Analysis Date: 2018-05-19 17:32:07
MD5: 8f6e9d213f2e8c617fe2177366ff1d9b
SHA1: 338f1d269e2c493fa188e1843fa79c203c222a4f

Static Details:

AV Vendor                          Detection
Arcabit (arcavir)                  Gen:Variant.Symmi.24828
Authentium                         W32/Gamarue.B.gen!Eldorado
Grisoft (avg)                      Generic_r.CPR
Avira (antivir)                    BDS/Androm.abfkiua
Alwil (avast)                      Error Scanning File
Ad-Aware                           Gen:Variant.Symmi.24828
BitDefender                        Gen:Variant.Symmi.24828
BullGuard                          Gen:Variant.Symmi.24828
ClamAV                             Error Scanning File
Dr. Web                            BackDoor.Andromeda.178
Emsisoft                           Gen:Variant.Symmi.24828
MicroWorld (escan)                 Gen:Variant.Symmi.24828
CA (E-Trust Ino)                   Error Scanning File
Fortinet                           W32/Wauchos.LB!tr
Frisk (f-prot)                     W32/Gamarue.B.gen!Eldorado
F-Secure                           Trojan-Downloader:W32/Wauchos.F
Ikarus                             Error Scanning File
K7                                 Trojan-Downloader ( 0040f5071 )
Kaspersky                          Error Scanning File
MalwareBytes                       Error Scanning File
Mcafee                             W32/Worm-FLC!8F6E9D213F2E
Microsoft Security Essentials      Worm:Win32/Gamarue.F
NANO                               Trojan.Win32.Androm.cjbbof
NANO                               Trojan.Win32.Androm.dpuavo
Eset (nod32)                       Win32/TrojanDownloader.Wauchos.L
Padvish                            Worm.Win32.Gamarue.F
CAT (quickheal)                    Worm.Gamarue.F4
Rising                             No Virus
360 Safe                           No Virus
SUPERAntiSpyware                   Trojan.Agent/Gen-Androm
Symantec                           Downloader.Dromedan
Trend Micro                        WORM_GAMARUE.SMV
Twister                            Backdoor.617AE862214004EF
VirusBlokAda (vba32)               SScope.Malware-Cryptor.Wauchos.2183
Windows Defender                   Worm:Win32/Gamarue.F
Zillya!                            Backdoor.Androm.Win32.1262

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\338f1d269e2c493fa188e1843fa79c203c222a4f.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\338f1d269e2c493fa188e1843fa79c203c222a4f.exe

Creates File: C:\Windows\SysWOW64\svchost.exe

Process
↳ C:\Windows\SysWOW64\svchost.exe

Creates Mutex
Creates Mutex: 3770066751
Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Users\Phil\AppData\Local\Temp\338f1d269e2c493fa188e1843fa79c203c222a4f.exe
Creates File: C:\ProgramData\Local Settings\Temp\ccuoikr.bat
Creates File: C:\Windows\SysWOW64\svchost.exe
Creates File: C:\ProgramData\Local Settings\Temp\ccuoikr.bat
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\42815 ➝
C:\PROGRA~3\LOCALS~1\Temp\ccuoikr.bat

Network Details:


Raw Pcap
0x00000000 (00000)   504f5354 202f7374 61746963 2e706870   POST /static.php
0x00000010 (00016)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000020 (00032)   206d6f72 70686564 2e72750d 0a557365    morphed.ru..Use
0x00000030 (00048)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000040 (00064)   2f342e30 0d0a436f 6e74656e 742d5479   /4.0..Content-Ty
0x00000050 (00080)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000060 (00096)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x00000070 (00112)   636f6465 640d0a43 6f6e7465 6e742d4c   coded..Content-L
0x00000080 (00128)   656e6774 683a2038 340d0a43 6f6e6e65   ength: 84..Conne
0x00000090 (00144)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x000000a0 (00160)   75707163 68433435 75315446 462b4a6d   upqchC45u1TFF+Jm
0x000000b0 (00176)   6e594b47 4977694c 7258387a 554e3638   nYKGIwiLrX8zUN68
0x000000c0 (00192)   54337971 76685175 32547165 74513738   T3yqvhQu2TqetQ78
0x000000d0 (00208)   726f7937 5136626f 54664455 74594966   roy7Q6boTfDUtYIf
0x000000e0 (00224)   745a3333 4e686b45 4b416f67 396d5933   tZ33NhkEKAog9mY3
0x000000f0 (00240)   71773d3d                              qw==


Strings