Analysis Date: 2015-05-06 13:35:13
MD5: 679ad2c73235f38d5f311357c004d7b9
SHA1: c0a9118c013005c2966a6d13646575d4680767c5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 0b369b633dd515ee3f502370fabba781 sha1: a6d78564b3006dc857a612c29c31e842f1d34d3a size: 40960
Section code: md5: 427b1fe57b3b0a37a8fc4c3247916ebe sha1: 7a15c53e18e12606cb0964672e4fef51487d7aaa size: 8192
Section .rdata: md5: e0e79676702855f8ef33c5c410412845 sha1: d5182ddd287906f06f31fca12ca61b2220ec04cb size: 12288
Section .data: md5: bfb3e38f29fc512182827a572d22f31d sha1: 239ad12168de8e1f95341c3295e4eaac6972be97 size: 20480
Section .reloc: md5: b1199a68948a7a5eef3c73e85c2f4b9d sha1: 12749af93de77e434b8e0bcf6daf73a6881ce39e size: 8192
Section .imports: md5: f01b2ba69f8b7f63fb2625953806d391 sha1: 7084f488b5734a13c8cb762f1a7548fd655390fc size: 4096
Timestamp: 2015-05-11 19:09:47 (note: later than the Analysis Date above)
PEhash: 562c7eb2e3b43cdb527972dabac17eb12ffe7c75
IMPhash: e24e5304e08ed28df15c638612330a62
AV Ad-Aware: Gen:Variant.Kazy.551881
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Kazy.551881
AV Authentium: W32/S-d37a73f3!Eldorado
AV Avira (antivir): TR/Dropper.Gen
AV BitDefender: Gen:Variant.Kazy.551881
AV BullGuard: Gen:Variant.Kazy.551881
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Kazy.551881
AV Eset (nod32): Win32/Dorkbot.J worm
AV Fortinet: W32/Dorkbot.B!worm
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.551881
AV Grisoft (avg): Generic_r.EQJ
AV Ikarus: Worm.Win32.Dorkbot
AV K7: Trojan ( 003db13d1 )
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic.dx!dqv
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.551881
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: Mal/Palevo-B
AV Symantec: no_virus
AV Trend Micro: Mal_DLDER
AV Twister: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Network Details:


Raw Pcap

Strings
.
.
l
e
\*.*
4ZBR19116-NNIF
82z2z2s2d2g4j6k4l62d
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
Adobe
\advapi32.dll
advapi32.dll
alFSVWJB
alg.exe
\apiSoftCA
BCDEFGHIJKLMNOPQRSTUVWXYZ
bett2f00
bett2f002
\bett2f002
bfsvc.exe
calc.exe
.cmd
\cmd.exe
.com
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
CreativeAudio
\CreativeAudio
crypt32.dll
csrss.exe
/c "start %%cd%%%s & attrib -s -h %%cd%%%s & xcopy /F /S /Q /H /R /Y %%cd%%%s %%temp%%\%s\ & attrib +s +h %%cd%%%s & start %%temp%%\%s\%s & exit"
/c "%%SystemRoot%%\explorer.exe %%cd%%%s & attrib -s -h %%cd%%%s & xcopy /F /S /Q /H /R /Y %%cd%%%s %%temp%%\%s\ & attrib +s +h %%cd%%%s & start %%temp%%\%s\%s & exit"
/c taskkill /F /IM Explorer.exe
C:\Users\MAQUIN~1\AppData\Local\Temp\temp41.tmp
C:\Users\Maquina03\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\Maquina03\AppData\Roaming\Microsoft\Windows\Themes
C:\Users\Maquina03\AppData\Roaming\Windows Live
C:\Users\Maquina03\AppData\Roaming\Windows Live\wikangkpkg.exe
C:\Users\Maquina03\AppData\Roaming\WindowsUpdate
dnsapi.dll
.exe
explorer.exe
.gonewiththewings
*.gonewiththewings
hh.exe
Identities
\Identities
i.dll
iexplore.exe
\Internet Explorer\
jjjj
jjjjjj
KOPWELERGKR23930DW
\Live.exe
.lnk
lsass.exe
lsv.exe
\Microsoft
\Microsoft\Windows
\Microsoft\Windows\Themes
msiexec.exe
ne.exe
netapi32.dll
netutils.dll
notepad.exe
\ntdll.dll
ole32.dll
OLLYDBG.EXE
open
petools.exe
.pif
%rand%
Reader_sl.exe
regedit.exe
rpcrt4.dll
rstrui.exe
rundll32.exe
%s\*
%s\*.*
samcli.dll
.scr
"%s" /CREATE /SC ONLOGON /TN "Windows Live" /TR "%s" /RL HIGHEST
%s\Documents and Settings\All users\Start Menu\Programs\Startup
secur32.dll
SeDebugPrivilege
services.exe
shell32.dll
shlwapi.dll
smsniff.exe
_smss.exe
smss.exe
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Uazi Soft
%s\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
"%s" /query /tn "Windows Live"
%s\Recycler
%s\%s
%s\%s.lnk
--startup
svchost.exe
System
\system32
\System32
\System32\schtasks.exe
[System Process]
%SystemRoot%\system32\cmd.exe
%SystemRoot%\system32\SHELL32.dll
temp41.tmp
twunk_16.exe
twunk_32.exe
UaziVer
%uniq%
%uniq%.exe
update
urlmon.dll
user32.dll
userenv.dll
w.exe
\Windows Live
\Windows Live\
Windows Live
Windows Live Installer
\WindowsUpdate
\WindowsUpdate\Live.exe
\WindowsUpdate\Updater.exe
winh
wininet.dll
winlogon.exe
wireshark.exe
write.exe
ws2_32.dll
wtsapi32.dll
ZBR-JNSEXOBM
:Zone.Identifier
0"0(050<0G0[0o0u0
0040<0@0X0\0p0x0
0#0Z0`0
0141<1@1X1\1p1x1
02373=3D3
051;1M1Z1c1h1n1
>$>*>0>6><>B>H>N>T>Z>`>f>l>r>x>~>
;$;*;0;6;<;B;H;N;T;Z;`;f;t;x;|;
? ?$?(?,?0?8?<?@?D?H?L?P?T?X?\?`?d?h?l?p?t?x?|?
;%;*;0;B;I;P;W;_;f;l;|;
0c0h0u0
;";);0;E;L;
?"?*?0?:?L?T?Z?d?v?~?
0R031>1S1]1g1
1"1(1.1<1@1D1H1L1P1T1X1\1`1d1h1l1t1x1|1
1$1.121=1B1L1U1_1c1n1s1}1
1$1:1D1I1T1^1c1
1!1A1e1j1w1
1'1N1[1r1
1'212@2
1%222A2J2Q2W2d2m2t2
171K1c1
1z2z3reas34534543233245x6
2 2$2(2,2024282<2D2H2L2l3x3
2"2(2.2<2@2D2H2L2P2T2X2\2`2d2h2l2x2|2
2)2:2G2\2i2p2
2/2O2s2
2	3"3G3Z3v3
253U3t4
?2?;?A?M?}?
31373~3
323D3K3Z3p3v3
3!303f3
3&3-353<3B3I3N3U3[3
3,343H3N3T3Z3`3f3l3r3x3~3
344A4V4k4u4
3!4.4I4V4h4
374K4P4]4b4o4t4
384H4^4{4
>3?B?V?q?~?
4'404;4R4X4c4w4
4 4$4(4,40444<4@4D4H4L4P4T4X4\4`4h4l4p4t4x4|4
4$4,484>4D4J4P4V4\4b4h4n4t4z4
<!<'<.<4<;<A<J<P<X<k<}<
=4=b=o=
<$<4<B<o<|<
;$<4<J<f<
= =4=;=T=[=a=h=|=
515>5E5}5
546@6L6X6d6p6
5$5+525:5A5G5W5b5i5o5v5{5
5!5.53585E5J5O5\5a5j5p5
5"5/545:5J5Q5c5h5n5u5z5
5'585F5{5
:!:5:;:B:V:]:
<"<5<<<C<X<_<
;+;5;?;V;f;t;
60;0Q0[0
637@7i7x7
6%6+636F6X6c6m6y6
6 6*686=6G6Z6
6[6b6w6
6G6T6q6|6
=6=@=n=
747n7u7
7$7*70767<7B7H7N7T7Z7`7f7l7r7x7~7
7 7&7-74797@7F7M7S7]7c7n7u7|7
7#797L7T7`7k7|7
7/7q7<;
787=7J7^7c7p7~7
7	888=8J8j8u8
7<8S8m8
7A7J7P7
<#<7<s<
> >,>8>
809F9\9r9
8#848:8Q8l8v8{8
8 8$8(8,8084888<8@8D8
8 8`8e8t8y8~8
8 8O8c8h8u8
8 9)9.9@9Z9c9i9z9
=8>r>}>
="=8===S=z=
?>'8'y!1"<0$"8'6!y%"
?>'8'y>#1"#"%24;"5y%"
?>'8'y#-$15>4y%"
?>'8'y1&6.-60y%"
?>'8'y?%18:>8y%"
?>'8'y22500?1$y%"
?>'8'y245$'20y%"
?>'8'y-.:<2;6y%"
?>'8'y#?2;8!2`cgy%"
?>'8'y'=?-"%2y%"
?>'8'y"<:$$<2y%"
?>'8'y=4>"-6:y%"
?>'8'y489$";#>90>94y%"
?>'8'y489924#cy%"
?>'8'y? %4:$%y%"
?>'8'y:>5=<>5y%"
?>'8'y/5->>6$:y48:
?>'8'y&->5904y%"
?>'8'y=<<=.:#5y48:
?>'8'y/89'&>0 y%"
?>'8'y''8?9&65y48:
?>'8'y9!"25-8y%"
?>'8'y#>9."'36#2$y%"
?>'8'y!>93"$#%.y%"
?>'8'y96#9#5"8y%"
?>'8'y o$#6%#y%"
?>'8'y= -".=.<y%"
?>'8'y>:!???#y%"
?>'8'y;/$%! <y%"
?>'8'y&;:</&;/y48:
91989C9N9u9
9 9&9,92989>9D9J9P9V9\9b9h9n9t9z9
9%9.9;9X9
9+9<9i9
9!9u9{9
99:]:z:
>#>,>9>B>O>X>e>v>
:%:/:9:C:M:W:a:k:u:
AdjustTokenPrivileges
advapi32.dll
ADVAPI32.dll
<!<.<:<@<a<k<}<
=<=A=K=h=
>!>A>n>
B.imports
?>?b?i?v?
>b>k>p>|>
CharLowerW
=?=c=h=u=
CloseHandle
closesocket
CoCreateGuid
CoCreateInstance
CoInitializeEx
CopyFileW
CoUninitialize
CreateDirectoryW
CreateEventA
CreateEventW
CreateFileA
CreateFileMappingA
CreateFileW
CreateIoCompletionPort
CreateMutexA
CreateProcessW
CreateRemoteThread
CreateThread
CreateToolhelp32Snapshot
@.data
debug_cache_dump_2384394.dmp
DeleteFileW
<D<H<L<P<T<X<\<`<d<h<l<p<t<|<
%dMutex%dExplorer%dMutex%d
dnsapi.dll
DNSAPI.dll
DnsQuery_A
DnsRecordListFree
downloader 
downloader2 
DuplicateHandle
E#+E/^ZY
EnterCriticalSection
ExitProcess
ExitThread
FindClose
FindFirstFileW
FindNextFileW
GetComputerNameW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetDriveTypeW
GetExitCodeProcess
GetFileAttributesExW
GetFileAttributesW
GetFileSize
GetLastError
GetLongPathNameW
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetProcessImageFileNameW
GetProcessVersion
GetQueuedCompletionStatus
GetShellWindow
GetSystemTimeAsFileTime
GetSystemWow64DirectoryW
GetTempPathW
GetTickCount
GetUserNameW
GetVersionExA
GetVersionExW
GetVolumeInformationW
GetWindowsDirectoryW
GetWindowThreadProcessId
>;>G>T>b>
: :$:(:,:\:`:h:l:
HttpAddRequestHeadersA
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
InitializeCriticalSection
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetReadFile
InternetSetOptionA
;\;i;o;u;~;
IsWoW64Process
;";/;j;
='===J=a=
>%>:>J>T>c>
?'?<?J?T?Y?d?
:#:(:.:j:w:|:
kernel32.dll
KERNEL32.dll
kernelbase.dll
:*:^:k:v:
;<;l;0<j<
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
LockFile
LookupPrivilegeValueW
lstrcatA
lstrcatW
lstrcmpiA
lstrcmpiW
lstrcmpW
lstrcpyA
lstrcpyW
lstrlenA
lstrlenW
_LZero
>,>M>}>
MapViewOfFile
MessageBoxA
MoveFileExW
MoveFileW
msvcp90.dll
MultiByteToWideChar
MUTEX_NAME_
ntdll.dll
NtQueryDirectoryFile
NtQueryInformationThread
NtQueueApcThread
NtResumeThread
ObtainUserAgentString
ole32.dll
?+?O?o?
OpenProcess
OpenProcessToken
PathFindFileNameW
PathRemoveArgsW
Process32FirstW
Process32NextW
psapi.dll
:$:):::?:P:U:f:k:|:
Qkkbal
QueryPerformanceCounter
Range: bytes=%d-%d
`.rdata
ReadFile
reboot
RegCloseKey
RegCreateKeyExW
RegDeleteValueW
RegEnumValueW
RegFlushKey
RegNotifyChangeKeyValue
RegOpenKeyExW
RegOpenKeyW
RegQueryInfoKeyW
RegQueryValueA
RegQueryValueExW
RegSetValueExW
.reloc
ResetEvent
SetCurrentDirectoryW
SetEvent
SetFileAttributesW
SetFilePointer
SetHandleContext
SetLastError
SetUnhandledExceptionFilter
SHCreateDirectoryExW
shell32.dll
SHELL32.dll
ShellExecuteW
SHFileOperationW
SHGetFolderPathW
SHGetSpecialFolderPathW
shlwapi.dll
SHLWAPI.dll
?_Stinit@?1??_Init@?$basic_filebuf@_WU?$char_traits@_W@std@@@std@@IAEXPAU_iobuf@@W4_Initfl@23@@Z@4HA
StrChrW
StrCmpNIW
StrRChrW
StrStrW
TerminateProcess
TerminateThread
!This program cannot be run in DOS mode.
uninstall
UnlockFile
UnmapViewOfFile
update 
update2 
urlmon.dll
user32.dll
USER32.dll
User Agent
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualFreeEx
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
wininet.dll
WININET.dll
winsta.dll
WinStationUnRegisterConsoleNotification
WriteFile
WriteProcessMemory
ws2_32.dll
WS2_32.dll
WSAGetLastError
WSARecvFrom
WSASendTo
WSASocketW
WSAStartup
wsprintfA
	wsprintfA
wsprintfW
	wsprintfW
wWXZOlIzwOwzIlOZXWw
ZwSetLdtEntries