Analysis Date: 2016-01-06 21:02:04
MD5: 7b4c5e10d275268a5a806d1f172fb7c0
SHA1: 2b750ef1e303054027c08c6ddc8d61cb44db7472

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 5c78aa65569c89ca565c2f4a29904d86 sha1: 034455a9efd095dfc544b3e5a8af9f184fa495f5 size: 36352
Section .rdata md5: 28765472af35777e4b617e176bab08b3 sha1: 2ee64f316bdc91357f5bbb414b6b32dfe5e9141d size: 4608
Section .data md5: 16a33b481ee6d8c26847f237fb3f9463 sha1: 4d21d883331c70f6ce6a80f76de49c413a7629ed size: 3584
Section .rsrc md5: cbdfb0b0fd27ae913941178a98cccb54 sha1: 18e2ad2242d84f7f334db88de1d8f6c5a3037bab size: 24064
Timestamp: 2013-10-10 05:06:28
Version:
LegalCopyright: Copyright (C) 2013 Tencent. All Rights Reserved
InternalName: QQProtectUpd.exe
FileVersion: 2.0.0.2
CompanyName: Tencent
ProductName: QQProtect Update
ProductVersion: 2.0.0.2
FileDescription: QQ安全防护更新进程
OriginalFilename: QQProtectUpd.exe
Packer: Microsoft Visual C++ v6.0
PEhash: dfbd5c15528ef66aa3c5624fded70aa40d5cd674
IMPhash: a000076feb2bc9dcb2ee4afe8f019f24
AV Ad-Aware: Gen:Variant.Graftor.121335
AV Dr. Web: Trojan.Disabler.97
AV Kaspersky: Trojan.Win32.Generic
AV Authentium: W32/Backdoor.YQAC-5434
AV Emsisoft: Gen:Variant.Graftor.121335
AV K7: Riskware ( 0040eff71 )
AV Trend Micro: no_virus
AV Eset (nod32): Win32/ServStart.FZ
AV Ikarus: Trojan-DDoS.AC
AV Alwil (avast): ServStart-B [Trj]
AV Fortinet: W32/Staser.SCK!tr
AV Grisoft (avg): DDoS.AC
AV Avira (antivir): DDoS/Nitol.B.1049
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Graftor.121335
AV Symantec: Backdoor.Trojan
AV VirusBlokAda (vba32): Trojan.Staser
AV BitDefender: Gen:Variant.Graftor.121335
AV Zillya!: Trojan.Staser.Win32.327
AV BullGuard: Gen:Variant.Graftor.121335
AV Rising: Backdoor.Overie!486D
AV MicroWorld (escan): Gen:Variant.Graftor.121335
AV CA (E-Trust Ino): no_virus
AV Microsoft Security Essentials: DDoS:Win32/Nitol.B
AV Arcabit (arcavir): Gen:Variant.Graftor.121335
AV CAT (quickheal): Error Scanning File
AV Mcafee: RDN/Generic BackDoor
AV Twister: Trojan.5FD085045DB969BC
AV ClamAV: no_virus
AV MalwareBytes: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Distribuete\Description ➝ Distributch Transaction Coordinator Service.
Creates File: C:\WINDOWS\system32\mmqcmg.exe
Creates Service: Distribufwn Transaction Coordinator Service - C:\WINDOWS\system32\mmqcmg.exe

Process
↳ Pid 804

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1128

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1160

Process
↳ C:\WINDOWS\system32\mmqcmg.exe

Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates Mutex: Distribuete

Network Details:

DNS: hdredirect-lb-399551664.us-east-1.elb.amazonaws.com
Type: A
54.209.90.81
DNS: hdredirect-lb-399551664.us-east-1.elb.amazonaws.com
Type: A
107.23.160.218
DNS: mmm.d9sd.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 54.209.90.81:1406
Flows TCP: 192.168.1.1:1032 ➝ 54.209.90.81:1406
Flows TCP: 192.168.1.1:1033 ➝ 54.209.90.81:1406
Flows TCP: 192.168.1.1:1034 ➝ 54.209.90.81:1406
Flows TCP: 192.168.1.1:1035 ➝ 54.209.90.81:1406
Flows TCP: 192.168.1.1:1036 ➝ 54.209.90.81:1406
Flows TCP: 192.168.1.1:1037 ➝ 54.209.90.81:1406
Flows TCP: 192.168.1.1:1038 ➝ 54.209.90.81:1406
Flows TCP: 192.168.1.1:1039 ➝ 54.209.90.81:1406
Flows TCP: 192.168.1.1:1040 ➝ 54.209.90.81:1406
Flows TCP: 192.168.1.1:1041 ➝ 54.209.90.81:1406
Flows TCP: 192.168.1.1:1042 ➝ 54.209.90.81:1406

Raw Pcap
0x00000000 (00000)   6401                                  d.

Strings