Analysis Date: 2016-04-26 20:44:00
MD5: b9fb03f9dff8711d92d647080981f084
SHA1: a4cfeb8f398a8fd68e81dc89ba014e28def96fa0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section code: md5: de3f4faa27f4f4f391be33bad815b13f sha1: 794af378113e7f8b33526fe0a2f62c50f5ca9e43 size: 7168
Section data: md5: ba8a13e55946b35da77b9a4a58e2d9a8 sha1: 605085241810d66b423646dc2f0bc6b4d374b8e9 size: 13824
Section .idata: md5: 798744f175bcc62970423d43e37d6062 sha1: a0d2d94d08bc7913db947bcebff349009fd4e0f7 size: 3072
Timestamp: 2014-01-07 14:50:21
PEhash: 8b819e10a70df75cd0fc24de6abc5203b5014193
IMPhash: 3e960be8eda70801665d22b1c143e813
AV vendor                        Detection
CA (E-Trust Ino)                 Gen:Trojan.Heur.bmX@X2O50Mg
F-Secure                         Gen:Trojan.Heur.bmX@X2O50Mg
Dr. Web                          Trojan.Siggen6.58591
ClamAV                           Win.Trojan.Agent-1365351
Arcabit (arcavir)                Gen:Trojan.Heur.bmX@X2O50Mg
BullGuard                        Gen:Trojan.Heur.bmX@X2O50Mg
VirusBlokAda (vba32)             No Virus
CAT (quickheal)                  No Virus
Trend Micro                      TROJ_SHYAPE.SMA
Kaspersky                        Trojan.Win32.Generic
Zillya!                          Trojan.Shyape.Win32.3
Emsisoft                         Gen:Trojan.Heur.bmX@X2O50Mg
Ikarus                           Trojan.Win32.Shyape
Frisk (f-prot)                   No Virus
Authentium                       W32/S-d8d35880!Eldorado
MalwareBytes                     Trojan.Sakurel
MicroWorld (escan)               Trojan.Generic.15581674
Microsoft Security Essentials    TrojanDropper:Win32/Derusbi!dha
K7                               Trojan ( 004b349e1 )
BitDefender                      Gen:Trojan.Heur.bmX@X2O50Mg
Fortinet                         W32/Shyape.J!tr
Symantec                         Trojan.Sakurel
Grisoft (avg)                    Win32/Heur
Eset (nod32)                     Win32/Shyape.J
Alwil (avast)                    Cleaman-K [Trj]
Ad-Aware                         Gen:Trojan.Heur.bmX@X2O50Mg
Twister                          No Virus
Avira (antivir)                  TR/Agent.28384.1
Mcafee                           BackDoor-FCLT!B9FB03F9DFF8
Rising                           0x59cf5009

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\MicroMedia\MediaCenter.exe
Creates Process: cmd.exe /c ping 127.0.0.1 & del "C:\malware.exe"
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\MicroMedia\MediaCenter.exe
Creates Process: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Documents and Settings\Administrator\Local Settings\Temp\MicroMedia\MediaCenter.exe"

Process
↳ reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Documents and Settings\Administrator\Local Settings\Temp\MicroMedia\MediaCenter.exe"

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MicroMedia ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\MicroMedia\MediaCenter.exe\\x00

Process
↳ cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Documents and Settings\Administrator\Local Settings\Temp\MicroMedia\MediaCenter.exe"

Creates Process: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "MicroMedia" /t REG_SZ /d "C:\Documents and Settings\Administrator\Local Settings\Temp\MicroMedia\MediaCenter.exe"

Process
↳ cmd.exe /c ping 127.0.0.1 & del "C:\malware.exe"

Creates Process: ping 127.0.0.1

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\MicroMedia\MediaCenter.exe

Process
↳ ping 127.0.0.1

Winsock DNS: 127.0.0.1

Network Details:


Strings