Analysis Date: 2014-02-20 05:21:23
MD5: 05d66386dbf07b2523c5cd2b8687411f
SHA1: fb52f93ce29fc8f2fdf8723230ee69b7d08d4968

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: e349e845a3e7ba7ef3cb1375310a3d9e sha1: 08e091f8713f8650d55abb8eae3849b607604e37 size: 45056
Section .data — md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .rsrc — md5: e092614f8342a736851978dc5dbc58b8 sha1: dde04409ae0de0b7e285e8038ea4d02bd9801993 size: 8192
Timestamp (PE header compile time; attacker-controllable, treat as a hint only): 2011-09-19 14:26:02
Version info:
  InternalName: serv
  FileVersion: 1.00
  CompanyName: 微软中国 ("Microsoft China" — a resource-table vendor string is attacker-controlled and proves nothing about origin)
  ProductName: 工程1 ("Project1", the Visual Basic default project name)
  ProductVersion: 1.00
  OriginalFilename: serv.dat
Packer/compiler: Microsoft Visual Basic v5.0 (signature match; note the strings section below references MSVBVM60.DLL, VBA6.DLL and a VB98 path, which point to the VB6 runtime)
PE hash: 44876e89a9c56dfe479f5873b29fe6775b45b4fc
Import hash (imphash): 27bdb89a9c83003bea014ea2153d04ac
AV (AVG): Generic34.QCX
AV (Microsoft, msse): Trojan:Win32/ServStart.gen!B
AV (Avira): TR/Dropper.Gen

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows ➝
C:\Program Files\Windows Media Player\comine.exe\\x00   (Run-key persistence pointing at the dropped copy listed below; the value name "Windows" and the Windows Media Player directory are presumably chosen to look benign)
Creates File: C:\Program Files\Windows Media Player\comine.exe   (dropped copy; same path as the Run value above)
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFBABE.tmp
Creates Process: cmd /c ping 127.0.0.1 -n 2&del malware.exe   (ping to loopback serves as a short delay, then the original sample is deleted — the dropper removes itself after installing comine.exe)
Creates Process: C:\Program Files\Windows Media Player\comine.exe 0   (launches the dropped copy with the argument "0")

Process
↳ cmd /c ping 127.0.0.1 -n 2&del malware.exe

Creates Process: ping 127.0.0.1 -n 2

Process
↳ C:\Program Files\Windows Media Player\comine.exe 0

Registry: HKEY_CLASSES_ROOT\yali\ ➝
daohang\\x00   (custom marker key under HKCR; the strings section also references HKCR\yali\id and HKCR\yali\mac)
Creates File (named pipe): PIPE\srvsvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFEB43.tmp
Creates File (named pipe): PIPE\lsarpc

Process
↳ ping 127.0.0.1 -n 2

Winsock DNS: 127.0.0.1   (loopback lookup from the ping delay command; not an external resolution)

Network Details: (no network traffic was recorded during this run; note that the strings section below contains the URL http://www.hao12338.com/?index, the query fragments ?id= and &mac=, the IE Start Page registry path and a list of browser process names, so network or browser-hijack behavior may exist but was not triggered in the sandbox)



Strings
....
080404B0
0axaAbPbBbSbnbubPb2bWbIbxbpbQbGbUbTbXbzbZadbjbsbSaybpbgbXbybWb bubebMbbc0b bNb0bQafbsbibUabcubfb
1.00
1.vbp
\2011
333f3
abcdef0123456789
abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ 
@*\AD:\
AddItem
Arguments
Close
cmd /c ping 127.0.0.1 -n 2&del 
CompanyName
C:\Program Files
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player
C:\Program Files\Windows Media Player\comine.exe
CreateShortcut
Ctrl+Alt+e
daohang
Description
Desktop
\Device\HarddiskVolume1\
.exe
explorer.exe
f3fff
FileMessage:
FileVersion
HKCR\yali\
HKCR\yali\id
HKCR\yali\mac
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows
Hotkey
HTMLDocument
http://www.hao12338.com/?index
IconLocation
?id=
Iexplore.exe
IEXPLORE.EXE|TTRAVELER.EXE|SOGOUEXPLORER.EXE|360SE.EXE|GREENBROWSER.EXE|FIREFOX.EXE|MAXTHON.EXE|THEWORLD.EXE|OPERA.EXE|CHROME.EXE|SAFARI.EXE|NETSCAPE.EXE
InternalName
@isual Studio\VB98\C2
JanbrbbbUbSbfadbZb2bTb5b1bebBbWbeb
lanren
.lnk
&mac=
Na0bmbtbIaRaeawbPb0bXanbrbmaLbQblbpbWb6bYa5bybebVb bhbfb byaWadbtbna
NULL
open
OriginalFilename
ProductName
ProductVersion
Qabb7bqaBaJa1ataGacaKb
ReadAll
RegRead
REG_SZ
RegWrite
Save
serv
serv.dat
SpecialFolders
StringFileInfo
TargetPath
Translation
VarFileInfo
VS_VERSION_INFO
WindowStyle
WorkingDirectory
wscript.shell
WScript.Shell
"""""/
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
_allmul
bianliang
ChildName
ChildPath
ChildPID
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
CloseHandle
CreateToolhelp32Snapshot
`.data
DllFunctionCall
d:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
EnumProcesses
EnumProcessModules
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
FileMessage:Na0bmbtbIaRaeaxbBbcbUbgb5bobDaEayaxaHayaWadbtbnaFaQbgbgbTbpbUbgbmbqb|Na0bmbtbIaRaeaxbBbcbUbkb5brb bGb6bdbZbtbYada3bobYbRa6bmbYasbUbnbnbtb|1|1|1|0|1|1
GetCurrentProcessId
GetModuleFileNameExA
GetProcessImageFileNameA
}#j hhC@
jiajiemi
}#jXh\:@
kernel32
kernel32.dll
Module1
MSVBVM60.DLL
NTDLL.DLL
NtTerminateProcess
oLLLLL
OpenProcess
ozR1ML
ParentName
Process32First
Process32Next
psapi.dll
shell32.dll
ShellExecuteA
SHFileOperationA
shijian2
tervalfa
!This program cannot be run in DOS mode.
Timer1
Timer2
Timer3
tongjidaima
vb6chs.dll
VBA6.DLL
__vbaAryCopy
__vbaAryDestruct
__vbaAryVar
__vbaBoolVarNull
__vbaCastObj
__vbaChkstk
__vbaEnd
__vbaErrorOverflow
__vbaExceptHandler
__vbaExitProc
__vbaFPException
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaGenerateBoundsError
__vbaHresultCheckObj
__vbaI2I4
__vbaI4Str
__vbaI4Var
__vbaInStr
__vbaInStrVar
__vbaLateMemCall
__vbaLateMemCallLd
__vbaLbound
__vbaLenBstr
__vbaLsetFixstr
__vbaNew2
__vbaObjSet
__vbaObjSetAddref
__vbaObjVar
__vbaOnError
__vbaR8IntI4
__vbaR8Str
__vbaRecAnsiToUni
__vbaRecDestruct
__vbaRecDestructAnsi
__vbaRecUniToAnsi
__vbaRedim
__vbaRedimPreserve
__vbaSetSystemError
__vbaStrCat
__vbaStrCmp
__vbaStrCopy
__vbaStrFixstr
__vbaStrI2
__vbaStrMove
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrVarMove
__vbaStrVarVal
__vbaUbound
__vbaUI1I2
__vbaUI1I4
__vbaVarAdd
__vbaVarAnd
__vbaVarCat
__vbaVarCmpEq
__vbaVarCmpGt
__vbaVarCopy
__vbaVarDup
__vbaVarForInit
__vbaVarForNext
__vbaVarLateMemCallLd
__vbaVarLateMemSt
__vbaVarMove
__vbaVarSetObj
__vbaVarSetVar
__vbaVarTstEq
__vbaVarTstGt
wr""/p
wwwwwwww
wwwwwwwxp
wxr""/p
^zz111
^zz1111
^zz1111M
^zz1111MM
zz1111MMM