Analysis Date: 2015-05-23 18:11:07
MD5: 0445937eee7159fae9c912356331a0a4
SHA1: e4683ae0a1de7694845cff7ebc8a1a36628e10dc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: 87e6f5297088bee5465900427f008173 sha1: 6db6d347c89e9f11e5b27cf5c53669e0bd0656d4 size: 6144
Section .data — md5: f1ab2370a364765cc01820a3d76a41eb sha1: a4d996a9b0fb0dd7596ff39134925b46637b7774 size: 2048
Section .rdata — md5: 01462bbaa54d603bfa3454feccb63fd6 sha1: 3644b510638233ef5a7a8412f53612d28c36dd85 size: 2560
Section .idata — md5: c172974ed6f2dd740abed3a81271b941 sha1: bdd328d3ed06a1f8139fb1d4caf29c748da1580d size: 1536
Section .rsrc — md5: adc39a152be102eb7a041e991a6d202c sha1: 76189e9a0c3b080a0c8dcac8bfa0acf0dcd1001a size: 5120
Timestamp (PE header): 2004-05-20 06:02:07
PEhash: 86f54a7ff3c1451fa1ffd627d39147b3b2405508
IMPhash: 641a435995118d1e23b199af0b58ecfd

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: findlawenforcement.com
Winsock DNS: perfectablets.com

Network Details:

DNS: perfectablets.com
Type: A
8.8.8.8
DNS: findlawenforcement.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 8.8.8.8:443
Flows TCP: 192.168.1.1:1032 ➝ 8.8.8.8:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings

Cancel
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\gPAqfiLuU.exe
E&xit
&File
&Help
MS Shell Dlg
&New 
~~~~~~~~
*++++++(,-.//,0 1234256++++++78
22222222222222222222222222222222222222222222222222222222222222222222222222222222
-2NO ;;; PQRS
3eLp,lWoN
7oLd7iMrLrdEcA
7oLd.u]sZr,
9T`aaa
9TTTTT
A1d5e#[YGGGGGGfgQ_	
;      (<=>?@<->A@BA@C<     * DE
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
BeginPaint
bGGGGGGHIW^c[Z
BiYmX.OlW
 b +/o
CheckMenuItem
CloseClipboard
CreateCaret
CreateDirectoryW
CreateMenu
DestroyCaret
Eh1^1g
EmptyClipboard
EnableMenuItem
/eQWTnOobP]oNA
ExitProcess
F]ePLTb]a]y
#F=FFFFF
FFFFFFF
FFFF=FFFFFF
FFFFFFFFFF=
FFFFFFFFFFF
FindWindowA
fl?8Z`et
FlashWindow
GetClientRect
GetClipboardData
GetClipboardOwner
GetCursorPos
GetKeyboardLayout
GetKeyboardState
GetMessageA
GetMessageTime
GetModuleHandleA
GetScrollInfo
GetSystemMenu
G;;;;;;HI
GlobalLock
GlobalUnlock
GPt;rZc,dOrPs^
HeapAlloc
HideCaret
HPa[C]eLtP
.idata
iGGGGGUjkXclcVmmnfodpqrUGUGGUfsQtu	
}iiiiiii~
InvalidateRect
IsBadReadPtr
IsWindow
IsZoomed
J1KL-5M@5M
kernel32.dll
LJ fw'
LoadIconA
MessageBoxIndirectA
MsgWaitForMultipleObjects
;o^t<uTt8e^sLgP
PostMessageA
.rdata
RegisterClassA
RegisterClipboardFormatA
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
;R:F?O=
?rLn^lLtPMPs^aRe
.rPa_eBiYdZw0x,
rPcZrO ]eN
ScreenToClient
    </security>
    <security>
SetCaretPos
SetClassLongA
SetClipboardData
SetKeyboardState
SetScrollInfo
SetWindowPos
SetWindowTextA
ShowCaret
S`n>hTnP
!This program cannot be run in DOS mode.
ToAsciiEx
ToUnicodeEx
TrackPopupMenu
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
ttttFFFFFFFFFFFF
	||||	u
U;;;;;;HVW0XYZ0[\]5AX^HO;;;;O;[Q_
user32.dll
VPjkrZ
W'fl:;E`YtU
WinHelpA
wUUUUUUUjxrUrjyyzrrzorUUUUUUUfs{F
XcTSPnOS_rTnRA
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>