Analysis Date: 2014-09-06 00:12:28
MD5: 4ab76ace0b81eae20c64595c6a1c7b65
SHA1: edaa723152964352867fd68e508cb5b59fa253c0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (raw size 0 — these are the hashes of empty input; in a UPX layout the first section normally carries no data on disk and is filled only by the in-memory unpack)
Section UPX1 md5: 69606dc29fb53a2b8ccca6bf8e6882a7 sha1: cf114eb9da0efaca293e0b90fdb1d93e32077d11 size: 42496 (typically the compressed payload plus the UPX decompression stub)
Section UPX2 md5: 0f63bc69994f3ff76dea05e93e0f70b2 sha1: d5f36dfb94f18ce1ba4d834cbe14d90b37734d97 size: 512
Timestamp: 2004-03-19 08:58:54 (PE header compile timestamp; trivially forgeable, so treat it as a hint rather than evidence of the build date)
Packer: UPX -> www.upx.sourceforge.net (everything in this static section and in the Strings list below describes the packed file; unpack it — `upx -d` works if the headers are unmodified — before doing any static analysis of the real code or import table)
PEhash: 6b28631e418d918f9fc8a345562c17fef5a284c6
IMPhash: c7ecd1a0a4200634e300116dcad86d0d (computed over the packed file's stub import table, so it largely reflects the UPX stub and will collide with other UPX-packed samples importing the same DLL set; a weak pivot here)

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\msgfixed.exe (copies itself into System32; that this write succeeded implies the sandbox ran the sample with administrative rights)
Creates Process: C:\WINDOWS\system32\msgfixed.exe (hands off to the dropped copy; the report records no further activity for C:\malware.exe)
Creates Mutex: jop (the dropped copy creates the same mutex below — a single-instance guard; the fixed name is a usable host indicator)

Process
↳ C:\WINDOWS\system32\msgfixed.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Msg Fixage ➝ msgfixed.exe\\x00\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Msg Fixage ➝ msgfixed.exe\\x00\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Msg Fixage ➝ msgfixed.exe\\x00\\x00
(Three persistence entries under the value name "Msg Fixage". The data is the bare file name — the trailing \x00\x00 are the captured null terminators — so it is resolved through the search path, on which System32 sits. The two HKLM writes require administrative rights; a non-admin run would leave only the HKCU entry. RunServices is honored only by Windows 9x/ME and is ignored on NT-based systems, which is consistent with an IRC bot of this era written to persist on both families.)
Creates File: PIPE\lsarpc (opens the LSA RPC named pipe; what it queries is not recoverable from this report)
Creates File: \Device\Afd\Endpoint (Winsock socket creation — the handle behind the TCP flows below)
Creates Mutex: jop

Network Details (all flows originate from the sandbox guest, 192.168.1.1; the only destination port is 6667/tcp, the default plaintext IRC port):

DNS irc.abjects.net (primary C2 host; the lookup returned the eight round-robin A records listed here and below — consistent with a public IRC network being abused for C2, so blocking by IP is both brittle and likely to hit legitimate users of that network; the host, mutex and registry artifacts above and the nick pattern in the capture below are the more durable indicators. Every connection in this run went to the first answer, 91.217.189.77.)
Type: A
91.217.189.77
DNSirc.abjects.net
Type: A
62.210.211.122
DNSirc.abjects.net
Type: A
37.59.60.133
DNSirc.abjects.net
Type: A
37.59.41.117
DNSirc.abjects.net
Type: A
195.154.6.113
DNSirc.abjects.net
Type: A
192.241.89.206
DNSirc.abjects.net
Type: A
192.186.136.206
DNSirc.abjects.net
Type: A
94.23.42.81
DNS r0x.myvnc.com (no A record recorded in the sandbox — a dynamic-DNS name, presumably a fallback C2 that was not resolving at analysis time)
Type: A
DNS irc.freshirc.com (no A record recorded — presumably a second fallback IRC server)
Type: A
Flows TCP192.168.1.1:1031 ➝ 91.217.189.77:6667
Flows TCP192.168.1.1:1033 ➝ 91.217.189.77:6667
Flows TCP192.168.1.1:1034 ➝ 91.217.189.77:6667
Flows TCP192.168.1.1:1035 ➝ 91.217.189.77:6667
Flows TCP192.168.1.1:1036 ➝ 91.217.189.77:6667
Flows TCP192.168.1.1:1037 ➝ 91.217.189.77:6667
Flows TCP192.168.1.1:1038 ➝ 91.217.189.77:6667
Flows TCP192.168.1.1:1039 ➝ 91.217.189.77:6667
Flows TCP192.168.1.1:1040 ➝ 91.217.189.77:6667
Flows TCP192.168.1.1:1041 ➝ 91.217.189.77:6667
Flows TCP192.168.1.1:1042 ➝ 91.217.189.77:6667
Flows TCP192.168.1.1:1043 ➝ 91.217.189.77:6667
Flows TCP192.168.1.1:1044 ➝ 91.217.189.77:6667
(Thirteen connections from consecutive ephemeral ports 1031–1044 — 1032 is absent — all to the same server. Each capture below holds only the client's registration line, with no server reply, JOIN or channel traffic, so the bot appears to be stuck in a reconnect loop; whether the server dropped it or the sandbox's network filtering did is not determinable from this report. A burst of short-lived 6667/tcp sessions from one host is itself a reasonable alert condition.)

Raw Pcap (one capture per TCP flow above; each shows only the IRC registration handshake — `NICK [KuanG]-<9 digits>` followed by `USER [KuanG]-<9 digits> 0 0 :[KuanG]-<the nick's digits>`, i.e. the username is a second random number and the realname repeats the nick. The `..` in the ASCII column is CR LF (0d0a). Both numbers change on every reconnect, so a network signature should match the fixed prefix, e.g. `NICK \[KuanG\]-[0-9]{9}\r\n` on 6667/tcp, not a specific nick. No server response, JOIN or command traffic was recorded, so the C2 channel and command set are not recoverable from this run.)
0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d343437   NICK [KuanG]-447
0x00000010 (00016)   33333130 35300d0a 55534552 205b4b75   331050..USER [Ku
0x00000020 (00032)   616e475d 2d373133 37383933 33312030   anG]-713789331 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 34343733    0 :[KuanG]-4473
0x00000040 (00064)   33313035 300d0a                       31050..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d323535   NICK [KuanG]-255
0x00000010 (00016)   33373930 31350d0a 55534552 205b4b75   379015..USER [Ku
0x00000020 (00032)   616e475d 2d343038 30313031 31372030   anG]-408010117 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 32353533    0 :[KuanG]-2553
0x00000040 (00064)   37393031 350d0a                       79015..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d373535   NICK [KuanG]-755
0x00000010 (00016)   31353336 34380d0a 55534552 205b4b75   153648..USER [Ku
0x00000020 (00032)   616e475d 2d303039 38383437 35392030   anG]-009884759 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 37353531    0 :[KuanG]-7551
0x00000040 (00064)   35333634 380d0a                       53648..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d313636   NICK [KuanG]-166
0x00000010 (00016)   31323730 39320d0a 55534552 205b4b75   127092..USER [Ku
0x00000020 (00032)   616e475d 2d333238 36353833 30342030   anG]-328658304 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 31363631    0 :[KuanG]-1661
0x00000040 (00064)   32373039 320d0a                       27092..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d303631   NICK [KuanG]-061
0x00000010 (00016)   34343039 36360d0a 55534552 205b4b75   440966..USER [Ku
0x00000020 (00032)   616e475d 2d393230 35333339 35362030   anG]-920533956 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 30363134    0 :[KuanG]-0614
0x00000040 (00064)   34303936 360d0a                       40966..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d333630   NICK [KuanG]-360
0x00000010 (00016)   31323435 31390d0a 55534552 205b4b75   124519..USER [Ku
0x00000020 (00032)   616e475d 2d363335 36353538 33302030   anG]-635655830 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 33363031    0 :[KuanG]-3601
0x00000040 (00064)   32343531 390d0a                       24519..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d373631   NICK [KuanG]-761
0x00000010 (00016)   39393831 36330d0a 55534552 205b4b75   998163..USER [Ku
0x00000020 (00032)   616e475d 2d393336 36323034 38342030   anG]-936620484 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 37363139    0 :[KuanG]-7619
0x00000040 (00064)   39383136 330d0a                       98163..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d333232   NICK [KuanG]-322
0x00000010 (00016)   35383738 32360d0a 55534552 205b4b75   587826..USER [Ku
0x00000020 (00032)   616e475d 2d323933 37373237 31352030   anG]-293772715 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 33323235    0 :[KuanG]-3225
0x00000040 (00064)   38373832 360d0a                       87826..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d373333   NICK [KuanG]-733
0x00000010 (00016)   32363134 37380d0a 55534552 205b4b75   261478..USER [Ku
0x00000020 (00032)   616e475d 2d393738 30393335 39312030   anG]-978093591 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 37333332    0 :[KuanG]-7332
0x00000040 (00064)   36313437 380d0a                       61478..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d323930   NICK [KuanG]-290
0x00000010 (00016)   37303336 37350d0a 55534552 205b4b75   703675..USER [Ku
0x00000020 (00032)   616e475d 2d313539 38383634 34352030   anG]-159886445 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 32393037    0 :[KuanG]-2907
0x00000040 (00064)   30333637 350d0a                       03675..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d353939   NICK [KuanG]-599
0x00000010 (00016)   34373732 32300d0a 55534552 205b4b75   477220..USER [Ku
0x00000020 (00032)   616e475d 2d383334 31303933 31312030   anG]-834109311 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 35393934    0 :[KuanG]-5994
0x00000040 (00064)   37373232 300d0a                       77220..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d393931   NICK [KuanG]-991
0x00000010 (00016)   32353136 36320d0a 55534552 205b4b75   251662..USER [Ku
0x00000020 (00032)   616e475d 2d313635 39383339 36332030   anG]-165983963 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 39393132    0 :[KuanG]-9912
0x00000040 (00064)   35313636 320d0a                       51662..

0x00000000 (00000)   4e49434b 205b4b75 616e475d 2d383036   NICK [KuanG]-806
0x00000010 (00016)   35373234 32380d0a 55534552 205b4b75   572428..USER [Ku
0x00000020 (00032)   616e475d 2d373635 37353735 31362030   anG]-765757516 0
0x00000030 (00048)   2030203a 5b4b7561 6e475d2d 38303635    0 :[KuanG]-8065
0x00000040 (00064)   37323432 380d0a                       72428..


Strings (extracted from the packed file, so most entries are compressed data. The readable API and DLL names are the UPX stub's minimal import table — the stub's own KERNEL32 needs (LoadLibraryA, GetProcAddress, VirtualAlloc/VirtualFree/VirtualProtect, ExitProcess) plus one function per other DLL the original imported — so they only hint at what the unpacked code uses: WININET and WS2_32 for networking, MPR/WNetAddConnection2A for network-share connections, SHELL32/ShellExecuteA, USER32/FindWindowA and ADVAPI32/RegCloseKey. `XPTPSW` is a marker commonly seen in UPX stubs. Unpack the sample to recover the real strings and import list.)
A
l
.?
A
l
.?

*0)quf*2
!2NU_"
2\u_Zmv
]|[4c 
.53oL&
:6c.-;
6Vt~k6
7qi5%(
9l$\w_
9tX#pO}
ADVAPI32.dll
AG87MV
aOhAVQ
^?A>XK
]cp/K_x^
.)D$H)
dM1X	l
D$t+D$\
D$t#D$h
e6$xs(
E9ml~v
elzkeZ
eqp0xt
ExitProcess
@eZ^D3d
FFShnW
FindWindowA
{F+:s/)
FvV?ZrS
~{#~G5_
GetProcAddress
hj^]*c
hl`XR86
!h*tzh
I4`1o"
I|7Irp
IFQ-lU
InternetOpenA
jfF}:1e
 JL=<vF
jnDXIs
k.0l}ZuTE%*-x6@
kAqOA5mDZ,(v
K~Biw~
KERNEL32.DLL
K"GDU)t
k[<u <
:kzQ7.
!lI0vI
,LI'3iI,
'L}jIGuj
*'lk=f
LLd3m*hw
LoadLibraryA
LQL5c)d
MPR.dll
nE8x}.
NH("oT&^U
noL~Od
NYg-Mb
oD{7Aoe
OnO!1G
(PoiNSE
P	>>%Q
psU?oH3X
P?Y<O-
Pyy|k,#|
\QoFi5
qUA=?)
q]y+)h
RegCloseKey
r J.~Ks
SHELL32.dll
ShellExecuteA
s`)L$4
!This program cannot be run in DOS mode.
t$t#t$l
T#YJz1
ug69xT
USER32.dll
VirtualAlloc
VirtualFree
VirtualProtect
#V?Soi
V`sU9>
WININET.dll
WNetAddConnection2A
'wPrZxO
WS2_32.dll
WSWB0f
w.TB!{
 =x.?$
XL)^Fe
XPTPSW
\#Xqqi4.K
X+ s4}
Z:DEvWd
Z,kMXF
zz0$CC