Analysis Date: 2014-11-21 16:10:27
MD5: dd71cb6902717f245f5bf599779e8de9
SHA1: cd016d69d3b8f6817c23fe679d8b6e5882fd08ac

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: e69723e0a74be1a6cc4cda43a5ae0277 sha1: 44526971de3c0998ef8f0f5b073602d38b0e11de size: 150528
Section .rdata md5: 83a8ef7e91f3cea1e4943f26f5fe1987 sha1: 66c1c266a5f5fde2803b9d7c4415b937ffc53687 size: 120832
Section .data md5: 008029de29639c309d316d72a239dbd7 sha1: 112979ff8f9a9100ffa007fdfd8c28cdb96af9fc size: 2560
Section .rsrc md5: 9331a498607fd50177ecde933488ab97 sha1: 4375bc65f0f08fd40de560b50c9be811888c071d size: 512
Section .reloc md5: f8876b6fa66c0c5fc0283ac67c1741b7 sha1: 5974131702b3c31918ecc45d78c0cc58070bca4e size: 1024
Timestamp: 2013-09-23 18:31:32 (COFF header link timestamp; it is attacker-controlled, so treat it as a hint, not a fact)
Version: CompanyName: Корпорация Майкрософт (Russian: "Microsoft Corporation")
FileDescription: Редактор личных символов (Russian: "Private Character Editor", the description carried by Windows' own eudcedit.exe; the version resource impersonates a Microsoft binary)
PEhash: 7580643cd01558bdf53173828053971434a73659
IMPhash: 0734294b1c3f0ae3e2f6e5ff06feac4f (MD5 over the ordered import table; useful for pivoting to other samples built from the same source or packer)
AV detections (vendor: verdict):
360 Safe: Gen:Variant.Kazy.253772
Ad-Aware: Gen:Variant.Kazy.253772
Alwil (avast): Malware-gen:Win32:Malware-gen
Arcabit (arcavir): no_virus
Authentium: W32/A-5e90b529!Eldorado
Avira (antivir): TR/Kazy.27648012
BullGuard: Gen:Variant.Kazy.253772
CA (E-Trust Ino): no_virus
CAT (quickheal): TrojanDropper.Gepys.A
ClamAV: Win.Trojan.Agent-814955
Dr. Web: Trojan.Mods.4
Emsisoft: Gen:Variant.Kazy.253772
Eset (nod32): Win32/Kryptik.BLBB
Fortinet: W32/Kryptik.BJBC!tr
Frisk (f-prot): no_virus
F-Secure: Gen:Variant.Kazy.253772
Grisoft (avg): Dropper.Generic8.BZJZ
Ikarus: Trojan.Win32.Malagent
K7: Trojan ( 0046d9681 )
Kaspersky: Trojan.Win32.Generic
MalwareBytes: Trojan.Agent.ED
Mcafee: Packed-AM!DD71CB690271
Microsoft Security Essentials: Trojan:Win32/Gepys.B
MicroWorld (escan): Gen:Variant.Kazy.253772
Rising: no_virus
Sophos: Troj/Agent-ADVT
Symantec: Packed.Generic.459
Trend Micro: TROJ_KRYPTK.SML2
VirusBlokAda (vba32): Trojan.ShipUp
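The section hashes, size and Timestamp fields above are derived from the PE section table and the COFF header. The following is an added example, not part of this report or of any sandbox's code, that re-derives those fields with the standard library only. It walks DOS header, PE signature, COFF header and section table, hashes each section over its SizeOfRawData bytes on disk (padding included, which is why the reported sizes are multiples of 512), and renders the result in the same layout as the block above. Because this page does not carry the sample, the code builds a constructed minimal PE image (two sections, the sample's link timestamp) to run against; the timestamp is assumed to be UTC.

```python
"""Re-derive the "Static Details" fields a sandbox reports for a PE file:
COFF link timestamp and a per-section MD5/SHA1/size line.
Added example, stdlib only; it parses a constructed minimal PE image,
not the analysed sample."""
import hashlib
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x14C: "Intel 80386 32-bit", 0x8664: "x86-64"}
FILE_ALIGN = 0x200  # assumed file alignment for the constructed image


def hash_pair(raw: bytes):
    """MD5 and SHA1 hex digests of a byte string, as the report prints them."""
    return hashlib.md5(raw).hexdigest(), hashlib.sha1(raw).hexdigest()


def parse_pe(data: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns (machine, timestamp_utc_string, [(name, md5, sha1, raw_size), ...]).
    Each section is hashed over SizeOfRawData bytes at PointerToRawData,
    i.e. the on-disk bytes including alignment padding."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    # The report's Timestamp field is this 32-bit epoch value; assumed UTC.
    ts = datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        raw = data[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:
            raise ValueError(f"section {name} extends past end of file")
        md5, sha1 = hash_pair(raw)
        sections.append((name, md5, sha1, raw_size))
    return machine, ts, sections


def report_lines(data: bytes):
    """Render the parsed fields in the same layout as the Static Details block."""
    machine, ts, sections = parse_pe(data)
    lines = [f"File type: PE32 executable {MACHINE_NAMES.get(machine, hex(machine))}"]
    lines += [f"Section {n} md5: {m} sha1: {s} size: {sz}" for n, m, s, sz in sections]
    lines.append(f"Timestamp: {ts}")
    return lines


def build_test_pe(sections, timestamp: int) -> bytes:
    """Construct a minimal PE32 image from [(name, content_bytes), ...].
    SizeOfOptionalHeader is 0: enough for the section walk above,
    not a loadable executable."""
    nsec = len(sections)
    hdr_len = 0x40 + 4 + 20 + 40 * nsec
    hdr_len = (hdr_len + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, timestamp, 0, 0, 0, 0x0102)
    table, body, raw_ptr, vaddr = b"", b"", hdr_len, 0x1000
    for name, content in sections:
        raw_size = (len(content) + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(content), vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += content.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += (raw_size + 0xFFF) // 0x1000 * 0x1000
    header = (bytes(dos) + b"PE\0\0" + coff + table).ljust(hdr_len, b"\0")
    return header + body


if __name__ == "__main__":
    # Constructed image: two sections and the sample's link timestamp (assumed UTC).
    image = build_test_pe([(".text", b"\x90" * 0x400), (".rdata", b"A" * 0x200)], 1379961092)
    print("\n".join(report_lines(image)))
```

Run `parse_pe` over the real sample and compare the output with the report's section lines before trusting a third-party hash set; a mismatch on one section with identical full-file hashes usually means the tool hashed VirtualSize rather than SizeOfRawData bytes.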

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\All Users\Application Data\Mozilla\xgdnakm.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Tasks\ojdkgck.job

"Creates File" is the sandbox's label for CreateFile calls, so the PIPE\lsarpc entry is a handle opened on the LSA RPC named pipe, not a file written to disk. The other two are real drops: an executable under the All Users profile in a directory named after Mozilla, and a legacy Task Scheduler job file in C:\WINDOWS\Tasks (the job's target and trigger are not captured in this report).

Process
↳ C:\Documents and Settings\All Users\Application Data\Mozilla\xgdnakm.exe

Process
↳ C:\WINDOWS\Explorer.EXE

Explorer.EXE is listed as a process in the run; the report does not record how it became involved.
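The three CreateFile events and the follow-on process start above are the whole behavioural story of this run: drop an executable under a shared profile directory, register a Task Scheduler job, run the drop. The following is an added example, not the sandbox's own logic, of triage rules over such an event stream. The event list is constructed from the paths on this page; the rules also accept the Vista+ ProgramData location, a generalisation of the XP-era path the report shows, and the vowel-ratio threshold for "random-looking" names is an assumed heuristic.

```python
"""Behavioural triage of sandbox file/process events of the kind listed
under Runtime Details. Added example (not the sandbox's own logic); the
event list is constructed from the paths on this page."""
import re

# Windows XP "All Users\Application Data" and Vista+ "ProgramData" drop locations.
PROGRAMDATA_RE = re.compile(
    r"^[a-z]:\\(documents and settings\\all users\\application data|programdata)\\", re.I)
# Legacy Task Scheduler job files live in %WINDIR%\Tasks\*.job.
TASKS_JOB_RE = re.compile(r"^[a-z]:\\windows\\tasks\\[^\\]+\.job$", re.I)
# Binaries that legitimately write .job files (assumed allow-list).
SCHEDULER_HOSTS = {"schtasks.exe", "at.exe", "mstask.exe", "svchost.exe"}

# Constructed from the page's Runtime Details; not sandbox output.
SAMPLE_EVENTS = [
    {"pid": 1, "process": r"C:\malware.exe", "op": "CreateFile",
     "path": r"C:\Documents and Settings\All Users\Application Data\Mozilla\xgdnakm.exe"},
    {"pid": 1, "process": r"C:\malware.exe", "op": "CreateFile", "path": r"PIPE\lsarpc"},
    {"pid": 1, "process": r"C:\malware.exe", "op": "CreateFile",
     "path": r"C:\WINDOWS\Tasks\ojdkgck.job"},
    {"pid": 2, "process": r"C:\Documents and Settings\All Users\Application Data\Mozilla\xgdnakm.exe",
     "op": "ProcessStart"},
    {"pid": 3, "process": r"C:\WINDOWS\Explorer.EXE", "op": "ProcessStart"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def looks_random(filename: str) -> bool:
    """Heuristic for generated names like xgdnakm.exe: all letters, 6+ long,
    fewer than a quarter vowels. Assumed threshold; tune on your own corpus."""
    stem = filename.rsplit(".", 1)[0].lower()
    if len(stem) < 6 or not stem.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return vowels / len(stem) < 0.25


def triage(events):
    """Return [(rule, detail), ...] for the suspicious patterns in the event stream."""
    findings = []
    dropped = {}  # lower-cased path -> writing process
    for ev in events:
        if ev["op"] == "CreateFile":
            path = ev["path"]
            if path.lower().startswith("pipe\\"):
                # Named-pipe handle opens (PIPE\lsarpc is the LSA RPC endpoint) are
                # not file drops; the CreateFile hook just logs them under the same label.
                continue
            if PROGRAMDATA_RE.match(path) and path.lower().endswith(".exe"):
                dropped[path.lower()] = ev["process"]
                findings.append(("exe_dropped_in_programdata", path))
            if TASKS_JOB_RE.match(path) and basename(ev["process"]) not in SCHEDULER_HOSTS:
                findings.append(("job_file_written_by_non_scheduler", path))
            if looks_random(basename(path)):
                findings.append(("random_looking_filename", path))
        elif ev["op"] == "ProcessStart" and ev["process"].lower() in dropped:
            findings.append(("dropped_exe_executed", ev["process"]))
    return findings


def verdict(findings) -> str:
    """Collapse findings into a one-word triage label."""
    rules = {r for r, _ in findings}
    if {"exe_dropped_in_programdata", "dropped_exe_executed"} <= rules:
        return "dropper+persistence" if "job_file_written_by_non_scheduler" in rules else "dropper"
    return "suspicious" if rules else "clean"


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:36} {detail}")
    print("verdict:", verdict(triage(SAMPLE_EVENTS)))
```

The same rules map onto Sysmon telemetry (event ID 11 for file creation, event ID 1 for process start) for hunting outside a sandbox; the lsarpc exclusion matters there too, since many benign processes open that pipe for account lookups.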

Network Details:

Raw Pcap (download link only; the report lists no parsed network events for this run)

Strings (raw strings output; most entries are printable runs from packed data, consistent with the Packed/Kryptik verdicts above. Worth noting: the import names, the version-info block whose language ID 041904B0 is Russian/Unicode, and the registry path software\classes\444erface\{0c733a5e-2a1c-11ce-ade5-00aa0044773d}\nummethods, a mangled form of the standard HKCR\Interface\{GUID}\NumMethods key)
....
w
..=
....
W.
.2.l
Int
041904B0
562424
CompanyName
FileDescription
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
0 0$0(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0
01D5#BG!
01Du!BGa
1 1$1(1,1
1"1+151q1
1Q>&=k>Q
2#2-272A2J2P2]2b2h2m2v2}2
23&+]j
; ;&;,;2;8;>;D;J;P;V;
*3hSso
\3rr*Y
4$4.474A4G4M4U4[4a4h4
4%5*505:5F5L5R5W5]5i5p5~5
>4/kK7
:#:):/:5:;:A:G:M:S:Y:_:e:k:q:w:}:
6"6(6-626=6K6Q6_6d6i6o6u6
7%7+7C7I7O7V7\7k7w7}7
`}7CLB,
7jxm7a
7uGB;:
<`>8QS>
, a84|m1
a/,BYR_
_acmdln
_adjust_fdiv
ADVAPI32.dll
`AW|]pX
)BFz AK[
Bz3UGn3E3b331k3&1A3(D;3-IB3)=F3%AJ3qU~3
_cexit
_c_exit
c>{g ]
ckS`d{
_controlfp
CreateFileW
ct8}kl
@.data
d^oF57
dQ50C`
e5,YcR
_except_handler3
ExitProcess
ExitThread
E	`YPj
F&CIFoh
-{fe}{Mr
=Fhuq:
FlushFileBuffers
fn(wAS(
F|rKifen
GetACP
GetCommandLineW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetLocaleInfoW
__getmainargs
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessHeap
GetStartupInfoA
GetStartupInfoW
GetSystemInfo
GetSystemMetrics
GetVersionExA
>gK06gC
GlobalFree
"gWK$p
HD("GX
HDh$GXY*1D
HeapAlloc
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
_h/+`g'
I_5f @298f
+IBuAl
_initterm
InterlockedExchange
IsValidLocale
j2E&%!
~JUaA~M
#jw_BKw
KERNEL32.dll
 KuK6[
l6G`}/JG}/JPn0I$j'a
_lclose
LoadIconA
LoadLibraryA
LocalAlloc
lstrcatW
L	v$yN
%+lWt:I
malloc
mHp_D4e;.
m)i b*x
](M[/nK
|mP~meb
msvcrt.dll
MulDiv
Neln`c
}n'Q|W
nYK	nU
O|<bGJu
OtI[EiU
pcjuRj
__p__commode
:<Pd:<@U"=EW,;O4
__p__fmode
;P<n;e;U;r;K
,=/p#@/r'?/-
qELVv]
!]Q!INQ
qRK35L
QueryPerformanceCounter
_)>QZY
r?}bY~ 
`.rdata
rE,2R(
RegCloseKey
RegCreateKeyExW
RegCreateKeyW
RegDeleteValueW
RegOpenKeyA
RegOpenKeyExA
RegOpenKeyExW
RegOpenKeyW
RegQueryValueExA
RegQueryValueExW
RegQueryValueW
RegSetValueExW
@.reloc
rqJF3&
Rw#~CJ
rzN5nHO/
SAmK&?4
__set_app_type
SetFilePointer
SetStdHandle
__setusermatherr
|s+FE:
software\classes\444erface\{0c733a5e-2a1c-11ce-ade5-00aa0044773d}\nummethods
sw/z8V/
T8yzl8
?T 9?L !?D 
TerminateProcess
!This program cannot be run in DOS mode.
t~I7}Z
U4jtv3
~U`	f@
u#h JD
u^}kx^,
UnhandledExceptionFilter
urFKVz
user32
USER32.dll
VirtualAlloc
VirtualProtect
VirtualQuery
V=Q~RIm
_vsnwprintf
VT0BB.
v.T!w|'J
=w5#Ib5
WaitForSingleObject
;|Wc^`
wcschr
wcslen
wcsrchr
WriteFile
|wUB|}OS
W_**V-
x[^b[*
_XcptFilter
X+m([#l
xw:@w{A
X!X=%Gt8
:XYc:VWY:6WY:2[M:Kl
y%G<c(U
Y^w4 vo4
Yzn<vo
zQygCI