Analysis Date: 2015-04-28 21:45:37
MD5: aa02d9b06f5f00927eb1ff31bfaf12c4
SHA1: dae98fa0339f0c5b2378fafeea49664fdc8d4e70

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 0ad19776cccfb18f1b3ff734209e231e sha1: 932bb454308fa7503e421fb6bceb2c6f3c2f529b size: 41984
Section .rdata| md5: 273d5f7c00637ab642e03ddccb86cc66 sha1: aec57e271f8d72b82fb857d92ba123d8c13a0c5b size: 1024
Section .bss md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section .rsrc md5: fe79e964e947ec81f354459b12ef607d sha1: ff5877ab977f4b029510fcd7a0ed89d48bdcc4d3 size: 11776
Section .xdataC md5: 97f1e0f27140dd664cc12af92c48d2f4 sha1: c2061d030457026a76d9c52ebcae93083daa65e2 size: 6656
Timestamp: 2009-11-29 14:54:10
Version LegalCopyright: 432 1997 +2006
InternalName: Shrew Crack
FileVersion: 10 4 10
CompanyName: Chemware Ltd
ProductName: Actor Veil Rays Plume
ProductVersion: 10 4 3762
FileDescription: Hener
OriginalFilename: Cigar.exe
PEhash: 67687f0815b8f4e1964d34168149ca15b281184f
IMPhash: 573066823f761f123ba4cc862787084a
AV Ad-Aware: Trojan.Dropper.WNO
AV Alwil (avast): Dropper-NWX [Trj]
AV Arcabit (arcavir): Trojan.Dropper.WNO
AV Authentium: W32/Trojan.CVKI-9192
AV Avira (antivir): TR/Crypt.Xpack.66287
AV BitDefender: Trojan.Dropper.WNO
AV BullGuard: Trojan.Dropper.WNO
AV CA (E-Trust Ino): Win32/Upatre.BEYMAND
AV CAT (quickheal): TrojanDownloader.Zemot.MUE.C4
AV ClamAV: Win.Trojan.Dropper-22818
AV Dr. Web: Trojan.DownLoad3.33377
AV Emsisoft: Trojan.Dropper.WNO
AV Eset (nod32): Win32/TrojanDownloader.Elenoocka.A
AV Fortinet: W32/Tiny.NKF!tr.dldr
AV Frisk (f-prot): W32/Trojan3.IIO
AV F-Secure: Trojan.Dropper.WNO
AV Grisoft (avg): Luhe.Fiha.A
AV Ikarus: Trojan-Dropper
AV K7: Trojan-Downloader ( 00499db21 )
AV Kaspersky: Trojan-Spy.Win32.Zbot.sbea
AV MalwareBytes: Spyware.Zbot.VXGen
AV Mcafee: Downloader-FSH!AA02D9B06F5F
AV Microsoft Security Essentials: TrojanDownloader:Win32/Zemot.C
AV MicroWorld (escan): Trojan.Dropper.WNO
AV Rising: no_virus
AV Sophos: Troj/Zbot-IGR
AV Symantec: Downloader.Ponik!gen5
AV Trend Micro: no_virus
AV Twister: TrojanDldr.Elenoocka.A.asxe
AV VirusBlokAda (vba32): TrojanSpy.Zbot

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: PIPE\wkssvc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dae98fa0339f0c5b2378fafeea49664fdc8d4e70.doc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\temp_cab_428781.cab
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Documents and Settings\Administrator\Local Settings\Temp\dae98fa0339f0c5b2378fafeea49664fdc8d4e70.doc"
Creates Mutex: 48814208
Winsock DNS: windowsupdate.microsoft.com

Process
↳ "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Documents and Settings\Administrator\Local Settings\Temp\dae98fa0339f0c5b2378fafeea49664fdc8d4e70.doc"

Creates File: PIPE\lsarpc
Creates Mutex: CTF.TimListCache.FMPDefaultS-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500MUTEX.DefaultS-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.189
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.158
DNS: windowsupdate.microsoft.com
Type: A
HTTP GET: http://windowsupdate.microsoft.com/
User-Agent: Opera/9.25 (Windows NT 6.0; U; cn)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.50.189:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4f706572   User-Agent: Oper
0x00000020 (00032)   612f392e 32352028 57696e64 6f777320   a/9.25 (Windows 
0x00000030 (00048)   4e542036 2e303b20 553b2063 6e290d0a   NT 6.0; U; cn)..
0x00000040 (00064)   486f7374 3a207769 6e646f77 73757064   Host: windowsupd
0x00000050 (00080)   6174652e 6d696372 6f736f66 742e636f   ate.microsoft.co
0x00000060 (00096)   6d0d0a43 6f6e6e65 6374696f 6e3a2043   m..Connection: C
0x00000070 (00112)   6c6f7365 0d0a0d0a                     lose....
Strings
.
.

040904B0
10  4 10
10   4  3762
432  1997  +2006
 5E0
Abed Jute Aging
Acne
Actor Veil Rays Plume
Alarm
Chemware Ltd
Cigar.exe
Clad Garish
CompanyName
Cuban
FileDescription
FileVersion
Fixed
Fund
Gauge
Habit Solar Octal
Hardy
Hener
Hire
InternalName
Itchy
Jumbo
Jumpy
Kick
Knight Waves Ruin
Knot Worn
Learn
LegalCopyright
Lift
Loren But
Metro
MS Sans Serif
OriginalFilename
Parse
ProductName
ProductVersion
Prone
Pubs Chat
Realm
Shrew Crack
Sins
StringFileInfo
Suzy
Tail
Ticket
Toads
Toll
Translation
Upper
VarFileInfo
VS_VERSION_INFO
Zigzag Cares Tgif
)|>\=_
02468:<> "$&(*,.PRTVXZ\^@
0_	d'j
0~:k[9K	
0K9rv]
]0'T]>
>0Tq T~'	
0]t[SF
0 vtk[jv
0y[u F
1BbL15T1NP
1*(Lx}
2645627542
2DHr6LOc8v
44rkvm
451317822678
5[50dFT G
5qdv0k9
5rKkoF
5Sqpks
5srqTpr
5T5G K	
$5tK:0
5 Ty>0
5Tyv$$S
5vG _'
5: vt:'j9yS
[5wtsu[
'$ 5y~
6mrgghi1cfq
746s13bh
75>>	yt
762418
7	97KdS':
$'	7>d
7d0~v[
7j'$~[	r
7Koj][w~
7q>5aqF]
~7StoT
7yk	]S
 990uy
99rvvv
	9Fvp 'ov$F
9G [_K~dTa
~$9'Gr]
9j'Skt
9[kk]~o
9rrvvv
9tS075_a
9wj	d]q
>a:5F50
a$'5G_y>
a7:v$:[0
aa_$F>Tt5Fd
a]>	d'
ad$]5S
'adqwsk
[advvK
ak$07T 
aoap7~
a[s	sa
AssignProcessToJobObject
atviaie
]auu>[
a_uu$T
	awSo$G
Axybeti
bOexjS
Buwohab
c}}}}:
ccn-ncn
ciq41d5
cjqqoiwk
cncu}:
c,nuu-X-,:
cOGnFp
CreateEnvironmentBlock
csnXnq
cvapjrqdegq
-c:X-:
da	Fa]K
'dar~p9dw]
 d$dws
d_	F>5]sd
:dFaS9
DialogBoxParamA
'']dK~
dK7w~a
:d k	$9
dotd'S0
dv7]dv
eg5yy8kfhohlv
EndDialog
Eqebuq
ExpandEnvironmentStringsForUserA
'(*,)f
>F>00k
F07a7r
F5:>[w
F7dT~~70
Fakv'T
FileTimeToDosDateTime
	[ [[	Fk_9[$
FkG:sj'
[Fp5d$
Fpjkp> 
Fqju>0	G
FreeGPOListW
Fr$Fqyov
FsosuSKS
 F_t7~
Fta'5  u
Funiriq
Fwjva$~t ~
G]50k]t9o
G'dsT7
GetAllUsersProfileDirectoryA
GetAppliedGPOListA
GetAppliedGPOListW
GetClassWord
GetDefaultUserProfileDirectoryA
GetGPOListA
GetKeyboardLayout
GetPriorityClass
GetProcAddress
GetUserProfileDirectoryA
G_Fjo	
Gk~sov
Gogugy
_GSwj'p'9p
GS$yKTd':
]Gt2F~
G~v[:k'du 
G$]vvj
Gyvo	ptt
Hevury
hFIKjWjCgPnO
hovo441kh25
HvLIFBrmwU
i6Y3wY1sYd
Ikidyza
IMM32.DLL
ImmAssociateContext
iMvEmtlARDKAH
InFfAjwq
InitializeCriticalSection
InterlockedDecrement
IsDebuggerPresent
iuefgphawsgimrn
IySBeOodtIl
Izybijy
j0F7Fut
j_aGTG
>jd:G0
j]dG7tT
JICGDVUSILQDQLP
: jK	o F
jK~qr:dd
~jooSw
Joxifij
__~j:q9[r
	jSFTj
j]t]~_
]jTd7]
juK'yt
jur7KT	
jUYRhGDDK
j_ >uysGa
j'yap'7trjs
k0>r	'~
 	k0'y
k5Kw]oT$Sjq
K5uq~Sy[
K>	:ao
kd$ SuT
KERNEL32.DLL
KFr]wr
..K.K.
Kk0sqTr
.KKKKK
..KKKKK
kKs'>95 
kpt>aS]
Kr	wF[k
k]S'9as
 KStuTy
kSwaFj
KtkGG:
KtoTpo
 KuSKp_7_
k:wjF[
K'y pT Fp
lAlloc
LsHIDdhiaan
Microsoft Visual C++ Runtime Library
m"_][Y	9)
},n}c,
,ncXuX
NdWbFhUl
NLeM$6^
n}ncnsn
nnsu,},
nq:nn}-
nqq}},u}q
n,:qsXss
nqXnq}:
NSECWLXVDMWNUU
:n-s:n
ns:-u-
:}n:u:
nunqXXXs
-nuq-:
Nuverah
nuXu}q
n},XXs
Nyfiry
Nyfyje
o6gpdq1bc1gun
:o[7o7
ods$'w$
oGru[w
]osu[~_
oTF07Tp	
p0vaw]
 :p5y9 $
:_p9sT
pddS>rr
pj~7rq
ppp8ppp8
p_qu'T$t	
pt0kts[t75vq
p[uj a
pXJpevi
p:XXVT
q[5>5[u
q9]$rF
qc:c:n
~qFqj:$
q},nnnn
q:nn,qns}
qn-sqn
qn,Xn:n}n
q[p>rw
qqn,}-
qqnsq,}
q,-q:un}q
,q:sc,
qsncqu
q}s-n:n,uX
q}snq,:nXn
}qs-usX
qtpS 	S5ot
qu}c:n
quy$w	s
qX-cn,
r0F5Kw
r557Jl
	r[5r t9
r5_T]9
	r	9 ~'S
`.rdata
[rdav0]r
RefreshPolicy
:r~Gy9pkpku
rjyG	a$
rK_p::
rKpwk'
RmyKMO|
'[r: oq$d_
ROVSBFOELGT
rq~T9sa
~]rrpGw
rrrrTvvvrvvr
rrrv9$F
rTsdju
$r>uu S
	S0KSv]
Salunu
SAssClxhdx
scX::X
SendMessageA
SetClassLongW
s[	Fruv
Sinuho
sn}nXn
snuu}snX
's[ p7
sqqc,X-
] S TSSp:[
Su7:G07q
s u7]:S 
su},nn
suq,sXq
s::usu
S$vujy[
sXnn}u
sX}usn
-sXXqn
 t5dSa
t5K~_rp
T[7ak'
T7::jvop
t7uGk[55u
Td0S]0F]
TGu'juoFa
!This program cannot be run in DOS mode.
T~j7:o[
tjT9 ]
't k7ys
tka|rq
to>	[5
to5_:u
$Tovo'
TQ=.W7 
tS5a]>
~t	sSKF
tTdrj:r
T	_$Tj
'tttS	
ttttwth
Tukiby
	t:w[_d
T'w_$ p
u$ddaS
>u[k7$
_u>KTujqTw
UnregisterGPNotification
unu,qn:s
up:G]u
Uqoxox
u--s},
u[sa]k
USER32.DLL
USERENV.DLL
}u,sn}
>us'twK
usyr5ro
' uT7G
uuoa7	a9
u'w9'0qT
	u  yK7
v 0>Gs
v7ar75T
v9w	_ a0
'vat^c
v~aydK0
Vinoqus
viWkQsKAMiiyKON
v]>jrG
VLJORMKVDGHGW
~vooGsy
vrvrvr
vsdGdcT
[vSvt5
>vswyGy~w5]TS
vTT~>0
vvvrrrr
vvvvrvrr9r
vvvvTrrr99
VYWCNWPCCJPCG
w]: 5y
w9]Guk:
w]	a5y
w'FrjK'a 'w
'>ws5[
wt]'9s
w[t$K[
wttttt
w'utw[
wv5>[7s
WVNWXTAQF
w$vou'
Wyhypa
,-:X,cn
:Xcn:-cn
XcssnX}
@.xdata
X:,n-q-
,Xqn}nn:
Xq-ssnXX
,Xscuu
X}suu:
Xu-X-s
Xu,Xus--
y5q'$~
y~77:a
y7 t9_
~]y[da_
YHPLCA
~youvGrr>
$yrt>a
ys0_KS]qT5K
yt0roS>$5
Ywuhuto
zHeETH