Analysis Date: 2015-10-12 14:10:13
MD5: b9044f94e124a218470dca89b1f6148f
SHA1: eef85277ee984f984525d9d7451d3d130983886f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: ddc625f4e59fd881db0f6daa713018ed sha1: dcdcfd5c49299c935f5f439c427ce904c4b28ad5 size: 77824
Section .rdata: md5: 138e4911bfea4b6a91577d309438530c sha1: efb0481e6eaf53d1502c49a0c8363cde5c0c3953 size: 10752
Section .data: md5: 85944440aeb876fb61376fe6deecc22e sha1: d6e2609778c76452bf1d49b91cc1b29276cb0dbe size: 7168
Section .rsrc: md5: 201eea47f80f1ae976788ff5ac6d1358 sha1: a45169d7935615976270e9e99d9121379f79fd06 size: 573440
Section .reloc: md5: 80c647c743816381d171b5fa4470220e sha1: 04d0ffdb1981465f880a46d5e03e266734136eaf size: 6656
Timestamp: 2011-11-20 14:05:21
Pdb path: G:\Working\SVN\vc\XP2P\NP2P\Release\NP2P.pdb
Version:
  LegalCopyright: Copyright (C) 2015
  InternalName: NP2P
  FileVersion: 1, 1, 15, 910
  ProductName: NP2P 应用程序
  ProductVersion: 1, 1, 15, 910
  FileDescription: NP2P 应用程序
  OriginalFilename: NP2P.exe
Packer: Microsoft Visual C++ ?.?
PEhash: d9dbc2059b107429c97c6af6a4c33d13f0e39ac9
IMPhash: 1f1e457af2c3479681d26d73af8e0de1
AV Fortinet: W32/Injector.NKOZ!tr
AV Trend Micro: no_virus
AV BitDefender: Gen:Variant.Mikey.25035
AV Kaspersky: Trojan-Dropper.Win32.Injector.nkoz
AV MicroWorld (escan): Gen:Variant.Mikey.25035
AV Ikarus: Trojan.Backdoor.PoisonIvy
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV K7: no_virus
AV Rising: no_virus
AV Arcabit (arcavir): Gen:Variant.Mikey.25035:Gen:Variant.Graftor.247498
AV Twister: no_virus
AV Grisoft (avg): BackDoor.PoisonIvy.AT.dropper
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV Dr. Web: Trojan.DownLoader16.35178
AV MalwareBytes: no_virus
AV Zillya!: Dropper.Injector.Win32.71450
AV VirusBlokAda (vba32): BScope.Trojan.SvcHorse.01643
AV Authentium: W32/Downloader.C.gen!Eldorado
AV Frisk (f-prot): W32/Downloader.C.gen!Eldorado
AV F-Secure: Gen:Variant.Mikey.25035
AV Symantec: no_virus
AV ClamAV: no_virus
AV Emsisoft: Gen:Variant.Mikey.25035
AV Eset (nod32): no_virus
AV Avira (antivir): TR/Hijacker.Gen
AV Microsoft Security Essentials: no_virus
AV CA (E-Trust Ino): no_virus
AV BullGuard: Gen:Variant.Mikey.25035
AV Ad-Aware: Gen:Variant.Mikey.25035
AV McAfee: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\o4734a4\epjSe2B.dll
Creates File: C:\WINDOWS\system32\drivers\xtfilemon.inf
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\WINDOWS\b7j6sKI.sys
Creates File: C:\WINDOWS\o4734a4\wMmMg77.dll
Creates File: C:\WINDOWS\SBYQDLP\sccon0987.txt
Creates File: C:\WINDOWS\system32\drivers\xtfilemon.sys
Creates File: C:\WINDOWS\system32\drivers\blackList.base
Creates File: \Device\Afd\Endpoint
Deletes File: C:/WINDOWS/b7j6sKI.sys
Creates Process: net start xtfilemon
Creates Process: C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/o4734a4/epjSe2B.dll,DllLoadX dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDc1IHBhcmFtOg==
Creates Process: c:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf
Creates Process: c:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf
Creates Process: C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/o4734a4/epjSe2B.dll,DllLoad dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDcxIHBhcmFtOg==
Creates Mutex: XROMain
Creates Service: yO373 - C:/WINDOWS/b7j6sKI.sys
Winsock URL: http://cdn.p2ptool.com/p2p/black.txt

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: \Device\Afd\Endpoint

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1860

Process
↳ Pid 1176

Process
↳ C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/o4734a4/epjSe2B.dll,DllLoad dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDcxIHBhcmFtOg==

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: M2ProcProt
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: XMX_XP2P_YT_3275
Creates Mutex: XROMain
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: np2p.soomeng.com

Process
↳ C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/o4734a4/epjSe2B.dll,DllLoadX dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDc1IHBhcmFtOg==

Creates File: \Device\Tcp
Creates Mutex: ZonesLockedCacheCounterMutex
Creates Mutex: ZonesCounterMutex
Creates Mutex: ZonesCacheCounterMutex

Process
↳ c:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\xtfilemon\DebugFlags ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv ➝ grpconv -o\\x00
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\GroupOrderList\FSFilter Activity Monitor ➝ NULL
Creates Process: runonce -r
Creates Service: xtfilemon - system32\DRIVERS\xtfilemon.sys

Process
↳ c:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf

Creates File: PIPE\lsarpc

Process
↳ net start xtfilemon

Creates Process: net1 start xtfilemon

Process
↳ runonce -r

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates Process: "C:\WINDOWS\system32\grpconv.exe" -o

Process
↳ net1 start xtfilemon

Starts Service: xtfilemon

Process
↳ "C:\WINDOWS\system32\grpconv.exe" -o

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GrpConv\Log ➝ Init Application.\\x00

Network Details:

DNS: www.a.shifen.com (Type: A) ➝ 103.235.46.39
DNS: so.qh-lb.com (Type: A) ➝ 106.120.160.134
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.231.22
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.234.3
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.234.4
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.235.3
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.235.5
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.235.6
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.236.2
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.236.3
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.236.5
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.236.6
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.231.20
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.231.21
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.231.21
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.231.22
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.234.3
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.234.4
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.235.3
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.235.5
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.235.6
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.236.2
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.236.3
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.236.5
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.236.6
DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 8.37.231.20
DNS: www.baidu.com (Type: A)
DNS: www.so.com (Type: A)
DNS: cdn.p2ptool.com (Type: A)
DNS: np2p.soomeng.com (Type: A)
HTTP GET: http://cdn.p2ptool.com/p2p/black.txt
  User-Agent: Test
HTTP GET: http://np2p.soomeng.com/bmy/?usr=lgflfs.2&mac=XXXXXXXXXXXX&ver=1.1.15.910
  User-Agent: Test
Flows TCP: 192.168.1.1:1031 ➝ 106.120.160.134:80
Flows TCP: 192.168.1.1:1032 ➝ 106.120.160.134:80
Flows TCP: 192.168.1.1:1035 ➝ 8.37.231.22:80
Flows TCP: 192.168.1.1:1036 ➝ 8.37.231.21:80
