Analysis Date: 2015-10-02 22:37:35
MD5: 6225f6544666a5e87fa7304e952d95e2
SHA1: 47152e8cfd8b9e0eefa8d18732da488917cc5911

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .textbss  md5: d41d8cd98f00b204e9800998ecf8427e  sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709  size: 0  (empty section: these are the digests of zero-length input)
Section .text  md5: 0482ac3c63c2f0aab388031fc21833b9  sha1: 8d56de3a6edbfea64b1bc8192f9bda845f53b974  size: 5632
Section .data  md5: 40aadc431537897ec3c13329ebc4ba9e  sha1: a2a6e1cdd0a7978365116df8fcd7fe6d6f2941f1  size: 162304
Section .idata  md5: 977112cb0a5a6afb0e1552cbc1dacee9  sha1: 3e9e7ad18bec2a630ef97ed178d1c04447a0a33c  size: 512
Section .rsrc  md5: e0a4ec790fdaaae0bd2e2e8ad45d7ca3  sha1: 015791396d5a7c45ab9b13aa48e7793793418713  size: 512
Timestamp (PE header): 2015-08-20 07:35:48
PEhash: 0d36a6ea366f253cce96ab7d774717229af2aa5e
IMPhash: 88595220f9298727caa4d01cf9e0fd15
AV CA (E-Trust Ino): no_virus
AV F-Secure: Packed:W32/PeCan.A
AV Dr. Web: Trojan.DnsAmp.3
AV ClamAV: no_virus
AV Arcabit (arcavir): GenPack:Generic.ServStart.12D3F3C6
AV BullGuard: GenPack:Generic.ServStart.12D3F3C6
AV Padvish: no_virus
AV VirusBlokAda (vba32): Rootkit.Lapka
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic:Rootkit.Win32.Lapka.an
AV Zillya!: no_virus
AV Emsisoft: GenPack:Generic.ServStart.12D3F3C6
AV Ikarus: Virus.Fat.Obfuscated
AV Frisk (f-prot): no_virus
AV Authentium: W32/Backdoor.ZCDM-4577
AV MalwareBytes: Malware.Packer
AV MicroWorld (escan): GenPack:Generic.ServStart.12D3F3C6
AV Microsoft Security Essentials: DDoS:Win32/Nitol.A
AV K7: Trojan ( 001e15121 )
AV BitDefender: GenPack:Generic.ServStart.12D3F3C6
AV Fortinet: W32/Farfli.FN!tr
AV Symantec: Trojan.Gen
AV Grisoft (avg): Fat-Obfuscated
AV Eset (nod32): Win32/ServStart.H worm
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: GenPack:Generic.ServStart.12D3F3C6
AV Twister: no_virus
AV Avira (antivir): TR/Dropper.Gen
AV Mcafee: BackDoor-EXZ
AV Rising: 0x5901e845

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lmnopq Stuvwxya Cde\Description ➝ Lmnopqrs Uvwxyabcd Fghijkl Nopqrstu Wxy
Creates File: C:\WINDOWS\awmiwy.exe
Creates Process: C:\WINDOWS\system32\cmd.exe /c del C:\47152E~1.EXE > nul  (deletes the original dropper; the 8.3 short name matches the sample's SHA1 prefix)
Creates Mutex: C:\malware.exe
Creates Service: Lmnopq Stuvwxya Cdefghij Lmno - C:\WINDOWS\awmiwy.exe

Process
↳ C:\WINDOWS\system32\cmd.exe /c del C:\47152E~1.EXE > nul

Creates File: nul
Deletes File: C:\malware.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1120

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1868

Process
↳ Pid 1140

Process
↳ C:\WINDOWS\awmiwy.exe

Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates Mutex: Lmnopq Stuvwxya Cde
Creates Mutex: C:\WINDOWS\awmiwy.exe

Network Details:

DNS: kkk.94wgb.com
Type: A
216.99.157.163
DNS: linyuner99.oicp.net
Type: A
103.44.145.243
DNS: linyuner99.oicp.net
Type: A
103.44.145.243
Flows TCP: 192.168.1.1:1032 ➝ 103.44.145.243:1995
Flows TCP: 192.168.1.1:1033 ➝ 216.99.157.163:2006
Flows TCP: 192.168.1.1:1034 ➝ 103.44.145.243:1995
Flows TCP: 192.168.1.1:1035 ➝ 216.99.157.163:2006
Flows TCP: 192.168.1.1:1036 ➝ 103.44.145.243:1995
Flows TCP: 192.168.1.1:1037 ➝ 216.99.157.163:2006
Flows TCP: 192.168.1.1:1038 ➝ 103.44.145.243:1995
Flows TCP: 192.168.1.1:1039 ➝ 216.99.157.163:2006
Flows TCP: 192.168.1.1:1040 ➝ 103.44.145.243:1995
Flows TCP: 192.168.1.1:1041 ➝ 216.99.157.163:2006
Flows TCP: 192.168.1.1:1042 ➝ 103.44.145.243:1995
Flows TCP: 192.168.1.1:1043 ➝ 216.99.157.163:2006
Flows TCP: 192.168.1.1:1044 ➝ 103.44.145.243:1995
Flows TCP: 192.168.1.1:1045 ➝ 216.99.157.163:2006
Flows TCP: 192.168.1.1:1046 ➝ 103.44.145.243:1995
Flows TCP: 192.168.1.1:1047 ➝ 216.99.157.163:2006
Flows TCP: 192.168.1.1:1048 ➝ 103.44.145.243:1995
Flows TCP: 192.168.1.1:1049 ➝ 216.99.157.163:2006
Flows TCP: 192.168.1.1:1050 ➝ 103.44.145.243:1995
Flows TCP: 192.168.1.1:1051 ➝ 216.99.157.163:2006
Flows TCP: 192.168.1.1:1052 ➝ 103.44.145.243:1995
Flows TCP: 192.168.1.1:1053 ➝ 216.99.157.163:2006
Flows TCP: 192.168.1.1:1054 ➝ 103.44.145.243:1995
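The flow list above shows the dropped service binary alternating between two destinations on non-standard ports, one connection per outbound source port. As an added example (not part of the sandbox report and not the sample's own code), the following Python parses entries in this report's layout into IOC categories, maps each contacted IP back to the domain that resolved to it, counts connections per destination socket, and flags the service installation and the cmd.exe self-delete. It accepts both the run-together "KeyValue" layout the sandbox emits and a "Key: Value" layout. The embedded text is a constructed excerpt of the entries above, and the function names are my own.

```python
import re
from collections import Counter

# Constructed excerpt of the report entries above, in the sandbox's own
# run-together "KeyValue" layout (a "Key: Value" layout is accepted too).
SAMPLE = r"""
Creates FileC:\WINDOWS\awmiwy.exe
Creates ProcessC:\WINDOWS\system32\cmd.exe /c del C:\47152E~1.EXE > nul
Creates MutexC:\malware.exe
Creates ServiceLmnopq Stuvwxya Cdefghij Lmno - C:\WINDOWS\awmiwy.exe
DNSkkk.94wgb.com
Type: A
216.99.157.163
DNSlinyuner99.oicp.net
Type: A
103.44.145.243
Flows TCP192.168.1.1:1032 ➝ 103.44.145.243:1995
Flows TCP192.168.1.1:1033 ➝ 216.99.157.163:2006
Flows TCP192.168.1.1:1034 ➝ 103.44.145.243:1995
Flows TCP192.168.1.1:1035 ➝ 216.99.157.163:2006
"""

KEYS = ("Creates File", "Creates Process", "Creates Mutex",
        "Creates Service", "Deletes File", "Registry")
FLOW_RE = re.compile(r"^Flows TCP:?\s*(\S+):(\d+)\s+\S+\s+(\S+):(\d+)$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_report(text):
    """Split the flattened sandbox lines into IOC categories."""
    report = {key: [] for key in KEYS}
    report["dns"] = {}     # domain -> list of A-record answers
    report["flows"] = []   # (src_ip, src_port, dst_ip, dst_port)
    pending = None         # domain still waiting for its answer line
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            src, sport, dst, dport = m.groups()
            report["flows"].append((src, int(sport), dst, int(dport)))
            continue
        if line.startswith("DNS"):
            pending = line[3:].lstrip(": ")
            report["dns"].setdefault(pending, [])
            continue
        if pending and IP_RE.match(line):
            report["dns"][pending].append(line)
            pending = None
            continue
        for key in KEYS:
            if line.startswith(key):
                report[key].append(line[len(key):].lstrip(": "))
                break
    return report


def beacon_summary(flows):
    """Connections per (dst_ip, dst_port): repeated short-lived sessions to
    the same socket are the beaconing signature to alert on."""
    return Counter((dst, dport) for _, _, dst, dport in flows)


def resolve_names(report):
    """Map each contacted IP back to the domain that resolved to it."""
    ip_to_name = {ip: name for name, ips in report["dns"].items() for ip in ips}
    return {dst: ip_to_name.get(dst, "<no DNS answer seen>")
            for _, _, dst, _ in report["flows"]}


def persistence_findings(report):
    """Flag the host-side behaviours worth a detection rule."""
    findings = []
    for svc in report["Creates Service"]:
        name, _, path = svc.rpartition(" - ")
        findings.append(f"service '{name}' runs {path}")
    for proc in report["Creates Process"]:
        if "cmd.exe /c del" in proc.lower():
            findings.append("self-delete via cmd.exe: " + proc)
    return findings


if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    names = resolve_names(parsed)
    for (dst, dport), n in beacon_summary(parsed["flows"]).items():
        print(f"{n} connections to {dst}:{dport} ({names[dst]})")
    for finding in persistence_findings(parsed):
        print(finding)
```

Run against the full flow list above, the summary gives 12 connections to 103.44.145.243:1995 (linyuner99.oicp.net) and 11 to 216.99.157.163:2006 (kkk.94wgb.com). The dynamic-DNS hostname and the fixed ports are the network indicators to block; the service name and the %WINDIR%\awmiwy.exe path are the host indicators.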

Raw Pcap
0x00000000 (00000)   b0                                    .
(identical one-byte payload dump, repeated once for each of the 23 TCP flows listed above)

Strings