Analysis Date: 2015-01-06 13:26:05
MD5: 9a75e275883e800768ed5e9bee2837f4
SHA1: e71ae6408821e6312fbb20a33b366ab6fb8a3e8c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: e80992014f71a8d74a073aae70d08af5 sha1: aae7a06dabaaea701fd3ee7e60caca9231586191 size: 24064
Section .rdata md5: c9f64a3006462e830a22bdd4740678e5 sha1: f826180bec15822759dbe35685cab921f2dfda70 size: 5120
Section .data md5: a81e24eb26c207ab205634c089d49bbd sha1: ea171d3fd65bfe4a3f7323478f4eece0e2fb874f size: 1024
Section .ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc md5: e59ebaf5a10435d6e478b6533e56d894 sha1: 99f7107733018dbc6edadcc96b32b1769c79fcef size: 79872
Timestamp: 2009-06-06 21:42:05
Packer: Nullsoft PiMP Stub -> SFX
PEhash: 2b796256a06c573d348291d79dbe1006128f0760
IMPhash: 099c0646ea7282d232219f8807883be0
AV 360 Safe: no_virus
AV Ad-Aware: Application.Downloader.TW
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Application.Downloader.TW
AV Authentium: no_virus
AV Avira (antivir): TR/Dldr.Chindo.174359
AV BullGuard: Application.Downloader.TW
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Application.Downloader.TW
AV Eset (nod32): NSIS/TrojanDownloader.Chindo.E
AV Fortinet: W32/Chindo.B!tr.dldr
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: no_virus
AV K7: Trojan-Downloader ( 004af0161 )
AV Kaspersky: Downloader.Win32.Agent.chlp:HEUR:Downloader.NSIS.Feasu.heur
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Application.Downloader.TW[ZP]
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: setup_001.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsg3.tmp\2.ico
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsg3.tmp\nsProcess.dll
Creates File: PIPE\wkssvc
Creates File: 9377mycs_Y_mgaz2_01.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsg3.tmp\System.dll
Creates File: sysdiag-c75_blue.exe
Creates File: setup_3386.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsg3.tmp\i.rar
Creates File: F0820_s_30841.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsg3.tmp\Inetc.dll
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\SetupSoft\uninst.lnk
Creates File: OfficeAssist.0195.80.1043.exe
Creates File: IQIYIsetup_l_spl004@kb010.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: BaiduPlayerNetSetup_469.exe
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: 2345Explorer_329242_silence.exe
Creates File: PIPE\lsarpc
Creates File: G0828_s_70986.exe
Creates File: \Device\Afd\Endpoint
Creates File: PIPE\srvsvc
Creates File: WanDouJia_runk4_kb.exe
Creates File: SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.exe
Creates File: C:\Program Files\SetupSoft\Uninstall.exe
Creates File: BaiduBrowserOnlineSetupSilent-494-ftn_30000046.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsg3.tmp\4.ico
Creates File: C:\Documents and Settings\Administrator\Desktop\Intrenet Explorer.lnk
Creates File: QQBrowser_Setup_Hk_78653.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsq2.tmp
Creates File: Browser_V3.0.1167.3_r_4259_(Build14091614).exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsg3.tmp\2.ico
Deletes File: OfficeAssist.0195.80.1043.exe
Deletes File: setup_001.exe
Deletes File: IQIYIsetup_l_spl004@kb010.exe
Deletes File: BaiduPlayerNetSetup_469.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsl1.tmp
Deletes File: 2345Explorer_329242_silence.exe
Deletes File: G0828_s_70986.exe
Deletes File: 9377mycs_Y_mgaz2_01.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsg3.tmp\System.dll
Deletes File: sysdiag-c75_blue.exe
Deletes File: setup_3386.exe
Deletes File: WanDouJia_runk4_kb.exe
Deletes File: SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsg3.tmp\i.rar
Deletes File: F0820_s_30841.exe
Deletes File: BaiduBrowserOnlineSetupSilent-494-ftn_30000046.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsg3.tmp\Inetc.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsg3.tmp\4.ico
Deletes File: QQBrowser_Setup_Hk_78653.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsg3.tmp
Deletes File: Browser_V3.0.1167.3_r_4259_(Build14091614).exe
Creates Process
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: SetupSoft
Winsock DNS: int.dpool.sina.com.cn
Winsock DNS: down.yinyue.fm
Winsock DNS: w.x.baidu.com
Winsock DNS: t.cn
Winsock DNS: shadu.baidu.com

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Process
↳ Pid 0

Network Details:

DNS: int.dpool.sina.com.cn, Type: A ➝ 180.149.136.250
DNS: t.cn, Type: A ➝ 114.134.80.138
DNS: shadu.n.shifen.com, Type: A ➝ 123.125.65.162
DNS: swwx.n.shifen.com, Type: A ➝ 123.125.65.175
DNS: aaa.163vv.com, Type: A ➝ 222.186.60.60
DNS: aaa.163vv.com, Type: A ➝ 222.186.60.18
DNS: aaa.163vv.com, Type: A ➝ 222.186.60.23
DNS: dl.p2sp.n.shifen.com, Type: A ➝ 61.135.185.123
DNS: opt.xdwscache.glb0.lxdns.com, Type: A ➝ 8.37.235.5
DNS: opt.xdwscache.glb0.lxdns.com, Type: A ➝ 8.37.235.6
DNS: opt.xdwscache.glb0.lxdns.com, Type: A ➝ 8.37.234.3
DNS: opt.xdwscache.glb0.lxdns.com, Type: A ➝ 8.37.234.4
DNS: opt.xdwscache.glb0.lxdns.com, Type: A ➝ 8.37.235.2
DNS: opt.xdwscache.glb0.lxdns.com, Type: A ➝ 8.37.235.3
DNS: s.lllsoo.com, Type: A ➝ 42.120.61.139
DNS: download.pps.tv.webscache.com, Type: A ➝ 119.188.40.81
DNS: download.2345.com, Type: A ➝ 218.75.155.244
DNS: download.2345.com, Type: A ➝ 60.191.187.15
DNS: download.2345.com, Type: A ➝ 60.191.223.2
DNS: download.2345.com, Type: A ➝ 60.191.223.4
DNS: download.2345.com, Type: A ➝ 60.191.223.15
DNS: download.2345.com, Type: A ➝ 61.147.127.202
DNS: download.2345.com, Type: A ➝ 61.147.127.203
DNS: download.2345.com, Type: A ➝ 61.160.245.8
DNS: download.2345.com, Type: A ➝ 61.160.245.11
DNS: download.2345.com, Type: A ➝ 61.160.245.14
DNS: download.2345.com, Type: A ➝ 122.228.248.3
DNS: na.b9.aicdn.com, Type: A ➝ 108.186.7.130
DNS: na.b9.aicdn.com, Type: A ➝ 108.186.7.131
DNS: na.b9.aicdn.com, Type: A ➝ 72.8.188.90
DNS: na.b9.aicdn.com, Type: A ➝ 72.8.188.94
DNS: na.b9.aicdn.com, Type: A ➝ 72.8.188.98
DNS: na.b9.aicdn.com, Type: A ➝ 108.186.7.129
DNS: down.gtm.ucweb.com, Type: A ➝ 111.161.46.107
DNS: down.gtm.ucweb.com, Type: A ➝ 112.91.128.40
DNS: download012.rdb.cnc.ccgslb.com.cn, Type: A ➝ 218.60.107.12
DNS: download012.rdb.cnc.ccgslb.com.cn, Type: A ➝ 61.179.105.147
DNS: dl.wandoujia.com, Type: A ➝ 125.39.216.11
DNS: dldir1.qq.com.cdngc.net, Type: A ➝ 174.35.56.226
DNS: dldir1.qq.com.cdngc.net, Type: A ➝ 174.35.56.218
DNS: na.b9.aicdn.com, Type: A ➝ 108.186.7.129
DNS: na.b9.aicdn.com, Type: A ➝ 108.186.7.130
DNS: na.b9.aicdn.com, Type: A ➝ 108.186.7.131
DNS: na.b9.aicdn.com, Type: A ➝ 72.8.188.90
DNS: na.b9.aicdn.com, Type: A ➝ 72.8.188.94
DNS: na.b9.aicdn.com, Type: A ➝ 72.8.188.98
DNS: shadu.baidu.com, Type: A
DNS: w.x.baidu.com, Type: A
DNS: down.yinyue.fm, Type: A
DNS: dl.p2sp.baidu.com, Type: A
DNS: xiazai.9377.com, Type: A
DNS: dl.static.iqiyi.com, Type: A
DNS: download.2345.cn, Type: A
DNS: soft.lvbaoranshiye.com, Type: A
DNS: down2.uc.cn, Type: A
DNS: wdl1.cache.wps.cn, Type: A
DNS: dldir1.qq.com, Type: A
DNS: down4.huorong.cn, Type: A
HTTP GET: http://int.dpool.sina.com.cn/iplookup/iplookup.php (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://t.cn/Rhj55aT (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://shadu.baidu.com/index/fulldownload/30841 (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://w.x.baidu.com/go/full/1/70986 (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://down.yinyue.fm/open/setup_3386.exe (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://dl.p2sp.baidu.com/BaiduPlayerContent/BaiduPlayerNetSetup_469.exe (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://w.x.baidu.com/go/mini/8/30000046 (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://xiazai.9377.com/20140919/9377mycs_Y_mgaz2_01.exe (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://s.lllsoo.com/click/66947 (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://dl.static.iqiyi.com/hz/IQIYIsetup_l_spl004@kb010.exe (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://download.2345.cn/silence/2345Explorer_329242_silence.exe (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://soft.lvbaoranshiye.com/SoHuVA_4.3.0.1-c204900003-ng-nti-s-x.rar (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://down2.uc.cn/pcbrowser/down.php?pid=4259 (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://wdl1.cache.wps.cn/wps/download/OfficeAssist.0195.80.1043.exe (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://dl.wandoujia.com/files/inst/WanDouJia_runk4_kb.exe (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://dldir1.qq.com/invc/tt/QQBrowser_Setup_Hk_78653.exe (User-Agent: NSIS_Inetc (Mozilla))
HTTP GET: http://down4.huorong.cn/sysdiag-c75_blue.exe (User-Agent: NSIS_Inetc (Mozilla))
Flows TCP: 192.168.1.1:1031 ➝ 180.149.136.250:80
Flows TCP: 192.168.1.1:1032 ➝ 114.134.80.138:80
Flows TCP: 192.168.1.1:1033 ➝ 123.125.65.162:80
Flows TCP: 192.168.1.1:1034 ➝ 123.125.65.175:80
Flows TCP: 192.168.1.1:1035 ➝ 222.186.60.60:80
Flows TCP: 192.168.1.1:1036 ➝ 61.135.185.123:80
Flows TCP: 192.168.1.1:1037 ➝ 123.125.65.175:80
Flows TCP: 192.168.1.1:1038 ➝ 8.37.235.5:80
Flows TCP: 192.168.1.1:1039 ➝ 42.120.61.139:80
Flows TCP: 192.168.1.1:1040 ➝ 119.188.40.81:80
Flows TCP: 192.168.1.1:1041 ➝ 218.75.155.244:80
Flows TCP: 192.168.1.1:1042 ➝ 108.186.7.130:80
Flows TCP: 192.168.1.1:1043 ➝ 111.161.46.107:80
Flows TCP: 192.168.1.1:1044 ➝ 218.60.107.12:80
Flows TCP: 192.168.1.1:1045 ➝ 125.39.216.11:80
Flows TCP: 192.168.1.1:1046 ➝ 174.35.56.226:80
Flows TCP: 192.168.1.1:1047 ➝ 108.186.7.129:80


Strings
 " ".E
................

!1Aa
#+3;CScs
msctls_progress32
MS Shell Dlg
Please wait while Setup is loading...
SysListView32
)&,><,"<:
*?|<>/":
&""!%$%$$''&#(((!*** ..-
%%$ ""!"
0,(9'3
|0?}nf
0,sA&.E
0sVnzXF
(1wh",
?25&":.
#2-dB@UJ
)<2":Dd%fh
33o~nN^
3?7uFy
|4.|(.|,.
?|^<@4|
>=&<">&4662Z|.bh
5+gfDt
.6KExG
>+=+7(
765Q0 
<7C2?d
?7_wh8&
+ 8!:$
8NCRCu
9AJ"K^
9a	w^#K
AdjustTokenPrivileges
ADVAPI32
ADVAPI32.dll
AppendMenuA
aR_p~N
|&|+ay
?,{ayv
b			a			_
BeginPaint
#bNZWI
<b@:t&
Bw	gza
#bz>CmN
'&*cAb
CallWindowProcA
CharNextA
CharPrevA
CheckDlgButton
c\lb"jr
CloseClipboard
CloseHandle
CoCreateInstance
COMCTL32.dll
CompareFileTime
Control Panel\Desktop\ResourceLocale
CopyFileA
CoTaskMemFree
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateWindowExA
Cuc`&4
... %d%%
D$0+D$(P
@.data
D$(+D$ SSP
De%9Gt
.DEFAULT\Control Panel\International
DefWindowProcA
DeleteFileA
DeleteObject
DestroyWindow
dgeD 6
>d@HupPp9
DialogBoxParamA
DispatchMessageA
}D)){QO
&(''dqom
DrawTextA
dr~`k %?
};d-[SDYG
D$(SPS
e . #000
E2&mHA
e{9Y`8
E**)a220
EmptyClipboard
EnableMenuItem
EnableWindow
EndDialog
EndPaint
Error launching installer
Error writing temporary file. Make sure your temp folder is valid.
ExitProcess
ExitWindowsEx
ExpandEnvironmentStringsA
F`<(.&
FillRect
FindClose
FindFirstFileA
FindNextFileA
FindWindowExA
FreeLibrary
fsDtD%0K
@f@^@V
GDI32.dll
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFullPathNameA
GetLastError
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetSysColor
GetSystemDirectoryA
GetSystemMenu
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetVersion
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
(G:WuC
:h`erZ
&,HnR=
http://nsis.sf.net/NSIS_Error
HtVHtHH
-H?yQ:w}
`i6p)E
=>]IJLh
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
incomplete download and damaged media. Contact the
i)N_Q$
Installer integrity check has failed. Common causes include
installer's author to obtain a new copy.
Instu_
InvalidateRect
iRichu
\\\iSSS
IsWindow
IsWindowEnabled
IsWindowVisible
izzaiJ`d
`J(}(%
jji	jji	llk	
JJJ-JJJ
JQ236{z\|L
_&k1}'
_KAwwu
KERNEL32
KERNEL32.dll
Kqc'Gi
K_r)o0
Ks{/(tv
LoadBitmapA
LoadCursorA
LoadImageA
LoadLibraryA
LoadLibraryExA
LookupPrivilegeValueA
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpynA
lstrlenA
l*xK'M
m*a3=y
MessageBoxIndirectA
\Microsoft\Internet Explorer\Quick Launch
MML(___
MMMHWWV	
More information at:
MoveFileA
MoveFileExA
mujm'I
MulDiv
MultiByteToWideChar
n]{[d4}K
.ndata
NSIS Error
~nsu.tmp
:nSVo,Rx
NullsoftInst
NulluM	E
oD?@c^
ole32.dll
OleInitialize
OleUninitialize
OpenClipboard
OpenProcessToken
p.&?B&
PeekMessageA
P;M;[[
PostQuitMessage
PPPPPP
p&R2pV
Q5$tC::x
Qa7E3{y 
`~q"co
&Q:JO<
|\qRRCM
qWBFz.
<-R<B)
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RemoveDirectoryA
[Rename]
RichEd20
RichEd32
RichEdit
RichEdit20A
R)"<*N
#Rw;Cd
ScreenToClient
SearchPathA
SelectObject
SendMessageA
SendMessageTimeoutA
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
SetWindowLongA
SetWindowPos
SetWindowTextA
sGbv3=}g
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHFOLDER
SHGetFileInfoA
SHGetFolderPathA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI
ShowWindow
Sl$p"B
softuV
Software\Microsoft\Windows\CurrentVersion
SQSSSPW
SSR7a``	
SSSMJKK0JJJ
SystemParametersInfoA
> _?=t
t1!/(Cg
t2`kY%o7E$
!This program cannot be run in DOS mode.
tnG^\}
_^[t	P
TrackPopupMenu
U[:)2	
"#ukV~p
unpacking data: %d%%
Uo21tf
USER32.dll
%u.%u%s%s
uyDBq6
"*Ve'Q
verifying installer: %d%%
VerQueryValueA
VERSION.dll
#Vh;+@
v$Lbbj
VTZ7.j
WaitForSingleObject
W_md|@
_WpjNF8
WriteFile
WritePrivateProfileStringA
wsprintfA
[x04q_
-X07%9i
*x_b<yM
X[}Knn
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.45</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
 xnSL3
^^^[xwv
yI'a@C->
yQsXsBsN3F;V{
~YWe8{
YYY&poo
"Z*7U4#f
+zaI]Cm
Z?bx;0W0^
zl>dGT
z$sQ1i
ZS>t~s+
ZZZaJJJ
ZZZcJJJ.JJJ	---