Analysis Date: 2015-11-18 09:31:14
MD5: 7e41b8af05c68384dff7c97477f7712b
SHA1: 47800c11a2cdb825ddb9475d410800f856de3347

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 ea563db84652f8884c2f689aee30535d, sha1 f25a29c211f59cbed0d056edc61133084e57fbd3, size 1442304
Section .rdata: md5 0e1b1018162ed7d9d5870b659737ab2a, sha1 a862d02b1d2a7bd7a457d955bdc9dd2055ab6157, size 331776
Section .data: md5 66f702e9f87da1c3c857fe4f7b04ed58, sha1 f79507aadbaf2103574806a455a27293ecf763b6, size 8192
Section .reloc: md5 892956fef164639a6bd35becc65056f0, sha1 d58858710e8548527577c372ceeabed93e6047fd, size 206336
Timestamp: 2015-05-11 04:50:15
Packer: VC8 -> Microsoft Corporation
PEhash: 87734814cc32fc697407c1e2837e10b7dd001bea
IMPhash: 39a88e041859c12fb4cb099c5e3ecef5
AV F-Secure: Gen:Trojan.Heur.TP.5rW@bGaVR8
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV MalwareBytes: no_virus
AV Dr. Web: Trojan.Bayrob.5
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Y
AV MicroWorld (escan): Gen:Variant.Kazy.611782
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV Ad-Aware: Gen:Trojan.Heur.TP.5rW@bGaVR8
AV BitDefender: Gen:Trojan.Heur.TP.5rW@bGaVR8
AV Avira (antivir): TR/Crypt.Xpack.315810
AV Alwil (avast): Dropper-OJQ [Drp]
AV Fortinet: W32/Generic.Y!tr
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV Ikarus: Trojan.Win32.Bayrob
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Gen:Trojan.Heur.TP.5rW@bGaVR8
AV Mcafee: Trojan-FGIJ!7E41B8AF05C6
AV Twister: no_virus
AV Symantec: Downloader.Upatre!g15
AV K7: Trojan ( 004c77f41 )
AV Rising: 0x593e4ecc
AV Frisk (f-prot): no_virus
AV Emsisoft: Gen:Trojan.Heur.TP.5rW@bGaVR8
AV Zillya!: no_virus
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Trojan.Heur.TP.5rW@bGaVR8
AV CA (E-Trust Ino): no_virus

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ipngpxvh1llcs2il34qb.exe
Creates File: C:\WINDOWS\system32\iqhqutkmofbmlji\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\ipngpxvh1llcs2il34qb.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\ipngpxvh1llcs2il34qb.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WWAN Ordering Assistant ➝ C:\WINDOWS\system32\xxhtwhe.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\iqhqutkmofbmlji\etc
Creates File: C:\WINDOWS\system32\xxhtwhe.exe
Creates File: C:\WINDOWS\system32\iqhqutkmofbmlji\tst
Creates File: C:\WINDOWS\system32\iqhqutkmofbmlji\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\xxhtwhe.exe
Creates Service: Thread Telephony Auto-Discovery Installer - C:\WINDOWS\system32\xxhtwhe.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ Pid 1016

Process
↳ Pid 1208

Process
↳ Pid 1328

Process
↳ Pid 1864

Process
↳ Pid 1140

Process
↳ C:\WINDOWS\system32\xxhtwhe.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\iqhqutkmofbmlji\rng
Creates File: C:\WINDOWS\system32\pxfiwpeqkpql.exe
Creates File: C:\WINDOWS\system32\iqhqutkmofbmlji\run
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\iqhqutkmofbmlji\cfg
Creates File: C:\WINDOWS\TEMP\ipngpxvh1t20s2.exe
Creates File: C:\WINDOWS\system32\iqhqutkmofbmlji\tst
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\iqhqutkmofbmlji\lck
Creates Process: C:\WINDOWS\TEMP\ipngpxvh1t20s2.exe -r 30078 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\xxhtwhe.exe"

Process
↳ C:\WINDOWS\system32\xxhtwhe.exe

Creates File: C:\WINDOWS\system32\iqhqutkmofbmlji\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\xxhtwhe.exe"

Creates File: C:\WINDOWS\system32\iqhqutkmofbmlji\tst

Process
↳ C:\WINDOWS\TEMP\ipngpxvh1t20s2.exe -r 30078 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250
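The runtime events above describe a chain that an incident responder wants as structured indicators rather than a flat event list: the dropper written to Temp, the copy to system32\xxhtwhe.exe registered both as a Run value ("WWAN Ordering Assistant") and as a service ("Thread Telephony Auto-Discovery Installer"), the hosts file written and deleted, FirewallDisableNotify set to 1 under Security Center, and the service binary re-launching its own image under a WATCHDOGPROC argument. The following is an added example, not part of the sandbox output: a Python parser for the report's event lines, fed a constructed excerpt of this report, that extracts those persistence artifacts, the spawn chain and the self-restart pairs. The "Label: value" line format (with each registry value joined onto its key line) and the function names are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed excerpt of this report's runtime event lines (values verbatim from the
# page, written as "Label: value" with each registry value joined onto its key line).
# A raw string keeps the Windows backslashes, including the doubled one the sandbox
# recorded in the hosts-file delete.
SANDBOX_EVENTS = r"""
Process
↳ C:\malware.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ipngpxvh1llcs2il34qb.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\ipngpxvh1llcs2il34qb.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\ipngpxvh1llcs2il34qb.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WWAN Ordering Assistant ➝ C:\WINDOWS\system32\xxhtwhe.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\xxhtwhe.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\xxhtwhe.exe
Creates Service: Thread Telephony Auto-Discovery Installer - C:\WINDOWS\system32\xxhtwhe.exe

Process
↳ C:\WINDOWS\system32\xxhtwhe.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\pxfiwpeqkpql.exe
Creates File: C:\WINDOWS\TEMP\ipngpxvh1t20s2.exe
Creates Process: C:\WINDOWS\TEMP\ipngpxvh1t20s2.exe -r 30078 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\xxhtwhe.exe"
"""

EVENT_RE = re.compile(
    r"^(Creates File|Creates Process|Deletes File|Creates Service|Registry|Winsock DNS): (.+)$"
)
WATCHDOG_RE = re.compile(r'^WATCHDOGPROC "([^"]+)"$')


def parse_events(text):
    """Attribute each event line to the process named by the preceding '↳' header.
    Returns (actor, kind, value) triples in report order."""
    actor, events = None, []
    for line in text.splitlines():
        if line.startswith("↳ "):
            actor = line[2:].strip()
            continue
        m = EVENT_RE.match(line)
        if m and actor is not None:
            events.append((actor, m.group(1), m.group(2).strip()))
    return events


def persistence_summary(events):
    """Host indicators a responder checks first: Run values, services, dropped
    executables, hosts-file tampering and Security Center registry writes."""
    out = {"run_keys": {}, "services": {}, "dropped_executables": set(),
           "hosts_file_modified": False, "security_center": {}}
    for _actor, kind, value in events:
        if kind == "Registry" and " ➝ " in value:
            key, _, data = value.partition(" ➝ ")
            name = key.rsplit("\\", 1)[-1]
            if "\\CurrentVersion\\Run\\" in key:
                out["run_keys"][name] = data
            elif "\\Security Center\\" in key:
                out["security_center"][name] = data
        elif kind == "Creates Service":
            name, _, image = value.partition(" - ")
            out["services"][name] = image
        elif kind in ("Creates File", "Deletes File"):
            # Collapse repeated separators so the doubled one in the report still matches.
            path = re.sub(r"\\+", r"\\", value).lower()
            if path.endswith("\\drivers\\etc\\hosts"):
                out["hosts_file_modified"] = True
            elif kind == "Creates File" and path.endswith(".exe"):
                out["dropped_executables"].add(value)
    return out


def process_tree(events):
    """Map each process to the command lines it spawned, in order."""
    tree = defaultdict(list)
    for actor, kind, value in events:
        if kind == "Creates Process":
            tree[actor].append(value)
    return dict(tree)


def execution_chain(tree, root):
    """Depth-first list of everything reachable from root, first-spawned child first."""
    order, seen, stack = [], set(), [root]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        order.append(node)
        stack.extend(reversed(tree.get(node, [])))
    return order


def watchdog_relaunches(events):
    """(actor, image) pairs where a process starts its own image under the
    WATCHDOGPROC marker, the self-restart pattern this report records."""
    found = []
    for actor, kind, value in events:
        m = WATCHDOG_RE.match(value) if kind == "Creates Process" else None
        if m and m.group(1).lower() == actor.lower():
            found.append((actor, m.group(1)))
    return found


if __name__ == "__main__":
    ev = parse_events(SANDBOX_EVENTS)
    print(persistence_summary(ev))
    print(" -> ".join(execution_chain(process_tree(ev), r"C:\malware.exe")))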

Network Details:

DNS: recordsoldier.net (A) ➝ 208.91.197.241
DNS: fliersurprise.net (A) ➝ 208.91.197.241
DNS: historybright.net (A) ➝ 208.91.197.241
DNS: chiefsoldier.net (A) ➝ 208.91.197.241
DNS: classsurprise.net (A) ➝ 208.91.197.241
DNS: thosecontinue.net (A) ➝ 208.91.197.241
DNS: throughcontain.net (A) ➝ 208.91.197.241
DNS: belongguard.net (A) ➝ 208.91.197.241
DNS: maybellinethaddeus.net (A) ➝ 208.91.197.241
DNS: kimberleyshavonne.net (A) ➝ 208.91.197.241
DNS: naildeep.com (A) ➝ 74.220.215.218
DNS: riddenstorm.net (A) ➝ 66.147.240.171
DNS: destroystorm.net (A) ➝ 216.239.138.86
DNS: roomfloor.net (A) ➝ 209.99.40.223
DNS: hillcross.net (A) ➝ 185.26.230.129
DNS: hillshade.net (A) ➝ 50.63.202.53
DNS: pickusual.net (A) ➝ 208.100.26.234
DNS: songteach.net (A) ➝ 50.63.202.37
DNS: melbourneit.hotkeysparking.com (A) ➝ 8.5.1.16
DNS: husbandfound.net (A) ➝ no address recorded
DNS: leadershort.net (A) ➝ no address recorded
DNS: eggbraker.com (A) ➝ no address recorded
DNS: ithouneed.com (A) ➝ no address recorded
DNS: pickshade.net (A) ➝ no address recorded
DNS: songshade.net (A) ➝ no address recorded
DNS: pickfloor.net (A) ➝ no address recorded
DNS: songfloor.net (A) ➝ no address recorded
DNS: roomthrew.net (A) ➝ no address recorded
DNS: signthrew.net (A) ➝ no address recorded
DNS: roomcross.net (A) ➝ no address recorded
DNS: signcross.net (A) ➝ no address recorded
DNS: roomshade.net (A) ➝ no address recorded
DNS: signshade.net (A) ➝ no address recorded
DNS: signfloor.net (A) ➝ no address recorded
DNS: movethrew.net (A) ➝ no address recorded
DNS: jumpthrew.net (A) ➝ no address recorded
DNS: movecross.net (A) ➝ no address recorded
DNS: jumpcross.net (A) ➝ no address recorded
DNS: moveshade.net (A) ➝ no address recorded
DNS: jumpshade.net (A) ➝ no address recorded
DNS: movefloor.net (A) ➝ no address recorded
DNS: jumpfloor.net (A) ➝ no address recorded
DNS: hillthrew.net (A) ➝ no address recorded
DNS: whomthrew.net (A) ➝ no address recorded
DNS: whomcross.net (A) ➝ no address recorded
DNS: whomshade.net (A) ➝ no address recorded
DNS: hillfloor.net (A) ➝ no address recorded
DNS: whomfloor.net (A) ➝ no address recorded
DNS: feltthrew.net (A) ➝ no address recorded
DNS: lookthrew.net (A) ➝ no address recorded
DNS: feltcross.net (A) ➝ no address recorded
DNS: lookcross.net (A) ➝ no address recorded
DNS: feltshade.net (A) ➝ no address recorded
DNS: lookshade.net (A) ➝ no address recorded
DNS: feltfloor.net (A) ➝ no address recorded
DNS: lookfloor.net (A) ➝ no address recorded
DNS: threethrew.net (A) ➝ no address recorded
DNS: lordthrew.net (A) ➝ no address recorded
DNS: threecross.net (A) ➝ no address recorded
DNS: lordcross.net (A) ➝ no address recorded
DNS: threeshade.net (A) ➝ no address recorded
DNS: lordshade.net (A) ➝ no address recorded
DNS: threefloor.net (A) ➝ no address recorded
DNS: lordfloor.net (A) ➝ no address recorded
DNS: drinkthrew.net (A) ➝ no address recorded
DNS: wifethrew.net (A) ➝ no address recorded
DNS: drinkcross.net (A) ➝ no address recorded
DNS: wifecross.net (A) ➝ no address recorded
DNS: drinkshade.net (A) ➝ no address recorded
DNS: wifeshade.net (A) ➝ no address recorded
DNS: drinkfloor.net (A) ➝ no address recorded
DNS: wifefloor.net (A) ➝ no address recorded
DNS: knowusual.net (A) ➝ no address recorded
DNS: ableusual.net (A) ➝ no address recorded
DNS: knowcould.net (A) ➝ no address recorded
DNS: ablecould.net (A) ➝ no address recorded
DNS: knowteach.net (A) ➝ no address recorded
DNS: ableteach.net (A) ➝ no address recorded
DNS: knowgrave.net (A) ➝ no address recorded
DNS: ablegrave.net (A) ➝ no address recorded
DNS: songusual.net (A) ➝ no address recorded
DNS: pickcould.net (A) ➝ no address recorded
DNS: songcould.net (A) ➝ no address recorded
DNS: pickteach.net (A) ➝ no address recorded
DNS: pickgrave.net (A) ➝ no address recorded
DNS: songgrave.net (A) ➝ no address recorded
DNS: roomusual.net (A) ➝ no address recorded
DNS: signusual.net (A) ➝ no address recorded
DNS: roomcould.net (A) ➝ no address recorded
DNS: signcould.net (A) ➝ no address recorded
DNS: roomteach.net (A) ➝ no address recorded
DNS: signteach.net (A) ➝ no address recorded
DNS: roomgrave.net (A) ➝ no address recorded
DNS: signgrave.net (A) ➝ no address recorded
DNS: moveusual.net (A) ➝ no address recorded
DNS: jumpusual.net (A) ➝ no address recorded
DNS: movecould.net (A) ➝ no address recorded
DNS: jumpcould.net (A) ➝ no address recorded
DNS: moveteach.net (A) ➝ no address recorded
DNS: jumpteach.net (A) ➝ no address recorded
DNS: movegrave.net (A) ➝ no address recorded
DNS: jumpgrave.net (A) ➝ no address recorded
DNS: hillusual.net (A) ➝ no address recorded
HTTP GET: http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://roomfloor.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://hillcross.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://hillshade.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://pickusual.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://songteach.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://pickgrave.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://roomfloor.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://hillcross.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://hillshade.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://pickusual.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://songteach.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
HTTP GET: http://pickgrave.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
  User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1043 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1046 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1047 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1048 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1049 ➝ 216.239.138.86:80
Flows TCP: 192.168.1.1:1050 ➝ 209.99.40.223:80
Flows TCP: 192.168.1.1:1051 ➝ 185.26.230.129:80
Flows TCP: 192.168.1.1:1052 ➝ 50.63.202.53:80
Flows TCP: 192.168.1.1:1053 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1054 ➝ 50.63.202.37:80
Flows TCP: 192.168.1.1:1055 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1056 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1057 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1058 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1059 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1060 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1061 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1062 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1063 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1064 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1065 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1066 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1067 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1068 ➝ 216.239.138.86:80
Flows TCP: 192.168.1.1:1069 ➝ 209.99.40.223:80
Flows TCP: 192.168.1.1:1070 ➝ 185.26.230.129:80
Flows TCP: 192.168.1.1:1071 ➝ 50.63.202.53:80
Flows TCP: 192.168.1.1:1072 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1073 ➝ 50.63.202.37:80
Flows TCP: 192.168.1.1:1074 ➝ 8.5.1.16:80
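Two things in the network section above are directly usable for detection: every request uses one fixed check-in URL (/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr, with the same sox value in all 38 requests and a User-Agent line recorded with no value), and the long tail of unresolved names are all two-word .net labels assembled from small word lists (room/sign/move/jump/hill/whom/felt/look/three/lord/drink/wife/know/able/song/pick followed by threw/cross/shade/floor/usual/could/teach/grave), the shape of a dictionary-based domain generation scheme. The following is an added example, not part of the sandbox output: Python that turns those two observations into checks over constructed proxy and resolver log lines. The word lists are read off this report's DNS section and are an assumption about the generator, not its real dictionaries; the log line formats, the alert threshold and the function names are likewise assumptions of the example.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Word lists read off the .net domains this sample queried (an assumption drawn from
# the DNS section of the report, not the malware's real generator dictionaries).
FIRST_WORDS = {"room", "sign", "move", "jump", "hill", "whom", "felt", "look",
               "three", "lord", "drink", "wife", "know", "able", "song", "pick"}
SECOND_WORDS = {"threw", "cross", "shade", "floor", "usual", "could", "teach", "grave"}

# Fixed query parameters of the check-in seen in the HTTP GET section.
BEACON_FIXED = {"method": "validate", "mode": "sox"}


def is_wordpair_domain(host):
    """True for <first><second>.net names built from the two word lists above.
    Only bare second-level names match; 'a.roomfloor.net' does not."""
    label, _, tld = host.lower().rpartition(".")
    if tld != "net" or not label:
        return False
    return any(label.startswith(w) and label[len(w):] in SECOND_WORDS for w in FIRST_WORDS)


def beacon_fields(url):
    """If url is the /index.php validate check-in, return its host, bot id ('sox')
    and version ('v'); otherwise None. Bare keys such as 'lenhdr' are tolerated."""
    parts = urlsplit(url)
    if not parts.path.endswith("/index.php"):
        return None
    q = parse_qs(parts.query, keep_blank_values=True)
    if any(q.get(k, [None])[0] != v for k, v in BEACON_FIXED.items()):
        return None
    return {"host": parts.hostname, "sox": q.get("sox", [None])[0], "v": q.get("v", [None])[0]}


# Constructed proxy log, "<client> <host> <url>" per line. The first two lines reproduce
# requests from the report; the last two are benign look-alikes the URL rule must not fire on.
PROXY_LOG = """\
192.168.1.1 recordsoldier.net http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
192.168.1.1 pickgrave.net http://pickgrave.net/index.php?method=validate&mode=sox&v=050&sox=4f30fa00&lenhdr
192.168.1.7 www.example.com http://www.example.com/index.php?method=validate&mode=full
192.168.1.7 roomfloor.net http://roomfloor.net/favicon.ico
"""

# Constructed resolver log, "<client> <qname> <rcode>" per line.
DNS_LOG = """\
192.168.1.1 roomthrew.net NXDOMAIN
192.168.1.1 signthrew.net NXDOMAIN
192.168.1.1 roomcross.net NXDOMAIN
192.168.1.1 hillshade.net NOERROR
192.168.1.9 www.example.com NOERROR
"""


def triage_proxy(log):
    """Flag each request that matches the check-in URL or a word-pair domain."""
    alerts = []
    for line in log.splitlines():
        client, host, url = line.split(maxsplit=2)
        reasons = []
        if beacon_fields(url):
            reasons.append("beacon")
        if is_wordpair_domain(host):
            reasons.append("wordpair-domain")
        if reasons:
            alerts.append({"client": client, "host": host, "reasons": reasons})
    return alerts


def dns_suspects(log, min_hits=3):
    """Clients that looked up at least min_hits word-pair domains, resolved or not.
    The unresolved bulk of the report's DNS list is exactly what this threshold catches."""
    hits = Counter()
    for line in log.splitlines():
        client, qname, _rcode = line.split()
        if is_wordpair_domain(qname):
            hits[client] += 1
    return {c: n for c, n in hits.items() if n >= min_hits}


def bot_ids(log):
    """Distinct 'sox' values seen in check-ins (the report shows one, 4f30fa00, throughout)."""
    ids = set()
    for line in log.splitlines():
        fields = beacon_fields(line.split(maxsplit=2)[2])
        if fields and fields["sox"]:
            ids.add(fields["sox"])
    return ids


if __name__ == "__main__":
    for alert in triage_proxy(PROXY_LOG):
        print(alert)
    print(dns_suspects(DNS_LOG), bot_ids(PROXY_LOG))
```

The two rules are deliberately independent: the URL rule catches the first-tier hosts (recordsoldier.net and the others that resolved to 208.91.197.241) whose names are not built from the word lists, while the domain rule catches the generated names even when no HTTP request follows, which is the case for most of the DNS entries above.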
