Analysis Date: 2015-10-10 12:40:59
MD5: 4a8106874070cead8246c334ea2ffb3e
SHA1: e5ef80b1ffce4aea91bd6d45189b2528f85ba7d1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .nfJBg86 md5: 3d205aa6ebc29f16d4525d190343ce8a sha1: 26406e449ce67864da05c7742683dc4f8ef16027 size: 512
Section .nfJBg86 md5: 700ca6eaf01a6bed47cf6f791966f7f9 sha1: f567b10bb923bd5f44ab07392a508446e5a70bfe size: 1649217
Timestamp: 2015-09-26 02:47:21
Version InternalName: EyeGuarder.exe
FileVersion: 1.0.0.1
CompanyName: 宁波浩克网络科技 (Ningbo Haoke Network Technology)
ProductName: EyeGuard
ProductVersion: 1.0.0.1
FileDescription: EyeGuarder安装程序 (EyeGuarder installer)
OriginalFilename: EyeGuarder.exe
Packer: EXECryptor v1.4.0.1
PEhash: 0a66849f6cba9f96c8ce921b873a0d302d0d9129
IMPhash: 469b1bae2575baede5bf1f06a01b4767
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Zusy.163570
AV Dr. Web: Trojan.Virtumod.10616
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Zusy.163570
AV BullGuard: Gen:Variant.Zusy.163570
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: no_virus
AV Zillya!: Trojan.DipleGenS.Win32.1
AV Emsisoft: Gen:Variant.Zusy.163570
AV Ikarus: no_virus
AV Frisk (f-prot): no_virus
AV Authentium: no_virus
AV MalwareBytes: Trojan.Agent
AV MicroWorld (escan): Gen:Variant.Zusy.163570
AV Microsoft Security Essentials: no_virus
AV K7: Riskware ( 0040eff71 )
AV BitDefender: Gen:Variant.Zusy.163570
AV Fortinet: Riskware/Tool
AV Symantec: Backdoor.Trojan
AV Grisoft (avg): no_virus
AV Eset (nod32): no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Zusy.163570
AV Twister: no_virus
AV Avira (antivir): TR/Zusy.1650241
AV Mcafee: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath ➝ C:\Documents and Settings\Administrator\Local Settings\Application Data\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: int.dpool.sina.com.cn
Winsock DNS: count.smxcpj.com

Network Details:

DNS: int.dpool.sina.com.cn (Type: A) ➝ 180.149.136.219
DNS: count.smxcpj.com (Type: A) ➝ 122.226.102.82
HTTP GET: http://int.dpool.sina.com.cn/iplookup/iplookup.php?format=json
User-Agent: e5ef80b1ffce4aea91bd6d45189b2528f85ba7d1
HTTP GET: http://count.smxcpj.com/setup/az_jg.php?op=click_install&ri=e5ef80b1ffce4aea91bd6d45189b2528f85ba7d1&vs=1.1.1&mc=XX-XX-XX-XX-XX-XX&tm=1444502259&key=1d50098445db14d659739e08551f656a&sd=&dq=<html>%20%20<head>%20%20%20%20<title>404%20Not%20Found</title>%20%20</head>%20%20<body>%20%20%20%20<h1>Not%20Found</h1>%20%20%20%20<p>Your%20browser%20sent%20a%20request%20that%20this%20server%20could%20not%20understand.</p>%20%20%20%20<p>No%20such%20file%20or%20directory.</p>%20%20<hr%20/>%20%20<address>Microsoft-IIS/7.0</address>%20%20</body></html>&sc=1024*768&os=Windows%20XP(32)
User-Agent: Http
HTTP GET: http://count.smxcpj.com/setup/getGg.php?ri=e5ef80b1ffce4aea91bd6d45189b2528f85ba7d1&equipment=2
User-Agent: e5ef80b1ffce4aea91bd6d45189b2528f85ba7d1
Flows TCP: 192.168.1.1:1031 ➝ 180.149.136.219:80
Flows TCP: 192.168.1.1:1032 ➝ 122.226.102.82:80
Flows TCP: 192.168.1.1:1033 ➝ 122.226.102.82:80
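The three requests above form a simple install-tracking beacon: a geolocation lookup against int.dpool.sina.com.cn, then two reports to count.smxcpj.com that carry the installer's own SHA-1 (`ri`, also sent as the User-Agent), a MAC address (`mc`, shown as XX-XX-XX-XX-XX-XX in this run, apparently masked by the sandbox), a Unix timestamp (`tm`), screen size (`sc`) and OS string (`os`). The `dq` parameter is a URL-encoded IIS 404 page, which suggests the installer forwarded whatever body the iplookup request returned without checking the status. The script below is an added example, not code from the report or from the EyeGuard product: it parses the logged URLs and flags the identifier, hardware and embedded-HTML fields. The URLs and User-Agent values are copied from the report; the meaning given to each parameter is inferred from its value and is an assumption.

```python
"""Triage the HTTP beacons logged for the EyeGuarder sample (added example).

URLs and User-Agent strings are copied from the sandbox report; the parameter
meanings (mc = MAC address, sc = screen size, tm = Unix time, dq = region
lookup result) are inferred from the observed values and are assumptions.
"""
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# SHA-1 of the analysed installer, from the report header.
SAMPLE_SHA1 = "e5ef80b1ffce4aea91bd6d45189b2528f85ba7d1"

# (URL, User-Agent) pairs exactly as the sandbox recorded them.
BEACONS = [
    ("http://int.dpool.sina.com.cn/iplookup/iplookup.php?format=json", SAMPLE_SHA1),
    ("http://count.smxcpj.com/setup/az_jg.php?op=click_install"
     "&ri=e5ef80b1ffce4aea91bd6d45189b2528f85ba7d1&vs=1.1.1&mc=XX-XX-XX-XX-XX-XX"
     "&tm=1444502259&key=1d50098445db14d659739e08551f656a&sd="
     "&dq=<html>%20%20<head>%20%20%20%20<title>404%20Not%20Found</title>%20%20</head>"
     "%20%20<body>%20%20%20%20<h1>Not%20Found</h1>%20%20%20%20<p>Your%20browser%20sent"
     "%20a%20request%20that%20this%20server%20could%20not%20understand.</p>%20%20%20%20"
     "<p>No%20such%20file%20or%20directory.</p>%20%20<hr%20/>%20%20<address>Microsoft-IIS"
     "/7.0</address>%20%20</body></html>&sc=1024*768&os=Windows%20XP(32)", "Http"),
    ("http://count.smxcpj.com/setup/getGg.php?ri=e5ef80b1ffce4aea91bd6d45189b2528f85ba7d1"
     "&equipment=2", SAMPLE_SHA1),
]

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# Accepts the sandbox's XX masking as well as real hex octets.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-fX]{2}[-:]){5}[0-9A-Fa-fX]{2}$")
HTML_RE = re.compile(r"<(?:html|head|body|title)\b", re.I)


def query_params(url):
    """Flatten the query string to a dict, keeping empty values such as sd=."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def html_title(fragment):
    m = re.search(r"<title>(.*?)</title>", fragment, re.I | re.S)
    return m.group(1).strip() if m else None


def html_server(fragment):
    """Server banner from an IIS/Apache-style error page's <address> element."""
    m = re.search(r"<address>(.*?)</address>", fragment, re.I | re.S)
    return m.group(1).strip() if m else None


def beacon_time(params):
    """Decode the tm parameter (assumed Unix seconds) to an aware UTC datetime."""
    tm = params.get("tm", "")
    return datetime.fromtimestamp(int(tm), tz=timezone.utc) if tm.isdigit() else None


def triage_beacon(url, user_agent):
    parts = urlsplit(url)
    params = query_params(url)
    findings = []
    if user_agent == SAMPLE_SHA1:
        findings.append("User-Agent is the installer's own SHA-1")
    elif SHA1_RE.match(user_agent):
        findings.append("User-Agent is a bare SHA-1 hash")
    for key, value in params.items():
        if value == SAMPLE_SHA1:
            findings.append(f"{key}: installer SHA-1 used as an identifier")
        elif MAC_RE.match(value):
            findings.append(f"{key}: MAC address (hardware identifier)")
        elif HTML_RE.search(value):
            findings.append(f"{key}: embeds an HTML document titled {html_title(value)!r} "
                            f"served by {html_server(value)!r}")
    when = beacon_time(params)
    if when:
        findings.append(f"tm: Unix time {when.isoformat()}")
    return {"host": parts.hostname, "path": parts.path, "params": params, "findings": findings}


def triage_beacons(beacons):
    return [triage_beacon(url, ua) for url, ua in beacons]


if __name__ == "__main__":
    for entry in triage_beacons(BEACONS):
        print(f"{entry['host']}{entry['path']}")
        for finding in entry["findings"]:
            print("  -", finding)
```

Run as a script it prints one block per request; the second beacon is the interesting one, since it is the only request carrying the hardware identifier and the relayed 404 body. The decoded `tm` value (2015-10-10T18:37:39Z) can be compared with the sandbox's own clock to spot a client that sends a fixed or forged timestamp.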
