ThreatExpert Report

Submission Summary:

Submission details:

Submission received: 14 June 2011, 18:37:57
Processing time: 9 min 47 sec
Submitted sample:

File MD5: 0x3E7917F6E2E4B28C5E18F5AE814AB397
File SHA-1: 0x60B24A9ADD9A224158EC67196CB98F7A9800FF98
Filesize: 1,567,536 bytes

Summary of the findings:

What's been found	Severity Level
Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine).
Downloads/requests other files from Internet.

Technical Details:

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash
1	%System%\kbd101b.dll %Windir%\Temp\OLD10.tmp	6,144 bytes	MD5: 0x15CC5E30A8CFFFAC6056EC7CF2070187 SHA-1: 0x520BF2D27179B0FCC0CBD6C8A0070569AF8E84CF
2	%System%\kbd101c.dll %Windir%\Temp\OLD14.tmp	6,144 bytes	MD5: 0xE1CB8EE6C0DC70E0DBCFA8D32C849E91 SHA-1: 0x85C76426A7D74B6D8216C9372355553AE0B3D41B
3	%System%\kbd103.dll %Windir%\Temp\OLD18.tmp	5,632 bytes	MD5: 0x1AB5B6C627EBC61883EA311367F51130 SHA-1: 0x9C3B9EA1AA884B36EDDD588D7AE955F22709FB32
4	%System%\kbd106.dll %Windir%\Temp\OLD1C.tmp	6,144 bytes	MD5: 0x5F5124D2FE8AE381E914C9147353D64C SHA-1: 0x5631295E512BDE2F18C8E0FD9DF9106F7B0C2E47
5	%System%\kbdjpn.dll %Windir%\Temp\OLD20.tmp	8,704 bytes	MD5: 0x804B09FA1E3A86E729ABCCA7F30AE53C SHA-1: 0xFD7F04B8F2DDFF19C703FC852EF7701248C65159
6	%System%\kbdkor.dll %Windir%\Temp\OLD24.tmp	8,192 bytes	MD5: 0x3244B59A0EB07E7B181F52D80D5E7385 SHA-1: 0x0E4A9EF72972142FA6211242C35CAADD131AF120
7	[file and pathname of the sample #1]	1,567,536 bytes	MD5: 0x3E7917F6E2E4B28C5E18F5AE814AB397 SHA-1: 0x60B24A9ADD9A224158EC67196CB98F7A9800FF98
8	%System%\ï¿½ï¿½Ê¼ï¿½ï¿½Ï·ï¿½ï¿½Ö¾.txt	18 bytes	MD5: 0xB157A1240EBFB8F68BDCC8343D589329 SHA-1: 0x4F4166023B46D788116F56DFC3B7DC1F35C18BD6

Notes:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	3,268,608 bytes

Registry Modifications

The newly created Registry Value is:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International]

W2KLpk = 0x00000001

Other details

Analysis of the file resources indicate the following possible countries of origin:

	China
	Russian Federation

The following ports were open in the system:

Port	Protocol	Process
1051	UDP	[file and pathname of the sample #1]
1059	TCP	[file and pathname of the sample #1]

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
123.125.115.243	80
123.125.115.75	80
98.126.74.100	80

The data identified by the following URLs was then requested from the remote web server:

http://pos.baidu.com/ecom?di=u398035&tm=BAIDU_CPRO_SETJSONADSLOT&fn=BAIDU_CPRO_CSETADSLOT&baidu_id=
http://cpro.baidu.com/cpro/ui/c.js
http://www.showparty.cn/ad/ad.html
http://www.showparty.cn/ad/tao.html
http://pos.baidu.com/ecom?di=u398039&tm=BAIDU_CPRO_SETJSONADSLOT&fn=BAIDU_CPRO_CSETADSLOT&baidu_id=

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.