Analysis Date: 2016-03-14 21:52:08
MD5: fefadce1b6749c84d1cdccf90fe5043c
SHA1: 0658d8d53f168b060ef0671278a5abbfb54948b8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 1eee3970f75774d0ca87fa53a81715ee sha1: 9def27e7ba7f7a0b37d2b6d34098c54128dbe9f4 size: 838656
Section .rdata: md5: 492051b061541519321e3883f2f420be sha1: 25c4526b61111b91463a391663174090b0e9fbce size: 305152
Section .data: md5: cb05ead4f8ebdf88021e9ed0fda1b9f5 sha1: c9054720a6a882cb15fcfbf8854b6b7ddf33bbf2 size: 8192
Timestamp: 2015-04-15 01:49:47
Packer: Microsoft Visual C++ ?.?
PEhash: 30b538ed43bd146863fa986763053d395d977222
IMPhash: 265c194476bf392c70c5332074f54f8f
AV CA (E-Trust Ino): Gen:Variant.Injector.47
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.CE
AV Rising: No Virus
AV McAfee: Trojan-FHOH!FEFADCE1B674
AV MicroWorld (eScan): Gen:Variant.Injector.47
AV MalwareBytes: No Virus
AV Avira (antivir): TR/Crypt.ZPACK.236391
AV Ikarus: Trojan.Win32.Crypt
AV Frisk (f-prot): No Virus
AV Authentium: W32/Zusy.X.gen!Eldorado
AV Emsisoft: Gen:Variant.Injector.47
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Injector.47
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Kryptik.DDQD
AV Grisoft (avg): Win32/Cryptor
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV Symantec: Downloader.Upatre!g15
AV BullGuard: Gen:Variant.Injector.47
AV Arcabit (arcavir): Gen:Variant.Injector.47
AV Fortinet: W32/Kryptik.DDQD!tr
AV ClamAV: No Virus
AV BitDefender: Gen:Variant.Injector.47
AV Dr. Web: No Virus
AV K7: Trojan ( 004cd0081 )
AV F-Secure: Gen:Variant.Injector.47

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\jpcfnstgxi\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\a5zermxl25c24tlellepn9r.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\a5zermxl25c24tlellepn9r.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\a5zermxl25c24tlellepn9r.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Solutions Profile Parental Superfetch ➝ C:\WINDOWS\system32\ylvdydjiqf.exe
Creates File: C:\WINDOWS\system32\ylvdydjiqf.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\jpcfnstgxi\tst
Creates File: C:\WINDOWS\system32\jpcfnstgxi\etc
Creates File: C:\WINDOWS\system32\jpcfnstgxi\lck
Deletes File: C:\WINDOWS\system32\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\ylvdydjiqf.exe
Creates Service: WebClient AutoConfig Collector - C:\WINDOWS\system32\ylvdydjiqf.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\DhcpNameServer ➝ 192.168.254.254\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\Parameters\Tcpip\DhcpDefaultGateway ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer ➝ 192.168.254.254\x00
Creates File: C:\WINDOWS\Prefetch\YLVDYDJIQF.EXE-37DE25AF.pf
Creates File: C:\WINDOWS\Prefetch\A5ZERMXL25JAZTLE.EXE-239B96D7.pf
Creates File: NDIS
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\IWICDJL.EXE-3A281EA7.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\A5ZERMXL25C24TLELLEPN9R.EXE-1216B8FF.pf
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1120

Process
↳ Pid 1208

Process
↳ Pid 1320

Process
↳ Pid 1856

Process
↳ Pid 444

Process
↳ C:\WINDOWS\system32\ylvdydjiqf.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\jpcfnstgxi\rng
Creates File: C:\WINDOWS\system32\jpcfnstgxi\cfg
Creates File: C:\WINDOWS\TEMP\a5zermxl25jaztle.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\jpcfnstgxi\tst
Creates File: C:\WINDOWS\system32\jpcfnstgxi\run
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\jpcfnstgxi\lck
Creates File: C:\WINDOWS\system32\iwicdjl.exe
Deletes File: C:\WINDOWS\TEMP\a5zermxl25jaztle.exe
Creates Process: C:\WINDOWS\TEMP\a5zermxl25jaztle.exe -r 47515 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\ylvdydjiqf.exe"

Process
↳ C:\WINDOWS\system32\ylvdydjiqf.exe

Creates File: C:\WINDOWS\system32\jpcfnstgxi\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\ylvdydjiqf.exe"

Creates File: C:\WINDOWS\system32\jpcfnstgxi\tst

Process
↳ C:\WINDOWS\TEMP\a5zermxl25jaztle.exe -r 47515 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details: