Analysis Date: 2015-12-06 04:30:44
MD5: 00c4b53338de8fef0321fc7c51b1cf8f
SHA1: 59f91d4f8e9efc70c02af1abac4e10022c43428c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 cb2bcfcffbe10dbe7bfbde2e15109b48, sha1 8b60f36ed86833ac7c8901b548ef6ca2e51ab53f, size 834048
Section .rdata: md5 015415807a337c39b354d123e9d4d0cc, sha1 c79c9150e2e06fa762ec94c14165ea862c90350f, size 311808
Section .data: md5 b977d71fb04958f14b95c158be974e23, sha1 417235df3bd73d0cc26812c49161226c27fdb10d, size 8192
Timestamp: 2015-04-15 01:52:36
Packer: Microsoft Visual C++ ?.?
PEhash: c03bb0000aebcc8f55e5a62470ad9e063d2f64a0
IMPhash: 8d3469298b116cad3720bcb34cf45293
AV Kaspersky: Trojan.Win32.Generic
AV MicroWorld (escan): Gen:Variant.Zusy.133308
AV Frisk (f-prot): no_virus
AV K7: Trojan ( 004cd0081 )
AV Mcafee: no_virus
AV CA (E-Trust Ino): no_virus
AV Fortinet: W32/Kryptik.DDQD!tr
AV Grisoft (avg): Win32/Cryptor
AV MalwareBytes: no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Z
AV CAT (quickheal): no_virus
AV Dr. Web: Trojan.DownLoader17.52883
AV Eset (nod32): Win32/Kryptik.DCRW
AV F-Secure: Gen:Variant.Zusy.133308
AV Ikarus: Trojan.Win32.Crypt
AV Ad-Aware: Gen:Variant.Zusy.133308
AV Emsisoft: Gen:Variant.Zusy.133308
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Authentium: W32/Zusy.X.gen!Eldorado
AV BullGuard: Gen:Variant.Zusy.133308
AV Avira (antivir): TR/Crypt.Xpack.320519
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Zusy.133308
AV BitDefender: Gen:Variant.Zusy.133308
AV Rising: no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\yfrcgqo\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ihwkjs1loebhembhnz9e.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\ihwkjs1loebhembhnz9e.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\ihwkjs1loebhembhnz9e.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Event iSCSI RPC DLL Input IKE Update ➝ C:\WINDOWS\system32\jzzdoqcjnqqp.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\yfrcgqo\lck
Creates File: C:\WINDOWS\system32\yfrcgqo\etc
Creates File: C:\WINDOWS\system32\yfrcgqo\tst
Creates File: C:\WINDOWS\system32\jzzdoqcjnqqp.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\jzzdoqcjnqqp.exe
Creates Service: Information Studio Logon Discovery - C:\WINDOWS\system32\jzzdoqcjnqqp.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1872

Process
↳ Pid 1156

Process
↳ C:\WINDOWS\system32\jzzdoqcjnqqp.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\yfrcgqo\cfg
Creates File: C:\WINDOWS\system32\yfrcgqo\tst
Creates File: C:\WINDOWS\system32\fmgpjvf.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\yfrcgqo\lck
Creates File: C:\WINDOWS\TEMP\ihwkjs1t0abhe.exe
Creates File: C:\WINDOWS\system32\yfrcgqo\rng
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\yfrcgqo\run
Creates Process: WATCHDOGPROC "c:\windows\system32\jzzdoqcjnqqp.exe"
Creates Process: C:\WINDOWS\TEMP\ihwkjs1t0abhe.exe -r 42467 tcp

Process
↳ C:\WINDOWS\system32\jzzdoqcjnqqp.exe

Creates File: C:\WINDOWS\system32\yfrcgqo\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\jzzdoqcjnqqp.exe"

Creates File: C:\WINDOWS\system32\yfrcgqo\tst

Process
↳ C:\WINDOWS\TEMP\ihwkjs1t0abhe.exe -r 42467 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250
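The process tree above shows a chain that is better encoded as a correlation rule than as a list of literal paths: an executable dropped into the user's Temp directory writes a Run value and registers a service that both point at the same newly created system32 binary, touches the hosts file, and that binary later spawns children carrying the WATCHDOGPROC marker and a "-r <number> tcp" argument. The Python below is an added example, not part of this sandbox report or of any vendor's tooling. The event list is constructed to mirror the tree above using this example's own field names (pid, image, type, key, value, path, cmdline), the temp-directory patterns are my choice, and generalising the numeric argument beyond the observed 42467 is an assumption.

```python
import re

# Constructed, Sysmon-style event list modelled on the report's process tree.
# Field names are this example's own, not any product's schema.
TEMP_EXE = r"C:\Documents and Settings\Administrator\Local Settings\Temp\ihwkjs1loebhembhnz9e.exe"
SYS_EXE = r"C:\WINDOWS\system32\jzzdoqcjnqqp.exe"

EVENTS = [
    {"pid": 1, "image": r"C:\malware.exe", "type": "file_create", "path": TEMP_EXE},
    {"pid": 1, "image": r"C:\malware.exe", "type": "process_create", "cmdline": TEMP_EXE},
    {"pid": 2, "image": TEMP_EXE, "type": "reg_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Event iSCSI RPC DLL Input IKE Update",
     "value": SYS_EXE},
    {"pid": 2, "image": TEMP_EXE, "type": "file_create", "path": r"C:\WINDOWS\system32\drivers\etc\hosts"},
    {"pid": 2, "image": TEMP_EXE, "type": "file_delete", "path": r"C:\WINDOWS\system32\\drivers\etc\hosts"},
    {"pid": 2, "image": TEMP_EXE, "type": "file_create", "path": SYS_EXE},
    {"pid": 2, "image": TEMP_EXE, "type": "service_create",
     "name": "Information Studio Logon Discovery", "path": SYS_EXE},
    {"pid": 3, "image": SYS_EXE, "type": "reg_set",
     "key": r"HKLM\Software\Microsoft\Security Center\FirewallDisableNotify", "value": "1"},
    {"pid": 3, "image": SYS_EXE, "type": "process_create",
     "cmdline": r'WATCHDOGPROC "c:\windows\system32\jzzdoqcjnqqp.exe"'},
    {"pid": 3, "image": SYS_EXE, "type": "process_create",
     "cmdline": r"C:\WINDOWS\TEMP\ihwkjs1t0abhe.exe -r 42467 tcp"},
    # Benign control: the print spooler's own registry activity from the report must not fire.
    {"pid": 4, "image": r"C:\WINDOWS\system32\spoolsv.exe", "type": "reg_set",
     "key": r"HKLM\System\CurrentControlSet\Control\Print\BeepEnabled", "value": None},
]

RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
# Assumption: these are the temp locations worth treating as "dropper territory".
TEMP_DIRS = ("\\local settings\\temp\\", "\\windows\\temp\\", "\\appdata\\local\\temp\\")
HOSTS_FILE = "\\drivers\\etc\\hosts"
# Assumption: the '-r <number> tcp' shape generalises beyond the single port seen (42467).
PORT_PROTO_ARGS = re.compile(r"\s-r\s+\d{1,5}\s+tcp\b", re.IGNORECASE)


def _norm(path):
    """Case-fold a path so Run values, service paths and file paths compare equal."""
    return (path or "").lower()


def dual_persistence(events):
    """Binaries registered both as a Run value and as a service image (two
    persistence hooks on one file, as in the report)."""
    run_targets = {_norm(e["value"]) for e in events
                   if e["type"] == "reg_set" and RUN_KEY in _norm(e["key"])}
    svc_targets = {_norm(e["path"]) for e in events if e["type"] == "service_create"}
    return sorted(run_targets & svc_targets)


def run_key_from_temp(events):
    """PIDs that wrote a Run value while their own image lives in a temp directory."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "reg_set" and RUN_KEY in _norm(e["key"])
                   and any(t in _norm(e["image"]) for t in TEMP_DIRS)})


def hosts_file_writers(events):
    """PIDs that created or deleted the hosts file (a doubled backslash in the
    path, as the report shows, still ends with the same suffix)."""
    return sorted({e["pid"] for e in events
                   if e["type"] in ("file_create", "file_delete")
                   and _norm(e["path"]).endswith(HOSTS_FILE)})


def suspicious_children(events):
    """Child command lines carrying the WATCHDOGPROC marker or '-r <number> tcp'."""
    hits = []
    for e in events:
        if e["type"] != "process_create":
            continue
        cmd = e["cmdline"]
        if cmd.upper().startswith("WATCHDOGPROC") or PORT_PROTO_ARGS.search(cmd):
            hits.append(cmd)
    return hits


def triage(events):
    """Run every rule and return the findings keyed by rule name."""
    return {
        "dual_persistence": dual_persistence(events),
        "run_key_from_temp": run_key_from_temp(events),
        "hosts_file_writers": hosts_file_writers(events),
        "suspicious_children": suspicious_children(events),
    }


if __name__ == "__main__":
    for rule, finding in triage(EVENTS).items():
        print(rule, "->", finding)
```

The rules are written against normalised paths rather than the exact random file names, because the report's own names (jzzdoqcjnqqp.exe, yfrcgqo, the Run value name built from Windows-sounding words) are the kind of thing that changes per infection; the pairing of a Run value and a service on one freshly created system32 binary, written by a process running from Temp, is what survives.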

Network Details:

DNS: ableread.net (A) ➝ 208.91.197.241
DNS: nailthere.net (A) ➝ 98.139.135.129
DNS: groupgrain.net (A) ➝ 208.91.197.241
DNS: threeonly.net (A) ➝ 208.91.197.241
DNS: naildeep.com (A) ➝ 74.220.215.218
DNS: darksugar.net (A) ➝ 208.91.197.54
DNS: roomfull.net (A) ➝ 184.168.221.104
DNS: jumpdaily.net (A) ➝ 72.52.4.121
DNS: feltblood.net (A) ➝ 195.22.28.198
DNS: feltblood.net (A) ➝ 195.22.28.199
DNS: feltblood.net (A) ➝ 195.22.28.196
DNS: feltblood.net (A) ➝ 195.22.28.197
DNS: songhold.net (A) ➝ 208.91.197.46
DNS: fearstate.net (A) ➝ (no address recorded)
DNS: longcold.net (A) ➝ (no address recorded)
DNS: fridayloss.net (A) ➝ (no address recorded)
DNS: wrongbelow.net (A) ➝ (no address recorded)
DNS: hilldance.net (A) ➝ (no address recorded)
DNS: eggbraker.com (A) ➝ (no address recorded)
DNS: ithouneed.com (A) ➝ (no address recorded)
DNS: cloudsugar.net (A) ➝ (no address recorded)
DNS: cloudstand.net (A) ➝ (no address recorded)
DNS: darkstand.net (A) ➝ (no address recorded)
DNS: knowblood.net (A) ➝ (no address recorded)
DNS: ableblood.net (A) ➝ (no address recorded)
DNS: knowdaily.net (A) ➝ (no address recorded)
DNS: abledaily.net (A) ➝ (no address recorded)
DNS: knowlose.net (A) ➝ (no address recorded)
DNS: ablelose.net (A) ➝ (no address recorded)
DNS: knowfull.net (A) ➝ (no address recorded)
DNS: ablefull.net (A) ➝ (no address recorded)
DNS: pickblood.net (A) ➝ (no address recorded)
DNS: songblood.net (A) ➝ (no address recorded)
DNS: pickdaily.net (A) ➝ (no address recorded)
DNS: songdaily.net (A) ➝ (no address recorded)
DNS: picklose.net (A) ➝ (no address recorded)
DNS: songlose.net (A) ➝ (no address recorded)
DNS: pickfull.net (A) ➝ (no address recorded)
DNS: songfull.net (A) ➝ (no address recorded)
DNS: roomblood.net (A) ➝ (no address recorded)
DNS: signblood.net (A) ➝ (no address recorded)
DNS: roomdaily.net (A) ➝ (no address recorded)
DNS: signdaily.net (A) ➝ (no address recorded)
DNS: roomlose.net (A) ➝ (no address recorded)
DNS: signlose.net (A) ➝ (no address recorded)
DNS: signfull.net (A) ➝ (no address recorded)
DNS: moveblood.net (A) ➝ (no address recorded)
DNS: jumpblood.net (A) ➝ (no address recorded)
DNS: movedaily.net (A) ➝ (no address recorded)
DNS: movelose.net (A) ➝ (no address recorded)
DNS: jumplose.net (A) ➝ (no address recorded)
DNS: movefull.net (A) ➝ (no address recorded)
DNS: jumpfull.net (A) ➝ (no address recorded)
DNS: hillblood.net (A) ➝ (no address recorded)
DNS: whomblood.net (A) ➝ (no address recorded)
DNS: hilldaily.net (A) ➝ (no address recorded)
DNS: whomdaily.net (A) ➝ (no address recorded)
DNS: hilllose.net (A) ➝ (no address recorded)
DNS: whomlose.net (A) ➝ (no address recorded)
DNS: hillfull.net (A) ➝ (no address recorded)
DNS: whomfull.net (A) ➝ (no address recorded)
DNS: lookblood.net (A) ➝ (no address recorded)
DNS: feltdaily.net (A) ➝ (no address recorded)
DNS: lookdaily.net (A) ➝ (no address recorded)
DNS: feltlose.net (A) ➝ (no address recorded)
DNS: looklose.net (A) ➝ (no address recorded)
DNS: feltfull.net (A) ➝ (no address recorded)
DNS: lookfull.net (A) ➝ (no address recorded)
DNS: threeblood.net (A) ➝ (no address recorded)
DNS: lordblood.net (A) ➝ (no address recorded)
DNS: threedaily.net (A) ➝ (no address recorded)
DNS: lorddaily.net (A) ➝ (no address recorded)
DNS: threelose.net (A) ➝ (no address recorded)
DNS: lordlose.net (A) ➝ (no address recorded)
DNS: threefull.net (A) ➝ (no address recorded)
DNS: lordfull.net (A) ➝ (no address recorded)
DNS: drinkblood.net (A) ➝ (no address recorded)
DNS: wifeblood.net (A) ➝ (no address recorded)
DNS: drinkdaily.net (A) ➝ (no address recorded)
DNS: wifedaily.net (A) ➝ (no address recorded)
DNS: drinklose.net (A) ➝ (no address recorded)
DNS: wifelose.net (A) ➝ (no address recorded)
DNS: drinkfull.net (A) ➝ (no address recorded)
DNS: wifefull.net (A) ➝ (no address recorded)
DNS: knowhold.net (A) ➝ (no address recorded)
DNS: ablehold.net (A) ➝ (no address recorded)
DNS: knowsecond.net (A) ➝ (no address recorded)
DNS: ablesecond.net (A) ➝ (no address recorded)
DNS: knowocean.net (A) ➝ (no address recorded)
DNS: ableocean.net (A) ➝ (no address recorded)
DNS: knowhave.net (A) ➝ (no address recorded)
DNS: ablehave.net (A) ➝ (no address recorded)
DNS: pickhold.net (A) ➝ (no address recorded)
DNS: picksecond.net (A) ➝ (no address recorded)
DNS: songsecond.net (A) ➝ (no address recorded)
DNS: pickocean.net (A) ➝ (no address recorded)
DNS: songocean.net (A) ➝ (no address recorded)
DNS: pickhave.net (A) ➝ (no address recorded)
DNS: songhave.net (A) ➝ (no address recorded)
DNS: roomhold.net (A) ➝ (no address recorded)
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=048&sox=4e6f3600&lenhdr [User-Agent: (empty)]
HTTP GET: http://nailthere.net/index.php?method=validate&mode=sox&v=048&sox=4e6f3600&lenhdr [User-Agent: (empty)]
HTTP GET: http://groupgrain.net/index.php?method=validate&mode=sox&v=048&sox=4e6f3600&lenhdr [User-Agent: (empty)]
HTTP GET: http://threeonly.net/index.php?method=validate&mode=sox&v=048&sox=4e6f3600&lenhdr [User-Agent: (empty)]
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=048&sox=4e6f3600&lenhdr [User-Agent: (empty)]
HTTP GET: http://darksugar.net/index.php?method=validate&mode=sox&v=048&sox=4e6f3600&lenhdr [User-Agent: (empty)]
HTTP GET: http://roomfull.net/index.php?method=validate&mode=sox&v=048&sox=4e6f3600&lenhdr [User-Agent: (empty)]
HTTP GET: http://jumpdaily.net/index.php?method=validate&mode=sox&v=048&sox=4e6f3600&lenhdr [User-Agent: (empty)]
HTTP GET: http://feltblood.net/index.php?method=validate&mode=sox&v=048&sox=4e6f3600&lenhdr [User-Agent: (empty)]
HTTP GET: http://songhold.net/index.php?method=validate&mode=sox&v=048&sox=4e6f3600&lenhdr [User-Agent: (empty)]
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=048&sox=4e6f3600&lenhdr [User-Agent: (empty)]
Flow TCP: 192.168.1.1:1036 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1038 ➝ 98.139.135.129:80
Flow TCP: 192.168.1.1:1039 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1040 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1041 ➝ 74.220.215.218:80
Flow TCP: 192.168.1.1:1042 ➝ 208.91.197.54:80
Flow TCP: 192.168.1.1:1043 ➝ 184.168.221.104:80
Flow TCP: 192.168.1.1:1044 ➝ 72.52.4.121:80
Flow TCP: 192.168.1.1:1045 ➝ 195.22.28.198:80
Flow TCP: 192.168.1.1:1046 ➝ 208.91.197.46:80
Flow TCP: 192.168.1.1:1047 ➝ 208.91.197.241:80
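Two things in the network section are worth turning into detection logic: the check-in URI, which keeps the same shape (index.php, method=validate, mode=sox, a v value, an 8-hex sox token and a bare lenhdr key with an empty User-Agent) across every host and is therefore a more durable signature than any single domain; and the bulk of two-word .net/.com names queried, most of which returned no address while several of the ones that did resolve share one IP. The Python below is an added example, not part of this report or of any vendor's product. The proxy log and DNS answer list are constructed from the indicators above (with two benign lines added so the matcher has something to reject), and treating sox as always 8 lowercase hex digits is an assumption generalised from the single value seen.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample inputs modelled on the report's network section; not a live capture.
PROXY_LOG = [
    "GET http://ableread.net/index.php?method=validate&mode=sox&v=048&sox=4e6f3600&lenhdr",
    "GET http://feltblood.net/index.php?method=validate&mode=sox&v=048&sox=4e6f3600&lenhdr",
    "GET http://www.example.com/index.php?method=validate&mode=search",  # benign: other params
    "GET http://cdn.example.net/lib.js?v=048",                          # benign: other path
]

# (queried name, A record) pairs as listed in the report; None where no address was returned.
DNS_ANSWERS = [
    ("ableread.net", "208.91.197.241"), ("nailthere.net", "98.139.135.129"),
    ("groupgrain.net", "208.91.197.241"), ("threeonly.net", "208.91.197.241"),
    ("feltblood.net", "195.22.28.198"), ("feltblood.net", "195.22.28.199"),
    ("fearstate.net", None), ("longcold.net", None), ("knowblood.net", None),
]

# Assumption: 'sox' is always 8 lowercase hex digits, generalised from the one value seen.
SOX_RE = re.compile(r"^[0-9a-f]{8}$")


def parse_checkin(url):
    """Return {'host', 'v', 'sox'} when url has the check-in shape seen in the report:
    /index.php with method=validate, mode=sox, an 8-hex 'sox' token and a bare 'lenhdr'
    key (present, no value). Anything else returns None."""
    u = urlsplit(url)
    if u.path != "/index.php":
        return None
    # keep_blank_values so the valueless 'lenhdr' key survives parsing
    params = dict(parse_qsl(u.query, keep_blank_values=True))
    if params.get("method") != "validate" or params.get("mode") != "sox":
        return None
    if params.get("lenhdr") != "" or not SOX_RE.match(params.get("sox", "")):
        return None
    return {"host": u.hostname, "v": params.get("v"), "sox": params["sox"]}


def scan_proxy_log(lines):
    """Collect check-in matches from 'GET <url>' log lines; other lines are skipped."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "GET":
            match = parse_checkin(parts[1])
            if match:
                hits.append(match)
    return hits


def dns_triage(answers):
    """Split queried names into resolved / unresolved and group resolved names by
    address, so names that share one IP (as several do in the report) stand out."""
    resolved, unresolved, by_ip = {}, [], {}
    for name, ip in answers:
        if ip is None:
            if name not in unresolved and name not in resolved:
                unresolved.append(name)
            continue
        resolved.setdefault(name, set()).add(ip)
        by_ip.setdefault(ip, set()).add(name)
    shared = {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}
    return {"resolved": resolved, "unresolved": unresolved, "shared_ip": shared}


def ioc_set(proxy_hits, dns):
    """Flatten the findings into a de-duplicated indicator list for blocking or hunting."""
    hosts = {h["host"] for h in proxy_hits} | set(dns["resolved"]) | set(dns["unresolved"])
    ips = {ip for addrs in dns["resolved"].values() for ip in addrs}
    return {"domains": sorted(hosts), "ips": sorted(ips)}


if __name__ == "__main__":
    hits = scan_proxy_log(PROXY_LOG)
    dns = dns_triage(DNS_ANSWERS)
    print(hits)
    print(dns["shared_ip"])
    print(ioc_set(hits, dns))
```

Matching on the parsed query parameters rather than on the literal string means a reordered or re-valued v= or sox= still fires, while a benign index.php?method=validate on some unrelated site does not; the unresolved names are kept in the indicator list deliberately, since a name that returned nothing in the sandbox can still be registered later.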

Raw Pcap

Strings