Analysis Date: 2015-12-03 20:59:22
MD5: bae2dbd353ca54d6a885b620e93fb997
SHA1: aba04802745d6c0be02adad1261353e4f33d2ce5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: bb8bf837719f0c4088138fe74a9d55d2 sha1: 289b1958bd85caba4cc86010768c857d4decbbe2 size: 638976
Section .rdata  md5: 0c82fb1e9f5781f6a6439e9f99ba2a88 sha1: ece67ff0384aacd51f3181c24f8792ba5c4d3c78 size: 167936
Section .data  md5: b77fa553e3d34bd72c38890427428a1a sha1: c69d6b32bcba560061a6a2cceb3cadb01506448a size: 16384
Section .rsrc  md5: 583a019519a2fb23290fae51806b7656 sha1: c571a097d504526e7a550bb6ac734ff43354c429 size: 327680
Section j_uh  md5: 7b76f795b39780a6842595f1d2672b71 sha1: 16a6a3ce99232396f7e923483bba00dd33451a05 size: 20480
Timestamp: 2006-08-28 07:08:09
Version:
  LegalCopyright: (C) 2006 Adobe Systems Incorporated. All rights reserved.
  InternalName: Adobe Help Viewer
  FileVersion: 1.0.0.185
  CompanyName: Adobe Systems Incorporated
  ProductName: Adobe Help Viewer
  ProductVersion: 1.0
  FileDescription: Adobe Help Viewer
  OriginalFilename: ahv.exe
PEhash: a29be8a1b493f1d90b49b1a5f7d316fed0d84dcc
IMPhash: 644c2afa954e2ae0013dd6a3d57f8d06
AV ClamAV: Win.Trojan.Ramnit-7712
AV Ad-Aware: Win32.VJadtre.3
AV Rising: Win32.Roue.a
AV Zillya!: Virus.Nimnul.Win32.5
AV CAT (quickheal): W32.Nimnul.F1
AV K7: Virus ( 0040f7441 )
AV MalwareBytes: no_virus
AV Padvish: no_virus
AV Twister: Virus.558BEC81EC@120000#.mg
AV Alwil (avast): Malware-gen:Evo-gen [Susp]:Win32:Malware-gen
AV Arcabit (arcavir): Win32.VJadtre.3
AV Avira (antivir): W32/Jadtre.B
AV Emsisoft: Win32.VJadtre.3
AV CA (E-Trust Ino): Win32/Nimnul.A
AV Ikarus: Trojan-Downloader.Win32.Small
AV Kaspersky: Virus.Win32.Nimnul.f
AV Mcafee: W32/Kudj
AV MicroWorld (escan): Win32.VJadtre.3
AV Symantec: W32.Wapomi.C!inf
AV Trend Micro: PE_WAPOMI.BM
AV VirusBlokAda (vba32): Virus.Nimnul.19209
AV Frisk (f-prot): W32/PatchLoad.E
AV F-Secure: Win32.VJadtre.3
AV Fortinet: W32/Nimnul.F
AV BitDefender: Win32.VJadtre.3
AV Eset (nod32): Win32/Wapomi.BA virus
AV Microsoft Security Essentials: Virus:Win32/Mikcer.B
AV Grisoft (avg): Win32/Wapomi.I
AV BullGuard: Win32.VJadtre.3
AV Authentium: W32/PatchLoad.E
AV Dr. Web: BackDoor.Darkshell.246
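The section table in the static details is the first thing to pull out of a sample like this one: four linker-standard sections plus a fifth named j_uh, which is not a name any mainstream tool chain emits. The following Python is an added example and is not code from the sandbox that produced this report. It parses the PE section table with the standard library only, hashes each section's raw bytes the same way the md5/sha1 columns above are derived, and flags non-standard names, writable-and-executable sections, and an executable last section (code appended after the original .text). The PE image it runs on is constructed inline (three sections, the last named j_uh); the COMMON_SECTION_NAMES whitelist, the INFECTOR-style triage rules and the synthetic image are this example's own assumptions.

```python
"""Parse a PE32 section table, hash each section, flag anomalies (added example)."""
import hashlib
import struct

# Heuristic whitelist of names normally emitted by Microsoft/Borland tool
# chains.  Assumption of this example, not something the report defines.
COMMON_SECTION_NAMES = {
    ".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
    ".pdata", ".bss", ".tls", ".CRT", ".textbss", ".ndata", ".itext",
}

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes


def parse_sections(data: bytes) -> list:
    """Return one dict per section header with MD5/SHA1 of its raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, n_sections, _ts, _sym, _nsym, opt_size, _chars = COFF_HDR.unpack_from(data, coff)
    sec_off = coff + COFF_HDR.size + opt_size      # section table follows the optional header
    sections = []
    for i in range(n_sections):
        (name, vsize, vaddr, rawsize, rawptr,
         _, _, _, _, chars) = SECTION_HDR.unpack_from(data, sec_off + i * SECTION_HDR.size)
        raw = data[rawptr:rawptr + rawsize]        # hash exactly the on-disk bytes
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "vsize": vsize, "vaddr": vaddr, "size": rawsize,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            "chars": chars,
        })
    return sections


def triage(sections: list) -> list:
    """Flag section-table traits typical of appended-code file infectors (heuristics)."""
    findings = []
    for i, s in enumerate(sections):
        if s["name"] not in COMMON_SECTION_NAMES:
            findings.append(f"non-standard section name {s['name']!r}")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {s['name']!r} is writable and executable")
        if i == len(sections) - 1 and i > 0 and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"last section {s['name']!r} is executable: code appended after the original sections")
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 image (synthetic test data, not the report's sample)."""
    spec = {
        ".text": (b"\xcc" * 64, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        ".data": (b"\x00" * 32, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        "j_uh": (b"\x90" * 32, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
                 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    }
    opt_size, e_lfanew, raw_base = 224, 0x40, 512
    hdrs, body, ptr, vaddr = b"", b"", raw_base, 0x1000
    for name, (blob, chars) in spec.items():
        hdrs += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), len(blob), vaddr,
                                 len(blob), ptr, 0, 0, 0, 0, chars)
        body += blob
        ptr += len(blob)
        vaddr += 0x1000
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = COFF_HDR.pack(0x14C, len(spec), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zeroed
    img = dos + b"PE\0\0" + coff + opt + hdrs
    return img + b"\0" * (raw_base - len(img)) + body


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"Section {s['name']:<8} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
    for f in triage(secs):
        print("!!", f)
```

Pointing parse_sections at the real file gives the same five Section lines as the report; a section whose hash differs from a known-clean copy of the same Adobe binary, or an extra trailing section like j_uh, is the thing to diff against.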

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\lOoQaM.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\lOoQaM.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ C:\WINDOWS\system32\cmd.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\lOoQaM.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\705c7caa.bat
Creates File: C:\temp\files\lOoQaM.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe
Creates File: C:\temp\files\malware.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Winsock DNS: ddos.dnsnb8.net
Winsock URL: http://ddos.dnsnb8.net:799/cj//k1.rar
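Read together, the runtime events show four things a responder cares about: an executable written to Temp and then launched, a batch file written to Temp while a cmd.exe process appears, writes to a series of existing executables under Program Files (in line with the "Virus"/"!inf" classifications in the AV column), and a fetch of k1.rar from ddos.dnsnb8.net on port 799. The following Python is an added example, not part of the sandbox output. It runs those checks over a constructed event list that reuses the paths and the URL from this report, and collects the indicators to block or hunt for. The event tuple shape, the regexes and INFECTOR_THRESHOLD are assumptions of the example.

```python
"""Rule-based triage of sandbox behaviour events (added example)."""
import re
from urllib.parse import urlsplit

# Constructed event list mirroring the report: (process, event type, value).
# Paths and the URL are the ones listed above; the order is the report's order.
MALWARE = r"C:\malware.exe"
DROPPED = r"C:\Documents and Settings\Administrator\Local Settings\Temp\lOoQaM.exe"
EVENTS = [
    (MALWARE, "Creates File", DROPPED),
    (MALWARE, "Creates File", r"C:\Documents and Settings\Administrator\Cookies\index.dat"),
    (MALWARE, "Creates Process", DROPPED),
    (DROPPED, "Creates File", r"C:\Documents and Settings\Administrator\Local Settings\Temp\705c7caa.bat"),
    (DROPPED, "Creates File", r"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"),
    (DROPPED, "Creates File", r"C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe"),
    (DROPPED, "Creates File", r"C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe"),
    (DROPPED, "Creates File", r"C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe"),
    (DROPPED, "Winsock DNS", "ddos.dnsnb8.net"),
    (DROPPED, "Winsock URL", "http://ddos.dnsnb8.net:799/cj//k1.rar"),
]

# Assumptions of this example: what counts as a temp directory, a Program
# Files path, an executable, and how many modified executables is "mass".
TEMP_RE = re.compile(r"\\(?:Local Settings\\)?Temp\\", re.I)
PROGRAM_FILES_RE = re.compile(r"^[A-Z]:\\Program Files(?: \(x86\))?\\", re.I)
EXEC_EXT = (".exe", ".dll", ".scr")
INFECTOR_THRESHOLD = 3


def triage(events):
    """Return (findings, iocs): human-readable findings plus indicators to block."""
    findings = []
    iocs = {"dropped": [], "modified_executables": [], "domains": [], "urls": []}
    created = set()                      # files seen written so far (lower-cased)
    for proc, kind, value in events:
        low = value.lower()
        if kind == "Creates File":
            created.add(low)
            in_temp = TEMP_RE.search(value) is not None
            if in_temp and low.endswith(EXEC_EXT):
                iocs["dropped"].append(value)
            elif in_temp and low.endswith(".bat"):
                findings.append(f"batch script written to Temp by {proc}: {value}")
            elif PROGRAM_FILES_RE.match(value) and low.endswith(EXEC_EXT):
                iocs["modified_executables"].append(value)
        elif kind == "Creates Process":
            # A process started from a file this run wrote to Temp is a dropper chain.
            if low in created and TEMP_RE.search(value):
                findings.append(f"dropped-then-executed: {proc} wrote and launched {value}")
        elif kind == "Winsock DNS":
            iocs["domains"].append(value)
        elif kind == "Winsock URL":
            iocs["urls"].append(value)
            u = urlsplit(value)
            if u.port not in (None, 80, 443):
                findings.append(f"HTTP fetch on non-standard port {u.port}: {value}")
    touched = sorted(set(iocs["modified_executables"]))
    if len(touched) >= INFECTOR_THRESHOLD:
        findings.append(f"wrote to {len(touched)} existing executables under Program Files: file-infector behaviour")
    return findings, iocs


if __name__ == "__main__":
    found, indicators = triage(EVENTS)
    for f in found:
        print("!!", f)
    for key, values in indicators.items():
        print(key, values)
```

The modified_executables list is the part to act on first: every one of those Program Files binaries has to be treated as infected and restored from known-good media, since a plain removal of malware.exe and lOoQaM.exe leaves the modified copies in place.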

Network Details:

DNS: ddos.dnsnb8.net (Type: A)

Raw Pcap

Strings