| Field | Value |
|---|---|
| Analysis Date | 2015-11-15 16:00:48 |
| MD5 | 6f98af6d50730d967e94b602d9e73a6f |
| SHA1 | 45821db7fab4c0d67d5c00864e98db0a42d14df6 |
Static Details:
| Field | Value |
|---|---|
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
| Timestamp | 2014-11-28 22:42:25 |
| Packer | Microsoft Visual C++ ?.? |
| PEhash | 0cdbdfd6a1e8e2270be3e4fc2cff759f70d404a3 |
| IMPhash | 8a2da73e066cedda220bb687fe53e02c |

| Section | MD5 | SHA1 | Size (bytes) |
|---|---|---|---|
| .text | 3bdaad09ba2e26b20bb7b4c6949f739a | 11df74969cc5d0d4cb50de2552452cfd84ee0648 | 805376 |
| .rdata | 63a2f370c7a2b6ceee632e3e414076b5 | 40badc82774c65988b00a819ebbef8ca80592f73 | 59904 |
| .data | 67c49ab0221a45ba22c3cfb3102ba719 | 05831304eb1a4ca08f8bca1fab54f7eb0cce2f12 | 411648 |
| AV vendor | Detection |
|---|---|
| F-Secure | Gen:Variant.Symmi.22722 |
| Authentium | W32/Nivdort.A.gen!Eldorado |
| MalwareBytes | no_virus |
| Dr. Web | Trojan.DownLoader17.49536 |
| Grisoft (avg) | Win32/Cryptor |
| Eset (nod32) | Win32/Kryptik.CCLE |
| MicroWorld (escan) | Gen:Variant.Symmi.22722 |
| Trend Micro | TROJ_WONTON.SMJ1 |
| ClamAV | no_virus |
| Ad-Aware | Gen:Variant.Symmi.22722 |
| BitDefender | Gen:Variant.Symmi.22722 |
| Avira (antivir) | BDS/Zegost.Gen |
| Alwil (avast) | Downloader-TLD [Trj] |
| Fortinet | W32/Generic!tr |
| Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.AE |
| Ikarus | Trojan.Win32.Crypt |
| Kaspersky | Trojan.Win32.Generic |
| VirusBlokAda (vba32) | no_virus |
| Arcabit (arcavir) | Gen:Variant.Symmi.22722 |
| Mcafee | no_virus |
| Twister | no_virus |
| Symantec | Downloader.Upatre!g15 |
| K7 | Trojan ( 004cd0081 ) |
| Rising | 0x59414d5e |
| Frisk (f-prot) | no_virus |
| Emsisoft | Gen:Variant.Symmi.22722 |
| Zillya! | Adware.BrowseFox.Win32.162494 |
| CAT (quickheal) | no_virus |
| Padvish | no_virus |
| BullGuard | Gen:Variant.Symmi.22722 |
| CA (E-Trust Ino) | no_virus |
Runtime Details:
Process
↳ C:\malware.exe

| Action | Target |
|---|---|
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\kxdsdogg1lsauvhyiqhyi.exe |
| Creates File | C:\WINDOWS\system32\zsohlmvvwx\tst |
| Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\kxdsdogg1lsauvhyiqhyi.exe |

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\kxdsdogg1lsauvhyiqhyi.exe

| Action | Target |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Diagnostic Resolution Audio Firewall Registrar ➝ C:\WINDOWS\system32\yvzuezgzlu.exe |
| Creates File | C:\WINDOWS\system32\yvzuezgzlu.exe |
| Creates File | C:\WINDOWS\system32\drivers\etc\hosts |
| Creates File | C:\WINDOWS\system32\zsohlmvvwx\lck |
| Creates File | C:\WINDOWS\system32\zsohlmvvwx\tst |
| Creates File | C:\WINDOWS\system32\zsohlmvvwx\etc |
| Deletes File | C:\WINDOWS\system32\drivers\etc\hosts |
| Creates Process | C:\WINDOWS\system32\yvzuezgzlu.exe |
| Creates Service | Encryption Storage Offline UserMode - C:\WINDOWS\system32\yvzuezgzlu.exe |

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

| Action | Target |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL |
| Creates File | PIPE\lsarpc |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG |
| Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

| Action | Target |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |

Process
↳ Pid 1136

Process
↳ C:\WINDOWS\system32\yvzuezgzlu.exe

| Action | Target |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1 |
| Creates File | C:\WINDOWS\system32\zsohlmvvwx\run |
| Creates File | C:\WINDOWS\system32\zsohlmvvwx\cfg |
| Creates File | pipe\net\NtControlPipe10 |
| Creates File | C:\WINDOWS\system32\zsohlmvvwx\lck |
| Creates File | C:\WINDOWS\system32\zsohlmvvwx\rng |
| Creates File | C:\WINDOWS\system32\zsohlmvvwx\tst |
| Creates File | C:\WINDOWS\TEMP\kxdsdogg1s9suv.exe |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\WINDOWS\system32\zbuiplgo.exe |
| Creates Process | C:\WINDOWS\TEMP\kxdsdogg1s9suv.exe -r 20026 tcp |
| Creates Process | WATCHDOGPROC "c:\windows\system32\yvzuezgzlu.exe" |

Process
↳ C:\WINDOWS\system32\yvzuezgzlu.exe

| Action | Target |
|---|---|
| Creates File | C:\WINDOWS\system32\zsohlmvvwx\tst |

Process
↳ WATCHDOGPROC "c:\windows\system32\yvzuezgzlu.exe"

| Action | Target |
|---|---|
| Creates File | C:\WINDOWS\system32\zsohlmvvwx\tst |

Process
↳ C:\WINDOWS\TEMP\kxdsdogg1s9suv.exe -r 20026 tcp

| Action | Target |
|---|---|
| Creates File | \Device\Afd\Endpoint |
| Winsock DNS | 239.255.255.250 |
Network Details:
| Record | Result |
|---|---|
| DNS | saltsecond.net Type: A 74.220.199.6 |
| DNS | melbourneit.hotkeysparking.com Type: A 8.5.1.16 |
| DNS | ableread.net Type: A 208.91.197.241 |
DNS | drinkwide.net Type: A 208.91.197.241 |
DNS | pickmake.net Type: A 208.91.197.241 |
DNS | mostcross.net Type: A 195.22.28.197 |
DNS | mostcross.net Type: A 195.22.28.198 |
DNS | mostcross.net Type: A 195.22.28.199 |
DNS | mostcross.net Type: A 195.22.28.196 |
DNS | darkcross.net Type: A 50.63.202.31 |
DNS | withgrave.net Type: A 208.100.26.234 |
DNS | thesecould.net Type: A 184.168.221.54 |
DNS | quickteach.net Type: A 203.124.119.1 |
HTTP GET | http://saltsecond.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent: |
HTTP GET | http://pickgrave.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent: |
HTTP GET | http://ableread.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent: |
HTTP GET | http://roomstock.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent: |
HTTP GET | http://watcheasy.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent: |
HTTP GET | http://uponmail.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent: |
HTTP GET | http://takenhand.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent: |
HTTP GET | http://watchsince.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent: |
HTTP GET | http://spotdont.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent: |
HTTP GET | http://offeraunt.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent: |
HTTP GET | http://madethan.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent: |
HTTP GET | http://drinkwide.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent: |
HTTP GET | http://pickmake.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent: |
HTTP GET | http://mostcross.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent: |
HTTP GET | http://darkcross.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent: |
HTTP GET | http://withgrave.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent: |
HTTP GET | http://thesecould.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent: |
HTTP GET | http://quickteach.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent: |