Analysis Date: 2015-12-10 18:15:11
MD5: f875cd39c360fe120e4c48cc94b76ba4
SHA1: 3c088e75394862c5cea61cea6683c7f16412a89e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 8290b64a6767314e77837057e0224d6b sha1: 062b62f9ce5ca2911af22cb4b06a700cbf5c33f7 size: 49152
Section .data md5: f51f61f418b284e90d6558e42971589e sha1: 309c73c5dbaaf9f1c8fa1690d2fb6816a45bdd6b size: 20480
Section .rsrc md5: 65792d63a95b5f705774a71bc3276626 sha1: ec44ad7e439c39707ad01ca52b81e38e2afbae54 size: 4096
Timestamp: 2015-11-25 00:36:23
Version:
ProductVersion: 1.00
InternalName: gdfgdg
FileVersion: 1.00
OriginalFilename: gdfgdg.exe
ProductName: Derenkinoperkusos
Packer: Microsoft Visual Basic v5.0
PEhash: fe0bb23b5072f6b7d9f47cba5dee04ad0ea0d0f0
IMPhash: 98b7dd1892516ea6c09566efcc904143
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: RDN/Spybot.bfr
AV Avira (antivir): TR/Dropper.VB.42120
AV Twister: no_virus
AV Ad-Aware: Trojan.GenericKD.2897253
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Injector.COAE
AV Grisoft (avg): Inject3.QZK
AV Symantec: Trojan.Gen.2
AV Fortinet: W32/CNBG.SM5!tr
AV BitDefender: Trojan.GenericKD.2897253
AV K7: Trojan ( 004d7fd31 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue.I
AV MicroWorld (escan): Trojan.GenericKD.2897253
AV MalwareBytes: Worm.Gamarue
AV Authentium: W32/Trojan.KNIQ-2609
AV Frisk (f-prot): no_virus
AV Ikarus: no_virus
AV Emsisoft: Trojan.GenericKD.2897253
AV Zillya!: no_virus
AV Kaspersky: Backdoor.Win32.Androm.ithj
AV Trend Micro: TROJ_GE.9875DE16
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV BullGuard: Trojan.GenericKD.2897253
AV Arcabit (arcavir): Trojan.GenericKD.2897253
AV ClamAV: no_virus
AV Dr. Web: Trojan.PWS.Siggen1.44300
AV F-Secure: Trojan.GenericKD.2897253

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝
C:\Documents and Settings\All Users\Local Settings\Temp\mspoyw.com\\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\mspoyw.com
Creates File: \Device\Afd\Endpoint
Deletes File: C:\3C088E~1.EXE
Creates Mutex: 3227095050
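The runtime chain above (the sample starts wuauclt.exe, the wuauclt.exe process writes an autorun value under Policies\Explorer\Run that points at a file it dropped in the All Users Temp directory, and then deletes an executable) is the behaviour a host-side rule can key on. The Python below is an added example, not the sandbox's own code: it runs four checks over a constructed event list modelled on the Runtime Details section. The event schema and the set of parents treated as normal for wuauclt.exe are assumptions made for the example.

```python
"""Behavioural checks over sandbox-style events (added example).

The event dictionaries below are constructed to mirror the Runtime Details
section; the schema itself is an assumption, not the sandbox's export format.
"""
import re

# Constructed from the Runtime Details section above.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent": r"C:\malware.exe",
     "image": r"C:\WINDOWS\system32\wuauclt.exe"},
    {"type": "registry_set", "process": r"C:\WINDOWS\system32\wuauclt.exe",
     "key": r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion"
            r"\Policies\Explorer\Run\36874",
     # the sandbox dumped the value with its trailing NUL; kept to exercise normalisation
     "data": "C:\\Documents and Settings\\All Users\\Local Settings\\Temp\\mspoyw.com\x00"},
    {"type": "file_create", "process": r"C:\WINDOWS\system32\wuauclt.exe",
     "path": r"C:\Documents and Settings\All Users\Local Settings\Temp\mspoyw.com"},
    {"type": "file_delete", "process": r"C:\WINDOWS\system32\wuauclt.exe",
     "path": r"C:\3C088E~1.EXE"},
    {"type": "mutex_create", "process": r"C:\WINDOWS\system32\wuauclt.exe",
     "name": "3227095050"},
]

# Assumption for this example: the Windows Update client is normally started by
# the service host, so any other parent is suspicious.
LEGIT_WUAUCLT_PARENTS = {"svchost.exe"}
POLICY_RUN_RE = re.compile(r"\\policies\\explorer\\run\\", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
DROPPED_EXT = (".exe", ".com", ".scr", ".dll")


def norm_path(p: str) -> str:
    """Lower-case and strip the NUL terminator some registry dumps carry."""
    return p.rstrip("\x00").strip().lower()


def basename(p: str) -> str:
    return norm_path(p).rsplit("\\", 1)[-1]


def detect(events):
    """Return (rule_name, evidence) tuples for the behaviours seen above."""
    findings = []
    dropped = {norm_path(e["path"]) for e in events if e["type"] == "file_create"}
    for e in events:
        t = e["type"]
        if t == "process_create" and basename(e["image"]) == "wuauclt.exe" \
                and basename(e["parent"]) not in LEGIT_WUAUCLT_PARENTS:
            findings.append(("wuauclt_unexpected_parent", e["parent"]))
        elif t == "registry_set" and POLICY_RUN_RE.search(e["key"]):
            target = norm_path(e["data"])
            findings.append(("policy_run_persistence", e["key"]))
            # Correlate: the autorun entry points at a file this run dropped in Temp.
            if target in dropped and TEMP_DIR_RE.search(target) \
                    and target.endswith(DROPPED_EXT):
                findings.append(("autorun_points_to_dropped_temp_file", target))
        elif t == "file_delete" and basename(e["process"]) == "wuauclt.exe" \
                and norm_path(e["path"]).endswith(DROPPED_EXT):
            # The Windows Update client has no business deleting executables.
            findings.append(("wuauclt_deletes_executable", e["path"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The correlation rule is the one that carries weight: a single write under Policies\Explorer\Run is worth logging, but a write whose data names a file the same run just created under a Temp directory is the dropper pattern, and it survives the random value name (36874) and random file name (mspoyw.com) this sample uses.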

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.158
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.190
DNS: cwdrally.com
Type: A
199.246.2.103
DNS: www.update.microsoft.com
Type: A
HTTP POST: http://cwdrally.com/map/image.php
User-Agent: Mozilla/4.0
Flows TCP: 192.168.1.1:1031 ➝ 65.55.50.158:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1033 ➝ 199.246.2.103:80

Raw Pcap
0x00000000 (00000)   504f5354 202f6d61 702f696d 6167652e   POST /map/image.
0x00000010 (00016)   70687020 48545450 2f312e31 0d0a486f   php HTTP/1.1..Ho
0x00000020 (00032)   73743a20 63776472 616c6c79 2e636f6d   st: cwdrally.com
0x00000030 (00048)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000040 (00064)   7a696c6c 612f342e 300d0a43 6f6e7465   zilla/4.0..Conte
0x00000050 (00080)   6e742d54 7970653a 20617070 6c696361   nt-Type: applica
0x00000060 (00096)   74696f6e 2f782d77 77772d66 6f726d2d   tion/x-www-form-
0x00000070 (00112)   75726c65 6e636f64 65640d0a 436f6e74   urlencoded..Cont
0x00000080 (00128)   656e742d 4c656e67 74683a20 38300d0a   ent-Length: 80..
0x00000090 (00144)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x000000a0 (00160)   650d0a0d 0a664847 41543841 332b6a6e   e....fHGAT8A3+jn
0x000000b0 (00176)   656e4352 31317172 75416a37 5a512f67   enCR11qruAj7ZQ/g
0x000000c0 (00192)   59655669 3738472b 31786a48 4c716e52   YeVi78G+1xjHLqnR
0x000000d0 (00208)   7a384566 45546436 3445474e 512b2f4f   z8EfETd64EGNQ+/O
0x000000e0 (00224)   304e6774 2f663538 686f7776 68595547   0Ngt/f58howvhYUG
0x000000f0 (00240)   5870513d 3d                           XpQ==
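To turn the capture above into something a rule or a decoder can use, the hexdump first has to be rebuilt into bytes and the HTTP request split apart. The Python below is an added example, not the sandbox's own tooling: it re-parses the dump transcribed from the Raw Pcap section, checks that the offset column agrees with the bytes read, checks Content-Length against the body, and reports the fields a network rule would match on. It also shows what the body is: 80 bytes of base64 that decode to 58 bytes which are not printable text, sent under a form-urlencoded Content-Type that carries no form fields. What encoding sits under the base64 is not determined by this capture.

```python
"""Rebuild the POST from the hexdump and extract the fields a rule would match.

Added example, not the sandbox's own tooling. RAW_PCAP_DUMP is transcribed from
the Raw Pcap section above; everything else is parsing logic.
"""
import base64
import re

RAW_PCAP_DUMP = """\
0x00000000 (00000)   504f5354 202f6d61 702f696d 6167652e   POST /map/image.
0x00000010 (00016)   70687020 48545450 2f312e31 0d0a486f   php HTTP/1.1..Ho
0x00000020 (00032)   73743a20 63776472 616c6c79 2e636f6d   st: cwdrally.com
0x00000030 (00048)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000040 (00064)   7a696c6c 612f342e 300d0a43 6f6e7465   zilla/4.0..Conte
0x00000050 (00080)   6e742d54 7970653a 20617070 6c696361   nt-Type: applica
0x00000060 (00096)   74696f6e 2f782d77 77772d66 6f726d2d   tion/x-www-form-
0x00000070 (00112)   75726c65 6e636f64 65640d0a 436f6e74   urlencoded..Cont
0x00000080 (00128)   656e742d 4c656e67 74683a20 38300d0a   ent-Length: 80..
0x00000090 (00144)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x000000a0 (00160)   650d0a0d 0a664847 41543841 332b6a6e   e....fHGAT8A3+jn
0x000000b0 (00176)   656e4352 31317172 75416a37 5a512f67   enCR11qruAj7ZQ/g
0x000000c0 (00192)   59655669 3738472b 31786a48 4c716e52   YeVi78G+1xjHLqnR
0x000000d0 (00208)   7a384566 45546436 3445474e 512b2f4f   z8EfETd64EGNQ+/O
0x000000e0 (00224)   304e6774 2f663538 686f7776 68595547   0Ngt/f58howvhYUG
0x000000f0 (00240)   5870513d 3d                           XpQ==
"""

LINE_RE = re.compile(r"^0x([0-9a-f]{8}) \((\d+)\)\s+(.*)$")
HEX_GROUP_RE = re.compile(r"^(?:[0-9a-f]{2}){1,4}$")
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def parse_hexdump(dump: str) -> bytes:
    """Recover the bytes; the offset column must agree with what was read so far."""
    out = bytearray()
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if int(m.group(1), 16) != len(out) or int(m.group(2)) != len(out):
            raise ValueError(f"offset column disagrees with {len(out)} bytes read")
        chunk = bytearray()
        for tok in m.group(3).split():
            # Hex groups come first (at most 16 bytes per line); the first token
            # that is not a hex group is the start of the ASCII column.
            if len(chunk) >= 16 or not HEX_GROUP_RE.match(tok):
                break
            chunk += bytes.fromhex(tok)
        out += chunk
    return bytes(out)


def parse_http_request(raw: bytes) -> dict:
    """Split request line, headers and body, checking Content-Length."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    lines = head.decode("ascii").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", "-1"))
    if declared != len(body):
        raise ValueError(f"Content-Length {declared} but body is {len(body)} bytes")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def checkin_features(req: dict) -> dict:
    """Fields worth keying a network rule on, plus what the body actually is."""
    body = req["body"]
    ctype = req["headers"].get("content-type", "")
    is_b64 = len(body) % 4 == 0 and B64_RE.match(body) is not None
    decoded = base64.b64decode(body, validate=True) if is_b64 else b""
    return {
        "host": req["headers"].get("host"),
        "user_agent": req["headers"].get("user-agent"),
        "target": req["target"],
        "form_content_type": ctype == "application/x-www-form-urlencoded",
        "body_is_base64": is_b64,
        "decoded_len": len(decoded),
        # A real form body would be name=value pairs; a base64 blob that decodes
        # to non-text under a form Content-Type is a mismatch worth flagging.
        "decoded_is_text": bool(decoded) and all(32 <= b < 127 for b in decoded),
    }


if __name__ == "__main__":
    request = parse_http_request(parse_hexdump(RAW_PCAP_DUMP))
    for key, value in checkin_features(request).items():
        print(f"{key}: {value}")
```

The offset check matters when the dump is copied out of a report by hand: a dropped or duplicated line shifts every later offset and the parser stops at the first line that disagrees rather than silently producing a shorter request. The Content-Length check is the same idea at the HTTP layer; here the declared 80 matches the 80-byte body, so the capture is complete.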


Strings