Analysis Date: 2013-08-18 11:10:25
MD5: 6b86a58dbebebca202ecc070306b4393
SHA1: e8ebd1827a1ba412646ecaa98847842a1de0641b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: 406047a70fd418dcef4fa2f7b9b177ec sha1: 54698b1398ae21d6c881648c2fc03e6057d1223e size: 86016
Section .rsrc — md5: 711e05d31833bfac8645a58caa868ed6 sha1: a9d65d0aaeff0205a9e8eec24282a24ffe61ef0c size: 16384
Timestamp: 2011-08-17 02:32:37
Packer: Microsoft Visual Basic v5.0
PEhash: d6d4ba324ec49c1c23eca9fa7c73b5ed81e1495b
AV (clamav): Win.Trojan.Agent-196315

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CLASSES_ROOT\Directory\Background\shellex\ContextMenuHandlers\{FCO94F32-9210-4A7D-AAE8-BB0320CB1D10}\ ➝
{6DCB487C-0DFA-48C2-ABDC-296BBD892262}
Registry: HKEY_CLASSES_ROOT\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ ➝
ShellExt\\x00
Registry: HKEY_CLASSES_ROOT\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\ ➝
pIContextMenu.ShellExt\\x00
Registry: HKEY_CLASSES_ROOT\pIContextMenu.ShellExt\ ➝
pIContextMenu.ShellExt\\x00
Registry: HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{FCO94F32-9210-4A7D-AAE8-BB0320CB1D10}\ ➝
{6DCB487C-0DFA-48C2-ABDC-296BBD892262}
Registry: HKEY_CURRENT_USER\Control Panel\International\nTimes ➝
66
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF5989.tmp
Creates File: C:\_ze3j.bat
Creates File: C:\setup.ad
Creates File: C:\setup1.ad
Creates File: C:\WINDOWS\system32\gugprd.dll
Creates File: C:\WINDOWS\system32\setup.ad
Deletes File: C:\setup.ad
Deletes File: C:\setup1.ad
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628546.html
Creates Process: C:\_ze3j.bat
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://g.100goo.com/VipUrl.aspx?P=6181
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://86.826060.com/cj/direct/629108.html
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628635.html
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://g.100goo.com/VipUrl.aspx?P=6181
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://86.826060.com/cj/direct/629073.html

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628546.html

RegistryHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝
1
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex_SHuassist.mtx
Creates MutexShell.CMruPidlList

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://g.100goo.com/VipUrl.aspx?P=6181

RegistryHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝
1
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex_SHuassist.mtx
Creates MutexShell.CMruPidlList

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://g.100goo.com/VipUrl.aspx?P=6181

RegistryHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝
4
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order ➝
NULL
RegistryHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝
3
RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝
NULL
RegistryHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝
4
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates MutexShell.CMruPidlList
Winsock DNSg.100goo.com

Process
↳ C:\_ze3j.bat

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://86.826060.com/cj/direct/629108.html

RegistryHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B45FF030-4447-11D2-85DE-00C04FA35C89}\iexplore\Type ➝
1
RegistryHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝
4
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order ➝
NULL
RegistryHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝
3
RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝
NULL
RegistryHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝
4
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates File\Device\Afd\AsyncConnectHlp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates MutexShell.CMruPidlList
Winsock DNS86.826060.com

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://u.9lwan.com/cj/direct/628635.html

RegistryHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B45FF030-4447-11D2-85DE-00C04FA35C89}\iexplore\Type ➝
1
RegistryHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝
4
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order ➝
NULL
RegistryHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝
3
RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝
NULL
RegistryHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝
4
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates File\Device\Afd\AsyncConnectHlp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates MutexShell.CMruPidlList
Winsock DNSu.9lwan.com

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://86.826060.com/cj/direct/629073.html

Network Details:

DNS: u.9lwan.com
Type: A
60.28.214.9
DNS: 1st.ecoma.glb0.lxdns.com
Type: A
218.92.221.56
DNS: 1st.ecoma.glb0.lxdns.com
Type: A
218.92.221.55
DNS: 1st.ecoma.glb0.lxdns.com
Type: A
218.92.221.58
DNS: 1st.ecoma.glb0.lxdns.com
Type: A
218.92.221.57
DNS: 86.826060.com
Type: A
DNS: g.100goo.com
Type: A
HTTP GET: http://u.9lwan.com/cj/direct/628635.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://86.826060.com/cj/direct/629108.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 60.28.214.9:80
Flows TCP: 192.168.1.1:1034 ➝ 218.92.221.56:80

Raw Pcap
0x00000000 (00000)   47455420 2f636a2f 64697265 63742f36   GET /cj/direct/6
0x00000010 (00016)   32383633 352e6874 6d6c2048 5454502f   28635.html HTTP/
0x00000020 (00032)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000030 (00048)   0d0a4163 63657074 2d4c616e 67756167   ..Accept-Languag
0x00000040 (00064)   653a2065 6e2d7573 0d0a4163 63657074   e: en-us..Accept
0x00000050 (00080)   2d456e63 6f64696e 673a2067 7a69702c   -Encoding: gzip,
0x00000060 (00096)   20646566 6c617465 0d0a5573 65722d41    deflate..User-A
0x00000070 (00112)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000080 (00128)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000090 (00144)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x000000a0 (00160)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x000000b0 (00176)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000c0 (00192)   290d0a48 6f73743a 20752e39 6c77616e   )..Host: u.9lwan
0x000000d0 (00208)   2e636f6d 0d0a436f 6e6e6563 74696f6e   .com..Connection
0x000000e0 (00224)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f636a2f 64697265 63742f36   GET /cj/direct/6
0x00000010 (00016)   32393130 382e6874 6d6c2048 5454502f   29108.html HTTP/
0x00000020 (00032)   312e310d 0a416363 6570743a 202a2f2a   1.1..Accept: */*
0x00000030 (00048)   0d0a4163 63657074 2d4c616e 67756167   ..Accept-Languag
0x00000040 (00064)   653a2065 6e2d7573 0d0a4163 63657074   e: en-us..Accept
0x00000050 (00080)   2d456e63 6f64696e 673a2067 7a69702c   -Encoding: gzip,
0x00000060 (00096)   20646566 6c617465 0d0a5573 65722d41    deflate..User-A
0x00000070 (00112)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000080 (00128)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000090 (00144)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x000000a0 (00160)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x000000b0 (00176)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000c0 (00192)   290d0a48 6f73743a 2038362e 38323630   )..Host: 86.8260
0x000000d0 (00208)   36302e63 6f6d0d0a 436f6e6e 65637469   60.com..Connecti
0x000000e0 (00224)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x000000f0 (00240)   0d0a                                  ..


Strings