Analysis Date: 2014-09-15 02:21:19
MD5: 88e473a418396cdada6506b8054a16a5
SHA1: df13732afdb06ad8982e6fd8ce2e69069cbac49b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 7d56bd6df0e9e3a11da488cae99cf49e sha1: 476119f169b7cb820cdfc238ce0f541d487d4713 size: 1024
Section .rdata md5: a2feaf3ba629027ed0b7b0663a4836e0 sha1: 3b0ef5c293336d1f6446110672af463e64f55392 size: 512
Section .data  md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc  md5: 1a5741b008f0e9b203b55a9daf8c5e2f sha1: b5370bf088bf43e6d697bd734d014efb86bce343 size: 37888
Note: the .data digests are the MD5 and SHA1 of zero-length input, consistent with the section's size of 0. Only 1 KB of the file is code (.text) against 37 KB of resources (.rsrc), and the version resource below describes an MFC GUI application ("MPIRing") that does not match the behaviour recorded at runtime; treat the version information as decoration, not as an identification of the program.
Timestamp: 2004-06-05 15:24:52
Version:
LegalCopyright: Copyright (C) 2000
InternalName: MPIRing
FileVersion: 1, 0, 0, 1
CompanyName:
LegalTrademarks:
ProductName: MPIRing Application
ProductVersion: 1, 0, 0, 1
FileDescription: MPIRing MFC Application
OriginalFilename: MPIRing.EXE
PEhash: bf471dc64704c73f2e726b42040b59207263ad33
IMPhash: 8aa48b00dd80d2085cbbd81726a688be

Runtime Details:

Summary: the sample copies itself into the user profile as toludcukadhy.exe, registers that copy under the HKCU Run key for persistence, and creates a mutex of the same name (a single-instance guard). It reads the WinINet proxy settings, then fetches pages from roughly twenty unrelated domains over HTTP (the <host>[1].htm entries in the IE cache below and the WininetConnectionMutex), and opens TCP connections to port 25 on eight hosts resolved in the network capture, one after another on sequential source ports 1035-1042. Sequential outbound SMTP connections to many unrelated hosts is the pattern of a mass-mailer component; note that the capture shows only A lookups for those domains, not MX lookups.

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\toludcukadhy ➝ C:\Documents and Settings\Administrator\toludcukadhy.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\badactor[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\grandecom[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\mville[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mzsg[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\yahoo.com[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\optonline[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\mncable[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\metrocast[1].htm
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\ninemsn.com[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\sexstories[1].htm
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\fedex[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\srcaccess[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\eastlink[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\eznet[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\mtsu[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\ciudad.com[1].htm
Creates File: C:\Documents and Settings\Administrator\toludcukadhy.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\ohiou[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\vol[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\walmart[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: toludcukadhy
Winsock DNS: metrocast.net
Winsock DNS: walmart.com
Winsock DNS: cnet.com
Winsock DNS: asteriks.be
Winsock DNS: eznet.net
Winsock DNS: grandecom.net
Winsock DNS: roadrunner.com
Winsock DNS: rucls.net
Winsock DNS: sexstories.com
Winsock DNS: vci.net
Winsock DNS: mville.edu
Winsock DNS: vol.com
Winsock DNS: srcaccess.net
Winsock DNS: ninemsn.com.au
Winsock DNS: eastlink.ca
Winsock DNS: mzsg.at
Winsock DNS: ciudad.com.ar
Winsock DNS: fedex.com
Winsock DNS: yahoo.com.cn
Winsock DNS: ohiou.edu
Winsock DNS: pt.lu
Winsock DNS: mncable.net
Winsock DNS: uncc.edu
Winsock DNS: optonline.net
Winsock DNS: mtsu.edu
Winsock DNS: badactor.us

Network Details:

DNS: catholic.org (A) ➝ 66.219.98.2
DNS: primeline.com (A) ➝ 69.74.231.232
DNS: usintouch.com (A) ➝ 70.34.34.93
DNS: btopenworld.com (A) ➝ 193.113.4.102
DNS: ohiou.edu (A) ➝ 132.235.8.53
DNS: nmsu.edu (A) ➝ 128.123.3.2
DNS: connections-etc.net (A) ➝ 162.39.145.20
DNS: xtra.co.nz (A) ➝ 202.27.184.102
Flows TCP: 192.168.1.1:1035 ➝ 202.27.184.102:25
Flows TCP: 192.168.1.1:1036 ➝ 162.39.145.20:25
Flows TCP: 192.168.1.1:1037 ➝ 128.123.3.2:25
Flows TCP: 192.168.1.1:1038 ➝ 132.235.8.53:25
Flows TCP: 192.168.1.1:1039 ➝ 69.74.231.232:25
Flows TCP: 192.168.1.1:1040 ➝ 66.219.98.2:25
Flows TCP: 192.168.1.1:1041 ➝ 70.34.34.93:25
Flows TCP: 192.168.1.1:1042 ➝ 193.113.4.102:25
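
The Runtime and Network sections above are a flat list of events; the triage a practitioner actually does is to connect them: which written file is the Run-key target, whether the Run-key name doubles as the mutex, which hosts were fetched over HTTP (from the WinINet cache names), and how many distinct port-25 peers were contacted. The following script is an added example by the editor, not the sandbox's own tooling. It assumes the report's "Label: value" layout with "->" written in place of the arrow, and its sample input is a constructed subset of this report's own lines; the fan-out threshold and the flag wording are the editor's choices.

```python
"""Triage the behavioural lines of a sandbox report into indicators.

Added example for this page (editor's code, not the sandbox's own tooling).
Input format assumed: one record per line, "Label: value", with "->" in
place of the report's arrow.  The sample below is copied from the report's
Runtime/Network sections; the classification rules are the editor's.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the report's own lines, arrow written as "->".
REPORT = r"""
Process: C:\malware.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\toludcukadhy -> C:\Documents and Settings\Administrator\toludcukadhy.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable -> NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\fedex[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\walmart[1].htm
Creates File: C:\Documents and Settings\Administrator\toludcukadhy.exe
Creates File: PIPE\lsarpc
Creates Mutex: WininetConnectionMutex
Creates Mutex: toludcukadhy
Winsock DNS: fedex.com
Winsock DNS: walmart.com
DNS: catholic.org -> 66.219.98.2
DNS: xtra.co.nz -> 202.27.184.102
Flows TCP: 192.168.1.1:1035 -> 202.27.184.102:25
Flows TCP: 192.168.1.1:1040 -> 66.219.98.2:25
Flows TCP: 192.168.1.1:1041 -> 70.34.34.93:25
"""

LINE_RE = re.compile(r"^(?P<label>[^:]+): (?P<value>.*)$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\ ]+) -> (.+)$", re.I)
# WinINet URL-cache entries are named <host>[n].htm under Content.IE5\<8 chars>\
URL_CACHE_RE = re.compile(r"\\Content\.IE5\\[^\\]+\\([^\\\[]+)\[\d+\]\.htm$", re.I)
FLOW_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)$")
SMTP_FANOUT_MIN = 3  # editor's threshold: distinct port-25 peers before flagging


def parse_report(text):
    """Group the report's 'Label: value' lines by label, preserving order."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records[m.group("label")].append(m.group("value"))
    return records


def triage(text):
    """Correlate registry, file, mutex, DNS and flow records into indicators."""
    rec = parse_report(text)
    created = rec.get("Creates File", [])
    mutexes = set(rec.get("Creates Mutex", []))
    dns = {}                                   # resolved IP -> queried name
    for entry in rec.get("DNS", []):
        name, _, ip = entry.partition(" -> ")
        dns[ip] = name
    out = {"persistence": [], "dropped_copies": [], "http_fetch_hosts": [],
           "smtp_destinations": [], "flags": []}

    for value in rec.get("Registry", []):
        m = RUN_KEY_RE.search(value)
        if not m:
            continue
        name, target = m.group(1), m.group(2)
        out["persistence"].append({"value_name": name, "target": target})
        if target in created:                  # the sample wrote the file it persists
            out["dropped_copies"].append(target)
        if name in mutexes:                    # same token as a mutex: single-instance guard
            out["flags"].append("run-key value name reused as mutex")

    for path in created:
        m = URL_CACHE_RE.search(path)
        if m:
            out["http_fetch_hosts"].append(m.group(1))

    for flow in rec.get("Flows TCP", []):
        m = FLOW_RE.match(flow)
        if m and m.group(4) == "25":
            ip = m.group(3)
            out["smtp_destinations"].append({"ip": ip, "host": dns.get(ip)})

    if out["persistence"]:
        out["flags"].append("persistence via HKCU Run key")
    peers = {d["ip"] for d in out["smtp_destinations"]}
    if len(peers) >= SMTP_FANOUT_MIN:
        out["flags"].append("outbound SMTP fan-out to %d hosts" % len(peers))
    return out


if __name__ == "__main__":
    for key, val in triage(REPORT).items():
        print(key, val)
```

The correlation step is what turns a long event list into three reportable facts: the dropped path is the persistence target, the persistence name is also the mutex, and the port-25 connections go to hosts that were only ever resolved with A queries (a peer with no DNS record in the capture is reported with host None rather than dropped).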

Strings:
.
.).
040904B0
1, 0, 0, 1
About4Quit the application; prompts to save documents
&About MPIRing...
About MPIRing
Account:
Account & Password
&Arrange Icons
Cancel
&Cascade
Close
&Close
Close the active document
CompanyName
&Copy	Ctrl+C
Copyright (C) 2000
Create a new document
Cu&t	Ctrl+X
?Display program information, version number and copyright
&Edit
Enter
Exit
E&xit
&File
FileDescription
FileVersion
Find
&Help
InternalName
LegalCopyright
LegalTrademarks
Make Ring
MPD Ring
MPIRin
MPIRin Document
MPIRing
MPIRing1
MPIRing Application
MPIRing.Document
MPIRing.EXE
MPIRing MFC Application
MPIRing Version 1.0
MS Sans Serif
&New	Ctrl+N
&New Window
Open
Open an existing document
&Open...	Ctrl+O
OriginalFilename
Password:
&Paste	Ctrl+V
Please enter an account to run the mpd's under.  All spawned processes will launch in this context:
ProductName
ProductVersion
Quit
Ready
Refresh
Save0Save the active document with a new name
Save As
Save &As...
&Save	Ctrl+S
Save the active document
SCRL
StringFileInfo
TEXTINCLUDE
&Tile
Translation
&Undo	Ctrl+Z
VarFileInfo
VS_VERSION_INFO
&Window
3@2R$W
4Zo*i#
7*:};O
7Z7S.J
B`?:='L
CR?Z}5
@.data
#define _AFX_NO_OLE_RESOURCES
#define _AFX_NO_PROPERTY_RESOURCES
#define _AFX_NO_SPLITTER_RESOURCES
#define _AFX_NO_TRACKER_RESOURCES
e4`l3#
#endif
#endif //_WIN32
>\fBiX
!>]fD$
gdi32.dll
GetModuleHandleA
GetObjectW
GetProcAddress
-"Hn.r=
H,"	Z?3
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
#ifdef _WIN32
="-IIw
#include "afxres.h"
#include "afxres.rc"         // Standard components
#include "res\MPIRing.rc2"  // non-Microsoft Visual C++ edited resources
IOG}U-
I{pYwOO
;)IRzT+
j6&$4Z
JVsKO7g
`%kDXH
kernel32.dll
k[uDOj
LANGUAGE 9, 1
LoadImageA
=m`ck"9Z
MessageBoxW
?(o^j*L
oOY,[hc
#pragma code_page(1252)
r-bl^d
`.rdata
resource.h
RKIV"&uS.	xo
slAWqW
SV$JdB
!This program cannot be run in DOS mode.
U}KAYX0
user32.dll
,v>m^1
V"TCcNJ
W0I%bjg
W/d Ok
w`sle(a
,X(N~^
Z4!upl6
ZN:v0c:B