Analysis Date: 2015-10-10 22:36:39
MD5: c450b54bd778faecbbaa30b2b4116fe2
SHA1: 5e996e746281f3c1e9f4d5062d5d73f04fc7e60e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: cc1d43f43fe052f8db7e3428e5b27416 sha1: e3860d46257a0f1ff1dcde846bed7a0469da4934 size: 684544
Section .rdata: md5: 40479ba380277fb2f8658108d1b1c506 sha1: 5d4677c92934eade5fd0c7f120c66afcae45b7eb size: 54272
Section .data: md5: a233c301d78bfeee90e319f2de9f4ce5 sha1: dce5ccc136e4bb2a57441b1fa2ea2a50d145f49d size: 125440
Timestamp: 2014-04-07 06:54:09
Packer: Microsoft Visual C++ ?.?
PEhash: 151cd477b1a0897b914ea72d0e03cc2eab2adb7f
IMPhash: 66adfaf0955b6fbbe0c9256e05eef34c
AV Grisoft (avg): Win32/Cryptor
AV Avira (antivir): TR/Crypt.ZPACK.Gen2
AV Emsisoft: Gen:Variant.Symmi.22722
AV VirusBlokAda (vba32): no_virus
AV Fortinet: W32/COMROKI.A!tr
AV Dr. Web: no_virus
AV Twister: Trojan.Girtk.BCFJ.cpsn.mg
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV BitDefender: Gen:Variant.Symmi.22722
AV Ad-Aware: Gen:Variant.Symmi.22722
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV Frisk (f-prot): no_virus
AV K7: Trojan ( 004cd0081 )
AV Ikarus: Trojan.Crypt2
AV BullGuard: Gen:Variant.Symmi.22722
AV Symantec: Downloader.Upatre!g15
AV Rising: no_virus
AV Authentium: W32/Symmi.AH.gen!Eldorado
AV F-Secure: Gen:Variant.Symmi.22722
AV CAT (quickheal): no_virus
AV Eset (nod32): Win32/Kryptik.DXVJ
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Zillya!: no_virus
AV CA (E-Trust Ino): no_virus
AV Alwil (avast): Kryptik-NST [Trj]
AV Padvish: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Trend Micro: TSPY_NIVDORT.SM

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\xvsmalv1laxblrqnoajiz.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\xvsmalv1laxblrqnoajiz.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\xvsmalv1laxblrqnoajiz.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Resolution Thread Detection Notification ➝ C:\WINDOWS\system32\iwjdgrljrpb.exe
Creates File: C:\WINDOWS\system32\iwjdgrljrpb.exe
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\lck
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\etc
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\iwjdgrljrpb.exe
Creates Service: Extensible Configuration TPM - C:\WINDOWS\system32\iwjdgrljrpb.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1148

Process
↳ C:\WINDOWS\system32\iwjdgrljrpb.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\jsbodphxuneu.exe
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\cfg
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\rng
Creates File: C:\WINDOWS\TEMP\xvsmalv1rlhblrq.exe
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\lck
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\run
Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "c:\windows\system32\iwjdgrljrpb.exe"
Creates Process: C:\WINDOWS\TEMP\xvsmalv1rlhblrq.exe -r 51613 tcp

Process
↳ C:\WINDOWS\system32\iwjdgrljrpb.exe

Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\iwjdgrljrpb.exe"

Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst

Process
↳ C:\WINDOWS\TEMP\xvsmalv1rlhblrq.exe -r 51613 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS stickmarch.net (Type: A) ➝ 52.4.209.250
DNS tablefruit.net (Type: A) ➝ 52.4.209.250
DNS gladelse.net (Type: A) ➝ 195.22.26.252
DNS gladelse.net (Type: A) ➝ 195.22.26.253
DNS gladelse.net (Type: A) ➝ 195.22.26.254
DNS gladelse.net (Type: A) ➝ 195.22.26.231
DNS watchfine.net (Type: A) ➝ 45.35.9.136
DNS saltrain.net (Type: A) ➝ 208.73.211.70
DNS grouprain.net (Type: A) ➝ 208.100.26.234
HTTP GET: http://stickmarch.net/forum/search.php?method=validate&mode=sox&v=027&sox=3ca05000
User-Agent:
HTTP GET: http://tablefruit.net/forum/search.php?method=validate&mode=sox&v=027&sox=3ca05000
User-Agent:
HTTP GET: http://gladelse.net/forum/search.php?method=validate&mode=sox&v=027&sox=3ca05000
User-Agent:
HTTP GET: http://watchfine.net/forum/search.php?method=validate&mode=sox&v=027&sox=3ca05000
User-Agent:
HTTP GET: http://saltrain.net/forum/search.php?method=validate&mode=sox&v=027&sox=3ca05000
User-Agent:
HTTP GET: http://grouprain.net/forum/search.php?method=validate&mode=sox&v=027&sox=3ca05000
User-Agent:
HTTP GET: http://stickmarch.net/forum/search.php?method=validate&mode=sox&v=027&sox=3ca05000
User-Agent:
HTTP GET: http://tablefruit.net/forum/search.php?method=validate&mode=sox&v=027&sox=3ca05000
User-Agent:
HTTP GET: http://gladelse.net/forum/search.php?method=validate&mode=sox&v=027&sox=3ca05000
User-Agent:
HTTP GET: http://watchfine.net/forum/search.php?method=validate&mode=sox&v=027&sox=3ca05000
User-Agent:
HTTP GET: http://saltrain.net/forum/search.php?method=validate&mode=sox&v=027&sox=3ca05000
User-Agent:
HTTP GET: http://grouprain.net/forum/search.php?method=validate&mode=sox&v=027&sox=3ca05000
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 52.4.209.250:80
Flows TCP: 192.168.1.1:1037 ➝ 52.4.209.250:80
Flows TCP: 192.168.1.1:1038 ➝ 195.22.26.252:80
Flows TCP: 192.168.1.1:1039 ➝ 45.35.9.136:80
Flows TCP: 192.168.1.1:1041 ➝ 208.73.211.70:80
Flows TCP: 192.168.1.1:1042 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1043 ➝ 52.4.209.250:80
Flows TCP: 192.168.1.1:1044 ➝ 52.4.209.250:80
Flows TCP: 192.168.1.1:1045 ➝ 195.22.26.252:80
Flows TCP: 192.168.1.1:1046 ➝ 45.35.9.136:80
Flows TCP: 192.168.1.1:1047 ➝ 208.73.211.70:80
Flows TCP: 192.168.1.1:1048 ➝ 208.100.26.234:80

Raw Pcap

Strings