Analysis Date: 2016-03-14 15:33:05
MD5: f7135cd1ac68a8d6d9e188895ba7782f
SHA1: 21a643eb34fe7447558164fabe09e1e55f5e371d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: f2d9535b21fd1bc64ec83855f31b1931 sha1: 10772a382b2dbcb34678d2b5770ab2571a72907b size: 798720
Section .rdata md5: 78b044c6b78a8c04731c1f5d92063145 sha1: c948cadc64cd4f0d78dde4edc4004815d0971c8c size: 60416
Section .data md5: adce84fc38b95382160111b1527023f2 sha1: 32c2f2927d0555a560676cf3ebf103b77cb72937 size: 426496
Timestamp: 2014-11-28 22:59:19
Packer: Microsoft Visual C++ ?.?
PEhash: 3343ac5a5db0984e6f0abe34926649eb2aeab78b
IMPhash: ca2a663f090c4cd1fb02a8f9ed7d8297
AV CA (E-Trust Ino): Gen:Variant.Symmi.22722
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BW
AV Rising: No Virus
AV Mcafee: No Virus
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.FakePDF
AV Avira (antivir): BDS/Zegost.Gen
AV Ikarus: Trojan.Crypt3
AV Frisk (f-prot): No Virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Emsisoft: Gen:Variant.Symmi.22722
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_WONTON.SMJ1
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Kryptik.CCLE
AV Grisoft (avg): Win32/Cryptor
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV Symantec: Downloader.Upatre!g15
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV Fortinet: W32/Kryptik.DDQD!tr
AV ClamAV: No Virus
AV BitDefender: Gen:Variant.Symmi.22722
AV Dr. Web: No Virus
AV K7: Trojan ( 004cd0081 )
AV F-Secure: Gen:Variant.Symmi.22722

Runtime Details:

Process
↳ C:\malware.exe

Creates File C:\WINDOWS\system32\rxmlzvkdcocwf\tst
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\xjsvlsd1l3zejxhibul4uec.exe
Creates Process C:\Documents and Settings\Administrator\Local Settings\Temp\xjsvlsd1l3zejxhibul4uec.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\xjsvlsd1l3zejxhibul4uec.exe

Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IP Provider Tools Health DHCP Browser ➝ C:\WINDOWS\system32\oyuhvfpcs.exe
Creates File C:\WINDOWS\system32\drivers\etc\hosts
Creates File C:\WINDOWS\system32\rxmlzvkdcocwf\tst
Creates File C:\WINDOWS\system32\rxmlzvkdcocwf\etc
Creates File C:\WINDOWS\system32\rxmlzvkdcocwf\lck
Creates File C:\WINDOWS\system32\oyuhvfpcs.exe
Deletes File C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process C:\WINDOWS\system32\oyuhvfpcs.exe
Creates Service Brightness Transaction Endpoint Connections - C:\WINDOWS\system32\oyuhvfpcs.exe

Process
↳ Pid 828

Process
↳ Pid 876

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File PIPE\lsarpc
Creates File \Device\Afd\Endpoint
Creates File C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1136

Process
↳ Pid 1232

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File WMIDataDevice

Process
↳ Pid 1900

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\oyuhvfpcs.exe

Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File C:\WINDOWS\TEMP\xjsvlsd1rztejxhi.exe
Creates File C:\WINDOWS\system32\rxmlzvkdcocwf\rng
Creates File C:\WINDOWS\system32\rxmlzvkdcocwf\run
Creates File C:\WINDOWS\system32\rxmlzvkdcocwf\tst
Creates File pipe\net\NtControlPipe10
Creates File C:\WINDOWS\system32\rxmlzvkdcocwf\lck
Creates File C:\WINDOWS\system32\pyrhzpdipfy.exe
Creates File \Device\Afd\Endpoint
Creates File C:\WINDOWS\system32\rxmlzvkdcocwf\cfg
Creates Process C:\WINDOWS\TEMP\xjsvlsd1rztejxhi.exe -r 51299 tcp
Creates Process WATCHDOGPROC "c:\windows\system32\oyuhvfpcs.exe"

Process
↳ C:\WINDOWS\system32\oyuhvfpcs.exe

Creates File C:\WINDOWS\system32\rxmlzvkdcocwf\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\oyuhvfpcs.exe"

Creates File C:\WINDOWS\system32\rxmlzvkdcocwf\tst

Process
↳ C:\WINDOWS\TEMP\xjsvlsd1rztejxhi.exe -r 51299 tcp

Creates File \Device\Afd\Endpoint
Winsock DNS 239.255.255.250

Network Details:

DNS saltsecond.net (Type: A) ➝ 74.220.199.6
DNS learncook.net (Type: A) ➝ 121.254.178.252
DNS learnnext.net (Type: A) ➝ 216.21.239.197
DNS fallcook.net (Type: A) ➝ 195.22.28.199
DNS fallcook.net (Type: A) ➝ 195.22.28.196
DNS fallcook.net (Type: A) ➝ 195.22.28.197
DNS fallcook.net (Type: A) ➝ 195.22.28.198
DNS weektall.net (Type: A) ➝ 208.100.26.234
DNS verycook.net (Type: A) ➝ 68.64.161.187
DNS yourpass.net (Type: A) ➝ 160.153.16.67
DNS viewagain.net (Type: A) ➝ 208.91.197.27
DNS plantpass.net (Type: A) ➝ 188.93.8.43
DNS plantstand.net (Type: A) ➝ 72.52.4.119
DNS southblood.net (Type: A)
DNS pickgrave.net (Type: A)
DNS ableread.net (Type: A)
DNS roomstock.net (Type: A)
DNS watcheasy.net (Type: A)
DNS uponmail.net (Type: A)
DNS takenhand.net (Type: A)
DNS watchsince.net (Type: A)
DNS spotdont.net (Type: A)
DNS offeraunt.net (Type: A)
DNS madethan.net (Type: A)
DNS drinkwide.net (Type: A)
DNS pickmake.net (Type: A)
DNS whomfifth.net (Type: A)
DNS lrstnnext.net (Type: A)
DNS viewnext.net (Type: A)
DNS lrstnbeen.net (Type: A)
DNS viewbeen.net (Type: A)
DNS planttall.net (Type: A)
DNS filltall.net (Type: A)
DNS plantcook.net (Type: A)
DNS fillcook.net (Type: A)
DNS plantnext.net (Type: A)
DNS fillnext.net (Type: A)
DNS plantbeen.net (Type: A)
DNS fillbeen.net (Type: A)
DNS sensetall.net (Type: A)
DNS learntall.net (Type: A)
DNS sensecook.net (Type: A)
DNS sensenext.net (Type: A)
DNS sensebeen.net (Type: A)
DNS learnbeen.net (Type: A)
DNS toretall.net (Type: A)
DNS falltall.net (Type: A)
DNS torecook.net (Type: A)
DNS torenext.net (Type: A)
DNS fallnext.net (Type: A)
DNS torebeen.net (Type: A)
DNS fallbeen.net (Type: A)
DNS verytall.net (Type: A)
DNS weekcook.net (Type: A)
DNS weeknext.net (Type: A)
DNS verynext.net (Type: A)
DNS weekbeen.net (Type: A)
DNS verybeen.net (Type: A)
DNS piecetall.net (Type: A)
DNS muchtall.net (Type: A)
DNS piececook.net (Type: A)
DNS muchcook.net (Type: A)
DNS piecenext.net (Type: A)
DNS muchnext.net (Type: A)
DNS piecebeen.net (Type: A)
DNS muchbeen.net (Type: A)
DNS waittall.net (Type: A)
DNS taketall.net (Type: A)
DNS waitcook.net (Type: A)
DNS takecook.net (Type: A)
DNS waitnext.net (Type: A)
DNS takenext.net (Type: A)
DNS waitbeen.net (Type: A)
DNS takebeen.net (Type: A)
DNS triesagain.net (Type: A)
DNS youragain.net (Type: A)
DNS triespass.net (Type: A)
DNS triessugar.net (Type: A)
DNS yoursugar.net (Type: A)
DNS triesstand.net (Type: A)
DNS yourstand.net (Type: A)
DNS lrstnagain.net (Type: A)
DNS lrstnpass.net (Type: A)
DNS viewpass.net (Type: A)
DNS lrstnsugar.net (Type: A)
DNS viewsugar.net (Type: A)
DNS lrstnstand.net (Type: A)
DNS viewstand.net (Type: A)
DNS plantagain.net (Type: A)
DNS fillagain.net (Type: A)
DNS fillpass.net (Type: A)
DNS plantsugar.net (Type: A)
DNS fillsugar.net (Type: A)
DNS fillstand.net (Type: A)
DNS senseagain.net (Type: A)
DNS learnagain.net (Type: A)
DNS sensepass.net (Type: A)
DNS learnpass.net (Type: A)
DNS sensesugar.net (Type: A)
DNS learnsugar.net (Type: A)
DNS sensestand.net (Type: A)
DNS learnstand.net (Type: A)
DNS toreagain.net (Type: A)
HTTP GET http://saltsecond.net/index.php?method=validate&mode=sox&v=034&sox=3ce5b800&lenhdr
User-Agent:
HTTP GET http://learncook.net/index.php?method=validate&mode=sox&v=034&sox=3ce5b800&lenhdr
User-Agent:
HTTP GET http://learnnext.net/index.php?method=validate&mode=sox&v=034&sox=3ce5b800&lenhdr
User-Agent:
HTTP GET http://fallcook.net/index.php?method=validate&mode=sox&v=034&sox=3ce5b800&lenhdr
User-Agent:
HTTP GET http://weektall.net/index.php?method=validate&mode=sox&v=034&sox=3ce5b800&lenhdr
User-Agent:
HTTP GET http://verycook.net/index.php?method=validate&mode=sox&v=034&sox=3ce5b800&lenhdr
User-Agent:
HTTP GET http://yourpass.net/index.php?method=validate&mode=sox&v=034&sox=3ce5b800&lenhdr
User-Agent:
HTTP GET http://viewagain.net/index.php?method=validate&mode=sox&v=034&sox=3ce5b800&lenhdr
User-Agent:
HTTP GET http://plantpass.net/index.php?method=validate&mode=sox&v=034&sox=3ce5b800&lenhdr
User-Agent:
HTTP GET http://plantstand.net/index.php?method=validate&mode=sox&v=034&sox=3ce5b800&lenhdr
User-Agent:
HTTP GET http://saltsecond.net/index.php?method=validate&mode=sox&v=034&sox=3ce5b800&lenhdr
User-Agent:
HTTP GET http://learncook.net/index.php?method=validate&mode=sox&v=034&sox=3ce5b800&lenhdr
User-Agent:
HTTP GET http://learnnext.net/index.php?method=validate&mode=sox&v=034&sox=3ce5b800&lenhdr
User-Agent:
HTTP GET http://fallcook.net/index.php?method=validate&mode=sox&v=034&sox=3ce5b800&lenhdr
User-Agent:
HTTP GET http://weektall.net/index.php?method=validate&mode=sox&v=034&sox=3ce5b800&lenhdr
User-Agent:
HTTP GET http://verycook.net/index.php?method=validate&mode=sox&v=034&sox=3ce5b800&lenhdr
User-Agent:
HTTP GET http://yourpass.net/index.php?method=validate&mode=sox&v=034&sox=3ce5b800&lenhdr
User-Agent:
HTTP GET http://viewagain.net/index.php?method=validate&mode=sox&v=034&sox=3ce5b800&lenhdr
User-Agent:
HTTP GET http://plantpass.net/index.php?method=validate&mode=sox&v=034&sox=3ce5b800&lenhdr
User-Agent:
HTTP GET http://plantstand.net/index.php?method=validate&mode=sox&v=034&sox=3ce5b800&lenhdr
User-Agent:
Flows TCP 192.168.1.1:1036 ➝ 74.220.199.6:80
Flows TCP 192.168.1.1:1037 ➝ 121.254.178.252:80
Flows TCP 192.168.1.1:1038 ➝ 216.21.239.197:80
Flows TCP 192.168.1.1:1039 ➝ 195.22.28.199:80
Flows TCP 192.168.1.1:1040 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1041 ➝ 68.64.161.187:80
Flows TCP 192.168.1.1:1043 ➝ 160.153.16.67:80
Flows TCP 192.168.1.1:1044 ➝ 208.91.197.27:80
Flows TCP 192.168.1.1:1045 ➝ 188.93.8.43:80
Flows TCP 192.168.1.1:1046 ➝ 72.52.4.119:80
Flows TCP 192.168.1.1:1047 ➝ 74.220.199.6:80
Flows TCP 192.168.1.1:1048 ➝ 121.254.178.252:80
Flows TCP 192.168.1.1:1049 ➝ 216.21.239.197:80
Flows TCP 192.168.1.1:1050 ➝ 195.22.28.199:80
Flows TCP 192.168.1.1:1051 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1052 ➝ 68.64.161.187:80
Flows TCP 192.168.1.1:1053 ➝ 160.153.16.67:80
Flows TCP 192.168.1.1:1054 ➝ 208.91.197.27:80
Flows TCP 192.168.1.1:1055 ➝ 188.93.8.43:80
Flows TCP 192.168.1.1:1056 ➝ 72.52.4.119:80