Analysis Date: 2015-05-08 11:54:46
MD5: ce492cdc9633a154a309d8a0c552f3e4
SHA1: 84f697896bc22be3e72341919a910b43399411c8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5: 9c3cce290a50a651d807fbcfeece5281 sha1: 9a4f88aff03109b561c4d8201f8a211277279645 size: 61440
Section .sdata: md5: 0620071c11a24208dfe2bf7e516ead37 sha1: 14eca50ccc308fe465a4682ace49ff4af3107f0e size: 4096
Section .rsrc: md5: 1379d2b240f7cf42a1b23245a050b3b2 sha1: ec79bdaf6ec8dddf8e54cb3a2193b8138b7a59db size: 114688
Section .reloc: md5: 7c438c1a3c8e4fbdf6aeb5100b353bef sha1: 166d897c29ef4af0f86ac41bd0db9ae54968f426 size: 4096
Timestamp: 2015-02-03 15:15:19
Pdb path: C:\Users\ZORO1\AppData\Local\Temp\krakcvve.pdb
Version:
LegalCopyright:
Assembly Version: 0.0.0.0
InternalName: krakcvve.exe
FileVersion: 0.0.0.0
ProductVersion: 0.0.0.0
FileDescription:
OriginalFilename: krakcvve.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: d625d49640546b68edad23d6ca1fbd984c9e57ba
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV Ad-Aware: Gen:Variant.Kazy.65374
AV Alwil (avast): GenMalicious-BW [Trj]
AV Arcabit (arcavir): Gen:Variant.Kazy.65374
AV Authentium: W32/Trojan.MWAP-4574
AV Avira (antivir): TR/Dropper.Gen
AV BitDefender: Gen:Variant.Kazy.65374
AV BullGuard: Gen:Variant.Kazy.65374
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Generic.r4
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Kazy.65374
AV Eset (nod32): MSIL/Injector.BFM
AV Fortinet: MSIL/Injector.PE!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.65374
AV Grisoft (avg): ILCrypt
AV Ikarus: Win32.SuspectCrc
AV K7: Trojan ( 004302371 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Agent.Gen
AV Mcafee: RDN/Generic.tfr!eh
AV Microsoft Security Essentials: Backdoor:MSIL/Bladabindi
AV MicroWorld (escan): Gen:Variant.Kazy.65374
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV Twister: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe"
Creates Mutex: 5cd8f17f4086744065eb0992a09e05a2

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe"

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 ➝ "C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe" ..\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 ➝ "C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe" ..\\x00
Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝ 1\\x00
Creates File: PIPE\lsarpc
Creates Process: netsh firewall add allowedprogram "C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe" "Trojan.exe" ENABLE
Creates Process: dw20.exe -x -s 272
Creates Mutex: 5cd8f17f4086744065eb0992a09e05a2

Process
↳ dw20.exe -x -s 272

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1311D.dmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ netsh firewall add allowedprogram "C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe" "Trojan.exe" ENABLE

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\EnableFileTracing ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\Trojan.exe:*:Enabled:Trojan.exe\\x00
Creates File: PIPE\lsarpc

Network Details:


Raw Pcap

Strings