Analysis Date: 2015-11-20 06:28:20
MD5: ccaf1e857acf50da3f030c9ae2117e07
SHA1: 4b325a274f2fdb785c98762054148451b86623f4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 9cf27c9b74fa2696afb73e97496d12a3 sha1: dd8d8ada127fb4e253ebb0d1cde833a702c8ff58 size: 850944
Section .rdata: md5: fb81c672fd6500411a741f924a7e7ab4 sha1: e23c7379b5de6ca4655f25b3af66fb128d2c548f size: 336384
Section .data: md5: eb6c75326fb06a16f867f88fb195a190 sha1: ff3886a5e6481bac0012db6de20c58b538cda3a8 size: 8192
Timestamp: 2015-03-13 07:31:50
Packer: Microsoft Visual C++ ?.?
PEhash: b4c25a55ced7e73bab36d07af64ed14237b90d42
IMPhash: edaddeb6e60de8482d82b41f6b0eb5ad
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Zusy.133308
AV Alwil (avast): Kryptik-PHB [Trj]
AV Eset (nod32): Win32/Kryptik.DDQD
AV Grisoft (avg): Crypt4.GO
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Kryptik.DDQD!tr
AV BitDefender: Gen:Variant.Zusy.133308
AV K7: Trojan ( 004cd0081 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV MicroWorld (escan): Gen:Variant.Zusy.133308
AV MalwareBytes: no_virus
AV Authentium: W32/Zusy.X.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Zusy.133308
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Zusy.133308
AV Arcabit (arcavir): Gen:Variant.Zusy.133308
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader12.61357
AV F-Secure: Gen:Variant.Zusy.133308
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\j3mbigkyoom0hwh8qfqmeiz.exe
Creates File: C:\WINDOWS\system32\wnzltlciggx\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\j3mbigkyoom0hwh8qfqmeiz.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\j3mbigkyoom0hwh8qfqmeiz.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Instrumentation CardSpace SNMP ➝ C:\WINDOWS\system32\izyuupsa.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\izyuupsa.exe
Creates File: C:\WINDOWS\system32\wnzltlciggx\lck
Creates File: C:\WINDOWS\system32\wnzltlciggx\tst
Creates File: C:\WINDOWS\system32\wnzltlciggx\etc
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\izyuupsa.exe
Creates Service: Bus Program Superfetch Browser Window - C:\WINDOWS\system32\izyuupsa.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-1BC69D2D.pf
Creates File: C:\WINDOWS\Prefetch\IZYUUPSA.EXE-214B0A93.pf
Creates File: C:\WINDOWS\Prefetch\WYJZCTXVS.EXE-310D8A70.pf
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\J3MBIGKYOOM0HWH8QFQMEIZ.EXE-239910EF.pf
Creates File: C:\WINDOWS\Prefetch\J3MBIGKYOWA2HWH8Q.EXE-3B977582.pf
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1204

Process
↳ Pid 1320

Process
↳ Pid 1856

Process
↳ Pid 516

Process
↳ C:\WINDOWS\system32\izyuupsa.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\wnzltlciggx\cfg
Creates File: C:\WINDOWS\system32\wyjzctxvs.exe
Creates File: C:\WINDOWS\TEMP\j3mbigkyowa2hwh8q.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\wnzltlciggx\run
Creates File: C:\WINDOWS\system32\wnzltlciggx\tst
Creates File: C:\WINDOWS\system32\wnzltlciggx\lck
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\wnzltlciggx\rng
Deletes File: C:\WINDOWS\TEMP\j3mbigkyowa2hwh8q.exe
Creates Process: WATCHDOGPROC "c:\windows\system32\izyuupsa.exe"
Creates Process: C:\WINDOWS\TEMP\j3mbigkyowa2hwh8q.exe -r 31939 tcp

Process
↳ C:\WINDOWS\system32\izyuupsa.exe

Creates File: C:\WINDOWS\system32\wnzltlciggx\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\izyuupsa.exe"

Creates File: C:\WINDOWS\system32\wnzltlciggx\tst

Process
↳ C:\WINDOWS\TEMP\j3mbigkyowa2hwh8q.exe -r 31939 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: ableread.net (Type: A) ➝ 208.91.197.241
DNS: muchhappy.net (Type: A) ➝ 208.91.197.241
DNS: callmile.net (Type: A) ➝ 208.91.197.241
DNS: nailthere.net (Type: A) ➝ 98.139.135.129
DNS: bothplain.net (Type: A) ➝ 208.91.197.241
DNS: walkword.net (Type: A) ➝ 208.91.197.241
DNS: naildeep.com (Type: A) ➝ 74.220.215.218
DNS: ablereply.net (Type: A) ➝ 208.100.26.234
DNS: pickstock.net (Type: A) ➝ 217.160.117.125
DNS: melbourneit.hotkeysparking.com (Type: A) ➝ 8.5.1.16
DNS: signstock.net (Type: A) ➝ 50.63.202.2
DNS: movestock.net (Type: A) ➝ 195.22.28.197
DNS: movestock.net (Type: A) ➝ 195.22.28.198
DNS: movestock.net (Type: A) ➝ 195.22.28.199
DNS: movestock.net (Type: A) ➝ 195.22.28.196
DNS: jumpstock.net (Type: A) ➝ 184.168.221.96
DNS: jumpthrow.net (Type: A) ➝ 50.63.202.54
DNS: hillreply.net (Type: A) ➝ 52.4.209.250
DNS: lookstock.net (Type: A) ➝ 136.243.22.194
DNS: knowfire.net (Type: A) ➝ 50.63.202.62
DNS: songbone.net (Type: A) ➝ 198.143.132.130
DNS: songfire.net (Type: A) ➝ 213.83.55.240
DNS: fearstate.net (Type: A)
DNS: longcold.net (Type: A)
DNS: monthnext.net (Type: A)
DNS: storyocean.net (Type: A)
DNS: decemberknew.net (Type: A)
DNS: mouthgray.net (Type: A)
DNS: fridayloss.net (Type: A)
DNS: eggbraker.com (Type: A)
DNS: knowwhole.net (Type: A)
DNS: ablewhole.net (Type: A)
DNS: songstock.net (Type: A)
DNS: pickthrow.net (Type: A)
DNS: songthrow.net (Type: A)
DNS: pickreply.net (Type: A)
DNS: songreply.net (Type: A)
DNS: pickwhole.net (Type: A)
DNS: songwhole.net (Type: A)
DNS: roomstock.net (Type: A)
DNS: roomthrow.net (Type: A)
DNS: signthrow.net (Type: A)
DNS: roomreply.net (Type: A)
DNS: signreply.net (Type: A)
DNS: roomwhole.net (Type: A)
DNS: signwhole.net (Type: A)
DNS: movethrow.net (Type: A)
DNS: movereply.net (Type: A)
DNS: jumpreply.net (Type: A)
DNS: movewhole.net (Type: A)
DNS: jumpwhole.net (Type: A)
DNS: hillstock.net (Type: A)
DNS: whomstock.net (Type: A)
DNS: hillthrow.net (Type: A)
DNS: whomthrow.net (Type: A)
DNS: whomreply.net (Type: A)
DNS: hillwhole.net (Type: A)
DNS: whomwhole.net (Type: A)
DNS: feltstock.net (Type: A)
DNS: feltthrow.net (Type: A)
DNS: lookthrow.net (Type: A)
DNS: feltreply.net (Type: A)
DNS: lookreply.net (Type: A)
DNS: feltwhole.net (Type: A)
DNS: lookwhole.net (Type: A)
DNS: threestock.net (Type: A)
DNS: lordstock.net (Type: A)
DNS: threethrow.net (Type: A)
DNS: lordthrow.net (Type: A)
DNS: threereply.net (Type: A)
DNS: lordreply.net (Type: A)
DNS: threewhole.net (Type: A)
DNS: lordwhole.net (Type: A)
DNS: drinkstock.net (Type: A)
DNS: wifestock.net (Type: A)
DNS: drinkthrow.net (Type: A)
DNS: wifethrow.net (Type: A)
DNS: drinkreply.net (Type: A)
DNS: wifereply.net (Type: A)
DNS: drinkwhole.net (Type: A)
DNS: wifewhole.net (Type: A)
DNS: knowcold.net (Type: A)
DNS: ablecold.net (Type: A)
DNS: knowwrote.net (Type: A)
DNS: ablewrote.net (Type: A)
DNS: knowbone.net (Type: A)
DNS: ablebone.net (Type: A)
DNS: ablefire.net (Type: A)
DNS: pickcold.net (Type: A)
DNS: songcold.net (Type: A)
DNS: pickwrote.net (Type: A)
DNS: songwrote.net (Type: A)
DNS: pickbone.net (Type: A)
DNS: pickfire.net (Type: A)
DNS: roomcold.net (Type: A)
DNS: signcold.net (Type: A)
DNS: roomwrote.net (Type: A)
DNS: signwrote.net (Type: A)
DNS: roombone.net (Type: A)
DNS: signbone.net (Type: A)
DNS: roomfire.net (Type: A)
DNS: signfire.net (Type: A)
DNS: movecold.net (Type: A)
DNS: jumpcold.net (Type: A)
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://muchhappy.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://callmile.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://nailthere.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://bothplain.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://walkword.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://ablereply.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://pickstock.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://roomstock.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://signstock.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://movestock.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://jumpstock.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://jumpthrow.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://hillreply.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://lookstock.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://knowfire.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://songbone.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://songfire.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://muchhappy.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://callmile.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
HTTP GET: http://nailthere.net/index.php?method=validate&mode=sox&v=041&sox=48104212&lenhdr (User-Agent: blank)
Flows TCP: 192.168.1.1:1032 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1033 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1040 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1043 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1044 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1045 ➝ 217.160.117.125:80
Flows TCP: 192.168.1.1:1046 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1047 ➝ 50.63.202.2:80
Flows TCP: 192.168.1.1:1048 ➝ 195.22.28.197:80
Flows TCP: 192.168.1.1:1049 ➝ 184.168.221.96:80
Flows TCP: 192.168.1.1:1050 ➝ 50.63.202.54:80
Flows TCP: 192.168.1.1:1051 ➝ 52.4.209.250:80
Flows TCP: 192.168.1.1:1052 ➝ 136.243.22.194:80
Flows TCP: 192.168.1.1:1053 ➝ 50.63.202.62:80
Flows TCP: 192.168.1.1:1054 ➝ 198.143.132.130:80
Flows TCP: 192.168.1.1:1055 ➝ 213.83.55.240:80
Flows TCP: 192.168.1.1:1056 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1057 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1058 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1059 ➝ 98.139.135.129:80
