Analysis Date: 2015-07-08 01:59:04
MD5: db8028d6247616301668c24c38896cae
SHA1: 7515372e39e0e0f535175ba74ae646debae4b1fd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 7eeebd1e121b17b5349fbb89423a826b sha1: 4cb09dd44652a1e9111232450d981619f1d9c8c7 size: 1317888
Section .rdata md5: cf00c708c443443d7640a7563098ab44 sha1: 8b376c1b5ba86423984f9e046fca6b9188add06a size: 325632
Section .data md5: d9e6c5b3aa8c89f185fb5859eca9df28 sha1: 7a31901800911360154387168fb6c5b8e733e92d size: 8192
Section .reloc md5: 7bd8c9f4ca3a04d0551d382fbb4b859f sha1: af7820981bdfd113a572a72b7183712074c88101 size: 180224
Timestamp: 2015-05-11 03:57:09
Packer: VC8 -> Microsoft Corporation
PEhash: 30bb860925ffcb2597eb5c22ab4b8ecfd5e82f51
IMPhash: 26bb288d3a82df938c491286f7d42fc3

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\vdexblxsohw\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ommpvkhh7olfuihfagf.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\ommpvkhh7olfuihfagf.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\ommpvkhh7olfuihfagf.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NetBIOS Profile Base Plug IKE Launcher ➝ C:\WINDOWS\system32\vfqjetjt.exe
Creates File: C:\WINDOWS\system32\vfqjetjt.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\vdexblxsohw\tst
Creates File: C:\WINDOWS\system32\vdexblxsohw\etc
Creates File: C:\WINDOWS\system32\vdexblxsohw\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\vfqjetjt.exe
Creates Service: Auto-Discovery PNRP Experience - C:\WINDOWS\system32\vfqjetjt.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ Pid 1016

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ Pid 1304

Process
↳ Pid 1852

Process
↳ Pid 252

Process
↳ C:\WINDOWS\system32\vfqjetjt.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\ommpvkhhf0xfu.exe
Creates File: C:\WINDOWS\system32\rcgheqt.exe
Creates File: C:\WINDOWS\system32\vdexblxsohw\rng
Creates File: C:\WINDOWS\system32\vdexblxsohw\tst
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\vdexblxsohw\run
Creates File: C:\WINDOWS\system32\vdexblxsohw\cfg
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\vdexblxsohw\lck
Deletes File: C:\WINDOWS\TEMP\ommpvkhhf0xfu.exe
Creates Process: WATCHDOGPROC "c:\windows\system32\vfqjetjt.exe"
Creates Process: C:\WINDOWS\TEMP\ommpvkhhf0xfu.exe -r 51030 tcp

Process
↳ C:\WINDOWS\system32\vfqjetjt.exe

Creates File: C:\WINDOWS\system32\vdexblxsohw\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\vfqjetjt.exe"

Creates File: C:\WINDOWS\system32\vdexblxsohw\tst

Process
↳ C:\WINDOWS\TEMP\ommpvkhhf0xfu.exe -r 51030 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: recordsoldier.net (Type: A) ➝ 208.91.197.241
DNS: fliersurprise.net (Type: A) ➝ 208.91.197.241
DNS: historybright.net (Type: A) ➝ 208.91.197.241
DNS: chiefsoldier.net (Type: A) ➝ 208.91.197.241
DNS: classsurprise.net (Type: A) ➝ 208.91.197.241
DNS: thosecontinue.net (Type: A) ➝ 208.91.197.241
DNS: throughcontain.net (Type: A) ➝ 208.91.197.241
DNS: belongguard.net (Type: A) ➝ 208.91.197.241
DNS: maybellinethaddeus.net (Type: A) ➝ 208.91.197.241
DNS: kimberleyshavonne.net (Type: A) ➝ 208.91.197.241
DNS: naildeep.com (Type: A) ➝ 74.220.215.218
DNS: riddenstorm.net (Type: A) ➝ 66.147.240.171
DNS: destroystorm.net (Type: A) ➝ 216.239.138.86
DNS: drivetalk.net (Type: A) ➝ 112.140.180.152
DNS: nailtalk.net (Type: A) ➝ 125.209.214.79
DNS: fieldsure.net (Type: A) ➝ 50.63.202.58
DNS: fieldback.net (Type: A) ➝ 88.159.158.85
DNS: faceback.net (Type: A) ➝ 72.52.4.119
DNS: walksure.net (Type: A) ➝ 184.168.221.38
DNS: walkback.net (Type: A) ➝ 184.168.221.86
DNS: sellsure.net (Type: A) ➝ 41.193.5.58
DNS: sellback.net (Type: A) ➝ 82.165.105.104
DNS: drivesure.net (Type: A) ➝ 72.52.4.119
DNS: drivecause.net (Type: A) ➝ 95.211.230.75
DNS: driveshot.net (Type: A) ➝ 184.168.221.20
DNS: driveback.net (Type: A) ➝ 217.70.142.55
DNS: husbandfound.net (Type: A)
DNS: leadershort.net (Type: A)
DNS: eggbraker.com (Type: A)
DNS: ithouneed.com (Type: A)
DNS: sellbelow.net (Type: A)
DNS: wednesdaybelow.net (Type: A)
DNS: selltalk.net (Type: A)
DNS: wednesdaytalk.net (Type: A)
DNS: sellshirt.net (Type: A)
DNS: wednesdayshirt.net (Type: A)
DNS: drivewash.net (Type: A)
DNS: nailwash.net (Type: A)
DNS: drivebelow.net (Type: A)
DNS: nailbelow.net (Type: A)
DNS: driveshirt.net (Type: A)
DNS: nailshirt.net (Type: A)
DNS: queensure.net (Type: A)
DNS: fieldcause.net (Type: A)
DNS: queencause.net (Type: A)
DNS: fieldshot.net (Type: A)
DNS: queenshot.net (Type: A)
DNS: queenback.net (Type: A)
DNS: bothsure.net (Type: A)
DNS: gainsure.net (Type: A)
DNS: bothcause.net (Type: A)
DNS: gaincause.net (Type: A)
DNS: bothshot.net (Type: A)
DNS: gainshot.net (Type: A)
DNS: bothback.net (Type: A)
DNS: gainback.net (Type: A)
DNS: leastsure.net (Type: A)
DNS: facesure.net (Type: A)
DNS: leastcause.net (Type: A)
DNS: facecause.net (Type: A)
DNS: leastshot.net (Type: A)
DNS: faceshot.net (Type: A)
DNS: leastback.net (Type: A)
DNS: monthsure.net (Type: A)
DNS: monthcause.net (Type: A)
DNS: walkcause.net (Type: A)
DNS: monthshot.net (Type: A)
DNS: walkshot.net (Type: A)
DNS: monthback.net (Type: A)
DNS: storysure.net (Type: A)
DNS: weaksure.net (Type: A)
DNS: storycause.net (Type: A)
DNS: weakcause.net (Type: A)
DNS: storyshot.net (Type: A)
DNS: weakshot.net (Type: A)
DNS: storyback.net (Type: A)
DNS: weakback.net (Type: A)
DNS: aftersure.net (Type: A)
DNS: forcesure.net (Type: A)
DNS: aftercause.net (Type: A)
DNS: forcecause.net (Type: A)
DNS: aftershot.net (Type: A)
DNS: forceshot.net (Type: A)
DNS: afterback.net (Type: A)
DNS: forceback.net (Type: A)
DNS: wednesdaysure.net (Type: A)
DNS: sellcause.net (Type: A)
DNS: wednesdaycause.net (Type: A)
DNS: sellshot.net (Type: A)
DNS: wednesdayshot.net (Type: A)
DNS: wednesdayback.net (Type: A)
DNS: nailsure.net (Type: A)
DNS: nailcause.net (Type: A)
DNS: nailshot.net (Type: A)
DNS: nailback.net (Type: A)
DNS: fieldslept.net (Type: A)
DNS: queenslept.net (Type: A)
DNS: fieldhers.net (Type: A)
DNS: queenhers.net (Type: A)
DNS: fieldprove.net (Type: A)
DNS: queenprove.net (Type: A)
DNS: fieldbreak.net (Type: A)
HTTP GET: http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://drivetalk.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://nailtalk.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://fieldsure.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://fieldback.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://faceback.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://walksure.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://walkback.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://sellsure.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://sellback.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://drivesure.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://drivecause.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://driveshot.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://driveback.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
HTTP GET: http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f96a201&lenhdr
    User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1045 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1046 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1047 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1048 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1049 ➝ 216.239.138.86:80
Flows TCP: 192.168.1.1:1050 ➝ 112.140.180.152:80
Flows TCP: 192.168.1.1:1051 ➝ 125.209.214.79:80
Flows TCP: 192.168.1.1:1052 ➝ 50.63.202.58:80
Flows TCP: 192.168.1.1:1053 ➝ 88.159.158.85:80
Flows TCP: 192.168.1.1:1054 ➝ 72.52.4.119:80
Flows TCP: 192.168.1.1:1055 ➝ 184.168.221.38:80
Flows TCP: 192.168.1.1:1056 ➝ 184.168.221.86:80
Flows TCP: 192.168.1.1:1057 ➝ 41.193.5.58:80
Flows TCP: 192.168.1.1:1058 ➝ 82.165.105.104:80
Flows TCP: 192.168.1.1:1059 ➝ 72.52.4.119:80
Flows TCP: 192.168.1.1:1060 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1061 ➝ 184.168.221.20:80
Flows TCP: 192.168.1.1:1062 ➝ 217.70.142.55:80
Flows TCP: 192.168.1.1:1063 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1064 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1065 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1066 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1067 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1068 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1069 ➝ 208.91.197.241:80
