Analysis Date: 2014-07-08 21:15:27
MD5: 66d0bb3894e3e9e8f1783debd82eebd8
SHA1: f3b5fd458fe762d7ec6fa1852367294c6b2441e5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: ebb451837f3c8c5c26dd77e7de9a5ef6 sha1: 9506209ccd88fa72fee94263ceec42a5534784a7 size: 20480
Section .rdata md5: 2a4f3416e219cb3a9bae1033c1fac07b sha1: c9b48bec17853e43c0bad63c0d26f883ce30871f size: 4096
Section .data md5: becda18c5984c9c14bf6c414115b3d97 sha1: bcaae3682ca2e0e2b1abbab1bda2a92a6cbe73b6 size: 12288
Timestamp: 2012-08-10 18:40:14
Packer: Installer VISE Custom
PEhash: 1b684dd345b2623863dd8ff0e4cd2a50ac961eec
IMPhash: 80be0cf15159130d390c890a28b5e3a9
AV 360 Safe: Trojan.Generic.7686288
AV Ad-Aware: Trojan.Generic.7686288
AV Alwil (avast): OnLineGames-GJF [Trj]
AV Arcabit (arcavir): Trojan.Alyak.b
AV Authentium: W32/Sadenav.E.gen!Eldorado
AV Avira (antivir): TR/Alyak.B.1
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Alyak.B3
AV ClamAV: Win.Trojan.Alyak-3
AV Dr. Web: Trojan.DownLoader6.42097
AV Emsisoft: Trojan.Generic.7686288
AV Eset (nod32): Win32/Alyak.A
AV Fortinet: W32/Alyak.B!tr
AV Frisk (f-prot): W32/Sadenav.E.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Trojan.Generic.7686288
AV Grisoft (avg): Generic29.NJK
AV Ikarus: Trojan.Win32.Alyak
AV K7: Trojan ( 0040516f1 )
AV Kaspersky: Trojan.Win32.Alyak.b
AV MalwareBytes: Spyware.OnlineGames
AV Mcafee: Downloader-FCJ
AV Microsoft Security Essentials: TrojanDownloader:Win32/Kanav.B
AV MicroWorld (escan): Trojan.Generic.7686288
AV Norman: win32:win32/SB/Obfuscated_FA
AV Rising: Trojan.Downloader!56ED
AV Sophos: Troj/Alyak-B
AV Symantec: Trojan.Gen
AV Trend Micro: TROJ_ALYAK.SMAE
AV VirusBlokAda (vba32): BScope.Trojan.Win32.Inject.2

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{142309E1-A02B-B9FB-470B-7B4130DD3F90}\stubpath ➝ %SystemRoot%\system32\AYLaunch.exe\\x00
Creates File: C:\WINDOWS\system32\AYLaunch.exe
Creates Process: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{142309E1-A02B-B9FB-470B-7B4130DD3F90}" /f
Creates Process: C:\WINDOWS\system32\cmd.exe /c del C:\F3B5FD~1.EXE > nul
Winsock URL: http://www.ins2060.com/images/1.txt
Winsock URL: http://blog.yahoo.com/_QQPVM4JN73SIEAEHSHJPGJA5WY/articles/732002/commentRss
Winsock URL: http://kglhk.gotoip55.com/2.txt

Process
↳ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{142309E1-A02B-B9FB-470B-7B4130DD3F90}" /f

Process
↳ C:\WINDOWS\system32\cmd.exe /c del C:\F3B5FD~1.EXE > nul

Creates File: nul
Deletes File: C:\malware.exe

Network Details:

DNS: any-rc.a01.yahoodns.net
Type: A
74.6.50.150
DNS: any-rc.a01.yahoodns.net
Type: A
98.139.102.145
DNS: www.ins2060.com
Type: A
211.40.118.18
DNS: blog.yahoo.com
Type: A
DNS: kglhk.gotoip55.com
Type: A
HTTP GET: http://blog.yahoo.com/_QQPVM4JN73SIEAEHSHJPGJA5WY/articles/732002/commentRss
User-Agent: Testing
HTTP GET: http://www.ins2060.com/images/1.txt
User-Agent: Testing
Flows TCP: 192.168.1.1:1031 ➝ 74.6.50.150:80
Flows TCP: 192.168.1.1:1032 ➝ 211.40.118.18:80

Raw Pcap
0x00000000 (00000)   47455420 2f5f5151 50564d34 4a4e3733   GET /_QQPVM4JN73
0x00000010 (00016)   53494541 45485348 4a50474a 41355759   SIEAEHSHJPGJA5WY
0x00000020 (00032)   2f617274 69636c65 732f3733 32303032   /articles/732002
0x00000030 (00048)   2f636f6d 6d656e74 52737320 48545450   /commentRss HTTP
0x00000040 (00064)   2f312e31 0d0a5573 65722d41 67656e74   /1.1..User-Agent
0x00000050 (00080)   3a205465 7374696e 670d0a48 6f73743a   : Testing..Host:
0x00000060 (00096)   20626c6f 672e7961 686f6f2e 636f6d0d    blog.yahoo.com.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

0x00000000 (00000)   47455420 2f696d61 6765732f 312e7478   GET /images/1.tx
0x00000010 (00016)   74204854 54502f31 2e310d0a 55736572   t HTTP/1.1..User
0x00000020 (00032)   2d416765 6e743a20 54657374 696e670d   -Agent: Testing.
0x00000030 (00048)   0a486f73 743a2077 77772e69 6e733230   .Host: www.ins20
0x00000040 (00064)   36302e63 6f6d0d0a 43616368 652d436f   60.com..Cache-Co
0x00000050 (00080)   6e74726f 6c3a206e 6f2d6361 6368650d   ntrol: no-cache.
0x00000060 (00096)   0a0d0a                                ...


Strings
{\
\
. l
         (((((                  H
0123456789ABCDEF
0123456789ABCDEFDEAD0306D7A6A0A2DF
01A6A8A6A8A20B68ABA0A0
04A2A163ABA2A0A20BA26364DCD5D2868DD0DDDEDFD08DDADFDEDCD6D8D2808EADA70B01AF04A280DAA6AE04AD0EADA70B80DFAE0BA607A2638EA20B020380D6A80E0BAFA0A0A2AB63DEADAA03ADA8A2A80B0E80
{0C0E961A-B4A8-E590-B49C-10C120397B82}{9566349E-FF8E-9410-C6CB-2070C090DD3E}{0E6481AF-7FA5-FD00-B49A-F4E04FC96580}{C458898B-DA80-0792-5883-A0083C2FF97C}{0E6481AF-7FA5-FD00-B49A-F4E04FC96580}{F0F0207D-29DA-E5BD-E71F-A18B0AEAC092}{C458898B-DA80-0792-5883-A0083C2FF97C}{DEFE7E66-9410-2E07-ADEC-342AD321F464}
4925528556415996
628E060E0BA2AA84ADAD0B62800E060E0BA2AACEC480DF86D0AF02A8AEAC68A20CA2
7?{<+1{
7?{|8b{
7?{Rich
8104A60BA2D7A6A0A2
81A6A8D20CA2AE
84A2A18EA20B87AFA002A2D20CDF
84A2A18F02A2040687AFA002A2D20CDF
84A2A1DBA2A0A20BA2D5A206DF
84A2A1DD03A2A8D5A206D20CDF
84A2A1DE04A2AF0BA2D5A206DF
84A2A1DEA0AD0EA2D5A206
8EDDD78B81DF84D280DAA6AE04AD0EADA70B80DFAE0BA607A2638EA20B020380D6A80E0BAFA0A0A2AB63DEADAA03ADA8A2A80B0E80
A5A204A8A2A0CEC468ABA0A0
abnormal program termination
AC0B0B03C96D6D01010168A6A80EC4C3C7C368AEADAA6DA6AAAFA1A20E6DCF680B0C0B
AC0B0B03C96D6DA4A0ADA16806AFACADAD68AEADAA6D8D8F8F8387DACBD9D8C1CE8ED6D2DFD2DC8EDCD983D1D9DFC281866DAF040BA6AEA0A20E6DC1CEC4C3C3C46DAEADAAAAA2A80B840E0E
AC0B0B03C96D6DA5A1A0ACA568A1AD0BADA603C2C268AEADAA6DC4680B0C0B
ADVAPI32.dll
\AYLaunch.exe
AYLaunch.exe
 /c  del 
CloseHandle
\cmd.exe
CreateFileA
CreateProcessA
D1A20B87A2040EA6ADA8D20CDF
D6A80BA204A8A20B84A2AFABD7A6A0A2
D6A80BA204A8A20BDD03A2A88204A0DF
D6A80BA204A8A20BDD03A2A8DF
D6A80BA204A8A20BDEA0AD0EA2DCAFA8ABA0A2
D6A80BA204A8A20BDEACA2AEA5DEADA8A8A2AE0BA6ADA8DF
@.data
DC0B0B038F02A20406D6A8A7ADDF
DFDB87DF83D6CEC468ABA0A0
DOMAIN error
DSUVWh
ExitProcess
- floating point not loaded
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetACP
GetActiveWindow
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentThread
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileType
GetLastActivePopup
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetShortPathNameA
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemDirectoryA
GetSystemTime
GetTempPathA
GetVersion
GetVersionExA
__GLOBAL_HEAP_SELECTED
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
http://www.naver.com/
Identity
KERNEL32.dll
LCMapStringA
LCMapStringW
LoadLibraryA
lstrcatA
lstrcpyA
MessageBoxA
\Microsoft\Acti
Microsoft Visual C++ Runtime Library
__MSVCRT_HEAP_SELECT
MultiByteToWideChar
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
 > nul
onents
Program: 
<program name unknown>
PSh,u@
- pure virtual function call
PVh4d@
PWWWWWWVW
`.rdata
ReadFile
RegCloseKey
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\
RegDeleteValueA
RegOpenKeyExA
RegQueryValueExA
ResumeThread
RtlUnwind
runtime error 
Runtime Error!
SetFilePointer
SetHandleCount
SetPriorityClass
SetThreadPriority
[Sh8d@
SING error
Software
Software\Blizzard Entertainment\Battle.net\Identity
SOFTWARE\Microsoft\Ole
SS@SSPVSS
 -start
stubpath
SVWj@3
SVWj@Z3
TerminateProcess
Testing
!This program cannot be run in DOS mode.
<title>
TLOSS error
tPh`d@
t#SSUP
t.;t$$t(
t$$VSS
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
user32.dll
VC20XC00U
Version
ve Setup\Installed Comp
^Vh8d@
VirtualAlloc
VirtualFree
VWj@Y3
VWuBh|d@
WideCharToMultiByte
WriteFile
"WWSh4d@
Yt^j	j
Ytkhdw@
_^][YY
YYh$p@