Field | Value |
---|---|
Analysis Date | 2016-03-14 21:52:08 |
MD5 | fefadce1b6749c84d1cdccf90fe5043c |
SHA1 | 0658d8d53f168b060ef0671278a5abbfb54948b8 |
Static Details:
Field | Value |
---|---|
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
Timestamp | 2015-04-15 01:49:47 |
Packer | Microsoft Visual C++ ?.? |
PEhash | 30b538ed43bd146863fa986763053d395d977222 |
IMPhash | 265c194476bf392c70c5332074f54f8f |

Section | MD5 | SHA1 | Size |
---|---|---|---|
.text | 1eee3970f75774d0ca87fa53a81715ee | 9def27e7ba7f7a0b37d2b6d34098c54128dbe9f4 | 838656 |
.rdata | 492051b061541519321e3883f2f420be | 25c4526b61111b91463a391663174090b0e9fbce | 305152 |
.data | cb05ead4f8ebdf88021e9ed0fda1b9f5 | c9054720a6a882cb15fcfbf8854b6b7ddf33bbf2 | 8192 |

AV Vendor | Detection |
---|---|
CA (E-Trust Ino) | Gen:Variant.Injector.47 |
Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.CE |
Rising | No Virus |
Mcafee | Trojan-FHOH!FEFADCE1B674 |
MicroWorld (escan) | Gen:Variant.Injector.47 |
MalwareBytes | No Virus |
Avira (antivir) | TR/Crypt.ZPACK.236391 |
Ikarus | Trojan.Win32.Crypt |
Frisk (f-prot) | No Virus |
Authentium | W32/Zusy.X.gen!Eldorado |
Emsisoft | Gen:Variant.Injector.47 |
Twister | No Virus |
Ad-Aware | Gen:Variant.Injector.47 |
Zillya! | No Virus |
Kaspersky | Trojan.Win32.Generic |
Trend Micro | No Virus |
Alwil (avast) | Downloader-TLD [Trj] |
Eset (nod32) | Win32/Kryptik.DDQD |
Grisoft (avg) | Win32/Cryptor |
CAT (quickheal) | TrojanSpy.Nivdort.WR4 |
VirusBlokAda (vba32) | No Virus |
Symantec | Downloader.Upatre!g15 |
BullGuard | Gen:Variant.Injector.47 |
Arcabit (arcavir) | Gen:Variant.Injector.47 |
Fortinet | W32/Kryptik.DDQD!tr |
ClamAV | No Virus |
BitDefender | Gen:Variant.Injector.47 |
Dr. Web | No Virus |
K7 | Trojan ( 004cd0081 ) |
F-Secure | Gen:Variant.Injector.47 |
Runtime Details:
Process
↳ C:\malware.exe

Action | Target |
---|---|
Creates File | C:\WINDOWS\system32\jpcfnstgxi\tst |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\a5zermxl25c24tlellepn9r.exe |
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\a5zermxl25c24tlellepn9r.exe |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\a5zermxl25c24tlellepn9r.exe

Action | Target |
---|---|
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Solutions Profile Parental Superfetch ➝ C:\WINDOWS\system32\ylvdydjiqf.exe |
Creates File | C:\WINDOWS\system32\ylvdydjiqf.exe |
Creates File | C:\WINDOWS\system32\drivers\etc\hosts |
Creates File | C:\WINDOWS\system32\jpcfnstgxi\tst |
Creates File | C:\WINDOWS\system32\jpcfnstgxi\etc |
Creates File | C:\WINDOWS\system32\jpcfnstgxi\lck |
Deletes File | C:\WINDOWS\system32\drivers\etc\hosts |
Creates Process | C:\WINDOWS\system32\ylvdydjiqf.exe |
Creates Service | WebClient AutoConfig Collector - C:\WINDOWS\system32\ylvdydjiqf.exe |
Process
↳ Pid 808
Process
↳ Pid 852
Process
↳ C:\WINDOWS\System32\svchost.exe

Action | Target |
---|---|
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\DhcpNameServer ➝ 192.168.254.254\x00 |
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\Parameters\Tcpip\DhcpDefaultGateway ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer ➝ 192.168.254.254\x00 |
Creates File | C:\WINDOWS\Prefetch\YLVDYDJIQF.EXE-37DE25AF.pf |
Creates File | C:\WINDOWS\Prefetch\A5ZERMXL25JAZTLE.EXE-239B96D7.pf |
Creates File | NDIS |
Creates File | C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf |
Creates File | C:\WINDOWS\Prefetch\IWICDJL.EXE-3A281EA7.pf |
Creates File | C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf |
Creates File | C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf |
Creates File | C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf |
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
Creates File | C:\WINDOWS\Prefetch\A5ZERMXL25C24TLELLEPN9R.EXE-1216B8FF.pf |
Creates File | C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf |
Process
↳ Pid 1120
Process
↳ Pid 1208
Process
↳ Pid 1320
Process
↳ Pid 1856
Process
↳ Pid 444
Process
↳ C:\WINDOWS\system32\ylvdydjiqf.exe

Action | Target |
---|---|
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1 |
Creates File | C:\WINDOWS\system32\jpcfnstgxi\rng |
Creates File | C:\WINDOWS\system32\jpcfnstgxi\cfg |
Creates File | C:\WINDOWS\TEMP\a5zermxl25jaztle.exe |
Creates File | pipe\net\NtControlPipe10 |
Creates File | C:\WINDOWS\system32\jpcfnstgxi\tst |
Creates File | C:\WINDOWS\system32\jpcfnstgxi\run |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\WINDOWS\system32\jpcfnstgxi\lck |
Creates File | C:\WINDOWS\system32\iwicdjl.exe |
Deletes File | C:\WINDOWS\TEMP\a5zermxl25jaztle.exe |
Creates Process | C:\WINDOWS\TEMP\a5zermxl25jaztle.exe -r 47515 tcp |
Creates Process | WATCHDOGPROC "c:\windows\system32\ylvdydjiqf.exe" |
Process
↳ C:\WINDOWS\system32\ylvdydjiqf.exe

Action | Target |
---|---|
Creates File | C:\WINDOWS\system32\jpcfnstgxi\tst |
Process
↳ WATCHDOGPROC "c:\windows\system32\ylvdydjiqf.exe"

Action | Target |
---|---|
Creates File | C:\WINDOWS\system32\jpcfnstgxi\tst |
Process
↳ C:\WINDOWS\TEMP\a5zermxl25jaztle.exe -r 47515 tcp

Action | Target |
---|---|
Creates File | \Device\Afd\Endpoint |
Winsock DNS | 239.255.255.250 |
Network Details: