Analysis Date: 2015-05-13 09:37:56
MD5: f938464193789b81df8e03d5b3754e3d
SHA1: cfcf1ca95daa3b1ae85a4b1e84a6414151f53bef

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: c5c11121f4553c7363c2e66de2a235bc sha1: cf6c127971779c754c5fa503ac2a25d9b6fd3ea1 size: 4096
Section .rdata md5: b66aa727eec4ad370967b22bccafa46c sha1: 464f95475b82f4ede9f2ebe20e7cda86ac0f72c0 size: 512
Section .data md5: 2dc90d3949002ec4c5abbf5005deb5ab sha1: 9f2c6e2037d2144196c109ff509f97493263acfd size: 3584
Section .rsrc md5: 52e9f293b0f3ceb38a8276919e0db15c sha1: 9cf1515bf49f9f8c9d9d7a4217e40757f292ab56 size: 10752
Timestamp: 2014-01-08 15:19:02
PEhash: efe61ca12c33967d21548dc958e02913dd281c54
IMPhash: 7f6ca38551f552e03c882c782556cd58

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\woodtoy.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\woodtoy.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\woodtoy.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: intracawood.co.id
Winsock DNS: warungjambu.com

Network Details:

DNS: intracawood.co.id
Type: A
75.98.233.9
DNS: warungjambu.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 75.98.233.9:443
Flows TCP: 192.168.1.1:1032 ➝ 75.98.233.9:443
Flows TCP: 192.168.1.1:1033 ➝ 75.98.233.9:443
Flows TCP: 192.168.1.1:1034 ➝ 75.98.233.9:443
Flows TCP: 192.168.1.1:1035 ➝ 75.98.233.9:443
Flows TCP: 192.168.1.1:1036 ➝ 75.98.233.9:443
Flows TCP: 192.168.1.1:1037 ➝ 75.98.233.9:443
Flows TCP: 192.168.1.1:1038 ➝ 75.98.233.9:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings
C:\025daf1118d10ef9aa74204bb98237e05533bc7b64e740f668bcb254788db80d
C:\12a960400bd798c14ad155944ad2d699f63d87319078810b3203ef1ff4f7805d
C:\1d342b599f3cdb1eeaed20e1ce0046432f54f7d9174da14c48a7e1ae59a9761c
C:\20c7X3YT.exe
C:\2muwt6tq.exe
C:\5_jzPReh.exe
C:\65761fca6427400077d27172512e972a493abf9282f29344f5c2819d70fea6fa
C:\698eb68b1684072c28da215ed16e00a2c78e1325159e1de8d69d0ddac2fc18bb
C:\6e259705fa68987ce5ea6594fc34eeb91d60607abe09e016e439ca7149e58f3f
C:\8bb2450fd6d9e7920c5d216916a2d79b5d1f70a9e61d729d071cb534d5ed93a9
C:\a65723068f0125e2542e7a6311865f8a7b2e070b2381ea4f32b8206cb39423a9
C:\bf32d3b0\b662ef49.exe
C:\BpjCeAnU.exe
C:\cbXUdgIp.exe
C:\dcb2ecdc5e0d44fee47d4c5fca065c15ae4fac5912b34869c3efbb9a7aa1f8a3
C:\DiRAbHoH.exe
C:\dLoagfb7.exe
C:\e7c474c2443b32bf6875b4e740befd9cebcafa76233ea393f19e223a7532da5d
C:\e9987bf1f50eda797ae88687a0a11fcbb552610fe7a4b25e30c80fc6c44fd645
C:\f54837e11613e33e241ad9692025d042187e20e1a2b7b9187c969ccc314aa092
C:\f862f94eba1e5c17c30105ca779ec515b3049ef22df32e9e6bdba353e5e32444
C:\FIulsk8J.exe
C:\FSagZ4lj.exe
C:\GXoe99Le.exe
C:\iZkHYNft.exe
C:\Jcs0Cbnp.exe
C:\MVUKAjEb.exe
C:\RFHv2dgH.exe
c:\u6ac9o\rq420n.exe
C:\uhcZ5aTU.exe
C:\XikMkfI_.exe
C:\XjueLYqb.exe
D3D8.dll
VERSION.dll
0"3)3}3
3A2U2H4|4t0x0;4&4
apHeileF
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADC
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
CharLowerBuffW
CharUpperBuffW
@.data
drntetQueG
eapHlloAfW
etCoenW
etOpUQ
ExitProcess
FilteetR
FitercmteWdl
foWntOSettpHrcto
GetCommandLineW
GetCurrentProcess
Ge[Temt
GetModuleHandleW
GetProcessAffinityMask
GetSystemInfo
Hanele
HtYpQut
jryOetiopW
KERNEL32.dll
llEeecuxeW
LoadLibraryW
Modtesoc
NELR2.d3
nnectW
nOptpernt
nteInetrE
PCurtentrireDW
quReetMGdulo
`.rdata
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
rletmeWah
    </security>
    <security>
SERUendS
!This program cannot be run in DOS mode.
;+tPriS
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
}uleNiP
USER32.dll
VnReeuesqW
WINIernt
yIerll