Analysis Date: 2015-12-24 08:44:13
MD5: 226915254c380b0b2588a67ec90a99f7
SHA1: 2e1a7760af1020a62604df8a852ab6fd31a45693

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4d45cea78f3ab9f4fead024bd33ce5a1 sha1: 4f574f1ea1198062053208332d2fbfd95fb1563d size: 59392
Section .rdata: md5: b6f626c36f35902475f8149097675376 sha1: 23de5ae8c94087d3d33b45310aba913eba34d067 size: 20992
Section .data: md5: e6d38ab08a9fe9cbad2d493ca324a0c0 sha1: 41675827a2fa71ab58afa301fe7a2dde3c720ca4 size: 15360
Section .rsrc: md5: c9903124f6672cbe53350b50befa903d sha1: 9058adc1386437f2026b3025ae0579b87ebc7251 size: 512
Section .text: md5: 67ab7afe9b79924535fd9c79b061ba87 sha1: cb3bd6c8a8d9373f76042c46b81d16f9959365a2 size: 111616
Timestamp: 2013-04-14 15:26:01
Pdb path: c:\winter\Set\Bottom\Up\value\wild\industry\Support\nearcare.pdb
Packer: Microsoft Visual C++ ?.?
PEhash: 78b2c9aa66be69f3985786817238fe5e4031db5d
IMPhash: b2498eed3c3aa5befc085379b8319a74
AV Ad-Aware: Trojan.Gamarue.AP
AV Grisoft (avg): Downloader.Generic13.APRF
AV CAT (quickheal): Worm.Gamarue.r5
AV Ikarus: Trojan-Downloader.Win32.Andromeda
AV Avira (antivir): BDS/Androm.EB.103
AV K7: Trojan-Downloader ( 0043f6bc1 )
AV ClamAV: Win.Trojan.Gamarue-35
AV Kaspersky: Trojan.Win32.Generic
AV Arcabit (arcavir): Trojan.Gamarue.AP
AV MalwareBytes: Trojan.Downloader
AV Dr. Web: BackDoor.Andromeda.178
AV Mcafee: PWSZbot-FDN!226915254C38
AV BitDefender: Trojan.Gamarue.AP
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV Emsisoft: Trojan.Gamarue.AP
AV MicroWorld (escan): Trojan.Gamarue.AP
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.L
AV Rising: Worm.Win32.Gamarue.x
AV BullGuard: Trojan.Gamarue.AP
AV Fortinet: W32/Kryptik.AYXG!tr
AV Symantec: Packed.Dromedan!gen21
AV Authentium: W32/Trojan.NETF-7216
AV Trend Micro: no_virus
AV Frisk (f-prot): W32/Trojan2.NWYN
AV Twister: Suspicious.2525@2FF0000@.mg
AV CA (E-Trust Ino): Win32/Gamarue.MKBZAUB
AV VirusBlokAda (vba32): BScope.Worm.Gamarue.2413
AV F-Secure: Trojan.Gamarue.AP
AV Zillya!: Downloader.Andromeda.Win32.2944

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝
C:\Documents and Settings\All Users\Local Settings\Temp\ccwuoki.bat\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\ccwuoki.bat
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 65.55.50.189
DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 65.55.50.157
DNS: hzmksreiuojy.in (Type: A) ➝ 195.22.28.198
DNS: hzmksreiuojy.in (Type: A) ➝ 195.22.28.199
DNS: hzmksreiuojy.in (Type: A) ➝ 195.22.28.196
DNS: hzmksreiuojy.in (Type: A) ➝ 195.22.28.197
DNS: hzmksreiuojy.ru (Type: A) ➝ 52.28.249.128
DNS: hzmksreiuojy.com (Type: A) ➝ 52.28.249.128
DNS: hzmksreiuojy.biz (Type: A) ➝ 52.28.249.128
DNS: hzmksreiuojy.nl (Type: A) ➝ 176.58.104.168
DNS: www.update.microsoft.com (Type: A)
HTTP POST: http://8.8.8.8/xxxxxxxxx.php (User-Agent: Mozilla/4.0)
HTTP POST: http://hzmksreiuojy.in/ldr.php (User-Agent: Mozilla/4.0)
HTTP POST: http://hzmksreiuojy.ru/ldr.php (User-Agent: Mozilla/4.0)
HTTP POST: http://hzmksreiuojy.com/ldr.php (User-Agent: Mozilla/4.0)
HTTP POST: http://hzmksreiuojy.biz/ldr.php (User-Agent: Mozilla/4.0)
HTTP POST: http://hzmksreiuojy.nl/ldr.php (User-Agent: Mozilla/4.0)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.50.189:80
Flows TCP: 192.168.1.1:1032 ➝ 8.8.8.8:80
Flows UDP: 192.168.1.1:1033 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1034 ➝ 195.22.28.198:80
Flows UDP: 192.168.1.1:1035 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1036 ➝ 52.28.249.128:80
Flows UDP: 192.168.1.1:1037 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1038 ➝ 52.28.249.128:80
Flows UDP: 192.168.1.1:1039 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1040 ➝ 52.28.249.128:80
Flows UDP: 192.168.1.1:1041 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1042 ➝ 176.58.104.168:80