Analysis Date: 2015-03-23 16:38:53
MD5: 73dbbaf316a9c4571865f18dbc047c58
SHA1: 809565c4b2ea3adfabb7f9e665b8be3a79182223

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: c5c11121f4553c7363c2e66de2a235bc sha1: cf6c127971779c754c5fa503ac2a25d9b6fd3ea1 size: 4096
Section .rdata md5: b66aa727eec4ad370967b22bccafa46c sha1: 464f95475b82f4ede9f2ebe20e7cda86ac0f72c0 size: 512
Section .data md5: 2dc90d3949002ec4c5abbf5005deb5ab sha1: 9f2c6e2037d2144196c109ff509f97493263acfd size: 3584
Section .rsrc md5: 52e9f293b0f3ceb38a8276919e0db15c sha1: 9cf1515bf49f9f8c9d9d7a4217e40757f292ab56 size: 10752
Timestamp: 2014-01-08 15:19:02
PEhash: efe61ca12c33967d21548dc958e02913dd281c54
IMPhash: 7f6ca38551f552e03c882c782556cd58
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Zbot.IDA
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.Zbot.IDA
AV Authentium: W32/Trojan.CFMF-8948
AV Avira (antivir): TR/ATRAPS.A.1486
AV BullGuard: Trojan.Zbot.IDA
AV CA (E-Trust Ino): Win32/Upatre.LLeBZDB
AV CAT (quickheal): TrojanPWS.Zbot.Gen
AV ClamAV: Win.Trojan.Zbot-33959
AV Dr. Web: Trojan.DownLoader11.13248
AV Emsisoft: Trojan.Zbot.IDA
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Fortinet: W32/Krptik.AIW!tr
AV Frisk (f-prot): W32/Trojan3.HBI
AV F-Secure: Trojan.Zbot.IDA
AV Grisoft (avg): Generic_r.DKA
AV Ikarus: Trojan-Spy.Zbot
AV K7: Trojan ( 0001140e1 )
AV Kaspersky 2015: Trojan.Win32.Generic
AV MalwareBytes: Trojan.EmailFakeDoc
AV Mcafee: Generic-FAOB!73DBBAF316A9
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.A
AV MicroWorld (escan): Trojan.Zbot.IDA
AV Rising: no_virus
AV Sophos: Mal/Zbot-OP
AV Symantec: Trojan.Zbot
AV Trend Micro: TROJ_UPATRE.JW
AV VirusBlokAda (vba32): Trojan.Bublik

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\woodtoy.exe
Creates File: PIPE\wkssvc
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\woodtoy.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\woodtoy.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: intracawood.co.id
Winsock DNS: warungjambu.com

Network Details:

DNS: intracawood.co.id (Type: A) ➝ 75.98.233.9
DNS: warungjambu.com (Type: A) ➝ no answer recorded
Flows TCP: 192.168.1.1:1031 ➝ 75.98.233.9:443
Flows TCP: 192.168.1.1:1032 ➝ 75.98.233.9:443
Flows TCP: 192.168.1.1:1033 ➝ 75.98.233.9:443
Flows TCP: 192.168.1.1:1034 ➝ 75.98.233.9:443
Flows TCP: 192.168.1.1:1035 ➝ 75.98.233.9:443
Flows TCP: 192.168.1.1:1036 ➝ 75.98.233.9:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.


Strings
C:\025daf1118d10ef9aa74204bb98237e05533bc7b64e740f668bcb254788db80d
C:\_11OnG8u.exe
C:\35ad8cede96c21d61aa9d9855947428ae2dab3d2b3d05f46caa315f3b1747ffe
C:\4584d0bfe1c349ee77f695973b3129453756156bf56db27c3a5a788788417728
C:\5tI0zcFj.exe
C:\698eb68b1684072c28da215ed16e00a2c78e1325159e1de8d69d0ddac2fc18bb
C:\6e259705fa68987ce5ea6594fc34eeb91d60607abe09e016e439ca7149e58f3f
C:\a2a9390de009874d268dd11ea8262a7fb3061857e44c00801f13de6a667b2434
C:\bf32d3b0\b662ef49.exe
C:\Bm5q2HKw.exe
C:\d2ac88482b99f2546e199f1d1004a0131d87f4e9364481591779cd89def6c274
C:\d6c5404d7d5036270d0dace256ff58165a8f867d6633ffeefb0701236fe1716e
C:\dcb2ecdc5e0d44fee47d4c5fca065c15ae4fac5912b34869c3efbb9a7aa1f8a3
C:\e9987bf1f50eda797ae88687a0a11fcbb552610fe7a4b25e30c80fc6c44fd645
C:\edb240d82b99ffaeebb6d19a06eb1aa3e77eea025e407c752b135c95096f1179
c:\f4h1p8\5kal92.exe
C:\f862f94eba1e5c17c30105ca779ec515b3049ef22df32e9e6bdba353e5e32444
C:\QDsori_t.exe
C:\tB1JkhyD.exe
C:\TtyJIznS.exe
C:\YfnHXLeN.exe
C:\Yr64pUSu.exe
D3D8.dll
VERSION.dll
0"3)3}3
3A2U2H4|4t0x0;4&4
apHeileF
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADC
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
CharLowerBuffW
CharUpperBuffW
@.data
drntetQueG
eapHlloAfW
etCoenW
etOpUQ
ExitProcess
FilteetR
FitercmteWdl
foWntOSettpHrcto
GetCommandLineW
GetCurrentProcess
Ge[Temt
GetModuleHandleW
GetProcessAffinityMask
GetSystemInfo
Hanele
HtYpQut
jryOetiopW
KERNEL32.dll
llEeecuxeW
LoadLibraryW
Modtesoc
NELR2.d3
nnectW
nOptpernt
nteInetrE
PCurtentrireDW
quReetMGdulo
`.rdata
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
rletmeWah
    </security>
    <security>
SERUendS
!This program cannot be run in DOS mode.
;+tPriS
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
}uleNiP
USER32.dll
VnReeuesqW
WINIernt
yIerll