Analysis Date: 2015-08-01 18:50:27
MD5: 6f89485f796bcb1ae41a80c2ff839b82
SHA1: c38aeb98117742a60e7b2f6a91e199bbea99c54a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5 d41d8cd98f00b204e9800998ecf8427e, sha1 da39a3ee5e6b4b0d3255bfef95601890afd80709, size 0 (both values are the hashes of empty input, as expected for a UPX0 section that has no raw data on disk)
Section UPX1: md5 15c08fca38fa8d0d68f54e435374a8b3, sha1 a7df9080016b4e175ed17ba7ab7f8371b5669bf6, size 254464
Section .rsrc: md5 6488897e7040ab2e4e0c3aaf507bc500, sha1 68f588f61215f896347e5c386601f03f8a7f1b2c, size 103936
Timestamp: 2012-06-07 15:59:53
Version info (self-declared resource data, not a verified publisher identity):
    LegalCopyright: Copyright (C) 1999
    InternalName: MSRSAAPP
    FileVersion: 1, 0, 0, 1
    CompanyName: Microsoft Corp.
    Comments: Remote Service Application
    ProductName: Remote Service Application
    ProductVersion: 4, 0, 0, 0
    FileDescription: Remote Service Application
    OriginalFilename: MSRSAAP.EXE
Packer: UPX -> www.upx.sourceforge.net
PEhash: b0f963e7ce758f8fac79c46bfc44a01dd39eb634
IMPhash: a38ad86d74cafc45094a5085e33419e4
AV detections (Fynloski is the name Microsoft and ESET use for the DarkComet family):
AV CA (E-Trust Ino): Win32/Fynloski.DY
AV F-Secure: Trojan.Inject.AUZ
AV Dr. Web: BackDoor.Comet.884
AV ClamAV: WIN.Trojan.DarkKomet
AV Arcabit (arcavir): Trojan.Inject.AUZ
AV BullGuard: Trojan.Inject.AUZ
AV Padvish: Backdoor.Win32.DarkKomet.xyk.Generic
AV VirusBlokAda (vba32): Backdoor.DarkKomet
AV CAT (quickheal): no_virus
AV Trend Micro: TROJ_FORUCON.BMC
AV Kaspersky: Backdoor.Win32.DarkKomet.aagt
AV Zillya!: Trojan.Fynloski.Win32.3191
AV Emsisoft: Trojan.Inject.AUZ
AV Ikarus: Backdoor.Win32.DarkKomet
AV Frisk (f-prot): W32/Downloader.C.gen!Eldorado
AV Authentium: W32/Downloader.C.gen!Eldorado
AV MalwareBytes: Backdoor.Bot.DarkKomet
AV MicroWorld (escan): Trojan.Inject.AUZ
AV Microsoft Security Essentials: Backdoor:Win32/Fynloski.A
AV K7: Backdoor ( 003b505d1 )
AV BitDefender: Trojan.Inject.AUZ
AV Fortinet: W32/Generic.AC.606
AV Symantec: Backdoor.Graybird
AV Grisoft (avg): BackDoor.Generic15.CFFJ
AV Eset (nod32): Win32/Fynloski.AA
AV Alwil (avast): Agent-AWZS [Trj]
AV Ad-Aware: Trojan.Inject.AUZ
AV Twister: Backdoor.0100@2FF0204@2F.mg
AV Avira (antivir): BDS/Backdoor.Gen
AV Mcafee: Generic.gj
AV Rising: Backdoor.Win32.DarkKomet.c

Runtime Details:


Process: C:\malware.exe
    Registry write: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit ➝
        C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\All Users\Start Menu\WINDOWS\Windows Update.exe
        (REG_SZ, trailing NUL stripped; the dropped copy is appended after the legitimate userinit.exe, so Winlogon launches it at every interactive logon)
    Registry write: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate ➝
        C:\Documents and Settings\All Users\Start Menu\WINDOWS\Windows Update.exe (trailing NUL stripped)
    Creates file: C:\Documents and Settings\All Users\Start Menu\WINDOWS\Windows Update.exe
    Creates file: PIPE\lsarpc
    Creates process: C:\Documents and Settings\All Users\Start Menu\WINDOWS\Windows Update.exe
    Creates process: cmd.exe /k attrib C: +s +h
    Creates process: cmd.exe /k attrib C: +s +h
    (two separate cmd.exe instances with the same command line; their children below differ)

Process: cmd.exe /k attrib C: +s +h
    Creates process: attrib "C:" +s +h

Process: cmd.exe /k attrib C: +s +h
    Creates process: attrib "C:\malware.exe" +s +h
    (sets the System and Hidden attributes on the original dropper so it no longer shows in a default Explorer view)

Process: C:\Documents and Settings\All Users\Start Menu\WINDOWS\Windows Update.exe
    Registry write: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate ➝
        C:\Documents and Settings\All Users\Start Menu\WINDOWS\Windows Update.exe (trailing NUL stripped; the dropped copy re-sets the same Run value)
    Creates file: PIPE\lsarpc
    Creates file: \Device\Afd\Endpoint (socket creation; see Network Details)
    Creates process: notepad
    Creates process: C:\Program Files\Internet Explorer\iexplore.exe
    Creates process: C:\WINDOWS\explorer.exe
    Creates mutex: DC_MUTEX-M1JFHWK

Process: attrib "C:" +s +h

Process: attrib "C:\malware.exe" +s +h

Process: C:\Program Files\Internet Explorer\iexplore.exe

Process: C:\WINDOWS\explorer.exe

Process: notepad
    Creates mutex: DC_MUTEX-M1JFHWK (same mutex as the parent, indicating the RAT code also runs inside the spawned notepad process)
    Creates mutex: DCPERSFWBP
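The registry, command-line and mutex artifacts above are the ones a responder would turn into host checks. The following Python is an added example, not part of the original sandbox report: it takes the UserInit value, the Run-key value, the attrib command lines and the mutex names as transcribed from this report (constructed sample input), and returns what a triage script would flag. The stock UserInit path and the DC_MUTEX- naming pattern are assumptions stated in the code; the rest is taken verbatim from the report.

```python
"""Triage checks for the persistence and evasion artifacts listed above.

Added example, not part of the original sandbox report. The registry values,
command lines and mutex names below are transcribed from the report; the
stock UserInit path and the DarkComet mutex pattern are assumptions.
"""
import re
import shlex

# Stock Winlogon UserInit value on the XP-era sandbox used here (assumption).
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe"

# Registry data as dumped by the sandbox (REG_SZ with its trailing NUL).
USERINIT_VALUE = (
    r"C:\WINDOWS\system32\userinit.exe,"
    r"C:\Documents and Settings\All Users\Start Menu\WINDOWS\Windows Update.exe"
    "\x00"
)
RUN_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate":
        r"C:\Documents and Settings\All Users\Start Menu\WINDOWS\Windows Update.exe" "\x00",
}
ATTRIB_CMDLINES = [
    'cmd.exe /k attrib C: +s +h',
    'attrib "C:" +s +h',
    'attrib "C:\\malware.exe" +s +h',
]
MUTEXES = ["DC_MUTEX-M1JFHWK", "DCPERSFWBP"]


def _clean(value):
    """Strip the trailing NUL (real, or rendered as the text '\\x00') and whitespace."""
    return value.replace("\\x00", "").rstrip("\x00").strip()


def userinit_extra_entries(value):
    """Return every UserInit entry other than the stock userinit.exe.

    UserInit is a comma-separated list and Winlogon runs each entry at
    interactive logon, so an appended path is a logon-time persistence hook.
    """
    entries = [e.strip() for e in _clean(value).split(",")]
    return [e for e in entries if e and e.lower() != DEFAULT_USERINIT.lower()]


def suspicious_run_entries(run_values):
    """Flag Run-key targets outside the Windows and Program Files trees.

    This is a location check, not a name check: 'Windows Update.exe' under the
    All Users Start Menu folder is flagged regardless of its lure name.
    """
    trusted = ("c:\\windows\\", "c:\\program files\\")
    hits = []
    for name, value in run_values.items():
        target = _clean(value).strip('"')
        if not target.lower().startswith(trusted):
            hits.append((name, target))
    return hits


def attrib_hidden_targets(cmdlines):
    """Return the paths that an attrib command marks both System (+s) and Hidden (+h)."""
    hits = []
    for line in cmdlines:
        # posix=False keeps Windows backslashes literal; quotes are stripped afterwards.
        tokens = [t.strip('"') for t in shlex.split(line, posix=False)]
        lowered = [t.lower() for t in tokens]
        if "attrib" not in lowered:
            continue
        args = tokens[lowered.index("attrib") + 1:]
        flags = {a.lower() for a in args if a[0] in "+-"}
        if {"+s", "+h"} <= flags:
            hits.extend(a for a in args if a[0] not in "+-")
    return hits


# DarkComet's default mutex is 'DC_MUTEX-' plus an alphanumeric ID (assumption
# from public DarkComet write-ups); DCPERSFWBP is taken verbatim from this report.
DARKCOMET_MUTEX = re.compile(r"^DC_MUTEX-[A-Z0-9]+$")


def darkcomet_mutex_hits(names):
    """Return mutex names matching the DarkComet defaults."""
    return [n for n in names if DARKCOMET_MUTEX.match(n) or n == "DCPERSFWBP"]


if __name__ == "__main__":
    print("UserInit extras:", userinit_extra_entries(USERINIT_VALUE))
    print("Run-key hits:", suspicious_run_entries(RUN_VALUES))
    print("attrib +s +h targets:", attrib_hidden_targets(ATTRIB_CMDLINES))
    print("DarkComet mutexes:", darkcomet_mutex_hits(MUTEXES))
```

On a live host the same functions apply to values read from the registry and to process-creation logs; the UserInit check is the one worth running first, because that key survives a user-profile wipe and is rarely audited.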

Network Details:

DNS: blackwizardt.no-ip.org (A) ➝ 186.236.46.63
    (no-ip.org is a dynamic-DNS service, so the resolved address is only meaningful for this analysis date; the hostname is the durable indicator)
Flow TCP: 192.168.1.1:1037 ➝ 186.236.46.63:1111
Flow TCP: 192.168.1.1:1038 ➝ 186.236.46.63:1111
Flow TCP: 192.168.1.1:1039 ➝ 186.236.46.63:1111
Flow TCP: 192.168.1.1:1040 ➝ 186.236.46.63:1111
Flow TCP: 192.168.1.1:1041 ➝ 186.236.46.63:1111
Flow TCP: 192.168.1.1:1042 ➝ 186.236.46.63:1111
Flow TCP: 192.168.1.1:1043 ➝ 186.236.46.63:1111
Flow TCP: 192.168.1.1:1044 ➝ 186.236.46.63:1111
Flow TCP: 192.168.1.1:1045 ➝ 186.236.46.63:1111
    (nine connections from consecutive ephemeral ports to the same C2 endpoint within the run, i.e. the client keeps reconnecting to 186.236.46.63:1111)

Raw Pcap (the same 22-byte payload appears four times in the capture; shown once)
0x00000000 (00000)   44353733 42413541 34454646 43334642   D573BA5A4EFFC3FB
0x00000010 (00016)   36323933 3038                         629308
The payload is 22 ASCII hex digits (11 raw bytes once decoded), consistent with DarkComet's habit of sending RC4 ciphertext as hex text.
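To work with that dump rather than eyeball it, the following Python is an added example, not part of the original report: it parses the sandbox's hex-dump format back into bytes, strips the ASCII-hex layer, and then tries an RC4 decryption with the default DarkComet key prefixes that public config decoders use. The dump text is transcribed from the report; the RC4 step, the key list and the assumption that no operator password was appended are mine, and if the operator set a password the decryption attempt simply returns nothing.

```python
"""Recover the raw bytes from the 'Raw Pcap' dump above and peel the hex layer.

Added example, not part of the original sandbox report. DUMP is transcribed
from the report. The RC4 step and the key prefixes are assumptions: public
DarkComet config decoders use '#KCMDDCxx#-890' plus the operator password,
and the password (if any) for this sample is not known from the report.
"""
import re

DUMP = """\
0x00000000 (00000)   44353733 42413541 34454646 43334642   D573BA5A4EFFC3FB
0x00000010 (00016)   36323933 3038                         629308
"""

# offset, (decimal offset), hex groups separated by single spaces, then two or
# more spaces and the ASCII rendering (which here happens to look like hex too)
LINE = re.compile(
    r"^0x[0-9A-Fa-f]{8} \(\d+\)\s+((?:[0-9A-Fa-f]{2,8} )*[0-9A-Fa-f]{2,8})(?:\s{2,}.*)?$"
)


def parse_hexdump(text):
    """Return the bytes encoded by the hex columns of a sandbox-style dump."""
    out = bytearray()
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def unhex_layer(payload):
    """DarkComet sends RC4 ciphertext as uppercase ASCII hex; undo that layer."""
    text = payload.decode("ascii")
    if len(text) % 2 or not re.fullmatch(r"[0-9A-F]+", text):
        raise ValueError("payload is not an even-length uppercase hex string")
    return bytes.fromhex(text)


def rc4(key, data):
    """Textbook RC4 (KSA then PRGA). Symmetric: the same call decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Assumed default RC4 key prefixes by DarkComet version (5.1, 5.0, 4.2F, 4.0, 2.0);
# the builder appends the operator password, which is empty by default.
DEFAULT_KEYS = [b"#KCMDDC51#-890", b"#KCMDDC5#-890", b"#KCMDDC42F#-890",
                b"#KCMDDC4#-890", b"#KCMDDC2#-890"]


def try_default_keys(ciphertext, password=b"", keys=DEFAULT_KEYS):
    """Return {key: plaintext} for every key whose output is printable ASCII.

    An empty result means the operator set a password (or this is not the
    layer we assume), not that the traffic is benign.
    """
    hits = {}
    for key in keys:
        pt = rc4(key + password, ciphertext)
        if pt and all(0x20 <= c < 0x7F for c in pt):
            hits[key] = pt
    return hits


if __name__ == "__main__":
    raw = parse_hexdump(DUMP)
    ct = unhex_layer(raw)
    print("payload:", raw, "->", ct.hex(), f"({len(ct)} bytes)")
    for key, pt in try_default_keys(ct).items():
        print("candidate", key, "->", pt)
```

The printable-ASCII filter is a weak oracle for an 11-byte message, so treat any candidate it returns as a lead to confirm against a longer flow, not as a decoded command.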


Strings