Analysis Date: 2015-05-07 04:55:08
MD5: 20de1571f12eef1cb5fbf30ea8d3c5ca
SHA1: 957150acc1a31b0435ff26cb36a835799a12d24e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 98f8a83ff42968a52a07b385d95dcbd1 sha1: 9bc2b72f4c1cb5e8165705c89c8afe687cc0130a size: 7168
Section .rdata: md5: 4bab86bd6aac59b0adf0d28f17689e49 sha1: cc48a1e029ae396aa9d5ab2f8f016f71eba23ca7 size: 512
Section .data: md5: b9750b0bb8ac29f348864ec51e12bfc8 sha1: 7f5a0ab99a7d95eedf2dc1443b2722999e107398 size: 512
Section .rsrc: md5: 10e0de40292282c5f07564c324a3338c sha1: 0f86247cf9715601384ca4987cba68bb86c77cd4 size: 24064
Timestamp: 2012-12-25 01:30:36
Version info:
LegalCopyright: Copyright Divine© 2012
InternalName: CheckSum Fixer
FileVersion: 1, 0, 0, 1
CompanyName: Divine
PrivateBuild:
LegalTrademarks: Divine©
Comments:
ProductName: Divine CRC CheckSum Fixer
SpecialBuild:
ProductVersion: 1, 0, 1, 1
FileDescription: CRC CheckSum Fixer
OriginalFilename: CheckSum Fixer.exe
PEhash: 50ee89bf2a7bf9e8cd97d8119f882575061890db
IMPhash: 95aa5f98dd84693544353d2012e4ccf7
AV Ad-Aware: Gen:Variant.Gamarue.1
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Gamarue.1
AV Authentium: W32/Andromeda.D.gen!Eldorado
AV Avira (antivir): Worm/Gamarue.I.483
AV BitDefender: Gen:Variant.Gamarue.1
AV BullGuard: Gen:Variant.Gamarue.1
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Andromeda.22
AV Emsisoft: Gen:Variant.Gamarue.1
AV Eset (nod32): Win32/Injector.AAPF
AV Fortinet: W32/Andromeda.FQR!tr.dldr
AV Frisk (f-prot): W32/Andromeda.D.gen!Eldorado
AV F-Secure: Gen:Variant.Gamarue.1
AV Grisoft (avg): Downloader.Generic13.WVW
AV Ikarus: Worm.Win32.Gamarue
AV K7: Trojan ( 004134401 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: no_virus
AV Mcafee: GenericR-CYV!20DE1571F12E
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV MicroWorld (escan): Gen:Variant.Gamarue.1
AV Padvish: Worm.Win32.Gamarue.I1
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV Twister: Trojan.0DED857F44B4C7F0
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Wauchos.2183

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: DBWinMutex

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\36874 ➝
C:\Documents and Settings\All Users\Local Settings\Temp\msnrfzm.com\\x00
Creates File: C:\Documents and Settings\All Users\Local Settings\Temp\msnrfzm.com
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\957150~1.EXE
Creates Mutex: 3227095050

Network Details:

DNS: www.update.microsoft.com.nsatc.net, Type: A ➝ 191.232.80.55
DNS: www.update.microsoft.com.nsatc.net, Type: A ➝ 134.170.58.222
DNS: xjpakmdcfuqe.in, Type: A ➝ 178.79.190.156
DNS: xjpakmdcfuqe.ru, Type: A ➝ 195.22.26.253
DNS: xjpakmdcfuqe.ru, Type: A ➝ 195.22.26.254
DNS: xjpakmdcfuqe.ru, Type: A ➝ 195.22.26.231
DNS: xjpakmdcfuqe.ru, Type: A ➝ 195.22.26.252
DNS: xjpakmdcfuqe.biz, Type: A ➝ 209.99.40.225
DNS: xjpakmdcfuqe.nl, Type: A ➝ 176.58.104.168
DNS: www.update.microsoft.com, Type: A
DNS: xjpakmdcfuqe.com, Type: A
HTTP POST: http://31.200.244.37/l.php (User-Agent: Mozilla/4.0)
HTTP POST: http://xjpakmdcfuqe.in/l.php (User-Agent: Mozilla/4.0)
HTTP POST: http://xjpakmdcfuqe.ru/l.php (User-Agent: Mozilla/4.0)
HTTP POST: http://xjpakmdcfuqe.biz/l.php (User-Agent: Mozilla/4.0)
HTTP POST: http://xjpakmdcfuqe.nl/l.php (User-Agent: Mozilla/4.0)
Flows TCP: 192.168.1.1:1031 ➝ 191.232.80.55:80
Flows TCP: 192.168.1.1:1032 ➝ 31.200.244.37:80
Flows UDP: 192.168.1.1:1033 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1034 ➝ 178.79.190.156:80
Flows UDP: 192.168.1.1:1035 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1036 ➝ 195.22.26.253:80
Flows UDP: 192.168.1.1:1037 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1038 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1039 ➝ 209.99.40.225:80
Flows UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1041 ➝ 176.58.104.168:80

Raw Pcap

Strings

040904b0
1, 0, 0, 1
1, 0, 1, 1
 2012
About
CheckSum Fixer
CheckSum Fixer.exe
Comments
CompanyName
Copyright Divine
CRC CheckSum Fixer
Divine
Divine 
Divine CRC CheckSum Fixer
Exit
FileDescription
FileVersion
Fix CheckSum
InternalName
jjjj
LegalCopyright
LegalTrademarks
MS Sans Serif
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
@.data
DialogBoxParamA
Divine CRC CheckSum Fixer
Divine CRC CheckSum Fixer v1.0
EndDialog
ExitProcess
FindResourceA
For more informations visit our website http://divineprotector.com
GetProcAddress
KERNEL32.dll
kPAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPAD
LoadLibraryA
LoadResource
MessageBoxA
`.rdata
SizeofResource
%s%s%s%s%s%s%s%s%s%s%s
!This program cannot be run in DOS mode.
USER32.dll
Welcome to Divine CRC CheckSum Fixer.