Analysis Date: 2014-07-03 17:48:19
MD5: 46596ad773c94915d927d6419199b176
SHA1: 223d6a7053152068324ca1a0db4da5cd900d7189

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1: md5: 57cb5136128215c300316f94f7f71d71 sha1: 8b86de58f90160b46c3014eb14dc43e39e34e5ee size: 177664
Section .rsrc: md5: 5b4c3abbdcfae02002406760c7432712 sha1: 8ceea88dae426aec5b1a86aef27c99b9938923a5 size: 512
Timestamp: 2012-04-04 03:32:42
Packer: UPX -> www.upx.sourceforge.net
PEhash: c8e405e2d686d79a0eae5d14f513ee30b06c1213
IMPhash: 3243b13e562279ab7fbe2f31e45d3a95
AV 360 Safe: Trojan.Keylogger.MWP
AV Ad-Aware: Trojan.Keylogger.MWP
AV Alwil (avast): KeyLogger-ARY [Spy]
AV Arcabit (arcavir): Heur.RoundKick
AV Authentium: W32/VBInject.AM.gen!Eldorado
AV Avira (antivir): BDS/Backdoor.Gen
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Worm.Ainslot.A.mue
AV ClamAV: no_virus
AV Dr. Web: Worm.Siggen.6967
AV Emsisoft: Trojan.Keylogger.MWP
AV Eset (nod32): Win32/Ainslot.AA worm
AV Fortinet: W32/Cospet.HA!tr
AV Frisk (f-prot): W32/VBInject.AM.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Trojan.Keylogger.MWP
AV Grisoft (avg): Worm/Generic2.BLRH
AV Ikarus: Trojan.Win32.VB
AV K7: EmailWorm ( 003a1cd61 )
AV Kaspersky: Trojan.Win32.Generic:Worm.Win32.Shakblades.bdc
AV MalwareBytes: Trojan.Agent
AV Mcafee: W32/Generic.worm!p2p
AV Microsoft Security Essentials: Worm:Win32/Ainslot.A
AV MicroWorld (escan): Trojan.Keylogger.MWP
AV Norman: win32:win32/Ainslot.A
AV Rising: Worm.Win32.Anisolt.a
AV Sophos: Mal/VB-GI
AV Symantec: W32.Shadesrat
AV Trend Micro: WORM_SWISYN.SM
AV VirusBlokAda (vba32): Malware-Cryptor.VB.gen.1
AV F-Secure: Generic.Keylogger.2.D5EAE87D
AV Zillya!: Worm.Shakblades.Win32.2403
AV MicroWorld (escan): Generic.Keylogger.2.D5EAE87D
AV Fortinet: W32/Injector.PDT!tr
AV Ikarus: Trojan.Win32.VB
AV K7: EmailWorm ( 003a1cd61 )
AV Rising: Worm.Win32.Anisolt.a
AV Avira (antivir): BDS/Backdoor.Gen
AV Grisoft (avg): Worm/Generic2.BLRH
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Worm.Ainslot.A.mue
AV Mcafee: W32/Generic.worm!p2p
AV Dr. Web: Worm.Siggen.6967
AV Kaspersky: Trojan-FakeAV.Win32.Windef.mer
AV Ad-Aware: Generic.Keylogger.2.D5EAE87D
AV Padvish: Worm.Win32.Shakblades.bdc
AV Authentium: W32/VBInject.AM.gen!Eldorado
AV BullGuard: Generic.Keylogger.2.D5EAE87D
AV BitDefender: Generic.Keylogger.2.D5EAE87D
AV Alwil (avast): KeyLogger-ARY [Spy]
AV MalwareBytes: Trojan.Agent
AV Eset (nod32): Win32/Ainslot.AA worm
AV Frisk (f-prot): W32/VBInject.AM.gen!Eldorado
AV VirusBlokAda (vba32): Malware-Cryptor.VB.gen.1
AV Twister: Virus.F62FAA9000FF25A010.mg
AV ClamAV: Win.Trojan.Blackshades-1
AV Trend Micro: WORM_SWISYN.SM
AV Emsisoft: Generic.Keylogger.2.D5EAE87D
AV Symantec: W32.Shadesrat
AV Arcabit (arcavir): Generic.Keylogger.2.D5EAE87D
AV Microsoft Security Essentials: Worm:Win32/Ainslot.A

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{D8DFB3AF-54FE-C89D-B686-BFAFBAFDCCD4}\StubPath ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\java\jusched.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Windows Defender ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\java\jusched.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\java\jusched.exe
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\INSTALL\DATE\IYTPP1WV8T ➝ July 3, 2014\\x00
Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\IYTPP1WV8T ➝ Mayhem Bot\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\java\jusched.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D8DFB3AF-54FE-C89D-B686-BFAFBAFDCCD4}\StubPath ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\java\jusched.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\java\jusched
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\java\jusched.exe
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Local Settings\Temp\java\jusched.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Local Settings\Temp\java\jusched.exe:*:Enabled:Windows Messanger" /f
Creates Process: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f
Creates Mutex: IYTPP1WV8T

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝ NULL

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Local Settings\Temp\java\jusched.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Local Settings\Temp\java\jusched.exe:*:Enabled:Windows Messanger" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\java\jusched.exe ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\java\jusched.exe:*:Enabled:Windows Messanger\\x00

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions ➝ NULL

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Local Settings\Temp\java\jusched.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Local Settings\Temp\java\jusched.exe:*:Enabled:Windows Messanger" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\Administrator\Local Settings\Temp\java\jusched.exe" /t REG_SZ /d "C:\Documents and Settings\Administrator\Local Settings\Temp\java\jusched.exe:*:Enabled:Windows Messanger" /f

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Process
↳ REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\\malware.exe" /t REG_SZ /d "C:\\malware.exe:*:Enabled:Windows Messanger" /f

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\\malware.exe ➝ C:\\malware.exe:*:Enabled:Windows Messanger\\x00

Process
↳ cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Creates Process: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network Details:

DNS: java.3utilities.com
Type: A
64.191.29.122
DNS: 1java.3utilities.com
Type: A
Flows TCP: 192.168.1.1:1033 ➝ 64.191.29.122:6729
Flows TCP: 192.168.1.1:1035 ➝ 64.191.29.122:6729
