Analysis Date: 2015-08-09 02:17:54
MD5: 775c040783855325f8153f3c51b8ed08
SHA1: 68d5ec4c965fcc279afc541632e3bcad4ef9afcd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .code: md5: 598f4a3ea9a77a58914b7ef518bf0a5d sha1: b68861b4137ae760ec8b99cdd47ba2c41c924a83 size: 27648
Section .import: md5: baff881cce48e1833593c7a35a4e450f sha1: 244ab55b9a8416a6b8ec51cea762e54035ad80a2 size: 512
Timestamp: 2013-04-13 20:04:05
PEhash: 4e2aca4971b31ee06325b810826f45cc3cf42c50
IMPhash: 89795a862e03b596fe1403dce4b6aea2
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Trojan.Heur.FU.biW@aeYiZOb
AV Dr. Web: BackDoor.Andromeda.178
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Trojan.Heur.FU.biW@aeYiZOb
AV BullGuard: Gen:Trojan.Heur.FU.biW@aeYiZOb
AV Padvish: no_virus
AV VirusBlokAda (vba32): Malware-Cryptor.Inject.gen.2
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Backdoor.Win32.Androm.czd
AV Zillya!: no_virus
AV Emsisoft: Gen:Trojan.Heur.FU.biW@aeYiZOb
AV Ikarus: Worm.Win32.Gamarue
AV Frisk (f-prot): no_virus
AV Authentium: W32/Trojan.OWPE-6566
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Trojan.Heur.FU.biW@aeYiZOb
AV Microsoft Security Essentials: Worm:Win32/Gamarue.I
AV K7: no_virus
AV BitDefender: Gen:Trojan.Heur.FU.biW@aeYiZOb
AV Fortinet: no_virus
AV Symantec: no_virus
AV Grisoft (avg): Win32/DH{eVAWgQWBB1SBBoEOgROBDwgACSAkImZrWw}
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.L
AV Alwil (avast): Crypt-BY [Trj]
AV Ad-Aware: Gen:Trojan.Heur.FU.biW@aeYiZOb
AV Twister: Suspicious.E800000000@2F.mg
AV Avira (antivir): TR/ATRAPS.Gen
AV Mcafee: no_virus
AV Rising: no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wupdmgr.exe

Process
↳ C:\WINDOWS\system32\wupdmgr.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝ C:\Documents and Settings\All Users\Local Settings\Temp\cclwxq.bat\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\cclwxq.bat
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 134.170.58.222
DNS: www.update.microsoft.com.nsatc.net (Type: A) ➝ 191.232.80.55
DNS: www.update.microsoft.com (Type: A)
DNS: restlesz.su (Type: A)
DNS: devicesta.ru (Type: A)
Flows TCP: 192.168.1.1:1031 ➝ 134.170.58.222:80
Flows UDP: 192.168.1.1:1032 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1033 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1034 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1035 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1036 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1037 ➝ 8.8.4.4:53

Raw Pcap

Strings
%allusersprofile%
%allusersprofile%\
cc%08X.dat
\Local Settings
n%lu
%s\cc%s.%s
sLoad
\system32\wupdmgr.exe
\syswow64\msiexec.exe
\Temp
u%allusersprofile%
aabcdeefghiijklmnoopqrstuuvwxyzaU
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
advapi32.dll
cc%08X.dat
CheckTokenMembership
CloseHandle
closesocket
connect
Connection: close
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
ConvertStringSecurityDescriptorToSecurityDescriptorA
ConvertStringSidToSidA
CreateDirectoryW
CreateFileW
CreateMutexA
CreateProcessW
CreateThread
D:(A;;KA;;;WD)
D:(A;;KRWD;;;WD)
DeleteFileW
dnsapi.dll
DnsExtractRecordsFromMessage_W
DnsQuery_A
DnsRecordListFree
DnsWriteQuestionToBuffer_W
ExitProcess
ExitThread
ExpandEnvironmentStringsW
FreeLibrary
GetEnvironmentVariableW
GetFileTime
gethostbyname
GetLastError
GetModuleFileNameW
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetShortPathNameW
GET /%s HTTP/1.0
getsockname
GetSystemDirectoryW
GetThreadContext
GetTickCount
GetVersionExA
GetVolumeInformationA
GetWindowsDirectoryW
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
Host: %s
http://devicesta.ru/gate02.php
http://restlesz.su/00044ldr.php
http://restlesz.su/00055ldr.php
http://restlesz.su/0011ldr.php
http://restlesz.su/0022ldr.php
http://restlesz.su/gate2.php
id:%lu|bid:%lu|bv:%lu|sv:%lu|pa:%lu|la:%lu|ar:%lu
id:%lu|tid:%lu|result:%lu
.import
inet_addr
kernel32.dll
KERNEL32.DLL
LoadLibraryA
LoadLibraryW
LocalFree
lstrcatA
lstrcatW
lstrcmpiW
lstrcpyA
lstrcpyW
lstrlenA
lstrlenW
MultiByteToWideChar
NtDelayExecution
ntdll.dll
NtQueryInformationProcess
POST /%s HTTP/1.1
ReadFile
recvfrom
RegCloseKey
RegCreateKeyExA
RegDeleteValueW
RegEnumValueW
RegOpenKeyExA
RegQueryValueExW
RegSetKeySecurity
RegSetValueExA
RegSetValueExW
ResumeThread
RtlRandom
S-1-5-32-544
sendto
SetCurrentDirectoryW
SetEnvironmentVariableW
SetErrorMode
SetFileAttributesW
SetFileTime
shutdown
socket
software\GoogleInc
software\microsoft\windows\currentversion\Policies\Explorer\Run
software\microsoft\windows nt\currentversion\windows
!This program cannot be run in DOS mode.
user32.dll
User-Agent: Mozi1la/4.0
VirtualAlloc
VirtualFree
WaitForSingleObject
WriteFile
ws2_32.dll
WSACreateEvent
WSAEventSelect
WSAStartup
wsprintfA
wsprintfW
www.update.microsoft.com
ZwClose
ZwCreateSection
ZwMapViewOfSection
ZwQueryInformationProcess
ZwResumeThread
ZwUnmapViewOfSection