Analysis Date: 2015-10-10 12:29:23
MD5: 41fd9971a40842ace076ba857415d3cf
SHA1: 4d681b3f534f448003a04ee98a67a933efdd34f1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text:  md5: 27e00b58398a4f9b2bdd255b851ce238  sha1: 7c70cbb2e6ee995922123baabd0ba22542a3f2f4  size: 800768
Section .rdata: md5: 2c3781fbc8e1ba7367653d0339d92077  sha1: 69545a3df0695f534aef907df8bf650e45f7f0bd  size: 61440
Section .data:  md5: 1b2fd314d64f605bc89d7ae13fafcc99  sha1: 088d29c65884e621b80687d4dd66381ba6849215  size: 403968
Timestamp: 2015-01-27 08:46:33
Packer: Microsoft Visual C++ ?.?
PEhash: 15a123566a4eb1b22791b9d983755cca7c7b9776
IMPhash: 3c7ea123dad99991157d3d34fd45c090
AV Frisk (f-prot): no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus
AV Alwil (avast): Kryptik-PJV [Trj]
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Padvish: no_virus
AV Avira (antivir): TR/Crypt.Xpack.285460
AV Ikarus: Trojan.Win32.Crypt
AV MalwareBytes: no_virus
AV K7: Trojan ( 004cd0081 )
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AE
AV F-Secure: Gen:Variant.Symmi.22722
AV CAT (quickheal): no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Mcafee: no_virus
AV Rising: no_virus
AV Fortinet: W32/Kryptik.DDQD!tr
AV Emsisoft: Gen:Variant.Symmi.22722
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV BitDefender: Gen:Variant.Symmi.22722
AV VirusBlokAda (vba32): no_virus
AV Twister: no_virus
AV Trend Micro: TROJ_WONTON.SMJ1
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Eset (nod32): Win32/Kryptik.DXVJ
AV Arcabit (arcavir): Gen:Variant.Symmi.22722

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\yzohnyl1l9mst1ucpi7y7rk.exe
Creates File: C:\WINDOWS\system32\sadqxbdb\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\yzohnyl1l9mst1ucpi7y7rk.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\yzohnyl1l9mst1ucpi7y7rk.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Drive Modules Name Net.Tcp Alerts ➝ C:\WINDOWS\system32\fhdafhjdwhap.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\sadqxbdb\lck
Creates File: C:\WINDOWS\system32\sadqxbdb\etc
Creates File: C:\WINDOWS\system32\sadqxbdb\tst
Creates File: C:\WINDOWS\system32\fhdafhjdwhap.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\fhdafhjdwhap.exe
Creates Service: KtmRm Encrypting Presentation Logs - C:\WINDOWS\system32\fhdafhjdwhap.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 824

Process
↳ Pid 868

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1224

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1156

Process
↳ C:\WINDOWS\system32\fhdafhjdwhap.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\yzohnyl1ry3st1u.exe
Creates File: C:\WINDOWS\system32\sadqxbdb\tst
Creates File: C:\WINDOWS\system32\sadqxbdb\run
Creates File: C:\WINDOWS\system32\sadqxbdb\rng
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\sadqxbdb\cfg
Creates File: C:\WINDOWS\system32\zdymdqi.exe
Creates File: C:\WINDOWS\system32\sadqxbdb\lck
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\TEMP\yzohnyl1ry3st1u.exe -r 47602 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\fhdafhjdwhap.exe"

Process
↳ C:\WINDOWS\system32\fhdafhjdwhap.exe

Creates File: C:\WINDOWS\system32\sadqxbdb\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\fhdafhjdwhap.exe"

Creates File: C:\WINDOWS\system32\sadqxbdb\tst

Process
↳ C:\WINDOWS\TEMP\yzohnyl1ry3st1u.exe -r 47602 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250
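
The host-side trace above is the part of this report a detection engineer would turn into rules: a Run-key value and a service both pointing at the same system32 binary, the hosts file rewritten, FirewallDisableNotify set to 1, a state directory (sadqxbdb with lck/cfg/rng/run/tst/etc) and two executables written directly under system32, a WATCHDOGPROC respawn of the implant, and a helper started with "-r 47602 tcp". The following is an added example, not sandbox output and not code from the sample: it encodes those observations as rules and runs them over events constructed from this report's Runtime Details (a subset, with two benign svchost/spoolsv events as negative cases). The Event class, the rule names and the ATT&CK mappings in the comments are the example's own.

```python
"""Added example, not part of the sandbox report: encode the host behaviours
recorded under Runtime Details as triage rules and run them over events
constructed from that section."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    process: str  # image path of the acting process
    op: str       # operation label exactly as the report prints it
    target: str   # path, command line, or "registry key ➝ value"


DROPPER = r"C:\Documents and Settings\Administrator\Local Settings\Temp\yzohnyl1l9mst1ucpi7y7rk.exe"
IMPLANT = r"C:\WINDOWS\system32\fhdafhjdwhap.exe"

# Constructed from the Runtime Details above (a representative subset of the
# trace; the svchost and spoolsv entries are benign negative cases).
EVENTS = [
    Event(r"C:\malware.exe", "Creates File", DROPPER),
    Event(r"C:\malware.exe", "Creates File", r"C:\WINDOWS\system32\sadqxbdb\tst"),
    Event(DROPPER, "Registry", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Drive Modules Name Net.Tcp Alerts ➝ " + IMPLANT),
    Event(DROPPER, "Creates File", r"C:\WINDOWS\system32\drivers\etc\hosts"),
    Event(DROPPER, "Creates File", IMPLANT),
    Event(DROPPER, "Deletes File", "C:\\WINDOWS\\system32\\\\drivers\\etc\\hosts"),  # doubled separator as logged
    Event(DROPPER, "Creates Service", "KtmRm Encrypting Presentation Logs - " + IMPLANT),
    Event(r"C:\WINDOWS\System32\svchost.exe", "Registry", r"HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL"),
    Event(r"C:\WINDOWS\system32\spoolsv.exe", "Creates File", "WMIDataDevice"),
    Event(IMPLANT, "Registry", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1"),
    Event(IMPLANT, "Creates File", r"C:\WINDOWS\system32\sadqxbdb\cfg"),
    Event(IMPLANT, "Creates File", r"C:\WINDOWS\system32\zdymdqi.exe"),
    Event(IMPLANT, "Creates Process", r"C:\WINDOWS\TEMP\yzohnyl1ry3st1u.exe -r 47602 tcp"),
    Event(IMPLANT, "Creates Process", 'WATCHDOGPROC "c:\\windows\\system32\\fhdafhjdwhap.exe"'),
]

STATE_FILES = {"lck", "cfg", "rng", "run", "tst", "etc"}  # names seen in sadqxbdb


def norm(path):
    """Lower-case and collapse doubled backslashes (the report logs one such path)."""
    return re.sub(r"\\+", r"\\", path).lower()


def reg_value(target):
    """Split the report's 'key ➝ value' registry notation into (normalised key, value)."""
    key, _, value = target.partition(" ➝ ")
    return norm(key), value.strip()


def is_run_key(e):                     # ATT&CK T1547.001
    return e.op == "Registry" and "\\currentversion\\run\\" in reg_value(e.target)[0]


def is_service_create(e):              # ATT&CK T1543.003
    return e.op == "Creates Service"


def is_hosts_tamper(e):
    return e.op in ("Creates File", "Deletes File") and norm(e.target).endswith("\\drivers\\etc\\hosts")


def is_firewall_notify_off(e):         # ATT&CK T1562.001
    if e.op != "Registry":
        return False
    key, value = reg_value(e.target)
    return key.endswith("\\security center\\firewalldisablenotify") and value == "1"


def is_exe_dropped_in_system32(e):
    # A new, meaninglessly named .exe written straight into system32.
    return e.op == "Creates File" and re.fullmatch(
        r"c:\\windows\\system32\\[a-z0-9]{6,16}\.exe", norm(e.target)) is not None


def is_state_dir_write(e):
    m = re.fullmatch(r"c:\\windows\\system32\\([a-z0-9]{6,16})\\([a-z]{3})", norm(e.target))
    return e.op == "Creates File" and m is not None and m.group(2) in STATE_FILES


def is_watchdog_spawn(e):
    return e.op == "Creates Process" and e.target.upper().startswith("WATCHDOGPROC ")


def listener_port(cmdline):
    """Port from the helper's '-r <port> tcp' argument, or None if absent."""
    m = re.search(r" -r (\d{1,5}) tcp$", cmdline)
    return int(m.group(1)) if m else None


def is_listener_helper(e):
    return e.op == "Creates Process" and listener_port(e.target) is not None


RULES = {
    "persistence_run_key": is_run_key,
    "persistence_service": is_service_create,
    "hosts_file_tamper": is_hosts_tamper,
    "firewall_notify_suppressed": is_firewall_notify_off,
    "exe_dropped_in_system32": is_exe_dropped_in_system32,
    "state_dir_under_system32": is_state_dir_write,
    "watchdog_respawn": is_watchdog_spawn,
    "tcp_listener_helper": is_listener_helper,
}


def triage(events):
    """Map each rule name to the event targets that matched it; silent rules are omitted."""
    hits = defaultdict(list)
    for e in events:
        for name, pred in RULES.items():
            if pred(e):
                hits[name].append(e.target)
    return dict(hits)


if __name__ == "__main__":
    for name, targets in triage(EVENTS).items():
        print(f"{name}: {len(targets)} hit(s)")
        for t in targets:
            print("   ", t)
```

Run stand-alone it prints one line per rule that fired; all eight fire on this trace and neither benign event trips anything. The two strongest single-event signals here are the service and Run-key entries resolving to the same freshly written system32 binary, and the FirewallDisableNotify write: both can be checked from a Sysmon or EDR registry/service event stream without any knowledge of this specific sample.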

Network Details:

DNS: enemyguess.net (A) ➝ 208.91.197.241
DNS: queentell.net (A) ➝ 208.91.197.241
DNS: wednesdayhalf.net (A) ➝ 208.91.197.241
DNS: mouthrest.net (A) ➝ 208.91.197.241
DNS: drivethirteen.net (A) ➝ 208.91.197.241
DNS: faceboat.net (A) ➝ 208.91.197.241
DNS: muchhappy.net (A) ➝ 208.91.197.241
DNS: saltnice.net (A) ➝ 208.100.26.234
DNS: watchfine.net (A) ➝ 45.35.9.136
DNS: ableread.net (A) ➝ no answer recorded
DNS: soilunder.net (A) ➝ no answer recorded
DNS: sensesound.net (A) ➝ no answer recorded
DNS: equalbreak.net (A) ➝ no answer recorded
DNS: groupbreak.net (A) ➝ no answer recorded
DNS: spokeslept.net (A) ➝ no answer recorded
DNS: visitslept.net (A) ➝ no answer recorded
DNS: spokehers.net (A) ➝ no answer recorded
DNS: visithers.net (A) ➝ no answer recorded
DNS: spokeprove.net (A) ➝ no answer recorded
DNS: visitprove.net (A) ➝ no answer recorded
DNS: spokebreak.net (A) ➝ no answer recorded
DNS: visitbreak.net (A) ➝ no answer recorded
DNS: watchslept.net (A) ➝ no answer recorded
DNS: fairslept.net (A) ➝ no answer recorded
DNS: watchhers.net (A) ➝ no answer recorded
DNS: fairhers.net (A) ➝ no answer recorded
DNS: watchprove.net (A) ➝ no answer recorded
DNS: fairprove.net (A) ➝ no answer recorded
DNS: watchbreak.net (A) ➝ no answer recorded
DNS: fairbreak.net (A) ➝ no answer recorded
DNS: dreamslept.net (A) ➝ no answer recorded
DNS: thisslept.net (A) ➝ no answer recorded
DNS: dreamhers.net (A) ➝ no answer recorded
DNS: thishers.net (A) ➝ no answer recorded
DNS: dreamprove.net (A) ➝ no answer recorded
DNS: thisprove.net (A) ➝ no answer recorded
DNS: dreambreak.net (A) ➝ no answer recorded
DNS: thisbreak.net (A) ➝ no answer recorded
DNS: arivefine.net (A) ➝ no answer recorded
DNS: southfine.net (A) ➝ no answer recorded
DNS: arivenice.net (A) ➝ no answer recorded
DNS: southnice.net (A) ➝ no answer recorded
DNS: ariveelse.net (A) ➝ no answer recorded
DNS: southelse.net (A) ➝ no answer recorded
DNS: ariveimportant.net (A) ➝ no answer recorded
DNS: southimportant.net (A) ➝ no answer recorded
DNS: uponfine.net (A) ➝ no answer recorded
DNS: whichfine.net (A) ➝ no answer recorded
DNS: uponnice.net (A) ➝ no answer recorded
DNS: whichnice.net (A) ➝ no answer recorded
DNS: uponelse.net (A) ➝ no answer recorded
DNS: whichelse.net (A) ➝ no answer recorded
DNS: uponimportant.net (A) ➝ no answer recorded
DNS: whichimportant.net (A) ➝ no answer recorded
DNS: spotfine.net (A) ➝ no answer recorded
DNS: saltfine.net (A) ➝ no answer recorded
DNS: spotnice.net (A) ➝ no answer recorded
DNS: spotelse.net (A) ➝ no answer recorded
DNS: saltelse.net (A) ➝ no answer recorded
DNS: spotimportant.net (A) ➝ no answer recorded
DNS: saltimportant.net (A) ➝ no answer recorded
DNS: gladfine.net (A) ➝ no answer recorded
DNS: takenfine.net (A) ➝ no answer recorded
DNS: gladnice.net (A) ➝ no answer recorded
DNS: takennice.net (A) ➝ no answer recorded
DNS: gladelse.net (A) ➝ no answer recorded
DNS: takenelse.net (A) ➝ no answer recorded
DNS: gladimportant.net (A) ➝ no answer recorded
DNS: takenimportant.net (A) ➝ no answer recorded
DNS: equalfine.net (A) ➝ no answer recorded
DNS: groupfine.net (A) ➝ no answer recorded
DNS: equalnice.net (A) ➝ no answer recorded
DNS: groupnice.net (A) ➝ no answer recorded
DNS: equalelse.net (A) ➝ no answer recorded
DNS: groupelse.net (A) ➝ no answer recorded
DNS: equalimportant.net (A) ➝ no answer recorded
DNS: groupimportant.net (A) ➝ no answer recorded
DNS: spokefine.net (A) ➝ no answer recorded
DNS: visitfine.net (A) ➝ no answer recorded
DNS: spokenice.net (A) ➝ no answer recorded
DNS: visitnice.net (A) ➝ no answer recorded
DNS: spokeelse.net (A) ➝ no answer recorded
DNS: visitelse.net (A) ➝ no answer recorded
DNS: spokeimportant.net (A) ➝ no answer recorded
DNS: visitimportant.net (A) ➝ no answer recorded
DNS: fairfine.net (A) ➝ no answer recorded
DNS: watchnice.net (A) ➝ no answer recorded
DNS: fairnice.net (A) ➝ no answer recorded
DNS: watchelse.net (A) ➝ no answer recorded
DNS: fairelse.net (A) ➝ no answer recorded
DNS: watchimportant.net (A) ➝ no answer recorded
DNS: fairimportant.net (A) ➝ no answer recorded
DNS: dreamfine.net (A) ➝ no answer recorded
DNS: thisfine.net (A) ➝ no answer recorded
DNS: dreamnice.net (A) ➝ no answer recorded
HTTP GET: http://enemyguess.net/index.php?method=validate&mode=sox&v=036&sox=4b1a4c01&lenhdr  (User-Agent: blank)
HTTP GET: http://queentell.net/index.php?method=validate&mode=sox&v=036&sox=4b1a4c01&lenhdr  (User-Agent: blank)
HTTP GET: http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=036&sox=4b1a4c01&lenhdr  (User-Agent: blank)
HTTP GET: http://mouthrest.net/index.php?method=validate&mode=sox&v=036&sox=4b1a4c01&lenhdr  (User-Agent: blank)
HTTP GET: http://drivethirteen.net/index.php?method=validate&mode=sox&v=036&sox=4b1a4c01&lenhdr  (User-Agent: blank)
HTTP GET: http://faceboat.net/index.php?method=validate&mode=sox&v=036&sox=4b1a4c01&lenhdr  (User-Agent: blank)
HTTP GET: http://muchhappy.net/index.php?method=validate&mode=sox&v=036&sox=4b1a4c01&lenhdr  (User-Agent: blank)
HTTP GET: http://saltnice.net/index.php?method=validate&mode=sox&v=036&sox=4b1a4c01&lenhdr  (User-Agent: blank)
HTTP GET: http://watchfine.net/index.php?method=validate&mode=sox&v=036&sox=4b1a4c01&lenhdr  (User-Agent: blank)
HTTP GET: http://enemyguess.net/index.php?method=validate&mode=sox&v=036&sox=4b1a4c01&lenhdr  (User-Agent: blank)
HTTP GET: http://queentell.net/index.php?method=validate&mode=sox&v=036&sox=4b1a4c01&lenhdr  (User-Agent: blank)
HTTP GET: http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=036&sox=4b1a4c01&lenhdr  (User-Agent: blank)
HTTP GET: http://mouthrest.net/index.php?method=validate&mode=sox&v=036&sox=4b1a4c01&lenhdr  (User-Agent: blank)
HTTP GET: http://drivethirteen.net/index.php?method=validate&mode=sox&v=036&sox=4b1a4c01&lenhdr  (User-Agent: blank)
HTTP GET: http://faceboat.net/index.php?method=validate&mode=sox&v=036&sox=4b1a4c01&lenhdr  (User-Agent: blank)
HTTP GET: http://muchhappy.net/index.php?method=validate&mode=sox&v=036&sox=4b1a4c01&lenhdr  (User-Agent: blank)
HTTP GET: http://saltnice.net/index.php?method=validate&mode=sox&v=036&sox=4b1a4c01&lenhdr  (User-Agent: blank)
HTTP GET: http://watchfine.net/index.php?method=validate&mode=sox&v=036&sox=4b1a4c01&lenhdr  (User-Agent: blank)
Flow TCP: 192.168.1.1:1037 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1038 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1039 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1040 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1041 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1042 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1043 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1044 ➝ 208.100.26.234:80
Flow TCP: 192.168.1.1:1045 ➝ 45.35.9.136:80
Flow TCP: 192.168.1.1:1046 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1047 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1048 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1049 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1050 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1051 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1052 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1053 ➝ 208.100.26.234:80
Flow TCP: 192.168.1.1:1054 ➝ 45.35.9.136:80
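
Every name the sample looked up is two English words glued together, and the unresolved ones come in a visible grid (spoke/visit/watch/fair/dream/this crossed with slept/hers/prove/break, then arive/south/upon/which/spot/salt/glad/taken/equal/group/spoke/visit/watch/fair/dream/this crossed with fine/nice/else/important). Seven of the nine names that did resolve share 208.91.197.241, and each resolved name was fetched twice with the same fixed query string and a blank User-Agent. The following is an added example, not part of the report and not code from the sample: it decomposes the names using word lists inferred from this page only (assumption: the live generator's dictionary is larger, so a real deployment needs a larger list or a looser heuristic), buckets resolved names by answer address, and matches the check-in URI shape. The DNS and URL inputs are a constructed subset of the page's data; the example.net request is a constructed negative case, and treating the sox= token as eight hex characters generalises from the single value seen here.

```python
"""Added example, not part of the sandbox report: decompose the word-pair
domains under Network Details, group them by resolved address, and
fingerprint the check-in URI that was requested."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Word lists inferred from the domains on this page only (assumption: the
# real generator draws from a larger dictionary).
FIRST = {"enemy", "queen", "wednesday", "mouth", "drive", "face", "much", "salt",
         "watch", "able", "soil", "sense", "equal", "group", "spoke", "visit",
         "fair", "dream", "this", "arive", "south", "upon", "which", "spot",
         "glad", "taken"}
SECOND = {"guess", "tell", "half", "rest", "thirteen", "boat", "happy", "nice",
          "fine", "read", "under", "sound", "break", "slept", "hers", "prove",
          "else", "important"}

# Constructed subset of the report's DNS section; None = no A record recorded.
DNS = {
    "enemyguess.net": "208.91.197.241", "queentell.net": "208.91.197.241",
    "muchhappy.net": "208.91.197.241", "saltnice.net": "208.100.26.234",
    "watchfine.net": "45.35.9.136", "ableread.net": None,
    "spokeslept.net": None, "thisslept.net": None, "takenimportant.net": None,
}
# Two requests from the report plus a constructed unrelated one as a negative case.
URLS = [
    "http://enemyguess.net/index.php?method=validate&mode=sox&v=036&sox=4b1a4c01&lenhdr",
    "http://watchfine.net/index.php?method=validate&mode=sox&v=036&sox=4b1a4c01&lenhdr",
    "http://example.net/index.php?method=validate",
]


def split_words(domain):
    """Return (first, second) if the label is exactly two dictionary words, else None."""
    label = domain.split(".")[0]
    for a in sorted(FIRST):  # sorted for deterministic results
        rest = label[len(a):]
        if label.startswith(a) and rest in SECOND:
            return a, rest
    return None


def analyze(dns):
    """Decompose every name and bucket the resolved ones by answer address."""
    pairs, by_ip, unmatched = {}, defaultdict(list), []
    for name, ip in dns.items():
        words = split_words(name)
        if words is None:
            unmatched.append(name)
            continue
        pairs[name] = words
        if ip:
            by_ip[ip].append(name)
    return {"pairs": pairs, "by_ip": dict(by_ip), "unmatched": unmatched}


CHECKIN_PATH = "/index.php"
# Query shape seen above; the 8-hex-char sox token is an assumption from one sample.
CHECKIN_QUERY = re.compile(r"^method=validate&mode=sox&v=\d{3}&sox=[0-9a-f]{8}&lenhdr$")


def is_checkin(url):
    """True when the URL has exactly the check-in shape recorded in this report."""
    u = urlsplit(url)
    return u.path == CHECKIN_PATH and CHECKIN_QUERY.match(u.query) is not None


def checkin_params(url):
    """Version and sox token of a matching URL (the bare 'lenhdr' key is dropped by parse_qs)."""
    q = parse_qs(urlsplit(url).query)
    return {"v": q["v"][0], "sox": q["sox"][0]}


if __name__ == "__main__":
    report = analyze(DNS)
    for ip, names in report["by_ip"].items():
        print(ip, "<-", ", ".join(names))
    print("word pairs:", report["pairs"])
    for url in URLS:
        print(url, "check-in" if is_checkin(url) else "other")
```

The practical signature is the combination, not any one name: a burst of lookups for two-word .net domains, most of them NXDOMAIN, with the few that resolve landing on a shared address and immediately receiving a GET for /index.php with method=validate&mode=sox and no User-Agent. Word-pair generators defeat entropy-based DGA detectors, so matching on the query shape and the blank User-Agent at the proxy is a more robust control than trying to enumerate the dictionary.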
