Analysis Date: 2013-09-06 02:54:09
MD5: 78992bd3080798e6ddec2031b05dce25
SHA1: bdb9079ef9e3ac73c36aba071d7c046ab530cd4d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Sections (name, md5, sha1, raw size):
  .text   md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0
  .rdata  md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0
  .data   md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0
  .rsrc   md5: e30e84f4a6d80c6c14d4f278602fd204  sha1: 4474b7e6e35b78877bc013935865ec800df074cf  size: 73728
  .vmp0   md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0
  .tls    md5: 620f0b67a91f7f74151bc5be745b7110  sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d  size: 4096
  .vmp1   md5: abba459f6959541d41e10edc1ad976e3  sha1: 312910a41bb39366ed83894149825a21fbdd4f25  size: 745472
  .reloc  md5: ef068995177bc3c62aa6a0d88af505dc  sha1: e2d73e4ab1da582a2424fa00dbe45c031fddfdd2  size: 4096

Note: the four size-0 sections carry the md5/sha1 of empty input, i.e. they have no raw data on disk; the .vmp0/.vmp1 section names are the ones VMProtect emits, which is consistent with the generic packed-binary AV verdict below.

Timestamp: 2012-12-06 18:53:07
PEhash: 2f516e6ff9b02dc01a5307117c8f60591be5a35c
AV (avira): TR/Crypt.XPACK.Gen

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\vga.drv 1024x768x24(BGR 0) ➝ 31,31,31,31\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: SkinH_EL.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\eyybc[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lj-cx[1].htm
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: Aero.she
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.eyybc.com
Winsock DNS: www.lj-cx.com

Network Details:

DNS: www.lj-cx.com (Type: A) ➝ 147.255.29.124
DNS: www.eyybc.com (Type: A) ➝ 180.153.235.140
HTTP GET: http://www.lj-cx.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.lj-cx.com/xiaomo.html
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.eyybc.com/?fromuid=3034432
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows: TCP 192.168.1.1:1033 ➝ 147.255.29.124:80
Flows: TCP 192.168.1.1:1032 ➝ 147.255.29.124:80
Flows: TCP 192.168.1.1:1034 ➝ 180.153.235.140:80

Raw Pcap

Strings