Analysis Date: 2015-08-22 06:39:10
MD5: fe96269320d6542556278a30be0d4c2a
SHA1: 0f4717084730e01219aadf90b619062fc797b0bc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 196076a7cb8a70d1e53174acd9477d43 sha1: d816d56ccdabf6ebe34dd153d11f1e02c0681ac9 size: 841216
Section .rdata md5: 797d501f7f88fbdd603e4b5c5b18e6d0 sha1: 11e8360c1731ff3c86c785dcac4a6248e3278ee1 size: 322560
Section .data md5: abfabc7cb1806e5ac63da718bd3d126c sha1: 43679b6649d86698ea88664bf63f7b9b8d167ba6 size: 8192
Timestamp: 2015-04-15 02:29:28
Packer: Microsoft Visual C++ ?.?
PEhash: ba65e2b916828bbf1113ed416164032bf9382c85
IMPhash: 870f26ff2f1192caa616b38974b04c7b
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/Crypt.Xpack.258907
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Zusy.133308
AV Alwil (avast): Kryptik-PHD [Trj]
AV Eset (nod32): Win32/Kryptik.DDQD
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Kryptik.DDQD!tr
AV BitDefender: Gen:Variant.Zusy.133308
AV K7: Trojan ( 004cd0081 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BN
AV MicroWorld (escan): Gen:Variant.Zusy.133308
AV MalwareBytes: no_virus
AV Authentium: W32/Zusy.X.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Zusy.133308
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Zusy.133308
AV Arcabit (arcavir): Gen:Variant.Zusy.133308
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV F-Secure: Gen:Variant.Zusy.133308

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\lvwfaezgrypl\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\iv9oks0r1lgktav9ulxqdds5.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\iv9oks0r1lgktav9ulxqdds5.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\iv9oks0r1lgktav9ulxqdds5.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Location Spooler Engine PnP-X ➝ C:\WINDOWS\system32\hogqjuckdi.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\lvwfaezgrypl\etc
Creates File: C:\WINDOWS\system32\lvwfaezgrypl\lck
Creates File: C:\WINDOWS\system32\lvwfaezgrypl\tst
Creates File: C:\WINDOWS\system32\hogqjuckdi.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\hogqjuckdi.exe
Creates Service: TP Builder User Launcher Storage - C:\WINDOWS\system32\hogqjuckdi.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1860

Process
↳ Pid 1156

Process
↳ C:\WINDOWS\system32\hogqjuckdi.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\iv9oks0r1tk8tav9u.exe
Creates File: C:\WINDOWS\system32\lvwfaezgrypl\rng
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\lvwfaezgrypl\cfg
Creates File: C:\WINDOWS\system32\lvwfaezgrypl\lck
Creates File: C:\WINDOWS\system32\lvwfaezgrypl\run
Creates File: C:\WINDOWS\system32\lvwfaezgrypl\tst
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\kwatdsqcwjn.exe
Creates Process: C:\WINDOWS\TEMP\iv9oks0r1tk8tav9u.exe -r 33864 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\hogqjuckdi.exe"

Process
↳ C:\WINDOWS\system32\hogqjuckdi.exe

Creates File: C:\WINDOWS\system32\lvwfaezgrypl\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\hogqjuckdi.exe"

Creates File: C:\WINDOWS\system32\lvwfaezgrypl\tst

Process
↳ C:\WINDOWS\TEMP\iv9oks0r1tk8tav9u.exe -r 33864 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: nailthere.net (Type: A) ➝ 98.139.135.129
DNS: groupgrain.net (Type: A) ➝ 208.91.197.241
DNS: threeonly.net (Type: A) ➝ 208.91.197.241
DNS: naildeep.com (Type: A) ➝ 74.220.215.218
DNS: pushpull.net (Type: A) ➝ 207.148.248.143
DNS: longcross.net (Type: A) ➝ 88.208.252.175
DNS: lifecross.net (Type: A) ➝ 50.63.87.9
DNS: shallcross.net (Type: A) ➝ 91.222.8.96
DNS: deepshade.net (Type: A) ➝ 50.63.202.53
DNS: alongthrew.net (Type: A) ➝ 95.211.230.75
DNS: ableread.net (Type: A)
DNS: fearstate.net (Type: A)
DNS: longcold.net (Type: A)
DNS: fridayloss.net (Type: A)
DNS: wrongbelow.net (Type: A)
DNS: hilldance.net (Type: A)
DNS: eggbraker.com (Type: A)
DNS: ithouneed.com (Type: A)
DNS: shallpull.net (Type: A)
DNS: deeppull.net (Type: A)
DNS: pushfruit.net (Type: A)
DNS: fridayfruit.net (Type: A)
DNS: pushrise.net (Type: A)
DNS: fridayrise.net (Type: A)
DNS: pushnoise.net (Type: A)
DNS: fridaynoise.net (Type: A)
DNS: fridaypull.net (Type: A)
DNS: alongfruit.net (Type: A)
DNS: decemberfruit.net (Type: A)
DNS: alongrise.net (Type: A)
DNS: decemberrise.net (Type: A)
DNS: alongnoise.net (Type: A)
DNS: decembernoise.net (Type: A)
DNS: alongpull.net (Type: A)
DNS: decemberpull.net (Type: A)
DNS: longthrew.net (Type: A)
DNS: soilthrew.net (Type: A)
DNS: soilcross.net (Type: A)
DNS: longshade.net (Type: A)
DNS: soilshade.net (Type: A)
DNS: longfloor.net (Type: A)
DNS: soilfloor.net (Type: A)
DNS: wheelthrew.net (Type: A)
DNS: saidthrew.net (Type: A)
DNS: wheelcross.net (Type: A)
DNS: saidcross.net (Type: A)
DNS: wheelshade.net (Type: A)
DNS: saidshade.net (Type: A)
DNS: wheelfloor.net (Type: A)
DNS: saidfloor.net (Type: A)
DNS: stickthrew.net (Type: A)
DNS: ballthrew.net (Type: A)
DNS: stickcross.net (Type: A)
DNS: ballcross.net (Type: A)
DNS: stickshade.net (Type: A)
DNS: ballshade.net (Type: A)
DNS: stickfloor.net (Type: A)
DNS: ballfloor.net (Type: A)
DNS: enemythrew.net (Type: A)
DNS: lifethrew.net (Type: A)
DNS: enemycross.net (Type: A)
DNS: enemyshade.net (Type: A)
DNS: lifeshade.net (Type: A)
DNS: enemyfloor.net (Type: A)
DNS: lifefloor.net (Type: A)
DNS: mouththrew.net (Type: A)
DNS: tillthrew.net (Type: A)
DNS: mouthcross.net (Type: A)
DNS: tillcross.net (Type: A)
DNS: mouthshade.net (Type: A)
DNS: tillshade.net (Type: A)
DNS: mouthfloor.net (Type: A)
DNS: tillfloor.net (Type: A)
DNS: shallthrew.net (Type: A)
DNS: deepthrew.net (Type: A)
DNS: deepcross.net (Type: A)
DNS: shallshade.net (Type: A)
DNS: shallfloor.net (Type: A)
DNS: deepfloor.net (Type: A)
DNS: pushthrew.net (Type: A)
DNS: fridaythrew.net (Type: A)
DNS: pushcross.net (Type: A)
DNS: fridaycross.net (Type: A)
DNS: pushshade.net (Type: A)
DNS: fridayshade.net (Type: A)
DNS: pushfloor.net (Type: A)
DNS: fridayfloor.net (Type: A)
DNS: decemberthrew.net (Type: A)
DNS: alongcross.net (Type: A)
DNS: decembercross.net (Type: A)
DNS: alongshade.net (Type: A)
DNS: decembershade.net (Type: A)
DNS: alongfloor.net (Type: A)
DNS: decemberfloor.net (Type: A)
DNS: longusual.net (Type: A)
DNS: soilusual.net (Type: A)
DNS: longcould.net (Type: A)
HTTP GET: http://nailthere.net/index.php?method=validate&mode=sox&v=048&sox=4b654800&lenhdr (User-Agent: blank)
HTTP GET: http://groupgrain.net/index.php?method=validate&mode=sox&v=048&sox=4b654800&lenhdr (User-Agent: blank)
HTTP GET: http://threeonly.net/index.php?method=validate&mode=sox&v=048&sox=4b654800&lenhdr (User-Agent: blank)
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=048&sox=4b654800&lenhdr (User-Agent: blank)
HTTP GET: http://pushpull.net/index.php?method=validate&mode=sox&v=048&sox=4b654800&lenhdr (User-Agent: blank)
HTTP GET: http://longcross.net/index.php?method=validate&mode=sox&v=048&sox=4b654800&lenhdr (User-Agent: blank)
HTTP GET: http://lifecross.net/index.php?method=validate&mode=sox&v=048&sox=4b654800&lenhdr (User-Agent: blank)
HTTP GET: http://shallcross.net/index.php?method=validate&mode=sox&v=048&sox=4b654800&lenhdr (User-Agent: blank)
HTTP GET: http://deepshade.net/index.php?method=validate&mode=sox&v=048&sox=4b654800&lenhdr (User-Agent: blank)
HTTP GET: http://alongthrew.net/index.php?method=validate&mode=sox&v=048&sox=4b654800&lenhdr (User-Agent: blank)
Flows TCP: 192.168.1.1:1037 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1040 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1041 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1042 ➝ 88.208.252.175:80
Flows TCP: 192.168.1.1:1043 ➝ 50.63.87.9:80
Flows TCP: 192.168.1.1:1044 ➝ 91.222.8.96:80
Flows TCP: 192.168.1.1:1045 ➝ 50.63.202.53:80
Flows TCP: 192.168.1.1:1046 ➝ 95.211.230.75:80
