Analysis Date: 2015-10-14 00:42:51
MD5: e5e7ff620f7e8204d1e8129a4233b074
SHA1: 3b8e80b084780583eb583b96ddb43a8e6b082c5b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 8152c67b65aa5bd639e0a580f93f49a7 sha1: eb4037a35436b63be3eef778c54cfcc80c93f465 size: 334336
Section .rdata md5: 1e34f2cf38f79e6c0e1b45e12b27b4a3 sha1: 426e3835aad4b30e87a512eaa066b5b26d6edf69 size: 153088
Section .data md5: b88c6f81271680f45fc4793954eba410 sha1: e3d33e0ccb8c536c5333d2b38fb9a3bfe14fec5e size: 26624
Section .rsrc md5: 865d8de4a2debaf8e01486f46de001a4 sha1: 9dff54d125eb1bb05731cf0d1e095159ddf7dbfc size: 2239488
Timestamp: 1970-01-01 01:49:49
Pdb path: C:\Bin\setup.pdb
Version: LegalCopyright: Copyright ? 2013
FileVersion: 3, 15, 8, 2910
CompanyName: MICROSOFT
ProductName: sunshine
ProductVersion: 1, 0, 0, 2
OriginalFilename: tomgo
Packer: Microsoft Visual C++ ?.?
PEhash: e278fa0be89bfbe7e98218f355c8d62bbc8acc89
IMPhash: 5f183cf8d571f9e14eed0cddfa97d0e0
AV Rising: Trojan.Win32.Zzinfor.d:Trojan.Win32.Zzinfor.f
AV Mcafee: RDN/Generic Dropper:RDN/Generic.bfr
AV Avira (antivir): TR/Rogue.27840:TR/Spy.Agent.58880.2:TR/Downloader.Gen7
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Zusy.118140
AV Alwil (avast): Malware-gen:GenMaliciousA-NAP [Trj]:Trojan-gen:Rofin-A [Trj]:Win32:Malware-gen:Win32:Trojan-gen
AV Eset (nod32): no_virus
AV Grisoft (avg): Hider.ADZR.dropper
AV Symantec: no_virus
AV Fortinet: W32/Daws.DTDJ!tr
AV BitDefender: Gen:Variant.Zusy.118140
AV K7: no_virus
AV Microsoft Security Essentials: Trojan:Win32/Skeeyah.A!rfn
AV MicroWorld (escan): Gen:Variant.Zusy.118140
AV MalwareBytes: no_virus
AV Authentium: W32/Trojan.RIYT-3285
AV Frisk (f-prot): W32/SYStroj.N.gen!Eldorado
AV Ikarus: PUA.Zzinfor
AV Emsisoft: Gen:Variant.Zusy.118140
AV Zillya!: Trojan.Zzinfor.Win32.120
AV Kaspersky: Trojan.Win32.Generic:Trojan-Dropper.Win32.Daws.dtdj
AV Trend Micro: BKDR_IXESHE.SML
AV CAT (quickheal): Backdoor.Dusenr.08124
AV VirusBlokAda (vba32): BScope.Malware-Cryptor.NSAnti.Gen.1
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Zusy.118140
AV Arcabit (arcavir): Gen:Variant.Zusy.118140:Gen:Variant.Mikey.25218:DeepScan:Generic.Malware.P!Pk!.B27A4187:Trojan.Generic.14936877:Trojan.Generic.11782610:Gen:Trojan.Heur.LP.du4@aaYL6Cpi:Trojan.Generic.14934268
AV ClamAV: Win.Trojan.Ascii.115_238_251_56-1
AV Dr. Web: Trojan.DownLoader16.2745:DLOADER.Trojan - infected container
AV F-Secure: Gen:Variant.Zusy.118140
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\123\AddShExe ➝ NULL
Registry: HKEY_CLASSES_ROOT\Microsoft.IE\ ➝ C:\create.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonZoneCrossing ➝ NULL
Creates File: C:\DProEx.sys
Creates File: C:\configWord.cf
Creates File: C:\reTcp.sys
Creates File: DProEx
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\create.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\config.ini
Creates File: C:\Windows\System32\clk.ini
Creates File: C:\WINDOWS\he1p
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: FixTool
Creates File: C:\Windows\System32\cBLK.dll
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Service: DProEx.sys - C:\DProEx.sys
Creates Service: reTcp.sys - C:\reTcp.sys
Starts Service: DProEx
Starts Service: FixTool
Winsock URL: http://ad.zzinfor.cn/static/hotkey.txt

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File: WMIDataDevice

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\Explorer.EXE

Network Details:

DNS: 1st.ecoma.ourwebpic.com Type: A ➝ 8.37.236.6
DNS: 1st.ecoma.ourwebpic.com Type: A ➝ 8.37.231.20
DNS: 1st.ecoma.ourwebpic.com Type: A ➝ 8.37.231.21
DNS: 1st.ecoma.ourwebpic.com Type: A ➝ 8.37.231.22
DNS: 1st.ecoma.ourwebpic.com Type: A ➝ 8.37.234.3
DNS: 1st.ecoma.ourwebpic.com Type: A ➝ 8.37.234.4
DNS: 1st.ecoma.ourwebpic.com Type: A ➝ 8.37.235.3
DNS: 1st.ecoma.ourwebpic.com Type: A ➝ 8.37.235.5
DNS: 1st.ecoma.ourwebpic.com Type: A ➝ 8.37.235.6
DNS: 1st.ecoma.ourwebpic.com Type: A ➝ 8.37.236.2
DNS: 1st.ecoma.ourwebpic.com Type: A ➝ 8.37.236.3
DNS: 1st.ecoma.ourwebpic.com Type: A ➝ 8.37.236.5
DNS: ad.zzinfor.cn Type: A
HTTP GET: http://ad.zzinfor.cn/static/hotkey.txt
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 8.37.236.6:80

Raw Pcap
0x00000000 (00000)   47455420 2f737461 7469632f 686f746b   GET /static/hotk
0x00000010 (00016)   65792e74 78742048 5454502f 312e310d   ey.txt HTTP/1.1.
0x00000020 (00032)   0a486f73 743a2061 642e7a7a 696e666f   .Host: ad.zzinfo
0x00000030 (00048)   722e636e 0d0a0d0a                     r.cn....


Strings