Analysis Date: 2015-05-29 04:49:42
MD5: 35dd33cdca7224f1e108335dd56024e7
SHA1: e84eeb4160a0513fe9e6a31d9d10de0f93e1630a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section: UPX1 md5: 514ea0239eefaf129c171a0f3d0f5457 sha1: 121dda8d06e9c3deab785fa426b51867f9a89cde size: 21504
Section: .rsrc md5: e997ba6e11b11cd324e93a079284be5d sha1: 64b9af09bb1f70e1137bd1bf1037c627e08a44c9 size: 2560
Timestamp: 2014-07-06 18:22:51
Version:
LegalCopyright: (c) 2000-2014 Martin Prikryl
InternalName: winscp
FileVersion: 5.5.3.4214
CompanyName: Martin Prikryl
ReleaseType: stable
WWW: http://winscp.net/
ProductName: WinSCP
ProductVersion: 5.5.3.0
FileDescription: WinSCP: SFTP, FTP and SCP client
OriginalFilename: winscp.exe
Packer: UPX -> www.upx.sourceforge.net
PEhash: 6fa98d17dbc21dd593e30f343c4e251faaebf51c
IMPhash: 06d92d662f64304b53228e40b8aadea8

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.Net CLR@\Description ➝
Microsoft .NET COM+ Integration with SOAP@
Creates File: C:\WINDOWS\fsldsw.exe
Creates Process: C:\WINDOWS\system32\cmd.exe /c del C:\E84EEB~1.EXE > nul
Creates Mutex: C:\malware.exe
Creates Service: Microsoft .Net Framework COM+ Support@ - C:\WINDOWS\fsldsw.exe

Process
↳ C:\WINDOWS\system32\cmd.exe /c del C:\E84EEB~1.EXE > nul

Creates File: nul
Deletes File: C:\malware.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Creates File: \Device\Afd\Endpoint
Winsock DNS: 192.168.1.1

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1196

Process
↳ C:\WINDOWS\fsldsw.exe

Creates File: PIPE\DAV RPC SERVICE
Creates File: C:\Program Files\Windows Media Player\lpk.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\lpk.dll
Creates File: C:\Program Files\Messenger\lpk.dll
Creates File: C:\Program Files\MSN Gaming Zone\Windows\lpk.dll
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\lpk.dll
Creates File: C:\Program Files\Windows NT\Accessories\lpk.dll
Creates File: C:\temp\files\lpk.dll
Creates File: mm33.dll
Creates File: C:\Program Files\Common Files\Microsoft Shared\Speech\lpk.dll
Creates File: PIPE\wkssvc
Creates File: C:\Program Files\Outlook Express\lpk.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll
Creates File: C:\temp\lpk.dll
Creates File: C:\Program Files\Internet Explorer\lpk.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\lpk.dll
Creates File: C:\RCX1.tmp
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\Windows NT\lpk.dll
Creates File: C:\lpk.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\lpk.dll
Creates File: C:\Program Files\Internet Explorer\Connection Wizard\lpk.dll
Creates File: C:\Program Files\Movie Maker\lpk.dll
Creates File: C:\Program Files\Common Files\Microsoft Shared\MSInfo\lpk.dll
Creates File: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\d35c221f74db5d48b3aa3ad663400c85\lpk.dll
Creates File: C:\Program Files\Windows NT\Pinball\lpk.dll
Creates File: pipe\net\NtControlPipe10
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\lpk.dll
Creates File: C:\Program Files\Common Files\Microsoft Shared\DW\lpk.dll
Creates File: C:\Program Files\NetMeeting\lpk.dll
Deletes File: mm33.dll
Creates Mutex: .Net CLR@
Creates Mutex: DBWinMutex
Creates Mutex: C:\WINDOWS\fsldsw.exe

Network Details:

DNS: xulei521.wicp.net
Type: A
119.205.128.209
DNS: xulei521.wicp.net
Type: A
119.205.128.209
DNS: level4.cn
Type: A
DNS: linfeng.sytes.net
Type: A
Flows TCP: 192.168.1.1:1039 ➝ 119.205.128.209:8080
Flows TCP: 192.168.1.1:1049 ➝ 119.205.128.209:8080
Flows TCP: 192.168.1.1:1059 ➝ 119.205.128.209:8080
Flows TCP: 192.168.1.1:1068 ➝ 119.205.128.209:8080
Flows TCP: 192.168.1.1:1077 ➝ 119.205.128.209:8080
Flows TCP: 192.168.1.1:1087 ➝ 119.205.128.209:8080
Flows TCP: 192.168.1.1:1096 ➝ 119.205.128.209:8080
Flows TCP: 192.168.1.1:1106 ➝ 119.205.128.209:8080
Flows TCP: 192.168.1.1:1115 ➝ 119.205.128.209:8080
Flows TCP: 192.168.1.1:1124 ➝ 119.205.128.209:8080
Flows TCP: 192.168.1.1:1134 ➝ 119.205.128.209:8080
Flows TCP: 192.168.1.1:1143 ➝ 119.205.128.209:8080

Raw Pcap
0x00000000 (00000)   b0                                    .

0x00000000 (00000)   b0                                    .

0x00000000 (00000)   b0                                    .

0x00000000 (00000)   b0                                    .

0x00000000 (00000)   b0                                    .

0x00000000 (00000)   b0                                    .

0x00000000 (00000)   b0                                    .

0x00000000 (00000)   b0                                    .

0x00000000 (00000)   b0                                    .

0x00000000 (00000)   b0                                    .

0x00000000 (00000)   b0                                    .

0x00000000 (00000)   b0                                    .


Strings
.

040904E4
5.5.3.0
5.5.3.4214
(c) 2000-2014 Martin Prikryl
CompanyName
FileDescription
FileVersion
http://winscp.net/
InternalName
LegalCopyright
Martin Prikryl
OriginalFilename
ProductName
ProductVersion
ReleaseType
stable
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
winscp
WinSCP
winscp.exe
WinSCP: SFTP, FTP and SCP client
"0,0V0l0
01\2 S ($
;01i#345
0/5=5K5_5x5
._0/c d 
;0csvv
131J20
2%2/2T2g2w2
2'BV>(
??2@YAPAXI@Z
3+bV5t8XHeDdCQsTCxND
3*p+$,o-
3S(V82[!
3T3^3h3r3
40@P\r
`4-2Q[z=
$,44M3
4d5tdDL
4Mtfm0B34M
4txHtn
5]+Imd
?.?5?V?i?
:&:.:6:>
6@6J6Q6^6e6~6
)707=7D7y7
7+7E7L7P7T7
7*858P
`7d7h7
8reDGz`!5e
8W8\8`8d8
9.9I9Q9Y9b9
<9h7(=
[a2tC"
a''''bcde''''fghi
@ABCDEFGHIJKLMNOPQ
ADVAPI32.dll
bRich+
~\Ch-g
c`lQVYOu
crOP*=[
__CxxEl
#C@yFileA
ddddditCoddddntro'']dlhLMN
dkN|.7}~[6
=D=M=Z=w=~=
DVAPIkRegi
$e }~!
eCntr4
e\Curr
eDIWid
EGr!GEDD(Gr!CC
ELpkDlN
,etTxe
ExitProcess
eYlInii
f/3X0/_
@*< FF
F:\g1fd.ex
fh|`$3
F-#.TMP
Furlmf
fvxwpx
~'g7jk
g@b	g(
?GetCe9Y
GetIfTable
GetProcAddress
GetWindowsDirec=ry
?'g'KP@A0BCp
#h4A(l
h8tg'Ka9:
HHuQfV
HSPECca
	.htm0
IcoOUS
iitPcA
iphlpapi.dll
iriteF
+is-5.h
KERNEL32.DLL
k#/$n'(E
KTh+dI
l6pqKr(s
(LG1X4Y
lGetl7
LMux i686
LoadLibraryA
[LpkUY
LThis pro
lyozr){
maVi/"bys
m cannot be run in DOS mode.
MceCtrlHao
MmentVari
.ms-"n
MSVCRT.dll
,.N CLRT
!NET ^&&%$
_NHU"6F@+\
nopqrstuvwxyz0123456789+/
NWc#l:n
o`9J9P9T9X9\9n
OM+ SuppH@
OpenServiceA
OWurrv
P0Z0a0n0u0
pMiCn3
}pqt!mRC
 pX0Qav'
QF['^d
RARZIPC!
rcu4$)
rgs9z4
RIPTION\Sy
rj(Z}X4~
RST\XYZabcdefghijklm
.s3!yt(
 \\%s %d
/sh1wa
SHDeleteKeyA
SHELL32.dll
ShellExecuteA
SHLWAPI.dll
Sh$tPathNamCcloses~
Sizeof-O
sUnl=oOp
t1g|9m/
tConti
!This program cannot be run in DOS mode.
Tl4rcp
tonsWS2_32.dll
t''OPExQ
tp:/,s:;/
t\Ser7
TSeT4KwrUV
@%T	ye
<=<u<|<
UAdd7`0
_UAE@XZ
U_-Ag=:
u[d<tP
uP66K]
USER32.dll
Vge:X<}
VirtualAlloc
VirtualFree
VirtualProtect
;Vr=31
vt_sp_n
WS2_32.dll
wsprintfA
x7VJE]
+X(,a3]
X?]f'bb
XPTPSW
XYa01'Kwr23LG45
YSTEMeY
zi^a/5f (X