Field | Value |
---|---|
Analysis Date | 2014-10-09 16:16:51 |
MD5 | bc646542672516a08e7fc3824432b1f6 |
SHA1 | b39043b921fa24fca16b5381a0c58de2adcca5ae |
Static Details:
Field | Value |
---|---|
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
Timestamp (PE header) | 2005-05-22 14:12:56 |
PEhash | fd09002112a4313b1d5bcfb338f14d27db93121b |
IMPhash | c5effa462f51432aeac8904668baca02 |

Section | MD5 | SHA1 | Size (bytes) |
---|---|---|---|
.text | 96f19965715a9b4a77290326ac9e545c | 5c40f458dea04920bd36bd718a4eed9e52b9ff43 | 4608 |
.data | 5e210c11b9fe92358c4fa917043afda7 | 0facd928697b3deed173c2149df0e2bc3e3a78a0 | 7168 |
.idata | bdd6e11a11fffb3445806e7648a94008 | 8d8b343a67cd2d91ec8e124914714cdc3cd4cc70 | 1024 |
.rsrc | 2d206b8f393c1844fd6fb61d74d40184 | fd6b747a1d974c755bb891bfc7d7eff66104bf98 | 5632 |
AV detections (4 of the 31 engines listed report no_virus; the family names that appear are Upatre/Waski, Bublik and Zbot, the remaining names are generic or heuristic):

AV | Vendor | Detection |
---|---|---|
AV | 360 Safe | Gen:Variant.Kazy.311358 |
AV | Ad-Aware | Gen:Variant.Kazy.311358 |
AV | Alwil (avast) | Malware-gen:Win32:Malware-gen |
AV | Arcabit (arcavir) | Trojan.Bublik.boim |
AV | Authentium | W32/Trojan.SCZK-3312 |
AV | Avira (antivir) | TR/Dldr.JQGV |
AV | CA (E-Trust Ino) | Win32/Zbot.HSD |
AV | CAT (quickheal) | TrojanDownloader.Upatre.A6 |
AV | ClamAV | no_virus |
AV | Dr. Web | Trojan.DownLoad3.28161 |
AV | Emsisoft | Gen:Variant.Kazy.311358 |
AV | Eset (nod32) | Win32/TrojanDownloader.Waski.A |
AV | Fortinet | W32/Kryptik.CF!tr |
AV | Frisk (f-prot) | W32/Trojan3.GVH |
AV | F-Secure | Gen:Variant.Kazy.311358 |
AV | Grisoft (avg) | Crypt2.CDKF |
AV | Ikarus | Trojan-Spy.Zbot |
AV | K7 | Trojan ( 00491c461 ) |
AV | Kaspersky | Trojan.Win32.Generic |
AV | MalwareBytes | Trojan.FakePDF |
AV | Mcafee | PWSZbot-FOH!BC6465426725 |
AV | Microsoft Security Essentials | TrojanDownloader:Win32/Upatre.A |
AV | MicroWorld (escan) | Gen:Variant.Kazy.311358 |
AV | Norman | winpe/Upatre.TE |
AV | Rising | no_virus |
AV | Sophos | Troj/Agent-AFGR |
AV | Symantec | Trojan.Zbot |
AV | Trend Micro | TROJ_BUBLIK.AAA |
AV | VirusBlokAda (vba32) | no_virus |
AV | Yara APT | no_virus |
AV | Zillya! | Trojan.Bublik.Win32.12641 |
Runtime Details:
Process
↳ C:\malware.exe
Action | Detail |
---|---|
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe |
Creates File | PIPE\wkssvc |
Creates Process | "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe" |
Creates Mutex | VideoRenderer |
Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\budha.exe"
Action | Detail |
---|---|
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
Creates Mutex | VideoRenderer |
Creates Mutex | WininetConnectionMutex |
Creates Mutex | c:!documents and settings!administrator!cookies! |
Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
Winsock DNS | pvwebsolution.com |
Winsock DNS | bestdatingsitesreview4u.com |
Network Details:
Type | Detail |
---|---|
DNS | bestdatingsitesreview4u.com Type: A 54.231.161.83 |
DNS | pvwebsolution.com Type: A 107.150.48.43 |
Flows TCP | 192.168.1.1:1031 ➝ 54.231.161.83:443 |
Flows TCP | 192.168.1.1:1032 ➝ 54.231.161.83:443 |
Flows TCP | 192.168.1.1:1033 ➝ 54.231.161.83:443 |
Flows TCP | 192.168.1.1:1034 ➝ 54.231.161.83:443 |
Flows TCP | 192.168.1.1:1035 ➝ 107.150.48.43:443 |
Flows TCP | 192.168.1.1:1036 ➝ 107.150.48.43:443 |
Flows TCP | 192.168.1.1:1037 ➝ 107.150.48.43:443 |
Flows TCP | 192.168.1.1:1038 ➝ 107.150.48.43:443 |
Raw Pcap
Eight fragments, each at stream offset 0, matching the eight TCP flows listed above; only the first bytes of each stream are shown:
0x00000000 (00000) 804c0103 .L..
0x00000000 (00000) 802b01 .+.
0x00000000 (00000) 804c0103 .L..
0x00000000 (00000) 802b01 .+.
0x00000000 (00000) 804c0103 .L..
0x00000000 (00000) 802b01 .+.
0x00000000 (00000) 804c0103 .L..
0x00000000 (00000) 802b01 .+.
The leading bytes 80 4c 01 03 and 80 2b 01 have the shape of an SSLv2-compatible CLIENT-HELLO record: a two-byte header whose high bit is set and whose low 15 bits give the record length (0x4c = 76 and 0x2b = 43 bytes), then message type 0x01 (CLIENT-HELLO) and, where captured, a version major byte of 0x03. Together with destination port 443 on every flow this indicates that both connections were attempted over SSL/TLS, so no plaintext request or downloaded payload is recoverable from this capture.
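The header reading above can be checked mechanically. The following is an added example, not part of the original sandbox report or of any tool that produced it: it parses the "Raw Pcap" dump format used on this page and decodes SSLv2-compatible record headers. The dump string is a constructed copy of the report's line; the header layout and message-type names follow the SSLv2 specification. Nothing beyond the captured bytes is inferred, so a version minor byte that was not captured is reported as None.

```python
import re
from typing import Any, Dict, List

# Constructed copy of the page's Raw Pcap line: the two fragments repeat four
# times, one fragment per TCP flow in the report.
RAW_PCAP_LINE = (
    "0x00000000 (00000) 804c0103 .L.. 0x00000000 (00000) 802b01 .+. " * 4
).strip()

# Dump format used by the report: "0x<offset hex> (<offset dec>) <hex bytes> <ascii>"
_DUMP_RE = re.compile(r"0x([0-9a-fA-F]{8}) \((\d+)\) ([0-9a-fA-F]+) ")

# SSLv2 handshake message types.
SSL2_MSG_TYPES = {
    0x00: "ERROR",
    0x01: "CLIENT-HELLO",
    0x02: "CLIENT-MASTER-KEY",
    0x03: "CLIENT-FINISHED",
    0x04: "SERVER-HELLO",
    0x05: "SERVER-VERIFY",
    0x06: "SERVER-FINISHED",
    0x07: "REQUEST-CERTIFICATE",
    0x08: "CLIENT-CERTIFICATE",
}


def split_dumps(line: str) -> List[bytes]:
    """Return the raw bytes of every fragment in a report 'Raw Pcap' line."""
    # A trailing space is appended so the final fragment also matches.
    return [bytes.fromhex(hexbytes) for _, _, hexbytes in _DUMP_RE.findall(line + " ")]


def decode_ssl2_header(data: bytes) -> Dict[str, Any]:
    """Decode an SSLv2 record header and, for CLIENT-HELLO, the version bytes.

    Two-byte header: bit 7 of byte 0 set, length in the low 15 bits, no padding.
    Three-byte header: bit 7 clear, length in the low 14 bits, byte 2 = padding.
    Fields whose bytes were not captured are reported as None.
    """
    if len(data) < 2:
        raise ValueError("SSLv2 record header needs at least 2 bytes")
    if data[0] & 0x80:
        length = ((data[0] & 0x7F) << 8) | data[1]
        padding, body = 0, data[2:]
    else:
        if len(data) < 3:
            raise ValueError("three-byte SSLv2 header truncated")
        length = ((data[0] & 0x3F) << 8) | data[1]
        padding, body = data[2], data[3:]
    msg_type = body[0] if body else None
    result: Dict[str, Any] = {
        "record_length": length,
        "padding": padding,
        "msg_type": msg_type,
        "msg_name": SSL2_MSG_TYPES.get(msg_type, "UNKNOWN") if msg_type is not None else None,
        "version_major": None,
        "version_minor": None,
    }
    if msg_type == 0x01:
        # CLIENT-HELLO: the two bytes after the type are the client's highest version.
        result["version_major"] = body[1] if len(body) > 1 else None
        result["version_minor"] = body[2] if len(body) > 2 else None
    return result


def _version_text(h: Dict[str, Any]) -> str:
    if h["version_major"] is None:
        return "not captured"
    if h["version_minor"] is None:
        return f"{h['version_major']}.? (minor byte not captured)"
    return f"{h['version_major']}.{h['version_minor']}"


def summarize(line: str) -> List[str]:
    """One human-readable line per fragment in the dump."""
    out = []
    for frag in split_dumps(line):
        h = decode_ssl2_header(frag)
        out.append(
            f"{frag.hex()}: {h['msg_name']} record, length {h['record_length']}, "
            f"version {_version_text(h)}"
        )
    return out


if __name__ == "__main__":
    print("\n".join(summarize(RAW_PCAP_LINE)))
```

Running the script prints one line per flow; the 76-byte and 43-byte records alternate, and none of the fragments is long enough to show the cipher-spec list, so the decoder deliberately stops at the version bytes rather than guessing.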
Strings
Embedded file paths (Rar$EX00.860 is the temporary directory WinRAR creates when a file is opened directly from an archive, so the sample was run from an archive under the name payment-history-n434543-434328745231.exe):
C:\6rK9ahXj.exe
C:\9Mv2h3yq.exe
C:\_aAe2Ubm.exe
C:\ah2pUxjt.exe
C:\CXdmAIOY.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.860\payment-history-n434543-434328745231.exe
C:\joqzqDkD.exe
C:\KTlJdrQu.exe
C:\OR5IuFXG.exe
C:\PcsRxiHN.exe
C:\qPQ7RHAZ.exe
C:\tj2bmaoC.exe
C:\wN_EOgPn.exe
Imported DLLs and API names (grouped here by exporting DLL; the DLL names themselves appear among the strings). Note that no networking or file-writing API is imported even though the runtime section shows a dropped file, DNS lookups and TCP connections; with GetProcAddress and LoadLibraryExA present, the real functionality is resolved at runtime and the visible imports are a media-player shell:
kernel32.dll: CloseHandle CreateEventW DeleteCriticalSection ExitProcess FreeLibrary GetLastError GetModuleHandleA GetModuleHandleW GetPrivateProfileIntW GetPrivateProfileStringW GetProcAddress GetTickCount GetVolumeInformationW GlobalLock GlobalUnlock HeapAlloc HeapCreate InitializeCriticalSection LoadLibraryExA lstrcpyW SetEvent TryEnterCriticalSection WaitForMultipleObjects
user32.dll: CreateWindowExA DefWindowProcA GetMessageA LoadCursorA LoadIconA PostQuitMessage RegisterClassA TranslateMessage
Msacm32.dll: acmFilterChooseA acmStreamOpen
Winmm.dll: mciSendStringA
MCI command string (mixed case, passed to mciSendStringA):
oPeN Bad.mp3 typE mPeGvideo aLIas myF
PE structure strings:
.idata
!This program cannot be run in DOS mode.
Application manifest, reassembled from the individual fragments in the strings output (asInvoker: no elevation is requested, which matches everything in the runtime section landing under the user's own profile and HKEY_CURRENT_USER):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
Remaining strings (repetitive filler and fragments of encoded data, kept verbatim in the tool's order):
; "011 011) [.11 "1G" :222) !222 %222 2222 ;225 2B221 >322 3222 4221 4221b 4222)% 422(O 45w: 6222 7225 7H22 b222 B222 b<2222F22 F222 F222% G'a225 G;f225 H222 j/11 J222 J322 N222 O222 q.11 r>5w: t>5w> tB5w: vV:` vV>2 vV;2 vV@2 vV5v vV7` vV8e vV9d vV9s vVE2 vV?t W1A5w.3F8 W222 w.2222 w"2222 w*2222 w&2222 w.3222 w*3222 w&4322 Z222
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
%%____ 0000000 00000000000000 1"t7.r 26)EEEEEEEEEEEEEEEEEEEEEEEEE +2I_DEEEJ 2kEEEE 4e *<+ ?5?5?5 5?55555 55@WEh 65F62F5?5??5?5h> 6EEEEEEEEEEEEEEEEEEEEEE 8EEEEEEEEEEEEEEEEEEEEEE )-a6$wA ckkkk8kkEEEEEEEE -E8EEEEEEEEEEEEEE EEE8/5[g EEEEEE EEEEEEE EEEEEEE86e,<RkEEEEEEEE8S!
EEEEEEEEE EEEEEEEEEEE +*<EEEEEEEEEEEEE =EEEEEEEEEEEEEEE EEEEEEEEEEEEEEEEEEEEEEEE EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE EEEEEEEEEEi.HEEE<( EEEEEEi5@?oEEEEEEEEEEEEEEEEEEEEE EEEkEEEEEEEi EES + Ek<QYsYQY EkEEEEEEEEcss8EE< FFhFFhFhhhhFh fZ5555?5 i<1@*5*5 j,?*W$$f k "\BkkkkkkkEEEEEEEEE kkEEEEEEEEEEEEEE kkEEEkEEEkE) kkk8k8k8kk9E kkkE-`KBkkkk kkkkkEEkEEEEHaa kkkkkkk kkkkkkkkkEk kkkkkkkkkEkkk^TBEEEEEEEEEEEEEEEE kkkkkkkkkkEER(T(REEEEEEEEEEEEEEE kt"--nEkkkkkk L L(L ](] ] ] ] ] ] ] ] ] (L#2 +Mk.j) 8.B QanEEEEEEEEEEEEEE QdLEEk$ Rkkkkk SEEEEEEEEEEEEEEEEEEEEEEE .s,*@ff?<EEEE T} G# VI(Z`( *WE$8!$8. @WE8<Z *y(o;+n YYYYYY +YYYYYYs+7I_IEEEEJ ,+Z*P\$