Analysis Date: 2016-02-15 18:23:30
MD5: 2ca2ae83c20b894ac01dcd05ff432891
SHA1: 2ad063ee4d56b3d42b6ec386fa9f950c9824c72a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 06ab5d461936341874ecb390358c9cb4 sha1: 0060415bdb3761f7a2d44bdda1ad68bbccf0a404 size: 334336
Section .rdata: md5: f1b0c42b3adcf22f1562e536f731f00b sha1: 94a9de24876c7590fe05c1b84688a6eae38f9d24 size: 153088
Section .data: md5: c5d6d1f41e0e61ca29ecd361bdcb1562 sha1: 0e1c62186739a7b38cbad066f74f7cf0abe560a5 size: 26624
Section .rsrc: md5: 0c89dec9d983c286b92ff91b6e7655af sha1: 479d16834e8abd043b90b062855e032b0a3c09d0 size: 2239488
Timestamp: 1970-01-01 08:24:35 (TimeDateStamp at the Unix epoch: zeroed or forged, not a real build time)
Pdb path: C:\Bin\setup.pdb
Version:
  LegalCopyright: Copyright ? 2013
  FileVersion: 3, 15, 9, 216
  CompanyName: MICROSOFT
  ProductName: sunshine
  ProductVersion: 1, 0, 0, 2
  OriginalFilename: tomgo
Packer: Microsoft Visual C++ ?.?
PEhash: e278fa0be89bfbe7e98218f355c8d62bbc8acc89
IMPhash: 5f183cf8d571f9e14eed0cddfa97d0e0
AV detections (vendor: result):
CA (E-Trust Ino): Gen:Variant.Zusy.118140
Rising: Trojan.Win32.Zzinfor.f
Mcafee: GenericR-FZQ!2CA2AE83C20B
Avira (antivir): TR/Downloader.Gen7
Twister: No Virus
Ad-Aware: Gen:Variant.Zusy.118140
Alwil (avast): Win32:Trojan-gen
Eset (nod32): No Virus
Grisoft (avg): Win32/DH{ZxMlKA?}
Symantec: No Virus
Fortinet: W32/Daws.DTDJ!tr
BitDefender: Gen:Variant.Zusy.118140
K7: Adware ( 004b8cd41 )
Microsoft Security Essentials: Trojan:Win32/Rofin.B
MicroWorld (escan): Gen:Variant.Zusy.118140
MalwareBytes: No Virus
Authentium: W32/Trojan.RIYT-3285
Emsisoft: Gen:Variant.Zusy.118140
Frisk (f-prot): W32/SYStroj.N.gen!Eldorado
Ikarus: PUA.Zzinfor
Zillya!: Trojan.Zzinfor.Win32.119
Kaspersky: Trojan-Dropper.Win32.Daws.dtdj
Trend Micro: BKDR_IXESHE.SML
VirusBlokAda (vba32): BScope.Malware-Cryptor.NSAnti.Gen.1
CAT (quickheal): Trojan.Skeeyah.017639
BullGuard: Gen:Variant.Zusy.118140
Arcabit (arcavir): Trojan.Generic.14934268
ClamAV: Win.Trojan.Ascii.115_238_251_56-1
Dr. Web: Trojan.Rootkit.15975
F-Secure: Gen:Variant.Zusy.118140
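Added example (not code from the report or from the sandbox that produced it): a small triage script over the static fields listed above. The section lines and timestamp are the report's own; the two thresholds (resource ratio above one half, timestamp within 30 days of the epoch) are assumptions chosen for illustration. The point it makes is that .rsrc holds over 80% of the image, which fits the dropper behaviour recorded below (four files and two drivers written out at runtime), and that a 1970 compile timestamp is a zeroed or forged TimeDateStamp rather than a build date.

```python
"""Static-metadata triage for the PE described in the Static Details above.

Added example, not code from the original report or the sandbox that produced it.
The section lines, timestamp and analysis date are copied from the report; the
thresholds RSRC_RATIO_MAX and EPOCH_SLACK_DAYS are assumptions for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Lines as printed in the Static Details (the regex also accepts the
# unspaced "Section.text md5:" form some report renderers emit).
SECTION_LINES = [
    "Section .text: md5: 06ab5d461936341874ecb390358c9cb4 sha1: 0060415bdb3761f7a2d44bdda1ad68bbccf0a404 size: 334336",
    "Section .rdata: md5: f1b0c42b3adcf22f1562e536f731f00b sha1: 94a9de24876c7590fe05c1b84688a6eae38f9d24 size: 153088",
    "Section .data: md5: c5d6d1f41e0e61ca29ecd361bdcb1562 sha1: 0e1c62186739a7b38cbad066f74f7cf0abe560a5 size: 26624",
    "Section .rsrc: md5: 0c89dec9d983c286b92ff91b6e7655af sha1: 479d16834e8abd043b90b062855e032b0a3c09d0 size: 2239488",
]
TIMESTAMP = "1970-01-01 08:24:35"      # PE TimeDateStamp as rendered by the sandbox
ANALYSIS_DATE = "2016-02-15 18:23:30"

RSRC_RATIO_MAX = 0.5     # assumption: resources above half the image suggest embedded payloads
EPOCH_SLACK_DAYS = 30    # assumption: anything this close to 1970-01-01 is a zeroed/forged stamp

SECTION_RE = re.compile(
    r"^Section\s*(?P<name>\.\w+):?\s+md5:\s*(?P<md5>[0-9a-fA-F]{32})"
    r"\s+sha1:\s*(?P<sha1>[0-9a-fA-F]{40})\s+size:\s*(?P<size>\d+)\s*$"
)


def parse_sections(lines):
    """Turn the report's section lines into dicts with an integer size."""
    sections = []
    for line in lines:
        m = SECTION_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised section line: {line!r}")
        d = m.groupdict()
        d["size"] = int(d["size"])
        sections.append(d)
    return sections


def resource_ratio(sections):
    """Fraction of all section bytes that live in .rsrc."""
    total = sum(s["size"] for s in sections)
    rsrc = sum(s["size"] for s in sections if s["name"].lower() == ".rsrc")
    return rsrc / total if total else 0.0


def _parse_ts(text):
    # The sandbox prints local time without a zone; treating it as UTC is an
    # assumption that only matters at the day granularity used below.
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def timestamp_problem(timestamp, analysis_date):
    """Return a reason string when the compile timestamp cannot be a real build time, else None."""
    ts = _parse_ts(timestamp)
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    if ts - epoch < timedelta(days=EPOCH_SLACK_DAYS):
        return "TimeDateStamp at the Unix epoch (zeroed or forged)"
    if ts > _parse_ts(analysis_date):
        return "TimeDateStamp is later than the analysis date (forged)"
    return None


def triage(section_lines=SECTION_LINES, timestamp=TIMESTAMP, analysis_date=ANALYSIS_DATE):
    """Collect the static red flags a reviewer would want to see first."""
    flags = []
    sections = parse_sections(section_lines)
    ratio = resource_ratio(sections)
    if ratio > RSRC_RATIO_MAX:
        flags.append(f".rsrc holds {ratio:.0%} of section bytes: probable embedded droppee(s)")
    reason = timestamp_problem(timestamp, analysis_date)
    if reason:
        flags.append(reason)
    return flags


if __name__ == "__main__":
    for flag in triage():
        print("-", flag)
```

The version block (CompanyName MICROSOFT beside ProductName sunshine and OriginalFilename tomgo) is left out of the scoring on purpose: it is obviously inconsistent, but the report records no Authenticode status, so a signature check against the claimed vendor cannot be written from what the page shows.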

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\123\AddShExe ➝ NULL
Registry: HKEY_CLASSES_ROOT\Microsoft.IE\ ➝ C:\tabs.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonZoneCrossing ➝ NULL
Creates File: C:\DProEx.sys
Creates File: C:\configWord.cf
Creates File: C:\reTcp.sys
Creates File: DProEx
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\config.ini
Creates File: C:\Windows\System32\clk.ini
Creates File: C:\WINDOWS\he1p
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: FixTool
Creates File: C:\tabs.exe
Creates File: C:\Windows\System32\cBLK.dll
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Service: DProEx.sys - C:\DProEx.sys
Creates Service: reTcp.sys - C:\reTcp.sys
Starts Service: DProEx
Starts Service: FixTool
Winsock URL: http://ad.zzinfor.cn/static/hotkey.txt

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf

Process
↳ Pid 1104

Process
↳ Pid 1204

Process
↳ Pid 1312

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ Pid 452

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\NetCache\AdminPinStartTime ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing ➝ NULL
Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL
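Added example (not code from the report or the sandbox): the runtime indicators from C:\malware.exe above turned into a host-side matcher. The strongest of them are the two kernel drivers dropped into the root of C:\ and registered as services (DProEx.sys, reTcp.sys), the DLL written to System32 (cBLK.dll), the HKCR\Microsoft.IE\ value pointing at C:\tabs.exe, and the path C:\WINDOWS\he1p, which spells "help" with a digit 1. The indicator values are taken from the report; the JSON event lines the matcher runs over are constructed to resemble what a Sysmon or EDR pipeline emits and are not from the sandbox run.

```python
"""Host-side detection for the runtime indicators listed above.

Added example, not code from the original report or the sandbox. The indicator
values are taken from the Runtime Details; the event records below are
constructed to look like the fields a Sysmon/EDR pipeline would emit and are not
from the sandbox run.
"""
import json
import re

# Indicators lifted from the Runtime Details. Paths compare case-insensitively
# because NTFS does; registry hives are normalised to their short names.
IOC = {
    "services": {"dproex", "retcp", "fixtool"},
    "files": {
        r"c:\dproex.sys", r"c:\retcp.sys", r"c:\tabs.exe", r"c:\configword.cf",
        r"c:\config.ini", r"c:\windows\system32\clk.ini",
        r"c:\windows\system32\cblk.dll", r"c:\windows\he1p",   # 'he1p' with a digit 1, as dropped
    },
    "registry": {
        r"hklm\software\123\addshexe",
        r"hkcr\microsoft.ie",
        r"hkcu\software\microsoft\windows\currentversion\internet settings\warnonzonecrossing",
    },
    "domains": {"ad.zzinfor.cn", "1st.ecoma.ourwebpic.com"},
}

HIVE_ALIASES = {
    "hkey_local_machine": "hklm", "hkey_current_user": "hkcu",
    "hkey_classes_root": "hkcr", "hkey_users": "hku",
}


def norm_path(p):
    return p.strip().lower().replace("/", "\\").rstrip("\\")


def norm_regkey(k):
    k = norm_path(k)
    hive, sep, rest = k.partition("\\")
    return HIVE_ALIASES.get(hive, hive) + sep + rest


def service_name(value):
    """'DProEx.sys' and 'DProEx' name the same service; compare on the stem."""
    return re.sub(r"\.sys$", "", value.strip().lower())


def match_event(ev):
    """Return the indicator an event hits as (kind, raw value), or None."""
    kind = ev.get("event")
    if kind == "service_install":
        if service_name(ev.get("name", "")) in IOC["services"]:
            return ("service", ev["name"])
        if norm_path(ev.get("image", "")) in IOC["files"]:
            return ("file", ev["image"])
    elif kind == "file_create":
        if norm_path(ev.get("path", "")) in IOC["files"]:
            return ("file", ev["path"])
    elif kind == "registry_set":
        key = norm_regkey(ev.get("key", ""))
        # match the key itself or any value directly under an indicator key
        if key in IOC["registry"] or key.rpartition("\\")[0] in IOC["registry"]:
            return ("registry", ev["key"])
    elif kind == "dns_query":
        if ev.get("name", "").strip().lower().rstrip(".") in IOC["domains"]:
            return ("domain", ev["name"])
    return None


def scan(lines):
    """Run every JSON event line through the matcher; return (hit, event) pairs."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        hit = match_event(ev)
        if hit:
            hits.append((hit, ev))
    return hits


# Constructed sample events (not from the sandbox run): four true hits, one
# same-name-different-path decoy (tabs.exe in Downloads), and benign noise.
SAMPLE_EVENTS = r"""
{"event": "service_install", "name": "DProEx", "image": "C:\\DProEx.sys", "host": "ws01"}
{"event": "file_create", "path": "C:\\Windows\\System32\\cBLK.dll", "host": "ws01"}
{"event": "file_create", "path": "C:\\Users\\bob\\Downloads\\tabs.exe", "host": "ws01"}
{"event": "registry_set", "key": "HKEY_CLASSES_ROOT\\Microsoft.IE\\", "value": "C:\\tabs.exe", "host": "ws01"}
{"event": "dns_query", "name": "AD.ZZINFOR.CN.", "host": "ws01"}
{"event": "dns_query", "name": "www.microsoft.com", "host": "ws01"}
{"event": "service_install", "name": "Spooler", "image": "C:\\Windows\\System32\\spoolsv.exe", "host": "ws01"}
""".splitlines()

if __name__ == "__main__":
    for hit, ev in scan(SAMPLE_EVENTS):
        print(f"{hit[0]:8} {hit[1]!r:50} host={ev['host']}")
```

The file names alone are weak evidence (tabs.exe or config.ini in another directory proves nothing, which is why the decoy does not fire); a driver service whose image sits in the root of C:\ is the indicator worth alerting on regardless of name.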

Network Details:

DNS: 1st.ecoma.ourwebpic.com (Type: A) ➝ 220.243.230.17
DNS: ad.zzinfor.cn (Type: A) ➝ (no answer recorded in the report)
HTTP GET: http://ad.zzinfor.cn/static/hotkey.txt
User-Agent: (none; the request carries a Host header only, see the raw capture below)
Flows TCP: 192.168.1.1:1031 ➝ 220.243.230.17:80 (the only flow; the address is the one returned for 1st.ecoma.ourwebpic.com)

Raw Pcap
0x00000000 (00000)   47455420 2f737461 7469632f 686f746b   GET /static/hotk
0x00000010 (00016)   65792e74 78742048 5454502f 312e310d   ey.txt HTTP/1.1.
0x00000020 (00032)   0a486f73 743a2061 642e7a7a 696e666f   .Host: ad.zzinfo
0x00000030 (00048)   722e636e 0d0a0d0a                     r.cn....
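Added example (not code from the report or the sandbox): decoding the hex dump above back into bytes and parsing the HTTP request it contains. The four dump lines are copied from the report; the assumed layout (hex offset, decimal offset in parentheses, up to four 32-bit groups, then an ASCII column) is inferred from those lines only. The decoded request is 56 bytes with a single Host header, which is why the report's User-Agent field is empty and is itself a usable network signature: no browser sends HTTP/1.1 with Host alone.

```python
"""Decode the 'Raw Pcap' hex dump above back into the HTTP request it shows.

Added example, not code from the original report or the sandbox. RAW_DUMP is the
dump copied from the report; the dump layout (offset, decimal offset in
parentheses, up to four 32-bit hex groups, ASCII column) is an assumption based
on those four lines.
"""
import re

RAW_DUMP = """\
0x00000000 (00000)   47455420 2f737461 7469632f 686f746b   GET /static/hotk
0x00000010 (00016)   65792e74 78742048 5454502f 312e310d   ey.txt HTTP/1.1.
0x00000020 (00032)   0a486f73 743a2061 642e7a7a 696e666f   .Host: ad.zzinfo
0x00000030 (00048)   722e636e 0d0a0d0a                     r.cn....
"""

LINE_RE = re.compile(r"^0x(?P<off>[0-9a-fA-F]{8})\s+\((?P<dec>\d+)\)\s+(?P<rest>.*)$")
HEX_GROUP = re.compile(r"^(?:[0-9a-fA-F]{2}){1,4}$")   # 1..4 bytes per group


def decode_dump(dump):
    """Reassemble the bytes; verify each line starts where the previous one ended."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"not a dump line: {line!r}")
        if int(m["off"], 16) != len(out) or int(m["dec"]) != len(out):
            raise ValueError(f"offset gap at {line!r}")
        for tok in m["rest"].split():
            # The ASCII column follows the hex groups; stop at the first token
            # that is not an even-length hex group. An ASCII run such as
            # 'deadbeef' would fool this; the offset check above catches the
            # resulting length mismatch on the next line.
            if not HEX_GROUP.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def parse_http_request(raw):
    """Split a request head into method, target, version and a header dict."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head not terminated")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def beacon_indicators(req):
    """Traits of this request that a browser would not produce."""
    reasons = []
    h = req["headers"]
    if "user-agent" not in h:
        reasons.append("no User-Agent header")
    if req["version"] == "HTTP/1.1" and set(h) == {"host"}:
        reasons.append("HTTP/1.1 with Host as the only header")
    if req["target"].endswith(".txt"):
        reasons.append("fetches a bare .txt resource (tasking/config file pattern)")
    return reasons


if __name__ == "__main__":
    req = parse_http_request(decode_dump(RAW_DUMP))
    print(req["method"], req["target"], req["version"], req["headers"])
    for r in beacon_indicators(req):
        print("-", r)
```

Only the request is captured here; the report records no response, so nothing can be said about what hotkey.txt contained.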


Strings