Analysis Date: 2014-02-18 10:49:26
MD5: 21d475168ca41f2d825c920cd44de691
SHA1: fbe40d3d7d3e5747a4981333eb9f37443bec7f84

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: d55ae2febbe512f5a77fd87f7b9a44f5 sha1: 0453f138da57413b64fd522ea81e948355d40974 size: 8704
Section .data md5: 3ce9da31bc66fab42922fb2ef1e3f1f5 sha1: 883f6eebba0ff6f29dfa2e37177feba680d88f4d size: 46080
Section .bss md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata md5: 2dcf3a989c6f1e2503314415c051f1d1 sha1: c8b995e06643701ca3eb58e939a053b41474de06 size: 1536
Section .CRT md5: 7f0339e938b32353c88742492c76db56 sha1: f300ba0d94350a1df7a203f4f1d3dab616c78c16 size: 512
Section .tls md5: 2466d3c49a5973ab5d4427a290a31b8b sha1: 9a98adb3118065376e43e82b6a32080aee6117aa size: 512
Section .rsrc md5: feae86d27058593100b56359742b8ad6 sha1: 9b91575024b704666196467e57d90223b7174715 size: 9216
Timestamp: 2014-02-11 10:43:25
PEhash: b8beb8bf8e3e2a3e9bb3c09d86034a6e953cd424
IMPhash: df668ba407536aa7370243c71ce308c3
AV (avg): Adware Generic_s.AD

Runtime Details:

Screenshot

Process:
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: forces.downloads-express.ru

Network Details:

DNS: forces.downloads-express.ru
Type: A
194.29.185.208
HTTP GET: http://forces.downloads-express.ru/get_xml?file_id=47303547&did=527640752&hsig=4583e6db3240e71b13f6651d1ce430cb70b6f63ab10acf833bddb412d43058de
User-Agent: tiny-dl/nix
Flows TCP: 192.168.1.1:1031 ➝ 194.29.185.208:80

Raw Pcap
0x00000000 (00000)   47455420 2f676574 5f786d6c 3f66696c   GET /get_xml?fil
0x00000010 (00016)   655f6964 3d343733 30333534 37266469   e_id=47303547&di
0x00000020 (00032)   643d3532 37363430 37353226 68736967   d=527640752&hsig
0x00000030 (00048)   3d343538 33653664 62333234 30653731   =4583e6db3240e71
0x00000040 (00064)   62313366 36363531 64316365 34333063   b13f6651d1ce430c
0x00000050 (00080)   62373062 36663633 61623130 61636638   b70b6f63ab10acf8
0x00000060 (00096)   33336264 64623431 32643433 30353864   33bddb412d43058d
0x00000070 (00112)   65204854 54502f31 2e310d0a 41636365   e HTTP/1.1..Acce
0x00000080 (00128)   70743a20 2a2f2a0d 0a557365 722d4167   pt: */*..User-Ag
0x00000090 (00144)   656e743a 2074696e 792d646c 2f6e6978   ent: tiny-dl/nix
0x000000a0 (00160)   0d0a486f 73743a20 666f7263 65732e64   ..Host: forces.d
0x000000b0 (00176)   6f776e6c 6f616473 2d657870 72657373   ownloads-express
0x000000c0 (00192)   2e72750d 0a0d0a                       .ru....


Strings
Fh
..

061117000000Z
100208000000Z
121018000000Z
121221000000Z
140114000000Z
140211104325Z0
140211104325Z0#
160314235959Z0[1
200207235959Z0J1
20,]0j
201229235959Z0b1
201230235959Z0^1
2Z[KV~ 
360716235959Z0
3a,hx";P #
527640752
555n'B+	
5C=5Zv
7WRvsA
'/!:8H B
(_ahs2
(APyS,
</assembly>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
/[,!aT
atexit
B4=oFNM
BAEFECBA
Bq2f!A
/(c) 2006 thawte, Inc. - For authorized use only1
calloc
Certification Services Division1806
_cexit
~cqtVx
Cx6^tE
c];*Xwp
@CzS,a
d2(SR2
D7m"l|
DeleteCriticalSection
</dependency>
<dependency>
</dependentAssembly>
<dependentAssembly>
D]L@CG
Durbanville1
>Egu|\
EnterCriticalSection
ExitProcess
;FPy(D
FreeLibrary
fwrite
G|2ZvB*o"
GetCommandLineA
GetLastError
__getmainargs
GetModuleHandleA
GetProcAddress
GetProcessHeap
GetStartupInfoA
 Gi`{J
G$x9-@s
HeapAlloc
HeapFree
HqBiW6
#http://crl.thawte.com/ThawtePCA.crl0
.http://crl.thawte.com/ThawteTimestampingCA.crl0
*http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
http://ocsp.thawte.com0
+http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
+http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
http://ts-ocsp.ws.symantec.com07
?,$i_0
.idata
igW\bs
InitializeCriticalSection
IsBadReadPtr
	J#f0Y
_Jv_RegisterClasses
KERNEL32.dll
k~iW9$
KQJ)$j
KX0aY<
LeaveCriticalSection
l[HhIY7
libgcj_s.dll
LLC Mail.Ru0
LLC Mail.Ru1
LoadLibraryA
malloc
memcpy
memmove
memset
mingwm10.dll
Mingw runtime failure:
__mingwthr_key_dtor
__mingwthr_remove_key_dtor
"mL#Lg
Moscow1
msvcrt.dll
N<7^"[
\%oC?M
_onexit
oU!Qwi
}!p4D[
P`.data
__p__environ
__p__fmode
{{.pzcDd>
Q7&dw|
qRN@ic
qUF9JiK
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
<requestedPrivileges>
rjC@Py
r-+&on~
</security>
<security>
__set_app_type
_setmode
SetUnhandledExceptionFilter
signal
sJJ.yi
SkZ2{*V
sPg(88
strcmp
Symantec Corporation100.
Symantec Corporation1402
'Symantec Time Stamping Services CA - G2
'Symantec Time Stamping Services CA - G20
+Symantec Time Stamping Services Signer - G40
Thawte1
Thawte Certification1
Thawte Code Signing CA - G2
Thawte Code Signing CA - G20
thawte, Inc.1(0&
Thawte, Inc.1$0"
thawte Primary Root CA0
Thawte Timestamping CA0
!This program cannot be run in DOS mode.
TimeStamp-2048-10
TimeStamp-2048-20
TlsGetValue
.tn<Cy
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
&t^uc:
}>U0vj
  Unknown pseudo relocation bit size %d.
  Unknown pseudo relocation protocol version %d.
>|V}{"
VeriSignMPKI-2-100
vfprintf
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
  VirtualQuery failed for %d bytes at address %p
v}oaxQ
\w62Q`
+w}6dO
Western Cape1
_winmajor
'wjbhqI
wL3,<3Nms
WL`#HK/
 Wpk?3
=WsKHg
#x|7\_3
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
x;NJH-l_
 Y*Acn
yKwOL\m6
ym]Iak0
;+Zu8hT