Analysis Date: 2015-10-22 04:47:18
MD5: d81a5a932804fc4a4e9a66f4368f299f
SHA1: 0c3ad939d6198a4c7834e7b5ab6adff227851177

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: e76bc9456fc7695245084d838ec8dbe4 sha1: 88f44f779ed4ef8b59402356d8f7e252c8fa2896 size: 334336
Section .rdata md5: 2d14353acbfbc1ef70259ad0e6539042 sha1: 9f2f2a92785c01e076fb6ace4a63cd2713bdb52d size: 153088
Section .data  md5: b88c6f81271680f45fc4793954eba410 sha1: e3d33e0ccb8c536c5333d2b38fb9a3bfe14fec5e size: 26624
Section .rsrc  md5: a72d3a2240093e1271d5bd0cb124b4e4 sha1: aeae634ab514456c097c95d7d7e263638ec0eb74 size: 2239488
Timestamp: 1970-01-01 01:15:59 (a near-zero PE TimeDateStamp; not a plausible build time, so treat it as cleared or forged)
Pdb path: C:\Bin\setup.pdb
Version: LegalCopyright: Copyright © 2013
FileVersion: 3, 15, 8, 2910
CompanyName: MICROSOFT
ProductName: sunshine
ProductVersion: 1, 0, 0, 2
OriginalFilename: tomgo
Packer: Microsoft Visual C++ ?.?
PEhash: e278fa0be89bfbe7e98218f355c8d62bbc8acc89
IMPhash: 5f183cf8d571f9e14eed0cddfa97d0e0
AV MalwareBytes: No Virus
AV Padvish: No Virus
AV Ikarus: PUA.Zzinfor
AV Microsoft Security Essentials: Trojan:Win32/Rofin!rfn
AV MicroWorld (escan): Gen:Variant.Zusy.118140
AV Fortinet: W32/Daws.DTDJ!tr
AV Grisoft (avg): Hider.ADZR.dropper
AV K7: Adware ( 004b8eb11 )
AV Kaspersky: Trojan-Dropper.Win32.Daws.dtdj
AV Mcafee: GenericR-ESN!D81A5A932804
AV F-Secure: Gen:Variant.Zusy.118140
AV Eset (nod32): No Virus
AV Frisk (f-prot): W32/SYStroj.N.gen!Eldorado
AV Ad-Aware: Gen:Variant.Zusy.118140
AV BullGuard: Gen:Variant.Zusy.118140
AV Alwil (avast): Win32:Trojan-gen
AV Authentium: W32/Trojan.RIYT-3285
AV CA (E-Trust Ino): No Virus
AV CAT (quickheal): Backdoor.Dusenr.08124
AV Avira (antivir): TR/Downloader.Gen7
AV ClamAV: Win.Trojan.Ascii.115_238_251_56-1
AV Dr. Web: Trojan.Rootkit.15981
AV Arcabit (arcavir): Trojan.Generic.14934268
AV BitDefender: Gen:Variant.Zusy.118140
AV Emsisoft: Gen:Variant.Zusy.118140

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\123\AddShExe ➝ NULL
Registry: HKEY_CLASSES_ROOT\Microsoft.IE\ ➝ C:\violet.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonZoneCrossing ➝ NULL
Creates File: C:\DProEx.sys
Creates File: C:\configWord.cf
Creates File: C:\reTcp.sys
Creates File: DProEx
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\violet.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\config.ini
Creates File: C:\Windows\System32\clk.ini
Creates File: C:\WINDOWS\he1p
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: FixTool
Creates File: C:\Windows\System32\cBLK.dll
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Service: DProEx.sys - C:\DProEx.sys
Creates Service: reTcp.sys - C:\reTcp.sys
Starts Service: DProEx
Starts Service: FixTool
Winsock URL: http://ad.zzinfor.cn/static/hotkey.txt

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 844

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates FileC:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates FileC:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates FileC:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates FileC:\WINDOWS\Prefetch\0C3AD939D6198A4C7834E7B5AB6AD-329CEA02.pf
Creates FileC:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates FileC:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates FileC:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf
Creates FileC:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL

Process
↳ Pid 1856

Process
↳ C:\WINDOWS\system32\svchost.exe

Network Details:

DNS: 1st.ecoma.ourwebpic.com
Type: A ➝ 8.37.235.3, 8.37.235.5, 8.37.235.6, 8.37.236.2, 8.37.236.3, 8.37.236.5, 8.37.236.6, 8.37.231.20, 8.37.231.21, 8.37.231.22, 8.37.234.3, 8.37.234.4
DNS: ad.zzinfor.cn
Type: A ➝ (no answer recorded)
HTTP GET: http://ad.zzinfor.cn/static/hotkey.txt
User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 8.37.235.3:80
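The record lines above are what an analyst actually works from, so here is an added example (not part of the sandbox report and not tooling from any of the AV vendors listed) of turning them into structured indicators. The script parses the report's file, service, registry, URL, DNS and flow records, accepting both the raw flattened form the sandbox exports (key glued to value, registry data and DNS answers on the following lines) and the "Key: value" form; the sample input is constructed from this report's own lines. The one detection it runs, flagging a .sys registered as a service from outside %SystemRoot%\System32\drivers, is this example's own rule, chosen because DProEx.sys and reTcp.sys are installed straight from C:\ here. The defang helper is likewise the example's own.

```python
"""Turn the sandbox's flattened report lines into structured, checkable IOCs."""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of this report's runtime and network lines, in the
# raw flattened form the sandbox exports. The parser also accepts "Key: value".
SAMPLE_REPORT = r"""
RegistryHKEY_CLASSES_ROOT\Microsoft.IE\ ➝
C:\violet.exe
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonZoneCrossing ➝
NULL
Creates FileC:\DProEx.sys
Creates FileC:\reTcp.sys
Creates FileC:\Windows\System32\cBLK.dll
Creates ServiceDProEx.sys - C:\DProEx.sys
Creates ServicereTcp.sys - C:\reTcp.sys
Starts ServiceDProEx
Winsock URLhttp://ad.zzinfor.cn/static/hotkey.txt
DNS1st.ecoma.ourwebpic.com
Type: A
8.37.235.3
DNS1st.ecoma.ourwebpic.com
Type: A
8.37.235.5
DNSad.zzinfor.cn
Type: A
HTTP GEThttp://ad.zzinfor.cn/static/hotkey.txt
Flows TCP192.168.1.1:1031 ➝ 8.37.235.3:80
"""

# Record types handled. None is a prefix of another, so match order does not matter.
PREFIXES = ("Creates File", "Creates Service", "Starts Service",
            "Winsock URL", "HTTP GET", "Flows TCP", "Registry", "DNS")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_report(text: str) -> dict:
    """Walk the report once, consuming continuation lines where a record has them."""
    iocs = {"files": [], "services": {}, "started": [], "registry": {},
            "urls": [], "dns": {}, "flows": []}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        for prefix in PREFIXES:
            if line.startswith(prefix):
                value = line[len(prefix):].lstrip(":").strip()
                break
        else:
            continue  # process headers, already-consumed answers, blank lines
        if prefix == "Creates File":
            iocs["files"].append(value)
        elif prefix == "Creates Service":
            name, _, path = value.partition(" - ")
            iocs["services"][name] = path
        elif prefix == "Starts Service":
            iocs["started"].append(value)
        elif prefix == "Registry":
            key, _, data = value.partition("➝")
            data = data.strip()
            if not data:  # written value is on the next line
                data = lines[i].strip() if i < len(lines) else "NULL"
                i += 1
            iocs["registry"][key.strip()] = None if data == "NULL" else data
        elif prefix in ("Winsock URL", "HTTP GET"):
            if value not in iocs["urls"]:
                iocs["urls"].append(value)
        elif prefix == "DNS":
            answers = iocs["dns"].setdefault(value, [])
            if i < len(lines) and lines[i].startswith("Type:"):
                _, arrow, inline = lines[i].partition("➝")
                i += 1
                if arrow:  # answers listed on the Type line itself
                    answers.extend(a.strip() for a in inline.split(",")
                                   if IPV4.match(a.strip()))
                elif i < len(lines) and IPV4.match(lines[i]):  # or on the next line
                    answers.append(lines[i])
                    i += 1
        elif prefix == "Flows TCP":
            src, _, dst = value.partition("➝")
            iocs["flows"].append((src.strip(), dst.strip()))
    return iocs


def suspicious_driver_services(iocs: dict) -> list:
    """Kernel drivers (.sys) registered as services from outside System32\\drivers.

    Example's own rule: legitimate drivers live under %SystemRoot%\\System32\\drivers,
    so a .sys service binary anywhere else (C:\\DProEx.sys here) is flagged."""
    hits = []
    for name, path in iocs["services"].items():
        low = path.lower()
        if low.endswith(".sys") and "\\system32\\drivers\\" not in low:
            hits.append((name, path))
    return hits


def defang(url: str) -> str:
    """Make a URL safe to paste into a ticket: hxxp:// and [.] in the host."""
    p = urlparse(url)
    return f"{p.scheme.replace('http', 'hxxp')}://{p.netloc.replace('.', '[.]')}{p.path}"


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for name, path in suspicious_driver_services(report):
        print(f"driver service outside System32\\drivers: {name} -> {path}")
    for url in report["urls"]:
        print("config fetch:", defang(url))
    for host, ips in report["dns"].items():
        print(f"DNS {host}: {', '.join(ips) or 'no answer recorded'}")
```

The parser keeps the first-seen order of records and merges repeated DNS lines for the same name into one answer list, which is how the twelve 1st.ecoma.ourwebpic.com answers above collapse into a single indicator; a name that resolved to nothing (ad.zzinfor.cn in this run) still appears, with an empty list, so the unanswered lookup is not lost.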
