Analysis Date: 2015-11-01 04:12:40
MD5: f32d42bc5afec7794ecfb07fce469fd9
SHA1: 66e581bae9e84ecd28bdbdd3fd8b3e34bfe392c5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 8c18c9aa985930f033448763d9f2b989 sha1: bdac99b3c725f029ad54936fc362bfc6c9e0fcb2 size: 690688
Section .rdata: md5: 0816d1005da77587a93bef9f010b32cf sha1: 429410b0d5bad198d5c05c4e2c500d616eb69691 size: 54784
Section .data: md5: 19efca8a8f87e98eddf7b0463316d0f9 sha1: 32e801935a9623d2f6a614910bba55a34eae3fc9 size: 395264
Timestamp: 2014-05-09 21:59:36
Packer: Microsoft Visual C++ ?.?
PEhash: 61bc4ae0f8bb1cddee0195a2a6c52fb39b6d4e8d
IMPhash: 67c4af9479902d0f01e618f3d8262cfe
AV Alwil (avast): Kryptik-PLS [Trj]
AV BullGuard: Gen:Variant.Symmi.22722
AV Fortinet: Riskware/Agent
AV CAT (quickheal): no_virus
AV Rising: no_virus
AV Symantec: Downloader.Upatre!g15
AV MalwareBytes: no_virus
AV Ikarus: Trojan.Crypt2
AV Zillya!: no_virus
AV K7: Trojan ( 004cd0081 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV Trend Micro: no_virus
AV Grisoft (avg): Win32/Cryptor
AV Kaspersky: Trojan.Win32.Generic
AV BitDefender: Gen:Variant.Symmi.22722
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Twister: Trojan.Girtk.BCFJ.cpsn.mg
AV VirusBlokAda (vba32): no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Padvish: no_virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV Avira (antivir): TR/Crypt.ZPACK.Gen8
AV Mcafee: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV ClamAV: no_virus
AV CA (E-Trust Ino): no_virus
AV Eset (nod32): Win32/Kryptik.CCLE
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Dr. Web: Trojan.KillFiles.13541

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\osdqdihd1lxxyzxikq6mgvuq.exe
Creates File: C:\WINDOWS\system32\ijcitwmshnedph\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\osdqdihd1lxxyzxikq6mgvuq.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\osdqdihd1lxxyzxikq6mgvuq.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Panel Transfer Class Internet Management ➝ C:\WINDOWS\system32\tejnitjkewnn.exe
Creates File: C:\WINDOWS\system32\tejnitjkewnn.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\ijcitwmshnedph\etc
Creates File: C:\WINDOWS\system32\ijcitwmshnedph\lck
Creates File: C:\WINDOWS\system32\ijcitwmshnedph\tst
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\tejnitjkewnn.exe
Creates Service: Socket Audio Peer iSCSI Print Configuration - C:\WINDOWS\system32\tejnitjkewnn.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ Pid 1328

Process
↳ Pid 1896

Process
↳ Pid 1172

Process
↳ C:\WINDOWS\system32\tejnitjkewnn.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\osdqdihd1sjcyzxi.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\ijcitwmshnedph\run
Creates File: C:\WINDOWS\system32\ijcitwmshnedph\lck
Creates File: C:\WINDOWS\system32\ijcitwmshnedph\rng
Creates File: C:\WINDOWS\system32\imzsypuyneag.exe
Creates File: C:\WINDOWS\system32\ijcitwmshnedph\tst
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\ijcitwmshnedph\cfg
Creates Process: C:\WINDOWS\TEMP\osdqdihd1sjcyzxi.exe -r 52373 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\tejnitjkewnn.exe"

Process
↳ C:\WINDOWS\system32\tejnitjkewnn.exe

Creates File: C:\WINDOWS\system32\ijcitwmshnedph\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\tejnitjkewnn.exe"

Creates File: C:\WINDOWS\system32\ijcitwmshnedph\tst

Process
↳ C:\WINDOWS\TEMP\osdqdihd1sjcyzxi.exe -r 52373 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

