Analysis Date: 2014-11-21 14:37:35
MD5: fac5b4bde555358dcd6c6cad2b2afc7e
SHA1: c0796eba70ba7eb5f87139d6076c227700cd4918

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 5268757ba17ddbc7aee5eefdb4b3aacd  sha1: 8857a65f570f2b39ed987d9e3db279d2755dccac  size: 15360
Section .rdata  md5: f2206f7efa4b207234986d0fa99f158d  sha1: 0405d426427298d336f43929b4d9c2a22c545869  size: 1024
Section .data  md5: 42195a97a446a16f7e0b69d2855c7070  sha1: e79fee24d944b4f809eec4853c267fb622be34be  size: 113664
Section .rsrc  md5: b237c54b5156ffca9ce2bf53ccab663f  sha1: 161c0a27641865df1056d8347c492d1b0c96f377  size: 5120
Timestamp: 2009-06-30 16:01:00
Version:
LegalCopyright: Copyright © 2009 XM setup technologies j4
InternalName: yF iphone setup win32 JJe
FileVersion: 4.4.0.0
CompanyName: Jordan Russell
LegalTrademarks:
Comments:
ProductName: internet security Tz
ProductVersion: 4.4.0.0
FileDescription: Setup Self-Extractor j
OriginalFilename: yF iphone setup win32 JJe
Packer: Borland Delphi 4.0
PEhash: f30d40efbbb54a20e97119a28e01c72f68f01076
IMPhash: 68ea27486ebdc8308f6b7ba9eba25b38
AV 360 Safe: Gen:Heur.FKP.1
AV Ad-Aware: Gen:Heur.FKP.1
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): Heur.W32
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV BullGuard: Gen:Heur.FKP.1
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader2.35395
AV Emsisoft: Gen:Heur.FKP.1
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.BGV
AV Fortinet: W32/Krypt.QKV!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado
AV F-Secure: Gen:Heur.FKP.1
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Trojan-Downloader.Win32.Renos
AV K7: Trojan-Downloader ( 001359961 )
AV Kaspersky: Worm.Win32.Skor.cfv
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ai
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.LX
AV MicroWorld (escan): Gen:Heur.FKP.1
AV Rising: Trojan.Win32.Generic.12858C14
AV Sophos: Mal/FakeAV-IZ
AV Symantec: no_virus
AV Trend Micro: TROJ_RENOS.SMRK
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0ESKOMO9JO ➝ C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\0ESKOMO9JO\OteH ➝ xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: falallen.com
Winsock DNS: topkio.com

Process
↳ C:\malware.exe

Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Network Details:

DNS: wsj.com  Type: A  205.203.140.1
DNS: wsj.com  Type: A  205.203.140.65
DNS: wsj.com  Type: A  205.203.132.1
DNS: wsj.com  Type: A  205.203.132.65
DNS: fastclick.com  Type: A  64.156.167.84
DNS: nifty.com  Type: A  210.131.4.217
DNS: falallen.com  Type: A
DNS: topkio.com  Type: A
DNS: phreeway.com  Type: A
DNS: tirefondn.com  Type: A

Strings
W.W..
Q....
v
Yp0
!kr
B
.
.
..

040904E4
 2009 XM setup technologies j4
4.4.0.0
BBABORT
Cannot open file "%s". %s
Comments
CompanyName
Copyright 
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
FileDescription
FileVersion
InternalName
 internet security Tz
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
Jordan Russell
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
ProductName
ProductVersion
Property is read-only
Property %s does not exist
Resource %s not found
s1lm
 Setup Self-Extractor j
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
Translation
VarFileInfo
VS_VERSION_INFO
yF iphone setup win32 JJe
0\2NVw
0u83tS
@1yST!
2\E|dXm
2\lVS^
2rSn1TH
2WQUyo
33333333?333333
333333333333333333
3333333333333338
3333339
333338
33333833
333838
*_^3E`E
4-aki^
"4BO-EHS~y
^~/4(W
4"x<"'
+5^25Q
5DSM0F/
5`RC-#
5Ywprkd6
~6G2Y9
;`6S/,
75	4S2
$7!Jx>[
8"6W_:
'8A^\[=7
8FEznnE
8g	%G@
8j|S_8
8^:RS<
@8y.LI
9x~`@`
a<5Jk~5
{AdXP0
Aj@So;"0
az*`"+
b(|iE$
bjqQuJ
bp0hG0
B,R`tOO
bZjkyX
>`c9i!
%C+I|.
~~CiYj
CloseHandle
CompareStringA
CreateEventA
CreateFileA
criNVx
((CS$Z
@.data
DhAll9
DrawFrameControl
DrawIconEx
DrawMenuBar
DrawTextA
E1vUM4
eng>K}
e&rGQ*
ExitProcess
ExitThread
ExnM_t
`f0q	L
F|10YO(
_fb?2%
FF+Thn
f=I+`I
F%r2jk
F?VHO-
fxnbu	f{
g0kq5@24
G9*765
GetCommandLineW
GetFocus
GetLas2E
GetMenu
GetModuleHandleA
GetSysColorBrush
GetThreadLocale
GetTopWindow
GetWindowTextLengthA
GlobalAlloc
g!YT;q
[G? ?YwHO
h?\[_*
|H^	2W
`^h{4}
h4C-X3
H5mbH;
Ha1~#388
h<I-Na
h$^Iu)
^h"Mr 
I8AhS6P
~#IOOs
IsWindowUnicode
I&U\B?
iU	uVE~
IxIH!D
IZZAQw
ju5X:P
@|,J:X
j^x`^p
KERNEL32.DLL
lgdi32
-}'L:J
l)L$5R
LoadLibraryA
L`pTaM~
lr	4-|
=lRsQtn
L!V39h
=LXZ[M
M,_iR%
Mjqts9
MSXCP60
mtZtx+)
&Mx|CV
^n9 =>$
NFrD3?
-N,HS"
NIQSTRu
+Nru	Y2
oF}gJ{I
)OHG'7
oN4rUH2
&OobiD
^"P'@~
>pdB*.DC
pMdMNc
p-"np,/W
pQKHN2
Q~3X.%
Q}#'6l
_.q8:J_
QJVVErCu
~|	Q.P
qS**69
^qWd)wM!
]R*A\x
`.rdat
`.rdata
RH%xb+
rN|r8=
%R_q0)
rsVhX_
(*s^/=
_S2px_J@24
s"E&b8W
ShQ{F9}
SP}T*,
=SSqN0^t
SVjgo#
Sx>k, E
#SZ?S?
=t0>!R
t8	9&&
This program must be run under Win32
tLKx^/
~T>Su9.
?TUJgnn+pBrV1
uE[qHd
u,OI`=
{u-RHr
user32.dll
v0z5ax
v1n`i@K
|	Vd.6Y$
VirtualAllocEx
(V%k"5uf
 \vT,yaQ
w|%2,8
w6rbOzWH
W/k-fb
_WPtSTpU100R
XD4	z|~
_Xfe|Bf
xlEREp
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
=xqHr<~
X@Qm6t
xT].Lal
xVvY3XX
Y)<Ba!b
YE&^'e
yF iphone setup win32 JJe
YSGquG
z6gMHm
_`ZNtOV
ZOLEAUTv
ZQSPH+
zR'{cv
zt7Kh8d