Analysis Date: 2016-03-08 05:34:06
MD5: e3797c0c8ce1cccbfdf2b044b36a6b30
SHA1: 8d06834e68ea7ff19511aca9d2cd4a480aa0f4af

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 2f06735714c1f38d304ec68b82cb5073 sha1: 98253d2f85eebbfb3968739b5c208a748cec94f5 size: 802304
Section .rdata md5: f61acb8398559c06a0c6be779cf8f735 sha1: 39d285d651e4c7f6bfc2d0d16b68e592e4db4e08 size: 59392
Section .data  md5: cf44cadbcb6abe9fc8a269b2c2c25256 sha1: 417d26e52c95c1ee67a51abbf92248f8e46a2bcf size: 412672
Timestamp: 2014-11-28 23:15:15
Packer: Microsoft Visual C++ ?.?
PEhash: 0955be9e196338b9cb23277152519457de677add
IMPhash: 2468c6751ad47d94ece0fbc1aaac8198
AV CA (E-Trust Ino): Gen:Variant.Symmi.22722
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): BDS/Zegost.Gen
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Kryptik-OSY [Trj]
AV Eset (nod32): Win32/Kryptik.CCLE
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Kryptik.DDQD!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: Trojan ( 004cd0081 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AE
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Emsisoft: Gen:Variant.Symmi.22722
AV Frisk (f-prot): No Virus
AV Ikarus: No Virus
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_WONTON.SMJ1
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Symmi.22722

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\gseeikeoktbu\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\e6obes1ldzuxqmqogjvekev.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\e6obes1ldzuxqmqogjvekev.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\e6obes1ldzuxqmqogjvekev.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Connection Cache Networking ➝ C:\WINDOWS\system32\usrsywc.exe
Creates File: C:\WINDOWS\system32\gseeikeoktbu\etc
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\gseeikeoktbu\tst
Creates File: C:\WINDOWS\system32\usrsywc.exe
Creates File: C:\WINDOWS\system32\gseeikeoktbu\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\usrsywc.exe
Creates Service: Manager Protected Control AutoConnect - C:\WINDOWS\system32\usrsywc.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1888

Process
↳ Pid 1180

Process
↳ C:\WINDOWS\system32\usrsywc.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\gseeikeoktbu\run
Creates File: C:\WINDOWS\system32\gseeikeoktbu\rng
Creates File: C:\WINDOWS\system32\gseeikeoktbu\cfg
Creates File: C:\WINDOWS\system32\gseeikeoktbu\lck
Creates File: C:\WINDOWS\system32\gseeikeoktbu\tst
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\TEMP\e6obes1s3auxqmq.exe
Creates File: C:\WINDOWS\system32\ceedhnbu.exe
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "c:\windows\system32\usrsywc.exe"
Creates Process: C:\WINDOWS\TEMP\e6obes1s3auxqmq.exe -r 51964 tcp

Process
↳ C:\WINDOWS\system32\usrsywc.exe

Creates File: C:\WINDOWS\system32\gseeikeoktbu\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\usrsywc.exe"

Creates File: C:\WINDOWS\system32\gseeikeoktbu\tst

Process
↳ C:\WINDOWS\TEMP\e6obes1s3auxqmq.exe -r 51964 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS saltsecond.net (Type: A) ➝ 74.220.199.6
DNS walkloud.net (Type: A) ➝ 50.63.202.40
DNS walktree.net (Type: A) ➝ 208.100.26.234
DNS storytree.net (Type: A) ➝ 180.210.34.47
DNS gainstock.net (Type: A) ➝ 119.10.9.200
DNS storystock.net (Type: A) ➝ 188.93.10.94
DNS sellstock.net (Type: A) ➝ 69.64.147.242
Each of the following requests was issued twice, with an empty User-Agent header:
HTTP GET http://saltsecond.net/index.php?method=validate&mode=sox&v=034&sox=482fce0e&lenhdr
HTTP GET http://walkloud.net/index.php?method=validate&mode=sox&v=034&sox=482fce0e&lenhdr
HTTP GET http://walktree.net/index.php?method=validate&mode=sox&v=034&sox=482fce0e&lenhdr
HTTP GET http://storytree.net/index.php?method=validate&mode=sox&v=034&sox=482fce0e&lenhdr
HTTP GET http://gainstock.net/index.php?method=validate&mode=sox&v=034&sox=482fce0e&lenhdr
HTTP GET http://storystock.net/index.php?method=validate&mode=sox&v=034&sox=482fce0e&lenhdr
HTTP GET http://sellstock.net/index.php?method=validate&mode=sox&v=034&sox=482fce0e&lenhdr
Flows TCP 192.168.1.1:1036 ➝ 74.220.199.6:80
Flows TCP 192.168.1.1:1037 ➝ 50.63.202.40:80
Flows TCP 192.168.1.1:1038 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1039 ➝ 180.210.34.47:80
Flows TCP 192.168.1.1:1041 ➝ 119.10.9.200:80
Flows TCP 192.168.1.1:1042 ➝ 188.93.10.94:80
Flows TCP 192.168.1.1:1043 ➝ 69.64.147.242:80
Flows TCP 192.168.1.1:1044 ➝ 74.220.199.6:80
Flows TCP 192.168.1.1:1045 ➝ 50.63.202.40:80
Flows TCP 192.168.1.1:1046 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1047 ➝ 180.210.34.47:80
Flows TCP 192.168.1.1:1048 ➝ 119.10.9.200:80
Flows TCP 192.168.1.1:1049 ➝ 188.93.10.94:80
Flows TCP 192.168.1.1:1050 ➝ 69.64.147.242:80