Analysis Date: 2015-11-05 05:04:45
MD5: b88612265636be7145f701a792982b26
SHA1: 57aac02397f85f3f1416ebda7dd4518747d77e0c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: a90372f454d22fcef51fa5f965e0787a sha1: 2f635f63675c78081f2c9c9be75bb075b676dfbe size: 654848
Section .rdata: md5: 4ff3354bc3d5464e3d8c879910be2fda sha1: bc9a1d66325844960acd48175e65d5946774525d size: 53760
Section .data: md5: 764b92fc790afee36e5d2c26b780ff67 sha1: 5e5c97bedf16cf4a5c3fb89d418e6197f9c243a2 size: 124928
Timestamp: 2014-04-15 21:16:36
Packer: Microsoft Visual C++ ?.?
PEhash: 2f71aea8ea4ed7d382c33446f18d1afd793fe423
IMPhash: 98b7615b3dad1c88338a87801193ba69
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV Dr. Web: Trojan.DownLoader17.37814
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV BullGuard: Gen:Variant.Symmi.22722
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: TSPY_NIVDORT.SM
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Ikarus: Virus.Win32.Cryptor
AV Frisk (f-prot): no_virus
AV Authentium: W32/Symmi.AH.gen!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV K7: Trojan ( 004cd0081 )
AV BitDefender: Gen:Variant.Symmi.22722
AV Fortinet: Riskware/Agent
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Kryptik.BCFJ
AV Alwil (avast): Kryptik-NST [Trj]
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Twister: Trojan.Girtk.BCFJ.cpsn.mg
AV Avira (antivir): TR/Crypt.ZPACK.198871
AV Mcafee: no_virus
AV Rising: 0x5932894f

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\emirppkagmzp\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\hhbjetym1km7yqkquxtmmd.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\hhbjetym1km7yqkquxtmmd.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\hhbjetym1km7yqkquxtmmd.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Procedure UserMode Application Tools ➝ C:\WINDOWS\system32\fyssglg.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\fyssglg.exe
Creates File: C:\WINDOWS\system32\emirppkagmzp\tst
Creates File: C:\WINDOWS\system32\emirppkagmzp\etc
Creates File: C:\WINDOWS\system32\emirppkagmzp\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\fyssglg.exe
Creates Service: Identity AuthIP Web Services Device System - C:\WINDOWS\system32\fyssglg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 796

Process
↳ Pid 844

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1148

Process
↳ C:\WINDOWS\system32\fyssglg.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\hhbjetym1pqnyqk.exe
Creates File: C:\WINDOWS\system32\emirppkagmzp\rng
Creates File: C:\WINDOWS\system32\emirppkagmzp\run
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\emirppkagmzp\tst
Creates File: C:\WINDOWS\system32\mqpdcpvmi.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\emirppkagmzp\lck
Creates File: C:\WINDOWS\system32\emirppkagmzp\cfg
Creates Process: C:\WINDOWS\TEMP\hhbjetym1pqnyqk.exe -r 49088 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\fyssglg.exe"

Process
↳ C:\WINDOWS\system32\fyssglg.exe

Creates File: C:\WINDOWS\system32\emirppkagmzp\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\fyssglg.exe"

Creates File: C:\WINDOWS\system32\emirppkagmzp\tst

Process
↳ C:\WINDOWS\TEMP\hhbjetym1pqnyqk.exe -r 49088 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

