Analysis Date: 2014-10-11 14:03:30
MD5: 197db860331e314e4e64e317850c74d5
SHA1: cff2297ce90aa963fbbd66069e8e9bfc6f53a9b2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: 7fa77dd2f590b4752adabd0bc2196587 sha1: 36bbf04b852ef40213f55f2adb1377a394e6c80a size: 63488
Section .rdata — md5: 77624ec0eaaa7b3c01ef02d4ce37fe78 sha1: 11f4f0525801f2fdb1d47b9fbba606c6df54bd87 size: 14336
Section .data — md5: 4fe0e4aa1ebf9245145b98f0c3684d13 sha1: 43bd4c46fe8b6b466e5b561480f966d3c782677b size: 512
Section .rsrc — md5: 52883d62929d133cff8bcd53a70bf08f sha1: 9ea3870f99bcfe3f5a999c0ae6cc704385dee5b0 size: 1024
Timestamp: 2011-04-23 11:59:23
Packer: Microsoft Visual C++ v6.0
PEhash: 4176fd2f7e6189ac92300f77440c1982b56352c3
IMPhash: 8d8ea9f925307cabdda9762ee4e022f5
AV 360 Safe: Gen:Trojan.Heur.JP.fqX@a8SvTLmi
AV Ad-Aware: Gen:Trojan.Heur.JP.fqX@a8SvTLmi
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Kazy.maklt
AV BullGuard: Gen:Trojan.Heur.JP.fqX@a8SvTLmi
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: Win.Trojan.Agent-792182
AV Dr. Web: no_virus
AV Emsisoft: Gen:Trojan.Heur.JP.fqX@a8SvTLmi
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.BBT
AV Fortinet: W32/CodecPack.fam!tr.dldr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Trojan.Heur.JP.fqX@a8SvTLmi
AV Grisoft (avg): Downloader.Generic14.CKJ
AV Ikarus: Trojan-Downloader.Win32.Renos
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.MJ
AV MicroWorld (escan): Gen:Trojan.Heur.JP.fqX@a8SvTLmi
AV Norman: winpe/Troj_Generic.WERMW
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): BScope.Trojan-Inject.Popup.01658
AV Yara APT: no_virus
AV Zillya!: no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1806 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul

Creates File: nul
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Deletes File: C:\malware.exe

Network Details:

DNS: repubblica.it
Type: A
213.92.16.101
DNS: seesaa.net
Type: A
59.106.98.139
DNS: seesaa.net
Type: A
59.106.28.139
DNS: yelp.com
Type: A
198.51.132.180
DNS: yelp.com
Type: A
198.51.132.80
DNS: eitinvalid.in
Type: A
DNS: webdatum.in
Type: A

Raw Pcap

Strings
.
.
.
.
??
.
   
.
??0_Lockit@std@@QAE@XZ
0ShP\A
15:59:17
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??1_Lockit@std@@QAE@XZ
??1type_info@@UAE@XZ
??2@YAPAXI@Z
<9~L<A|
_acmdln
_adjust_fdiv
ADVAPI32.dll
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
Apr 23 2011
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
.?AV_com_error@@
.?AVtype_info@@
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
CloseHandle
?compare@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEHABV12@@Z
?compare@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEHIIPBDI@Z
_controlfp
CreateFileA
__CxxFrameHandler
_CxxThrowException
@.data
__dllonexit
?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z
_except_handler3
f9="XA
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?find_first_not_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?find_first_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
GetActiveWindow
GetCapture
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetCursor
GetFocus
GetForegroundWindow
GetInputState
GetLastError
__getmainargs
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetUserDefaultLangID
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z
_initterm
?insert@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IPBDI@Z
?insert@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADPADD@Z
InterlockedDecrement
IsBadCodePtr
IsCharAlphaA
IsCharAlphaNumericA
KERNEL32.dll
LoadLibraryA
LocalFree
lstrlenA
memcpy
memset
MSVCP60.dll
MSVCRT.dll
MultiByteToWideChar
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
OLEAUT32.dll
_onexit
__p__commode
__p__fmode
PSSSSSSh 
PSSSSSSVSj6
QPA@XY
QQSVW3
QqX[YZ
`.rdata
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
(Rich;
RQJAIYZ
RQSPH+
      </security>
      <security>
__set_app_type
__setusermatherr
sprintf
SQSWVP
strcat
strcpy
strlen
_strlwr
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
?swap@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXAAV12@@Z
[t795<XA
!This program cannot be run in DOS mode.
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
u395<XA
UNIQSTRING987654
USER32.dll
VirtualAlloc
wcslen
WideCharToMultiByte
WININET.dll
WRQPSjF
_XcptFilter
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
?_Xran@std@@YAXXZ
Y;8Yt4
YPhpPA
YYPh,WA
<Z~D<a|
<z~<<+t8</t4<=t0