Analysis Date: 2014-04-23 13:01:29
MD5: 54e094d71a266449f273a6b9da958171
SHA1: 3ef2291a2f6f8cffb31a38379e37c6ce5b1ad17d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 413e32899e5febf04cdcc23d7a55a79a sha1: 5b99abc6b0e09e58edd2f00bf69c85f6fd6a5030 size: 3072
Section .rdata md5: a7be3435558b59beb7b7718274bc492c sha1: fbf37393370a349b904ac220dd1fe255e21bac98 size: 2048
Section .data md5: fd4514fd22489fa489055433a148e789 sha1: 7bdd2f210a3d706398c45abbff519f76811a0495 size: 512
Section .rsrc md5: e2d7776d2c8f78b0638cf755c3179384 sha1: 4e3de0da261d85e3a47d026f9b23b5462f67743e size: 2048
Section .reloc md5: 88c794ceab54bd3679127072ea7de5bd sha1: def674cbb5423b472abebb435141b0460d729cd1 size: 512
Section .text md5: d34676a96b66e7fe92bc3797bf693515 sha1: 6a5a9ac5d695d15af31491e02318f0dedb32e747 size: 154112
Timestamp: 2013-08-15 00:15:57
Pdb path: C:\build\source\realjboxstub\rel32\realjbox.pdb
Version: LegalCopyright: Copyright © RealNetworks, Inc. 2001-2013
InternalName: RealNetworks RealPlayer
FileVersion: 16.0.3.51
CompanyName: RealNetworks, Inc.
ProductName: RealNetworks RealPlayer
ProductVersion: 16.0.3.51
FileDescription: RealNetworks RealPlayer
OriginalFilename: realjbox.exe
PEhash: 4771b4f13b2d31b0d368bb84c08f664d126b5e55
IMPhash: d7a08b50a694844bbe37d4b58def74a6
AV mcafee: W32/Ramnit.a
AV avg: Win32/Zbot.G
AV avira: W32/Ramnit.C
AV msse: Virus:Win32/Ramnit.N
AV clamav: W32.Ramnit-1

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\3ef2291a2f6f8cffb31a38379e37c6ce5b1ad17dmgr.exe
Creates Process: C:\3ef2291a2f6f8cffb31a38379e37c6ce5b1ad17dmgr.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69C3E1D45}

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝ C:\WINDOWS\system32\userinit.exe,,C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: C:\3ef2291a2f6f8cffb31a38379e37c6ce5b1ad17dmgr.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe
Creates File: C:\Program Files\huettqja\px3.tmp
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\pbvjeqsq.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: C:\Program Files\Internet Explorer\dmlconf.dat
Deletes File: C:\Program Files\huettqja\px3.tmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {37FFF72F-FE56-017C-F492-53D696521D45}
Creates Mutex: {37FFEB21-FE56-017C-F492-53D695A61D45}

Process
↳ C:\3ef2291a2f6f8cffb31a38379e37c6ce5b1ad17dmgr.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp

Network Details:

DNS ytioghfdghvcfgbgvdf.com Type: A 109.74.196.143
DNS google.com Type: A 62.253.3.119
DNS google.com Type: A 62.253.3.114
DNS google.com Type: A 62.253.3.103
DNS google.com Type: A 62.253.3.118
DNS google.com Type: A 62.253.3.84
DNS google.com Type: A 62.253.3.109
DNS google.com Type: A 62.253.3.89
DNS google.com Type: A 62.253.3.123
DNS google.com Type: A 62.253.3.99
DNS google.com Type: A 62.253.3.98
DNS google.com Type: A 62.253.3.93
DNS google.com Type: A 62.253.3.113
DNS google.com Type: A 62.253.3.94
DNS google.com Type: A 62.253.3.88
DNS google.com Type: A 62.253.3.104
DNS google.com Type: A 62.253.3.108
DNS ytioghfdghvcfgbgvdf.com Type: A 109.74.196.143
DNS awrcaverybrstuktdybstr.com Type: A 109.74.196.143
Flows TCP 192.168.1.1:1034 ➝ 62.253.3.119:80
Flows TCP 192.168.1.1:1033 ➝ 109.74.196.143:443
Flows TCP 192.168.1.1:1035 ➝ 109.74.196.143:443
Flows TCP 192.168.1.1:1036 ➝ 109.74.196.143:443

Strings