| Analysis Date | 2013-09-06 02:54:09 |
|---|---|
| MD5 | 78992bd3080798e6ddec2031b05dce25 |
| SHA1 | bdb9079ef9e3ac73c36aba071d7c046ab530cd4d |
Static Details:
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
|---|---|---|
| Section | .text md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 | |
| Section | .rdata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 | |
| Section | .data md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 | |
| Section | .rsrc md5: e30e84f4a6d80c6c14d4f278602fd204 sha1: 4474b7e6e35b78877bc013935865ec800df074cf size: 73728 | |
| Section | .vmp0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 | |
| Section | .tls md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096 | |
| Section | .vmp1 md5: abba459f6959541d41e10edc1ad976e3 sha1: 312910a41bb39366ed83894149825a21fbdd4f25 size: 745472 | |
| Section | .reloc md5: ef068995177bc3c62aa6a0d88af505dc sha1: e2d73e4ab1da582a2424fa00dbe45c031fddfdd2 size: 4096 | |
| Timestamp | 2012-12-06 18:53:07 | |
| PEhash | 2f516e6ff9b02dc01a5307117c8f60591be5a35c | |
| AV | avira | TR/Crypt.XPACK.Gen |
Runtime Details:
| Screenshot |  |
|---|
Process
↳ C:\malware.exe
| Registry | HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\vga.drv 1024x768x24(BGR 0) ➝ 31,31,31,31\\x00 |
|---|---|
| Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
| Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
| Creates File | SkinH_EL.dll |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\eyybc[1].htm |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lj-cx[1].htm |
| Creates File | \Device\Afd\AsyncConnectHlp |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
| Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
| Creates File | PIPE\lsarpc |
| Creates File | \Device\Afd\Endpoint |
| Creates File | Aero.she |
| Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
| Creates Mutex | WininetConnectionMutex |
| Creates Mutex | c:!documents and settings!administrator!cookies! |
| Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
| Winsock DNS | www.eyybc.com |
| Winsock DNS | www.lj-cx.com |
Network Details:
| DNS | www.lj-cx.com Type: A 147.255.29.124 |
|---|---|
| DNS | www.eyybc.com Type: A 180.153.235.140 |
| HTTP GET | http://www.lj-cx.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
| HTTP GET | http://www.lj-cx.com/xiaomo.html User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
| HTTP GET | http://www.eyybc.com/?fromuid=3034432 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
| Flows TCP | 192.168.1.1:1033 ➝ 147.255.29.124:80 |
| Flows TCP | 192.168.1.1:1032 ➝ 147.255.29.124:80 |
| Flows TCP | 192.168.1.1:1034 ➝ 180.153.235.140:80 |
Raw Pcap
0x00000000 (00000) 47455420 2f204854 54502f31 2e310d0a GET / HTTP/1.1.. 0x00000010 (00016) 41636365 70743a20 2a2f2a0d 0a416363 Accept: */*..Acc 0x00000020 (00032) 6570742d 4c616e67 75616765 3a20656e ept-Language: en 0x00000030 (00048) 2d75730d 0a416363 6570742d 456e636f -us..Accept-Enco 0x00000040 (00064) 64696e67 3a20677a 69702c20 6465666c ding: gzip, defl 0x00000050 (00080) 6174650d 0a557365 722d4167 656e743a ate..User-Agent: 0x00000060 (00096) 204d6f7a 696c6c61 2f342e30 2028636f Mozilla/4.0 (co 0x00000070 (00112) 6d706174 69626c65 3b204d53 49452036 mpatible; MSIE 6 0x00000080 (00128) 2e303b20 57696e64 6f777320 4e542035 .0; Windows NT 5 0x00000090 (00144) 2e313b20 5356313b 202e4e45 5420434c .1; SV1; .NET CL 0x000000a0 (00160) 5220322e 302e3530 37323729 0d0a486f R 2.0.50727)..Ho 0x000000b0 (00176) 73743a20 7777772e 6c6a2d63 782e636f st: www.lj-cx.co 0x000000c0 (00192) 6d0d0a43 6f6e6e65 6374696f 6e3a204b m..Connection: K 0x000000d0 (00208) 6565702d 416c6976 650d0a0d 0a eep-Alive.... 0x00000000 (00000) 47455420 2f786961 6f6d6f2e 68746d6c GET /xiaomo.html 0x00000010 (00016) 20485454 502f312e 310d0a41 63636570 HTTP/1.1..Accep 0x00000020 (00032) 743a202a 2f2a0d0a 41636365 70742d4c t: */*..Accept-L 0x00000030 (00048) 616e6775 6167653a 20656e2d 75730d0a anguage: en-us.. 0x00000040 (00064) 41636365 70742d45 6e636f64 696e673a Accept-Encoding: 0x00000050 (00080) 20677a69 702c2064 65666c61 74650d0a gzip, deflate.. 0x00000060 (00096) 55736572 2d416765 6e743a20 4d6f7a69 User-Agent: Mozi 0x00000070 (00112) 6c6c612f 342e3020 28636f6d 70617469 lla/4.0 (compati 0x00000080 (00128) 626c653b 204d5349 4520362e 303b2057 ble; MSIE 6.0; W 0x00000090 (00144) 696e646f 7773204e 5420352e 313b2053 indows NT 5.1; S 0x000000a0 (00160) 56313b20 2e4e4554 20434c52 20322e30 V1; .NET CLR 2.0 0x000000b0 (00176) 2e353037 3237290d 0a486f73 743a2077 .50727)..Host: w 0x000000c0 (00192) 77772e6c 6a2d6378 2e636f6d 0d0a436f ww.lj-cx.com..Co 0x000000d0 (00208) 6e6e6563 74696f6e 3a204b65 65702d41 nnection: Keep-A 0x000000e0 (00224) 6c697665 0d0a0d0a live.... 0x00000000 (00000) 47455420 2f3f6672 6f6d7569 643d3330 GET /?fromuid=30 0x00000010 (00016) 33343433 32204854 54502f31 2e310d0a 34432 HTTP/1.1.. 0x00000020 (00032) 41636365 70743a20 2a2f2a0d 0a416363 Accept: */*..Acc 0x00000030 (00048) 6570742d 4c616e67 75616765 3a20656e ept-Language: en 0x00000040 (00064) 2d75730d 0a416363 6570742d 456e636f -us..Accept-Enco 0x00000050 (00080) 64696e67 3a20677a 69702c20 6465666c ding: gzip, defl 0x00000060 (00096) 6174650d 0a557365 722d4167 656e743a ate..User-Agent: 0x00000070 (00112) 204d6f7a 696c6c61 2f342e30 2028636f Mozilla/4.0 (co 0x00000080 (00128) 6d706174 69626c65 3b204d53 49452036 mpatible; MSIE 6 0x00000090 (00144) 2e303b20 57696e64 6f777320 4e542035 .0; Windows NT 5 0x000000a0 (00160) 2e313b20 5356313b 202e4e45 5420434c .1; SV1; .NET CL 0x000000b0 (00176) 5220322e 302e3530 37323729 0d0a486f R 2.0.50727)..Ho 0x000000c0 (00192) 73743a20 7777772e 65797962 632e636f st: www.eyybc.co 0x000000d0 (00208) 6d0d0a43 6f6e6e65 6374696f 6e3a204b m..Connection: K 0x000000e0 (00224) 6565702d 416c6976 650d0a0d 0a6c3e0a eep-Alive....l>. 0x000000f0 (00240)
Strings