Analysis Date: 2015-12-24 12:28:58
MD5: 1f0077a58af2022bb2b8f237fb74a0c8
SHA1: 2d6f3b93ce31af57a9a220bce8b8c872a88070c0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 0aea262082eb1c6237682d42896164a9 sha1: 0236d6db1cf7080f2d786c0661c06400dbf7532b size: 55808
Section .rdata: md5: af13fdfe878a913d7eaef82269f17586 sha1: f3790792bb105b7f22acc5c8243b0c8e1a8d305b size: 512
Section .data: md5: dc6c10de1600dfa8516afc529fad9d47 sha1: 822a9e8c1867d9e0828bf0157d3899f502ac9b36 size: 4608
Section .rsrc: md5: 87614e48f8e1582dfa6bf736b6604d60 sha1: 1dab30aa11aca825021aa1cae855ea03eac18eb9 size: 16384
Timestamp: 2012-07-24 05:57:37
PEhash: bcd12e982c0ee03743ddde633a5714829b3dedba
IMPhash: 2d56c26d9fb9a17549786530cc6d5ce4
AV Arcabit (arcavir): Gen:Variant.Kazy.749702
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Twister: Trojan.Girtk.EAYW.zykk
AV CA (E-Trust Ino): no_virus
AV Grisoft (avg): Generic36.CGMH
AV Ad-Aware: Gen:Variant.Kazy.749702
AV MalwareBytes: Spyware.Shifu
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Sharik.wra
AV Dr. Web: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.189160
AV ClamAV: no_virus
AV F-Secure: Gen:Variant.Kazy.749702
AV CAT (quickheal): TrojanDownloader.Dofoil.r4
AV Ikarus: Trojan-Downloader.Win32.Upatre
AV Rising: 0x5924afcd
AV Symantec: Trojan.Smoaler
AV Zillya!: no_virus
AV BitDefender: Gen:Variant.Kazy.749702
AV K7: Trojan ( 004d44811 )
AV Eset (nod32): Win32/Kryptik.EAYW
AV BullGuard: Gen:Variant.Kazy.749702
AV VirusBlokAda (vba32): no_virus
AV Fortinet: W32/Kryptik.EFHE!tr
AV Frisk (f-prot): no_virus
AV Mcafee: Trojan-FHFZ!1F0077A58AF2
AV Emsisoft: Gen:Variant.Kazy.749702
AV Microsoft Security Essentials: TrojanDownloader:Win32/Dofoil.T
AV MicroWorld (escan): Gen:Variant.Kazy.749702
AV Authentium: W32/Trojan.HBHE-4911

Runtime Details:

Process:
  ↳ C:\malware.exe

Creates Process: svchost.exe

Process:
  ↳ svchost.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Classes ➝ C:\Documents and Settings\Administrator\Application Data\ggfgabfs\tafjjaar.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\ggfgabfs\tafjjaar.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\ggfgabfs
Creates File: \Device\Afd\Endpoint
Creates Mutex: 6656015B08787C10C821EC1AAE77ED41C059900A

Network Details:

DNS: a-0003.a-msedge.net
  Type: A
  204.79.197.203
DNS: e4578.b.akamaiedge.net
  Type: A
  104.70.73.171
DNS: e11290.dspg.akamaiedge.net
  Type: A
  23.196.127.104
DNS: www.msn.com
  Type: A
DNS: www.adobe.com
  Type: A
DNS: go.microsoft.com
  Type: A
DNS: sconetawses.com
  Type: A
HTTP GET: http://www.msn.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://www.adobe.com/support/main.html
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://go.microsoft.com/fwlink/?LinkId=45396
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://go.microsoft.com/fwlink/?LinkId=45396
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://www.adobe.com/support/main.html
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1033 ➝ 204.79.197.203:80
Flows TCP: 192.168.1.1:1034 ➝ 104.70.73.171:80
Flows TCP: 192.168.1.1:1035 ➝ 23.196.127.104:80
Flows TCP: 192.168.1.1:1036 ➝ 23.196.127.104:80
Flows TCP: 192.168.1.1:1038 ➝ 104.70.73.171:80
