Analysis Date: 2015-05-06 23:46:31
MD5: 3fe1d8d53aad237981ef019dd1e72272
SHA1: 852a3dac83d5a8d3ddc912da33986412d80357e2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 208d42cddf3c0723929795bbe2feca1d sha1: ef74fefa33266e911c399d9e47e8f470429b034b size: 186368
Section .rdata: md5: ee53b3a8ebcd15e02e19453482e9f8a8 sha1: 1f00f0335cfe089598c047a47daf9c592b7109e0 size: 1536
Section .data: md5: 33da2a67f7f70c7e957b729808f7c265 sha1: 68af9674b01ac218590bb85f576346e6a7beb9d2 size: 69632
Section .strings: md5: 341bdeb1d66b5a836b69d371fa6f0531 sha1: ee556bdb46e561cadcb9b788067c6ef660b1fbfd size: 5120
Timestamp: 2005-11-15 19:35:37
PEhash: 9e63338f5c7be487aaeae8fe76e4d2555dcddfca
IMPhash: 85711f51cb95468e99ab5a3adea37679
AV Ad-Aware: Gen:Variant.Kazy.4018
AV Alwil (avast): MalOb-FN [Cryp]
AV Arcabit (arcavir): Gen:Variant.Kazy.4018
AV Authentium: W32/FakeAlert.JK.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BitDefender: Gen:Variant.Kazy.4018
AV BullGuard: Gen:Variant.Kazy.4018
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV CAT (quickheal): FraudTool.SpyPro
AV ClamAV: Win.Trojan.Fakeav-20767
AV Dr. Web: Trojan.Fakealert.19786
AV Emsisoft: Gen:Variant.Kazy.4018
AV Eset (nod32): Win32/Kryptik.IRF
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/FakeAlert.JK.gen!Eldorado
AV F-Secure: Trojan-Downloader:W32/Renos.GTC
AV Grisoft (avg): Crypt.AEKR
AV Ikarus: Trojan.Win32.FakeAV
AV K7: Trojan ( 001dfb721 )
AV Kaspersky: Trojan.Win32.FakeAV.wyi
AV MalwareBytes: Trojan.FakeAV.Gen
AV Mcafee: FakeAlert-SpyPro.gen.bb
AV Microsoft Security Essentials: Rogue:Win32/FakeSpypro
AV MicroWorld (escan): Gen:Variant.Kazy.4018
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: Mal/FakeAV-CZ
AV Symantec: Trojan.FakeAV!gen39
AV Trend Micro: TROJ_FAKEAV.SMID
AV Twister: Trojan.558BEC@140000#FF1.mg
AV VirusBlokAda (vba32): Trojan.FakeAV

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\phhmofki ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\dnytcxmeh\gjgsckhaffm.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings\JITDebug ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes ➝ .exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures ➝ no\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dnytcxmeh\gjgsckhaffm.exe
Creates File: PIPE\lsarpc
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dnytcxmeh\gjgsckhaffm.exe
Creates Mutex: Global\Miranda64

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\dnytcxmeh\gjgsckhaffm.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings\JITDebug ➝ NULL
Creates File: PIPE\lsarpc
Creates Mutex: Global\Miranda64

Network Details:



Strings