Analysis Date: 2014-04-23 14:35:41
MD5: 92e49c048f77d82da5a41b7bb81a1ee3
SHA1: bcda53cbbc33758f4de7718e36a7dc2d2aeae617

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0   md5: d41d8cd98f00b204e9800998ecf8427e   sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709   size: 0
Section UPX1   md5: 7c3d25e873264d3b796666707dd18970   sha1: 08ffa6656169e4142c708e81c93cc47801cd5771   size: 49664
Section .rsrc  md5: ce2bb564f71ddc551f709778c872f44f   sha1: 013d97d956fb7d030cea07b1e6e2659f0a7da9b0   size: 80896
Section .text  md5: c7b7cee63ea8aa4434aa4955d9369c5b   sha1: 9958421eca2af1b618341d4a23e507e2d533ae86   size: 111616
Timestamp: 2011-01-04 13:49:16
Version:
    ProductVersion: 8.01.0008
    InternalName: Dosya Klasörü
    FileVersion: 8.01.0008
    OriginalFilename: Dosya Klasörü.exe
    ProductName: z 3 r 0 _ x
PEhash: 6fd3af93815d6a5d3d881e26026f239e1e81e09b
IMPhash: 3243b13e562279ab7fbe2f31e45d3a95
AV mcafee: W32/Ramnit.a
AV avg: Win32/Zbot.G
AV avira: W32/Ramnit.C
AV msse: Virus:Win32/Ramnit.P
AV clamav: W32.Ramnit-1
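
The section table above is the most telling static detail. UPX itself emits only UPX0, UPX1 and (optionally) .rsrc, so a .text section sitting after .rsrc, with 111616 bytes of its own, was added after packing; that layout is consistent with a file infector such as Ramnit appending its code to an already packed host. The host itself looks like a Visual Basic 6 program (MSVBVM60.DLL appears in the strings, and the version resource carries a Turkish InternalName). The following checker, an added example written for this page rather than tooling from the sandbox, reads the section table straight out of the PE headers with the standard library only and flags anything that follows the packer's sections. The PE bytes it runs on are constructed to mirror the section order and raw sizes reported here, not the real sample; the section characteristics flags are assumed.

```python
import struct

# Field offsets from the PE/COFF file format (IMAGE_DOS_HEADER, IMAGE_FILE_HEADER,
# IMAGE_SECTION_HEADER); nothing here depends on a third-party PE library.
E_LFANEW_OFFSET = 0x3C
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
PACKER_SECTIONS = ("UPX0", "UPX1", ".rsrc")   # the only sections UPX itself emits


def parse_sections(data: bytes):
    """Return [(name, virtual_size, raw_size, characteristics), ...] in file order."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)    # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)       # SizeOfOptionalHeader
    table = coff + COFF_HEADER_SIZE + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name, vsize, _vaddr, raw_size, _raw_ptr = struct.unpack_from("<8sIIII", data, off)
        characteristics, = struct.unpack_from("<I", data, off + 36)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, raw_size, characteristics))
    return sections


def appended_after_packer(sections):
    """Names of sections that sit after the UPX layout, i.e. were added post-packing.

    A clean UPX output has UPX0, UPX1 and at most .rsrc; an infector that appends
    its code leaves an extra section behind them. Returns an empty list when the
    image is not UPX-packed or nothing follows the packer's sections.
    """
    names = [s[0] for s in sections]
    if "UPX0" not in names or "UPX1" not in names:
        return []
    last_packer = max(i for i, n in enumerate(names) if n in PACKER_SECTIONS)
    return names[last_packer + 1:]


def build_sample_pe(section_specs):
    """Constructed PE32 header with the given (name, raw_size, characteristics) sections.

    Test data only: it reproduces the section order and raw sizes reported above,
    not the real sample's bytes; the optional header is zero apart from the magic.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)
    opt_size = 224                                   # IMAGE_OPTIONAL_HEADER32
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x0102)
    opt = b"\x0b\x01" + b"\0" * (opt_size - 2)       # PE32 magic, rest zeroed
    headers_end = 0x40 + 4 + COFF_HEADER_SIZE + opt_size + SECTION_HEADER_SIZE * len(section_specs)
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF         # 512-byte file alignment
    va, table = 0x1000, b""
    for name, raw_size, characteristics in section_specs:
        vsize = max(raw_size, 0x1000)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, characteristics)
        va += (vsize + 0xFFF) & ~0xFFF
        raw_ptr += raw_size
    return bytes(dos) + b"PE\0\0" + coff + opt + table


# Section order and raw sizes from the static details above; the characteristics
# flags are assumed (typical UPX values, plus a code/execute section for .text).
REPORTED_SECTIONS = [
    ("UPX0", 0, 0xE0000080),
    ("UPX1", 49664, 0xE0000040),
    (".rsrc", 80896, 0xC0000040),
    (".text", 111616, 0xE0000020),
]

if __name__ == "__main__":
    secs = parse_sections(build_sample_pe(REPORTED_SECTIONS))
    for name, vsize, raw_size, flags in secs:
        print(f"{name:<8} vsize={vsize:<8} raw={raw_size:<8} flags={flags:#010x}")
    print("appended after packer:", appended_after_packer(secs))
```

On a real file, feed `parse_sections()` the bytes of the executable instead of the constructed header; the check deliberately keys on section order rather than on the section name, since infectors and later packers choose names freely.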

Runtime Details:

Process
↳ C:\malware.exe

Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL
Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UACDisableNotify ➝ NULL
Creates File C:\bcda53cbbc33758f4de7718e36a7dc2d2aeae617mgr.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\~DFCB7E.tmp
Creates File C:\Documents and Settings\Administrator\Application Data\MusaLLaT.exe
Creates Process C:\Documents and Settings\Administrator\Application Data\MusaLLaT.exe
Creates Process C:\bcda53cbbc33758f4de7718e36a7dc2d2aeae617mgr.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Creates Mutex {37FFEB21-FE56-017C-F492-53D695A61D45}

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝ C:\WINDOWS\system32\userinit.exe,,C:\Program Files\huettqja\pbvjeqsq.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937.html
Creates File C:\Program Files\huettqja\pbvjeqsq.exe
Creates File \Device\Afd\AsyncConnectHlp
Creates File C:\Program Files\huettqja\px4.tmp
Creates File C:\Documents and Settings\Administrator\Application Data\MusaLLaTmgr.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe
Creates File C:\bcda53cbbc33758f4de7718e36a7dc2d2aeae617mgr.exe
Creates File C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\pbvjeqsq.exe
Creates File \Device\Afd\Endpoint
Creates File C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File C:\Program Files\Internet Explorer\dmlconf.dat
Deletes File C:\Program Files\huettqja\px4.tmp
Creates Mutex {37FFEB21-FE56-017C-F492-53D695A61D45}

Process
↳ C:\bcda53cbbc33758f4de7718e36a7dc2d2aeae617mgr.exe

Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp

Process
↳ C:\Documents and Settings\Administrator\Application Data\MusaLLaT.exe

Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL
Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UACDisableNotify ➝ NULL
Registry HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusaLLaT ➝ C:\Documents and Settings\Administrator\Application Data\MusaLLaT.exe\\x00
Creates File C:\WINDOWS\system32\drivers\etc\hosts
Creates File C:\Documents and Settings\Administrator\Application Data\MusaLLaTmgr.exe
Creates File C:\Documents and Settings\Administrator\Application Data\Declare.ini
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF5D7.tmp
Deletes File C:\WINDOWS\system32\drivers\etc\hosts
Creates Process C:\Documents and Settings\Administrator\Application Data\MusaLLaTmgr.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\MusaLLaTmgr.exe

Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\~TM5.tmp
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\~TM3.tmp
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temp\~TM5.tmp
Deletes File C:\Documents and Settings\Administrator\Local Settings\Temp\~TM3.tmp

Network Details:

DNS google.com  A  173.194.34.160
DNS google.com  A  173.194.34.167
DNS google.com  A  173.194.34.174
DNS google.com  A  173.194.34.163
DNS google.com  A  173.194.34.164
DNS google.com  A  173.194.34.165
DNS google.com  A  173.194.34.162
DNS google.com  A  173.194.34.168
DNS google.com  A  173.194.34.166
DNS google.com  A  173.194.34.169
DNS google.com  A  173.194.34.161
DNS stromoliks.com  A  66.228.61.232
DNS stromoliks.com  A  66.228.61.232
DNS promoliks.com  A  66.228.61.232
Flows TCP 192.168.1.1:1033 ➝ 173.194.34.160:80
Flows TCP 192.168.1.1:1032 ➝ 66.228.61.232:443
Flows TCP 192.168.1.1:1034 ➝ 66.228.61.232:443
Flows TCP 192.168.1.1:1035 ➝ 66.228.61.232:443
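
The runtime and network details above contain the indicators an analyst would turn into detections: the Winlogon Userinit value gains a second program after the stock userinit.exe (a classic autostart hijack that survives the user's own Run keys being cleaned), a Run value named MusaLLaT points at the copy dropped under Application Data, pbvjeqsq.exe is also placed in the Startup folder, the hosts file is opened for writing, and two look-alike domains (stromoliks.com, promoliks.com) resolve to one host that is contacted repeatedly on 443 while google.com is touched once on port 80. The script below, an added example written for this page and not part of the sandbox's tooling, parses lines in this report's own `<Label> <value>` form (it also accepts the label fused to its value) and pulls those findings out; the embedded input is a constructed excerpt of the lines shown above, not a full report.

```python
import re
from collections import defaultdict

# Constructed excerpt of the runtime and network details above; sample input only.
REPORT = r"""
Registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ NULL
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝ C:\WINDOWS\system32\userinit.exe,,C:\Program Files\huettqja\pbvjeqsq.exe
Creates File C:\Program Files\huettqja\pbvjeqsq.exe
Creates File C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\pbvjeqsq.exe
Registry HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusaLLaT ➝ C:\Documents and Settings\Administrator\Application Data\MusaLLaT.exe
Creates File C:\WINDOWS\system32\drivers\etc\hosts
Creates Mutex {37FFEB21-FE56-017C-F492-53D695A61D45}
DNS google.com A 173.194.34.160
DNS stromoliks.com A 66.228.61.232
DNS promoliks.com A 66.228.61.232
Flows TCP 192.168.1.1:1033 ➝ 173.194.34.160:80
Flows TCP 192.168.1.1:1032 ➝ 66.228.61.232:443
Flows TCP 192.168.1.1:1034 ➝ 66.228.61.232:443
"""

LINE = re.compile(r"^(Registry|Creates File|Deletes File|Creates Process|Creates Mutex|DNS|Flows)\s*(.*)$")
FLOW = re.compile(r"➝\s*([\d.]+):(\d+)")
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"   # the only legitimate Userinit entry


def parse_report(text):
    """Return (label, value) pairs for every event line in the report's format."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2).strip()))
    return events


def persistence_findings(events):
    """Autostart and hosts-file indicators as (kind, detail) tuples."""
    findings = []
    for label, value in events:
        if label == "Registry" and "➝" in value:
            key, _, data = (p.strip() for p in value.partition("➝"))
            lkey = key.lower()
            if lkey.endswith("\\winlogon\\userinit"):
                # Userinit is a comma-separated list; anything beyond userinit.exe is injected.
                extra = [p.strip() for p in data.split(",")
                         if p.strip() and p.strip().lower() != USERINIT_DEFAULT]
                if extra:
                    findings.append(("userinit_hijack", extra))
            elif "\\currentversion\\run\\" in lkey:
                value_name = key.rsplit("\\", 1)[-1]
                findings.append(("run_key", (value_name, data)))
        elif label == "Creates File":
            low = value.lower()
            if "\\start menu\\programs\\startup\\" in low and low.endswith(".exe"):
                findings.append(("startup_folder", value))
            elif low.endswith("\\drivers\\etc\\hosts"):
                findings.append(("hosts_file_write", value))
    return findings


def network_summary(events):
    """Pivot DNS answers and TCP flows by destination IP.

    Reports domains that share one IP (a C2 name set), the ports used per IP, and
    destinations contacted with no DNS answer at all (hard-coded addresses).
    """
    resolved = defaultdict(set)    # ip -> domain names that resolved to it
    contacted = defaultdict(set)   # ip -> destination ports
    for label, value in events:
        if label == "DNS":
            parts = value.split()
            if len(parts) >= 3 and parts[1] == "A":
                resolved[parts[2]].add(parts[0])
        elif label == "Flows":
            m = FLOW.search(value)
            if m:
                contacted[m.group(1)].add(int(m.group(2)))
    return {
        "cohosted": {ip: sorted(n) for ip, n in resolved.items() if len(n) > 1},
        "ports": {ip: sorted(p) for ip, p in contacted.items()},
        "unresolved": sorted(ip for ip in contacted if ip not in resolved),
    }


if __name__ == "__main__":
    events = parse_report(REPORT)
    for kind, detail in persistence_findings(events):
        print(f"[persistence] {kind}: {detail}")
    for section, detail in network_summary(events).items():
        print(f"[network] {section}: {detail}")
```

The Userinit check compares against the stock value rather than looking for a known bad path, so it also catches the next sample that picks a different random directory under Program Files; the network pivot is the step that turns three DNS answers and four flows into one host worth blocking.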

Strings
..
040904B0
8.01.0008
Dosya Klas
.exe
FileVersion
InternalName
jjjjjj
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
z 3 r 0 _ x
^_^\^_\^[__^^_^^__^^^^___^__^\_\\_^^^^\^^_[__^^__^_^__^^\[^^_^_^^_^\_^_^^\^\^[^[[__^\^^^\-
~~~}~}}
|%##########################
??????????????????????????????????????????????????????????????????????????????????????????
[[[[[[
[[[[[[[
[[[[[[[[
}~}}~}}~~}~~~~~~~~
}}}~}~}~~~~~}~~~~
														
?{{{{{{{0
?{{{{{{{{{0
?{{{{{{{{{{{0
{{{{{{{{{{{{{{0
0?{{{{{{{{{{{{{{{{{{{{{{0?
0,iqmi!L
1111111(o
15Ucefi=q>
1Hbp[w
@1IKK5
1PH_c2
1Pv_c2
1ybi|K
2((((((((((((((((((((((((((
2%"9w{PAnu6
2Ex)1``:"
2PK_p2e
2P%_O2^
2PO_a2
2Pu_h2
2PX_v2
2vw6ZQ
2vw6ZQ}
2vw6ZQg
?2vwve
3333330
3333333330
33333333333333
333333333333330
333333333333333
333333333333333333333333333333333333333333333333333333333333333333333
33$?m[
}~+3B{
3PT_o20
]3VP(^
4444444
444444444
4444444444444444444444444444444444444444444444444444444444444444
444444444444444444444444444444444444444444444444444444444444444444
444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444
444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444444
4Kk5p+
4{l:XJ
4P\_]2
4p-6p@_.
4Pg_V2
4@zp,&3mj
555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555
*'5[Dj
5 E+/#zj
"'/5H[DPY
,5.P'!J
5PO_>2
5Pu_=2
[>6cj0
6E{|)}Q	
"' 6Hx
! 6J[[
! 6J[[Lj=
6ZwTmda
[[[[[[[[7
733333333333333333333330?
7lllll
7P$_E2g
7Pj_v2
7Ry(rm
7{WL1{j*$Z
@+?"	8
8_e`%s
8'q4Xf{
9%-lDNi
9l$\w_
9ydOhe
9Za~nW
A><<<<<<<<<<<<<<<<<<<<<<<<<<
<A-4qljm[n8#v
A9~@yAW
^a(+#A
	Aayy,
abbbbbbbababbabebababbbbbbbbbbbbbbbbbabaaababbabbbbbbaabbabbaabbabbdbabbbaaabbabbabababbb.
aP[_82
/:ASFTRr
*B7Q;P
ba_`__aa_____aaaab__a_aa``ab__a__a___b__a____`___a__a______a_a_b_a__a__`_aa`a__aa_abaa``a.
BapbgS
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB6
`?Bg?U1
bPT_:2
Bqrk:(G
<c.%{3{
	(C8,]
CE3j]s.
CloseHandle
cP9_D2,
CreateFileA
CreateProcessA
C	Vg]+d$
[c*(((((((((((((((((wl
cYCZTUK#
c~&Z\9
d70\.v)$8L
]D}aQHe
DBBEBCEBBBCBBBEDDBBBDCCBBBBCBBCBBDDBCBBBCCCBCBBCBBEDBDEBCCBBCDBCEBCBCBBBBBBDCCDCCBDDDCBBD6
ddddddddddddd
d=GH{>
.)D$H)
dJ^U0E
DPj_k2
D$t+D$\
D$t#D$h
>d+)$V
E45#x}%
eba~8-
eCMf- 
eeebeccbefbefefeffbbbeffeecbfbeeeebefebebefbceefeceefefffffbfebeebeeebebfeebfecbbbeeecffc/
EEECEEEEEBCCBCBEBEBECCBEEBCCEDECEEEDDBCDBECBEECECCECEEEBEDDBCEEBBDEEEEBBECCEDEEEEDBCECBBC6
EEEEEEEEEEEEEEEEEEEEECDEEEEEDEECECEEEDEEEEEEEDECEDEEEEEEEECECEEECEEEBEEEECEBECCEEEEEEEEEE7
EEEEEFEGEFFEGFGEEEEEFEGEFHFGGEEEEEGHEFFEFEEFFFEFEEEEHEGFEHEEGEEEFEEEEHEEEEEEFEEEEFGGEFFFE7
`#e.ir.
eP*_~2
EP	_)2
EPH_=2
ePX_F2@
ER%9CW
eu</PEY,W
ExitProcess
F{c)h4]
ffiffffffffififfffffffffffffieffffffffffiifffiiffffiffiifffffffiffffffiffffffhffffffffiif/
FFSh{G
FHHHHFGFHGFHFGEFFEFFHEFEFFFFFFFFGHHHFHGHHHFHHHHFGFGFGHGGEHFHFGGHGGGGHHFFHGHGFFEEEHHEHGHHF8
^fK8\{D
[fPFMlllll
fPu_<2
fPW_X2w
fP"_Z2D
FreeLibrary
[f}tttttttttt
G:5\hy
`G7@!F
{Gd77J
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetVolumeInformationA
GetWindowsDirectoryA
G>HN7'1
? gK	R
_glllll
<G={PC
gPw_.2.
GR.ohX=
G=z{,)
h7dllll
ha[]dlll
ha[llll
HB>2ZF
HIHIIIKHJKKHHIHKHKHKIJKHIJHJIHIJHKJHHHHHIJIIIKHIHIIHHIKIKKKIKIJJIIHKIHKJJJIIKKHHHKHKHIIIH:
HJtH7I=
HlM1 h}z
H%nk1F
HPT_;2	
HY_^Z[
$-^H)zW
Id7(1IIIIIIIIIIII
IIIII`
IIIIIIIIIIIIIId7
ijjgijggjfifjjgijijjjjigjijgjiiijijjiiiffjijjjjjjijjijijjiijiijjjiigfijjjjjijjjjjjjgijjjj0
iJnj6R
i!LPK!H-
i!LPK!z
[i)<<<<<<<<<<<<<<:nK_l
Io_UC"
IP__]2
iP__.28
IPf_S2N
IqrRk?
"IQUM0-P
[i}<<<<<<<<<<<<<<<<<wl
[i>wTTTTTTTTwpN
j}/*|.1b
'j1*?U
 .Jbjx=
JE>iHA
j=EJp~
jjmjjjjjllllljjjkljlkjjmljljljjjkkjjjmkljjjjkjjjmljjklljljljjjkllkjmjjlljlkllmkllkklljllj1
jPP_<2
j>Pza0
`jq@_.g	y 
[[[[[jxzW
J}z(P|
=K6;}5
kernel32.dll
KERNEL32.DLL
'}kgyD[
.kIUzn
KKKIKKKKKKKKIKIIKIKKKKKIKKKKKKKIKKKKKKKKKKIIKKKKKKIKKKKKIKKKIIKKKKIKKLKKKKKKKKIKKKKIIKKKK9
Kq(euu9ZG
>ky%1n
LC./09gn
.LjR=W
_](lKiz
LMLLLKKNKKNLMKKLKKLLKLKKLKNLLKLLLKKLLMKKNKLNKKNLLKLNMKKLKLKKNNMMLMLLNLKMKKLMKLKLLNKLKLNNL;
LoadLibraryA
lPM_n2X
lPN_S2r
.lqJD'
LTr|,!
`MBKEr
_mgr.exe
!M=H{	
mHMVRm
Mj.7;\f
mmlmmlmmmmlmmmmmkmmlmmlmmmmmmmmmmmmmmmmmlmmmmlmmlmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm2
MSVBVM60.DLL
n'}1lG9
n8tU%o
nhGFlllll
>"nJ>k
nKB\`lll
nKG[llll
n)Lh<e
N&Ma;tDNgxi{
(nNmicwH#
NNNNMNNNNNLNLLNNNNLLNNLLNNLNNNNLLNLLNLNLNNLLLLNNMNLLNLLNNNNLNLNLLLNNNNLLLNLNNNNNNNLNNLLLN>
npoppnomnomnmppnopomopommmnopmpnmonpppomopmooopmoppponpppmmpnompmompopnnompnopmmmmmoopoom2
nSU:K,
&nZ9dn
N{|"@z.Y
[o$(111111111((#
[o2T<<<<<<<11<t9Ll
\OFe"\T
}O>HN7'1x
OnSK3ny
OOONOOONOQNONONOOONONONOONONNORONOQNONOOOONRNORNNQNNOOONOOOONOOOQOQONOQNNRONQNNOORNOONNNN<
OpenMutexA
OPN_O2
OP,_R2Q
OqfUR5,{
OrI'u`dorn
OT>kr<
[o>wSSTTTw:nLglll
*;+O	X
Ox2]<J
:P>_12
-P$_[2
P$_<2#
P__`2m
P|_ 2p
P-_{2s
P._52~
)#(.P6~
P6_u2N
|P	_A2
PA_g2=
Pa_u2d
PA_Y2M
PC_\2Y
P^,C$WI
+Pc_X2
+PC_y2
`P?_D2
P__D2m
PE_w2}
;PF_=2
PF_'2R
"Pg_B2:
!PG_C2
>Pg_T2e
Ph_a2k
pi'p3[B
P~_j2S
Pk_!29
PK%_?E1
PK!TqaS
PK!|W'
PK!|W'O
PL_,29
|Pm_=2d
PM_72A
$P/_N2J
PO_$2S
Po_B2h
pP(_A2
ppppppqpppppppppsqpqprpppppppprpqppqrrprpqspppqrppprpppprqqrppppqpppprprpqpppqppppppppppr'
PP+_s2
pPT_12
&Pp_V2
~Pq_'2
 PQ_O2
PQ_z2f
P"_r2;
PS_A2`
pssssssqrssssssspqssssssprqsssssssqrqssqsrrsqssrrqrsssrqsspsqqsspsqqsssspsssssqqqrrsqssss(
(PT_Y28
*PU_|2
P-_u2E
+Pu_j2
Pu_q2L
Pv_l2+
=Pw_J2
PX_$2v
PY_42]
P=_Z2A
[q~b[Fllll
QFUX)/
qi?0UZu
;>.qm^
qP7_o2F
QPx_n2\
_~q\Qs
R'|-:-
r2:f&VUW&
 R8+jK
rD]9^>
R/>HN7'1x
#RKW"h
RPd_>2
RRRRRRRROORORRROOORRRORROORRRRRORRRORROOPRRRRORROORRRRRRROROROOSRRRRRRORRRRRRRROORRORRRRR<
RSSRRRRSSSRRSVRSRRRSSSSRVSSRRSRRSRSSSSSSUURSSRRRSSRSUSUSVSRSSRURSRRSSUSVURSSSSSRRVRSRRVVS=
RT94J?
`rUR7>J
rXT..B
".S0T6u 
Sc4[S/
,S$\E~
#SF7G2
s`)L$4
sPV;]<
?SqD7'
SRQWVj
SSSSSSSSSSSSSSTTTTTTTTT:kK^l
SSVVVVSVVTSSTVTVTSTVVVVWTSTVVWTVVVVVVVVSVSSSSSVSWSSWWVVVVSSVVVVVSVVVSVVVVVWVSSVVVWSVVSSSS@
[sTtpk
SvM>It
>!syn>
<<<<<<<T
T51\5W
:T.5y	
t"CA-	U;11
!This program cannot be run in DOS mode.
t$t#t$l
ttttttttj
}T\$yQ
 U0jOP4
<<<<<<<<<<<<<<<<<<<<<<<<<<u9l
{$U)AwXL
,&UFXc
/uhPnY
@)_UVm
V211111111111111111111111111
VirtualAlloc
VirtualFree
VirtualProtect
VPq_s2
vP+_U2p
vt@~^v
vtwvtvvttstvwwvtwsvsswvtsvtsvtwstwvsssvvtsssssswvswsssswsttvsssswwsssvwstwvswvssswtvvsvvv(
VWQRSj
W4h+%a
$	wF|(
 ),WN5
[wOwk8
WPm_h2t
WriteFile
WVZWWWVWWZZWWWVWWWWWWVWWWYZWWWWWVWVWWVWWVZZZWWWWWWWZWZWWWVWWVZWWWWWWYYWVWWVWWWWZZZWWYVWWV@
wwwwwww
wwwwwwwwwwwwxwwwxwwwwwwwwwwtwwwwwwxwwwwwuwwwwwwxtwwwwwwwwwwwwwwwwwwxwxwwwwwwwwwwwwwxwwwww)
{{{{{x
/xcT[-
<xfmz'
@<xfmz'
$XJa6D=
XpjBaG
XPTPSW
[XRs*6
X}s{\s
XwwwwwwwwwwwwwwSSSTTpNJBllll
XXg.YsT
xyyzzzwyzyzzzzwzwwxzzyxzzzyyzzxxzzwxxxyxxxzzzzxyyyywzzzxyyxzzxzxzxyywyzzzwxxzxzyyxzzxwzzz*
xyyzzzwyzyzzzzwzwwxzzyxzzzyyzzxxzzwxxzz|zz|{zzz{|zzz{z{zzzzzzz|z{z{z{{z{zzzzzz{{{zzz{z{{{+
[[[[[Y
[~[y*}7l
(Y9	q(
Y-c-D[
Y\?Jh;
-Yjoz{
YPn_ 2x
y[u`Ei
YV,m{4&
yyyy3Wq
"YZ3&T
z05t0U5
z:]6!q
z,B{5Cx
|ZN^!0
zP__]2
zss(@&
Z[Z[WWZZWWZZZXXZZZZWZXZZ[X[[[ZZWZZZZZWZZXWWZXZWZWZZZZZZZZZ[ZW[ZZ[ZZ[ZWWZ[[ZZWZZZZ[[WZZZZZA
}}}{{{}}}{{}{{{}}{}}{{}}}{}}}{z}{}}{}{}}}}{}}}}{}{}}}}{}}}}{}}}}}}}{}}{}{}}{{}}zz}}}{}}}},
[[^[^[^[[]^[^[[[[[[[[[^^[[[[^^[[[[[^^[[[^^[[[[[[[^]^[[[[^[[^^[[[^ZZ[[^[[[^^^^[[ZZ[[][[[[^-
zz{{zz|{zzzzzz|}zzzzzzzzzz{z{|zz{zzz|{}}}}{}}}}{}{}}}}{}}}}{}}}}}}}{}}{}{}}{{}}zz}}}{}}}},