160.134
DNS 1st.ecoma.ourwebpic.com
Type: A
8.37.234.3
8.37.234.4
8.37.235.3
8.37.235.5
8.37.235.6
8.37.236.2
8.37.236.3
8.37.236.5
8.37.236.6
8.37.231.20
8.37.231.21
8.37.231.22
DNS www.baidu.com
Type: A
DNS www.so.com
Type: A
DNS cdn.p2ptool.com
Type: A
DNS np2p.soomeng.com
Type: A
HTTP GET http://np2p.soomeng.com/bmy/?usr=abzhang.0&mac=XXXXXXXXXXXX&ver=1.1.15.910
User-Agent: Test
HTTP GET http://cdn.p2ptool.com/p2p/black.txt
User-Agent: Test
Flows TCP 192.168.1.1:1031 ➝ 106.120.160.134:80
Flows TCP 192.168.1.1:1034 ➝ 8.37.234.3:80
Flows TCP 192.168.1.1:1036 ➝ 8.37.231.22:80

Raw Pcap

Strings