Analysis | #totalhash

Analysis Date	2016-03-14 21:52:08
MD5	fefadce1b6749c84d1cdccf90fe5043c
SHA1	0658d8d53f168b060ef0671278a5abbfb54948b8

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 1eee3970f75774d0ca87fa53a81715ee sha1: 9def27e7ba7f7a0b37d2b6d34098c54128dbe9f4 size: 838656
Section	.rdata md5: 492051b061541519321e3883f2f420be sha1: 25c4526b61111b91463a391663174090b0e9fbce size: 305152
Section	.data md5: cb05ead4f8ebdf88021e9ed0fda1b9f5 sha1: c9054720a6a882cb15fcfbf8854b6b7ddf33bbf2 size: 8192
Timestamp	2015-04-15 01:49:47
Packer	Microsoft Visual C++ ?.?
PEhash	30b538ed43bd146863fa986763053d395d977222
IMPhash	265c194476bf392c70c5332074f54f8f
AV	CA (E-Trust Ino)	Gen:Variant.Injector.47
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.CE
AV	Rising	No Virus
AV	Mcafee	Trojan-FHOH!FEFADCE1B674
AV	MicroWorld (escan)	Gen:Variant.Injector.47
AV	MalwareBytes	No Virus
AV	Avira (antivir)	TR/Crypt.ZPACK.236391
AV	Ikarus	Trojan.Win32.Crypt
AV	Frisk (f-prot)	No Virus
AV	Authentium	W32/Zusy.X.gen!Eldorado
AV	Emsisoft	Gen:Variant.Injector.47
AV	Twister	No Virus
AV	Ad-Aware	Gen:Variant.Injector.47
AV	Zillya!	No Virus
AV	Kaspersky	Trojan.Win32.Generic
AV	Trend Micro	No Virus
AV	Alwil (avast)	Downloader-TLD [Trj]
AV	Eset (nod32)	Win32/Kryptik.DDQD
AV	Grisoft (avg)	Win32/Cryptor
AV	CAT (quickheal)	TrojanSpy.Nivdort.WR4
AV	VirusBlokAda (vba32)	No Virus
AV	Symantec	Downloader.Upatre!g15
AV	BullGuard	Gen:Variant.Injector.47
AV	Arcabit (arcavir)	Gen:Variant.Injector.47
AV	Fortinet	W32/Kryptik.DDQD!tr
AV	ClamAV	No Virus
AV	BitDefender	Gen:Variant.Injector.47
AV	Dr. Web	No Virus
AV	K7	Trojan ( 004cd0081 )
AV	F-Secure	Gen:Variant.Injector.47

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\WINDOWS\system32\jpcfnstgxi\tst
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\a5zermxl25c24tlellepn9r.exe
Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\a5zermxl25c24tlellepn9r.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\a5zermxl25c24tlellepn9r.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Solutions Profile Parental Superfetch ➝ C:\WINDOWS\system32\ylvdydjiqf.exe
Creates File	C:\WINDOWS\system32\ylvdydjiqf.exe
Creates File	C:\WINDOWS\system32\drivers\etc\hosts
Creates File	C:\WINDOWS\system32\jpcfnstgxi\tst
Creates File	C:\WINDOWS\system32\jpcfnstgxi\etc
Creates File	C:\WINDOWS\system32\jpcfnstgxi\lck
Deletes File	C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process	C:\WINDOWS\system32\ylvdydjiqf.exe
Creates Service	WebClient AutoConfig Collector - C:\WINDOWS\system32\ylvdydjiqf.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\DhcpNameServer ➝ 192.168.254.254\\x00
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\Parameters\Tcpip\DhcpDefaultGateway ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer ➝ 192.168.254.254\\x00
Creates File	C:\WINDOWS\Prefetch\YLVDYDJIQF.EXE-37DE25AF.pf
Creates File	C:\WINDOWS\Prefetch\A5ZERMXL25JAZTLE.EXE-239B96D7.pf
Creates File	NDIS
Creates File	C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File	C:\WINDOWS\Prefetch\IWICDJL.EXE-3A281EA7.pf
Creates File	C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File	C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File	C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File	PIPE\lsarpc
Creates File	\Device\Afd\Endpoint
Creates File	C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File	C:\WINDOWS\Prefetch\A5ZERMXL25C24TLELLEPN9R.EXE-1216B8FF.pf
Creates File	C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1120

Process
↳ Pid 1208

Process
↳ Pid 1320

Process
↳ Pid 1856

Process
↳ Pid 444

Process
↳ C:\WINDOWS\system32\ylvdydjiqf.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File	C:\WINDOWS\system32\jpcfnstgxi\rng
Creates File	C:\WINDOWS\system32\jpcfnstgxi\cfg
Creates File	C:\WINDOWS\TEMP\a5zermxl25jaztle.exe
Creates File	pipe\net\NtControlPipe10
Creates File	C:\WINDOWS\system32\jpcfnstgxi\tst
Creates File	C:\WINDOWS\system32\jpcfnstgxi\run
Creates File	\Device\Afd\Endpoint
Creates File	C:\WINDOWS\system32\jpcfnstgxi\lck
Creates File	C:\WINDOWS\system32\iwicdjl.exe
Deletes File	C:\WINDOWS\TEMP\a5zermxl25jaztle.exe
Creates Process	C:\WINDOWS\TEMP\a5zermxl25jaztle.exe -r 47515 tcp
Creates Process	WATCHDOGPROC "c:\windows\system32\ylvdydjiqf.exe"

Process
↳ C:\WINDOWS\system32\ylvdydjiqf.exe

Creates File	C:\WINDOWS\system32\jpcfnstgxi\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\ylvdydjiqf.exe"

Creates File	C:\WINDOWS\system32\jpcfnstgxi\tst

Process
↳ C:\WINDOWS\TEMP\a5zermxl25jaztle.exe -r 47515 tcp

Creates File	\Device\Afd\Endpoint
Winsock DNS	239.255.255.250

Network Details:

DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	nailthere.net Type: A 98.139.135.129
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	groupgrain.net Type: A 208.91.197.241
DNS	threeonly.net Type: A 208.91.197.241
DNS	naildeep.com Type: A 74.220.215.218
DNS	yourpass.net Type: A 160.153.16.67
DNS	viewagain.net Type: A 208.91.197.27
DNS	plantpass.net Type: A 188.93.8.43
DNS	plantstand.net Type: A 72.52.4.119
DNS	fallagain.net Type: A 195.22.28.196
DNS	fallagain.net Type: A 195.22.28.197
DNS	fallagain.net Type: A 195.22.28.198
DNS	fallagain.net Type: A 195.22.28.199
DNS	verypass.net Type: A 170.130.204.100
DNS	takepass.net Type: A 127.0.0.1
DNS	waitsugar.net Type: A 208.100.26.234
DNS	ableread.net Type: A
DNS	fearstate.net Type: A
DNS	longcold.net Type: A
DNS	fridayloss.net Type: A
DNS	wrongbelow.net Type: A
DNS	hilldance.net Type: A
DNS	eggbraker.com Type: A
DNS	ithouneed.com Type: A
DNS	triessugar.net Type: A
DNS	yoursugar.net Type: A
DNS	triesstand.net Type: A
DNS	yourstand.net Type: A
DNS	lrstnagain.net Type: A
DNS	lrstnpass.net Type: A
DNS	viewpass.net Type: A
DNS	lrstnsugar.net Type: A
DNS	viewsugar.net Type: A
DNS	lrstnstand.net Type: A
DNS	viewstand.net Type: A
DNS	plantagain.net Type: A
DNS	fillagain.net Type: A
DNS	fillpass.net Type: A
DNS	plantsugar.net Type: A
DNS	fillsugar.net Type: A
DNS	fillstand.net Type: A
DNS	senseagain.net Type: A
DNS	learnagain.net Type: A
DNS	sensepass.net Type: A
DNS	learnpass.net Type: A
DNS	sensesugar.net Type: A
DNS	learnsugar.net Type: A
DNS	sensestand.net Type: A
DNS	learnstand.net Type: A
DNS	toreagain.net Type: A
DNS	torepass.net Type: A
DNS	fallpass.net Type: A
DNS	toresugar.net Type: A
DNS	fallsugar.net Type: A
DNS	torestand.net Type: A
DNS	fallstand.net Type: A
DNS	weekagain.net Type: A
DNS	veryagain.net Type: A
DNS	weekpass.net Type: A
DNS	weeksugar.net Type: A
DNS	verysugar.net Type: A
DNS	weekstand.net Type: A
DNS	verystand.net Type: A
DNS	pieceagain.net Type: A
DNS	muchagain.net Type: A
DNS	piecepass.net Type: A
DNS	muchpass.net Type: A
DNS	piecesugar.net Type: A
DNS	muchsugar.net Type: A
DNS	piecestand.net Type: A
DNS	muchstand.net Type: A
DNS	waitagain.net Type: A
DNS	takeagain.net Type: A
DNS	waitpass.net Type: A
DNS	takesugar.net Type: A
DNS	waitstand.net Type: A
DNS	takestand.net Type: A
DNS	sorrystep.net Type: A
DNS	fiftystep.net Type: A
DNS	sorryplain.net Type: A
DNS	fiftyplain.net Type: A
DNS	sorrygrown.net Type: A
DNS	fiftygrown.net Type: A
DNS	sorryblack.net Type: A
DNS	fiftyblack.net Type: A
DNS	theirstep.net Type: A
DNS	likrstep.net Type: A
DNS	theirplain.net Type: A
DNS	likrplain.net Type: A
DNS	theirgrown.net Type: A
DNS	likrgrown.net Type: A
HTTP GET	http://longcold.net/index.php?method=validate&mode=sox&v=048&sox=4e9bca00&lenhdr User-Agent:
HTTP GET	http://nailthere.net/index.php?method=validate&mode=sox&v=048&sox=4e9bca00&lenhdr User-Agent:
HTTP GET	http://fridayloss.net/index.php?method=validate&mode=sox&v=048&sox=4e9bca00&lenhdr User-Agent:
HTTP GET	http://groupgrain.net/index.php?method=validate&mode=sox&v=048&sox=4e9bca00&lenhdr User-Agent:
HTTP GET	http://threeonly.net/index.php?method=validate&mode=sox&v=048&sox=4e9bca00&lenhdr User-Agent:
HTTP GET	http://naildeep.com/index.php?method=validate&mode=sox&v=048&sox=4e9bca00&lenhdr User-Agent:
HTTP GET	http://yourpass.net/index.php?method=validate&mode=sox&v=048&sox=4e9bca00&lenhdr User-Agent:
HTTP GET	http://viewagain.net/index.php?method=validate&mode=sox&v=048&sox=4e9bca00&lenhdr User-Agent:
HTTP GET	http://plantpass.net/index.php?method=validate&mode=sox&v=048&sox=4e9bca00&lenhdr User-Agent:
HTTP GET	http://plantstand.net/index.php?method=validate&mode=sox&v=048&sox=4e9bca00&lenhdr User-Agent:
HTTP GET	http://fallagain.net/index.php?method=validate&mode=sox&v=048&sox=4e9bca00&lenhdr User-Agent:
HTTP GET	http://verypass.net/index.php?method=validate&mode=sox&v=048&sox=4e9bca00&lenhdr User-Agent:
HTTP GET	http://waitsugar.net/index.php?method=validate&mode=sox&v=048&sox=4e9bca00&lenhdr User-Agent:
Flows TCP	192.168.1.1:1042 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1043 ➝ 98.139.135.129:80
Flows TCP	192.168.1.1:1044 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1045 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1051 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1052 ➝ 74.220.215.218:80
Flows TCP	192.168.1.1:1053 ➝ 160.153.16.67:80
Flows TCP	192.168.1.1:1054 ➝ 208.91.197.27:80
Flows TCP	192.168.1.1:1055 ➝ 188.93.8.43:80
Flows TCP	192.168.1.1:1056 ➝ 72.52.4.119:80
Flows TCP	192.168.1.1:1057 ➝ 195.22.28.196:80
Flows TCP	192.168.1.1:1058 ➝ 170.130.204.100:80
Flows TCP	192.168.1.1:1060 ➝ 208.100.26.234:80

Raw Pcap

Strings