Analysis Date: 2016-02-23 21:27:34
MD5: 2baf3f1d3f8313bd9156af627a239c83
SHA1: 400aecb8b3d0d6097d8764cfcf4fc175ebe9c0c5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 7a21930cc9c3f2ff9940a7a2442db9b7 sha1: a5f1c35899cc2ba120996851a17d9c85f6259955 size: 833024
Section .rdata: md5: f9ea320a0f5c3e35c00634d6048a5ef1 sha1: 0cbd56f373a5ace7a640992a720d339bf197dfed size: 301568
Section .data: md5: b2dc54f4de13ac9e777368305fb43536 sha1: f9affa24e2ce339a5d51477b55f4eb3ffa3c371d size: 8192
Timestamp: 2015-04-15 02:18:35
Packer: Microsoft Visual C++ ?.?
PEhash: 80738c520ce73cb50092468cb52e302c6c76c82c
IMPhash: 4c48d406040472f62adaddaa4e4dcf2a
AV CA (E-Trust Ino): Gen:Variant.Injector.47
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): TR/Crypt.Xpack.409948
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Injector.47
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Kryptik.DDQD
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Kryptik.DDQD!tr
AV BitDefender: Gen:Variant.Injector.47
AV K7: Trojan ( 004cd0081 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.CE
AV MicroWorld (escan): Gen:Variant.Injector.47
AV MalwareBytes: No Virus
AV Authentium: W32/Zusy.X.gen!Eldorado
AV Emsisoft: Gen:Variant.Injector.47
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Crypt
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Gen:Variant.Injector.47
AV Arcabit (arcavir): Gen:Variant.Injector.47
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Injector.47

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\xeylbaw1la2umtdxkdfbjy.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\xeylbaw1la2umtdxkdfbjy.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\xeylbaw1la2umtdxkdfbjy.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\UPnP Grouping HomeGroup Group Scheduler ➝ C:\WINDOWS\system32\phxpatgggm.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\etc
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\tst
Creates File: C:\WINDOWS\system32\phxpatgggm.exe
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\phxpatgggm.exe
Creates Service: Configuration Host Authentication - C:\WINDOWS\system32\phxpatgggm.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1868

Process
↳ Pid 1144

Process
↳ C:\WINDOWS\system32\phxpatgggm.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\bzpyrhklbv.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\tst
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\run
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\lck
Creates File: C:\WINDOWS\TEMP\xeylbaw1saoumtd.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\cfg
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\rng
Creates Process: C:\WINDOWS\TEMP\xeylbaw1saoumtd.exe -r 26475 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\phxpatgggm.exe"

Process
↳ C:\WINDOWS\system32\phxpatgggm.exe

Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\phxpatgggm.exe"

Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\tst

Process
↳ C:\WINDOWS\TEMP\xeylbaw1saoumtd.exe -r 26475 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

