Analysis Date: 2015-10-11 19:00:53
MD5: 575db321ec6b302e22753bfb995ab407
SHA1: c8aa8e48f8fe85281c61db0f5cff9e5da2e79e65

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text:  md5: cd781a8953c7676282846381cd2f585c sha1: 22f10b05e90eaea967ba788796f1e6ce4b73d378 size: 77824
Section .rdata: md5: dbe3d8a97dd41fedeb789ce523313154 sha1: f347e9bbe75ada069ea44ea6a9fabc7ff44be2d0 size: 10752
Section .data:  md5: 85944440aeb876fb61376fe6deecc22e sha1: d6e2609778c76452bf1d49b91cc1b29276cb0dbe size: 7168
Section .rsrc:  md5: 201eea47f80f1ae976788ff5ac6d1358 sha1: a45169d7935615976270e9e99d9121379f79fd06 size: 573440
Section .reloc: md5: 80c647c743816381d171b5fa4470220e sha1: 04d0ffdb1981465f880a46d5e03e266734136eaf size: 6656
Timestamp: 2015-09-10 04:33:04
PDB path: G:\Working\SVN\vc\XP2P\NP2P\Release\NP2P.pdb
Version:
  LegalCopyright: Copyright (C) 2015
  InternalName: NP2P
  FileVersion: 1, 1, 15, 910
  ProductName: NP2P 应用程序 (NP2P Application)
  ProductVersion: 1, 1, 15, 910
  FileDescription: NP2P 应用程序 (NP2P Application)
  OriginalFilename: NP2P.exe
Packer: Microsoft Visual C++ ?.?
PEhash: d9dbc2059b107429c97c6af6a4c33d13f0e39ac9
IMPhash: 1f1e457af2c3479681d26d73af8e0de1
AV Emsisoft: Trojan.GenericKD.2747933
AV BitDefender: Trojan.GenericKD.2747933
AV Padvish: no_virus
AV Twister: no_virus
AV Ikarus: Trojan.Backdoor.PoisonIvy
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV F-Secure: Trojan.GenericKD.2747933
AV BullGuard: Trojan.GenericKD.2747933
AV Grisoft (avg): BackDoor.PoisonIvy.AT.dropper
AV Authentium: W32/Downloader.C.gen!Eldorado
AV MalwareBytes: no_virus
AV Trend Micro: no_virus
AV Microsoft Security Essentials: Trojan:Win32/MultiInjector.A!rfn
AV Mcafee: no_virus
AV Eset (nod32): no_virus
AV Frisk (f-prot): W32/Downloader.C.gen!Eldorado
AV MicroWorld (escan): Trojan.GenericKD.2747933
AV VirusBlokAda (vba32): BScope.Trojan.SvcHorse.01643
AV Dr. Web: Trojan.DownLoader16.35178
AV Zillya!: Dropper.Injector.Win32.71450
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV Fortinet: W32/Injector.NKFL!tr
AV Kaspersky: Trojan-Dropper.Win32.Injector.nkfl
AV K7: Riskware ( 0040eff71 )
AV Ad-Aware: Trojan.GenericKD.2747933
AV Arcabit (arcavir): Trojan.GenericKD.2747933:Gen:Variant.Graftor.247498
AV Symantec: no_virus
AV ClamAV: no_virus
AV Avira (antivir): TR/Hijacker.Gen

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\w8178i8\mxrAm6J.dll
Creates File: C:\WINDOWS\system32\drivers\xtfilemon.inf
Creates File: C:\WINDOWS\w8178i8\eUuUo11.dll
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\WINDOWS\j1r0aSQ.sys
Creates File: C:\WINDOWS\SBYQDLP\sccon0987.txt
Creates File: C:\WINDOWS\system32\drivers\xtfilemon.sys
Creates File: C:\WINDOWS\system32\drivers\blackList.base
Creates File: \Device\Afd\Endpoint
Deletes File: C:/WINDOWS/j1r0aSQ.sys
Creates Process: C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/w8178i8/mxrAm6J.dll,DllLoadX dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDc1IHBhcmFtOg==
Creates Process: c:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf
Creates Process: net start xtfilemon
Creates Process: c:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf
Creates Process: C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/w8178i8/mxrAm6J.dll,DllLoad dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDcxIHBhcmFtOg==
Creates Mutex: XROMain
Creates Service: gW717 - C:/WINDOWS/j1r0aSQ.sys
Winsock URL: http://cdn.p2ptool.com/p2p/black.txt

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\RUNONCE.EXE-2803F297.pf
Creates File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-16097A94.pf
Creates File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-45F0D13A.pf
Creates File: C:\WINDOWS\Prefetch\C8AA8E48F8FE85281C61DB0F5CFF9-056766E2.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-45D20510.pf
Creates File: C:\WINDOWS\Prefetch\GRPCONV.EXE-111CD845.pf
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-2FD9DDCF.pf
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1212

Process
↳ Pid 1328

Process
↳ Pid 1868

Process
↳ Pid 1248

Process
↳ C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/w8178i8/mxrAm6J.dll,DllLoad dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDcxIHBhcmFtOg==

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: M2ProcProt
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: XMX_XP2P_YT_3275
Creates Mutex: XROMain
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: np2p.soomeng.com

Process
↳ C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/w8178i8/mxrAm6J.dll,DllLoadX dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDc1IHBhcmFtOg==

Creates File: \Device\Tcp
Creates Mutex: ZonesLockedCacheCounterMutex
Creates Mutex: ZonesCounterMutex
Creates Mutex: ZonesCacheCounterMutex

Process
↳ c:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf

Creates File: PIPE\lsarpc

Process
↳ c:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\xtfilemon\DebugFlags ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv ➝ grpconv -o\x00
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\GroupOrderList\FSFilter Activity Monitor ➝ NULL
Creates Process: runonce -r
Creates Service: xtfilemon - system32\DRIVERS\xtfilemon.sys

Process
↳ net start xtfilemon

Creates Process: net1 start xtfilemon

Process
↳ runonce -r

Creates Process: C:\WINDOWS\system32\grpconv.exe -o

Process
↳ net1 start xtfilemon

Starts Service: xtfilemon

Process
↳ C:\WINDOWS\system32\grpconv.exe -o

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GrpConv\Log ➝ Init Application.\x00
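
The process tree above is the dropper's complete install chain: rundll32 loads mxrAm6J.dll out of a random-named directory under the Windows directory and passes a base64 argument to an export; a second rundll32 call into syssetup's SetupInfObjectInstallAction runs the DefaultInstall section of xtfilemon.inf, which registers the xtfilemon driver service; net start then loads the driver. The runonce -r / grpconv -o pair and the RunOnce\GrpConv value that follow are the normal side effects of an INF install through syssetup, not something specific to this sample. The two base64 arguments decode to "type:p2p path: funcname:@75 param:" and "type:p2p path: funcname:@71 param:", so the export is being handed an ordinal-style function selector. The script below is an added triage example, not code from the report or from the sample's author; it parses the "Creates Process" lines copied from the report and returns the findings a triager would act on. The trusted-directory list and the finding names are my own choices.

```python
import base64
import ntpath
import shlex

# "Creates Process" entries copied from the C:\malware.exe process tree in the report above.
PROCESS_LINES = [
    "C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/w8178i8/mxrAm6J.dll,DllLoadX "
    "dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDc1IHBhcmFtOg==",
    "c:\\windows\\system32\\rundll32.exe syssetup,SetupInfObjectInstallAction "
    "DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf",
    "net start xtfilemon",
    "C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/w8178i8/mxrAm6J.dll,DllLoad "
    "dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDcxIHBhcmFtOg==",
]

# Directories from which rundll32 normally loads DLLs (my choice; tune per environment).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _tokens(cmdline):
    """Split a recorded command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def _norm(path):
    """Fold the mixed slash styles sandboxes emit into a lower-case Windows path."""
    return path.replace("/", "\\").lower()


def decode_b64_arg(token):
    """Return the printable text a base64 token decodes to, or None if it is not base64."""
    if len(token) < 8 or len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def parse_rundll32(cmdline):
    """Parse 'rundll32 <dll>,<export> [args...]'; return None for any other command."""
    toks = _tokens(cmdline)
    if len(toks) < 2 or ntpath.basename(_norm(toks[0])) != "rundll32.exe":
        return None
    dll, _, export = toks[1].partition(",")
    return {"dll": dll, "export": export or None, "args": toks[2:]}


def triage(lines):
    """Walk the recorded process creations and return the findings worth a second look."""
    findings = []
    for line in lines:
        r = parse_rundll32(line)
        if r is not None:
            dll = _norm(r["dll"])
            # rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 <inf> runs the
            # INF's DefaultInstall section; here that registers the xtfilemon driver service.
            if dll in ("syssetup", "syssetup.dll") and r["export"] == "SetupInfObjectInstallAction":
                findings.append({"kind": "inf_install", "inf": r["args"][-1], "line": line})
            elif dll.endswith(".dll") and not dll.startswith(TRUSTED_DLL_DIRS):
                # DLL loaded from outside the system directories: decode any base64 argument
                # so the analyst sees what the export was actually told to do.
                decoded = [decode_b64_arg(a) for a in r["args"]]
                findings.append({"kind": "rundll32_untrusted_dll", "dll": r["dll"],
                                 "export": r["export"],
                                 "decoded_args": [d for d in decoded if d], "line": line})
            continue
        toks = _tokens(line)
        exe = ntpath.basename(_norm(toks[0])).split(".")[0] if toks else ""
        # net/net1 start <service>: the driver that was just installed is being loaded.
        if exe in ("net", "net1") and len(toks) >= 3 and toks[1].lower() == "start":
            findings.append({"kind": "service_start", "service": toks[2], "line": line})
    return findings


if __name__ == "__main__":
    for finding in triage(PROCESS_LINES):
        print(finding)
```

Run against the four lines it yields an untrusted-DLL finding for each DllLoadX/DllLoad call with the argument decoded, one inf_install finding pointing at xtfilemon.inf, and one service_start for xtfilemon. The base64 check deliberately requires a strict decode to printable text, so ordinary tokens such as "DefaultInstall" or "128" are never reported as encoded arguments.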

Network Details:

DNS: www.a.shifen.com (Type: A) ➝ 103.235.46.39
DNS: a1574.b.akamai.net (Type: A) ➝ 23.15.9.171
DNS: a1574.b.akamai.net (Type: A) ➝ 23.15.9.178
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.239.17
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.239.17
DNS: www.baidu.com (Type: A)
DNS: www.qq.com (Type: A)
DNS: cdn.p2ptool.com (Type: A)
DNS: np2p.soomeng.com (Type: A)
HTTP GET: http://cdn.p2ptool.com/p2p/black.txt
  User-Agent: Test
HTTP GET: http://np2p.soomeng.com/bmy/?usr=longtrans.0&mac=XXXXXXXXXXXX&ver=1.1.15.910
  User-Agent: Test
Flows TCP: 192.168.1.1:1031 ➝ 23.15.9.171:80
Flows TCP: 192.168.1.1:1034 ➝ 8.37.239.17:80
Flows TCP: 192.168.1.1:1035 ➝ 8.37.239.17:80

Raw Pcap
0x00000000 (00000)   47455420 2f703270 2f626c61 636b2e74   GET /p2p/black.t
0x00000010 (00016)   78742048 5454502f 312e310d 0a436f6e   xt HTTP/1.1..Con
0x00000020 (00032)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x00000030 (00048)   6976650d 0a557365 722d4167 656e743a   ive..User-Agent:
0x00000040 (00064)   20546573 740d0a41 63636570 743a202a    Test..Accept: *
0x00000050 (00080)   2e2a2c0d 0a416363 6570742d 456e636f   .*,..Accept-Enco
0x00000060 (00096)   64696e67 3a20677a 69702c64 65666c61   ding: gzip,defla
0x00000070 (00112)   74650d0a 486f7374 3a206364 6e2e7032   te..Host: cdn.p2
0x00000080 (00128)   70746f6f 6c2e636f 6d0d0a0d 0a         ptool.com....

0x00000000 (00000)   47455420 2f626d79 2f3f7573 723d6c6f   GET /bmy/?usr=lo
0x00000010 (00016)   6e677472 616e732e 30266d61 633d5858   ngtrans.0&mac=XX
0x00000020 (00032)   58585858 58585858 58582676 65723d31   XXXXXXXXXX&ver=1
0x00000030 (00048)   2e312e31 352e3931 30204854 54502f31   .1.15.910 HTTP/1
0x00000040 (00064)   2e310d0a 436f6e6e 65637469 6f6e3a20   .1..Connection: 
0x00000050 (00080)   4b656570 2d416c69 76650d0a 55736572   Keep-Alive..User
0x00000060 (00096)   2d416765 6e743a20 54657374 0d0a4163   -Agent: Test..Ac
0x00000070 (00112)   63657074 3a202a2e 2a2c0d0a 41636365   cept: *.*,..Acce
0x00000080 (00128)   70742d45 6e636f64 696e673a 20677a69   pt-Encoding: gzi
0x00000090 (00144)   702c6465 666c6174 650d0a48 6f73743a   p,deflate..Host:
0x000000a0 (00160)   206e7032 702e736f 6f6d656e 672e636f    np2p.soomeng.co
0x000000b0 (00176)   6d0d0a0d 0a                           m....
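
The two requests in the Raw Pcap above are the sample's entire recorded network behaviour: a fetch of black.txt from cdn.p2ptool.com and a check-in to np2p.soomeng.com whose query string carries a user tag, a mac= field shown as XXXXXXXXXXXX and ver=1.1.15.910, which is the FileVersion from the PE's version resource. Both requests use the User-Agent "Test" and the header "Accept: *.*," (not a valid media range), which together make a cheap network signature. As an added example that is not part of the report, the script below rebuilds the raw bytes from the hex-dump format the report uses, parses the HTTP requests and derives those indicators; the dump text is copied from the report, while the indicator checks and the browser User-Agent heuristic are my own assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The two "Raw Pcap" dumps copied verbatim from the report above.
RAW_DUMPS = [
    """
0x00000000 (00000)   47455420 2f703270 2f626c61 636b2e74   GET /p2p/black.t
0x00000010 (00016)   78742048 5454502f 312e310d 0a436f6e   xt HTTP/1.1..Con
0x00000020 (00032)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x00000030 (00048)   6976650d 0a557365 722d4167 656e743a   ive..User-Agent:
0x00000040 (00064)   20546573 740d0a41 63636570 743a202a    Test..Accept: *
0x00000050 (00080)   2e2a2c0d 0a416363 6570742d 456e636f   .*,..Accept-Enco
0x00000060 (00096)   64696e67 3a20677a 69702c64 65666c61   ding: gzip,defla
0x00000070 (00112)   74650d0a 486f7374 3a206364 6e2e7032   te..Host: cdn.p2
0x00000080 (00128)   70746f6f 6c2e636f 6d0d0a0d 0a         ptool.com....
""",
    """
0x00000000 (00000)   47455420 2f626d79 2f3f7573 723d6c6f   GET /bmy/?usr=lo
0x00000010 (00016)   6e677472 616e732e 30266d61 633d5858   ngtrans.0&mac=XX
0x00000020 (00032)   58585858 58585858 58582676 65723d31   XXXXXXXXXX&ver=1
0x00000030 (00048)   2e312e31 352e3931 30204854 54502f31   .1.15.910 HTTP/1
0x00000040 (00064)   2e310d0a 436f6e6e 65637469 6f6e3a20   .1..Connection: 
0x00000050 (00080)   4b656570 2d416c69 76650d0a 55736572   Keep-Alive..User
0x00000060 (00096)   2d416765 6e743a20 54657374 0d0a4163   -Agent: Test..Ac
0x00000070 (00112)   63657074 3a202a2e 2a2c0d0a 41636365   cept: *.*,..Acce
0x00000080 (00128)   70742d45 6e636f64 696e673a 20677a69   pt-Encoding: gzi
0x00000090 (00144)   702c6465 666c6174 650d0a48 6f73743a   p,deflate..Host:
0x000000a0 (00160)   206e7032 702e736f 6f6d656e 672e636f    np2p.soomeng.co
0x000000b0 (00176)   6d0d0a0d 0a                           m....
""",
]

# hex offset, (decimal offset), 1-4 hex words joined by single spaces, then the ASCII gutter.
HEX_LINE = re.compile(
    r"^0x[0-9a-fA-F]+\s+\(\d+\)\s+((?:[0-9a-fA-F]{2,8} )*[0-9a-fA-F]{2,8})(?:\s{2,}|\s*$)"
)


def hexdump_to_bytes(dump):
    """Rebuild the raw bytes from the offset / hex-words / ASCII-gutter dump format."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_http_request(raw):
    """Parse one HTTP/1.x request into method, path, query, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {
        "method": method,
        "path": url.path,
        "query": {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()},
        "version": version,
        "host": headers.get("host", ""),
        "headers": headers,
        "body": body,
    }


def beacon_indicators(req, file_version=None):
    """Cheap, explainable signals that a request is an implant check-in rather than browsing."""
    notes = []
    ua = req["headers"].get("user-agent", "")
    if not ua.lower().startswith(("mozilla/", "opera/")):   # heuristic, my assumption
        notes.append(f"non-browser User-Agent {ua!r}")
    accept = req["headers"].get("accept")
    if accept is not None and "/" not in accept:
        notes.append(f"Accept {accept!r} is not a media range (hand-rolled HTTP client)")
    if "mac" in req["query"]:
        notes.append("host identifier (mac=) sent in the query string")
    if file_version and req["query"].get("ver") == file_version:
        notes.append(f"ver={file_version} matches the dropper's FileVersion resource")
    return notes


def analyse(dumps, file_version=None):
    """Decode each dump and pair the parsed request with its indicators."""
    return [(r, beacon_indicators(r, file_version))
            for r in (parse_http_request(hexdump_to_bytes(d)) for d in dumps)]


if __name__ == "__main__":
    for req, notes in analyse(RAW_DUMPS, file_version="1.1.15.910"):
        print(req["method"], req["host"], req["path"], req["query"])
        for n in notes:
            print("  -", n)
```

The dump parser keys on the hex words being separated by single spaces and from the ASCII gutter by at least two, so a gutter that happens to start with hex-looking characters is not swallowed; the short final line of each dump (13 and 5 bytes) is handled by the same rule. Feeding the second request through the indicator checks flags all four signals, and the first request flags the two header-based ones.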


Strings