Analysis Date: 2015-09-19 21:00:18
MD5: 07ec600123788996624b42274e55bba2
SHA1: 5b847ad3b7d37b0b20140289b612c79422cf4988

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text:  md5: b33cada7f0395d1719e512b41480290c sha1: 0d75b9edbf4582ec892beedeab82698637e54ed4 size: 536576
Section .rdata: md5: e5a171f570119fca7f5c9428e1c9e53a sha1: 32e0ef7a6afffb1d9df0dcdb0106accdc94ffd7f size: 2277376
Section .data:  md5: 4937d7c2cbf22e8b888b70ad1c35e888 sha1: 911ba234863b7f53f3dfbd6c6348c66dad2b44f8 size: 65536
Section .rsrc:  md5: b278469624886bc92bc2520d3ea30e7c sha1: f89898b9e7ae07d32049dff351c844777de5c410 size: 86016
Timestamp: 2014-05-05 08:47:13
Version info:
  LegalCopyright: ゛专家ゝ 刷钻业务QQ1410001858
  FileVersion: 1.0.0.0
  CompanyName: ゛专家ゝ 刷钻业务QQ1410001858
  Comments: ゛专家ゝ 刷Q币业务QQ1410001858
  ProductName: ゛专家ゝ 刷钻业务QQ1410001858
  ProductVersion: 1.0.0.0
  FileDescription: ゛专家ゝ 刷Q币QQ1410001858
Packer: Microsoft Visual C++ v6.0
PEhash: a1f79297a7e6be2074be2a534851f3ec69526cd6
IMPhash: 6688161fb225aa4ca4b72e426f2c25d0
AV CA (E-Trust Ino): no_virus
AV Rising: Trojan.Zegost!49D2
AV Mcafee: no_virus
AV Avira (antivir): BDS/Morix.bh.1
AV Twister: Backdoor.Zegost.you.qmyv
AV Ad-Aware: Gen:Variant.Zusy.117041
AV Alwil (avast): Farfli-AP [Trj]
AV Eset (nod32): Win32/PSW.QQPass.OCL
AV Grisoft (avg): PSW.Generic12.ATNL
AV Symantec: no_virus
AV Fortinet: W32/QQPass.ELG!tr.pws
AV BitDefender: Gen:Variant.Zusy.117041
AV K7: no_virus
AV Microsoft Security Essentials: Backdoor:Win32/Zegost!rfn
AV MicroWorld (escan): Gen:Variant.Zusy.117041
AV MalwareBytes: no_virus
AV Authentium: W32/Agent.EW.gen!Eldorado
AV Frisk (f-prot): W32/Agent.EW.gen!Eldorado
AV Ikarus: Trojan.Win32.Pasta
AV Emsisoft: Gen:Variant.Zusy.117041
AV Zillya!: Backdoor.Zegost.Win32.1667
AV Kaspersky: Trojan.Win32.Generic:Trojan-Spy.Win32.Agent.cbot
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): BScope.Trojan.SvcHorse.01643
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Zusy.117041
AV Arcabit (arcavir): Gen:Variant.Zusy.117041
AV ClamAV: WIN.Trojan.Morix
AV Dr. Web: Trojan.PWS.Gamania.44731
AV F-Secure: Trojan:W32/DelfInject.R

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page ➝ http://www.2345.com/?kqqgm\\x00
Creates File: C:\WINDOWS\system32\yy.exe
Creates Process: C:\WINDOWS\system32\yy.exe

Process
↳ C:\WINDOWS\system32\yy.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\245CE7AD ➝ C:\WINDOWS\245CE7AD\svchsot.exe\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\InfoTime\InfoTime ➝ 20150919\\x00
Creates File: PIPE\DAV RPC SERVICE
Creates File: PIPE\wkssvc
Creates File: PIPE\lsarpc
Creates File: PIPE\atsvc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\245CE7AD.key
Creates Process: net start "Task Scheduler"
Creates Mutex: asd1738402137.f3322.org:2012
Creates Mutex: asd1738402137.f3322.org:2012
Creates Mutex: asd1738402137.f3322.org:2012

Process
↳ net start "Task Scheduler"

Creates Process: net1 start "Task Scheduler"

Process
↳ net1 start "Task Scheduler"

Network Details:

DNS: cncert-sinkhole.net (Type: A) ➝ 111.74.238.109
DNS: cncert-sinkhole.net (Type: A) ➝ 117.21.224.222
DNS: asd1738402137.f3322.org (Type: A) ➝ (no answer recorded)
Flows TCP: 192.168.1.1:1031 through 192.168.1.1:1058 ➝ 111.74.238.109:2012 (28 connections, one per consecutive source port)
