Analysis Date: 2013-10-28 03:56:44
MD5: 45451dc93ee29baf89143b9663b5a4c4
SHA1: fb0af0b4c2c4057cd24b253b5507171041a4bc68

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .nsp0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (empty-input digests, consistent with size 0)
Section .nsp1 md5: 8211b3f9901db9770cc5bf0c31bba324 sha1: e91ed706af1594aa012de389bee6c6dd3ec27628 size: 36199
Section .nsp2 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (empty-input digests, consistent with size 0)
Timestamp: 2008-08-20 07:07:25
Version:
  LegalCopyright: (C) Microsoft Corporation. All rights reserved.
  InternalName: explorer
  FileVersion: 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)
  CompanyName: Microsoft Corporation
  ProductName: Microsoft(R) Windows(R) Operating System
  ProductVersion: 6.00.2900.3156
  FileDescription: Windows Explorer
  OriginalFilename: 湁慈彯䥖彐䅃坈 .EXE (single-byte ASCII rendered as UTF-16LE; re-read byte-wise it is "AnHao_VIP_CAHW .EXE", matching the AnHao_VIP_CAHW string in the Strings list below. The version block otherwise imitates Windows Explorer.)
Packer: NsPack v3.7 -> North Star (h)
PEhash: 9886335a912406160c1bf31b7153af197affd25b
AV avira: TR/Dldr.Losab.aea.1
AV avg: Rootkit-Agent.Y
AV msse: VirTool:WinNT/Rootkitdrv.gen!FR
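As an added example (not part of the sandbox report, and not the sandbox's own logic), the following Python triage script runs three checks a practitioner would apply to the static details above: it re-reads the CJK-rendered OriginalFilename as the ASCII bytes it originally was, confirms that the .nsp0/.nsp2 digests are the MD5/SHA1 of zero-length input and therefore consistent with size 0, and flags the mismatch between version info claiming Microsoft's explorer and an NsPack-packed file. The report lines in STATIC_DETAILS are constructed inline from this page; the heuristics and their thresholds are assumptions of this example.

```python
"""Triage checks over the static-details block of a sandbox report.

Added example; the report text below is constructed from this page and the
check logic is a generic heuristic, not the sandbox's own.
"""
import hashlib
import re

# Constructed from the Static Details block of this report.
STATIC_DETAILS = """\
Section .nsp0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .nsp1 md5: 8211b3f9901db9770cc5bf0c31bba324 sha1: e91ed706af1594aa012de389bee6c6dd3ec27628 size: 36199
Section .nsp2 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
CompanyName: Microsoft Corporation
InternalName: explorer
OriginalFilename: 湁慈彯䥖彐䅃坈 .EXE
Packer: NsPack v3.7 -> North Star (h)
"""

SECTION_RE = re.compile(
    r"^Section\s*(?P<name>\.\w+)\s+md5:\s*(?P<md5>[0-9a-f]{32})"
    r"\s+sha1:\s*(?P<sha1>[0-9a-f]{40})\s+size:\s*(?P<size>\d+)",
    re.M,
)
FIELD_RE = re.compile(
    r"^(?P<key>CompanyName|InternalName|OriginalFilename|Packer):\s*(?P<val>.*)$", re.M
)

# Digests of zero-length input; a section reporting these must also have size 0.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()    # d41d8cd98f00b204e9800998ecf8427e
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()  # da39a3ee5e6b4b0d3255bfef95601890afd80709


def parse_sections(text):
    """Section rows as dicts with int sizes."""
    return [
        {"name": m["name"], "md5": m["md5"], "sha1": m["sha1"], "size": int(m["size"])}
        for m in SECTION_RE.finditer(text)
    ]


def parse_fields(text):
    """The version-info fields and packer line as a dict."""
    return {m["key"]: m["val"].strip() for m in FIELD_RE.finditer(text)}


def recover_mojibake(s):
    """Undo a common report artefact: single-byte ASCII that was read two bytes
    at a time as UTF-16LE code units and rendered as CJK. Re-encoding each
    non-ASCII character as UTF-16LE gives back the two original bytes; only
    printable pairs are converted, everything else is kept unchanged."""
    out = []
    for ch in s:
        if ord(ch) > 0x7F:
            pair = ch.encode("utf-16-le", "surrogatepass")
            if len(pair) == 2 and all(0x20 <= b < 0x7F for b in pair):
                out.append(pair.decode("ascii"))
                continue
        out.append(ch)
    return "".join(out)


def empty_sections(sections):
    """Names of sections that are genuinely empty (size 0 and empty-input MD5)."""
    return [s["name"] for s in sections if s["size"] == 0 and s["md5"] == EMPTY_MD5]


def inconsistent_sections(sections):
    """Sections whose reported size and digests disagree: empty-input digests with
    a non-zero size, or size 0 with some other digest."""
    bad = []
    for s in sections:
        has_empty_digests = s["md5"] == EMPTY_MD5 and s["sha1"] == EMPTY_SHA1
        if has_empty_digests != (s["size"] == 0):
            bad.append(s["name"])
    return bad


def triage(text):
    """Apply the checks and return the recovered filename plus a list of flags."""
    sections = parse_sections(text)
    fields = parse_fields(text)
    flags = []
    empties = empty_sections(sections)
    if empties:
        flags.append("empty sections (typical of packer stubs): " + ", ".join(empties))
    bad = inconsistent_sections(sections)
    if bad:
        flags.append("section size/hash mismatch: " + ", ".join(bad))
    orig = recover_mojibake(fields.get("OriginalFilename", ""))
    internal = fields.get("InternalName", "")
    # Heuristic (assumption): a genuine build's OriginalFilename starts with its InternalName.
    if orig and internal and not orig.lower().startswith(internal.lower()):
        flags.append(f"OriginalFilename {orig!r} does not match InternalName {internal!r}")
    # Heuristic (assumption): Microsoft does not ship NsPack-packed binaries.
    if "Microsoft" in fields.get("CompanyName", "") and fields.get("Packer"):
        flags.append("version info claims Microsoft but file is packed: " + fields["Packer"])
    return {"original_filename": orig, "flags": flags}


if __name__ == "__main__":
    for line in triage(STATIC_DETAILS)["flags"]:
        print(line)
```

The mojibake decoder is deliberately conservative: it only converts a character when both bytes of its UTF-16LE encoding are printable ASCII, so legitimate non-ASCII text in a version block is passed through untouched rather than turned into garbage.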

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2 (2 = do not show hidden files and folders in Explorer)
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue ➝ NULL (the value Explorer writes for "Show hidden files"; tampering with it alongside Hidden=2 is a common way to keep dropped files out of sight)
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32StopAor.exe (path as recorded; a separator between system32 and StopAor.exe may have been lost)
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: Open http://baidu.bbtu001.com/htm/w28.htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Love Av Av Av Av Av
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: baidu.bbtu001.com

Process
↳ Open http://baidu.bbtu001.com/htm/w28.htm

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Network Details:

DNS: baidu.bbtu001.com (Type: A)

Strings
080404B0
6.00.2900.3156
6.00.2900.3156 (xpsp_sp2_gdr.070613-1234)
(C) Microsoft Corporation. All rights reserved.
CompanyName
 .EXE
explorer
FileDescription
FileVersion
InternalName
LegalCopyright
Microsoft Corporation
Microsoft(R) Windows(R) Operating System
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
Windows Explorer
0#v3J5
22V,(9
2vG)ek
3cBZE<|
4i"*7	
5/[&Lo
/=6h]R
6v4w1V
7*VWF!
@@9A	@J
ADVAPI32.DLL
AnHao_VIP_CAHW 
Av<#7Zhn
b9|?P+
]B%U8%
Dl<'0|(
e^`V|~
ExitProcess
e"Z@V%
(faZ:t
\f ;;k
fruGkHe
?^fruo
&ga)oJ
	g#C#HF
Ged 	ZT
GetKeyboardType
GetProcAddress
H4O1"Q
hcsbKw
HD0]v7
Hnku7\}
<hp}nr
Ih[TA$
isYRFi
%K%8"gtQ
KERNEL32.DLL
l=Fg}`
LoadLibraryA
NeP<h0?
nfZ\t2D
nz[p%~J
o5\q>o
OC[-eUR%RA2)]
OLEAUT32.DLL
\oSlD:
PL+<pA
	%Q2oF
(QNP3	2a
r+[<9.
RegQueryValueExA
RegSetValueExA
[s<d|'v
SetTimer
SF8+lu
(sG;Qp
sNbUdD
|SS_gD^P
StartServiceA
SysFreeString
t<'{#}=
T3;(uY
Tg`zAk
This program must be run under Win32
TlsSetValue
U,.-.._
#UQLpO
u^Rw?h
USER32.DLL
VirtualAlloc
VirtualFree
VirtualProtect
V_Z'=F
WriteFile
W+Ugjy
)WW6X7$M
xF$?U#i
X&"`:I
y.T uQ
Z+9XXn.*