Analysis Date: 2014-02-13 02:52:53
MD5: ab272e012eee23d62e0eae30cc5fdb93
SHA1: 19f488060bd0ce39f62845d294460d8d15975d1e

Static Details:

PEhash: f043df4d3118df6296b9eb525dc99fb90cd4a0ad
IMPhash: fc4fcc7fd3b5e9c151a51b8cf9a5c44c
AV (mcafee): PWS-Zbot-FAQD!AB272E012EEE
AV (avg): PSW.Generic12.AAJX

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: c:\malware.exe

Process
↳ c:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝
C:\Documents and Settings\All Users\Local Settings\Temp\msbalk.bat\\x00
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\msbalk.bat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: c:\19F488~1.EXE
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.138.189
DNS: mkjjkez-sy.ru
Type: A
144.76.144.27
DNS: www.update.microsoft.com
Type: A
HTTP POST: http://mkjjkez-sy.ru/andro/image.php
User-Agent: Mozilla/4.0
Flows TCP: 192.168.1.1:1031 ➝ 65.55.138.189:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1033 ➝ 144.76.144.27:80

Raw Pcap
0x00000000 (00000)   504f5354 202f616e 64726f2f 696d6167   POST /andro/imag
0x00000010 (00016)   652e7068 70204854 54502f31 2e310d0a   e.php HTTP/1.1..
0x00000020 (00032)   486f7374 3a206d6b 6a6a6b65 7a2d7379   Host: mkjjkez-sy
0x00000030 (00048)   2e72750d 0a557365 722d4167 656e743a   .ru..User-Agent:
0x00000040 (00064)   204d6f7a 696c6c61 2f342e30 0d0a436f    Mozilla/4.0..Co
0x00000050 (00080)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x00000060 (00096)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x00000070 (00112)   726d2d75 726c656e 636f6465 640d0a43   rm-urlencoded..C
0x00000080 (00128)   6f6e7465 6e742d4c 656e6774 683a2038   ontent-Length: 8
0x00000090 (00144)   380d0a43 6f6e6e65 6374696f 6e3a2063   8..Connection: c
0x000000a0 (00160)   6c6f7365 0d0a0d0a 66484741 54384133   lose....fHGAT8A3
0x000000b0 (00176)   2b6a6e65 6e435231 31717275 416a375a   +jnenCR11qruAj7Z
0x000000c0 (00192)   524c7843 4f316137 38324877 79535748   RLxCO1a782HwySWH
0x000000d0 (00208)   6f584e36 2b556648 57743635 586a6341   oXN6+UfHWt65XjcA
0x000000e0 (00224)   7662446e 50776b78 4a386772 6f41536c   vbDnPwkxJ8groASl
0x000000f0 (00240)   4e675365 70587561 45332b6b 6b766761   NgSepXuaE3+kkvga
0x00000100 (00256)                                         


Strings
????
G
100704b0
CompanyName
loikjjfzff
Name
Produ
StringFileInfo
thhhrze
Translation
VarFileInfo
VS_VERSION_INFO
~!.&0le	
204897877888897897987
6ORGHpv
6z]M+	
\$8+\$
8.AEzFjo
8..w#9
95549887798498489
955498877984984892189494894949895549887798498489
?]9cx %
9Pr+8//w/////v/z/v78//8=
cDAhe/
_CIasin
_CIcosh
CIR<vJ
closesocket
C-RY3Xx
@.data
DeleteDC
;\$Dux
D$ VPSj
>.#_Ep
ExitProcess
 }Fhy(c
f/i+:'
FileTimeToLocalFileTime
FileTimeToSystemTime
FreeLibrary
Fvy25T
g7ueqaupt56horCIoZWtpLKhqak=
GDI32.DLL
GetCurrentProcess
GetExitCodeProcess
GetLocalTime
GetModuleHandleA
gps|nG
&-gsW+
haqqt4ekq6er
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
ioctlsocket
iqOkpaekgbqtog==
iqOkpaekhqSkqKQ=
iqq/ga+kopuhvaI=
iqq/iqmssqStga6rooipqqOJ
iqq/k666oqmshKips6Owsw==
/j_'H.
jq6nq5GhqaynsJe1qKWJ
jqOktKOApqasq6I=
jqOktKOOrqSt
jr2uprKtgaGkooY=
jr2uprKtl7qnpKK0tIc=
jtO1hv
\$\K;\$(
KERNEL32.dll
k@^l@[9
 k]oBfcz
localtime
Lt}9G}
Lt}9H|
m6a5s7Opq4mkq6ikgr4=
maq5qq+mprytl7WopKO7tA==
memcpy
memmove
memset
mktime
mLyutfX6
mr2is6OYtaerorS0iqOlqLSx
MSVCRT.dll
MT,?w_
n4-|:]
n6q4squtk6C6oqaj
n6qqo4Chq60=
N95549887798498489llllllllllll
nqq/k666oqmshKips6Owsw==
n ,t{l
o7uvq6o=
PBMGug
pqq5qaOk9Po=
`.rdata
recvfrom
RN;59I
SFLEu^j
SlX^6O
strlen
T.AJHR
`.text
!This program cannot be run in DOS Mode.
u4<KFL)
V=7/c7
V`~.yiJs
WideCharToMultiByte
WSACleanup
WSAGetLastError
WSAStartup
WSOCK32.DLL
ZGjO@)<as5