Analysis Date: 2015-11-02 10:02:12
MD5: ce1cd83aee5b85e7397847d898e64f6e
SHA1: 7f4f78e26a6bef0c7f12c0bd5dfdeffb68af5e9b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: d98e866a5a4c74fc02db23d045a57a99 sha1: 9ef48566e5e48488251401bec0f1b19f047b8110 size: 14336
Section .rdata: md5: eb764630c88f5c66e6cdc8479a64cc07 sha1: da87e9124d4b1b1328a1f2687d71c7ee6cfe3130 size: 1024
Section .data: md5: d3f904ae49c5913c40d3fbdb86b2cbb1 sha1: 6bb3203b1d09331144f947ee194f03a521a549ce size: 512
Section .rsrc: md5: ae625ab6f38afd0b176c498b33d6ace7 sha1: 09b0465ee36eea6d1289f735deb449cb395d4ae7 size: 34816
Timestamp: 2013-01-15 11:39:00
Version info:
  LegalCopyright: MSWYGanjqz
  InternalName: Done.exe
  FileVersion: 5.1.1.7 (Tue 01/15/2013)
  CompanyName: MrgiWelgtm
  PrivateBuild: BwuRbyZNCX
  ProductName: FFPLYDcfhR
  ProductVersion: 3.4.8.8
  FileDescription: iSWfyugVxG
  OriginalFilename: Done.exe
Packer: Borland Delphi 3.0 (???)
PEhash: eb78e71901d6fda1cf390eef0059906d0d36285b
IMPhash: 40656839aca8d3facdb9758e3cd30bda
AV Rising: no_virus
AV Mcafee: GenericR-DGN!CE1CD83AEE5B
AV Avira (antivir): TR/Graftor.65040
AV Twister: Trojan.90DC74D2BD0BC091
AV Ad-Aware: Gen:Variant.Gamarue.1
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Eset (nod32): Win32/Injector.ABKC
AV Grisoft (avg): Downloader.Generic13.AAFF
AV Symantec: Downloader
AV Fortinet: W32/Generic.AC.2476958
AV BitDefender: Gen:Variant.Gamarue.1
AV K7: Trojan ( 004ca18c1 )
AV Microsoft Security Essentials: TrojanDropper:Win32/Gamarue.F
AV MicroWorld (escan): Gen:Variant.Gamarue.1
AV MalwareBytes: no_virus
AV Authentium: W32/Andromeda.D.gen!Eldorado
AV Frisk (f-prot): W32/Andromeda.D.gen!Eldorado
AV Ikarus: Virus.Win32.CeeInject
AV Emsisoft: Gen:Variant.Gamarue.1
AV Zillya!: Downloader.Andromeda.Win32.2235
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_SPNR.35CC13
AV CAT (quickheal): Worm.Gamarue.IM4
AV VirusBlokAda (vba32): TrojanDownloader.Andromeda
AV Padvish: Dropper.Win32.Gamarue.F
AV BullGuard: Gen:Variant.Gamarue.1
AV Arcabit (arcavir): Gen:Variant.Gamarue.1
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Andromeda.22
AV F-Secure: Gen:Variant.Gamarue.1
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\srvsvc
Creates File: PIPE\lsarpc
Creates Process: C:\malware.exe
Creates Process: C:\malware.exe
Creates Mutex: DBWinMutex

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\malware.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝
  C:\Documents and Settings\All Users\Local Settings\Temp\msiqam.exe\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\msiqam.exe
Deletes File: C:\7F4F78~1.EXE
Creates Mutex: 3227095050
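
The runtime entries above show the persistence and clean-up sequence in one process: a Run value under Policies\Explorer\Run named only with a number (36874), pointing at a copy dropped into the All Users Temp directory (msiqam.exe) with a trailing NUL on the value data, followed by deletion of C:\7F4F78~1.EXE, an 8.3 short name whose prefix matches the sample's SHA1. The Python below is an added example, not part of the sandbox output, that checks registry autostart entries for exactly those traits. The entries it scans are constructed: the first is the one recorded in this report, the other two are invented benign entries (the VendorUpdater name and path are placeholders).

```python
"""Check Windows autostart registry entries for the traits recorded in this
report (added example, not sandbox output): a value under
Policies\\Explorer\\Run, a bare numeric value name, data pointing into a Temp
directory, and a trailing NUL on the data.  All entries below are constructed."""
import re
from typing import List, NamedTuple, Tuple

# Matches the ordinary Run/RunOnce keys and the Policies\Explorer\Run variant.
AUTOSTART_RE = re.compile(
    r"\\microsoft\\windows\\currentversion\\"
    r"(?P<flavour>(?:policies\\explorer\\)?run(?:once)?)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Temp directories as they appear on XP-era and current Windows layouts.
TEMP_RE = re.compile(r"\\(?:local settings\\temp|appdata\\local\\temp|temp)\\", re.IGNORECASE)


class Finding(NamedTuple):
    key: str
    data: str
    reasons: Tuple[str, ...]  # empty when nothing looks suspicious


def assess_run_entry(key: str, data: str) -> Finding:
    """Return the reasons an autostart entry looks suspicious; an empty tuple
    means either nothing suspicious or a key that is not an autostart location."""
    m = AUTOSTART_RE.search(key)
    if m is None:
        return Finding(key, data, ())
    reasons: List[str] = []
    if m.group("flavour").lower().startswith("policies"):
        reasons.append("value lives under Policies\\Explorer\\Run rather than the ordinary Run key")
    if m.group("name").isdigit():
        reasons.append("value name is a bare number")
    path = data
    # The report renders the trailing NUL as the escape \x00; a live registry
    # read would yield a real NUL byte, so both forms are handled.
    for nul in ("\\x00", "\x00"):
        if path.endswith(nul):
            reasons.append("value data ends with a NUL byte")
            path = path[: -len(nul)]
            break
    if TEMP_RE.search(path):
        reasons.append("executable is launched from a Temp directory")
    return Finding(key, data, tuple(reasons))


# Constructed sample entries: the first is the one recorded in this report,
# the other two are invented benign entries for contrast.
SAMPLE_ENTRIES = [
    (r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874",
     r"C:\Documents and Settings\All Users\Local Settings\Temp\msiqam.exe\x00"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     r"C:\Program Files\Vendor\updater.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop",
     r"C:\Users\Public\Desktop"),
]


def suspicious_entries(entries=SAMPLE_ENTRIES) -> List[Finding]:
    """Return only the findings that carry at least one reason."""
    return [f for f in (assess_run_entry(k, d) for k, d in entries) if f.reasons]


if __name__ == "__main__":
    for f in suspicious_entries():
        print(f.key)
        for r in f.reasons:
            print("  -", r)
```

Run against a real host, the same function can be fed the output of a registry export or a live enumeration of the Run, RunOnce and Policies\Explorer\Run keys under both HKLM and HKCU; the thresholds here are deliberately simple string checks, and a numeric value name alone is not proof of anything.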

Network Details:

DNS: www.update.microsoft.com.nsatc.net (A) ➝ 134.170.58.222
DNS: www.update.microsoft.com.nsatc.net (A) ➝ 65.55.50.190
DNS: xjpakmdcfuqe.in (A) ➝ 178.79.190.156
DNS: xjpakmdcfuqe.ru (A) ➝ 195.22.26.231
DNS: xjpakmdcfuqe.ru (A) ➝ 195.22.26.252
DNS: xjpakmdcfuqe.ru (A) ➝ 195.22.26.253
DNS: xjpakmdcfuqe.ru (A) ➝ 195.22.26.254
DNS: xjpakmdcfuqe.com (A) ➝ 72.5.65.113
DNS: xjpakmdcfuqe.com (A) ➝ 72.5.65.113
DNS: xjpakmdcfuqe.nl (A) ➝ 176.58.104.168
DNS: www.update.microsoft.com (A), no address recorded
DNS: xjpakmdcfuqe.biz (A), no address recorded
HTTP POST: http://31.200.244.37/l.php, User-Agent: Mozilla/4.0
HTTP POST: http://xjpakmdcfuqe.in/l.php, User-Agent: Mozilla/4.0
HTTP POST: http://xjpakmdcfuqe.ru/l.php, User-Agent: Mozilla/4.0
HTTP POST: http://xjpakmdcfuqe.com/l.php, User-Agent: Mozilla/4.0
HTTP POST: http://xjpakmdcfuqe.nl/l.php, User-Agent: Mozilla/4.0
Flow TCP: 192.168.1.1:1031 ➝ 134.170.58.222:80
Flow TCP: 192.168.1.1:1032 ➝ 31.200.244.37:80
Flow UDP: 192.168.1.1:1033 ➝ 8.8.4.4:53
Flow TCP: 192.168.1.1:1034 ➝ 178.79.190.156:80
Flow UDP: 192.168.1.1:1035 ➝ 8.8.4.4:53
Flow TCP: 192.168.1.1:1036 ➝ 195.22.26.231:80
Flow UDP: 192.168.1.1:1037 ➝ 8.8.4.4:53
Flow TCP: 192.168.1.1:1038 ➝ 72.5.65.113:80
Flow UDP: 192.168.1.1:1039 ➝ 8.8.4.4:53
Flow UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
Flow TCP: 192.168.1.1:1041 ➝ 176.58.104.168:80
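
The network section shows one label, xjpakmdcfuqe, queried under .in, .ru, .com, .nl and .biz, and an HTTP POST to /l.php on each resolved host and on the hard-coded address 31.200.244.37, every request carrying the bare User-Agent Mozilla/4.0 with no platform string. The lookups of www.update.microsoft.com come first, which is consistent with a connectivity check before contacting the controllers, although the report does not say so. The Python below is an added example, not part of the sandbox output, that runs that detection logic over proxy and DNS log lines. The log lines are constructed in a simple whitespace-separated format chosen for this example (real devices log differently, so the two parsers are placeholders to adapt), and the thresholds of three hosts and three TLDs are assumptions.

```python
"""Detection logic for the C2 pattern in this report (added example, not
sandbox output): one label queried under many TLDs, and POSTs to the same
path on each host plus a hard-coded IP with the bare User-Agent Mozilla/4.0.
The log lines below are constructed in a simple whitespace-separated format."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log: time client method url "user-agent" status.
# The first five lines mirror the report; the last two are benign filler.
PROXY_LOG = """\
2015-11-02T10:02:31 192.168.1.1 POST http://31.200.244.37/l.php "Mozilla/4.0" 200
2015-11-02T10:02:33 192.168.1.1 POST http://xjpakmdcfuqe.in/l.php "Mozilla/4.0" 200
2015-11-02T10:02:35 192.168.1.1 POST http://xjpakmdcfuqe.ru/l.php "Mozilla/4.0" 200
2015-11-02T10:02:37 192.168.1.1 POST http://xjpakmdcfuqe.com/l.php "Mozilla/4.0" 200
2015-11-02T10:02:39 192.168.1.1 POST http://xjpakmdcfuqe.nl/l.php "Mozilla/4.0" 200
2015-11-02T10:05:00 192.168.1.7 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0" 200
2015-11-02T10:05:02 192.168.1.7 POST http://www.example.com/login "Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0" 302
"""

# Constructed DNS log: time client qtype qname answer (answers for the
# benign names use the 192.0.2.0/24 documentation range).
DNS_LOG = """\
2015-11-02T10:02:30 192.168.1.1 A www.update.microsoft.com.nsatc.net 134.170.58.222
2015-11-02T10:02:32 192.168.1.1 A xjpakmdcfuqe.in 178.79.190.156
2015-11-02T10:02:34 192.168.1.1 A xjpakmdcfuqe.ru 195.22.26.231
2015-11-02T10:02:36 192.168.1.1 A xjpakmdcfuqe.com 72.5.65.113
2015-11-02T10:02:38 192.168.1.1 A xjpakmdcfuqe.nl 176.58.104.168
2015-11-02T10:02:40 192.168.1.1 A xjpakmdcfuqe.biz NXDOMAIN
2015-11-02T10:05:00 192.168.1.7 A www.example.com 192.0.2.10
2015-11-02T10:05:01 192.168.1.7 A www.example.net 192.0.2.11
"""

PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d+)$')
DNS_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Real browsers follow the product token with a parenthesised platform
# string; the sample sends "Mozilla/4.0" and nothing else.
BARE_UA_RE = re.compile(r"^Mozilla/\d\.\d$")


def parse_proxy_log(text):
    rows = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            ts, client, method, url, ua, status = m.groups()
            rows.append({"ts": ts, "client": client, "method": method,
                         "url": url, "ua": ua, "status": int(status)})
    return rows


def find_http_beacons(text, min_hosts=3):
    """Flag POSTs with a bare Mozilla/x.y User-Agent, POSTs straight to an
    IP address, and one path POSTed to several distinct hosts by one client."""
    findings = []
    path_hosts = defaultdict(set)  # (client, path) -> hosts posted to
    for r in parse_proxy_log(text):
        if r["method"] != "POST":
            continue
        u = urlsplit(r["url"])
        if BARE_UA_RE.match(r["ua"]):
            findings.append(("bare-ua-post", r["client"], r["url"]))
        if IPV4_RE.match(u.hostname or ""):
            findings.append(("post-to-ip", r["client"], r["url"]))
        path_hosts[(r["client"], u.path)].add(u.hostname)
    for (client, path), hosts in path_hosts.items():
        if len(hosts) >= min_hosts:
            findings.append(("same-path-many-hosts", client, f"{path} -> {len(hosts)} hosts"))
    return findings


def find_multi_tld_labels(text, min_tlds=3):
    """Return {"client:label": sorted TLDs} for second-level labels a client
    queried under at least min_tlds TLDs, the fallback pattern in the report.
    No public-suffix list is used, so names under co.uk-style registries are
    grouped by the registry label rather than the registrant's."""
    seen = defaultdict(set)  # (client, label) -> tlds
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        ts, client, qtype, qname, answer = m.groups()
        parts = qname.lower().rstrip(".").split(".")
        if qtype != "A" or len(parts) < 2:
            continue
        seen[(client, parts[-2])].add(parts[-1])
    return {f"{client}:{label}": sorted(tlds)
            for (client, label), tlds in seen.items() if len(tlds) >= min_tlds}


if __name__ == "__main__":
    for f in find_http_beacons(PROXY_LOG):
        print(*f)
    for key, tlds in find_multi_tld_labels(DNS_LOG).items():
        print(key, tlds)
```

NXDOMAIN answers count toward the TLD tally on purpose: the .biz lookup in this report returned nothing, but the attempt itself is part of the pattern. Each rule on its own produces false positives (scripted clients with short User-Agents, POSTs to internal services by IP); the combination of all four from one client within a short window is what is worth alerting on.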
