Analysis Date: 2015-12-31 17:02:23
MD5: 29afe6db23eb17f3f27ca61cfa254da8
SHA1: e888cab14b1ef18b5693c97e94ad95887e8d0755

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 7c799561a56c17fe12bd1d88cce3a384 sha1: d69552a69e6ec935052fd05b575e34fe8bcb57cd size: 51200
Section .rdata md5: b508c6655331495dfe13beff49053f20 sha1: 627957b6ea16417af584717bb34134dab663bcb1 size: 16384
Section .data  md5: 761366bc0d1b54e1ad2e7307830ef2b0 sha1: 8b2be7df7331b389ce05ee34597aea9bda706e54 size: 33280
Section .rsrc  md5: 27bc7b6545ef9c13cf1fda3a340acca5 sha1: b8f558ff21a57a8185e0a7b2e27cf47494f73d73 size: 53248
Timestamp: 2015-10-16 23:53:09
Version info:
  LegalCopyright:
  InternalName:
  FileVersion: 1.2.9.5
  CompanyName:
  LegalTrademarks:
  Comments:
  ProductName:
  ProductVersion: 1.2
  FileDescription:
  OriginalFilename:
Packer: Microsoft Visual C++ ?.?
PEhash: 90514f43954ab9f95a5b2c6c9ca122d9655982c7
IMPhash: c40c3641d4d8f61a307f4ac79aa26faa
AV Authentium: W32/Trojan.USPZ-5409
AV Dr. Web: BackDoor.Andromeda.662
AV MalwareBytes: Trojan.InfoStealer
AV Trend Micro: no_virus
AV Emsisoft: Gen:Variant.Barys.49793
AV Kaspersky: Trojan.Win32.Generic
AV Alwil (avast): Androp [Drp]
AV Eset (nod32): Win32/Kryptik.EBBE
AV K7: Trojan ( 004d49951 )
AV Avira (antivir): TR/Crypt.ZPACK.189404
AV Fortinet: W32/Kryptik.EASA!tr
AV Ikarus: Worm.Win32.Dorkbot
AV Symantec: Trojan.Smoaler
AV Frisk (f-prot): no_virus
AV Grisoft (avg): Crypt5.EUL
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo
AV F-Secure: Gen:Variant.Barys.49793
AV BitDefender: Gen:Variant.Barys.49793
AV Zillya!: Trojan.Sharik.Win32.1790
AV BullGuard: Gen:Variant.Barys.49793
AV Rising: no_virus
AV Arcabit (arcavir): Gen:Variant.Barys.49793
AV CA (E-Trust Ino): no_virus
AV MicroWorld (escan): Gen:Variant.Barys.49793
AV Twister: no_virus
AV CAT (quickheal): Trojan.CeeInject.r4
AV Microsoft Security Essentials: VirTool:Win32/CeeInject.LJ
AV Ad-Aware: Gen:Variant.Barys.49793
AV ClamAV: no_virus
AV Mcafee: RDN/Generic.dx

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: svchost.exe

Process
↳ svchost.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe ➝
C:\Documents and Settings\Administrator\Application Data\evchhfdr\tafjjaar.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\evchhfdr
Creates File: C:\Documents and Settings\Administrator\Application Data\evchhfdr\tafjjaar.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Creates Mutex: 4E27753A08787C10C821EC1A86069920C059900A

Network Details:

DNS: a-0003.a-msedge.net
Type: A
204.79.197.203
DNS: e11290.dspg.akamaiedge.net
Type: A
23.15.25.55
DNS: e4578.b.akamaiedge.net
Type: A
104.70.73.171
DNS: e10088.dspb.akamaiedge.net
Type: A
104.70.53.87
DNS: www.msn.com
Type: A
DNS: go.microsoft.com
Type: A
DNS: www.adobe.com
Type: A
DNS: hostnamessimply1.effers.com
Type: A
DNS: www.microsoft.com
Type: A
HTTP GET: http://www.msn.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://go.microsoft.com/fwlink/?LinkId=146008
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://go.microsoft.com/fwlink/?LinkId=146008
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://www.adobe.com/support/main.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://go.microsoft.com/fwlink/?LinkId=146008
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://go.microsoft.com/fwlink/?LinkId=45396
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://www.adobe.com/support/main.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://www.adobe.com/support/main.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://www.microsoft.com/windows
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 204.79.197.203:80
Flows TCP: 192.168.1.1:1032 ➝ 23.15.25.55:80
Flows TCP: 192.168.1.1:1033 ➝ 23.15.25.55:80
Flows TCP: 192.168.1.1:1034 ➝ 104.70.73.171:80
Flows TCP: 192.168.1.1:1035 ➝ 23.15.25.55:80
Flows TCP: 192.168.1.1:1036 ➝ 23.15.25.55:80
Flows TCP: 192.168.1.1:1037 ➝ 104.70.73.171:80
Flows TCP: 192.168.1.1:1038 ➝ 104.70.73.171:80
Flows TCP: 192.168.1.1:1039 ➝ 104.70.53.87:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x00000040 (00064)   696e646f 7773204e 5420352e 313b2053   indows NT 5.1; S
0x00000050 (00080)   56313b20 2e4e4554 20434c52 20322e30   V1; .NET CLR 2.0
0x00000060 (00096)   2e353037 3237290d 0a486f73 743a2077   .50727)..Host: w
0x00000070 (00112)   77772e6d 736e2e63 6f6d0d0a 436f6e6e   ww.msn.com..Conn
0x00000080 (00128)   65637469 6f6e3a20 636c6f73 650d0a0d   ection: close...
0x00000090 (00144)   0a                                    .

0x00000000 (00000)   504f5354 202f6677 6c696e6b 2f3f4c69   POST /fwlink/?Li
0x00000010 (00016)   6e6b4964 3d313436 30303820 48545450   nkId=146008 HTTP
0x00000020 (00032)   2f312e31 0d0a5573 65722d41 67656e74   /1.1..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20676f2e 6d696372 6f736f66   ost: go.microsof
0x00000090 (00144)   742e636f 6d0d0a43 6f6e6e65 6374696f   t.com..Connectio
0x000000a0 (00160)   6e3a2063 6c6f7365 0d0a436f 6e74656e   n: close..Conten
0x000000b0 (00176)   742d4c65 6e677468 3a203234 360d0a43   t-Length: 246..C
0x000000c0 (00192)   6f6e7465 6e742d54 7970653a 20617070   ontent-Type: app
0x000000d0 (00208)   6c696361 74696f6e 2f782d77 77772d66   lication/x-www-f
0x000000e0 (00224)   6f726d2d 75726c65 6e636f64 65640d0a   orm-urlencoded..
0x000000f0 (00240)   0d0af6                                ...

0x00000000 (00000)   504f5354 202f6677 6c696e6b 2f3f4c69   POST /fwlink/?Li
0x00000010 (00016)   6e6b4964 3d313436 30303820 48545450   nkId=146008 HTTP
0x00000020 (00032)   2f312e31 0d0a5573 65722d41 67656e74   /1.1..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20676f2e 6d696372 6f736f66   ost: go.microsof
0x00000090 (00144)   742e636f 6d0d0a43 6f6e6e65 6374696f   t.com..Connectio
0x000000a0 (00160)   6e3a2063 6c6f7365 0d0a436f 6e74656e   n: close..Conten
0x000000b0 (00176)   742d4c65 6e677468 3a203230 310d0a43   t-Length: 201..C
0x000000c0 (00192)   6f6e7465 6e742d54 7970653a 20617070   ontent-Type: app
0x000000d0 (00208)   6c696361 74696f6e 2f782d77 77772d66   lication/x-www-f
0x000000e0 (00224)   6f726d2d 75726c65 6e636f64 65640d0a   orm-urlencoded..
0x000000f0 (00240)   0d0ac9                                ...

0x00000000 (00000)   504f5354 202f7375 70706f72 742f6d61   POST /support/ma
0x00000010 (00016)   696e2e68 746d6c20 48545450 2f312e31   in.html HTTP/1.1
0x00000020 (00032)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000030 (00048)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000040 (00064)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000050 (00080)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000060 (00096)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000070 (00112)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000080 (00128)   20777777 2e61646f 62652e63 6f6d0d0a    www.adobe.com..
0x00000090 (00144)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x000000a0 (00160)   650d0a43 6f6e7465 6e742d4c 656e6774   e..Content-Lengt
0x000000b0 (00176)   683a2032 35340d0a 436f6e74 656e742d   h: 254..Content-
0x000000c0 (00192)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x000000d0 (00208)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x000000e0 (00224)   656e636f 6465640d 0a0d0afe            encoded.....

0x00000000 (00000)   504f5354 202f6677 6c696e6b 2f3f4c69   POST /fwlink/?Li
0x00000010 (00016)   6e6b4964 3d313436 30303820 48545450   nkId=146008 HTTP
0x00000020 (00032)   2f312e31 0d0a5573 65722d41 67656e74   /1.1..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20676f2e 6d696372 6f736f66   ost: go.microsof
0x00000090 (00144)   742e636f 6d0d0a43 6f6e6e65 6374696f   t.com..Connectio
0x000000a0 (00160)   6e3a2063 6c6f7365 0d0a436f 6e74656e   n: close..Conten
0x000000b0 (00176)   742d4c65 6e677468 3a203239 370d0a43   t-Length: 297..C
0x000000c0 (00192)   6f6e7465 6e742d54 7970653a 20617070   ontent-Type: app
0x000000d0 (00208)   6c696361 74696f6e 2f782d77 77772d66   lication/x-www-f
0x000000e0 (00224)   6f726d2d 75726c65 6e636f64 65640d0a   orm-urlencoded..
0x000000f0 (00240)   0d0a2901                              ..).

0x00000000 (00000)   504f5354 202f6677 6c696e6b 2f3f4c69   POST /fwlink/?Li
0x00000010 (00016)   6e6b4964 3d343533 39362048 5454502f   nkId=45396 HTTP/
0x00000020 (00032)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x00000030 (00048)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000040 (00064)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000050 (00080)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000060 (00096)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x00000070 (00112)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x00000080 (00128)   73743a20 676f2e6d 6963726f 736f6674   st: go.microsoft
0x00000090 (00144)   2e636f6d 0d0a436f 6e6e6563 74696f6e   .com..Connection
0x000000a0 (00160)   3a20636c 6f73650d 0a436f6e 74656e74   : close..Content
0x000000b0 (00176)   2d4c656e 6774683a 20323639 0d0a436f   -Length: 269..Co
0x000000c0 (00192)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x000000d0 (00208)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x000000e0 (00224)   726d2d75 726c656e 636f6465 640d0a0d   rm-urlencoded...
0x000000f0 (00240)   0a0d01                                ...

0x00000000 (00000)   504f5354 202f7375 70706f72 742f6d61   POST /support/ma
0x00000010 (00016)   696e2e68 746d6c20 48545450 2f312e31   in.html HTTP/1.1
0x00000020 (00032)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000030 (00048)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000040 (00064)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000050 (00080)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000060 (00096)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000070 (00112)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000080 (00128)   20777777 2e61646f 62652e63 6f6d0d0a    www.adobe.com..
0x00000090 (00144)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x000000a0 (00160)   650d0a43 6f6e7465 6e742d4c 656e6774   e..Content-Lengt
0x000000b0 (00176)   683a2031 33300d0a 436f6e74 656e742d   h: 130..Content-
0x000000c0 (00192)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x000000d0 (00208)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x000000e0 (00224)   656e636f 6465640d 0a0d0a82            encoded.....

0x00000000 (00000)   504f5354 202f7375 70706f72 742f6d61   POST /support/ma
0x00000010 (00016)   696e2e68 746d6c20 48545450 2f312e31   in.html HTTP/1.1
0x00000020 (00032)   0d0a5573 65722d41 67656e74 3a204d6f   ..User-Agent: Mo
0x00000030 (00048)   7a696c6c 612f342e 30202863 6f6d7061   zilla/4.0 (compa
0x00000040 (00064)   7469626c 653b204d 53494520 362e303b   tible; MSIE 6.0;
0x00000050 (00080)   2057696e 646f7773 204e5420 352e313b    Windows NT 5.1;
0x00000060 (00096)   20535631 3b202e4e 45542043 4c522032    SV1; .NET CLR 2
0x00000070 (00112)   2e302e35 30373237 290d0a48 6f73743a   .0.50727)..Host:
0x00000080 (00128)   20777777 2e61646f 62652e63 6f6d0d0a    www.adobe.com..
0x00000090 (00144)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x000000a0 (00160)   650d0a43 6f6e7465 6e742d4c 656e6774   e..Content-Lengt
0x000000b0 (00176)   683a2033 32390d0a 436f6e74 656e742d   h: 329..Content-
0x000000c0 (00192)   54797065 3a206170 706c6963 6174696f   Type: applicatio
0x000000d0 (00208)   6e2f782d 7777772d 666f726d 2d75726c   n/x-www-form-url
0x000000e0 (00224)   656e636f 6465640d 0a0d0a49 01         encoded....I.

0x00000000 (00000)   504f5354 202f7769 6e646f77 73204854   POST /windows HT
0x00000010 (00016)   54502f31 2e310d0a 55736572 2d416765   TP/1.1..User-Age
0x00000020 (00032)   6e743a20 4d6f7a69 6c6c612f 342e3020   nt: Mozilla/4.0 
0x00000030 (00048)   28636f6d 70617469 626c653b 204d5349   (compatible; MSI
0x00000040 (00064)   4520362e 303b2057 696e646f 7773204e   E 6.0; Windows N
0x00000050 (00080)   5420352e 313b2053 56313b20 2e4e4554   T 5.1; SV1; .NET
0x00000060 (00096)   20434c52 20322e30 2e353037 3237290d    CLR 2.0.50727).
0x00000070 (00112)   0a486f73 743a2077 77772e6d 6963726f   .Host: www.micro
0x00000080 (00128)   736f6674 2e636f6d 0d0a436f 6e6e6563   soft.com..Connec
0x00000090 (00144)   74696f6e 3a20636c 6f73650d 0a436f6e   tion: close..Con
0x000000a0 (00160)   74656e74 2d4c656e 6774683a 20343134   tent-Length: 414
0x000000b0 (00176)   0d0a436f 6e74656e 742d5479 70653a20   ..Content-Type: 
0x000000c0 (00192)   6170706c 69636174 696f6e2f 782d7777   application/x-ww
0x000000d0 (00208)   772d666f 726d2d75 726c656e 636f6465   w-form-urlencode
0x000000e0 (00224)   640d0a0d 0a9e01                       d......

Strings