Analysis Date: 2015-10-04 17:50:49
MD5: 35710232a48d2c44059a6c121f4194d1
SHA1: 2ab546688fb1ab43d912fc6b7ca8f186d70aabc7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: f73159535da728eef232715fab3d4ee6 sha1: 364e19362e2193690c75ce780bfacacc7ae52a57 size: 12288
Section .rdata md5: 8a5229a40b7c929e7bcf31879d4337cc sha1: 5396449add06b73bc9c7c03232809c4f2f77716f size: 4096
Section .data md5: 95e169ec1efaa34b60e4ed4fbf4c0363 sha1: 225a35e9625054e28e2e6bc255586e177c0bff20 size: 323584
Section .idata md5: 7b4ffe8c48b449054837d7831855c892 sha1: b49d6a5f391ccf300b353d09f76fdd53553f83c9 size: 4096
Section .rsrc md5: ebc4fecced671e6eb5cee495c2bc07e8 sha1: 51f59090e40fb2590a0c8b086dea88ce6c30ffa5 size: 32768
Section .reloc md5: 2cfcb5445d5ad8a87ba63d4d000837f3 sha1: 2623ea91aeb0f29b5781d7f5b1cb856e051e4ce8 size: 4096
Timestamp: 2015-07-21 15:36:09
Packer: Microsoft Visual C++ v6.0
PEhash: 2b5652d88e2c12e6cdeab6f25c5586c72209032f
IMPhash: 80ab253e7913f6fa906249892ea4be1b
AV Rising: 0x58e5ddac
AV Mcafee: GenericR-EAW!35710232A48D
AV Avira (antivir): TR/Crypt.Xpack.270060
AV Twister: Trojan.Generic.wkaj
AV Ad-Aware: Gen:Variant.Graftor.226757
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Farfli.OY
AV Grisoft (avg): BackDoor.Generic_r.LDG
AV Symantec: no_virus
AV Fortinet: W32/Farfli.OY!tr
AV BitDefender: Gen:Variant.Graftor.226757
AV K7: Riskware ( 0040eff71 )
AV Microsoft Security Essentials: Backdoor:Win32/Zegost.AD
AV MicroWorld (escan): Gen:Variant.Graftor.226757
AV MalwareBytes: Trojan.Agent
AV Authentium: W32/Trojan.QDZX-7795
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Farfli
AV Emsisoft: Gen:Variant.Graftor.226757
AV Zillya!: Trojan.Agent.Win32.559174
AV Kaspersky: Trojan.Win32.Agent.neslio
AV Trend Micro: no_virus
AV CAT (quickheal): Trojan.Agen.r6
AV VirusBlokAda (vba32): Trojan.Agent
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Graftor.226757
AV Arcabit (arcavir): Gen:Variant.Graftor.226757
AV CA (E-Trust Ino): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader15.7278
AV F-Secure: Gen:Variant.Graftor.226757

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Sysinternals\Junction\EulaAccepted ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\HideZoneInfoOnProperties ➝ 1
Creates File: C:\WINDOWS\svchost.exe
Creates File: C:\WINDOWS\junction\msdfma.txt
Creates File: C:\WINDOWS\junction.exe
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\junction.exe "C:\WINDOWS\junction" "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
Creates Process: C:\WINDOWS\junction.exe "C:\WINDOWS\junction" "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
Creates Mutex: DBWinMutex
Creates Mutex: 220.178.209.54

Process
↳ C:\WINDOWS\junction.exe "C:\WINDOWS\junction" "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"

Registry: HKEY_CURRENT_USER\Software\Sysinternals\Junction\EulaAccepted ➝ 1

Process
↳ C:\WINDOWS\junction.exe "C:\WINDOWS\junction" "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"

Registry: HKEY_CURRENT_USER\Software\Sysinternals\Junction\EulaAccepted ➝ 1
Creates File: C:\WINDOWS\junction

Network Details:

Flows TCP: 192.168.1.1:1031 ➝ 220.178.209.54:3352
Flows TCP: 192.168.1.1:1032 ➝ 220.178.209.54:3352
Flows TCP: 192.168.1.1:1033 ➝ 220.178.209.54:3352
Flows TCP: 192.168.1.1:1034 ➝ 220.178.209.54:3352
Flows TCP: 192.168.1.1:1035 ➝ 220.178.209.54:3352
Flows TCP: 192.168.1.1:1036 ➝ 220.178.209.54:3352

Raw Pcap
0x00000000 (00000)   59                                    Y
0x00000000 (00000)   59                                    Y
0x00000000 (00000)   59                                    Y
0x00000000 (00000)   59                                    Y
0x00000000 (00000)   59                                    Y
0x00000000 (00000)   59                                    Y

Strings