Analysis Date: 2015-10-11 14:38:29
MD5: 059bbe17b4eae7a57e97c18fbdaca84e
SHA1: 3646cd3c28d3204a720e48b90666dd164ffb3897

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: cd781a8953c7676282846381cd2f585c sha1: 22f10b05e90eaea967ba788796f1e6ce4b73d378 size: 77824
Section .rdata md5: 5321f71f8af0ca1222a608662508cafa sha1: 23027380f2a6d033ff91f6b3df74aacf02f0af67 size: 10752
Section .data  md5: 85944440aeb876fb61376fe6deecc22e sha1: d6e2609778c76452bf1d49b91cc1b29276cb0dbe size: 7168
Section .rsrc  md5: 7f60a59ceae6259136fbde92e40860ee sha1: aac5cdfab7fbf7f0f40f27a3edc8ff42849b6e3e size: 568832
Section .reloc md5: f5d3c5adf2b02717f5bd5ebdf00c4399 sha1: fd8718c3a526965e6708bd1c5384f777082dceb9 size: 6144
Timestamp: 2015-09-09 06:34:44
Pdb path: G:\Working\SVN\vc\XP2P\NP2P\Release\NP2P.pdb
Version info:
  LegalCopyright: Copyright (C) 2015
  InternalName: NP2P
  FileVersion: 1, 1, 15, 9093
  ProductName: NP2P Application (original string: NP2P 应用程序)
  ProductVersion: 1, 1, 15, 9093
  FileDescription: NP2P Application (original string: NP2P 应用程序)
  OriginalFilename: NP2P.exe
Packer: Microsoft Visual C++ ?.? (compiler signature; version not identified)
PEhash: e3817987d47fba62b885de376a816660f408521c
IMPhash: 1f1e457af2c3479681d26d73af8e0de1
AV results (19 of 31 engines flagged the sample):
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV VirusBlokAda (vba32): BScope.Trojan.SvcHorse.01643
AV Microsoft Security Essentials: no_virus
AV F-Secure: Gen:Variant.Mikey.25035
AV Avira (antivir): TR/Hijacker.Gen
AV Arcabit (arcavir): Gen:Variant.Mikey.25035:Trojan.GenericKD.2767046
AV Symantec: no_virus
AV McAfee: no_virus
AV Fortinet: W32/Injector.NKKR!tr
AV MicroWorld (escan): Gen:Variant.Mikey.25035
AV Kaspersky: Trojan-Dropper.Win32.Injector.nkkr
AV Frisk (f-prot): W32/Downloader.C.gen!Eldorado
AV MalwareBytes: no_virus
AV BitDefender: Gen:Variant.Mikey.25035
AV Eset (nod32): no_virus
AV Authentium: W32/Downloader.C.gen!Eldorado
AV Ad-Aware: Gen:Variant.Mikey.25035
AV Dr. Web: Trojan.DownLoader16.35178
AV Emsisoft: Gen:Variant.Mikey.25035
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Zillya!: Dropper.Injector.Win32.71450
AV Trend Micro: no_virus
AV Padvish: no_virus
AV Grisoft (avg): BackDoor.PoisonIvy.AT.dropper
AV CA (E-Trust Ino): no_virus
AV K7: Riskware ( 0040eff71 )
AV Ikarus: Trojan.Backdoor.PoisonIvy
AV Rising: no_virus
AV Twister: no_virus
AV BullGuard: Gen:Variant.Mikey.25035

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\drivers\xtfilemon.inf
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\WINDOWS\y8k0P50\q3oUnka.dll
Creates File: C:\WINDOWS\SBYQDLP\sccon0987.txt
Creates File: C:\WINDOWS\system32\drivers\xtfilemon.sys
Creates File: C:\jSZRtx0.sys
Creates File: C:\WINDOWS\system32\drivers\blackList.base
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\y8k0P50\ebES2Ft.dll
Deletes File: C:\jSZRtx0.sys
Creates Process: C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/y8k0P50/q3oUnka.dll,DllLoadX dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDc1IHBhcmFtOg==
Creates Process: net start xtfilemon
Creates Process: C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/y8k0P50/q3oUnka.dll,DllLoad dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDcxIHBhcmFtOg==
Creates Process: c:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf
Creates Process: c:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf
Creates Mutex: XROMain
Creates Service: nOzib - C:\jSZRtx0.sys
Winsock URL: http://cdn.p2ptool.com/p2p/black.txt
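
The process tree above shows two things worth pulling out of the command lines: the dropped DLL is loaded through rundll32 from a non-system directory with a base64 argument, and a driver is installed by invoking syssetup's SetupInfObjectInstallAction on an .inf file. The base64 arguments decode to "type:p2p path: funcname:@75 param:" (DllLoadX) and "type:p2p path: funcname:@71 param:" (DllLoad). The following Python is an added example, not part of the sandbox report: it runs three simple heuristics over the "Creates Process" lines recorded here (reproduced as constructed input, plus one benign-looking rundll32 line for contrast), decodes any base64 argument it finds and splits it into key:value fields. The heuristic names and the system-directory whitelist are this example's own assumptions.

```python
import base64
import binascii
import re

# Constructed input: the "Creates Process" command lines recorded in this report,
# plus one benign-looking rundll32 line (the last one) added for contrast.
SAMPLE_PROCESS_LINES = [
    "C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/y8k0P50/q3oUnka.dll,DllLoadX "
    "dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDc1IHBhcmFtOg==",
    "net start xtfilemon",
    "C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/y8k0P50/q3oUnka.dll,DllLoad "
    "dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDcxIHBhcmFtOg==",
    "c:\\windows\\system32\\rundll32.exe syssetup,SetupInfObjectInstallAction "
    "DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf",
    "C:\\WINDOWS\\system32\\rundll32.exe shell32.dll,Control_RunDLL",  # constructed, benign
]

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
# Assumed whitelist of directories a rundll32 target DLL is expected to live in.
SYSTEM_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/")


def decode_b64_arg(token):
    """Decode token if it is well-formed base64 yielding printable ASCII; otherwise None."""
    if len(token) % 4 or not B64_TOKEN.match(token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def parse_kv_fields(text):
    """Split 'type:p2p path: funcname:@75 param:' into {key: value}; empty values stay ''."""
    fields = {}
    for part in text.split():
        key, sep, value = part.partition(":")
        if sep:
            fields[key] = value
    return fields


def analyze_rundll32(cmdline):
    """Return a finding dict for a rundll32 command line, or None if it is not rundll32.

    reasons lists the heuristics that fired (names are this example's own):
      dll-outside-system-dir  DLL path is absolute and not under SYSTEM_DIRS
      inf-install             syssetup,SetupInfObjectInstallAction used to run an .inf
      base64-argument         an argument decodes to printable text (decoded into fields)
    """
    tokens = cmdline.split()  # the sandbox renders these paths without embedded spaces
    if len(tokens) < 2:
        return None
    exe = tokens[0].replace("\\", "/").lower()
    if not exe.endswith("/rundll32.exe"):
        return None
    dll, _, export = tokens[1].partition(",")
    finding = {"dll": dll, "export": export, "decoded_arg": None, "fields": {}, "reasons": []}

    dll_norm = dll.replace("\\", "/").lower()
    if "/" in dll_norm and not dll_norm.startswith(SYSTEM_DIRS):
        finding["reasons"].append("dll-outside-system-dir")

    if dll_norm == "syssetup" and export == "SetupInfObjectInstallAction":
        finding["inf"] = next((t for t in tokens[2:] if t.lower().endswith(".inf")), None)
        finding["reasons"].append("inf-install")

    for tok in tokens[2:]:
        decoded = decode_b64_arg(tok)
        if decoded is not None:
            finding["decoded_arg"] = decoded
            finding["fields"] = parse_kv_fields(decoded)
            finding["reasons"].append("base64-argument")
            break
    return finding


def scan(lines):
    """Return findings for every rundll32 line that triggered at least one heuristic."""
    hits = []
    for line in lines:
        finding = analyze_rundll32(line)
        if finding and finding["reasons"]:
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_PROCESS_LINES):
        print(hit["dll"], hit["export"], hit["reasons"], hit["decoded_arg"])
```

Run against the constructed lines, the two q3oUnka.dll loads fire both the directory and base64 heuristics, the syssetup line fires only inf-install (it points at the xtfilemon.inf that the later process entries show registering the xtfilemon driver service), and the constructed shell32.dll line is silent. The base64 check deliberately requires a clean decode to printable ASCII so that ordinary long tokens such as file paths do not trigger it.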

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: \Device\Afd\Endpoint

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1860

Process
↳ Pid 1128

Process
↳ C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/y8k0P50/q3oUnka.dll,DllLoad dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDcxIHBhcmFtOg==

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: M2ProcProt
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: XMX_XP2P_YT_3275
Creates Mutex: XROMain
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: np2p.soomeng.com

Process
↳ C:/WINDOWS/system32/rundll32.exe C:/WINDOWS/y8k0P50/q3oUnka.dll,DllLoadX dHlwZTpwMnAgcGF0aDogZnVuY25hbWU6QDc1IHBhcmFtOg==

Creates File: \Device\Tcp
Creates Mutex: ZonesLockedCacheCounterMutex
Creates Mutex: ZonesCounterMutex
Creates Mutex: ZonesCacheCounterMutex

Process
↳ c:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\xtfilemon\DebugFlags ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv ➝ grpconv -o\\x00
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\GroupOrderList\FSFilter Activity Monitor ➝ NULL
Creates Process: runonce -r
Creates Service: xtfilemon - system32\DRIVERS\xtfilemon.sys

Process
↳ c:\windows\system32\rundll32.exe syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:/WINDOWS/system32/drivers/xtfilemon.inf

Creates File: PIPE\lsarpc

Process
↳ net start xtfilemon

Creates Process: net1 start xtfilemon

Process
↳ runonce -r

Creates Process: C:\WINDOWS\system32\grpconv.exe -o

Process
↳ net1 start xtfilemon

Starts Service: xtfilemon

Process
↳ C:\WINDOWS\system32\grpconv.exe -o

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GrpConv\Log ➝ Init Application.\\x00

Network Details:

DNS: www.a.shifen.com (A) ➝ 103.235.46.39
DNS: so.qh-lb.com (A) ➝ 106.120.160.134
DNS: 1st.ecoma.ourwebpic.com (A) ➝ 8.37.239.17
DNS: 1st.ecoma.ourwebpic.com (A) ➝ 8.37.239.17
DNS: www.baidu.com (A) ➝ (no address recorded)
DNS: www.so.com (A) ➝ (no address recorded)
DNS: cdn.p2ptool.com (A) ➝ (no address recorded)
DNS: np2p.soomeng.com (A) ➝ (no address recorded)
HTTP GET: http://np2p.soomeng.com/bmy/?usr=capslock.4&mac=XXXXXXXXXXXX&ver=1.1.15.9093 (User-Agent: Test)
HTTP GET: http://cdn.p2ptool.com/p2p/black.txt (User-Agent: Test)
Flows TCP: 192.168.1.1:1031 ➝ 106.120.160.134:80
Flows TCP: 192.168.1.1:1034 ➝ 8.37.239.17:80
Flows TCP: 192.168.1.1:1036 ➝ 8.37.239.17:80
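
The two HTTP requests above are the network indicators a practitioner would turn into a detection: a check-in to np2p.soomeng.com/bmy/ carrying usr, mac and ver query parameters (ver matches the FileVersion in the PE resource), a fetch of cdn.p2ptool.com/p2p/black.txt, and in both cases the literal User-Agent "Test". The following Python is an added example, not part of the sandbox report: it matches constructed proxy-log lines (tab-separated client, method, URL, User-Agent; the first two reproduce the report's requests, the rest are invented for contrast) against those indicators, grades each hit by how many of them agree, and extracts the check-in parameters. The log format and the confidence labels are this example's own assumptions.

```python
from urllib.parse import parse_qsl, urlsplit

# Indicators taken from this report's Network Details section.
BEACON_ENDPOINTS = {
    ("np2p.soomeng.com", "/bmy/"),
    ("cdn.p2ptool.com", "/p2p/black.txt"),
}
BEACON_USER_AGENT = "Test"

# Constructed proxy-log lines (tab-separated: client, method, URL, User-Agent); not captured traffic.
# Lines 1 and 2 reproduce the report's requests; lines 3 to 5 are invented for contrast.
SAMPLE_PROXY_LOG = [
    "192.168.1.1\tGET\thttp://np2p.soomeng.com/bmy/?usr=capslock.4&mac=XXXXXXXXXXXX&ver=1.1.15.9093\tTest",
    "192.168.1.1\tGET\thttp://cdn.p2ptool.com/p2p/black.txt\tTest",
    "192.168.1.7\tGET\thttp://www.baidu.com/\tMozilla/5.0 (Windows NT 5.1)",
    "192.168.1.9\tGET\thttp://np2p.soomeng.com/bmy/?usr=host.2&mac=001122334455&ver=1.1.15.9093\tMozilla/5.0 (Windows NT 6.1)",
    "192.168.1.9\tGET\thttp://np2p.soomeng.com/other/\tTest",
]


def classify_request(url, user_agent):
    """Return a confidence label for one request, or None if nothing matches.

    'high'   host and path match a known endpoint and the UA is the literal "Test"
    'medium' host and path match but the UA differs (a UA string is trivial to change)
    'low'    only the host matches (the report shows two paths; others may exist)
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    endpoint_hit = (host, parts.path) in BEACON_ENDPOINTS
    host_hit = any(host == known_host for known_host, _ in BEACON_ENDPOINTS)
    if endpoint_hit and user_agent == BEACON_USER_AGENT:
        return "high"
    if endpoint_hit:
        return "medium"
    if host_hit:
        return "low"
    return None


def extract_beacon_fields(url):
    """Pull the usr/mac/ver query parameters carried by the /bmy/ check-in (None if absent)."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return {key: params.get(key) for key in ("usr", "mac", "ver")}


def scan_proxy_log(lines):
    """Return one hit per matching log line with client, confidence and extracted fields."""
    hits = []
    for line in lines:
        client, method, url, user_agent = line.split("\t", 3)
        confidence = classify_request(url, user_agent)
        if confidence is None:
            continue
        hits.append({
            "client": client,
            "method": method,
            "host": urlsplit(url).hostname,
            "confidence": confidence,
            "fields": extract_beacon_fields(url),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit["client"], hit["confidence"], hit["host"], hit["fields"])
```

The host plus path pair is treated as the primary indicator and the User-Agent only as a confirming one: "Test" is a placeholder string that the author can change in a rebuild, whereas the check-in host and path are what the dropped DLL was observed contacting. The ver parameter extracted from the check-in can be compared with the FileVersion in the static details to tie a network hit back to a specific build.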
