Analysis Date | 2015-10-15 11:43:35 |
---|---|
MD5 | 82eb279b92296d8daee06edda45acdda |
SHA1 | 2592a0a3d35c8ec69337611cbc879f771ce16adb |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: bf48f398c357bd9b259bb05ccb484472 sha1: c0502848701b5e731473f5e30ea0994c24723b3f size: 798720 | |
Section | .rdata md5: 8c103ed5751201b4b4a5f2e318f4ea16 sha1: 8471b664a0b84f60d223e76d57f11c1d30903a66 size: 59904 | |
Section | .data md5: 34bace0ebcdcb46063d45adcbb085e3c sha1: 61ba0234e8535d5b94b3b2ae97204b07f6501d42 size: 411648 | |
Timestamp | 2015-01-27 09:18:35 | |
Packer | Microsoft Visual C++ ?.? | |
PEhash | a3fee08660d33b1ce8bb8429e90a26c49354bd80 | |
IMPhash | fa4deecc6a2c62fd848575b932b8fc72 | |
AV | Rising | no_virus |
AV | CA (E-Trust Ino) | no_virus |
AV | F-Secure | Gen:Variant.Symmi.22722 |
AV | Dr. Web | Trojan.KillFiles.23474 |
AV | ClamAV | no_virus |
AV | Arcabit (arcavir) | Gen:Variant.Symmi.22722 |
AV | BullGuard | Gen:Variant.Symmi.22722 |
AV | Padvish | no_virus |
AV | VirusBlokAda (vba32) | no_virus |
AV | CAT (quickheal) | no_virus |
AV | Trend Micro | TROJ_WONTON.SMJ1 |
AV | Kaspersky | no_virus |
AV | Zillya! | no_virus |
AV | Emsisoft | Gen:Variant.Symmi.22722 |
AV | Ikarus | Trojan.Win32.Crypt |
AV | Frisk (f-prot) | no_virus |
AV | Authentium | W32/Nivdort.A.gen!Eldorado |
AV | MalwareBytes | Trojan.FakePDF |
AV | MicroWorld (escan) | Gen:Variant.Symmi.22722 |
AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.AE |
AV | K7 | Trojan ( 004cd0081 ) |
AV | BitDefender | Gen:Variant.Symmi.22722 |
AV | Fortinet | W32/Kryptik.DDQD!tr |
AV | Symantec | Downloader.Upatre!g15 |
AV | Grisoft (avg) | Win32/Cryptor |
AV | Eset (nod32) | Win32/Kryptik.DXVJ |
AV | Alwil (avast) | Kryptik-OOC [Trj] |
AV | Ad-Aware | Gen:Variant.Symmi.22722 |
AV | Twister | no_virus |
AV | Avira (antivir) | TR/Crypt.ZPACK.Gen8 |
AV | Mcafee | no_virus |
Runtime Details:
Process
↳ C:\malware.exe
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\cjslhx1ltlidfzygeiqltij.exe |
---|---|
Creates File | C:\WINDOWS\system32\klmuxmoiofumcle\tst |
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\cjslhx1ltlidfzygeiqltij.exe |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\cjslhx1ltlidfzygeiqltij.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Application Installer Logs ➝ C:\WINDOWS\system32\mxxqrhwvhr.exe |
---|---|
Creates File | C:\WINDOWS\system32\drivers\etc\hosts |
Creates File | C:\WINDOWS\system32\klmuxmoiofumcle\etc |
Creates File | C:\WINDOWS\system32\klmuxmoiofumcle\tst |
Creates File | C:\WINDOWS\system32\klmuxmoiofumcle\lck |
Creates File | C:\WINDOWS\system32\mxxqrhwvhr.exe |
Deletes File | C:\WINDOWS\system32\\drivers\etc\hosts |
Creates Process | C:\WINDOWS\system32\mxxqrhwvhr.exe |
Creates Service | Provider Proxy Manager WMI Defragmenter - C:\WINDOWS\system32\mxxqrhwvhr.exe |
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 804
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL |
---|---|
Creates File | PIPE\lsarpc |
Creates File | C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG |
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
Process
↳ Pid 1204
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
---|---|
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Creates File | WMIDataDevice |
Process
↳ Pid 1140
Process
↳ C:\WINDOWS\system32\mxxqrhwvhr.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1 |
---|---|
Creates File | C:\WINDOWS\system32\gypdgrqri.exe |
Creates File | C:\WINDOWS\system32\klmuxmoiofumcle\rng |
Creates File | pipe\net\NtControlPipe10 |
Creates File | C:\WINDOWS\system32\klmuxmoiofumcle\cfg |
Creates File | C:\WINDOWS\system32\klmuxmoiofumcle\tst |
Creates File | C:\WINDOWS\TEMP\cjslhx1s9didfzy.exe |
Creates File | C:\WINDOWS\system32\klmuxmoiofumcle\lck |
Creates File | C:\WINDOWS\system32\klmuxmoiofumcle\run |
Creates File | \Device\Afd\Endpoint |
Creates Process | C:\WINDOWS\TEMP\cjslhx1s9didfzy.exe -r 47487 tcp |
Creates Process | WATCHDOGPROC "c:\windows\system32\mxxqrhwvhr.exe" |
Process
↳ C:\WINDOWS\system32\mxxqrhwvhr.exe
Creates File | C:\WINDOWS\system32\klmuxmoiofumcle\tst |
---|---|
Process
↳ WATCHDOGPROC "c:\windows\system32\mxxqrhwvhr.exe"
Creates File | C:\WINDOWS\system32\klmuxmoiofumcle\tst |
---|---|
Process
↳ C:\WINDOWS\TEMP\cjslhx1s9didfzy.exe -r 47487 tcp
Creates File | \Device\Afd\Endpoint |
---|---|
Winsock DNS | 239.255.255.250 |
Network Details: