Analysis Date: 2015-05-28 18:30:09
MD5: bdc69fd653f03de67ba0122c0c9f859d
SHA1: 6c18e65e1e3930c9cfc9b65680f735ee0e4bf8b3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1: md5: 336eb614e69a6cb7661699abc5499718 sha1: 875fd676532a3bb5217822a935ef50ec8cae9bb7 size: 21504
Section .rsrc: md5: e997ba6e11b11cd324e93a079284be5d sha1: 64b9af09bb1f70e1137bd1bf1037c627e08a44c9 size: 2560
Timestamp: 2014-07-06 18:22:51
Version info:
LegalCopyright: (c) 2000-2014 Martin Prikryl
InternalName: winscp
FileVersion: 5.5.3.4214
CompanyName: Martin Prikryl
ReleaseType: stable
WWW: http://winscp.net/
ProductName: WinSCP
ProductVersion: 5.5.3.0
FileDescription: WinSCP: SFTP, FTP and SCP client
OriginalFilename: winscp.exe
Packer: UPX -> www.upx.sourceforge.net
PEhash: 6fa98d17dbc21dd593e30f343c4e251faaebf51c
IMPhash: 06d92d662f64304b53228e40b8aadea8

Notes on the static data: UPX0 has a raw size of 0 (it is the section the UPX stub unpacks into at run time), so its md5/sha1 are simply the hashes of empty input. Because the file is UPX-packed, the IMPhash is computed over the packer's rebuilt import table (the KERNEL32 loader functions plus one function per DLL, as the strings below show: OpenServiceA, SHDeleteKeyA, ShellExecuteA, wsprintfA, GetIfTable), not over the payload's real imports; compare imphashes only after unpacking. The version resource is copied from the genuine WinSCP 5.5.3 release, but the packed sections total about 24 KB where the real client is far larger; treat the product metadata as spoofed rather than as evidence of origin.
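An added example, not from the original report and not WinSCP's or the sandbox's code, that performs by hand the checks the Static Details imply: it reads a PE section table, hashes each section's raw bytes, converts the COFF timestamp, and flags UPX-style sections. The image it parses is a minimal PE constructed in memory with this sample's section names and raw sizes (UPX0 0 bytes, UPX1 21504, .rsrc 2560) and the report's timestamp; the section contents are filler, so only the empty section's hashes coincide with the values above. To run it on a real file, replace the `build_sample_pe(...)` call with `open(path, "rb").read()`.

```python
"""Hand-rolled PE section-table triage (added example; not the report's tooling).
The image parsed below is constructed in memory to mirror this sample's section
layout; swap in open(path, "rb").read() for a real file."""
import hashlib
import struct
from datetime import datetime, timezone

# Section layout from the report: (name, SizeOfRawData). Contents are filler.
SAMPLE_SECTIONS = [("UPX0", 0), ("UPX1", 21504), (".rsrc", 2560)]
SAMPLE_TIMESTAMP = 1404670971  # 2014-07-06 18:22:51 UTC, the report's Timestamp

# Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe(sections, timestamp):
    """Construct a minimal PE32 image; only the fields parse_pe() reads matter."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 224  # PE32 optional header
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), timestamp, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)
    headers_len = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    raw_base = (headers_len + 0x1FF) & ~0x1FF  # FileAlignment 0x200
    table, payload = b"", b""
    for name, raw_size in sections:
        ptr = raw_base + len(payload) if raw_size else 0
        table += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"),
                             max(raw_size, 0x1000), 0x1000, raw_size, ptr,
                             0, 0, 0, 0, 0xE0000060)
        payload += bytes((i * 7 + len(name)) & 0xFF for i in range(raw_size))
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (raw_base - len(image)) + payload


def parse_pe(image):
    """Return (timestamp, [section dicts]) from the COFF header and section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _, nsec, timestamp, _, _, size_opt, _ = struct.unpack_from(COFF_FMT, image, e_lfanew + 4)
    sec_off = e_lfanew + 4 + 20 + size_opt
    sections = []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, image, sec_off + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size,
                         "md5": hashlib.md5(raw).hexdigest(),
                         "sha1": hashlib.sha1(raw).hexdigest()})
    return timestamp, sections


def triage_pe(image):
    """Compile time, per-section hashes, total raw bytes and packer findings."""
    timestamp, sections = parse_pe(image)
    findings = []
    upx = [s["name"] for s in sections if s["name"].startswith("UPX")]
    if upx:
        findings.append("UPX section names present: " + ", ".join(upx)
                        + " (imphash and strings describe the stub, not the payload)")
    for s in sections:
        if s["raw_size"] == 0:
            findings.append(f"{s['name']} has no raw data; md5 {s['md5']} is the hash of empty input")
    return {
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
        "raw_total": sum(s["raw_size"] for s in sections),
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage_pe(build_sample_pe(SAMPLE_SECTIONS, SAMPLE_TIMESTAMP))
    print(result["compile_time"], result["raw_total"], "bytes of section data")
    for s in result["sections"]:
        print(f"{s['name']:<8} size={s['raw_size']:<6} md5={s['md5']}")
    for f in result["findings"]:
        print("-", f)
```

The hand parser is deliberately minimal: it trusts `e_lfanew`, `SizeOfOptionalHeader` and each `PointerToRawData`, which is fine for triage but a hostile file can set them to overlapping or out-of-range values, so slice bounds should be checked before hashing if this is used on untrusted input at scale.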

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rstuvw Yabcdefg Ijk\Description ➝ Rstuvwxy Bcdefghij Lmnopqr Tuvwxyab Def
Creates File: C:\WINDOWS\mmqkie.exe
Creates Process: C:\WINDOWS\system32\cmd.exe /c del C:\6C18E6~1.EXE > nul
Creates Mutex: C:\malware.exe
Creates Service: Rstuvw Yabcdefg Ijklmnop Rstu - C:\WINDOWS\mmqkie.exe

The service name and description are runs of alphabetically consecutive letters ("Rstuvw Yabcdefg Ijk…"), a generated-name pattern that merits a detection rule of its own. The deletion target 6C18E6~1.EXE is the 8.3 short name of a file whose long name begins with the sample's SHA1 (6c18e65e…); the sandbox records the matching delete of C:\malware.exe under the cmd.exe process below.

Process
↳ C:\WINDOWS\system32\cmd.exe /c del C:\6C18E6~1.EXE > nul

Creates File: nul
Deletes File: C:\malware.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
(WMI repository and LSA pipe activity of the service host; routine start-up behaviour, not attributable to the sample on this evidence.)

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
(Print spooler start-up reads; not attributable to the sample on this evidence.)

Process
↳ Pid 1844

Process
↳ Pid 1108

Process
↳ C:\WINDOWS\mmqkie.exe

Creates File: PIPE\DAV RPC SERVICE
Creates File: C:\Program Files\Windows Media Player\lpk.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\lpk.dll
Creates File: C:\Program Files\Messenger\lpk.dll
Creates File: C:\Program Files\MSN Gaming Zone\Windows\lpk.dll
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\lpk.dll
Creates File: C:\Program Files\Windows NT\Accessories\lpk.dll
Creates File: C:\temp\files\lpk.dll
Creates File: mm33.dll
Creates File: C:\Program Files\Common Files\Microsoft Shared\Speech\lpk.dll
Creates File: PIPE\wkssvc
Creates File: C:\Program Files\Outlook Express\lpk.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll
Creates File: C:\temp\lpk.dll
Creates File: C:\Program Files\Internet Explorer\lpk.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\lpk.dll
Creates File: C:\RCX1.tmp
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\Windows NT\lpk.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\lpk.dll
Creates File: C:\Program Files\Internet Explorer\Connection Wizard\lpk.dll
Creates File: C:\Program Files\Movie Maker\lpk.dll
Creates File: C:\Program Files\Common Files\Microsoft Shared\MSInfo\lpk.dll
Creates File: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\d35c221f74db5d48b3aa3ad663400c85\lpk.dll
Creates File: C:\Program Files\Windows NT\Pinball\lpk.dll
Creates File: pipe\net\NtControlPipe10
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\lpk.dll
Creates File: C:\Program Files\Common Files\Microsoft Shared\DW\lpk.dll
Creates File: C:\Program Files\NetMeeting\lpk.dll
Deletes File: mm33.dll
Creates Mutex: Rstuvw Yabcdefg Ijk
Creates Mutex: DBWinMutex
Creates Mutex: C:\WINDOWS\mmqkie.exe

The 24 lpk.dll copies go into directories that already hold application executables, never into system32. lpk.dll is loaded by name (it is not a KnownDLL) when the GUI subsystem initialises in a process, and on an XP-era host like this one the application directory is searched before the system directory, so each of those programs loads the planted DLL the next time it starts; this is the well-known lpk.dll search-order hijack. mm33.dll exists only between its create and delete events (a staging file), \Device\Afd\Endpoint is the socket open that precedes the flows in Network Details, and DBWinMutex is the mutex OutputDebugString creates, not an indicator.
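An added example (not part of the original report or the sandbox's own code) of triage logic run over the runtime events above, written against the report's "Label: value" notation. The embedded sample lines are taken from the events of C:\malware.exe and C:\WINDOWS\mmqkie.exe, trimmed to a few lpk.dll drops; the rules flag the lpk.dll search-order hijack, the service persisting a binary dropped straight into the Windows directory, the cmd.exe self-delete, and the staging file that is written and removed, then pull out the durable host indicators.

```python
"""Triage rules over sandbox runtime events (added example; not the sandbox's code).
Input lines use the report's "Label: value" notation."""
import re

# Constructed from the report's events for C:\malware.exe and C:\WINDOWS\mmqkie.exe.
SAMPLE_EVENTS = r"""
Creates File: C:\WINDOWS\mmqkie.exe
Creates Process: C:\WINDOWS\system32\cmd.exe /c del C:\6C18E6~1.EXE > nul
Creates Mutex: C:\malware.exe
Creates Service: Rstuvw Yabcdefg Ijklmnop Rstu - C:\WINDOWS\mmqkie.exe
Creates File: C:\Program Files\Internet Explorer\lpk.dll
Creates File: C:\Program Files\Outlook Express\lpk.dll
Creates File: C:\Program Files\Common Files\Microsoft Shared\DW\lpk.dll
Creates File: C:\RCX1.tmp
Creates File: mm33.dll
Deletes File: mm33.dll
Creates Mutex: C:\WINDOWS\mmqkie.exe
"""

LINE_RE = re.compile(r"^(Creates File|Deletes File|Creates Process|Creates Mutex|Creates Service): (.+)$")
SELF_DELETE_RE = re.compile(r"cmd\.exe\s+/c\s+del\s+\S+\s*>\s*nul", re.I)
WINDIR_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)
SYSTEM_DIR_RE = re.compile(r"\\(system32|syswow64)\\", re.I)


def parse_events(text):
    """Return [(kind, value)] for every recognised event line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2)))
    return events


def triage(events):
    """Apply behaviour rules; each finding is one sentence a report could quote."""
    findings = []
    creates = [v for k, v in events if k == "Creates File"]
    deletes = {v for k, v in events if k == "Deletes File"}

    # Rule 1: lpk.dll placed beside application executables, not in the system directory.
    planted = [p for p in creates
               if p.lower().endswith("\\lpk.dll") and not SYSTEM_DIR_RE.search(p)]
    if planted:
        findings.append(f"lpk.dll written to {len(planted)} application directories outside "
                        "system32: DLL search-order hijack of the programs living there")

    for kind, value in events:
        # Rule 2: service whose image is an executable dropped straight into %WINDIR%.
        if kind == "Creates Service":
            name, sep, image = value.rpartition(" - ")
            if sep and WINDIR_EXE_RE.match(image):
                findings.append(f"service '{name}' persists {image}, an executable "
                                "dropped directly into the Windows directory")
        # Rule 3: the classic cmd.exe self-delete of the dropper.
        elif kind == "Creates Process" and SELF_DELETE_RE.search(value):
            findings.append(f"dropper self-deletion: {value}")

    # Rule 4: files that exist only during the run (staging/unpacking artifacts).
    for path in sorted(set(creates) & deletes):
        findings.append(f"transient artifact {path} written and then deleted")
    return findings


def host_iocs(events):
    """Durable host indicators worth sweeping for: dropped executables, service, mutexes."""
    return {
        "files": sorted({v for k, v in events if k == "Creates File"
                         and re.match(r"^[a-z]:\\", v, re.I) and v.lower().endswith(".exe")}),
        "services": [v.rpartition(" - ")[0] for k, v in events if k == "Creates Service"],
        "mutexes": [v for k, v in events if k == "Creates Mutex"],
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for finding in triage(evs):
        print("-", finding)
    print(host_iocs(evs))
```

Rule 1 is the one to keep generic: any DLL that the loader resolves by name and that is written next to an existing executable rather than into the system directory is the same pattern, so the `lpk.dll` literal is the place to substitute a list of known-hijackable names.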

Network Details:

DNS: yemo123.f3322.net
Type: A
115.208.53.63
DNS: linfeng.sytes.net
Type: A
Flows TCP: 192.168.1.1:1037 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1046 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1055 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1064 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1073 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1082 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1092 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1101 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1110 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1119 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1128 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1136 ➝ 115.208.53.63:2015

Both names are dynamic-DNS hosts (f3322.net is a Chinese DDNS provider in the 3322.org family, sytes.net belongs to No-IP), so the IP is expected to change: pivot and block on the hostnames and treat 115.208.53.63 as a time-bound indicator. linfeng.sytes.net returned no A record during this run; it is presumably the secondary C2 name. 192.168.1.1 is the sandbox guest. The twelve connections to 115.208.53.63:2015 come from steadily increasing ephemeral ports, i.e. a fresh socket per attempt, which is the pattern of a reconnect loop rather than one sustained session.

Raw Pcap
Each of the twelve flows above carried the same captured payload, a single byte (the dump is shown once here rather than twelve times):
0x00000000 (00000)   b0                                    .
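An added example, not from the original report, of two checks on the Network Details: dynamic-DNS classification of the looked-up names and detection of the reconnect loop to 115.208.53.63:2015. The input is the report's DNS and flow lines in "Label: value" form plus the one-byte payload from the pcap dumps; the suffixes beyond f3322.net and sytes.net are an assumption about sibling providers a hunter would also want to catch, and the `min_flows` threshold is a tuning choice, not a value from the report.

```python
"""Dynamic-DNS and reconnect-loop checks over sandbox network output
(added example; not the sandbox's code)."""
import re
from collections import defaultdict

# f3322.net and sytes.net are the suffixes seen in this report; the rest are
# well-known siblings and are an assumption about what else to flag.
DYNDNS_SUFFIXES = ("f3322.net", "3322.org", "sytes.net", "no-ip.org",
                   "hopto.org", "zapto.org", "ddns.net")

# Constructed from the report's Network Details, "Label: value" form.
SAMPLE_NETWORK = """\
DNS: yemo123.f3322.net
Type: A
115.208.53.63
DNS: linfeng.sytes.net
Type: A
Flows TCP: 192.168.1.1:1037 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1046 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1055 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1064 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1073 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1082 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1092 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1101 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1110 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1119 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1128 ➝ 115.208.53.63:2015
Flows TCP: 192.168.1.1:1136 ➝ 115.208.53.63:2015
"""
# Captured payload of each flow, one per flow, from the twelve pcap dumps.
SAMPLE_PAYLOADS = [bytes([0xB0])] * 12

DNS_RE = re.compile(r"^DNS: (\S+)$")
IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})$")
FLOW_RE = re.compile(r"^Flows TCP: (\S+):(\d+) (?:➝|->) (\S+):(\d+)$")


def parse_network(text):
    """Return ({name: resolved_ip_or_None}, [(src, sport, dst, dport), ...])."""
    lookups, flows, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if m := DNS_RE.match(line):
            current = m.group(1)
            lookups[current] = None
        elif (m := IP_RE.match(line)) and current:
            lookups[current] = m.group(1)  # answer record for the last DNS name
        elif m := FLOW_RE.match(line):
            src, sport, dst, dport = m.groups()
            flows.append((src, int(sport), dst, int(dport)))
    return lookups, flows


def dyndns_names(lookups):
    """Names under a dynamic-DNS suffix, with the IP they resolved to this run (or None)."""
    out = []
    for name, ip in lookups.items():
        for suffix in DYNDNS_SUFFIXES:
            if name == suffix or name.endswith("." + suffix):
                out.append((name, suffix, ip))
                break
    return out


def beacon_candidates(flows, payloads, min_flows=5):
    """Group flows by destination; flag destinations contacted at least min_flows
    times from rising ephemeral ports with one identical short payload, the
    shape of a client reconnecting in a loop and sending the same greeting."""
    by_dst = defaultdict(list)
    for (_, sport, dst, dport), payload in zip(flows, payloads):
        by_dst[(dst, dport)].append((sport, payload))
    hits = []
    for (dst, dport), conns in by_dst.items():
        if len(conns) < min_flows:
            continue
        sports = [s for s, _ in conns]
        distinct = {p for _, p in conns}
        rising = all(a < b for a, b in zip(sports, sports[1:]))
        if len(distinct) == 1 and len(next(iter(distinct))) <= 4 and rising:
            hits.append({"dst": f"{dst}:{dport}", "connections": len(conns),
                         "payload_hex": next(iter(distinct)).hex()})
    return hits


if __name__ == "__main__":
    lookups, flows = parse_network(SAMPLE_NETWORK)
    for name, suffix, ip in dyndns_names(lookups):
        print(f"dynamic DNS: {name} ({suffix}) -> {ip or 'did not resolve'}")
    for hit in beacon_candidates(flows, SAMPLE_PAYLOADS):
        print("reconnect loop:", hit)
```

The beacon rule keys on what the report actually gives (destination, rising source ports, identical tiny payload); with timestamps available, the inter-connection interval is the stronger signal and should be added to the grouping.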


Strings
.

040904E4
5.5.3.0
5.5.3.4214
(c) 2000-2014 Martin Prikryl
CompanyName
FileDescription
FileVersion
http://winscp.net/
InternalName
LegalCopyright
Martin Prikryl
OriginalFilename
ProductName
ProductVersion
ReleaseType
stable
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
winscp
WinSCP
winscp.exe
WinSCP: SFTP, FTP and SCP client
"0,0V0l0
01\2 S ($
;01i#345
0/5=5K5_5x
;0gg'Kc<=>>
 0@P\M
131J20
2%2/2T2g2w2
=2t=D=M=Z=w=~=
??2@YAP
3*p+$,o-
3S(V82[!
3T3^3h3r3
`4-2Q[z=
4d5tdDL
4Mtfm0B34M
4P@A0B'KwvC)D
4txHtn
5]+Imd
?.?5?V?i?
6@6J6Q6^6e6~6
6)707=7D7y7
67a?T9
:&:.:6:>:F:O:
?766 cP;v
7*858P8W8\8`8d8
`7d7h7
7davrs
7E7L7P7T7X7
9.9I9Q9Y9b9
<9h7(=
`9J9P9T9X9\9n
a''''bcde''''fghi
@ABCDEFGHIJKLMNOPQ
\:+	Ac
ADVAPI32.dll
AXI@Z(LG
BIREB3l
$ B= L T
bRich+
~\Ch-g
c`lQVYOu
C#M<qt@i
#C@yFileA
\d!dt%S
DebugS
dFFFFitCoFFFFntror
dkN|.7}~[6
DOS mode.
DVAPIkRegi
$e }~!
?E+@.,
eCntr4
e\Curr
EFlhLMKwrrNOPExQK
ellIni
ELpkDdY
ExitProcess
eYthCaY
f/3X0/
@*< FF
F:\g1fd.
fh|`$3
fpv'-w
Furlmf
fvxwpx
~'g7jk
g9Y8[&
g@b	g(
GDIWidM
?GetCe9Y
GetIfTable
GetProcAddress
GetTxvM
GetWindowsDirec=ry
#h4A(l
HHuQfV
hrGrsP
	.htm0
IcoOUS
iitPcA
ijutfh
iphlpapi.dll
iriteF
is-5.h
KERNEL32.DLL
k#/$n'(E
l6pqKr(s
lGetl7
|Libra
LlEZK[
	l+|.ms-"nl
LMux i686
LoadLibraryA
	:Lpk5
[LpkeY
LThis progra
lyozr){
m cannot be run i
MceCtrlHao
MmentVari
MSVCRT.dll
:'m%u/
!NET ^&&%$
nopqrstuvwxyz0123456789+/
ns;g0q
NWc#l:n
OCPECc
OpenServiceA
OW'g'KuXYa01
P0Z0a0n0u0
}pqt!mRC
R3d5tcJMS
rcu4$)
reDGzRS6
r$EDr$
rj(Z}X4~
RST\XYZabcdefghijklm
/sh1wa
SHDeleteKeyA
SHELL32.dll
ShellExecuteA
SHLWAPI.dll
Sh$tPathNamCcloses~
{srcrOP*
sUnl=oOp
t''23LG4Kwrv5
tConti
_Th+dI
!This program cannot be run in DOS mode.
TimL@*
TION\Sy
Tl4rcp
tonsWS2_32.dll
}tp:/,s:;/
t\Ser7
t_sp_n
twl?, */*
@%T	ye
<=<u<|<
UAE@XZ
U_-Ag=:
u[d<tP
updcoa;
USER32.dll
vCLW\P
Vge:X<}
VirtualAlloc
VirtualFree
VirtualProtect
vNoDfy
;Vr=3j
WS2_32.dll
wsprintfA
x7VJE]
X?]f'bb
XPTPSW
x-xbitp
$ Y= IV
YSTEMeY
zi^a/5f (X
ZIPHg95
ZPSMLT
@((Zxf