Analysis Date: 2014-06-05 07:53:59
MD5: 7ddb6b23934679eeb81d1c61157079af
SHA1: 0721a42746cd95ac5a3cc52853f5cbb0f7cfa4ab

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .code md5: 373d7676bcd7bbbcc26805c648309323 sha1: d2aef814de9b78aeef8ae11a9adcebc61b8ecc6f size: 10240
Section: .text md5: 7354728dcde1b6ae2f194356f5025786 sha1: 0a2e2f94a92fec5ed9c1fcda5571355be0d2eac8 size: 23040
Section: .rdata md5: d36fdf858d843e2b7f88e077ca8adc57 sha1: f9d650f610cf72b234c19c41f6de50e7cfeaa7b4 size: 512
Section: .data md5: b4e1777d2bed86c6eebf830fab75086a sha1: a653bd2678d8f3ed8aff114f19d17af104eb13fa size: 3072
Section: .rsrc md5: 57d03bf98b0552c5e4db7b83e461132b sha1: 169cbe98c31ff836e5afdf26753912d3b7bf50e8 size: 11264
Timestamp: 1972-01-20 07:20:46
Version: ProductName: mipakokpokpzd
ProductVersion: 6.9
CompanyName: uihuhuhfzuehfiu
PEhash: a73dccdbdb45e5bade33971b661f2603567ea66b
IMPhash: 846bb7ef3767f97cc9ca2edead4391e1
AV: 360 Safe — Trojan.Encpk.Gen.4
AV: Ad-Aware — Trojan.Encpk.Gen.4
AV: Alwil (avast) — Loktrom-V [Trj]
AV: Arcabit (arcavir) — no_virus
AV: Authentium — W32/Trojan.TPOQ-3665
AV: Avira (antivir) — TR/Spy.ZBot.rkvh
AV: CA (E-Trust Ino) — Win32/Inject.C!generic
AV: CAT (quickheal) — Worm.Gamarue
AV: ClamAV — no_virus
AV: Dr. Web — BackDoor.Andromeda.22
AV: Emsisoft — no_virus
AV: Eset (nod32) — Win32/TrojanDownloader.Wauchos.A
AV: Fortinet — W32/Tepfer.AAX!tr.pws
AV: Frisk (f-prot) — no_virus
AV: F-Secure — Trojan.Encpk.Gen.4
AV: Grisoft (avg) — Generic35.BJBS
AV: Ikarus — Trojan-PWS.Win32.Fareit
AV: Kaspersky — Trojan.Win32.Inject.hhct
AV: MalwareBytes — Spyware.Passwords.ED
AV: Mcafee — PWS-Zbot-FAQD!7DDB6B239346
AV: Microsoft Security Essentials — Worm:Win32/Gamarue.I
AV: MicroWorld (escan) — Trojan.Encpk.Gen.4
AV: Norman — winpe/Troj_Generic.SFMID
AV: Rising — no_virus
AV: Sophos — Troj/Agent-ADBJ
AV: Symantec — Packed.Generic.448
AV: Trend Micro — TROJ_SPNR.35BH14
AV: VirusBlokAda (vba32) — Trojan.Inject

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝
C:\Documents and Settings\All Users\Local Settings\Temp\msiuloki.scr\\x00
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\msiuloki.scr
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\0721A4~1.EXE
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.242.252
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.138.188
DNS: mkjjkez-sy.ru
Type: A
144.76.144.27
DNS: www.update.microsoft.com
Type: A
HTTP POST: http://mkjjkez-sy.ru/andro/image.php
User-Agent: Mozilla/4.0
Flows TCP: 192.168.1.1:1031 ➝ 65.55.242.252:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1033 ➝ 144.76.144.27:80

Raw Pcap
0x00000000 (00000)   504f5354 202f616e 64726f2f 696d6167   POST /andro/imag
0x00000010 (00016)   652e7068 70204854 54502f31 2e310d0a   e.php HTTP/1.1..
0x00000020 (00032)   486f7374 3a206d6b 6a6a6b65 7a2d7379   Host: mkjjkez-sy
0x00000030 (00048)   2e72750d 0a557365 722d4167 656e743a   .ru..User-Agent:
0x00000040 (00064)   204d6f7a 696c6c61 2f342e30 0d0a436f    Mozilla/4.0..Co
0x00000050 (00080)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x00000060 (00096)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x00000070 (00112)   726d2d75 726c656e 636f6465 640d0a43   rm-urlencoded..C
0x00000080 (00128)   6f6e7465 6e742d4c 656e6774 683a2038   ontent-Length: 8
0x00000090 (00144)   380d0a43 6f6e6e65 6374696f 6e3a2063   8..Connection: c
0x000000a0 (00160)   6c6f7365 0d0a0d0a 66484741 54384133   lose....fHGAT8A3
0x000000b0 (00176)   2b6a6e65 6e435231 31717275 416a375a   +jnenCR11qruAj7Z
0x000000c0 (00192)   524c7843 4f316137 38324877 79535748   RLxCO1a782HwySWH
0x000000d0 (00208)   6f584e36 2b556648 57743635 586a6341   oXN6+UfHWt65XjcA
0x000000e0 (00224)   7662446e 50776b78 4a386772 6f513675   vbDnPwkxJ8groQ6u
0x000000f0 (00240)   4d67475a 6f6e6d66 48582b6b 6b766761   MgGZonmfHX+kkvga
0x00000100 (00256)                                         


Strings
 
????

100704b0
333f3
CompanyName
f3fff
mipakokpokpzd
ProductName
ProductVersion
StringFileInfo
Translation
uihuhuhfzuehfiu
VarFileInfo
VS_VERSION_INFO
;\$$|)
\$`#\$
0123456789abcdef
|$03|$(
|$03|$D
0{ ?M:3
1"4OP'2)fh
|$`3|$
|$,3|$@
|$,3|$$
\$`3\$
|$`303|$X
|$(3|$ 3x
\$`3|$@3x
3|$<3x
3|$4#l$
3|$D3x
3f89498efzzefzef
3|$H3x
3p03x(3p
3p 3\$
3p$3l$X3p
3p43|$
3p43P,3p(3P
|$`3|$X
\$`3\$X
3|$X3p
3x43p03x(3p
4246852148968
4246852148968894984894984674246852148968
4246852148968ev
#.6T*h
='7n SA7
\$8+\$
%.8FKJ*Uk
?&9L'+32D
accept
AlphaBlend
AppendMenuA
a	&x3<3
BitBlt
=C~2n$
C7@DZv
CCCCCCCCCCC
_CIlog
_CIsqrt
CloseHandle
closesocket
CoInitialize
COMCTL32.DLL
CoUninitialize
CreateBitmap
CreateCompatibleDC
CreateDIBSection
CreateFileA
CXu|#6
d+|1Gq
@.data
d:/cQq
DDRAW.DLL
DeleteCriticalSection
DeleteDC
DeleteFileA
DeleteObject
DestroyAcceleratorTable
DestroyIcon
DestroyMenu
DestroyWindow
DirectDrawCreateEx
DllGetVersion
;\$Dux
D$ VPSj
e<G^eZ
EnterCriticalSection
ExitProcess
ExitThread
fclose
ffffff
ffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
FillRect
FreeLibrary
GDI32.DLL
GetDIBits
GetFileAttributesA
GetModuleHandleA
GetObjectA
GetObjectType
GetProcAddress
GetStockObject
GetVersionExA
GetWindow
gmtime
gu2SqKant8zw4PLV/9b/+rjwqKg=
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
hPymtoqqq/X6
I76theh~4
InitCommonControlsEx
InitializeCriticalSection
?InitOnceExecuteOnce
ioctlsocket
IsAppThemed
i/WopKqqgej84A==
i/WopKqqhvb16uY=
i/yzgKKqosnw/+A=
i/yzi6Sisvb8w+z2/Mv79KnY
i/yzkqO0ovv9xur07eDi7Q==
j/irqpyvqf728tXo9ubb
j+uip7+jgfP14MQ=
j+uip7+jl+j25uDp6sQ=
j/Wota6Arvb8
j/Wota6OpvT96eA=
\$\K;\$(
Kernel32.dll
KERNEL32.dll
+Kvz8PPz9autvbysoQ==
l$`3\$
l$`3|$<3l$
l$`3l$
#l$`3p
l$`3|$X
LeaveCriticalSection
LoadCursorA
LoadIconA
LoadLibraryA
LocalFileTimeToFileTime
l$X3|$4
malloc
memcpy
memmove
memset
meqitPj0
mmmmmmm
mmmmmmmmmmmmmmm
mmmmmmmmmmmmmmmmmmmm
mmmmmmmmmmmmmmmmmmmmmmm
M.ohS~f
MoveFileA
mPy1q6Kopu781ff1+uDp6g==
msimg32.dll
MSVCRT.dll
m+uusq6WtfX64Pbp1OD39r7g
mvC1sr6nq9v16er53P0=
]&n\S&.
>[nu(,
nvy0s6ajk/Lr4OT+
nvymoo2vq/8=
n/yzkqO0ovv9xur07eDi7Q==
O6A{wg8$6
oA+3#Y3
OLE32.DLL
ou2jqqc=
\$P3|$
\$P3|$`
\$P3P,
PB_DropAccept
PBMGu2
PB_WindowID
p/y1qK6q9Kg=
QSVWhD
`.rdata
recvfrom
RemovePropA
RevokeDragDrop
rEZb[E
SelectObject
SendMessageA
SetActiveWindow
SetEndOfFile
SetFilePointer
SetFileTime
SetMenu
SetPixel
SFLEu)
sprintf
s|@Sm}2
strcat
strcpy
_stricmp
strlen
SystemTimeToFileTime
t+9.u/
	t{AmZ(.o4E
`.text
!This program cannot be run in DOS mode.
TlsAlloc
t$X3\$X
T$X#l$X
UnregisterClassA
UoP#;-r
USER32.DLL
?UUUUUU
u.uY5O-=
/U=w>XDf
uxtheme.dll
WideCharToMultiByte
WindowClass_%d
w+J.FQ
WriteFile
Wr%O\H
WSACleanup
WSAGetLastError
WSAStartup
WSOCK32.DLL
wwwwww
wwwwwww
wwwwwwwwwwww
wwwwwwwwwy
\$X3|$
\$X3|$838
x4246852148968????????????
~Y]Nbz"
yyyyyy
}Z}#gA