Analysis Date: 2015-11-20 11:17:30
MD5: 79ef48ae8c9c3ae10b777bce51434b24
SHA1: 83f99b59a39b7694e07cc3dad8970299b68e4740

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 78db9eddccc2a2761017ce78a7520b34 sha1: db8a89ede7b4479df40c59fe9591ccf080c35f3a size: 1199104
Section .rdata: md5: fb7d7ffc464e646a5aa7b45828bbf35b sha1: efd563940bd3ae3d3f7c86a80de2425cbf96df63 size: 303104
Section .data: md5: 189d6744f4aa1d5cce6bebdfb05e6a34 sha1: 76ab00d2318319550ceb0e07fee87bd0b0b8d25b size: 8704
Section .reloc: md5: 47e94c2afa022635f1a4183ec7201d0f sha1: 219823f006ed92761cfea0da7b19a9174f52ba8c size: 151552
Timestamp: 2015-05-11 03:59:24
Packer: VC8 -> Microsoft Corporation
PEhash: ce4a2765312cd63fe0dab53a99229e0094003e59
IMPhash: 6bad7cffd25e7e16e4094f16bbdfa650
AV F-Secure: no_virus
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV MalwareBytes: no_virus
AV Dr. Web: Trojan.Bayrob.5
AV Grisoft (avg): Crypt4.ADUM
AV Eset (nod32): Win32/Bayrob.Y
AV MicroWorld (escan): no_virus
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV Twister: no_virus
AV BitDefender: no_virus
AV Avira (antivir): TR/Crypt.Xpack.313732
AV Alwil (avast): Dropper-OJQ [Drp]
AV Fortinet: W32/Kryptik.EETB!tr
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV Ikarus: Trojan.Win32.Bayrob
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): no_virus
AV Mcafee: Trojan-FGIJ!79EF48AE8C9C
AV Ad-Aware: no_virus
AV Symantec: Downloader.Upatre!g15
AV K7: Trojan ( 004c77f41 )
AV Rising: no_virus
AV Frisk (f-prot): no_virus
AV Emsisoft: no_virus
AV Zillya!: Backdoor.SoxGrave.Win32.385
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\sqhrfur\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\toozwhas1lc8ztpnuenqhp.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\toozwhas1lc8ztpnuenqhp.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\toozwhas1lc8ztpnuenqhp.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Secure Parental Publication Networking ➝ C:\WINDOWS\system32\kggnzamqa.exe
Creates File: C:\WINDOWS\system32\sqhrfur\lck
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\sqhrfur\etc
Creates File: C:\WINDOWS\system32\sqhrfur\tst
Creates File: C:\WINDOWS\system32\kggnzamqa.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\kggnzamqa.exe
Creates Service: TPM Print Hardware Tracking Desktop - C:\WINDOWS\system32\kggnzamqa.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1140

Process
↳ C:\WINDOWS\system32\kggnzamqa.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\sqhrfur\lck
Creates File: C:\WINDOWS\system32\sqhrfur\cfg
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\sqhrfur\rng
Creates File: C:\WINDOWS\system32\jxtlvoqmkcyt.exe
Creates File: C:\WINDOWS\system32\sqhrfur\tst
Creates File: C:\WINDOWS\TEMP\toozwhas1sgbztp.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\sqhrfur\run
Creates Process: WATCHDOGPROC "c:\windows\system32\kggnzamqa.exe"
Creates Process: C:\WINDOWS\TEMP\toozwhas1sgbztp.exe -r 43936 tcp

Process
↳ C:\WINDOWS\system32\kggnzamqa.exe

Creates File: C:\WINDOWS\system32\sqhrfur\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\kggnzamqa.exe"

Creates File: C:\WINDOWS\system32\sqhrfur\tst

Process
↳ C:\WINDOWS\TEMP\toozwhas1sgbztp.exe -r 43936 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: recordsoldier.net, Type: A ➝ 208.91.197.241
DNS: fliersurprise.net, Type: A ➝ 208.91.197.241
DNS: historybright.net, Type: A ➝ 208.91.197.241
DNS: chiefsoldier.net, Type: A ➝ 208.91.197.241
DNS: classsurprise.net, Type: A ➝ 208.91.197.241
DNS: thosecontinue.net, Type: A ➝ 208.91.197.241
DNS: throughcontain.net, Type: A ➝ 208.91.197.241
DNS: belongguard.net, Type: A ➝ 208.91.197.241
DNS: maybellinethaddeus.net, Type: A ➝ 208.91.197.241
DNS: kimberleyshavonne.net, Type: A ➝ 208.91.197.241
DNS: naildeep.com, Type: A ➝ 74.220.215.218
DNS: riddenstorm.net, Type: A ➝ 66.147.240.171
DNS: destroystorm.net, Type: A ➝ 216.239.138.86
DNS: lookstock.net, Type: A ➝ 136.243.22.194
DNS: knowfire.net, Type: A ➝ 50.63.202.62
DNS: songbone.net, Type: A ➝ 198.143.132.130
DNS: songfire.net, Type: A ➝ 213.83.55.240
DNS: movewrote.net, Type: A ➝ 208.100.26.234
DNS: jumpfire.net, Type: A ➝ 108.59.4.71
DNS: whomwrote.net, Type: A ➝ 95.211.230.75
DNS: feltwrote.net, Type: A ➝ 95.211.230.75
DNS: husbandfound.net, Type: A
DNS: leadershort.net, Type: A
DNS: eggbraker.com, Type: A
DNS: ithouneed.com, Type: A
DNS: feltstock.net, Type: A
DNS: feltthrow.net, Type: A
DNS: lookthrow.net, Type: A
DNS: feltreply.net, Type: A
DNS: lookreply.net, Type: A
DNS: feltwhole.net, Type: A
DNS: lookwhole.net, Type: A
DNS: threestock.net, Type: A
DNS: lordstock.net, Type: A
DNS: threethrow.net, Type: A
DNS: lordthrow.net, Type: A
DNS: threereply.net, Type: A
DNS: lordreply.net, Type: A
DNS: threewhole.net, Type: A
DNS: lordwhole.net, Type: A
DNS: drinkstock.net, Type: A
DNS: wifestock.net, Type: A
DNS: drinkthrow.net, Type: A
DNS: wifethrow.net, Type: A
DNS: drinkreply.net, Type: A
DNS: wifereply.net, Type: A
DNS: drinkwhole.net, Type: A
DNS: wifewhole.net, Type: A
DNS: knowcold.net, Type: A
DNS: ablecold.net, Type: A
DNS: knowwrote.net, Type: A
DNS: ablewrote.net, Type: A
DNS: knowbone.net, Type: A
DNS: ablebone.net, Type: A
DNS: ablefire.net, Type: A
DNS: pickcold.net, Type: A
DNS: songcold.net, Type: A
DNS: pickwrote.net, Type: A
DNS: songwrote.net, Type: A
DNS: pickbone.net, Type: A
DNS: pickfire.net, Type: A
DNS: roomcold.net, Type: A
DNS: signcold.net, Type: A
DNS: roomwrote.net, Type: A
DNS: signwrote.net, Type: A
DNS: roombone.net, Type: A
DNS: signbone.net, Type: A
DNS: roomfire.net, Type: A
DNS: signfire.net, Type: A
DNS: movecold.net, Type: A
DNS: jumpcold.net, Type: A
DNS: jumpwrote.net, Type: A
DNS: movebone.net, Type: A
DNS: jumpbone.net, Type: A
DNS: movefire.net, Type: A
DNS: hillcold.net, Type: A
DNS: whomcold.net, Type: A
DNS: hillwrote.net, Type: A
DNS: hillbone.net, Type: A
DNS: whombone.net, Type: A
DNS: hillfire.net, Type: A
DNS: whomfire.net, Type: A
DNS: feltcold.net, Type: A
DNS: lookcold.net, Type: A
DNS: lookwrote.net, Type: A
DNS: feltbone.net, Type: A
DNS: lookbone.net, Type: A
DNS: feltfire.net, Type: A
DNS: lookfire.net, Type: A
DNS: threecold.net, Type: A
DNS: lordcold.net, Type: A
DNS: threewrote.net, Type: A
DNS: lordwrote.net, Type: A
DNS: threebone.net, Type: A
DNS: lordbone.net, Type: A
DNS: threefire.net, Type: A
DNS: lordfire.net, Type: A
DNS: drinkcold.net, Type: A
DNS: wifecold.net, Type: A
DNS: drinkwrote.net, Type: A
DNS: wifewrote.net, Type: A
DNS: drinkbone.net, Type: A
HTTP GET: http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://lookstock.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://knowfire.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://songbone.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://songfire.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://movewrote.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://jumpfire.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://whomwrote.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://feltwrote.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://lookstock.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://knowfire.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://songbone.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://songfire.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://movewrote.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://jumpfire.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://whomwrote.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
HTTP GET: http://feltwrote.net/index.php?method=validate&mode=sox&v=050&sox=4f3ba001&lenhdr
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1043 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1046 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1047 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1048 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1049 ➝ 216.239.138.86:80
Flows TCP: 192.168.1.1:1050 ➝ 136.243.22.194:80
Flows TCP: 192.168.1.1:1051 ➝ 50.63.202.62:80
Flows TCP: 192.168.1.1:1052 ➝ 198.143.132.130:80
Flows TCP: 192.168.1.1:1053 ➝ 213.83.55.240:80
Flows TCP: 192.168.1.1:1054 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1055 ➝ 108.59.4.71:80
Flows TCP: 192.168.1.1:1056 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1057 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1058 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1059 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1060 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1061 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1062 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1063 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1064 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1065 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1066 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1067 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1068 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1069 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1070 ➝ 216.239.138.86:80
Flows TCP: 192.168.1.1:1071 ➝ 136.243.22.194:80
Flows TCP: 192.168.1.1:1072 ➝ 50.63.202.62:80
Flows TCP: 192.168.1.1:1073 ➝ 198.143.132.130:80
Flows TCP: 192.168.1.1:1074 ➝ 213.83.55.240:80
Flows TCP: 192.168.1.1:1075 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1076 ➝ 108.59.4.71:80
Flows TCP: 192.168.1.1:1077 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1078 ➝ 95.211.230.75:80
