Analysis Date: 2015-10-10 15:03:50
MD5: 2aa309ae1362cccad8ed1e3347c2675c
SHA1: 41727978b00aee59afbfe81523ae86ec858d218f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5efe5c7d82d492bc43af5ce689531160 sha1: 408b4607deaae41cff3fed84ee193d6e39e91c89 size: 684544
Section .rdata: md5: 1fe943caecf4ae6341db56fb35624a5f sha1: d7a7cce2e33bd0f215ff20b48ad18cde660fd867 size: 54784
Section .data: md5: 556828a5db29c6c7fe06b13a2f512d1d sha1: 5cdec16c9378678dc7021219939494b9cfc86403 size: 398848
Timestamp: 2014-05-09 20:28:46
Packer: Microsoft Visual C++ ?.?
PEhash: 9a4640317c6dd589fd7e172da64bc637cad33c2c
IMPhash: 5202425be30d968e3a6ae1ba12ac7746
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV ClamAV: no_virus
AV Ikarus: Virus.Win32.Cryptor
AV BitDefender: Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus
AV Eset (nod32): Win32/Kryptik.DXVJ
AV VirusBlokAda (vba32): no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV F-Secure: Gen:Variant.Symmi.22722
AV Rising: no_virus
AV Zillya!: no_virus
AV Alwil (avast): Downloader-VHF [Trj]
AV Fortinet: Riskware/Agent
AV Dr. Web: no_virus
AV CAT (quickheal): no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.Gen8
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Twister: Trojan.Girtk.BCFJ.cpsn.mg
AV Frisk (f-prot): no_virus
AV Symantec: Downloader.Upatre!g15
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV Grisoft (avg): Win32/Cryptor
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV Trend Micro: TSPY_NIVDORT.SMA
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Padvish: no_virus
AV K7: Trojan ( 004cd0081 )

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\f3filbmd1kt5russzrjvvk.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\f3filbmd1kt5russzrjvvk.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\f3filbmd1kt5russzrjvvk.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Resolution Thread Detection Notification ➝ C:\WINDOWS\system32\iwjdgrljrpb.exe
Creates File: C:\WINDOWS\system32\iwjdgrljrpb.exe
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\lck
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\etc
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\iwjdgrljrpb.exe
Creates Service: Extensible Configuration TPM - C:\WINDOWS\system32\iwjdgrljrpb.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1128

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1200

Process
↳ C:\WINDOWS\system32\iwjdgrljrpb.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\jsbodphxuneu.exe
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\cfg
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\rng
Creates File: C:\WINDOWS\TEMP\f3filbmd1q4zruss.exe
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\lck
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\run
Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "c:\windows\system32\iwjdgrljrpb.exe"
Creates Process: C:\WINDOWS\TEMP\f3filbmd1q4zruss.exe -r 41172 tcp

Process
↳ C:\WINDOWS\system32\iwjdgrljrpb.exe

Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\iwjdgrljrpb.exe"

Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst

Process
↳ C:\WINDOWS\TEMP\f3filbmd1q4zruss.exe -r 41172 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: tablefruit.net Type: A ➝ 52.4.209.250
DNS: saltnice.net Type: A ➝ 208.100.26.234
DNS: gladelse.net Type: A ➝ 195.22.26.253
DNS: gladelse.net Type: A ➝ 195.22.26.254
DNS: gladelse.net Type: A ➝ 195.22.26.231
DNS: gladelse.net Type: A ➝ 195.22.26.252
DNS: watchfine.net Type: A ➝ 45.35.9.136
HTTP GET: http://tablefruit.net/index.php?method=validate&mode=sox&v=029&sox=3ca05000
User-Agent:
HTTP GET: http://saltnice.net/index.php?method=validate&mode=sox&v=029&sox=3ca05000
User-Agent:
HTTP GET: http://gladelse.net/index.php?method=validate&mode=sox&v=029&sox=3ca05000
User-Agent:
HTTP GET: http://watchfine.net/index.php?method=validate&mode=sox&v=029&sox=3ca05000
User-Agent:
HTTP GET: http://tablefruit.net/index.php?method=validate&mode=sox&v=029&sox=3ca05000
User-Agent:
HTTP GET: http://saltnice.net/index.php?method=validate&mode=sox&v=029&sox=3ca05000
User-Agent:
HTTP GET: http://gladelse.net/index.php?method=validate&mode=sox&v=029&sox=3ca05000
User-Agent:
HTTP GET: http://watchfine.net/index.php?method=validate&mode=sox&v=029&sox=3ca05000
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 52.4.209.250:80
Flows TCP: 192.168.1.1:1038 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1039 ➝ 195.22.26.253:80
Flows TCP: 192.168.1.1:1040 ➝ 45.35.9.136:80
Flows TCP: 192.168.1.1:1041 ➝ 52.4.209.250:80
Flows TCP: 192.168.1.1:1042 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1043 ➝ 195.22.26.253:80
Flows TCP: 192.168.1.1:1044 ➝ 45.35.9.136:80
