Analysis Date: 2013-08-18 01:39:38
MD5: 3f34de2ae128f4678a9e35e7a70e40f3
SHA1: fbf4aeb60c960e631a48f45fb74e488a4d9e49c6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 754933b528fb5016b9f52e1d98903ebc sha1: b07814f0066949de703a935228586367530bf998 size: 2048
Section .rdata md5: 27a43ca983af7dc06912d92d0eaba22a sha1: 6cce56bf83615003345bcf3f5ca2cbe61eb04721 size: 4096
Section .data md5: 77e116bcf22b7d46631903a51d8094f5 sha1: 234511e22171c427b567773f4e48e17454b48078 size: 512
Section .rsrc md5: a97d731d8d1989f3e92ba39635f491f4 sha1: 5a1017ecf43595100a00c52ee76a0e5dc15afd47 size: 86016
Section uldguzw md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (non-standard section name with zero raw size; the md5 and sha1 shown are the digests of empty input, so the section carries no file data)
Timestamp: 1999-04-27 11:46:16 (PE header compile time; it predates the 2011 copyright year in the version resource below)
Version:
LegalCopyright: Copyright (C) 2011
InternalName: Firework
FileVersion: 1, 0, 0, 1
ProductName: Firework
ProductVersion: 1, 0, 0, 1
FileDescription: Katy Pery
OriginalFilename: Firework.mp3 (an .mp3 file name in the version resource of a PE executable; the sample presents itself as a music file)
Packer: Borland Delphi 3.0 (???)
PEhash: c62ad2a9b62d7ed534515c7add000019594c8e16
AV: clamav: Trojan.Sirefef-6 (Sirefef is the ZeroAccess family)
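The static fields above can be checked mechanically rather than by eye. The Python below is an added example, not part of the sandbox output: it takes the section table, timestamp and version strings exactly as listed in this report and applies four triage rules (a section name outside the usual toolchain set, a zero-size section whose digests equal those of empty input, a compile timestamp that predates the copyright year, and a non-executable OriginalFilename on a PE). The rule set and the list of "standard" section names are the author's assumptions, not something the report states.

```python
"""Static triage checks over the PE metadata listed in the report above.

Added example, not part of the sandbox output. The section table, timestamp
and version-resource values are copied from the report; the rules themselves
(standard-section-name list, empty-digest check, timestamp vs. copyright year,
executable-extension check) are the author's assumptions about what to flag.
"""
import hashlib
import re
from datetime import datetime

# Section table as printed in Static Details: (name, md5, sha1, raw size).
SECTIONS = [
    (".text",   "754933b528fb5016b9f52e1d98903ebc", "b07814f0066949de703a935228586367530bf998", 2048),
    (".rdata",  "27a43ca983af7dc06912d92d0eaba22a", "6cce56bf83615003345bcf3f5ca2cbe61eb04721", 4096),
    (".data",   "77e116bcf22b7d46631903a51d8094f5", "234511e22171c427b567773f4e48e17454b48078", 512),
    (".rsrc",   "a97d731d8d1989f3e92ba39635f491f4", "5a1017ecf43595100a00c52ee76a0e5dc15afd47", 86016),
    ("uldguzw", "d41d8cd98f00b204e9800998ecf8427e", "da39a3ee5e6b4b0d3255bfef95601890afd80709", 0),
]
TIMESTAMP = "1999-04-27 11:46:16"
VERSION_INFO = {
    "LegalCopyright": "Copyright (C) 2011",
    "InternalName": "Firework",
    "FileDescription": "Katy Pery",
    "OriginalFilename": "Firework.mp3",
}

# Section names emitted by common Microsoft/Borland toolchains (assumption: anything else is unusual).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
                     ".bss", ".tls", "CODE", "DATA", "BSS"}
# Computed, not hard-coded, so the comparison does not depend on remembering the constants.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}


def check_sections(sections):
    """Return (section name, reason) findings for sections that look odd."""
    findings = []
    for name, md5, sha1, size in sections:
        if name not in STANDARD_SECTIONS:
            findings.append((name, "non-standard section name"))
        if size == 0:
            findings.append((name, "zero raw size"))
        if md5 == EMPTY_MD5 and sha1 == EMPTY_SHA1:
            findings.append((name, "digests are those of empty input"))
    return findings


def check_timestamp(timestamp, version_info):
    """True when the PE compile timestamp predates the copyright year in the version resource."""
    compiled = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S")
    year = re.search(r"(19|20)\d{2}", version_info.get("LegalCopyright", ""))
    if not year:
        return None  # nothing to compare against
    return compiled.year < int(year.group(0))


def check_original_filename(version_info):
    """(flag, extension): flag is True when OriginalFilename does not carry an executable extension."""
    original = version_info.get("OriginalFilename", "")
    ext = original[original.rfind("."):].lower() if "." in original else ""
    return ext not in EXECUTABLE_EXTS, ext


if __name__ == "__main__":
    for name, reason in check_sections(SECTIONS):
        print(f"section {name!r}: {reason}")
    if check_timestamp(TIMESTAMP, VERSION_INFO):
        print("compile timestamp predates the version-resource copyright year")
    masquerade, ext = check_original_filename(VERSION_INFO)
    if masquerade:
        print(f"OriginalFilename has non-executable extension {ext!r}")
```

Run against this report the three section findings all land on uldguzw, the timestamp check fires, and OriginalFilename is flagged for its .mp3 extension; the four standard sections produce nothing.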

Runtime Details:

Process
↳ C:\malware.exe

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Old WorkAreas\NoOfOldWorkAreas ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\ProgramsCache ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\NetCache\AdminPinStartTime ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing ➝ NULL
Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\Services ➝ 31
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify\PastIconsStream ➝ NULL
Creates File: \Device\Afd\Endpoint (a Winsock socket handle)
Creates Process: C:\WINDOWS\system32\rundll32.exe fldrclnr.dll,Wizard_RunDLL (the Windows XP Desktop Cleanup Wizard)
Creates Mutex: Shell.CMruPidlList

Process
↳ C:\WINDOWS\system32\rundll32.exe fldrclnr.dll,Wizard_RunDLL

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz\Last used time ➝ NULL
Creates File: PIPE\srvsvc (named pipe)
Creates File: PIPE\wkssvc (named pipe)
Creates File: PIPE\lsarpc (named pipe)
Creates Mutex: DesktopCleanupMutex

Network Details:

HTTP GET: http://85.17.226.180:8083/ask?a=0&u=131075&m=fd09776b&h=fd09776b (HTTP to a raw IP on non-standard port 8083; the m and h parameters carry the same value)
Host: 85.17.226.180
User-Agent: Opera/9.29 (Windows NT 5.1; U; LangID=409; x86)
Connection: close
Flows TCP: 192.168.1.1:1031 ➝ 85.17.226.180:8083

Raw Pcap
0x00000000 (00000)   47455420 2f61736b 3f613d30 26753d31   GET /ask?a=0&u=1
0x00000010 (00016)   33313037 35266d3d 66643039 37373662   31075&m=fd09776b
0x00000020 (00032)   26683d66 64303937 37366220 48545450   &h=fd09776b HTTP
0x00000030 (00048)   2f312e31 0d0a486f 73743a20 38352e31   /1.1..Host: 85.1
0x00000040 (00064)   372e3232 362e3138 300d0a55 7365722d   7.226.180..User-
0x00000050 (00080)   4167656e 743a204f 70657261 2f392e32   Agent: Opera/9.2
0x00000060 (00096)   39202857 696e646f 7773204e 5420352e   9 (Windows NT 5.
0x00000070 (00112)   313b2055 3b204c61 6e674944 3d343039   1; U; LangID=409
0x00000080 (00128)   3b207838 36290d0a 436f6e6e 65637469   ; x86)..Connecti
0x00000090 (00144)   6f6e3a20 636c6f73 650d0a0d 0a         on: close....
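The hex dump above is enough to reconstruct the complete request, including the Host and Connection headers that a summary line can omit. The Python below is an added example, not part of the report: it decodes the Raw Pcap lines (copied verbatim) back into bytes, checks that the offset columns agree with the byte count, parses the HTTP request and pulls out the indicators. The matches_beacon() heuristic (path /ask with exactly the a, u, m, h parameters and this Opera/9.29 User-Agent prefix) is the author's assumption for illustration, not a published signature; the destination port 8083 is taken from the flow record rather than from the HTTP layer, so it is passed in separately.

```python
"""Decode the sandbox hex dump back into the raw HTTP request and extract indicators.

Added example, not part of the report. HEXDUMP is copied verbatim from the
Raw Pcap section; the parsing code and the beacon heuristic are the author's.
"""
import re
from urllib.parse import parse_qs, urlsplit

HEXDUMP = """\
0x00000000 (00000)   47455420 2f61736b 3f613d30 26753d31   GET /ask?a=0&u=1
0x00000010 (00016)   33313037 35266d3d 66643039 37373662   31075&m=fd09776b
0x00000020 (00032)   26683d66 64303937 37366220 48545450   &h=fd09776b HTTP
0x00000030 (00048)   2f312e31 0d0a486f 73743a20 38352e31   /1.1..Host: 85.1
0x00000040 (00064)   372e3232 362e3138 300d0a55 7365722d   7.226.180..User-
0x00000050 (00080)   4167656e 743a204f 70657261 2f392e32   Agent: Opera/9.2
0x00000060 (00096)   39202857 696e646f 7773204e 5420352e   9 (Windows NT 5.
0x00000070 (00112)   313b2055 3b204c61 6e674944 3d343039   1; U; LangID=409
0x00000080 (00128)   3b207838 36290d0a 436f6e6e 65637469   ; x86)..Connecti
0x00000090 (00144)   6f6e3a20 636c6f73 650d0a0d 0a         on: close....
"""

# hex offset, decimal offset, then 1-4 groups of up to 4 bytes each; the ASCII
# column is separated from the hex by at least two spaces, so it is never captured.
LINE_RE = re.compile(
    r"^0x([0-9a-fA-F]{8}) \((\d+)\)\s+((?:[0-9a-fA-F]{2}){1,4}(?: (?:[0-9a-fA-F]{2}){1,4})*)"
)


def hexdump_to_bytes(dump):
    """Rebuild the byte stream, refusing dumps whose offsets do not line up."""
    out = bytearray()
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised dump line: {line!r}")
        offset_hex, offset_dec, groups = m.groups()
        if int(offset_hex, 16) != int(offset_dec) or int(offset_dec) != len(out):
            raise ValueError(f"offset mismatch at {line!r}")
        out += bytes.fromhex(groups.replace(" ", ""))
    return bytes(out)


def parse_http_request(raw):
    """Split request line, headers (lower-cased names) and body; query parameters become a dict."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = {k: v[0] if len(v) == 1 else v for k, v in parse_qs(url.query).items()}
    return {"method": method, "path": url.path, "params": params,
            "version": version, "headers": headers, "body": body}


def extract_iocs(req, dst_port):
    """Indicators worth recording; dst_port comes from the flow record, not the HTTP layer."""
    return {
        "host": req["headers"].get("host"),
        "port": dst_port,
        "path": req["path"],
        "user_agent": req["headers"].get("user-agent"),
        "params": req["params"],
    }


def matches_beacon(req):
    """Heuristic (assumption, not a published signature): GET /ask with exactly a,u,m,h and this UA prefix."""
    ua = req["headers"].get("user-agent", "")
    return (
        req["method"] == "GET"
        and req["path"] == "/ask"
        and set(req["params"]) == {"a", "u", "m", "h"}
        and ua.startswith("Opera/9.29 (Windows NT 5.1; U; LangID=")
    )


if __name__ == "__main__":
    request = parse_http_request(hexdump_to_bytes(HEXDUMP))
    print(extract_iocs(request, 8083))
    print("beacon match:", matches_beacon(request))
```

The offset check matters when dumps are copied out of a web page by hand: a dropped or duplicated line shows up as a mismatch instead of silently producing a shifted request.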


Strings