| Analysis Date | 2016-01-25 14:24:03 |
|---|---|
| MD5 | c47a93fb1c893adb19a4b45c7c876bba |
| SHA1 | 62008e536a2ef64a5c3931e3222382a0fa62cfe1 |
Static Details:
| File type | PE32 executable for MS Windows (GUI) Intel 80386 | |
|---|---|---|
| Section | .code md5: 82a9707e96ce2db008581e6b8b46f4d4 sha1: 52168e36596f478f20421259da0a9af20cbb26e8 size: 5632 | |
| Section | .DATA md5: 5c85347a3a4dc6e6f94b0952c08a1670 sha1: af070283074f0822d90d26c4627324b73a15fa60 size: 6656 | |
| Section | RSRC md5: 929215dee27be36035d65e961b2300f9 sha1: 36baec88b3f6d76f1fe2fd00536bd5c725046ce5 size: 31232 | |
| Section | .r md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 | |
| Timestamp | 2014-04-23 07:37:18 | |
| AV | CA (E-Trust Ino) | Win32/Upatre.FS |
| AV | Rising | No Virus |
| AV | Mcafee | Upatre-FAAC!C47A93FB1C89 |
| AV | Avira (antivir) | TR/Crypt.EPACK.miod.1 |
| AV | Twister | TrojanDldr.Upatre.dik.wkid |
| AV | Ad-Aware | Trojan.GenericKD.1949202 |
| AV | Alwil (avast) | Kryptik-PAB [Trj] |
| AV | Eset (nod32) | Win32/TrojanDownloader.Waski.A |
| AV | Grisoft (avg) | Generic_s.DZA |
| AV | Symantec | Trojan.Asprox.B |
| AV | Fortinet | W32/Waski.F!tr |
| AV | BitDefender | Trojan.GenericKD.1949202 |
| AV | K7 | Trojan ( 004aff101 ) |
| AV | Microsoft Security Essentials | TrojanDownloader:Win32/Upatre.AK |
| AV | MicroWorld (escan) | Trojan.GenericKD.1949202 |
| AV | MalwareBytes | Trojan.Upatre |
| AV | Authentium | W32/Trojan.RLAO-7427 |
| AV | Frisk (f-prot) | W32/Trojan3.LTK |
| AV | Ikarus | Trojan-Downloader.Win32.Upatre |
| AV | Emsisoft | Trojan.GenericKD.1949202 |
| AV | Zillya! | Backdoor.CPEX.Win32.29943 |
| AV | Kaspersky | Trojan.Win32.Generic |
| AV | Trend Micro | TROJ_UP.FF6B08CD |
| AV | CAT (quickheal) | TrojanDownloader.Upatre.AA3 |
| AV | VirusBlokAda (vba32) | TrojanDownloader.Upatre |
| AV | BullGuard | Trojan.GenericKD.1949202 |
| AV | Arcabit (arcavir) | Trojan.GenericKD.1949202 |
| AV | ClamAV | Win.Trojan.Upatre-5766 |
| AV | Dr. Web | Trojan.Upatre.112 |
| AV | F-Secure | Trojan-Downloader:W32/Upatre.J |
Runtime Details:
| Screenshot |  |
|---|
Process
↳ C:\malware.exe
| Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
|---|---|
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\vdigj.exe |
| Creates File | PIPE\wkssvc |
| Creates Process | "C:\Documents and Settings\Administrator\Local Settings\Temp\vdigj.exe" |
Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\vdigj.exe"
| Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
|---|---|
| Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
| Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
| Creates File | PIPE\lsarpc |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
| Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
| Creates Mutex | WininetConnectionMutex |
| Creates Mutex | c:!documents and settings!administrator!cookies! |
| Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
| Winsock DNS | adapob.medianewsonline.com |
| Winsock DNS | 188.165.214.6 |
| Winsock DNS | kajaaninkalevalaiset.com |
Network Details:
| DNS | adapob.medianewsonline.com Type: A 127.0.0.1 |
|---|---|
| DNS | kajaaninkalevalaiset.com Type: A |
| HTTP GET | http://188.165.214.6:19904/2910us1/COMPUTER-XXXXXX/0/51-SP3/0/ User-Agent: myupdate |
| HTTP GET | http://188.165.214.6:19904/2910us1/COMPUTER-XXXXXX/1/0/0/ User-Agent: myupdate |
| Flows TCP | 192.168.1.1:1031 ➝ 188.165.214.6:19904 |
| Flows TCP | 192.168.1.1:1031 ➝ 188.165.214.6:19904 |
| Flows TCP | 192.168.1.1:1032 ➝ 188.165.214.6:19904 |
Raw Pcap
0x00000000 (00000) 47455420 2f323931 30757331 2f434f4d GET /2910us1/COM 0x00000010 (00016) 50555445 522d5858 58585858 2f302f35 PUTER-XXXXXX/0/5 0x00000020 (00032) 312d5350 332f302f 20485454 502f312e 1-SP3/0/ HTTP/1. 0x00000030 (00048) 310d0a55 7365722d 4167656e 743a206d 1..User-Agent: m 0x00000040 (00064) 79757064 6174650d 0a486f73 743a2031 yupdate..Host: 1 0x00000050 (00080) 38382e31 36352e32 31342e36 3a313939 88.165.214.6:199 0x00000060 (00096) 30340d0a 43616368 652d436f 6e74726f 04..Cache-Contro 0x00000070 (00112) 6c3a206e 6f2d6361 6368650d 0a0d0a l: no-cache.... 0x00000000 (00000) 47455420 2f323931 30757331 2f434f4d GET /2910us1/COM 0x00000010 (00016) 50555445 522d5858 58585858 2f312f30 PUTER-XXXXXX/1/0 0x00000020 (00032) 2f302f20 48545450 2f312e31 0d0a5573 /0/ HTTP/1.1..Us 0x00000030 (00048) 65722d41 67656e74 3a206d79 75706461 er-Agent: myupda 0x00000040 (00064) 74650d0a 486f7374 3a203138 382e3136 te..Host: 188.16 0x00000050 (00080) 352e3231 342e363a 31393930 340d0a43 5.214.6:19904..C 0x00000060 (00096) 61636865 2d436f6e 74726f6c 3a206e6f ache-Control: no 0x00000070 (00112) 2d636163 68650d0a 0d0a650d 0a0d0a -cache....e....
Strings