Analysis Date: 2015-10-04 20:34:28
MD5: c3c4c818769e2ea07e90bc22164c2022
SHA1: 9f32026828b889c92907cd18e5079ed0b779d57e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 290468ac5a88f34f959df4ddf4b2f56e sha1: 25bfda3fec9ad3cbf6b814c736a853ec9e3e8ab0 size: 25600
Section .rdata: md5: cb15431b8c8538503c0afcd97309f2e6 sha1: e94545ae9a42468887820b5fb35497b75a6dbf95 size: 126976
Section .data: md5: f2e1403193e490168d6b95c2960337cb sha1: 79e584ffdcbbef3f2214e23450187ff8411eda32 size: 3584
Timestamp: 2014-02-18 09:48:37
Packer: Microsoft Visual C++ ?.?
PEhash: 7d585d24e6ff78b4b60baa10b90aea7a9e2eab69
IMPhash: 44b8b693759315b204dbd6aba6e75c6b
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Win32.ExplorerHijack.jmW@a8BfBub
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Win32.ExplorerHijack.jmW@a8BfBub
AV BullGuard: Gen:Win32.ExplorerHijack.jmW@a8BfBub
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanAPT.PlugX.E4
AV Trend Micro: BKDR_PLUGX.EO
AV Kaspersky: Trojan-Dropper.Win32.Injector.njog
AV Zillya!: no_virus
AV Emsisoft: Gen:Win32.ExplorerHijack.jmW@a8BfBub
AV Ikarus: Trojan.Win32.Jorik
AV Frisk (f-prot): no_virus
AV Authentium: W32/Trojan.APZG-7020
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Win32.ExplorerHijack.jmW@a8BfBub
AV Microsoft Security Essentials: Backdoor:Win32/Plugx.H
AV K7: Riskware ( 0040eff71 )
AV BitDefender: Gen:Win32.ExplorerHijack.jmW@a8BfBub
AV Fortinet: W32/Plugx.AD!tr
AV Symantec: Trojan.Gen
AV Grisoft (avg): Agent4.BTYA
AV Eset (nod32): Win32/Korplug.BX
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Win32.ExplorerHijack.jmW@a8BfBub
AV Twister: Virus.56576A406800100000.mg
AV Avira (antivir): TR/Injector.157184.1
AV Mcafee: RDN/Generic BackDoor
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\All Users\DRM\XXX\.exe
Creates Process: C:\Documents and Settings\All Users\DRM\XXX\.exe
Creates Mutex: Global\onuteywax
Creates Mutex: DBWinMutex

Process
↳ C:\Documents and Settings\All Users\DRM\XXX\.exe

Creates File: C:\Documents and Settings\All Users\DEBUG.LOG
Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Mutex: Global\uecpg
Creates Mutex: Global\eklrhgdvaqrfzgugv
Creates Mutex: Global\ommdvtuqnjwvdfajh
Creates Mutex: Global\ufiggmvpeeiwv
Creates Mutex: Global\ssmuagced
Creates Mutex: Global\wucme
Creates Mutex: Global\aadodbpkgqnaj
Creates Mutex: Global\mschu
Creates Mutex: Global\onuteywax
Creates Mutex: Global\gxklm
Creates Mutex: Global\kcbgn
Creates Mutex: Global\gxkrqsnwbuyet
Creates Mutex: Global\inkxsdwqbtist
Creates Mutex: Global\uimnyxkbx
Creates Mutex: Global\ufkaq
Creates Mutex: Global\aelyqgtun
Creates Mutex: Global\mwmjwuuwpuvcczsph
Creates Mutex: Global\oibsb

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20151004193249.jpg
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20151004193243.jpg
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20151004193238.jpg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20151004193253.jpg
Creates File: C:\Documents and Settings\All Users\DRM\XXX\nprqyjadoqkp
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20151004193228.jpg
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\All Users\DRM\XXX-SCREEN\Administrator\20151004193233.jpg
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\000000010000000000000100
Creates Mutex: MMMM
Winsock DNS: 127.0.0.1

Network Details:

Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53
Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53
