Analysis Date: 2015-12-02 04:17:20
MD5: 1067fb200a090162e3e6f3f128f1e5d9
SHA1: d607b2462b0cd87a89126cb7af93f6b79f93f257

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 8067456c5dc713997e61924c501c8cb2 sha1: a31e9403bbcd95793846f9619bda7cfde9229e20 size: 580096
Section .itext: md5: 3f63b5c2974302201afb8afa01b8ac10 sha1: 7e49535face98e2cd7183ec3e98c2a95894ebcd5 size: 6656
Section .data: md5: 81fa247370ecc3476b5c17086c0f2024 sha1: 57a1468ce4eaa810ed0ffdb3622c1d142eb61123 size: 15872
Section .bss: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata: md5: cd30ca2b6ff5111155dec94ee29ec186 sha1: e5fd41be7799ae8933dbc4c297e57fc2fc8d2368 size: 16896
Section .tls: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rdata: md5: c1788dfeb92bbf0cff5aeaeaf1270ff8 sha1: 469a55b2d8c433d2a38eb7d9398cf0c8965abf15 size: 512
Section .reloc: md5: e55564594dad16a2ca19fb85903b9300 sha1: 7ef009dc015904e2abf1868ff1c92a15317b0df4 size: 35840
Section .rsrc: md5: b2612dddb69c37be920820d1905ce13d sha1: cbb7aa48bbc9120f7506492075ecc0f29bda8d98 size: 190464
Timestamp: 2012-06-07 15:59:53
Version:
LegalCopyright: Copyright (C) 1999
InternalName: MSRSAAPP
FileVersion: 1, 0, 0, 1
CompanyName: Microsoft Corp.
Comments: Remote Service Application
ProductName: Remote Service Application
ProductVersion: 4, 0, 0, 0
FileDescription: Remote Service Application
OriginalFilename: MSRSAAP.EXE
PEhash: 28e500d11f4485a4452208ba2eeeea262052bf92
IMPhash: e5b4359a3773764a372173074ae9b6bd
AV Kaspersky: Backdoor.Win32.DarkKomet.xyk
AV MicroWorld (escan): Trojan.Inject.AUZ
AV F-Secure: Trojan.Inject.AUZ
AV Microsoft Security Essentials: Backdoor:Win32/Fynloski.A
AV Fortinet: W32/Generic.AC.606
AV Ikarus: Backdoor.Win32.DarkKomet
AV K7: Backdoor ( 003b505d1 )
AV MalwareBytes: Trojan.RemoteAccess
AV Mcafee: Generic BackDoor.xa
AV Emsisoft: Trojan.Inject.AUZ
AV Eset (nod32): Win32/Fynloski.AA
AV Frisk (f-prot): W32/Downloader.C.gen!Eldorado
AV Dr. Web: BackDoor.Comet.2020
AV Grisoft (avg): Downloader.Generic13.AWJB
AV Ad-Aware: Trojan.Inject.AUZ
AV ClamAV: WIN.Trojan.DarkKomet
AV Arcabit (arcavir): Trojan.Inject.AUZ
AV BitDefender: Trojan.Inject.AUZ
AV BullGuard: Trojan.Inject.AUZ
AV Alwil (avast): Agent-ASXK [Trj]
AV Alwil (avast): GenMalicious-CHX [Trj]
AV Avira (antivir): BDS/DarkKomet.GR
AV Authentium: W32/Downloader.C.gen!Eldorado
AV CA (E-Trust Ino): Win32/Fynloski.A!generic
AV CAT (quickheal): Backdoor.Fynloski.A9
AV Padvish: Malware.Trojan.gtrb

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit ➝
C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Administrator\Local Settings\Temp\MSDCSC\msdcsc.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svchost ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\MSDCSC\msdcsc.exe\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\NJCRYPT BY 3V1L.EXE
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\MSDCSC\msdcsc.exe
Creates File: PIPE\lsarpc
Creates Process: cmd.exe /k attrib C: +s +h
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\MSDCSC\msdcsc.exe
Creates Process: cmd.exe /k attrib C: +s +h
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\NJCRYPT BY 3V1L.EXE

Process
↳ cmd.exe /k attrib C: +s +h

Creates Process: attrib "C:" +s +h

Process
↳ cmd.exe /k attrib C: +s +h

Creates Process: attrib "C:\malware.exe" +s +h

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\NJCRYPT BY 3V1L.EXE

Registry: HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath ➝
C:\Documents and Settings\Administrator\Local Settings\Application Data\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Creates Process: dw20.exe -x -s 260

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\MSDCSC\msdcsc.exe

Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: notepad
Creates Mutex: DC_MUTEX-2J5Q63W

Process
↳ attrib "C:" +s +h

Process
↳ attrib "C:\malware.exe" +s +h

Process
↳ dw20.exe -x -s 260

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\15FBE.dmp
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\15FBE.dmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ notepad

Creates Mutex: DCPERSFWBP
Creates Mutex: DC_MUTEX-2J5Q63W

Network Details:

DNS: hdredirect-lb-399551664.us-east-1.elb.amazonaws.com
Type: A
54.174.31.254
DNS: hdredirect-lb-399551664.us-east-1.elb.amazonaws.com
Type: A
54.208.74.215
DNS: vkontakte.myvcn.com
Type: A
Flow TCP: 192.168.1.1:1037 ➝ 54.174.31.254:1604
Flow TCP: 192.168.1.1:1038 ➝ 54.174.31.254:1604
Flow TCP: 192.168.1.1:1039 ➝ 54.174.31.254:1604
Flow TCP: 192.168.1.1:1040 ➝ 54.174.31.254:1604
Flow TCP: 192.168.1.1:1041 ➝ 54.174.31.254:1604
Flow TCP: 192.168.1.1:1042 ➝ 54.174.31.254:1604
Flow TCP: 192.168.1.1:1043 ➝ 54.174.31.254:1604
Flow TCP: 192.168.1.1:1044 ➝ 54.174.31.254:1604
Flow TCP: 192.168.1.1:1045 ➝ 54.174.31.254:1604
Flow TCP: 192.168.1.1:1046 ➝ 54.174.31.254:1604
Flow TCP: 192.168.1.1:1047 ➝ 54.174.31.254:1604
Flow TCP: 192.168.1.1:1048 ➝ 54.174.31.254:1604
Flow TCP: 192.168.1.1:1049 ➝ 54.174.31.254:1604
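Read together, the runtime and network records above are this sample's persistence and command-and-control footprint: the second path appended to Winlogon\UserInit (the default data on the XP-era sandbox the report reflects is the single entry C:\WINDOWS\system32\userinit.exe, with a trailing comma) makes userinit.exe start msdcsc.exe at every interactive logon; the HKCU Run value named svchost re-launches the same binary from the user's Temp directory; the two attrib +s +h commands mark the dropper system and hidden; DC_MUTEX-2J5Q63W follows DarkComet's mutex naming; and the thirteen connects to 54.174.31.254 on TCP/1604, DarkComet's default listener port, are the beacon. The triage script below is an added example, not part of this report or of any sandbox's code. It assumes report lines in a "Label: value" layout with a registry value's data on the line after "➝" (the sample input is constructed from lines of this report), and the beacon threshold, the mutex pattern and the default Userinit data are labelled assumptions in the code.

```python
import re
from collections import Counter

# Constructed sample (assumption): a few lines in the "Label: value" layout of
# the report above, enough to exercise every check. Registry lines keep the
# report's two-line layout, with the data on the line after the arrow.
SAMPLE_REPORT = r"""
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit ➝
C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Administrator\Local Settings\Temp\MSDCSC\msdcsc.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svchost ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\MSDCSC\msdcsc.exe\\x00
Creates Process: cmd.exe /k attrib C: +s +h
Creates Process: attrib "C:\malware.exe" +s +h
Creates Mutex: DC_MUTEX-2J5Q63W
Creates Mutex: DCPERSFWBP
Creates Mutex: WininetConnectionMutex
Flow TCP: 192.168.1.1:1037 ➝ 54.174.31.254:1604
Flow TCP: 192.168.1.1:1038 ➝ 54.174.31.254:1604
Flow TCP: 192.168.1.1:1039 ➝ 54.174.31.254:1604
"""

# Default Winlogon\Userinit data on an XP-era host (assumption: the sandbox is
# one): a single entry. Anything appended after it runs at every logon.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
DARKCOMET_DEFAULT_PORT = 1604                      # DarkComet's default listener port
DC_MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]+$")  # DarkComet mutex naming (assumed pattern)
DC_EXTRA_MUTEXES = {"DCPERSFWBP"}                  # second mutex the report shows in notepad
NUL_RE = re.compile(r"(\\+x00)+$")                 # the report's literal trailing NUL marker
BEACON_MIN_FLOWS = 5                               # assumed threshold: repeated connects to one ip:port
ATTRIB_HIDE_RE = re.compile(r"\battrib\b(?=.*\+s\b)(?=.*\+h\b)", re.I)


def parse_records(text):
    """Return (label, value) pairs; a data line after a trailing arrow is joined."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        line = lines[i]
        if line.endswith("➝") and i + 1 < len(lines):
            line = line + " " + lines[i + 1]
            i += 1
        label, sep, value = line.partition(": ")
        if sep:
            records.append((label, NUL_RE.sub("", value)))
        i += 1
    return records


def triage(text):
    """Map each report record onto the persistence and C2 indicators of this sample."""
    findings = {
        "userinit_additions": [],   # extra paths appended to Winlogon\UserInit
        "run_keys_in_temp": [],     # (value name, path) Run entries pointing into a Temp dir
        "hidden_via_attrib": [],    # attrib +s +h command lines
        "darkcomet_mutexes": [],    # DarkComet mutex names
        "beacons": [],              # (dst ip, dst port, flow count)
    }
    flows = Counter()
    for label, value in parse_records(text):
        if label == "Registry":
            key, _, data = value.partition(" ➝ ")
            key_l = key.lower()
            if key_l.endswith("\\winlogon\\userinit"):
                entries = [e.strip() for e in data.split(",") if e.strip()]
                findings["userinit_additions"] += [
                    e for e in entries if e.lower() != DEFAULT_USERINIT]
            elif "\\currentversion\\run\\" in key_l and "\\temp\\" in data.lower():
                findings["run_keys_in_temp"].append((key.rsplit("\\", 1)[1], data))
        elif label == "Creates Process" and ATTRIB_HIDE_RE.search(value):
            findings["hidden_via_attrib"].append(value)
        elif label == "Creates Mutex" and (DC_MUTEX_RE.match(value) or value in DC_EXTRA_MUTEXES):
            findings["darkcomet_mutexes"].append(value)
        elif label == "Flow TCP":
            _, _, dst = value.partition(" ➝ ")
            ip, _, port = dst.rpartition(":")
            flows[(ip, int(port))] += 1
    # A destination is a beacon if it is hit repeatedly or sits on the known C2 port.
    for (ip, port), n in sorted(flows.items()):
        if n >= BEACON_MIN_FLOWS or port == DARKCOMET_DEFAULT_PORT:
            findings["beacons"].append((ip, port, n))
    return findings


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_REPORT).items():
        for hit in hits:
            print(f"{name}: {hit}")
```

On a live host the same three persistence checks translate directly: compare the Userinit value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon against the single default entry, list HKCU\...\CurrentVersion\Run values whose data resolves under a Temp directory, and treat any process launching attrib with +s +h against its own dropper as suspicious; the beacon check belongs on the network sensor, keyed on the destination port and on connection frequency rather than on the host name, since the C2 here sits behind a cloud load balancer whose name changes freely.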
