Analysis Date: 2015-12-05 07:15:39
MD5: 9e0558cb6173c6c40249a0dbffa653f7
SHA1: 0bd371a93c59887b27801468998bd8cae1479583

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
PEhash: ac1b92fb4259f0be9acb8c8a2fb459f7c4b9e9ab
IMPhash:
AV (Kaspersky): Backdoor.Win32.Androm.a
AV (MicroWorld (escan)): Gen:Variant.Kazy.219676
AV (Grisoft (avg)): Defiler.G
AV (Mcafee): W32/Worm-FFE!9E0558CB6173
AV (Frisk (f-prot)): W32/Andromeda.A.gen!Eldorado
AV (F-Secure): Gen:Variant.Kazy.219676
AV (Ikarus): Trojan.Defiler
AV (K7): Backdoor ( 003b0a701 )
AV (MalwareBytes): Trojan.Agent.NR
AV (Microsoft Security Essentials): Worm:Win32/Gamarue.I
AV (Fortinet): W32/Kryptik.AFJS!tr
AV (CAT (quickheal)): Worm.Gamarue.I1
AV (ClamAV): no_virus
AV (Dr. Web): BackDoor.Andromeda.22
AV (Ad-Aware): Gen:Variant.Kazy.219676
AV (Emsisoft): Gen:Variant.Kazy.219676
AV (Avira (antivir)): Worm/Gamarue.itza
AV (Eset (nod32)): Win32/TrojanDownloader.Wauchos.A
AV (Arcabit (arcavir)): Gen:Variant.Kazy.219676
AV (BitDefender): Gen:Variant.Kazy.219676
AV (BullGuard): Gen:Variant.Kazy.219676
AV (Alwil (avast)): Citadel-A [Trj]
AV (Authentium): W32/Andromeda.A.gen!Eldorado
AV (CA (E-Trust Ino)): no_virus
AV (Rising): Worm.Win32.Gamarue.b

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\msfqoa.pif\\x00
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\msfqoa.pif
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\0BD371~1.EXE
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
191.232.80.55
DNS: www.update.microsoft.com.nsatc.net
Type: A
157.55.240.94
DNS: www.update.microsoft.com
Type: A
DNS: lemon.dynv6.net:500
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 191.232.80.55:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53

Strings
.,.

kernel32.dll
08X.daHtq
23456789'+/
2<8=>>D?J?P?V?\?b?h?n?t?z?
=">(?.?4?:?@?F?L?R?X?^?dH~?p?v?|?
5eZ!&I.5 
66FE<(
6r/tXv~x
91A:P= 
96138.
9#'-G3o
a/4.0>2C
ABCDEFG
af7$RnpK
:)a.T;^
ckC(ou
cubion
DelayEx
*dsbOoa
Dy"	4DJZ
efghijkl
Env&lT
er-:Ag
fC@dU8
f"	PD>4
f	P$>H4
"g;AI7$b
h.dllhpi32hadva
hdll.hsbie
HIJKLMNO`PzSTUV
hsk\ehs\dihviceh\serhlsethntrohntcohurrehem\chsyst
	@l31.5xR
mnopqrst
n!Moz8il
NtDela
nxdMPv
	OO*D5
-P4R>U
p,@4ZA'NW"
"p FHD4 
qemut!
SVW9jdp
!This program cannot be run in DOS mode.
t;vAxGzM|S~Y
u}m2Th
%U+nmF
Uu}F_C
uvwxyz01
VasPbR(
vboxt-
vQoh%T,
wmwat9
WXYZabcd
XO.P<\
Zw=Cl.s