Analysis Date: 2016-01-28 10:45:52
MD5: df4aff24ae32ab7c9ad4756c69cbf7a5
SHA1: 3b1bc35ecadb377cfa6b0ba1063aeb9de98c8326

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .code md5: 82a9707e96ce2db008581e6b8b46f4d4 sha1: 52168e36596f478f20421259da0a9af20cbb26e8 size: 5632
Section .DATA md5: 5c85347a3a4dc6e6f94b0952c08a1670 sha1: af070283074f0822d90d26c4627324b73a15fa60 size: 6656
Section RSRC md5: 929215dee27be36035d65e961b2300f9 sha1: 36baec88b3f6d76f1fe2fd00536bd5c725046ce5 size: 31232
Section .r md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (both hashes are those of empty input, as expected for a zero-byte section)
Timestamp: 2014-04-23 07:37:18 (PE header compile time; it is written by the builder and is easily forged, so treat it as a hint rather than a fact)
AV Rising: No Virus
AV Mcafee: Upatre-FAAC!DF4AFF24AE32
AV Avira (antivir): TR/Crypt.EPACK.miod.1
AV Twister: TrojanDldr.Upatre.dik.wkid
AV Ad-Aware: Trojan.GenericKD.1949202
AV Alwil (avast): Kryptik-PAB [Trj]
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Grisoft (avg): Generic_s.DZA
AV Symantec: Trojan.Asprox.B
AV Fortinet: W32/Waski.F!tr
AV BitDefender: Trojan.GenericKD.1949202
AV K7: Trojan ( 004aff101 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.AK
AV MicroWorld (escan): Trojan.GenericKD.1949202
AV MalwareBytes: Trojan.Upatre
AV Authentium: W32/Trojan.RLAO-7427
AV Frisk (f-prot): W32/Trojan3.LTK
AV Ikarus: Trojan-Downloader.Win32.Upatre
AV Emsisoft: Trojan.GenericKD.1949202
AV Zillya!: Backdoor.CPEX.Win32.29943
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_UP.FF6B08CD
AV CAT (quickheal): TrojanDownloader.Upatre.AA3
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV BullGuard: Trojan.GenericKD.1949202
AV Arcabit (arcavir): Trojan.GenericKD.1949202
AV ClamAV: Win.Trojan.Upatre-5766
AV Dr. Web: Trojan.Upatre.112
AV F-Secure: Trojan-Downloader:W32/Upatre.J
AV CA (E-Trust Ino): Win32/Upatre.FS

Runtime Details:

Process
↳ C:\malware.exe

Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\vdigj.exe
Creates File PIPE\wkssvc
Creates Process "C:\Documents and Settings\Administrator\Local Settings\Temp\vdigj.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\vdigj.exe"

Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File PIPE\lsarpc
Creates File \Device\Afd\Endpoint
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex WininetConnectionMutex
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS adapob.medianewsonline.com
Winsock DNS 188.165.214.6
Winsock DNS kajaaninkalevalaiset.com

Network Details:

DNS adapob.medianewsonline.com
Type: A
127.0.0.1 (resolves to loopback; no flow to this name appears below)
DNS kajaaninkalevalaiset.com
Type: A (no answer recorded)
HTTP GET http://188.165.214.6:19904/2910us1/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: myupdate
HTTP GET http://188.165.214.6:19904/2910us1/COMPUTER-XXXXXX/1/0/0/
User-Agent: myupdate
Flows TCP 192.168.1.1:1031 ➝ 188.165.214.6:19904
Flows TCP 192.168.1.1:1031 ➝ 188.165.214.6:19904
Flows TCP 192.168.1.1:1032 ➝ 188.165.214.6:19904

Raw Pcap
0x00000000 (00000)   47455420 2f323931 30757331 2f434f4d   GET /2910us1/COM
0x00000010 (00016)   50555445 522d5858 58585858 2f302f35   PUTER-XXXXXX/0/5
0x00000020 (00032)   312d5350 332f302f 20485454 502f312e   1-SP3/0/ HTTP/1.
0x00000030 (00048)   310d0a55 7365722d 4167656e 743a206d   1..User-Agent: m
0x00000040 (00064)   79757064 6174650d 0a486f73 743a2031   yupdate..Host: 1
0x00000050 (00080)   38382e31 36352e32 31342e36 3a313939   88.165.214.6:199
0x00000060 (00096)   30340d0a 43616368 652d436f 6e74726f   04..Cache-Contro
0x00000070 (00112)   6c3a206e 6f2d6361 6368650d 0a0d0a     l: no-cache....

0x00000000 (00000)   47455420 2f323931 30757331 2f434f4d   GET /2910us1/COM
0x00000010 (00016)   50555445 522d5858 58585858 2f312f30   PUTER-XXXXXX/1/0
0x00000020 (00032)   2f302f20 48545450 2f312e31 0d0a5573   /0/ HTTP/1.1..Us
0x00000030 (00048)   65722d41 67656e74 3a206d79 75706461   er-Agent: myupda
0x00000040 (00064)   74650d0a 486f7374 3a203138 382e3136   te..Host: 188.16
0x00000050 (00080)   352e3231 342e363a 31393930 340d0a43   5.214.6:19904..C
0x00000060 (00096)   61636865 2d436f6e 74726f6c 3a206e6f   ache-Control: no
0x00000070 (00112)   2d636163 68650d0a 0d0a650d 0a0d0a     -cache....e....
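The two hex dumps above are the only check-in traffic the sample produced: a GET to a bare IP on a non-standard port, a fixed User-Agent of "myupdate", no Accept header, and a path whose segments carry a tag, the (sandbox-masked) hostname and a few status fields. As an added worked example, not part of this report or of any Upatre tooling, the Python below decodes the report's own dump lines back into raw bytes (checking the offset column as it goes), parses the HTTP request, splits the beacon path into its fields, and reports which of the indicators listed under Network Details a request matches. The dump text is copied from the report; the field labels in `checkin_fields` are analyst inference, and the `BEACON_PATH` regex and all helper names are assumptions of this example.

```python
"""Decode the report's raw pcap hex dumps into HTTP requests and match them
against the indicators listed under Network Details. Added worked example,
not code from the sandbox report or from any Upatre tooling."""
import re

# Constructed inline: the two "Raw Pcap" blocks copied verbatim from the report.
DUMP_1 = """\
0x00000000 (00000)   47455420 2f323931 30757331 2f434f4d   GET /2910us1/COM
0x00000010 (00016)   50555445 522d5858 58585858 2f302f35   PUTER-XXXXXX/0/5
0x00000020 (00032)   312d5350 332f302f 20485454 502f312e   1-SP3/0/ HTTP/1.
0x00000030 (00048)   310d0a55 7365722d 4167656e 743a206d   1..User-Agent: m
0x00000040 (00064)   79757064 6174650d 0a486f73 743a2031   yupdate..Host: 1
0x00000050 (00080)   38382e31 36352e32 31342e36 3a313939   88.165.214.6:199
0x00000060 (00096)   30340d0a 43616368 652d436f 6e74726f   04..Cache-Contro
0x00000070 (00112)   6c3a206e 6f2d6361 6368650d 0a0d0a     l: no-cache....
"""
DUMP_2 = """\
0x00000000 (00000)   47455420 2f323931 30757331 2f434f4d   GET /2910us1/COM
0x00000010 (00016)   50555445 522d5858 58585858 2f312f30   PUTER-XXXXXX/1/0
0x00000020 (00032)   2f302f20 48545450 2f312e31 0d0a5573   /0/ HTTP/1.1..Us
0x00000030 (00048)   65722d41 67656e74 3a206d79 75706461   er-Agent: myupda
0x00000040 (00064)   74650d0a 486f7374 3a203138 382e3136   te..Host: 188.16
0x00000050 (00080)   352e3231 342e363a 31393930 340d0a43   5.214.6:19904..C
0x00000060 (00096)   61636865 2d436f6e 74726f6c 3a206e6f   ache-Control: no
0x00000070 (00112)   2d636163 68650d0a 0d0a650d 0a0d0a     -cache....e....
"""

# One dump line: hex offset, decimal offset in parentheses, hex groups, ASCII column.
_DUMP_LINE = re.compile(
    r"^0x[0-9a-fA-F]{8} \((?P<offset>\d+)\)\s+"
    r"(?P<hex>[0-9a-fA-F]+(?: [0-9a-fA-F]+)*)"
    r"(?:\s{2,}.*)?\s*$"
)

def decode_hex_dump(dump: str) -> bytes:
    """Return the wire bytes. The decimal offset column is checked against the
    bytes decoded so far, so a line lost or duplicated in extraction is reported."""
    out = bytearray()
    for lineno, line in enumerate(dump.splitlines(), 1):
        if not line.strip():
            continue
        m = _DUMP_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a hex-dump line: {line!r}")
        if int(m["offset"]) != len(out):
            raise ValueError(f"line {lineno}: offset {m['offset']}, "
                             f"but {len(out)} bytes decoded so far")
        out += bytes.fromhex(m["hex"].replace(" ", ""))
    return bytes(out)

def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser. Bytes after the header terminator are
    returned as 'trailing' (the second capture carries a few stray bytes)."""
    head, sep, trailing = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLFCRLF header terminator in capture")
    request_line, *header_lines = head.decode("ascii").split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "trailing": trailing}

def checkin_fields(target: str) -> list:
    """Slash-separated beacon fields, e.g. ['2910us1', 'COMPUTER-XXXXXX', '0',
    '51-SP3', '0']: a tag, the masked hostname, and status fields ('51-SP3' fits
    the XP SP3 / NT 5.1 sandbox the file paths indicate). Labels are inference."""
    return target.strip("/").split("/")

# Indicators taken directly from the report's Network Details.
C2_HOST = "188.165.214.6"
C2_PORT = "19904"
BEACON_UA = "myupdate"
# Path shape shared by both captured requests: /<tag>/<host>/<n>/<field>/<n>/
BEACON_PATH = re.compile(r"^/[0-9a-z]+/[^/]+/\d+/[^/]*/\d+/$")

def beacon_indicators(req: dict) -> list:
    """Return which of the report's indicators a parsed request matches."""
    hits = []
    headers = req["headers"]
    if headers.get("user-agent") == BEACON_UA:
        hits.append("user-agent")
    host, _, port = headers.get("host", "").partition(":")
    if host == C2_HOST:
        hits.append("host")
    if port == C2_PORT:
        hits.append("port")
    if req["method"] == "GET" and BEACON_PATH.match(req["target"]):
        hits.append("path")
    return hits

if __name__ == "__main__":
    for dump in (DUMP_1, DUMP_2):
        req = parse_http_request(decode_hex_dump(dump))
        print(req["target"], checkin_fields(req["target"]),
              beacon_indicators(req), req["trailing"])
```

Run stand-alone it prints, for each capture, the request path, its fields, the matched indicators and any trailing bytes (the second capture ends with five bytes after the request). For detection the User-Agent and the path shape are the parts worth keeping: the IP and port are the indicators most likely to change between campaigns, which is why `beacon_indicators` reports each one separately instead of returning a single yes/no.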


Strings