Analysis Date2013-11-08 01:48:13
MD51882a9cc67f7779beb2201f7e3945e93
SHA1db5f9f068211c5b506d1d0adac4788229d378745

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Sectionpcs1 md5: e331a814c1af2294315113f0ac082476 sha1: e61b66fb46deed3c39be6785c4a9803318621529 size: 174080
Sectionpcs2 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (zero-length section: the md5/sha1 shown are the digests of empty input, as for pcs4 and pcs6, and carry no identifying information)
Sectionpcs3 md5: 7669075556844891e4d1c4d845171ca9 sha1: ebe04cb293f8deea33430abdfb2d4881d7582b05 size: 3584
Sectionpcs4 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Sectionpcs5 md5: 7adf604366d96d553627cad4b7b0e8e3 sha1: 3b2cc736cd4eff6da88b205f8c605aeae3362d32 size: 512
Sectionpcs6 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Sectionpcs7 md5: 21cd26f51d394584725a7417143d12fc sha1: a6217b65ca909f72d100f860085b4c5b4097d20d size: 18944
Timestamp1992-06-19 15:40:48 (PE header link timestamp; a 1992 date is not credible for a PE32 binary packed with NsPacK 3.3 and resembles the fixed 1992-06-19 value Borland-linked executables commonly carry, so it should not be used to date the sample)
PackerNsPacK V3.3 -> LiuXingPing (the sample is packed; the static section and string data in this report describe the packer stub and compressed image rather than the unpacked payload, so expect imports to be resolved at runtime and static strings to be unreliable)
PEhash88ea1deb6e0c5d652e21c6c0991e42032f21436f
AVavgDownloader.Banload.XEF (family-specific detection naming a downloader; consistent with the box.net fetch and the secondary process observed at runtime)
AVaviraTR/Crypt.XPACK.Gen (generic heuristic for packed/encrypted executables, not a family attribution; only the AVG name is informative here)

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
(Internet Settings proxy keys consulted during WinINet initialization; the log does not indicate whether these are reads or writes, and on their own they are not a useful indicator)
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates File\Device\Afd\AsyncConnectHlp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Processc:\windows\system32\Javaxc.exe (second-stage executable launched from System32 under a Java-lookalike name; no "Creates File" entry for this path appears above, so either the drop was not captured by the monitor or the file reached disk by another means — recover it from the sandbox image before treating it as the downloaded payload)
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNSwww.box.net

Process
↳ c:\windows\system32\Javaxc.exe

Network Details:

DNSwww.box.net
Type: A
74.112.184.83
DNSwww.box.net
Type: A
74.112.185.83
Flows TCP192.168.1.1:1032 ➝ 74.112.184.83:443
Flows TCP192.168.1.1:1033 ➝ 74.112.184.83:443
(two TLS connections to www.box.net, a legitimate file-hosting service; the retrieved content is encrypted and not recoverable from this capture, and the domain and IPs belong to the hosting provider rather than attacker-controlled infrastructure, so they should not be used as blocking indicators on their own — the specific hosted URL or object would be needed)

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

(only the first bytes of each outbound stream were retained; a leading 0x80 length byte followed by message type 0x01 is consistent with an SSLv2-compatible CLIENT-HELLO record header, matching the port 443 handshakes above — no application data is available)


Strings (extracted from the packed image, so most entries are compressed-data residue; the legible items — KERNEL32.DLL with LoadLibraryA, GetProcAddress, GlobalAlloc and ExitProcess — form the minimal import set typical of a packer stub, and the Borland/Delphi artifacts such as DVCLAL, PACKAGEINFO, \Borland, the BB* button names and "This program must be run under Win32" suggest a Delphi-built original)
333f3
BBABORT
BBALL
BBCANCEL
BBCLOSE
BBHELP
BBIGNORE
BBNO
BBOK
BBRETRY
BBYES
DLGTEMPLATE
DVCLAL
f3fff
MAINICON
PACKAGEINFO
PREVIEWGLYPH
TANEXO
 !"#$%
-"-(-=""
/_---.
.=".(-"
$0|	4]
"	0DAR
0"DD(<
""0DHV
	0]dT	
|0h,!V
0qpeWZk
0r,8<d
0%w	#^0xTopp
$	%0x?
~%19_k
1Ati0|
1" B( 2DX0
:1~DA8
{1ei\".#5
1-:eQL
1fAGAck
1'J)5Tf
_]1[)LId*
1No@fyM
1:R|%5
1W#$,U
	^(2(,
2$0PMASC,
2 <A8x
2B*:^v
2CWZql
~2dApE
2`JI%u
2"MXuS
2~@?	{O
`2P	t$
2rfD!)F
|2!%VKw
2_@zl!
>"	@3B
3Dad3	 
#?.3@F
3U.[i|
3	w!ZH
4"	2T0
4_a)Vb|
4C)d?e
,4}E4RQs)
&"	4EBR
4G0yFy
	4mP$(
4MuZ!pJ
5820W+
67890ABC
"6:B$w
6Ielpcft]vm
6QpAS/
6u.J5H$
-7+3dS
~.7H	e
7J2u1}NR@l%
7\kIud3"
7/q<T>
7S*<3G8*
88'878
 8	a8n*s
8A]:HX
8<B)!A
 8dd"i
*"8DJZ
("8D@T
8~gKsB
("	8i|1R
8Wv$Ba
&8Y: u]I
8^'.zW
%%98`;P
&\9c,	
9CT&NH
	^9fUz
	9GnDq
9Ls'i;
9sK$yb8
<	)a*,
{a2*C4B{
A2PI,&
A(3YLA
a|AdU(
Ae97$2
A.eow,
aj S$<f
aka9S0##)
Align$d
AMAPI/
.`a$NGE
ANSI_CH
Aorm0f
'_A	r(l
Ati/Z@
a:Xi *
	a}Y+:
&=B[<	
;B0u~G
B0~'uz
B1FK*u
B 2$d,
~B2tOR[
%$b8	K
b9;:wl
BAyJ,!l
BB{hUa3
=bdLc3ws
Be"1B#!f=D$
)b"%eZ
)b~,F7F
BFzJm#
=.b=H&#
<bhf1Ct*en	
bh$nee
B_)$LlMK
`bnb$d
;B@N\K
\Borland
boXQum
%bqrV%
B&;QtiS"
)BR)D,2
&BvH}[
c(	*	1
C2uf	v$~D
C& 8r@
cA,Vx,
CBxP\J
 c\CuJr
&Cf/uLh
ch7dZ$
;/C@ii
.?ck&bw"
clI4X<
C>$lQ0>#9
CNaRm$
cp5h`H
Cri^Gca
CT b\G
CTXXtF
<Cw=V6C~
"	 D0>
 "(D08
D0 \Tb
D`2P9L
%.*d30lH8v	
("<D 4
d5"l?^%
D6qh@D
D8,bh3
d9)U,A
daps@c
da(Tea
"d*)CE+
dDMR*v
D=E(5x
defghijk
DEFGHIJK
Design
d"	$F&
DF0Zkd
d_F={`w
d)#HD5
d&!l2K
DLAb8%
dlg_Nhe
dLrH9D
DnPTVs
(dNQ'SD
dowOrg
,"@DPd
d?r 9!
`=	dSm[b
Dt:PNPbt
Dv!y\Bf
.)]D},w
DxWOKQ^A'
dZ/)df
?=E"1Z
E1ZBr(i3
)!+E\2
,e$2Htf0
e{cMzim
@eC@S{Q
eg( hj
*e"Ku&
e\>)]M
eN)0tK
EpFe&k
eptionL
eru+Rx'
eUO$-,
,EV8EP"
Ex\i3OH
ExitProcess
e|	Y^;
F#320{;
f3%Ch_
!{/F4L
f*9\b$w?4@
fafltS}H
FAULT_CH
	;"FD^i
FJO"RB1
-Fl!i+K
 `foBk
@f;-Ph
"FPUFk
FQH"+HF
FQHn;	
f$sBe6
$FT$/VkJF
{(ftW$
 FUoFE
fXi_Tb
G4]nqSY
g/7|!Ew
g;9s*")
$gA*6W
g!AFKu
(gd<CV
GetProcAddress
geT'ypB
gGroup+
!/gL&a
GlobalAlloc
g%yd(!
H2c_]Q`
H9LpH6g(
hangeV
h"|D`t
H"\D@T
HelpCTo
h|erH@4df1
HeuXzf
	Hf6)gA
hF@YM D
*	+HI~8m
"))$Hj&
Hk/Rfb
hLisFt
H#M)od
"H#m [T
H !Mw?
$,>H)o
ho*k$CsHH
@hQ-!c
H!'r*;
hread_
H'r$lzY
HSplit
hTlk<Oc>ut
HtLO$u
HuH,qIV
H{v)piHAReg#
?Hx2Y4
&HX;CqtW?
Hxe"lTm
H XT<ZBtoq
!i!	"<
i$<0*!
I1b"AZ
i8$R'b-J
I.a*8/
IBe%am
IgnBeJd
ih	B8Ws,
Ih;vJ)u
!\II	QG
i"L0+S
il;^oC
i-L"uC
-	I)m[
	Imeg'
ImplXd
"INE;$B
](ioP?X	t5
ipboardg	O
ipbr&XY*
iSyXsP-mTa
ITB9\G$hI
iv](i/
I=@wda
I_YhKZ
|J2e?a
J2`Vr`
J^4ZXp
:J;8lA
+jB4/Q9FrE&
j)egUt
jeN'(]
J (Kv$
jL<kv	
jQ|'qd
jSdmdR-
Jts4&a4
jtUIwq
JumpID
jVUnutY
)JWqXi
j(X~%O
J)XXFA
JyExAJ
jY MPI0B8
k3yIo3yd!sd-$c
KCd_	qH
Ke!I_	uZ/
KERNEL32.DLL
k)\kslep
&@+kLVUp"N
	 K @MD
k	~#nH:
k/RwR4,
l2xR	A
L!;D2b
#LD=<P
l)$EBT
lEi,@,
L;FD?G
lignmse7t
LimSe4
]+LIP;
lkp:Ld
=LKW"d
lmnopqrs
LMNOPQRS
!lNzHl+
L!~/o2
LoadLibraryA
lowJtx\
LpSkRy_R<
L	TBiD
/L@<u:{D
  ~ Lx 
 m,4u4q
.|m&%6E
|`M:a"
Mag-ela) 
MAIN#CO
MaInIy
mBlack
M)d:6L
mjCC|t[
'ml,Sk
MON;.Dw
mp/fHo
mrj'd|
$NETx'"x
 N>_:f
n{F$<p
N=,LG`
*,"NML$
No*JHH
`{Nu+h
}"O2v-
.O~4t |
-o$ 87
 OBitm8app
O	EYEIxLe
$OH8"~@$ 
oHE0oA
o:.Lk>d
owa`Deci
*oWBmW
P?,/;=
p"1xo(
p=@d%V(
p#}E5~
peprpi[f
@phaBYA
pj6!.+
,pl*~[t
PP-}9@
p^&	pq
Priylk
PropFixu
pTwFs#%
p\Uh2J
	$PzE0
Q03es8ivx
Q2xH7+E
Q7HqS@CwBo
	]q8i'1
q@cl;%@
	QHIox
Q@	>!N
q-!T~a
QurSyI
^Qwx5G
Q!x@<%}
QzV0$p
^)_[$R
r_1hmo
r>1	LN
R24W/P
R32.8DL
	R6*6F
Range1
rd)gAL
Reif _
Requir
ReXL!f
%R`IE+
rJ<TCy
Rl)!X+
)ROP2'
RP d^"
RP(POD
RRQS`2|L
RSoftw
rW|PCr
/ry^4T
RZX[UM
"%s1,4)
S8p"CO$
S"	]D=g
SER32.
Sf	|z_
s"gx@;s
Sh$fgG
SLqbEH4z
SNvEpW
SOFTWA~R
SRBI*U
sRy;qc
!SWVcA
S~\'z0
SZ~O+Pdw
/)(% T
{T%}*0
t0'AGpf
t0*"W*
T1fuM*
" t.?5
t5}d[p
T8R}K$
TAdznG
?$,TBo
TCol$r
_T%']d
$t('e"%
Te0udG
TFY< g
<_TgBa
This program must be run under Win32
!T	H@j
TIcoMn
+t;Id+x
#tI\Hd
tI%Kp#
,*t$Jfg0
tLong;Pa
tMP4>1
TObjecto
t@<ONn&.
T|PFz3
tPsi%ch
(T`q&K
T/qlBv
tQq)`8
	T$r$%3
ts\%.8x
TScrol
TuAcom
T	uBVO
TUVWXYZGx
tuvwxyz+p/
tW_-Y((
!)tW&Z	;
	U3w^2)B?e
UCujDJ
u$d	3F
udvqx=
u:ilH*(
uJf"M%
uj	uI`
)u/L%SH
UP$p=8
USER3@2W8IN
ushYuB
u\% sx
usyWP :pS>z
UTy3pe
@U#%uX
:U%"}W
uxth9emO$
]uYp[N
UZ1X{(
V0rx=99w?i[O<,
v,9:Pkt*
+vAa&j
'V!>B5U
Visual
>\VjS'
	V:P\t4
Vp'tc>
%:V`Pu
v)qCw 
VS2&Jo
]VsN1B
VXI-(>(-I
Vyc|8jWF
Vzrgu"Fge
`|%W`;
W5ppN9
W$& <C
@%wg$49
w"}h3~
WINHELP
)Wkb@V
w"m1-%
wnRxob F`S
wP!QJls
w'|QO*
W|@rkK
WRT-Tv^
/)WSeG
;	w$t|$
WVWUWV
WzUzXP
;XB*)$
xbkF1!L
XjtO_3
XL2Z`z$
 x@-s$
+xuICSj
!X-U$u]
@XX\< 
= XXq\'
Xy.]=Q5)"
{^xzw|
(y dD3
yDh*!(@	'
YDJ%Xax
YH$=H(
]yk"	u
y^Q9!!	f
yS FdBpu
y*:V{	4
_YY <PZ
yys ema
yyyyttttt
yyyyyyyttttt0s0ss
y	:zUe
|z4{]h
zblEa&l
Z!hLetW
zOVGWe!	
\Zp4%s_
ZTUW,VS
[|`zUv
Z? !/vF0
#ZY	$Tyq5B
ZZ"	[_