Analysis Date: 2013-10-23 19:59:46
MD5: 9d62b4ab9f7c9f66d3053bd966723965
SHA1: d0478dfe4eb3efa51d05c1fbb8cfec55230abb79

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text md5: a87c34236c4be8a870b15c183796b48a sha1: 1dc398df432af7a0a5d72f7ff733b1a4d29251b3 size: 468480
Section .rsrc md5: 7b4637000afaaa5f9d3f6b1437a6ae73 sha1: 3343fe2106231e49e4cc1d4d41c29091c93b0698 size: 107008
Section .reloc md5: 1f9b4e35ed20d9ec0f630ddba9dbd853 sha1: a802ed31f04a3b265b16670334ed14126bc67217 size: 512
Timestamp: 2013-10-11 08:55:08
Version
LegalCopyright: Microsoft Corporation. All rights reserved.
Assembly Version: 8.0.7601.17514
InternalName: Javas.exe
FileVersion: 8.0.7601.17514
CompanyName: Microsoft Corporation
LegalTrademarks: Microsoft Corporatio.
Comments: IE Per-User Initialization utility
ProductName: Windows Internet Explorer
ProductVersion: 8.0.7601.17514
FileDescription: IE Per-User Initialization utility
OriginalFilename: Javas.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 859db91221d67c045ce4c0844d870ba27abaafde
AV (avg): BackDoor.Generic17.BVOS

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\IE Per-User Initialization utility ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\JavaUpdaters.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\JavaUpdaters.exe\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\JavaUpdaters.exe
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
Creates Process: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
Creates Process: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
Creates Mutex: Ed7IneM!=[_|8x9avt&+

Process
↳ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

Process
↳ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

Process
↳ C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe

Network Details:



Strings
000004b0
0R4Pvs4L6ESDVfsaVKUIAw==
8.0.7601.17514
AppLaunch.exe
Assembly Version
Comments
CompanyName
CvWDgT+ei6b+2ys3Mu9TBQ==
dScvEwWFH6tud10m+wAkolCvSkp2/1b9xiPztuGYEN4fkmxj6NuqfjXNn3LGxoU8zr0UqT6yZmfE0nMeGqaudA==
dScvEwWFH6tud10m+wAkolCvSkp2/1b9xiPztuGYEN7d3dGq9hjjLdWjep5k+CHD
Ed7IneM!=[_|8x9avt&+
FileDescription
FileVersion
Help.Lib.Run_It
IE Per-User Initialization utility
InternalName
Javas.exe
KGrOFtJ.resources
LegalCopyright
LegalTrademarks
Microsoft Corporatio.
Microsoft Corporation
Microsoft Corporation. All rights reserved.
OriginalFilename
ProductName
ProductVersion
.resources
StringFileInfo
TDDnaDY.resources
Translation
UMjBqcLNgKPblIVJsVqpTCSFJgJTOe
UT0KnJoqvcskiscVBzGT6zg/rtbLqww56gIRACe5rDQ=
VarFileInfo
VS_VERSION_INFO
Windows Internet Explorer
]+,++++=
+,,+,=
00088898998;9;;;;:;55@4;5r
0<|<;hi
0M3<vjj
?>>0z%
(:;;1;;
1&5WAU
1,gfU H
1LMMajj
1pt)4D
`$*1sX
<1y~SC3j
2[O,;t
3132220HB
("33<>
3RA4i2
3ZY:}t
^4==}&
-%4+0)G
("43<=
(#43<=
4}%dK)
 &4gbi!
4%k2#]
]4oyMkE9
4p^~{j
4System.Web.Services.Protocols.SoapHttpClientProtocol
^{~\5 
5~]fD|
(5%"KkY
5MRL5,L5DF
5~SmmddE
5sZAG(
>6D{g&
7Ao$Td
\+7	bM
7B"-	v
7?=[^fe1#)
@7Vf==
}7VJ-I)
7xR<-`a
8.0.0.0
8.0.7601.17514
.83d0~
/83]]GS
8!Gm~mj
8 HWjU
8N$yK&|u
8UoF,U
8:Y`r"
%#-94$
'%%%%(*)))9**99*9+79R
9o>$8iF
#^9X-\
?$9&YE
9.=ZG>l
A8Xf==
_a9d@!imn
AABr(Wg~
AccessedThroughPropertyAttribute
Activator
A<D3&>
add_Tick
|aI0^NL.
_aM PF
^)am^q
a'o^=?
#AOe@n
ApartmentState
AppDomain
Application
ApplicationBase
\AsLHs
</assembly>
Assembly
AssemblyCompanyAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
;a\u=\
aUkb)r _
a\YY^f
 B1Kwww
bfuPrPbT
BitConverter
bitmap
Bitmap
BlockCopy
>\Bn !
B>OH*X`i
+bTR#:q
Buffer
bVNHfv96
c&&&011
c?'c~J/aA
.cctor
CipherMode
ckAah2
ClearProjectError
_Closure$__1
'&	CM#
Combine
CompareString
CompilationRelaxationsAttribute
CompilerGeneratedAttribute
CompressionMode
ComputeHash
Computer
ComVisibleAttribute
Control
Conversions
Convert
CopyArray
_CorExeMain
c${)qL
CreateDecryptor
CreateInstance
Create__Instance__
)^cuMO
CurrentUser
C^Y{CZ
DebuggerHiddenAttribute
DebuggerStepThroughAttribute
Dispose
Dispose__Instance__
D&vu}@ 
@dwJIpn+FD
:	@e"^
E1ocuI
?E9 x]
EditorBrowsableAttribute
EditorBrowsableState
ed	~#ZK
--.eF9
\^,Ef9Y
E)k0h/
EnableVisualStyles
Encoding
EndApp
Equals
EventArgs
EventHandler
Exception
eY(eJq
-(=`F|
f0aF=f^
/^f51(u
F7gpKkBn
\`f:=8
>[^fe1
|~>Fezbr
f<<<<<fOugvviivhuuhhhhjjh_jjj
<fgfQ(
Fh,]hRhF
FileAttributes
f!".j7;
")FKp]\	
F?L13UE
FormBorderStyle
FormWindowState
FromBase64String
FromStream
f`T=87
f`V=T~
%F___WOO
G+,+++=
{:gbB]_
}]GBNg
GeneratedCodeAttribute
get_Application
get_ASCII
GetAttributes
GetBytes
get_Computer
get_CurrentDomain
GetExecutingAssembly
get_GetInstance
GetHashCode
get_Height
get_Id
GetInstance
get_Location
GetMethods
get_myTimer
get_Name
GetObjectValue
GetPixel
GetProcessById
GetProcesses
get_ProcessName
GetRuntimeDirectory
GetStream
GetString
GetTempPath
GetType
GetTypeFromHandle
get_User
get_WebServices
get_Width
@gg':::
Gi_&~C
:!GKbs2O"
GMAZ+&0
gnfyANw8
G;R$A6N&@6N&J@W&
gw|;S4`
-gY={YW
GZipStream
h4#\G2Z
HashAlgorithm
(*h~C~
HelpKeywordAttribute
HideModuleNameAttribute
hXkfmZ
hXkfmZ1
hXkfmZ2
I``a`@@=^^^X
ICryptoTransform
IDATh[
IDAT?H
IDisposable
I`^^-''DQX^I
I^D'###! +XI
"IE Per-User Initialization utility
?{Ihy<
?IibHA
|IidN=
IIIIIIIIIIG
InitializeComponent
iNLN}*U
instance
Invoke
?I_QPH@~
IwNA=z
I^^^XQQQXXXI
I``Y!/CK^#YX
iZpT/@YK
j"9peD
Javas.exe
)@J# l
J@NjcO@
J,>	=o
jPth@F:
J*s,K%
jXQiD4
*K1ca0
:k,-2/~
kBgwj.resources
K~_`Bm~
K)C)eP,
k%d+u+@
;KeLoR
KGrOFtJ.resources
?K`)P|
]KqJ>so
_k__r_
#,KR	"
ksunbw
kZQ9'm
?L^:?|
L`1^gL
_Lambda$__1
L*^IyI+
\LkDF<f
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
\LSz|0
l..TT0S
 M3DI&
m_AppObjectProvider
mbbffff_XXV
m_ComputerObjectProvider
MD5CryptoServiceProvider
MemberInfo
MemoryStream
MethodBase
MethodInfo
%%MH*~
mh+p+	
Microsoft Corporatio.
Microsoft Corporation
+Microsoft Corporation. All rights reserved.
Microsoft.VisualBasic
Microsoft.VisualBasic.ApplicationServices
Microsoft.VisualBasic.CompilerServices
Microsoft.VisualBasic.Devices
Microsoft.Win32
m_MyWebServicesObjectProvider
<Module>
&'m+^OM
mscoree.dll
mscorlib
m_ThreadStaticValue
m_UserObjectProvider
M%{#V4c
MyApplication
My.Application
MyComputer
My.Computer
MyGroupCollectionAttribute
MyProject
MyTemplate
myTimer
_myTimer
My.User
MyWebServices
My.WebServices
,++,+++N
+++++N
n_0gF\`pR
<^N~9Y)
NBc]=<
?nE?Wn~
njZ5r2Fw
NLL`rr
>;n}|n
*nNy``
Nv&p22
Object
objMutex
O<br(~
oc i]f
o#ezt8
o?I3D-%
oIx_O3
~oJD~E
oJrJq;
o<?&MO
OpenSubKey
Operators
O`-qq~9
o~+r+;)
OtE@V_
ovJzj	
oVSnM?
OZ{E`n
p"""...$.&'&&&&(((((((((++(++++=
@	p1cR
P%|5=8
p]7Srs
PADPADP&S
p]K~>.
p""#.M4'1F$'&F?(*K)(GH(++L,+++,=
!\\	pq%
Process
ProjectData
P&^VW3
:px31{
p.zK^^
q""$..
q""#..
q""#..$$.&'''&&%((((((++(++++++=
q""#$.
q""##.
]q0??/
QaP8HK
QaP8HK1
QaP8HK2
?Ql/q5
q"Lsdm
-$QsJo
q""##"ww''D
^>:%qZ
_~]R0'
?rbM: 
Rdy_Data
Registry
RegistryKey
@.reloc
remove_Tick
Replace
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
ResourceManager
ResumeLayout
RijndaelManaged
}RJ-Ql
r""#$#$$$.&''%%()))(((++++,+S++O
`.rsrc
RuntimeCompatibilityAttribute
RuntimeEnvironment
RuntimeHelpers
RuntimeTypeHandle
S!`[&|
    </security>
    <security>
sender
SetApartmentState
SetAttributes
set_ClientSize
SetCompatibleTextRenderingDefault
set_Enabled
set_FormBorderStyle
set_Interval
set_Key
set_Mode
set_myTimer
set_Opacity
SetProjectError
set_ShowInTaskbar
SetValue
set_Visible
set_WindowState
sgV%_@/H
si&=;f
++++S+N
sRmMFBMcqNCL
StandardModuleAttribute
StartsWith
STAThreadAttribute
Stream
String
#Strings
SuspendLayout
}S~;/W
S"!Yc,
SymmetricAlgorithm
System
System.CodeDom.Compiler
System.ComponentModel
System.ComponentModel.Design
System.Diagnostics
System.Drawing
System.IO
System.IO.Compression
System.Reflection
System.Resources
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Security.Cryptography
System.Text
System.Threading
System.Windows.Forms
TDDnaDY.resources
TG#m~b
!This program cannot be run in DOS mode.
Thread
ThreadSafeObjectProvider`1
ThreadStart
ThreadStaticAttribute
Timer2_Tick
t-Mnff
-T*NaE_b
ToInt32
ToInteger
ToString
TransformFinalBlock
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
TXtJzfvU
TXY\\XUUY\mj
UA7H$g
_$uD~Z
uK#q{A
_=?um~
UnmanagedMemoryStream
^u&pbU
U~Q4m}
uU4]=.
=/&uV_s,j
uwqwWwWwwwwsssW
v2.0.50727
?v5;l~
V]?9zxtz
$VB$Local_namez
$VB$Local_valu
$VB$Me
vcaRqym
~#VF6V
V?~f?~L
v`{.*NE*
$vOV03
[v`q%C/
Vu!PTg
]VWNO}y~^
+'&VXv
VZ~SK&
,>w-']
w09Zu~g
WaitHandle
WaitOne
wa'~SZPi~
[>w`E$#
WebQO|
WebServices
WG?u49
Win32_Registry
Win32_value
WinApp32x64
Windows Internet Explorer
WithEventsValue
WKt28jM:
w~k^wG0
	wplKL
w_{pv_
WrapNonExceptionThrows
WuFHVxMk
wwwwwwww
w!xq.@
>@```X
<X^}at
X`baU<
xi[UJ94
X\m+\5
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
X``-M]SEY*YX
%Xo~^`
XVT_RP
XVXVXVIX
Y8NhCEeC
^-y_?C
Y!c<.d
 YgOk;
yKcE4.
Y}=~^L
Y$&sViK
Ytz}t{
	YunIu
y^XfL,SN)
yxxxxxy
yyoo<+K
@y+/Ytqo7
z9G{^F
z9xuEPEt
|]z>bz
Zdd~]/_
Z[dTV?@
_ZeJc\
ZHA+??
#)zqLe]
#ZsjaN
ZW4cpb2v