Advanced File Analysis System

File Name: 900f83e9f1dd818f4c1006ae6b0c6c518d6bc943376140fc2be3c99f1d8ffa9f.ex

File Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA1: 855fa325ab3aa9499ec8260a8172c2f75b5854d7

MD5: 1fc01f0b85c82b69c5e04b55bb8a07ee

Information Discovery

Reads data out of its own binary image Show sources

api_process_name	process: 855fa325ab3aa9499ec8260a8172c2f75b5854d7.exe, pid: 2512, offset: 0x00000000, length: 0x00000040
api_process_name	process: 855fa325ab3aa9499ec8260a8172c2f75b5854d7.exe, pid: 2512, offset: 0x00000108, length: 0x000000f8

Networking

Attempts to connect to a dead IP:Port (8 unique times) Show sources

network_host_ip	119.147.163.227:80 (China)
network_host_ip	157.185.170.133:80 (United States)
network_host_ip	72.21.91.29:80 (United States)
network_host_ip	121.201.47.218:443 (China)
network_host_ip	121.201.47.218:80 (China)
network_host_ip	157.185.158.198:80 (United States)
network_host_ip	104.193.88.123:80 (unknown)
network_host_ip	23.215.131.176:80 (United States)

Performs some HTTP requests Show sources

network_url	http://b.533y.com/_regevent.gif?event=100&ename=%E6%89%93%E5%BC%80&type=0&game=z&oid=16311&oid1=16311&oid2=&cid=39531&aid=70236&lc=0&userSession=08:00:27:CB:30:5F&newStat=0&referer=http%3A%2F%2Fweb%2E4399%2Ecom%2Fz%2Fclients%2Fzt%5Fsmba%5Fzddl%2Freg%2Ehtml%3Fagid%3D22100%26cid%3D39531%26aid%3D70236%26oid%3D16311%26oid2%3D%26vcode%3Dcafes%26dirtype%3D0%26pt%3D0
network_url	http://client.5054399.com/active.htm?tag=Z70236&ver=3.0.0.1&count=1&apartdays=0&keepdays=1&weekdays=1
network_url	http://web.4399.com/z/clients/zt_smba_zddl/reg.html?oid=16311&oid2=&vcode=cafes&dirtype=0&pt=0agid=22100&cid=39531&aid=70236&game=z&did=p6p2h462q385g714h378u343m392e371a392y35yl315n378l378f371d7d7x7xxf336i7i7r679c868v336s385c392x462g49gg462b49bw49wk336f336n336q371d336u378x378w35w&vid=54cdc5495f19770b35ee4c1659ab7891&mac=08:00:27:CB:30:5F&toAd=1&autorun=0
network_url	http://webpic.my4399.com/re/cms/z/clients/zt_smba_zddl/css/theme.css
network_url	http://pic.my4399.com/js/core.js
network_url	http://pic.my4399.com/re/cms/feUtil/effectTj/1.1/effectTj.js
network_url	http://webpic.my4399.com/re/cms/z/clients/zt_smba_zddl/css/bb.jpg
network_url	http://web.4399.com/util/get_login.php?&jsoncallback=jsonp_04269758833383082
network_url	http://web.4399.com/util/?_c=code&t=reg
network_url	http://webpic.my4399.com/re/cms/z/clients/zt_smba_zddl/css/video.swf
network_url	http://webpic.my4399.com/re/cms/z/clients/zt_smba_zddl/css/bg1.png
network_url	http://pic.my4399.com/re/cms/web/js/config.js
network_url	http://pic.my4399.com/re/cms/web/js/lib/jquery.js?v1.7.2
network_url	http://pic.my4399.com/re/cms/web/js/web_referer.js
network_url	http://pic.my4399.com/re/cms/web/js/user/action.js
network_url	http://webpic.my4399.com/re/cms/z/clients/zt_smba_zddl/js/autologin.js
network_url	http://record.4399.com/a.php?r=&s=800x600&fv=12.0
network_url	http://webpic.my4399.com/re/cms/z/clients/zt_smba_zddl/css/sound.swf
network_url	http://pic.my4399.com/re/cms/clients/js/client_old_reg.js
network_url	http://pic.my4399.com/re/cms/web/js/module/util.js
network_url	http://pic.my4399.com/re/cms/feUtil/easydialog/2.2/easydialog.min.js
network_url	http://web.4399.com/util/get_login.php?&jsoncallback=jsonp_05604826788807868
network_url	http://web.4399.com/util/get_login.php?&jsoncallback=jsonp_05643016475029259
network_url	http://txt.unionli.com/txlink.gif?alid=70236&oid=16311&time=1534806157492
network_url	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAWAJn8G8pVTNI4cGFpe7i4%3D
network_url	http://ocsp2.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJrF0xYA49jC3D83fgDGesaUkzIQQUf9OZ86BHDjEAVlYijrfMnt3KAYoCEA%2Bo0zpfaDx76QP%2FphgC0qo%3D
network_url	http://crl.globalsign.net/primobject.crl

Network activity contains more than one unique useragent. Show sources

Process	855fa325ab3aa9499ec8260a8172c2f75b5854d7.exe
User-Agent	Internal
Process	855fa325ab3aa9499ec8260a8172c2f75b5854d7.exe
User-Agent	LHL
Process	855fa325ab3aa9499ec8260a8172c2f75b5854d7.exe
User-Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

A process sent information about the computer to a remote location. Show sources

api_process_name

855fa325ab3aa9499ec8260a8172c2f75b5854d7.exe: /_regevent.gif?event=33&ename=\xef\xbf\xa5\xef\xbe\xb8\xef\xbe\xb8\xef\xbf\xa8\xef\xbe\xa7\xef\xbe\x84\xef\xbf\xa6\xef\xbe\xb3\xef\xbe\xa8\xef\xbf\xa5\xef\xbe\x86\xef\xbe\x8c\xef\xbf\xa6\xef\xbe\xa1\xef\xbe\x86&vcode=1&type=0&game=z&oid=16311&oid1=16311&oid2=&cid=39531&aid=70236&lc=0&projectId=&userSession=0e414a3c-72d60f-e355c1&newStat=3&baseoid=16311&referer=http%3A%2F%2Fweb.4399.com%2Fz%2Fclients%2Fzt_smba_zddl%2Freg.html%3Foid%3D16311%26oid2%3D%26vcode%3Dcafes%26dirtype%3D0%26pt%3D0agid%3D22100%26cid%3D39531%26aid%3D70236%26game%3Dz%26did%3Dp6p2h462q385g714h378u343m392e371a392y35yl315n378l378f371d7d7x7xxf336i7i7r679c868v336s385c392x462g49gg462b49bw49wk336f336n336q371d336u378x378w35w%26vid%3D54cdc5495f19770b35ee4c1659ab7891%26mac%3D08%3A00%3A27%3ACB%3A30%3A5F%26toAd%3D1%26autorun%3D0&f2=%7B%22userName%22%3Anull%2C%22loginType%22%3Anull%7D&f3=%7B%22stime%22%3A1534798442936%2C%22etime%22%3A7714554%2C%22system%22%3A%22windows%22%2C%22systemVer%22%3A%227%22%2C%22browser%22%3A%22ie%22%2C%22browserVer%22%3A7%2C%22resolution%22%3A%5B800%2C600%5D%2C%22isCookie%22%3A1%2C%22isMobile%22%3A0%2C%22isCanvas%22%3A0%2C%22deviceType%22%3A%22desktop%22%2C%22deviceModel%22%3A%22desktop%22%2C%22xyClick%22%3A%5Bnull%2Cnull%2C1196%2C748%5D%2C%22pageInfo%22%3A%7B%22maxScrollTop%22%3A0%2C%22height%22%3A748%7D%2C%22clickType%22%3A1%2C%22u3dVer%22%3Anull%2C%22flashVer%22%3A%5B20%2C0%2C0%5D%2C%22isU3d%22%3A1%7D

api_process_name

855fa325ab3aa9499ec8260a8172c2f75b5854d7.exe: /_regevent.gif?event=31&ename=\xef\xbf\xa6\xef\xbe\xb3\xef\xbe\xa8\xef\xbf\xa5\xef\xbe\x86\xef\xbe\x8c\xef\xbf\xa6\xef\xbe\xa1\xef\xbe\x86\xef\xbf\xa5\xef\xbe\x87\xef\xbe\xba\xef\xbf\xa7\xef\xbe\x8e\xef\xbe\xb0&vcode=1&type=0&game=z&oid=16311&oid1=16311&oid2=&cid=39531&aid=70236&lc=0&projectId=&userSession=0e414a3c-72d60f-e355c1&newStat=3&baseoid=16311&referer=http%3A%2F%2Fweb.4399.com%2Fz%2Fclients%2Fzt_smba_zddl%2Freg.html%3Foid%3D16311%26oid2%3D%26vcode%3Dcafes%26dirtype%3D0%26pt%3D0agid%3D22100%26cid%3D39531%26aid%3D70236%26game%3Dz%26did%3Dp6p2h462q385g714h378u343m392e371a392y35yl315n378l378f371d7d7x7xxf336i7i7r679c868v336s385c392x462g49gg462b49bw49wk336f336n336q371d336u378x378w35w%26vid%3D54cdc5495f19770b35ee4c1659ab7891%26mac%3D08%3A00%3A27%3ACB%3A30%3A5F%26toAd%3D1%26autorun%3D0&f2=%7B%22userName%22%3Anull%2C%22loginType%22%3Anull%7D&f3=%7B%22stime%22%3A1534798442936%2C%22etime%22%3A7714554%2C%22system%22%3A%22windows%22%2C%22systemVer%22%3A%227%22%2C%22browser%22%3A%22ie%22%2C%22browserVer%22%3A7%2C%22resolution%22%3A%5B800%2C600%5D%2C%22isCookie%22%3A1%2C%22isMobile%22%3A0%2C%22isCanvas%22%3A0%2C%22deviceType%22%3A%22desktop%22%2C%22deviceModel%22%3A%22desktop%22%2C%22xyClick%22%3A%5Bnull%2Cnull%2C1196%2C748%5D%2C%22pageInfo%22%3A%7B%22maxScrollTop%22%3A0%2C%22height%22%3A748%7D%2C%22clickType%22%3A1%2C%22u3dVer%22%3Anull%2C%22flashVer%22%3A%5B20%2C0%2C0%5D%2C%22isU3d%22%3A1%7D

Stealing of Sensitive Information

Sniffs keystrokes Show sources

api_process_name

Process: 855fa325ab3aa9499ec8260a8172c2f75b5854d7.exe(2512)

Attempts to modify proxy settings

Static Anomaly

Anomalous binary characteristics Show sources

static_pe_anomaly

Actual checksum does not match that reported in PE header

Hooking and other Techniques for Hiding Protection

Creates RWX memory Show sources

injection_rwx_memory

0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

Data Obfuscation

Unconventionial binary language: Chinese (Simplified)

Loading...