Analysis Date: 2014-01-17 13:57:35
MD5: aaf6e51ed5d72e485d4531e1a5a70665
SHA1: 36d89104aef71893132ad445e607f1f596f8d616

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .code md5: 6e3e4887f043cbca57d442a29584102b sha1: d1dfcd6fe55d3cce01b62cdbcf15498ccc4f71e9 size: 10240
Section .text md5: 6f987b9c67fdd5638c3fd561ab1dfae3 sha1: e1008cdb8394fb886c3e9ed1f628c9a7d3c0b81b size: 15872
Section .rdata md5: 30c17c14cded9f873fa9b0a35a2180e4 sha1: b97e164d10cc0bc895c8328abe722871c30d609f size: 512
Section .data md5: 6670db95e46ed401490b73ca2ff9cd7d sha1: 9bbc040bcdebe6791325b18f5ccd9c360cbdba99 size: 3072
Section .rsrc md5: afd6571ba5c64ca1654f7bf4c056d177 sha1: f9d6283dd29ce81d39d84c201c6f38ba8203e282 size: 15872
Timestamp: 1982-09-01 21:59:30
Version: FileVersion: 3.9
ProductName: ykujzeffee
ProductVersion: 3.9
CompanyName: ftgrfdggzrg
PEhash: cd24d5a0ff2604fdc25ec2cb79b37728d66646f3
AV avg: Crypt_s.FGI
AV avira: TR/Dropper.A.19446

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝
C:\Documents and Settings\All Users\Local Settings\Temp\mseudx.exe\\x00
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\mseudx.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\36D891~1.EXE
Creates Mutex: 3227095050

Network Details:

DNS: update.microsoft.com.nsatc.net
Type: A
157.56.77.156
DNS: mkjjkez-sy.ru
Type: A
144.76.144.27
DNS: www.update.microsoft.com
Type: A
HTTP POST: http://mkjjkez-sy.ru/andro/image.php
User-Agent: Mozilla/4.0
Flows TCP: 192.168.1.1:1031 ➝ 157.56.77.156:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1033 ➝ 144.76.144.27:80

Raw Pcap
0x00000000 (00000)   504f5354 202f616e 64726f2f 696d6167   POST /andro/imag
0x00000010 (00016)   652e7068 70204854 54502f31 2e310d0a   e.php HTTP/1.1..
0x00000020 (00032)   486f7374 3a206d6b 6a6a6b65 7a2d7379   Host: mkjjkez-sy
0x00000030 (00048)   2e72750d 0a557365 722d4167 656e743a   .ru..User-Agent:
0x00000040 (00064)   204d6f7a 696c6c61 2f342e30 0d0a436f    Mozilla/4.0..Co
0x00000050 (00080)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x00000060 (00096)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x00000070 (00112)   726d2d75 726c656e 636f6465 640d0a43   rm-urlencoded..C
0x00000080 (00128)   6f6e7465 6e742d4c 656e6774 683a2038   ontent-Length: 8
0x00000090 (00144)   380d0a43 6f6e6e65 6374696f 6e3a2063   8..Connection: c
0x000000a0 (00160)   6c6f7365 0d0a0d0a 66484741 54384133   lose....fHGAT8A3
0x000000b0 (00176)   2b6a6e65 6e435231 31717275 416a375a   +jnenCR11qruAj7Z
0x000000c0 (00192)   524c7843 4f316137 38324877 79535748   RLxCO1a782HwySWH
0x000000d0 (00208)   6f584e36 2b556648 57743635 586a6341   oXN6+UfHWt65XjcA
0x000000e0 (00224)   7662446e 50776b78 4a386772 6f41536c   vbDnPwkxJ8groASl
0x000000f0 (00240)   4e675365 7048365a 46582b6b 6b766761   NgSepH6ZFX+kkvga
0x00000100 (00256)                                         


Strings
100704b0
CompanyName
FileVersion
ftgrfdggzrg
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
ykujzeffee
                   
 "!!!!!!           
;\$$|)
222A^^^Fmmm
24879879879mm
2QUM|GcZ|
3***Xaaa
4875522189754
487552218975459849598444944875522189754xzt
4-d))$
)6k = 
\$8+\$
*-9AqQkI
9]M,lW
aaa9lll
ADQf`V
AlphaBlend
AppendMenuA
^^^:bbbbvvv
BitBlt
_CIatan
_CIatan2
_CItanh
CloseHandle
closesocket
CoInitialize
COMCTL32.DLL
connect
CoUninitialize
CreateBitmap
CreateCompatibleDC
CreateDIBSection
CreateFileA
CreateMenu
@.data
DDRAW.DLL
de.f&Zik
DeleteCriticalSection
DeleteDC
DeleteObject
DestroyAcceleratorTable
DestroyIcon
DestroyMenu
DestroyWindow
DirectDrawCreateEx
DllGetVersion
;\$Dux
D$ VPSj
~~~dvvv=
dy>4875522189754666666666666
EnterCriticalSection
Eo}Fhi
ExitProcess
fclose
FillRect
+fPw/fP1+vf/8fGnpg==
FreeLibrary
g7+SpqumuJCurbHd9J6upLyvqKY=
GDI32.DLL
GetDIBits
gethostbyname
GetModuleHandleA
GetObjectA
GetObjectType
getpeername
GetProcAddress
GetProcessAffinityMask
GetStockObject
GetVersionExA
GetWindow
""">ggg
GGGYnnn
gmtime
G#'Q%r\*k
h60rVOZ
ha6muIerpKmk
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
:***hlll
|h"q)C
Hv9OQc
inet_addr
InitCommonControlsEx
InitializeCriticalSection
?InitOnceExecuteOnce
ioctlsocket
iq6zhamjvaqijq/+94Oqqq2H
iq6zjq+rrZWusqM=
iq6znK61raeji6n85qizsw==
iqeoqqeriaqrp6U=
iqeoqqerjrSirQ==
IsAppThemed
J\4rKi|
jqeou6OBoaqi
jqeou6OPqaijpKM=
jqqrpJGupqKov5bg/a6K
jrmiqbKijq+rrYc=
jrmiqbKimLSoq6Ph4Yw=
\$\K;\$(
Kernel32.dll
KERNEL32.dll
___kHHHD
:::?KKK
KKKXmmm
LeaveCriticalSection
LoadCursorA
LoadIconA
LoadLibraryA
LocalFileTimeToFileTime
,`L	Qc
"(((Lsss
m6K1vLOmpIerpKnx17U=
ma61pa+pqbKimLT98ai4tA==
malloc
mciSendCommandA
memcmp
memcpy
memmove
memset
mLiiuvX1
mrmuvKOXuqmkrbXh36imqLq/
msimg32.dll
MSVCRT.dll
n660vauinK61raf2
n66mrICupKM=
'nDWzD
nq6znK61raeji6n85qizsw==
o7+jpKo=
[OD$I{
ok"2d]s3r
OLE32.DLL
PB_DropAccept
PB_WindowID
{#Ppn)^
pq61pqOr+/Q=
QSVWh<
Rbi8V?
`.rdata
RemovePropA
RevokeDragDrop
*$$$ROOO
R,[PD=
SelectObject
SendMessageA
SetActiveWindow
SetEndOfFile
SetFilePointer
SetFileTime
SetMenu
SetPixel
socket
sprintf
sssAttt
strcat
strcpy
_stricmp
strlen
SystemTimeToFileTime
t+9.u/
`.text
!This program cannot be run in DOS MODE.
TlsAlloc
UnregisterClassA
USER32.DLL
?UUUUUU
uxtheme.dll
V:5Hr?
VF6{DD-a
WBTLQo
WideCharToMultiByte
WindowClass_%d
WINMM.DLL
wjxqpTL
wL}x*|
WriteFile
WSACleanup
WSAStartup
WSOCK32.DLL
WWW_WWW;
wwwwwwww
wwwwwwwwtww
wwwwwwwwuww
wwwwwwwwwwpwwp
x]_h08
x!K)		
_ysA(J"
YYYT```mggg
zj/wnC^
zrt/V9
Z'zHh+	
ZZZTkkk