Analysis Date: 2016-01-29 06:06:03
MD5: be136af3d34d40d3b142f492f5406d19
SHA1: 625bcc17f404bfba2013e362b8a74873b280d209

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .code: md5: 82a9707e96ce2db008581e6b8b46f4d4 sha1: 52168e36596f478f20421259da0a9af20cbb26e8 size: 5632
Section .DATA: md5: 5c85347a3a4dc6e6f94b0952c08a1670 sha1: af070283074f0822d90d26c4627324b73a15fa60 size: 6656
Section RSRC: md5: 929215dee27be36035d65e961b2300f9 sha1: 36baec88b3f6d76f1fe2fd00536bd5c725046ce5 size: 31232
Section .r: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 2014-04-23 07:37:18
AV CA (E-Trust Ino): Win32/Upatre.FS
AV Rising: No Virus
AV Mcafee: Upatre-FAAC!BE136AF3D34D
AV Avira (antivir): TR/Crypt.EPACK.miod.1
AV Twister: TrojanDldr.Upatre.dik.wkid
AV Ad-Aware: Trojan.GenericKD.1949202
AV Alwil (avast): Kryptik-PAB [Trj]
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Grisoft (avg): Generic_s.DZA
AV Symantec: Trojan.Asprox.B
AV Fortinet: W32/Waski.F!tr
AV BitDefender: Trojan.GenericKD.1949202
AV K7: Trojan ( 004aff101 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.AK
AV MicroWorld (escan): Trojan.GenericKD.1949202
AV MalwareBytes: Trojan.Upatre
AV Authentium: W32/Trojan.RLAO-7427
AV Emsisoft: Trojan.GenericKD.1949202
AV Frisk (f-prot): W32/Trojan3.LTK
AV Ikarus: Trojan-Downloader.Win32.Upatre
AV Zillya!: Backdoor.CPEX.Win32.29943
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_UP.FF6B08CD
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV CAT (quickheal): TrojanDownloader.Upatre.AA3
AV BullGuard: Trojan.GenericKD.1949202
AV Arcabit (arcavir): Trojan.GenericKD.1949202
AV ClamAV: Win.Trojan.Upatre-5766
AV Dr. Web: Trojan.Upatre.112
AV F-Secure: Trojan-Downloader:W32/Upatre.J

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\vdigj.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\vdigj.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\vdigj.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: adapob.medianewsonline.com
Winsock DNS: 188.165.214.6
Winsock DNS: kajaaninkalevalaiset.com

Network Details:

DNS: adapob.medianewsonline.com
Type: A
127.0.0.1
DNS: kajaaninkalevalaiset.com
Type: A
HTTP GET: http://188.165.214.6:19904/2910us1/COMPUTER-XXXXXX/0/51-SP3/0/
User-Agent: myupdate
HTTP GET: http://188.165.214.6:19904/2910us1/COMPUTER-XXXXXX/1/0/0/
User-Agent: myupdate
Flows TCP: 192.168.1.1:1031 ➝ 188.165.214.6:19904
Flows TCP: 192.168.1.1:1031 ➝ 188.165.214.6:19904
Flows TCP: 192.168.1.1:1032 ➝ 188.165.214.6:19904
