Analysis | #totalhash

Analysis Date	2013-11-04 15:05:19
MD5	5990c59728e9d63db33aaae5e8eace05
SHA1	bdbc10692e55e276a0249c82f1b6369eb00b3405

Static Details:

File type	MS-DOS executable, PE for MS Windows (GUI) Intel 80386 32-bit
Section	md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section	md5: 7f933afd5b3e319046842bbc6844fa7a sha1: 0d2e71d14cd1bebece3a296b8d0ca0259abb28b9 size: 44933
Timestamp	1987-09-11 01:35:02
Version	InternalName: setup1002 FileVersion: 1.00 CompanyName: Microsoft Corporation ProductName: Microsoft(R) Windows(R) Operating System ProductVersion: 1.00 OriginalFilename: setup1002.exe
Packer	FSG v2.0
PEhash	16a89834ae69872cbdd5c8ce080b1ff18e60bb1f
AV	msse	Worm:Win32/Nuj.B
AV	avg	SHeur2.CFLA.dropper
AV	avira	TR/Crypt.FKM.Gen

Runtime Details:

Screenshot

Process
↳ C:\malware.bin

Creates Process	C:\malware.bin

Process
↳ C:\malware.bin

Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File	PIPE\wkssvc
Creates File	C:\WINDOWS\system32\cideamon.exe
Creates File	C:\WINDOWS\system32\winIogon.exe
Creates File	C:\WINDOWS\system32\syswindows.ini
Creates Process	"C:\WINDOWS\system32\winIogon.exe"

Process
↳ "C:\WINDOWS\system32\cideamon.exe"

Registry	HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\~DFE1D4.tmp
Creates File	C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File	\Device\Netbios
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File	C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ip138[1].htm
Creates File	C:\WINDOWS\system32\qqver.txt
Creates File	PIPE\lsarpc
Creates File	\Device\Afd\Endpoint
Creates Mutex	c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex	WininetConnectionMutex
Creates Mutex	c:!documents and settings!administrator!cookies!
Creates Mutex	c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS	www.ip138.cn
Winsock DNS	www.ip138.com
Winsock DNS	u.nowpride.com

Process
↳ "C:\WINDOWS\system32\winIogon.exe"

Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File	PIPE\wkssvc
Deletes File	C:\WINDOWS\system32\syswindows.ini
Creates Process	"C:\WINDOWS\system32\cideamon.exe"
Creates Service	Network Access Security Agent - C:\WINDOWS\system32\winIogon.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File	WMIDataDevice

Process
↳ Pid 840

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1096

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File	WMIDataDevice

Process
↳ Pid 1844

Process
↳ Pid 1116

Network Details:

DNS	yd.ecoma.glb0.lxdns.com Type: A 209.170.78.73
DNS	yd.ecoma.glb0.lxdns.com Type: A 209.170.78.72
DNS	www.ip138.cn Type: A 218.133.22.66
DNS	www.ip138.com Type: A
DNS	u.nowpride.com Type: A
HTTP GET	http://www.ip138.com/ips.asp User-Agent: MyAgent
HTTP GET	http://www.ip138.cn/ User-Agent: MyAgent
Flows TCP	192.168.1.1:1031 ➝ 209.170.78.73:80
Flows TCP	192.168.1.1:1032 ➝ 218.133.22.66:80

Raw Pcap

0x00000000 (00000)   47455420 2f697073 2e617370 20485454   GET /ips.asp HTT
0x00000010 (00016)   502f312e 310d0a55 7365722d 4167656e   P/1.1..User-Agen
0x00000020 (00032)   743a204d 79416765 6e740d0a 486f7374   t: MyAgent..Host
0x00000030 (00048)   3a207777 772e6970 3133382e 636f6d0d   : www.ip138.com.
0x00000040 (00064)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000050 (00080)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d794167   User-Agent: MyAg
0x00000020 (00032)   656e740d 0a486f73 743a2077 77772e69   ent..Host: www.i
0x00000030 (00048)   70313338 2e636e0d 0a436163 68652d43   p138.cn..Cache-C
0x00000040 (00064)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000050 (00080)   0d0a0d0a 74657874 2f68746d 6c0d0a44   ....text/html..D
0x00000060 (00096)   6174653a 204d6f6e 2c203034 204e6f76   ate: Mon, 04 Nov
0x00000070 (00112)   20323031 33203134 3a35333a 33382047    2013 14:53:38 G
0x00000080 (00128)   4d540d0a 0d0a3c68 746d6c3e 0a20203c   MT....<html>.  <
0x00000090 (00144)   68656164 3e0a2020 20203c74 69746c65   head>.    <title
0x000000a0 (00160)   3e343034 204e6f74 20466f75 6e643c2f   >404 Not Found</
0x000000b0 (00176)   7469746c 653e0a20 203c2f68 6561643e   title>.  </head>
0x000000c0 (00192)   0a20203c 626f6479 3e0a2020 20203c68   .  <body>.    <h
0x000000d0 (00208)   313e4e6f 7420466f 756e643c 2f68313e   1>Not Found</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

Strings

080404B0
1.00
CompanyName
CUSTOM
FileVersion
InternalName
Microsoft Corporation
Microsoft(R) Windows(R) Operating System
OriginalFilename
ProductName
ProductVersion
setup1002
setup1002.exe
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
0">Dx}
:"1\En
1l	{K 1
@1<S	D'F
`21h	x$
_2)4#=
{ 2$c%m
2-!\;N
2)PL%R
".39YV"	qD
3B!O"	\Div
3y4N|!0
$<"\,4
*40C0)
<4f(8	D<L
<4LhiP
4pYm*x
4Rm<!h}q(
($5\)x
6++* `
6LTC	P
6.=OLZ
7"NEHqei2<
7)r3 cOp
8(+3q+
`8pe\nrp
8YVR0sGh
<9@vBEX
a4@)A?
A6.8DL
Ab/p,L
acVvN|
adv2piu
AHsi#:
^&aqRs
b# `'_6
BXh`#i
By,i@YT#~+t
CacheE{n
!\>C|BH|D83L
#cef7l
;`C'Eu
^CF!`D0m
chs.d]fFS*"
chs.dl
}CRO8I(D
C,*x$C(*
d0jbW 
d\&1GL)H
d4Z[!{Qh`K-Il
D6hdIm"
]d`92S
-Dfl!H+
dfyT^(
DlDFun
D?OS%mXI8.
e6&i.U
!ej L(S
eN2\1_
er)M%<S
E"	SDeg
ET]QH:
EV NT_SuIuK
\{Evu~
ExScu2
*eXyMPI
#f&4TRn_S
f8>aRa,
fb9dx	
$f"&CT
fold!I-
f*Tjpg
%<^FU!
 !]G&#`
GetProcAddress
%_gLI]QH
gMyxaO(
'g	t6|
gTQPRR
H'|dUP"!
+Hex%l
h`m+pN\
HW-96s
&\	I+@
I1 \LD
I9 &'|R
#I+d9	
IHX0Wr@Y/
itAYR+
IwZy%U
I]Y:h4RWV
j46}#2.
:"	JDT^
jEZ@=D|
<Jf Q	D`
KERNEL32.dll
"{Kl>#
):l4tpsTh
Ld<2,)
L d4/%oW
!LeIWY
Li)gJX
LoadLibraryA
Lueg1lr
lX;<TV
m|~-!>?
]mpHZ]
MtFd U{
	+\"n|
N'e79,
NIrb82
NXV^QP
O"P#<3
@`OS_)MRx	:N(
Ox-\ t
p:E/	L
PL]k+]7e	<+
pN81w%W_
PP8M5AC
ppVpBp9g8
 prog3am
+(P.t9ex
pzqSdpl`
q"\dp	zH
qhcEk"
RaC`0q
R/ouB;Mw
.rrspc
(r'*Rv
%RuE2%um
SHDocV
?s;M7c ~Bft 
sR;qu)sLD
 sultCh
' t( F*D]|
Th	is p
T-_kgn
tL(P%ct
!TQ_	^
!tZ.<"
=T'Zuv
VB5!6&:vb
vb^J60
VE3D"	3RG
V'.p.G
Vymp~X
	wdZE,`
+WE|j;
winIorg
,wnh1 9
&xBtCJ
Y4$p(&
YK<Q68
yO1v`K
Z&(#)?C