Analysis Date: 2014-02-21 05:45:11
MD5: 1f049b39c9dcd223d3b5bf2582b972d2
SHA1: cd0fbd0cdd64dfa18bfa7681705f9711dea4ccd0

Static Details:

PEhash: ff01a4f9db20844c9fd927015115d25f35e5b88a
IMPhash: b13a07c6e941e01385bf21ad47d9fea9
AV (mcafee): RDN/Generic.grp!gx
AV (avira): TR/Agent.BVCF.1
AV (avg): Crypt2.CNUS

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: PIPE\samr
Creates File: PIPE\lsarpc
Creates Mutex: Global\fuckhh
Creates Mutex: Global\lakmo
Creates Mutex: Global\nygtit
Creates Mutex: Global\vkgpl
Creates Mutex: oaxiojy
Creates Mutex: cd0fbd0cdd64dfa18bfa7681705f971a

Network Details:


Raw Pcap

Strings
.9
.Z....Q/a.8.z
.n. =...'6.7j.c...= 
/..8`
>.
H.
@
O...7
.O.C.G
.#.

>    
>     
>      
>       
>        
>         
> [\\<
>\]<
    
    <
     
       
       <
         
               
                 
                   
                 (
 ( %% )
: [\
: [\\
  0 - 
 "\0".
0jjNmQHxg|
  1 - 
 "%1" 
 "%1". 
 %1. 
1> <
11111111
1.1.1111.1111 (xpsp.111111-1111)
, 1981-2001. 
  2 - 
2> [/s] [/f]
2> [/v <
 3.0?
5.1.2600.5512
)/A(
 ABC
 AppBkUp.hiv 
 AppBkUp.reg
<(C) 
CompanyName
                   COMPARE | EXPORT | IMPORT ]
                 [/d <
  /d     
: Data, 
>] [/f]
  /f     
  /f             
: fax\0mail\0\0
: fe340ead
FileDescription
FileVersion
 HKLM
 HKLM 
 [ HKLM | HKCU | HKCR | HKU | HKCC ].
: [ HKLM | HKCU | HKCR | HKU | HKCC ]
: [ HKLM | HKCU | HKCR | HKU | HKCC ].
: [ HKLM | HKU ].
 HKLM\Software\MyCo
 HKLM\Software\MyCo 
 HKLM\TempHive
 HKU.
InternalName
LegalCopyright
 LOAD/UNLOAD 
 Microsoft
: MRU, 
 MTU 
 MyApp 
 MyCo 
 MyCo1
 MyCo1 
)/N(
 NTRKBkUp.hiv 
    /oa          
: [/oa | /od | /os | /on].
    /od          
 /od.
    /on          
OriginalFilename
    /os          
: Path, 
ProductName
ProductVersion
> ==  [ QUERY   | ADD    | DELETE  | COPY    |
REG <
  REG ADD /?
REG ADD <
REG ADD \\ABC\HKLM\Software\MyCo
REG ADD HKLM\Software\MyCo /v Data /t REG_BINARY /d fe340ead
REG ADD HKLM\Software\MyCo /v MRU /t REG_MULTI_SZ /d fax\0mail
REG ADD HKLM\Software\MyCo /v Path /t REG_EXPAND_SZ /d %%systemroot%%
: REG_BINARY, 
  REG COMPARE /?
 REG COMPARE)
REG COMPARE <
REG COMPARE HKLM\Software\MyCo HKLM\Software\MyCo1 /v Version
REG COMPARE HKLM\Software\MyCo\MyApp HKLM\Software\MyCo\SaveMyApp
REG COMPARE \\ZODIAC\HKLM\Software\MyCo \\. /s
  REG COPY /?
REG COPY <
  REG COPY HKLM\Software\MyCo\MyApp HKLM\Software\MyCo\SaveMyApp /s
  REG COPY \\ZODIAC\HKLM\Software\MyCo HKLM\Software\MyCo1
  REG DELETE /?
REG DELETE <
  REG DELETE HKLM\Software\MyCo\MyApp\Timeout
  REG DELETE \\ZODIAC\HKLM\Software\MyCo /v MTU
        REG_DWORD | REG_BINARY    | REG_DWORD_LITTLE_ENDIAN |
reg.exe
: REG_EXPAND_SZ, 
  REG EXPORT /?
REG EXPORT <
  REG EXPORT HKLM\Software\MyCo\MyApp AppBkUp.reg
  REG IMPORT /?
REG IMPORT <
  REG IMPORT AppBkUp.reg
  REG LOAD /?
REG LOAD <
  REG LOAD HKLM\TempHive TempHive.hiv
 REG_MULTI_SZ. 
: REG_MUTLI_SZ, 
        REG_NONE  | REG_EXPAND_SZ ]
  REG <Operation> /?
  REG QUERY /?
REG QUERY 
  REG QUERY HKLM\Software\Microsoft\ResKit\Nt\Setup /s
  REG QUERY HKLM\Software\Microsoft\ResKit /v Version
  REG RESTORE /?
REG RESTORE <
  REG RESTORE HKLM\Software\Microsoft\ResKit NTRKBkUp.hiv
  REG SAVE /?
 REG SAVE.
REG SAVE <
  REG SAVE HKLM\Software\MyCo\MyApp AppBkUp.hiv
 REG_SZ.
       [REG_SZ    | REG_MULTI_SZ  | REG_DWORD_BIG_ENDIAN    |
  REG UNLOAD /?
REG UNLOAD <
  REG UNLOAD HKLM\TempHive
 ResKit 
>] [/s <
>] [/s]
  /s   
  /s           
  /s             
 %s 
                   SAVE    | LOAD   | UNLOAD  | RESTORE |
 SaveMyApp
 Setup 
StringFileInfo
: %systemroot%
  /t   
 TempHive 
 TempHive.hiv 
 Timeout 
Translation
> [/v <
  /v   
  /v           
 [/v 
  /va            
VarFileInfo
> | /ve] [<
  /ve  
  /ve          
  /ve            
 Version 
 | /ve] [/s]
> | /ve] [/t <
> | /ve | /va] [/f]
VS_VERSION_INFO
 Windows
 Windows.
 [Y(
 ZODIAC 
 ZODIAC.
`02^. 
05'I1X&M]
-0DS1E
^0hISfp_$'
0H,~*O+|#
0m+OPl27O)3ZM-_
"1BD12NC.
1j~c_*C@wO~s
1mhPnZ
*:1MNfP
2G'	U)+5
,2~_h	C
%2O|)_
2ph*Q3x1925O1
:2qj](
2q_u`O#
2r-IqI
2@u87;
	(2"w'
2YZq<k
38h`%4<
|38hk5
|$38y(Vh_h
39&KSn4
>3~FEV
,~3L*{]
3LNosxW
3O]y7z
:3q[Ej
>46G?W4Kk
48Q!w~Q
.	4&A,
4L_dE7B
4m/OTl67S)7ZQ-c
4o`N-Yw
4/tS3'b
4,z"6m
4z]dmt^
,52I-XHMY
5Iz;i+c
5^j 8:O\
5:jOa.
}@^6;^
6Dhz#{
6gEC_4,~QA
!6j/l	
6N6ms9
6OJ(b	
6OKnold64C
#6~)|q
6r%rbL
6_?smY
6!s&{N
75nv/LSt
7	b-RL
	7hav~]
7y(Jw_hIC~gN*{#Zjy
|$7<y(tl_hW2~go
858I9X
8~gY!|$ONy(
8m3OXl:7W);ZU-g
8y(hg_hW-~g
8yTh,R
9D$Lu%
9)@qJ2
]9:Q&L&_P
|$)9y(ji_hO/~gi
a5a}^j
aAv;qp[0I
acEIiuv
ADVAPI32.dll
ahcu^g4P
a	Q[^*
AQ_|-}
av;_z(
Aw;>$]e
Ay(Bp_h!5~g9
|$A?y(Ro_h
Ay(z~_ha.~g
a>z%=nN
b=2QvE6
<b2	_y
B49GCW
`":baDnn
bBFx6l
bCfg[9
Bd#bZB
BeI7L5E7YdE
bm ZCcu
b%;SK7
~bwIN~f
By(Tr_h97~gO |$_Cy(
c)_2{N1
-c~du'
[C~gg+|$
C~_hI,daN*{
._cHX^
cKPNP 8
c=nemW-E
}COe{9!
C?OZ^L
cP/lNPO}k|
c*P'Yq
c~$TQ5
c	!U49
D;$=\=
D$ 9H<
D$(9T$(v2
DA2WX^
@.data
d\;h\T
DH:Wji-
D`?KA!&
{+<dkKZ
Dm?OdlF7c)GZa-s
=Dm*p@
dN>m_d
[d\NNx'
Ds{vX[C
%/dT&RbXR
!|$'Dy(ls_h!8~g
D$Zf%,
D/ZI-[
e6R-ZhZ
(eaKa4b
|$eBy(
E[D"zv
%_/efW
|$eHy(
ENkhI_%+F5lyW~O+|$ONy(z~_hIC~g
eNWB+y$
e,p=@f
\EP'`-g3dV*
EvxP?{9
Ey(Ju_h#:~g3"|$=Ey(ru_hI;~ga#|$
|$E@y(|q_h]6~g
f_D B}
f+D$|f
f+D$Vf
f+D$Zf
f]Eru 8
fffff.
fGQ+|$
f*g/qW}
F#|`><L5x
~fN+{$NNx(y~^hHC}gN*|#OMy'z}_gIB~fO*{$NNx(y~^hHC}gN+{#OMy'z}_gIB~fO*|#NNx(y~^hHC}gN+{$NMy'z}_gIB~fO*|#O
Fy(Hv_h);~gm#|$yFy(
,~g_+|
G(3M6[
g^+{3O]y7z
g89959\79zim'Z/
(;gasB
gdH|9hP
GE69:)-r
GetLastError
GetLocaleInfoA
g;g13N
gg^WNrOq
!^G|h-A
gN:|3O]y7z
-~gN`=(7
g^?>|o
gO~<eK
~gOK|$O
gOM|$O
gOY|$Ox
gPc[0h_
G#|r&(
gR9|-PP
GYa{AGd
|$g>y(~n_h92~g/
h5qp_l
h/.}%6Q
~_haC~g{i}
h|C~gg
hD}L$Q@
hes2waRshx0AzP
h?G	0=
_hIM~gO
h@!i~N
$=,hJVf=
HmCOhl
hNpp#O
HNVOx"
~$hrol
h=s~gG
hSS}$o
)/hT*RfXV
!hU,<U
@hW{dD
Hy[dDCX
i;?*(>
I5oWi[|
IC~gN*{#
IC~gN*{#$
IC~gN*{#\
IC~gN*{#&
IC~gN*{#5
IC~gN*{#o
IC~gN*{#ONy(=
IC~gO+|$ON
IC~gO+|$SNy(z~`hIC~g
IC~gO+|$SNy(z~`hSC~gg+|
?i'	%F_
<I]g}B
|@`*IGRi
InterlockedCompareExchange
;>iSL=&L
IsValidAcl
~iT]Cj~N:|3O]y7z
<[:iVh
iYByt^~
|$I>y(\n_h
J(_$-]
j0	?4s
]j!d<&
j_hIC~g
:jhIp4
J$j&2#''U!+S
jK$x&(
JL8?u{
JLJ)SI~-
jn up1Y
 JQN~1
/JQ	(v
/J`} s
jSIdqO`y,
JTX$aW|
_j(UDx
jU	JB^
jX?C?i
JYyD+uD7
jZf}qK
k2J7j926':U4+f
k6J;j=2:'>U8+j
*@k=Ap
'kBJGj
KCgqa-
KDC:My
;K>e:H
KERNEL32.dll
\kfEn&
k_)G."N}
k_hu0~g
k.J3j522'6U0+b
#k>JCjE2B'FU@+r
k*J/j12.'2U,+^
k:J?jA2?'BU;+n
"]%%*L
[L37G 
+L$8f	
l{A-e_hf
L$ *D$=
|$Lf+D$2
L$`f+D$V
L$<f+D$V
LFmOG,
l_hw1~g
	+LI|b
LL\/G>
;L$@s{
&^ltw%
=L<w,sI_
m1g5T}
[>m)1K?g03
<m7O\l>7[)?ZY-k
MDSfzb
]Md+>u)
=M`fi^N
m$jiuz
m)%Jw5u
@m;O`lB7_)CZ]-o
m(pFnw
[M-\Q])
Mqi~Tv
mq:OR;
MR}wac
mvYOgH
mw{8]Gd
	!<my(O%J5
n3L<SF&
Narzq^g
~nhHR~vO:|3O]y7z
~nhNC}
~nhXC}vO:|3O]y7z
nK\UOD<)
nkZjXG
$NmyGz
$nNxGz
+|,NNy0z~_
N*{#ONy(
np$B}zP{	
n#vNt/<9U
$^Nx7z
$N]y7z
Ny(z~_hI
N}(z~Gj=B}
O3S4VD
Od-z&c
+oi],48:hx
oiDn(X
OJ|COM
OJ|CO]y'
OKTX\Jt
 OK~Uv
OL.|$O
omO|0<
ONj<?/
ONy(8w_h
$|$ONy((p_h
%|$ONy(|w_h7;~gO+|$
|$ONy(\w_h?<~gO+|$
+|$ONy(z
+|$ONy(z~_hIC~gO,~$O
ONy(z~_hMC~gP+|$
O+}$OM
OOv<i+
%OTx]2
OwhK&2
oX%(MY
OyCQwxO*
*o^zH|
#p3&MS
p:|3OM
P5R}m<m
_P+7}f
?P^Gc2
pH*aCm
p_hi5~gW
PHTkx`
p)`LVVz
}[|P^R0
+	pwBi
'!,;Q&
q4?h(j
q\5|$O
Q7xI Ld
Qd9Ys8
Qm$R3?
q_N{	*
[Q+|$O9
qO>d/A
QP XF^
Q		T0~
Q"y0;F	7
>r034o<S
R%1%4$
.R>1/Q
R'$508G
r7i4vH
RBAh6~
rbr%l*TNT}
`.rdata
rf7Yl;
R}[:G"
RGH~(>
r_h{7~gq
r_h96~g%
rIhQPkg
RkN?6`d
RVN}u/
ryx{~x
r}ZC&`h
RzqZ9f
}@.rZR
sA177zh
Sa$;F?
|$sAy(
s_h}8~g
SIBiOLz
s.!LfQxH
\+|$SNy(
sQ#A}fO
.S%@r<
t$4+T$8
?t5(@8A
T$,+D$,
T$Df+D$(
TeZz2*
T$ f+D$
t_(gK}
THhL#{
!This program cannot be run in DOS mode.
T#l'+)
^<tONx]
!/]T"R[XN
T$|ywSX
)u$%^^
UAK"O!
+	>UFg
/u><FP
u_hk:~g
U jv&8:D
}UT7-HI
:<uW/Q{
u,z	aU
uzPYi~;CW
.VAfjPH
vC)(MQ&k
V-GaE1
v>gd#~9
vgW.?t
VHT=` 
?vI7tY7Wr97eDBLlYw
/!v%iV
VK0it%
,vL}dO
}%VNzI
 VPmC.O
V+qeN*
(v?S?a!
v_^WaQn
|$W9y(
WAz!B\p:
wbmuDb
WESW$#
| Wgv|g
WH0RMp
WI6HgR
_wIR~f^+
_wIR~vO:
_wIR~vO*
_wIR~vO:|3OM
_wIR~vO:|3OO{(
_wIR~vO:|3O]y/
_wIR~vO:|3O]y'
~^wIR~vO:|3O]y7z
_wIR~vO:|3O]y7z}nhXC
_wIR~vO:|#^N
wO??,;O
;wPMy70@
Wr`5+7
~WRU=.
W}Teir
	]$W.To
;|x1[AVSN
*X8jj"X
X9u/C-
*xaU!J,
=;XBO1	Y
xb'zhIC
= XC7bM
 xgd5,
x_h=9~g
x;LZ7A86e
XNy({~_h
x_Q>1`U
xsCfJQ
!!=X)TUp
XU^0G=
xWo Uq
x(y~^hHC}gJ+
|$_<y(
|$];y(
|$}=y(
}y{)*|
Y<	0)+S
Y3z2zo8e
*\&y7M
Y!}7UJ8rB
=y(8m_h
yB*$|00
Ybl?3d%;
~	.yC6
yC~wOl
;{ye=K/c
y!}G WhNwg
<y(:l_h
yM{}t`
Yo{6v}t
_=:yPd
=[}yPN
y#Q,xO
:y(Rj_h7/~gM
;y(Rk_h90~gO
Ys7#4#
'y~^SV
y/~}uzv
Yx|HzMG
|$y:y(
):y!ym
|$y?y(z~_hg<~gO+|$
y(z~_hI
\z#)9_!
zap[m9j3
zc?aAX
\Z'">Dg
}>!@_zDT<
=Ze:\r
zFOQ:	
\Z'">Hw
Z{i{!n<
?ZMmv}u
Z^O~8m
zQ$ Mj
	zr4gE
zrI@(j
:Zxmz^J.
z(-Y`h-G~gO+|$[N
zy'%`x|
z``zGj