Analysis Date: 2014-08-19 20:19:48
MD5: a1eb0adc886c7fff98ec77dbae4e20fe
SHA1: 58781992baa6da7ae48339d8f68468b1b3304ed7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1: md5: 04f47e525309cda84826febf8e6d3b67 sha1: cab4849b3dc011eb6f33770a18b290a3d8c55a56 size: 54272
Section .rsrc: md5: 15b9731cd28305092765c256d288b2e3 sha1: c5dcaf4b5ece0961c0fe782f800b59ee8c01a286 size: 512
Timestamp: 1992-06-19 22:22:17
Packer: UPX -> www.upx.sourceforge.net
PEhash: 538e6844938894684ddd30eef5721cc8016436d4
IMPhash: 7195dd7b935f953d494e04ea5baddba6
AV (360 Safe): Gen:Variant.Symmi.6412
AV (Ad-Aware): Gen:Variant.Symmi.40401
AV (Alwil (avast)): Inject-AJW [Trj]
AV (Arcabit (arcavir)): no_virus
AV (Authentium): no_virus
AV (Avira (antivir)): DR/Delphi.Gen
AV (CA (E-Trust Ino)): no_virus
AV (CAT (quickheal)): no_virus
AV (ClamAV): no_virus
AV (Dr. Web): no_virus
AV (Emsisoft): Gen:Variant.Symmi.40401
AV (Eset (nod32)): Win32/Injector.BBMT
AV (Fortinet): W32/Injector.fam!tr
AV (Frisk (f-prot)): no_virus
AV (F-Secure): Gen:Variant.Symmi.40401
AV (Grisoft (avg)): Inject2.ARIC
AV (Ikarus): Trojan.Win32.Injector
AV (K7): no_virus
AV (Kaspersky): Backdoor.Win32.Mustela.ay
AV (MalwareBytes): no_virus
AV (Mcafee): RDN/Generic BackDoor!zl
AV (Microsoft Security Essentials): VirTool:Win32/DelfInject.gen!BI
AV (MicroWorld (escan)): Gen:Variant.Symmi.6412
AV (Norman): winpe/Troj_Generic.VJDWW
AV (Rising): no_virus
AV (Sophos): no_virus
AV (Symantec): Suspicious.MH690
AV (Trend Micro): no_virus
AV (VirusBlokAda (vba32)): no_virus
AV (Yara APT): no_virus
AV (Zillya!): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\update ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\gupdater.exe
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\update.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\gupdater.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\m.html
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\m.html
Creates Process: "C:\Program Files\Internet Explorer\iexplore.exe" "C:\malware.exe"
Creates Process: "C:\Program Files\Internet Explorer\iexplore.exe" "C:\malware.exe"

Process
↳ "C:\Program Files\Internet Explorer\iexplore.exe" "C:\malware.exe"

Process
↳ "C:\Program Files\Internet Explorer\iexplore.exe" "C:\malware.exe"

Network Details:


Strings
.
T
.
T0

])+&/=
0=-,3fe?
0#<7`<)
_ [-0?I
2WPz3k}\
_|_386
6&KW5%:a
6=ya4f
9l$\w_
9w*Ie(
~baJv^gY
BEhy,d?
BF" X0
bOe$g{d}
c2VsQU1
CharNextW
.)D$H)
D$t+D$\
D$t#D$h
)D!w1~
d"wb3'RQ
D<wn#>
$e!I"H
ejaIb]:uwD
eK2Z[2jM)
	EVFaOq
ExitProcess
f14Pd?~X
FFSh)D
+F}h<q(
"fjSY}
F|w$q&{
GE6%K"
GetProcAddress
G &[J~
GVC19p+
<h}&aY
;hg**{
hgj%A%
@h:m_]
H?n7d)
h*{T%=4
*i+'],
)^I9/y
'?\(IX
KERNEL32.DLL
	k~Jp[
>kvSMR62m
L}>]%J
LoadLibraryA
_`m*\d
.\mnD0&
MV"'~?
NPP1Cv
nr}YqN
o_"7"E
oleaut32.dll
OXvT'_
p=2FK^
+QfWd`
$qp?Z^
r 9;/<
:;r+}%D
shell32.dll
SHGetMalloc
s`)L$4
svWj?!
SysFreeString
:TAi> (o=
"=TEXM
This program must be run under Win32
t$t#t$l
.~'U~.
u2nvcrW
?)uQFF"
user32.dll
VirtualAlloc
VirtualFree
VirtualProtect
VYvXcrtG
W11=	x9
W?Hl4=
	W<mh[
X26<gX~
{xcv{#
.XEoKZ
XPTPSW
XR^V$:N
-xYg}F
YMv@e.
`)Y%Pv[~
>Y%U|*
yz]@B+X
z3.d8n$e
Z88D(r
~<z|_j