Analysis Date: 2015-12-06 04:52:55
MD5: 6b9e8da15e572617dee595f3c5a1ff99
SHA1: 3adab7a3535ab7c59d6225b29c99769ff1851d1e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: cbd7f781eed05d68eb2dca64a80c918d sha1: 9aef38bf02f2f748913b2a79bd2d750f9b07f84e size: 1366528
Section .rdata: md5: bafc62505063f0530f5a42585a18d821 sha1: 003457d1aeea4a27f429b9d14335089f89667766 size: 305152
Section .data: md5: 80b8105821fab69b3c90c16a5e27bc06 sha1: ac7cb0ee614290c98a5358a71dfa744cb090b9f2 size: 8192
Section .reloc: md5: a45db0e0ae5f0923f6d48487eee31a97 sha1: a08fd827ed449a2e994834c16de9c3cc194a4995 size: 187904
Timestamp: 2015-05-11 04:34:52
Packer: VC8 -> Microsoft Corporation
PEhash: 2e0f5b8c5e44a14f29ff3c9b96efc1e4fa15cf10
IMPhash: 4dd504319ecb934d76e10170061a164c
AV Kaspersky: Trojan.Win32.Generic
AV MicroWorld (escan): Trojan.Generic.15280355
AV Frisk (f-prot): no_virus
AV K7: Trojan ( 004c77f41 )
AV Mcafee: Trojan-FGIJ!6B9E8DA15E57
AV CA (E-Trust Ino): no_virus
AV Fortinet: W32/Trojan.FGIJ!tr
AV Grisoft (avg): Win32/Cryptor
AV MalwareBytes: Trojan.Agent.KVTGen
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BN
AV CAT (quickheal): no_virus
AV Dr. Web: Trojan.Bayrob.5
AV Eset (nod32): Win32/Bayrob.Z
AV F-Secure: Trojan.Generic.15280355
AV Ikarus: Trojan.Win32.Bayrob
AV Ad-Aware: Trojan.Generic.15280355
AV Emsisoft: Trojan.Generic.15280355
AV Alwil (avast): Dropper-OJQ [Drp]
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV BullGuard: Trojan.Generic.15280355
AV Avira (antivir): TR/Crypt.Xpack.320503
AV ClamAV: no_virus
AV Arcabit (arcavir): Trojan.Generic.15280355
AV BitDefender: Trojan.Generic.15280355
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\wqg6bu1n7ymdusku2fyz7.exe
Creates File: C:\WINDOWS\system32\yzpjbptis\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\wqg6bu1n7ymdusku2fyz7.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\wqg6bu1n7ymdusku2fyz7.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AutoConnect User-mode Center Connectivity ➝ C:\WINDOWS\system32\khwxbhjvhrf.exe
Creates File: C:\WINDOWS\system32\khwxbhjvhrf.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\yzpjbptis\lck
Creates File: C:\WINDOWS\system32\yzpjbptis\etc
Creates File: C:\WINDOWS\system32\yzpjbptis\tst
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\khwxbhjvhrf.exe
Creates Service: Controls Remote Shadow Program AutoConnect - C:\WINDOWS\system32\khwxbhjvhrf.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 796

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1844

Process
↳ Pid 1048

Process
↳ C:\WINDOWS\system32\khwxbhjvhrf.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\yzpjbptis\rng
Creates File: C:\WINDOWS\system32\yzpjbptis\cfg
Creates File: C:\WINDOWS\TEMP\wqg6bu1uphmdusk.exe
Creates File: C:\WINDOWS\system32\yzpjbptis\lck
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\aprrfowt.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\yzpjbptis\tst
Creates File: C:\WINDOWS\system32\yzpjbptis\run
Creates Process: C:\WINDOWS\TEMP\wqg6bu1uphmdusk.exe -r 23451 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\khwxbhjvhrf.exe"

Process
↳ C:\WINDOWS\system32\khwxbhjvhrf.exe

Creates File: C:\WINDOWS\system32\yzpjbptis\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\khwxbhjvhrf.exe"

Creates File: C:\WINDOWS\system32\yzpjbptis\tst

Process
↳ C:\WINDOWS\TEMP\wqg6bu1uphmdusk.exe -r 23451 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

