Analysis Date: 2014-11-13 12:38:46
MD5: d511485eb0ec1c9ca771e75ee89db1d5
SHA1: ee3bf4f4cc6f8dd90acc805441bb3b63b46018df

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: f2f8a82bcac2eb17de64619c1a21ace5 sha1: 4ad00c41780bf4a81ab0b943967dadd78f23617e size: 2048
Section .rdata md5: 67a73ba618464cf8bfe21026b4308810 sha1: 302b9e77c4f3b97ef835ba832cc53208184ab352 size: 512
Section .data  md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .rsrc  md5: 3bc81f519543c5fc5ff89982cc6518af sha1: 4fac48021f68234a4c018c9f969f9c4e98a7cac0 size: 47818
Timestamp: 2004-09-08 21:23:24
Version:
LegalCopyright: Copyright (C) 1999-2002 Masanao Izumo <mo@goice.co.jp>
Copyright (C) 1995 Tuukka Toivonen <tt@cgs.fi>
InternalName: timw32g
FileVersion: 2, 13, 0, 0
CompanyName:
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: TiMidity++ Win32GUI Version
SpecialBuild:
ProductVersion: 2, 13, 0, 0
FileDescription: timw32g
OriginalFilename: timw32g.exe
PEhash: 3a963e70b837012f03e87d6ba952a6d76f731c6f
IMPhash: f12a386eb16c07c50e17cd9346284b55
AV 360 Safe: Virus.Win32.Madang.C
AV Ad-Aware: Win32.Madangel.I
AV Alwil (avast): Madangel:Win32:Madangel
AV Arcabit (arcavir): W32.ChineHacker.B
AV Authentium: W32/Downloader.BL.gen!Eldorado
AV Avira (antivir): W32/Small.l
AV BullGuard: Win32.Madangel.I
AV CA (E-Trust Ino): Win32/Madangel
AV CAT (quickheal): W32.Madang.A
AV ClamAV: W32.Madangel
AV Dr. Web: Trojan.MulDrop3.14959
AV Emsisoft: Win32.Madangel.I
AV Eset (nod32): Win32/Madang.B virus
AV Fortinet: W32/Madang.C!tr
AV Frisk (f-prot): W32/Downloader.BL.gen!Eldorado
AV F-Secure: Win32.Madangel.I
AV Grisoft (avg): Win32/Madang.C
AV Ikarus: Virus.Win32.Small
AV K7: Virus ( 00001b721 )
AV Kaspersky: Virus.Win32.Small.l
AV MalwareBytes: Trojan.Agent.BFG
AV Mcafee: W32/Alisa.d
AV Microsoft Security Essentials: Virus:Win32/Madang.A
AV MicroWorld (escan): Win32.Madangel.I
AV Norman: Win32.Madangel.I
AV Rising: Win32.AngryAngel.f
AV Sophos: W32/Madang-Fam
AV Symantec: W32.Madangel
AV Trend Micro: PE_MADANGEL.D
AV VirusBlokAda (vba32): Virus.Win32.Small.L

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Serverx ➝
C:\WINDOWS\system32\Serverx.exe\\x00^\\xb9\\x10w\\x10\\xec\\xddw\\x93\\xe9@\\x00\\x90\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x1c\\xfe\\x12\\x00\\xa7Tne\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa7Tne\\xde\\x07\\x0b\\x00\\x04\\x00\\r\\x00\\x11\\x00(\\x00\\x1a\\x00B\\x02\\x9c\\xfd\\x12\\x00\\x11\\x00(\\x00x\\xfe\\x12\\x00\\x04\\x00\\x00\\x00\\x90\\x00\\x00\\x00\\x93\\xe9@\\x00\\x04\\x00\\x00\\x00\\xe3-le,Une\\xa7Tne\\x8aVne\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90Tne\\x90\\x00\\x00\\x00\\xf5Tne\\x93\\xe9@\\x00\\x0fUne\\x04\\x00\\x00\\x00%Une\\x04\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xa6\\xe9@\\x000\\xae\\x80|\\x14\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x84\\xfe\\x12\\x00x\\xff\\x12\\x00\\x88Ome\\x90\\x00\\x00\\x00\\x84\\xfe\\x12\\x00x\\xff\\x12\\x00\\x01\\x00\\x00\\x00\\x1c]me\\x90\\x00\\x00\\x00\\x93\\xe9@\\x00\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xa6\\xe9@\\x00\\x00\\x00\\x00\\x00
Creates File: C:\WINDOWS\system32\Serverx.exe
Creates Process: C:\malware.exe
Creates Mutex: Angry Angel v3.0

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\pofpopitegra ➝ C:\Documents and Settings\Administrator\pofpopitegra.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\pofpopitegra.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Angry Angel v3.0
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: pofpopitegra
Winsock DNS: kvadratoff.ru
Winsock DNS: genmar.gen.tr
Winsock DNS: digpro.se
Winsock DNS: urantiaproject.com
Winsock DNS: sullyfrance.com
Winsock DNS: eleterno.com
Winsock DNS: heliomare.nl
Winsock DNS: bigjohnsbeefjerky.com
Winsock DNS: floridadoubled.com
Winsock DNS: frederickallergy.com
Winsock DNS: macgregor.co.kr
Winsock DNS: figabara.com
Winsock DNS: selldoor.pl
Winsock DNS: coopsupermarkt.nl
Winsock DNS: e-kagami.com
Winsock DNS: egao.net
Winsock DNS: meubles-jacquelin.com
Winsock DNS: cgc-england.com
Winsock DNS: sarahdavid.com
Winsock DNS: djkentaro.com

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: C:\setupx.dll
Winsock DNS: 192.168.4.143
Winsock URL: http://192.168.4.143/setupx.dat

Process
↳ C:\setupx.dll

Network Details:

DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net
Type: A
98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net
Type: A
63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net
Type: A
98.138.105.21
DNS: smtp.live.com
Type: A
DNS: smtp.mail.yahoo.com
Type: A
HTTP GET: http://192.168.4.143/setupx.dat
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.139.211.125:25
Flows TCP: 192.168.1.1:1034 ➝ 192.168.1.1:80

Raw Pcap
0x00000000 (00000)   47455420 2f736574 7570782e 64617420   GET /setupx.dat 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a41 63636570 742d456e   : */*..Accept-En
0x00000030 (00048)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x00000040 (00064)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x00000050 (00080)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000060 (00096)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000070 (00112)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x00000080 (00128)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x00000090 (00144)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x000000a0 (00160)   486f7374 3a203139 322e3136 382e342e   Host: 192.168.4.
0x000000b0 (00176)   3134330d 0a436f6e 6e656374 696f6e3a   143..Connection:
0x000000c0 (00192)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....


Strings
#

000004e4
16KHz Lowpath filter
2, 13, 0, 0
3DNOW
Apply
Arbum
Artist
Bitrate
Bug Tracking System(&B)
Cancel
Ch01
Ch02
Ch03
Ch04
Ch05
Ch06
Ch07
Ch08
Ch09
Ch10
Ch11
Ch12
Ch13
Ch14
Ch15
Ch16
Ch17
Ch18
Ch19
Ch20
Ch21
Ch22
Ch23
Ch24
Ch25
Ch26
Ch27
Ch28
Ch29
Ch30
Ch31
Ch32
Channel
CLEAR
C L E A R
CMOV
Command line option
Comments
CompanyName
Config(&C)
Console(&C)
Console Window (TiMidity Win32GUI)
Copyright (C) 1995 Tuukka Toivonen <tt@cgs.fi>
Copyright (C) 1999-2002 Masanao Izumo <mo@goice.co.jp>
Default
Default Drum Channel
Document(&D)
Document Window (TiMidity Win32GUI)
E3DNOW
EMMX
Emphasis type
Encode Mode
Enhanced Lowpath Filter
Equal
Exit TiMidity.+Load ini file to apply TiMidity parameters.*Save ini file to save TiMidity parameters.0Open/Close playlist window to select midi files.
Exit(&X)
FileDescription
File(&F)
FileVersion
%\|H
Help(&H)
Ignore Auto Detect Channel
InternalName
J-Stereo Stereo/MS-Stereo Control
LegalCopyright
LegalTrademarks
List Window (TiMidity Win32GUI)
Load ini file(&L)
Load Playlist(&P)
Mean-tone
Mode
MP3 (gogo) Configuration
MPEG1Audio
MPEG2Audio
Mute Channel
Mute temperament type
Not Supported.
Ogg Vorbis Configurations
Online Help(&O)
Open/Close Console Window.)For debugging by developpers of TiMidity.
Open Directory(&D)
Open File(&F)
-Open midi files and add them to the playlist.
;Open the dialog of the modification of TiMidity parameters.
OriginalFilename
Output format
Output Frequency
para1
para2
Play List(&L)
Preference(&P)
PrivateBuild
ProductName
ProductVersion
Pure int.
Pythagoras
REFINE
Reload cfg file(&F)
Reverse
Save ini file(&S)
Save Playlist as(&S)
SpecialBuild
SSE2
Store follows information
StringFileInfo
Supplement(&S)
TEXTINCLUDE
	Times New Roman
Times New Roman
TiMidity++(&T)
TiMidity++ Win32GUI Version
timw32g
timw32g.exe
Title
Tracer(&T)
Tracer Window (TiMidity Win32GUI)
Translation
UNIQ
Use follow options
Use Psy
User #0
User #1
User #2
User #3
VALID
VarFileInfo
VBR - Maximum
VBR - Minimum
VERBOSITY
Verify
"Version information of TiMidity++.
Version(&V)
VS_VERSION_INFO
VwL@
WHLL
Window(&W)
Wrd tracer(&W)
0U6)Sy
!.2]?e
2y[$((
30	}QD
3eheyS
.[3ID!
+469ps
4Nh]( 
5U4!w|{
5u,P f9T|
6?P]G0
7grcWX~Q
7&>>@i
7UJm.WC
91;O)9e
9'C3#\K
9;Zp~6
ADVAPI32.DLL
@#a+eV[>
akp`>e
A&lA)]vb
Angry Angel v3.0
AutoShareServer
AutoShareWks
B@j,G+n
(},BMA
cA.2xy
CloseHandle
closesocket
connect
CreateKernelThread
CreateMutexA
CreateRemoteThread
CreateThread
C:\setupx.dll
c%ww8A@
@.data
#define APSTUDIO_HIDDEN_SYMBOLS
DeleteFileA
dI%})38G
DllHasRun
`-e}d0i
E^>&Jf
e,JWB0E]
e'ki"m
E	w\yl&+
=.exet
fcFotrOx
FH}|WyA),|%z.
FindClose
FindFirstFileA
FindNextFileA
FindWindowA
}*!fL>
'~frt+
fy584=a
 G5[ml
gdi32.dll
GetCommandLineA
GetComputerNameA
GetCurrentProcess
GetCurrentProcessId
GetDriveTypeA
gethostbyname
GetLastError
GetModuleHandleA
GetObjectA
GetProcAddress
GetSystemDirectoryA
GetSystemTime
GetWindow
GetWindowThreadProcessId
{gftVk?
G`]#MlV6<
H}nfAdQ~0
_H&p'<
http://vguarder.91i.net/SETUPX.EXE
(H>-Y	
.idata
#include "commctrl.h"
#include "w32g_rec.h"
#include "windows.h"
,Jm4H"
jsxK]U
j$Zi2g<&
kernel32.dll
KERNEL32.dll
Kgym*>
K"T)f:0s
KW+bc?!Xe
_lclose
_lcreat
LEI]PDb6_
 LkxycQ=dY
_llseek
LoadImageA
LoadLibraryA
LoadLibraryExA
_lopen
_lread
L`s,Pdw0Th{4
_lwrite
MessageBoxA
MPR.DLL
N,8 A-Q
[nM(Wp~5`s`e@^^;P
OpenMutexA
OpenProcess
OY!2T5
ptVh.wM
QdUB*@t
?qWD2;
R?d~9[$
`.rdata
RegisterServiceProcess
RegNotifyChangeKeyValue
RegOpenKeyA
RegQueryValueExA
RegSetValueExA
.reloc
=.scrt
SendMessageA
Serverx
\Serverx.exe
SetCurrentDirectoryA
SetFileAttributesA
SetFileTime
\setupx.exe
SFlFQe
S#g*# DJ
SHELL32.DLL
ShellExecuteA
ShowCursor
SlL~VPhf
socket
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SR.%JbL
SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
!t1J/\^
TerminateThread
!This program cannot be run in DOS mode.
This program must be run under Win32
TM"Y]rR
*tUy*=
t@y]xD
uc;c~R(`UMJg
|Uf \TO
#undef APSTUDIO_HIDDEN_SYMBOLS
\updatex.exe
URLDownloadToFileA
URLMON.DLL
user32.dll
USER32.DLL
'US|Qo1n
UyD Y}
UyT Y}X$]
V4Xf=`
VirtualAllocEx
vqJ3e9
w32g_res.h
WaitForSingleObject
WideCharToMultiByte
=windtz
WinExec
    =winn
WNetCloseEnum
WNetEnumResourceA
WNetOpenEnumA
WriteProcessMemory
WSACleanup
WSAStartup
WSOCK32.DLL
wsprintfA
Wv|atH@
XmC(T[
X^nxe}
XrsHL*Qgz
x*}X$]
%yT!Y|
%Z1B^0|Z