Analysis Date: 2015-11-05 05:05:56
MD5: 6de9abc9eb1880d0ab337125060bf354
SHA1: 08f916e2ce9af1af0d4966302a435556f9f7683b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 356756b135d516fe4d49ac7632415f3e sha1: 6ffe3bd1af7a46a0e3d4817c3fbfc32f0c44eb37 size: 1150464
Section .rdata: md5: d209fd358180e95f3d6470b98eaa45c5 sha1: 687fe11d9160dc09ea353bafa1ea861d6ad4a848 size: 318464
Section .data: md5: f89f5051d9aae71411b1fa603b7dd8ac sha1: e27bd31b18ebf10cd915f6a39269409195d95746 size: 8192
Section .reloc: md5: 57826b171baac0bca6d87f7f2fb6b8b0 sha1: 4e261ee99bb0e406bf3776b380e5e34e01fe6951 size: 142848
Timestamp: 2015-05-11 04:39:44
Packer: VC8 -> Microsoft Corporation
PEhash: 5ce824f621e52254934c3fbbadd954548c5a4b50
IMPhash: 5c5dfca1a7b9b25be6801be226296861
AV Rising: 0x59327ceb
AV Mcafee: Trojan-FGIJ!6DE9ABC9EB18
AV Avira (antivir): TR/Crypt.Xpack.309544
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Kazy.611782
AV Alwil (avast): Dropper-OJQ [Drp]
AV Eset (nod32): Win32/Bayrob.Y
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Bayrob.X!tr
AV BitDefender: Gen:Variant.Kazy.611782
AV K7: Trojan ( 004c77f41 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BN
AV MicroWorld (escan): Gen:Variant.Kazy.611782
AV MalwareBytes: no_virus
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Kazy.611782
AV Zillya!: Backdoor.SoxGrave.Win32.450
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.611782
AV Arcabit (arcavir): Gen:Variant.Kazy.611782
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.5
AV F-Secure: Gen:Variant.Kazy.611782
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\crywoi1ldzfwshswwm1y.exe
Creates File: C:\WINDOWS\system32\fmwlquzneyjpul\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\crywoi1ldzfwshswwm1y.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\crywoi1ldzfwshswwm1y.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Socket Process AuthIP Health ➝ C:\WINDOWS\system32\duhozlt.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\duhozlt.exe
Creates File: C:\WINDOWS\system32\fmwlquzneyjpul\tst
Creates File: C:\WINDOWS\system32\fmwlquzneyjpul\etc
Creates File: C:\WINDOWS\system32\fmwlquzneyjpul\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\duhozlt.exe
Creates Service: Tablet DHCP Filtering Auto UPnP Program - C:\WINDOWS\system32\duhozlt.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1856

Process
↳ Pid 1132

Process
↳ C:\WINDOWS\system32\duhozlt.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\fmwlquzneyjpul\run
Creates File: C:\WINDOWS\system32\fmwlquzneyjpul\rng
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\TEMP\crywoi1t20fwsh.exe
Creates File: C:\WINDOWS\system32\fmwlquzneyjpul\tst
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\fmwlquzneyjpul\cfg
Creates File: C:\WINDOWS\system32\wpuxprrs.exe
Creates File: C:\WINDOWS\system32\fmwlquzneyjpul\lck
Creates Process: C:\WINDOWS\TEMP\crywoi1t20fwsh.exe -r 44121 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\duhozlt.exe"

Process
↳ C:\WINDOWS\system32\duhozlt.exe

Creates File: C:\WINDOWS\system32\fmwlquzneyjpul\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\duhozlt.exe"

Creates File: C:\WINDOWS\system32\fmwlquzneyjpul\tst

Process
↳ C:\WINDOWS\TEMP\crywoi1t20fwsh.exe -r 44121 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

