Analysis Date: 2016-03-19 18:59:02
MD5: c9954828810b4f78b6aa4cb15dcacb62
SHA1: e9ac80ece3d9eeef21e5cab7511f481514d9eba1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: fe8058e4006fca7424c964cccc1e0237 sha1: 6a90136fb23058090fc0ffd82a69e9bae3bed020 size: 56320
Section .rdata  md5: 9c9b446a02daa6409c23262139d48cb7 sha1: f300ed7e2b5e7456aaf2f227122fe4346407e8c0 size: 10240
Section .data   md5: 0e85cb31de1e91487f1efeeb96798d88 sha1: 0e272e318acf08ee509b8bddfec94e70e4fe7183 size: 6656
Section .rsrc   md5: 61fb2ab043e33ec214eefc8d3e2a5f91 sha1: 8bd2b04e0bda2ce7cd36a8ef3af990012593a364 size: 11776
Section .reloc  md5: 460ef7efba72f91850c5857a1fe06c27 sha1: 0be8f897c86cc014db78d76cfe94e6a45f0647b5 size: 5120
Timestamp: 2013-02-05 04:03:07
Packer: Microsoft Visual C++ ?.?
PEhash: 002471867be2a3235a3368c638e8b117ca084b94
IMPhash: 4511896d043677e4ab4578dc5bcab5a0
AV Microsoft Security Essentials: Trojan:Win32/Diofopi.F
AV Rising: Trojan.Win32.Generic.1483099E
AV Mcafee: GenericR-GLN!C9954828810B
AV MicroWorld (escan): Gen:Trojan.Heur.RP.fuW@aCHU9Xcj
AV MalwareBytes: Trojan.Agent
AV Avira (antivir): TR/Dropper.Gen7
AV Ikarus: Trojan.Win32.Scar
AV Frisk (f-prot): No Virus
AV Authentium: W32/A-1ec329e0!Eldorado
AV Emsisoft: Gen:Trojan.Heur.RP.fuW@aCHU9Xcj
AV Twister: Trojan.F5D4D60C125C8750
AV Ad-Aware: Gen:Trojan.Heur.RP.fuW@aCHU9Xcj
AV Zillya!: Trojan.Scar.Win32.79088
AV Kaspersky: Trojan.Win32.Scar.hmoa
AV Trend Micro: BKDR_DIOFOPI.SM
AV Alwil (avast): Malware-gen
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Shyape.G
AV Grisoft (avg): Generic32.CQJL
AV CAT (quickheal): Trojan.Diofopi.MUE.E5
AV VirusBlokAda (vba32): Trojan.Scar
AV Symantec: Trojan.Sakurel
AV BullGuard: Gen:Trojan.Heur.RP.fuW@aCHU9Xcj
AV Arcabit (arcavir): Gen:Trojan.Heur.RP.fuW@aCHU9Xcj
AV Fortinet: W32/Shyape.G!tr
AV ClamAV: Win.Trojan.Agent-965389
AV BitDefender: Gen:Trojan.Heur.RP.fuW@aCHU9Xcj
AV Dr. Web: Trojan.DownLoad3.22515
AV K7: Trojan ( 0043a4491 )
AV F-Secure: Gen:Trojan.Heur.RP.fuW@aCHU9Xcj
AV CA (E-Trust Ino): Gen:Trojan.Heur.RP.fuW@aCHU9Xcj

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroMedia ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\MicroMedia\MediaCenter.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\MicroMedia\MediaCenter.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\MicroMedia\MediaCenter.exe
Creates Process: cmd.exe /c ping 127.0.0.1 & del /q C:\malware.exe

Process
↳ cmd.exe /c ping 127.0.0.1 & del /q C:\malware.exe

Creates Process: ping 127.0.0.1

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\MicroMedia\MediaCenter.exe

Process
↳ ping 127.0.0.1

Winsock DNS: 127.0.0.1

Network Details:

DNS: www.polarroute.com (Type: A)

Strings
00-+ CC
.
\
 
.
__
A(null)
eaHAREPMKJ
e@IMJMWPVEPKV
gv}tpfewa
                                 H
         (((((                  H
         h((((                  H
@jjj
jjjj
KERNEL32.DLL
mscoree.dll
xsMJ@KSWxw]WPAI
xSMJ@KSWxW]WPAI
xW]WTVAT
xW]WTVATx
xW]WTVATxW]WTVAT
                          
;-<@<[<
0,020U0\0u0
0/040L0R0a0g0v0|0
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
0 2O2t2W4S6W6[6_6c6g6k6o6|6
030:0@0N0U0Z0c0p0v0
=0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
090?0q0
0A@@Ju
0&cAPiK@QHAbMHAjEIAe
0SSSSS
0WWWWW
1?1X1_1g1l1p1t1
1$2/2M2W2a2s2
141E1P1x1
1&cAPiK@QHAbMHAjEIAs
<%<1<h<q<}<
; ;(;1;:;S;h;
1!sMJa\AG
2$2,242<2D2h3l3p3t3x3|3
2!2K2w2
242]2b2y2
2#444n4{4
2N2T2X2\2`2
3!3K3}3
3#4-4>4U4a4g4q4
38"3$x3.3
3H4\4}4
3Z3`3l3
4(5F5X5v5
:4:I:o:
< ?.?4?N?S?b?k?x?
4rswuvN
4V5\5a5g5n5
5 6-8?8Q8s8
6$61666<6E6N6V6a6f6k6p6z6
6 6(616:6C6N6S6[6j6
6%6:6z6
6"6t6z6
6[7a7z7
6/7H7O7W7\7`7d7
6`7j7w7
6h6m6w6
:):6:=:H:b:
6P7V7\7b7h7n7u7|7
70858:8?8O8~8
?;713?2
7"7'7,777<7D7J7S7X7_7e7
7-7?7E7J7k7
7(7H7h7
7>8D8H8L8P8
83!?;713x7%&
8$8(80848P8\8x8
8!8'8=8D8N9U9
8/8c8i8t8
8)8E8N8T8]8b8q8
8>8H8`8
8:8V8|8
8)919\9e9m9z9
8A8S8a8v8
8;:A:P:]:f:
<8<C<y<
?8?]?p?
8VVVVV
>983/!3::
98:Y:e:
9+929J9V9\9h9w9}9
9%9`9|9
9"9)9.959:9
9 9<9@9`9
9;9m9t9x9|9
9B9k9q9
9B:Q:`:i:~:
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ADVAPI32.dll
AllocateAndInitializeSid
>%a\MPtVKGAWW
=a=m=y>^?t?
An application has made an attempt to load the C runtime library incorrectly.
;a<*=[=q=
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<at9<rt,<wt
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
<&<;<B<H<^<y<
;+;b;s;
@%bVAAhMFVEV]eJ@a\MPpLVAE@
Child ProcessId is %d
cK`ARpKKH
cKhMJO
CloseHandle
cmd.exe
cmd.exe /c 
cmd.exe /c rundll32 "%s" 
CONOUT$
CorExitProcess
/c ping 127.0.0.1 & del /q "%s"
Create Child Cmd.exe Process Succeed!
CreateDirectoryA
CreateFileA
CreatePipe
CreateProcessA
- CRT not initialized
C:\windows\system32\cmd.exe
@.data
dddd, MMMM dd, yyyy
December
DecodePointer
DeleteCriticalSection
%d_of_%d_for_%s_on_%s
DOMAIN error
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
<(=E=L=
EncodePointer
EnterCriticalSection
EqualSid
ExitProcess
ExpandEnvironmentStringsA
February
>F>^>i>
FindClose
FindFirstFileA
FindResourceA
- floating point support not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeSid
Friday
GetACP
GetActiveWindow
GetCommandLineA
GetComputerNameA
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileSize
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetModuleFileNameA
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemDirectoryA
GetSystemTimeAsFileTime
GetTempPathA
GetTickCount
GetTokenInformation
GetUserNameA
GetUserObjectInformationA
GetVersionExA
GetVolumeInformationA
gKcAPkFNAGP
gKmJMPMEHM^A
:':g:y:
`h````
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSize
:(:H:h:
`h`hhh
HH:mm:ss
;(;H;h;t;
HHtXHHt
=$=H=k=
http://
HTTP/1.1
HttpOpenRequestA
HttpSendRequestA
 IAIWAP
 IEHHKG
iexplorer
>If90t
>">:>@>I>`>h>v>
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetOpenUrlA
InternetReadFile
IsDebuggerPresent
IsValidCodePage
IWRGVP
JanFebMarAprMayJunJulAugSepOctNovDec
January
j@j ^V
=)=?=J=O=Z=_=j=o=|=
.jpg?resid=%d
j"^SSSSS
:J;U;_;p;{;.=?=G=M=R=X=
?=?J?V?^?f?r?
KERNEL32.dll
LCMapStringA
LCMapStringW
L$DQUUUj
LeaveCriticalSection
LoadLibraryA
LoadResource
LockResource
MessageBoxA
Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
?;?M?t?
MultiByteToWideChar
mWqWAVeJe@IMJ
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
(null)
oavjah
October
OpenProcess
OpenProcessToken
;&<O<u<{<
PeekNamedPipe
PlayWin32
Playx64
Please contact the application's support team for more information.
PPPPPPPP
Program: 
Program Files (x86)
<program name unknown>
- pure virtual function call
PUVh`EA
<&<p<w<
qeg`HH
QueryPerformanceCounter
QVVVVVVh 
>&>;>R>[>b>h>}>
`.rdata
ReadFile
RegCloseKey
RegDeleteKeyA
RegOpenKeyA
RegSetValueExA
@.reloc
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
?resid=%d&photoid=
rss.tmp
rswuvp
RtlUnwind
runtime error 
Runtime Error!
Saturday
    </security>
    <security>
Self Process Id:%d
September
SetEndOfFile
SetFilePointer
SetHandleCount
SetLastError
SetPriorityClass
SetStdHandle
SetThreadPriority
SetUnhandledExceptionFilter
SHChangeNotify
SHELL32.dll
ShellExecuteA
SING error
SizeofResource
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
^SSSSS
=%s&type=%d&resid=%d
Sunday
SunMonTueWedThuFriSat
teh<[@
TerminateProcess
tGHt.Ht&
tHE]sMJ
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
Thursday
t h`YA
< tK<	tG
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
t"SS9]
t$<"u	3
Tuesday
;t$,v-
tVKCVEI
t+WWVPV
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UNICODE
UQPXY]Y[
URPQQh
USER32.DLL
UTF-16LE
UUUWUU
:':v:|:
VirtualAlloc
VirtualFree
v	N+D$
Wednesday
 wHAAT
WideCharToMultiByte
WinExec
WININET.dll
%wLAHHa\AGQPAa\s
wlgVAEPAmPAIbVKItEVWMJCjEIA
WriteConsoleA
WriteConsoleW
WriteFile
/!WTVMJPB
^WWWWW
!!!x89$">&9:3$9#"3x59;
!!!x&9:7$$9#"3x59;
xppwpp
xpxxxx
y ?3!&>9"9x7%&
y&>9"9y
>=Yt1j
<,<?<z<