Analysis Date: 2014-06-29 04:10:34
MD5: 5001fb76264cfed2b6427a3753d3f2ab
SHA1: c9f6bfb85a0de393b4bed6cf23e41405286014e5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 1cba9c50056425f89679a53cc4c64365 sha1: 45e13a78b0a5f4da20299f68f0a68c2b69429fab size: 20480
Section: .rdata md5: afce8922ba567eb2ec3d2b102f670c65 sha1: ae7a300e601d7e2592c40695177f796a968a1247 size: 4096
Section: .data md5: a3a1fdd93d8b73ace91777489233ca3a sha1: ea7ba4e8c4a7e4fa6f48d955bc96cc4d7be47129 size: 12288
Timestamp: 2012-08-18 16:52:29
Packer: Installer VISE Custom
PEhash: a87e705d2b3cffa7a435408152db7151136b8d44
IMPhash: d5d694b48734c9b2c5568261b535a42d
AV 360 Safe: Trojan.PSW.Win32.GameOnline.EP
AV Ad-Aware: Gen:Variant.Zusy.25484
AV Alwil (avast): Downloader-QEC [Trj]
AV Arcabit (arcavir): Trojan.Alyak.f
AV Authentium: W32/Sadenav.E.gen!Eldorado
AV Avira (antivir): TR/Alyak.B
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Alyak.B3
AV ClamAV: Win.Trojan.Alyak-8
AV Dr. Web: Trojan.DownLoader6.35874
AV Emsisoft: Gen:Variant.Zusy.25484
AV Eset (nod32): Win32/Alyak.A
AV Fortinet: W32/Agent.TODU!tr
AV Frisk (f-prot): W32/Sadenav.E.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Variant.Zusy.25484
AV Grisoft (avg): Generic29.ZVM
AV Ikarus: Trojan.Win32.Alyak
AV K7: Trojan ( 0040516f1 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Spyware.OnlineGames
AV Mcafee: Downloader-FCJ
AV Microsoft Security Essentials: TrojanDownloader:Win32/Kanav.B
AV MicroWorld (escan): Gen:Variant.Zusy.25484
AV Norman: win32:win32/SB/Obfuscated_FA
AV Rising: Trojan.Downloader!56ED
AV Sophos: Troj/Alyak-B
AV Symantec: Trojan.Gen
AV Trend Micro: TROJ_ALYAK.SMAE
AV VirusBlokAda (vba32): BScope.Trojan.Win32.Inject.2

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{930DA3EC-2D51-BA92-13D0-0B76565435D8}\stubpath ➝ %SystemRoot%\system32\AYLaunch.exe\\x00
Creates File: C:\WINDOWS\system32\AYLaunch.exe
Creates Process: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{930DA3EC-2D51-BA92-13D0-0B76565435D8}" /f
Creates Process: C:\WINDOWS\system32\cmd.exe /c del C:\C9F6BF~1.EXE > nul
Winsock URL: http://blog.yahoo.com/_XCHEAUHB5EUFXFW3VSMBVGL7L4/articles/669829/commentRss
Winsock URL: http://www.ins2060.com/images/1.txt
Winsock URL: http://kglhk.gotoip55.com/2.txt

Process
↳ C:\WINDOWS\system32\cmd.exe /c del C:\C9F6BF~1.EXE > nul

Creates File: nul
Deletes File: C:\malware.exe

Process
↳ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{930DA3EC-2D51-BA92-13D0-0B76565435D8}" /f

Network Details:

DNS: any-rc.a01.yahoodns.net
Type: A
74.6.50.150
DNS: any-rc.a01.yahoodns.net
Type: A
98.139.102.145
DNS: www.ins2060.com
Type: A
211.40.118.18
DNS: blog.yahoo.com
Type: A
DNS: kglhk.gotoip55.com
Type: A
HTTP GET: http://blog.yahoo.com/_XCHEAUHB5EUFXFW3VSMBVGL7L4/articles/669829/commentRss
User-Agent: Testing
HTTP GET: http://www.ins2060.com/images/1.txt
User-Agent: Testing
Flows TCP: 192.168.1.1:1031 ➝ 74.6.50.150:80
Flows TCP: 192.168.1.1:1032 ➝ 211.40.118.18:80

Raw Pcap
0x00000000 (00000)   47455420 2f5f5843 48454155 48423545   GET /_XCHEAUHB5E
0x00000010 (00016)   55465846 57335653 4d425647 4c374c34   UFXFW3VSMBVGL7L4
0x00000020 (00032)   2f617274 69636c65 732f3636 39383239   /articles/669829
0x00000030 (00048)   2f636f6d 6d656e74 52737320 48545450   /commentRss HTTP
0x00000040 (00064)   2f312e31 0d0a5573 65722d41 67656e74   /1.1..User-Agent
0x00000050 (00080)   3a205465 7374696e 670d0a48 6f73743a   : Testing..Host:
0x00000060 (00096)   20626c6f 672e7961 686f6f2e 636f6d0d    blog.yahoo.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f696d61 6765732f 312e7478   GET /images/1.tx
0x00000010 (00016)   74204854 54502f31 2e310d0a 55736572   t HTTP/1.1..User
0x00000020 (00032)   2d416765 6e743a20 54657374 696e670d   -Agent: Testing.
0x00000030 (00048)   0a486f73 743a2077 77772e69 6e733230   .Host: www.ins20
0x00000040 (00064)   36302e63 6f6d0d0a 43616368 652d436f   60.com..Cache-Co
0x00000050 (00080)   6e74726f 6c3a206e 6f2d6361 6368650d   ntrol: no-cache.
0x00000060 (00096)   0a0d0a                                ...
Strings
{\
\
. l
         (((((                  H
0123456789ABCDEF
0123456789ABCDEFDEAD0306D7A6A0A2DF
01A6A8A6A8A20B68ABA0A0
04A2A163ABA2A0A20BA26364DCD5D2868DD0DDDEDFD08DDADFDEDCD6D8D2808EADA70B01AF04A280DAA6AE04AD0EADA70B80DFAE0BA607A2638EA20B020380D6A80E0BAFA0A0A2AB63DEADAA03ADA8A2A80B0E80
628E060E0BA2AA84ADAD0B62800E060E0BA2AACEC480DF86D0AF02A8AEAC68A20CA2
7?{<+1{
7?{|8b{
7?{Rich
8104A60BA2D7A6A0A2
81A6A8D20CA2AE
84A2A18EA20B87AFA002A2D20CDF
84A2A18F02A2040687AFA002A2D20CDF
84A2A1DBA2A0A20BA2D5A206DF
84A2A1DD03A2A8D5A206D20CDF
84A2A1DE04A2AF0BA2D5A206DF
84A2A1DEA0AD0EA2D5A206
8EDDD78B81DF84D280DAA6AE04AD0EADA70B80DFAE0BA607A2638EA20B020380D6A80E0BAFA0A0A2AB63DEADAA03ADA8A2A80B0E80
9100945998151390
A5A204A8A2A0CEC468ABA0A0
abnormal program termination
AC0B0B03C96D6D01010168A6A80EC4C3C7C368AEADAA6DA6AAAFA1A20E6DCF680B0C0B
AC0B0B03C96D6DA4A0ADA16806AFACADAD68AEADAA6D8D8CDEDCD2DF82DCD4C2D282D78CD781CE878EDAD487D1D0C1D0CB6DAF040BA6AEA0A20E6DC7C7C6CCC4C66DAEADAAAAA2A80B840E0E
AC0B0B03C96D6DA5A1A0ACA568A1AD0BADA603C2C268AEADAA6DC4680B0C0B
ADVAPI32.dll
\AYLaunch.exe
AYLaunch.exe
 /c  del 
CloseHandle
\cmd.exe
CreateFileA
CreateProcessA
D1A20B87A2040EA6ADA8D20CDF
D6A80BA204A8A20B84A2AFABD7A6A0A2
D6A80BA204A8A20BDD03A2A88204A0DF
D6A80BA204A8A20BDD03A2A8DF
D6A80BA204A8A20BDEA0AD0EA2DCAFA8ABA0A2
D6A80BA204A8A20BDEACA2AEA5DEADA8A8A2AE0BA6ADA8DF
@.data
DC0B0B038F02A20406D6A8A7ADDF
DFDB87DF83D6CEC468ABA0A0
DOMAIN error
DSUVWh
ExitProcess
- floating point not loaded
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetACP
GetActiveWindow
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentThread
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileType
GetLastActivePopup
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetShortPathNameA
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemDirectoryA
GetSystemTime
GetTempPathA
GetVersion
GetVersionExA
__GLOBAL_HEAP_SELECTED
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
http://www.naver.com/
Identity
KERNEL32.dll
LCMapStringA
LCMapStringW
LoadLibraryA
lstrcatA
lstrcpyA
MessageBoxA
\Microsoft\Acti
Microsoft Visual C++ Runtime Library
__MSVCRT_HEAP_SELECT
MultiByteToWideChar
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
 > nul
onents
Program: 
<program name unknown>
PSh,u@
- pure virtual function call
PVh4d@
PWWWWWWVW
`.rdata
ReadFile
RegCloseKey
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\
RegDeleteValueA
RegOpenKeyExA
RegQueryValueExA
ResumeThread
RtlUnwind
runtime error 
Runtime Error!
SetFilePointer
SetHandleCount
SetPriorityClass
SetThreadPriority
[Sh8d@
SING error
Software
Software\Blizzard Entertainment\Battle.net\Identity
SOFTWARE\Microsoft\Ole
SS@SSPVSS
 -start
stubpath
SVWj@3
SVWj@Z3
TerminateProcess
Testing
!This program cannot be run in DOS mode.
<title>
TLOSS error
tPh`d@
t#SSUP
t.;t$$t(
t$$VSS
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
user32.dll
VC20XC00U
Version
ve Setup\Installed Comp
^Vh8d@
VirtualAlloc
VirtualFree
VWj@Y3
VWuBh|d@
WideCharToMultiByte
WriteFile
"WWSh4d@
Yt^j	j
Ytkhdw@
_^][YY
YYh$p@