Analysis Date: 2015-10-04 17:12:54
MD5: 7d348d69cb293e6a2b5f963b30c83f6c
SHA1: 2da9995ca66f8ec71cf470f64a16c9af5b182dd1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Sections:
  .text   md5: cd781a8953c7676282846381cd2f585c sha1: 22f10b05e90eaea967ba788796f1e6ce4b73d378 size: 77824
  .rdata  md5: dbe3d8a97dd41fedeb789ce523313154 sha1: f347e9bbe75ada069ea44ea6a9fabc7ff44be2d0 size: 10752
  .data   md5: 85944440aeb876fb61376fe6deecc22e sha1: d6e2609778c76452bf1d49b91cc1b29276cb0dbe size: 7168
  .rsrc   md5: 201eea47f80f1ae976788ff5ac6d1358 sha1: a45169d7935615976270e9e99d9121379f79fd06 size: 573440
  .reloc  md5: 80c647c743816381d171b5fa4470220e sha1: 04d0ffdb1981465f880a46d5e03e266734136eaf size: 6656
  The .rsrc section is by far the largest (573440 of about 660 KB of section data). Embedded payloads are commonly stored as resources, which would fit the dropper verdicts below and the DLLs and drivers written at runtime; confirming that needs a look at the resource directory, which this report does not include.
Timestamp: 2015-09-10 04:33:04 (PE header compile time; the FileVersion field below appears to encode the same date)
Pdb path: G:\Working\SVN\vc\XP2P\NP2P\Release\NP2P.pdb
Version resource:
  LegalCopyright: Copyright (C) 2015
  InternalName: NP2P
  FileVersion: 1, 1, 15, 910
  ProductName: NP2P Application (original string: NP2P 应用程序)
  ProductVersion: 1, 1, 15, 910
  FileDescription: NP2P Application (original string: NP2P 应用程序)
  OriginalFilename: NP2P.exe
Packer: Microsoft Visual C++ ?.? (this is a compiler signature match, not a packer; the binary does not appear to be packed)
PEhash: d9dbc2059b107429c97c6af6a4c33d13f0e39ac9
IMPhash: 1f1e457af2c3479681d26d73af8e0de1
AV results (11 of 31 engines flag the sample; "no_virus" is the sandbox's value for no detection):
  CA (E-Trust Ino): no_virus
  F-Secure: no_virus
  Dr. Web: Trojan.DownLoader16.35178
  ClamAV: no_virus
  Arcabit (arcavir): no_virus
  BullGuard: no_virus
  Padvish: no_virus
  VirusBlokAda (vba32): BScope.Trojan.SvcHorse.01643
  CAT (quickheal): no_virus
  Trend Micro: no_virus
  Kaspersky: Trojan-Dropper.Win32.Injector.njmc
  Zillya!: no_virus
  Emsisoft: no_virus
  Ikarus: Trojan.Backdoor.PoisonIvy
  Frisk (f-prot): W32/Downloader.C.gen!Eldorado
  Authentium: W32/Downloader.C.gen!Eldorado
  MalwareBytes: no_virus
  MicroWorld (escan): no_virus
  Microsoft Security Essentials: no_virus
  K7: Riskware ( 0040eff71 )
  BitDefender: no_virus
  Fortinet: W32/Injector.NJMC!tr
  Symantec: no_virus
  Grisoft (avg): BackDoor.PoisonIvy.AT.dropper
  Eset (nod32): no_virus
  Alwil (avast): Malware-gen:Win32:Malware-gen
  Ad-Aware: no_virus
  Twister: no_virus
  Avira (antivir): TR/Hijacker.Gen
  Mcafee: no_virus
  Rising: no_virus
  The names disagree (downloader, dropper, injector, PoisonIvy backdoor, riskware); only Kaspersky and Fortinet share a family name (Injector.njmc). Treat the verdicts as weak evidence and rely on the runtime behaviour below.

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\mczdeYc\u6K2Exz.dll
Creates File: C:\WINDOWS\system32\drivers\xtfilemon.inf
Creates File: \Device\Afd\AsyncConnectHlp (Winsock AFD handle used for an outbound connect; not a file on disk)
Creates File: C:\WINDOWS\zvHsQ68.sys
Creates File: C:\WINDOWS\mczdeYc\cNH0Cu1.dll
Creates File: C:\WINDOWS\SBYQDLP\sccon0987.txt
Creates File: C:\WINDOWS\system32\drivers\xtfilemon.sys
Creates File: C:\WINDOWS\system32\drivers\blackList.base
Creates File: \Device\Afd\Endpoint (Winsock socket handle; not a file on disk)
Deletes File: C:/WINDOWS/zvHsQ68.sys
Creates Process: C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/mczdeYc/cNH0Cu1.dll,DllLoad dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDcxIHBhcmFtOg==
  (the base64 argument decodes to "type:p2p path: funcname:@71 param:")
Creates Process: net start xtfilemon
Creates Process: c:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf
Creates Process: C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/mczdeYc/cNH0Cu1.dll,DllLoadX dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDc1IHBhcmFtOg==
  (the base64 argument decodes to "type:p2p path: funcname:@75 param:")
Creates Process: c:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf
Creates Mutex: XROMain
Creates Service: w8brh - C:/WINDOWS/zvHsQ68.sys
Winsock URL: http://cdn.p2ptool.com/p2p/black.txt

Summary of this process: the dropper writes two DLLs into a directory under C:\WINDOWS, two kernel drivers (zvHsQ68.sys, registered as service w8brh and also deleted from disk during the run; xtfilemon.sys, installed through its own INF with the standard "rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall" invocation, run twice, then started with "net start"), and a blackList.base data file next to the driver. The dropped DLL is invoked through rundll32 by export name with a base64-encoded parameter string. The directory and file names mczdeYc, u6K2Exz.dll, cNH0Cu1.dll, SBYQDLP and zvHsQ68.sys look generated and will probably differ between runs; the service names, the XROMain mutex, the xtfilemon INF/driver names, blackList.base and the URL are the stable indicators.
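As an added example (not part of the sandbox report or of the sample), the following Python turns the label-fused lines of the process block above into indicators and decodes the base64 argument passed to the dropped DLL. REPORT_LINES is a copy of this process block; every function name and the output layout are mine, and the "transient file" logic (created and later deleted) is an assumption about what is worth surfacing, not something the report states.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed excerpt: the "Creates ..." lines of the top-level process block,
# copied from the report. The sandbox prints label and value with no separator.
REPORT_LINES = r"""
Creates FileC:\WINDOWS\mczdeYc\u6K2Exz.dll
Creates FileC:\WINDOWS\system32\drivers\xtfilemon.inf
Creates File\Device\Afd\AsyncConnectHlp
Creates FileC:\WINDOWS\zvHsQ68.sys
Creates FileC:\WINDOWS\mczdeYc\cNH0Cu1.dll
Creates FileC:\WINDOWS\SBYQDLP\sccon0987.txt
Creates FileC:\WINDOWS\system32\drivers\xtfilemon.sys
Creates FileC:\WINDOWS\system32\drivers\blackList.base
Creates File\Device\Afd\Endpoint
Deletes FileC:/WINDOWS/zvHsQ68.sys
Creates ProcessC:/WINDOWS/system32/rundll32.exe C:/WINDOWS/mczdeYc/cNH0Cu1.dll,DllLoad dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDcxIHBhcmFtOg==
Creates Processnet start xtfilemon
Creates Processc:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf
Creates ProcessC:/WINDOWS/system32/rundll32.exe C:/WINDOWS/mczdeYc/cNH0Cu1.dll,DllLoadX dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDc1IHBhcmFtOg==
Creates MutexXROMain
Creates Servicew8brh - C:/WINDOWS/zvHsQ68.sys
Winsock URLhttp://cdn.p2ptool.com/p2p/black.txt
"""

# Known label prefixes; the value is whatever follows them on the line.
LABEL_RE = re.compile(
    r"^(Creates File|Deletes File|Creates Process|Creates Mutex|"
    r"Creates Service|Winsock URL|Winsock DNS)(.*)$"
)
# rundll32 <dll>,<export> <first argument>
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(\S+?),(\w+)\s+(\S+)", re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def normalize_path(path):
    """The sandbox mixes '/' and '\\' for the same file; fold to one form."""
    return path.replace("/", "\\").lower()


def parse_report(text):
    """Yield (label, value) pairs from the label-fused report lines."""
    for line in text.strip().splitlines():
        m = LABEL_RE.match(line)
        if m:
            yield m.group(1), m.group(2).strip()


def decode_rundll32_args(cmdline):
    """Split a rundll32 command line; decode the argument if it is base64."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    dll, export, arg = m.groups()
    decoded = None
    if B64_RE.match(arg) and len(arg) % 4 == 0:
        try:
            decoded = base64.b64decode(arg, validate=True).decode("utf-8", "replace")
        except binascii.Error:
            pass
    return {"dll": dll, "export": export, "arg": arg, "decoded": decoded}


def extract_iocs(text):
    """Collect host-based and network indicators from the report excerpt."""
    created, deleted, mutexes, urls, rundll = [], [], [], [], []
    services = {}
    for label, value in parse_report(text):
        if label == "Creates File":
            # \Device\Afd\* entries are Winsock socket handles, not files on disk
            if not value.startswith("\\Device\\"):
                created.append(value)
        elif label == "Deletes File":
            deleted.append(value)
        elif label == "Creates Mutex":
            mutexes.append(value)
        elif label == "Creates Service":
            name, _, image = value.partition(" - ")
            services[name] = image
        elif label == "Winsock URL":
            urls.append(value)
        elif label == "Creates Process":
            info = decode_rundll32_args(value)
            if info:
                rundll.append(info)
    gone = {normalize_path(d) for d in deleted}
    return {
        "files": created,
        # dropped and then removed: here the driver image behind service w8brh
        "transient_files": [f for f in created if normalize_path(f) in gone],
        "mutexes": mutexes,
        "services": services,
        "urls": urls,
        "hosts": sorted({urlparse(u).hostname for u in urls}),
        "rundll32": rundll,
    }


if __name__ == "__main__":
    for key, val in extract_iocs(REPORT_LINES).items():
        print(key, val)
```

The same parser works on the other process blocks of the report; the only adaptation needed for a different sandbox is the LABEL_RE prefix list.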

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: \Device\Afd\Endpoint

Process
↳ Pid 812 (no activity recorded)

Process
↳ Pid 856 (no activity recorded)

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212 (no activity recorded)

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1876 (no activity recorded)

Process
↳ Pid 1172 (no activity recorded)

The svchost.exe (WMI service) and spoolsv.exe entries above are routine system-process activity picked up by the sandbox hooks; nothing in them is specific to the sample, and the Pid-only entries carry no events at all.

Process
↳ C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/mczdeYc/cNH0Cu1.dll,DllLoad dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDcxIHBhcmFtOg==

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: M2ProcProt
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: XMX_XP2P_YT_3275
Creates Mutex: XROMain
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: np2p.soomeng.com

The proxy-setting reads, the index.dat files, the "c:!documents and settings!...!" mutexes and WininetConnectionMutex are WinInet's own initialisation, so the DLL does its HTTP through WinInet (the request to np2p.soomeng.com in the network section). XMX_XP2P_YT_3275 and XROMain are the sample's own mutexes; XP2P also appears in the PDB path. "M2ProcProt" is opened with a file-create call but has no drive letter or \Device prefix, so it is most likely a named device or object exposed by one of the dropped drivers; the report does not say which.

Process
↳ C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/mczdeYc/cNH0Cu1.dll,DllLoadX dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDc1IHBhcmFtOg==
  (no further activity recorded for this process)

Process
↳ c:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\xtfilemon\DebugFlags ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv ➝ grpconv -o\\x00
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\GroupOrderList\FSFilter Activity Monitor ➝ NULL
Creates Process: runonce -r
Creates Mutex: ZonesLockedCacheCounterMutex
Creates Mutex: ZonesCounterMutex
Creates Mutex: ZonesCacheCounterMutex
Creates Service: xtfilemon - system32\DRIVERS\xtfilemon.sys

This is the INF being processed: it registers the driver as service xtfilemon with image system32\DRIVERS\xtfilemon.sys and places it in the "FSFilter Activity Monitor" load-order group, one of the file-system filter groups, so xtfilemon.sys is a file-system filter (the report does not show whether it is a minifilter with an altitude or a legacy filter). The RunOnce\GrpConv value, the "runonce -r" child and the grpconv.exe run below are standard side-effects of a syssetup INF install and not specific to this sample.

Process
↳ c:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf
  (second invocation; no service or registry events were recorded for it)

Creates File: PIPE\lsarpc

Process
↳ net start xtfilemon

Creates Process: net1 start xtfilemon

Process
↳ runonce -r

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates Process: "C:\WINDOWS\system32\grpconv.exe" -o

Process
↳ net1 start xtfilemon

Starts Service: xtfilemon

Process
↳ "C:\WINDOWS\system32\grpconv.exe" -o

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GrpConv\Log ➝ Init Application.\\x00

Network Details:

DNS (A records as logged; the 1st.ecoma.ourwebpic.com answer set was returned twice and is listed once):
  www.a.shifen.com         103.235.46.39    (CNAME target of www.baidu.com)
  so.qh-lb.com             106.120.160.134  (CNAME target of www.so.com)
  1st.ecoma.ourwebpic.com  8.37.235.5, 8.37.235.6, 8.37.236.2, 8.37.236.3, 8.37.236.5, 8.37.236.6, 8.37.231.20, 8.37.231.21, 8.37.231.22, 8.37.234.3, 8.37.234.4, 8.37.235.3
  www.baidu.com            query only, no answer recorded
  www.so.com               query only, no answer recorded
  np2p.soomeng.com         query only, no answer recorded
  cdn.p2ptool.com          query only, no answer recorded

HTTP GET http://cdn.p2ptool.com/p2p/black.txt
  User-Agent: Test
HTTP GET http://np2p.soomeng.com/bmy/?usr=yahoo198852.1&mac=XXXXXXXXXXXX&ver=1.1.15.910
  User-Agent: Test

Flows TCP:
  192.168.1.1:1031 ➝ 106.120.160.134:80  (so.qh-lb.com)
  192.168.1.1:1035 ➝ 8.37.235.5:80       (1st.ecoma.ourwebpic.com)
  192.168.1.1:1034 ➝ 8.37.235.5:80       (1st.ecoma.ourwebpic.com)

Reading the network data: the two HTTP requests are the ones that matter. The black.txt fetch from cdn.p2ptool.com pairs with the blackList.base file the dropper writes into the drivers directory, and the np2p.soomeng.com request is a check-in carrying an identifier (usr=yahoo198852.1, presumably an affiliate or campaign tag), the host's MAC address (masked by the sandbox) and the build number, which matches the FileVersion 1.1.15.910 in the version resource. The User-Agent value "Test" is a cheap network indicator. Neither of the sample's own hosts received an A record and no TCP flow to either was captured, so those requests were recorded at the API hook and most likely never completed during the run; the only completed connections go to the Baidu and so.com CNAME targets and to 1st.ecoma.ourwebpic.com, whose role the report does not establish.
