Tags: None

Analysis

Category Started Completed Duration
FILE 2013-12-28 21:27:45 2013-12-28 21:30:05 140 seconds

File Details

File Name moscow_times_JS.exe
File Size 217600 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 14c9ef92b1107e45779fe651825479cc
SHA1 bbbd85fe662f2ff93b60fca58346825df6173a47
SHA256 158dcf005a3b68acdc745b72992aae4d50718a6f27b464bf7286bf38e350ddd6
SHA512 7b6932790819bf08814aef2ca9617751938ccfc3174ad2675992f417b1ae4afb9dccbd9231561062150c54b989b550fda47a474810ae904c5052221d6eec39c0
CRC32 D520A808
Ssdeep 3072:xIaps8JOCNtU+QS4tQK6lmrCwTiVTfTnZoOQMPF6SW3IT7zzm3GAjuc3hzst:xnWWNtU+e2lsTiCMPzzmR3ha
Yara
  • shellcode - Matched shellcode byte patterns

Signatures

File has been identified by at least one AntiVirus on VirusTotal as malicious
Creates an Alternate Data Stream (ADS)
file: C:\Documents and Settings\User\Application Data\IDNMitigationAPIs\IDNMitigationAPIs.pif:Zone.Identifier

Screenshots


Hosts

No hosts contacted.

Domains

No domains contacted.


Summary

C:\WINDOWS\explorer.exe
C:\
C:\WINDOWS\system32\ntdll.dll
C:\Documents and Settings\User\Application Data\IDNMitigationAPIs
C:\DOCUME~1\User\LOCALS~1\Temp\moscow_times_JS.exe
C:\Documents and Settings\User\Application Data\IDNMitigationAPIs\IDNMitigationAPIs.pif
C:\Documents and Settings\User\Application Data\IDNMitigationAPIs\IDNMitigationAPIs.pif:Zone.Identifier
C:\Documents and Settings
C:\Documents and Settings\User\Application Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
MSCTF.Shared.MUTEX.70144646
CTF.Compart.MutexDefault.70144646
CTF.Layouts.MutexDefault.70144646

Version Infos

Translation 0x0409 0x04b0
LegalCopyright Elerium (c) 2012
InternalName KTR2012V4
FileVersion 4.00.0003
CompanyName Elerium (c) 2012
LegalTrademarks Elerium (c) 2012
Comments Kaspersky Trial Reset 2012
ProductName Kaspersky Trial Reset 2012
ProductVersion 4.00.0003
FileDescription Kaspersky Trial Reset 2012
OriginalFilename KTR2012V4.exe

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x0000cbd9 0x0000cc00 6.25945868434
.rdata 0x0000e000 0x00002cd0 0x00002e00 5.01723429289
.data 0x00011000 0x00003e0c 0x00001000 2.19262057694
.rsrc 0x00015000 0x0002437c 0x00024400 5.57525117695

Imports

Library USER32.dll:
0x40e1ac FindWindowW
0x40e1b0 MapWindowPoints
0x40e1b4 EnumPropsW
0x40e1b8 CreateWindowExW
0x40e1bc SetCaretPos
0x40e1c0 WindowFromDC
0x40e1c4 DrawStateA
0x40e1c8 GetKeyboardLayout
0x40e1cc GetClassInfoW
0x40e1d0 FindWindowExW
0x40e1d4 SendNotifyMessageA
0x40e1d8 GetGUIThreadInfo
0x40e1dc InflateRect
Library urlmon.dll:
0x40e230 CopyBindInfo
Library SHELL32.dll:
0x40e194 DragQueryFileW
0x40e198 FindExecutableA
0x40e19c ShellAboutA
0x40e1a0 ShellExecuteExA
0x40e1a4 ShellExecuteA
Library ole32.dll:
0x40e200 CoRegisterMallocSpy
0x40e208 CoFreeAllLibraries
0x40e20c GetConvertStg
0x40e210 OleLoad
0x40e218 CreateDataCache
Library WININET.dll:
0x40e1e8 FtpRemoveDirectoryA
0x40e1ec GopherOpenFileA
0x40e1f4 InternetHangUp
Library GDI32.dll:
0x40e000 CancelDC
0x40e004 CheckColorsInGamut
0x40e008 AnimatePalette
0x40e00c BeginPath
0x40e010 ColorCorrectPalette
Library OPENGL32.dll:
0x40e16c wglShareLists
0x40e170 glTexCoord4i
0x40e174 glLoadName
0x40e178 glRotated
0x40e17c glScissor
0x40e180 glRasterPos2iv
0x40e184 glColor3ubv
0x40e188 glLoadIdentity
Library MPR.dll:
0x40e154 WNetGetLastErrorA
0x40e158 WNetEnumResourceA
0x40e15c WNetGetConnectionA
Library KERNEL32.dll:
0x40e01c SetStdHandle
0x40e020 HeapSize
0x40e028 SetFilePointer
0x40e02c GetStringTypeW
0x40e030 LCMapStringW
0x40e034 FlushFileBuffers
0x40e038 GetConsoleCP
0x40e03c HeapReAlloc
0x40e040 HeapAlloc
0x40e044 ReadFile
0x40e048 MultiByteToWideChar
0x40e04c LoadLibraryW
0x40e050 WriteConsoleW
0x40e054 IsValidCodePage
0x40e058 GetOEMCP
0x40e05c GetACP
0x40e060 GetCPInfo
0x40e064 HeapFree
0x40e06c GetCurrentProcessId
0x40e070 GetTickCount
0x40e078 HeapCreate
0x40e080 SetLastError
0x40e088 TlsFree
0x40e08c CreateFileW
0x40e090 RtlUnwind
0x40e094 OpenMutexW
0x40e098 TlsSetValue
0x40e09c TlsGetValue
0x40e0a0 TlsAlloc
0x40e0a8 GetFileType
0x40e0b0 SetHandleCount
0x40e0b8 WideCharToMultiByte
0x40e0c0 GetModuleFileNameA
0x40e0c4 GetModuleFileNameW
0x40e0c8 GetStdHandle
0x40e0cc WriteFile
0x40e0d0 ExitProcess
0x40e0d4 GetModuleHandleW
0x40e0d8 CloseHandle
0x40e0e0 CreateThread
0x40e0e4 CreateSemaphoreA
0x40e0e8 WaitForSingleObject
0x40e0ec SetWaitableTimer
0x40e0f4 GetLastError
0x40e0f8 ReleaseSemaphore
0x40e0fc Sleep
0x40e100 GetCurrentThreadId
0x40e104 FindClose
0x40e108 GetCurrentProcess
0x40e10c GlobalReAlloc
0x40e110 GetCommModemStatus
0x40e118 GetConsoleMode
0x40e11c GetCommandLineA
0x40e120 HeapSetInformation
0x40e124 GetStartupInfoW
0x40e130 DecodePointer
0x40e13c IsDebuggerPresent
0x40e140 EncodePointer
0x40e144 TerminateProcess
0x40e148 GetProcAddress

!This program cannot be run in DOS mode.
XRichN
`.rdata
@.data
HHt$HHt
?If90t
uTVWhJ
^SSSSS
j@j ^V
URPQQh
t"SS9] u
;t$,v-
UQPXY]Y[
PPPPPPPP
PPPPPPPP
your ability to control compilation/linking (%d)
knowledge of the IDE's dialogs
don't statically link (%d)
just link against user32.lib
Program to test the various Win32 %d
%8d %8d %8d
38 div 5 => %d, remainder %d.
Thread %d: wait succeeded
ReleaseSemaphore error: %d
Thread %d: wait timed out
(null)
`h````
xpxxxx
CorExitProcess
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
`h`hhh
xppwpp
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
WindowFromDC
GetGUIThreadInfo
SendNotifyMessageA
InflateRect
FindWindowExW
GetClassInfoW
GetKeyboardLayout
DrawStateA
FindWindowW
MapWindowPoints
EnumPropsW
CreateWindowExW
SetCaretPos
USER32.dll
CopyBindInfo
CreateAsyncBindCtxEx
GetSoftwareUpdateInfo
HlinkSimpleNavigateToString
urlmon.dll
ShellExecuteA
ShellExecuteExA
FindExecutableA
ExtractAssociatedIconA
DragQueryFileW
ShellAboutA
SHELL32.dll
CreateDataCache
OleQueryLinkFromData
OleCreateMenuDescriptor
OleLoad
CoRegisterMallocSpy
StgGetIFillLockBytesOnFile
CoFreeAllLibraries
GetConvertStg
ole32.dll
FtpRemoveDirectoryA
RetrieveUrlCacheEntryStreamW
InternetFindNextFileW
InternetHangUp
InternetCanonicalizeUrlA
GopherOpenFileA
WININET.dll
ColorCorrectPalette
BeginPath
AnimatePalette
CheckColorsInGamut
CancelDC
CreateBitmapIndirect
GDI32.dll
glLoadIdentity
glColor3ubv
glRasterPos2iv
glScissor
glRotated
glLoadName
glTexCoord4i
wglShareLists
OPENGL32.dll
WNetCancelConnection2W
WNetGetResourceParentA
WNetGetConnectionA
WNetEnumResourceA
WNetGetLastErrorA
WNetGetNetworkInformationA
MPR.dll
CloseHandle
WaitForMultipleObjects
CreateThread
CreateSemaphoreA
WaitForSingleObject
SetWaitableTimer
CreateWaitableTimerA
GetLastError
ReleaseSemaphore
GetCurrentThreadId
OpenMutexW
FindClose
GetCurrentProcess
GlobalReAlloc
GetCommModemStatus
EnumLanguageGroupLocalesA
GetConsoleMode
GetCommandLineA
HeapSetInformation
GetStartupInfoW
EnterCriticalSection
LeaveCriticalSection
DecodePointer
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
EncodePointer
TerminateProcess
GetProcAddress
GetModuleHandleW
ExitProcess
WriteFile
GetStdHandle
GetModuleFileNameW
GetModuleFileNameA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetFileType
DeleteCriticalSection
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
InterlockedDecrement
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
HeapFree
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
RtlUnwind
LoadLibraryW
MultiByteToWideChar
ReadFile
HeapAlloc
HeapReAlloc
GetConsoleCP
FlushFileBuffers
LCMapStringW
GetStringTypeW
SetFilePointer
IsProcessorFeaturePresent
HeapSize
SetStdHandle
WriteConsoleW
CreateFileW
KERNEL32.dll
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
$<'$!!$J58,<XM\[VMUSam
$ $G''G
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
zVnVvf
N?\~te
!.0r*K
VgDiIt
w.V02:
gwC]vW<
HFG@)>Urf
Fn&\mfO
{r(.GS\
c?QOQp
je>^$4
M20p7p}A
sHTmN:
'},tAQK
QEf@QE
C<SO38R
EcQA_W
+5ZhU(
}J^SzS
*QSOm-
${qRyK
E>f>o"
j'{-J~D
ZeYJ.$
Bu[Wb'
v7{PQD
ynK]QVHw
#F@u'#
I]je8E+
[v,QSGj
GQKE0"
ZO:pq
3LVapL
9W#.I
:9X{O"
/QP[1m
'([gc1
@=@?ZM
f~?z0;l
456GHIJKLM
@tBCDEF
$gijl3
c hh#[Q
`')*|,
h&c=,9
\2Ono9`
4qx2(D
n0Ap?4/<
[Ntgce
xS"E w
W*XQhJjS
lt]av_oXpi
u}f~gs
T46P9SNG
0q.6_x
IifOV]`
$2B`2>
nu'"P*h
:j+S$T%U
>5A4o>C
'S$\E~
Fn[o@`5a
3k<lM}
IoOniz.n
`tZ|]g
&<$_s
H<O0Dh
Gm_uv
i0*`_~
*W.@cR
!8(uC~
\"w)[3U
1^XH\BZ4
r:4q<@_
KlLe/B<e
g8'#P>;sf
{L!ZANV
p7s{kS
3,F"C{
s"5T{s
JC_VZ*
#\O.ZU
_N*tJ{
,g-1M\
ed6 0`W
RVg6oE
62$~L&
k="Ti8
pFO,R1
~jT2T&
~Wxsly
`9CSU8
@PfoVjd
J<"+5x;
5{Sq"m
~]JSHy
W[Fbb"_(
EjW!ZeM
tziqJj
!b!$AUbj
!tBMgT
7w(2)y
Z)4b<m
cTY)rL
FwX$Ql~Fl
zeK7BkIW
*}z-vv~
8'xO &
-:5sceG1Q
Al6$7cO
aG rpD
t^ya2^
=p-ca8
mP=nZ@
*|wbl4)
D\Cr?Er
mk<Oq'
zSIDE,
hd=,}g*
f)<o@TWg
DP_v&
B|"(Z$
kO/f."
wI.ad9~f&
r.b&eq
|obVG|q
d\sn`j
aQwvNI
bk4/wU
D@Z&GwP
MPM"Rm
HGUT.d%
D>ux9JI
I]D,5
UM(I,0
\By*#.
A4iz3^
!H.&/*u
FxRK@`
+K'@<mO
'[j.78G{
U(,A*e5
th"wSs
2n+]3f
8m=|@TM5
qiv"(Y\
%Z<s"x2a
CMGNDO>
-c&_];
nb_rhgi
dwphqq|lS[
]@TAJJ
>37`8iIm
Dj<kGpB
DeCfUd
l08BlE
8`95b=c
jU4Z.KxOt
U/X9[u(
-"7/h
Q:?JI4
O/-"9kP8$/n
tUTjzx
V<r8aK\
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
Antivirus Signature
Bkav Clean
nProtect Clean
CAT-QuickHeal Clean
K7AntiVirus Clean
K7GW Clean
TheHacker Clean
NANO-Antivirus Clean
F-Prot Clean
Norman Clean
TotalDefense Clean
TrendMicro-HouseCall TROJ_GEN.F47V1227
Avast Clean
ClamAV Clean
Kaspersky Trojan-Ransom.Win32.Foreign.jxuz
BitDefender Trojan.GenericKD.1475907
Agnitum Clean
ViRobot Clean
ByteHero Clean
Ad-Aware Trojan.GenericKD.1475907
Sophos Clean
Comodo Clean
F-Secure Trojan.GenericKD.1475907
DrWeb Clean
VIPRE Clean
AntiVir TR/Crypt.Xpack.38057
TrendMicro Clean
McAfee-GW-Edition Clean
Emsisoft Trojan.GenericKD.1475907 (B)
Jiangmin Clean
Antiy-AVL Clean
SUPERAntiSpyware Clean
Commtouch Clean
AhnLab-V3 Spyware/Win32.Zbot
VBA32 Clean
ESET-NOD32 Clean
Rising Clean
Ikarus Clean
Fortinet Clean
AVG Clean
Baidu-International Clean

  • moscow_times_JS.exe 1088
    • moscow_times_JS.exe 2000
      • explorer.exe 1992
  • Explorer.EXE 1408
    • IDNMitigationAPIs.pif 192
      • IDNMitigationAPIs.pif 252
        • explorer.exe 272
moscow_times_JS.exe, PID: 1088, Parent PID: 1824

moscow_times_JS.exe, PID: 2000, Parent PID: 1088

explorer.exe, PID: 1992, Parent PID: 2000

Explorer.EXE, PID: 1408, Parent PID: 1372

IDNMitigationAPIs.pif, PID: 192, Parent PID: 1408

IDNMitigationAPIs.pif, PID: 252, Parent PID: 192

explorer.exe, PID: 272, Parent PID: 252

Domains

No domains contacted.

Hosts

No hosts contacted.

HTTP Requests

No HTTP requests performed.

IRC Traffic

No IRC traffic.

SMTP Requests

No SMTP requests performed.

File name moscow_times_JS.exe
File Size 217600 bytes
File Type data
MD5 30b720cd94afb58ae463ebcc517f2dcf
SHA1 4d0a5016a019d2c4adf93ebf13d5672545df1e18
SHA256 8e95e8637e1234b588c4638c5adfd8e1e806795bb2085c1498dde660f1e3f744
CRC32 76F7F48A
Ssdeep 96:LyjTV4bWMmgwYu0Y1vZ8CYczXJQBmQ7wGKtI1TR/KXVo:LyHV4bWMmgwUYp1YkGmwwG51TRJ
Yara None matched
File name IDNMitigationAPIs.pif
File Size 217600 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 14c9ef92b1107e45779fe651825479cc
SHA1 bbbd85fe662f2ff93b60fca58346825df6173a47
SHA256 158dcf005a3b68acdc745b72992aae4d50718a6f27b464bf7286bf38e350ddd6
CRC32 D520A808
Ssdeep 3072:xIaps8JOCNtU+QS4tQK6lmrCwTiVTfTnZoOQMPF6SW3IT7zzm3GAjuc3hzst:xnWWNtU+e2lsTiCMPzzmR3ha
Yara
  • shellcode - Matched shellcode byte patterns