Analysis Date: 2015-12-02 04:19:44
MD5: 10bb8556cd81a506396e6cc7feb69d27
SHA1: cc0da9e7de5e5ab69872f317067ba15deee035ff

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5bf0df744d25d482fde3f6470b80114d sha1: 7a348c7acb401f9dd2f655544aa04fb60413d7de size: 5120
Section .rdata: md5: 4d8347bbf7ed1cf77737bd5651445cfd sha1: ff9d6a888ee73e44dba91b755608cf556487a405 size: 2048
Section .data: md5: 1d09639e1bac48a53b64a2760e5b5d78 sha1: 13018c1ccddaeb5d6fbb0f6b4b820e421357ab24 size: 73216
Section .rsrc: md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Timestamp: 2012-05-14 14:36:59
Packer: Microsoft Visual C++ v6.0
PEhash: 439044ffe1a5ed8af071246a681029f89d107756
IMPhash: 042c3e0dabd645f5ceb44bd41cdd4002
AV Rising: Error Scanning File
AV Mcafee: BackDoor-FGQ
AV Avira (antivir): BDS/Morix.bh.1
AV Twister: Virus.3AEBF3C0A0F238F8
AV Ad-Aware: Backdoor.Farfli.AS
AV Alwil (avast): Farfli-AP [Trj]
AV Eset (nod32): Win32/Farfli.KA
AV Grisoft (avg): SHeur4.AFUN
AV Symantec: Trojan Horse
AV Fortinet: W32/Generic.AC.48802
AV BitDefender: Backdoor.Farfli.AS
AV K7: Trojan ( 00052e341 )
AV Microsoft Security Essentials: Backdoor:Win32/Zegost!rfn
AV MicroWorld (escan): Backdoor.Farfli.AS
AV MalwareBytes: Backdoor.Farfli
AV Authentium: W32/Backdoor.AK.gen!Eldorado
AV Frisk (f-prot): W32/Backdoor.AK.gen!Eldorado
AV Ikarus: Trojan-Spy.Win32.Agent
AV Emsisoft: Backdoor.Farfli.AS
AV Zillya!: Trojan.Agent.Win32.239305
AV Kaspersky: Trojan-Spy.Win32.Agent.cbot
AV Trend Micro: BKDR_MORIX.DL
AV CAT (quickheal): Trojan.Aksula.A
AV VirusBlokAda (vba32): BScope.Trojan.SvcHorse.01643
AV Padvish: no_virus
AV BullGuard: Backdoor.Farfli.AS
AV Arcabit (arcavir): Backdoor.Farfli.AS
AV ClamAV: WIN.Trojan.Morix
AV Dr. Web: Trojan.PWS.Gamania.44731
AV F-Secure: Backdoor.Farfli.AS
AV CA (E-Trust Ino): Win32/SillyDl.YRG
AV Grisoft (avg): Generic33.BMOB

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\96B5BD42 ➝ C:\WINDOWS\96B5BD42\svchsot.exe\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\InfoTime\InfoTime ➝ 20151202\\x00
Creates File: PIPE\DAV RPC SERVICE
Creates File: PIPE\wkssvc
Creates File: PIPE\lsarpc
Creates File: PIPE\atsvc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\96B5BD42\svchsot.exe
Creates Process: net start "Task Scheduler"
Creates Mutex: dbgzlx.eicp.net:7777
Creates Mutex: 127.0.0.1:2012
Creates Mutex: 127.0.0.1:2012

Process
↳ net start "Task Scheduler"

Creates Process: net1 start "Task Scheduler"

Process
↳ net1 start "Task Scheduler"

Network Details:

DNS: dbgzlx.eicp.net
Type: A
174.128.255.231
Flows TCP: 192.168.1.1:1031 through 192.168.1.1:1116 ➝ 174.128.255.231:7777 (86 connections, one per consecutive source port from 1031 to 1116, all to the same destination host and port)

Strings
Deng
Me
.
jEZ
.
`.

0>Kj	@
1o0PjVo
2H(`@$hP
2q2fZz
??2@YAPAXI@Z
(3-!0,1'8"5.*2$
30;|k=
3BU/6D
3edJ*=
3<OWv	
~3sZ0e
??3@YAXPAX@Z
<4,$?7/'
>,4?v0
5j?#W!?W
"61B>7?g
8MZt	_^3
9NxkMUJ
9V>r+1V
_acmdln
_adjust_fdiv
a fSwq
B11Q']
B?1;Yu
b2w"wi=+
^~<B9av
Bmj278
bVtau&
}!CNk)Q
_controlfp
cT8y/Vc*$6,
=D60UJ
}d&8#e
@.data
$dBglD
d"'FeW
!d}%h8
DHjE~c
D$lD8C@-
Dmzb{1
^duLmb
d#X{8t
_except_handler3
F?(;ae
fbsMxR
FreeLibrary
`F,RT2
<f Uqw
fvGP90)
G9(eX8
%Gao)$
/.GeAv
GetLastError
__getmainargs
GetModuleHandleA
GetProcAddress
GetProcessHeap
GetStartupInfoA
HeapAlloc
HeapFree
huQBN#u
_initterm
InterlockedExchange
IsBadReadPtr
I>&V5 
_J0(7ih
j0h 1@
j0Ph<]A
&J5P{3
j`	7sRr
j8hp1@
j hP1@
JNYi(T
{jnYP\yp
}j)&S9
J}zSmy
k7dlLN
KERNEL32.dll
KkW|2C~Gw4S
-lAz.i
lB]!2@
lJ:cT%
LoadLibraryA
LocalAlloc
L;UyFhq
/#LVgb
@M1)sjY
m3iR]\L
	mg,M%
M.^ibO
:M\LNx
{M_>nc
moMoQk&
MPiYZ2s
M&sIpb	*
MSVCRT.dll
/M|U>CwU
NLx!<D
nV-I\O
OE9<e@
oNcVDA
?OVkr?8oz
_P'{:	
__p__commode
__p__fmode
-pGJ^)
Plg=:}
P??rGJv
Pu|OE0
pv:f7b
%,q::;
%+Q+PQ$
|{$:r: 
RaiseException
`.rdata
realloc
!RfS>d5+
RW2V6N
Sbc%)$
Server.Dat
__set_app_type
__setusermatherr
SF(F,S
S@S}8b
sT&+(m
_stricmp
SVWj@Ph
!This program cannot be run in DOS mode.
ti`>6q
T<(OWs
u?0Lm|W5'
#uaBO1R
U)Bt}gsN
	uiiTo/
u!+^NR
USER32.dll
<U^+tU
uu78we
ve*G)|
VirtualAlloc
VirtualFree
VirtualProtect
~V&m7D
VXF5r>iM
w,,Gb\p)
W];=je
w.<Jyj
%Wl-A#v2
WpI#8;
WSP8SH
wsprintfA
WT1nvu;
<W)v'8
x2R<B#
_XcptFilter
xhRS+dE
;x L^5
x)+MD\m,Ft$
XQ=Acw
/)XrE+
X!r,p8$
XxJpx.
Y4E~+tzP'
Y5t~V^mx`
]yu.]|$
z8&qo]Cf6
"_z[fW
-z%;u: