Analysis Date: 2015-09-07 06:22:14
MD5: 683553acebfb1c870eb02270af9e7e33
SHA1: 95b69f3d3fb787d350df4e29cb594ab482d84ee1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: f31fbb0ad8feb01df162c91d8793c7fa sha1: 1f1d03aae896a3e5d52a67b01cb1d8ba73b58d4c size: 796160
Section .rdata md5: 8622257a3b4268d16edea716a4298f5c sha1: 1446b2cf0fd1548f8235131c60328c2c9440b37c size: 60416
Section .data md5: 2084b9e6b7a1d41382739702da1eff39 sha1: a1a4b5efcd953d9c5c186985b5eff633248d373e size: 410624
Timestamp: 2014-10-29 06:21:05
Packer: Microsoft Visual C++ ?.?
PEhash: d85f084fca0dbfde796d800d0104ce65c09a81c6
IMPhash: 3029ebb6a1c64ed9834bce0951624e7c
AV Dr. Web: Trojan.KillFiles.28018
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV Emsisoft: Gen:Variant.Symmi.22722
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AE
AV Symantec: Downloader.Upatre!g15
AV Eset (nod32): Win32/Kryptik.CCLE
AV Padvish: no_virus
AV CA (E-Trust Ino): no_virus
AV Fortinet: W32/Kryptik.DDQD!tr
AV Avira (antivir): TR/Crypt.Xpack.241588
AV Trend Micro: TROJ_WONTON.SMJ1
AV Frisk (f-prot): no_virus
AV Alwil (avast): Kryptik-OOC [Trj]
AV ClamAV: no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV Mcafee: no_virus
AV Twister: no_virus
AV Grisoft (avg): Win32/Cryptor
AV BitDefender: Gen:Variant.Symmi.22722
AV Rising: no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Ad-Aware: Gen:Variant.Symmi.22722
AV CAT (quickheal): Trojan.Generic.g3
AV K7: Trojan ( 0049a7ec1 )
AV VirusBlokAda (vba32): no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Kaspersky: Trojan.Win32.Generic
AV BullGuard: Gen:Variant.Symmi.22722
AV MalwareBytes: no_virus
AV Zillya!: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\ynffaqnbmxnsjaw\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\jutyuwsn1kosasabbnhtonfk.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\jutyuwsn1kosasabbnhtonfk.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\jutyuwsn1kosasabbnhtonfk.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\List Internet Time AutoConnect ➝ C:\WINDOWS\system32\trcnwkdrzoni.exe
Creates File: C:\WINDOWS\system32\ynffaqnbmxnsjaw\lck
Creates File: C:\WINDOWS\system32\trcnwkdrzoni.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\ynffaqnbmxnsjaw\etc
Creates File: C:\WINDOWS\system32\ynffaqnbmxnsjaw\tst
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\trcnwkdrzoni.exe
Creates Service: Group Performance DHCP Location - C:\WINDOWS\system32\trcnwkdrzoni.exe

Process
↳ Pid 796

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERdea3.dir00\svchost.exe.hdmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERdea3.dir00\svchost.exe.mdmp
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: pipe\PCHFaultRepExecPipe
Creates Process: C:\WINDOWS\system32\dumprep.exe 1016 -dm 7 7 C:\Documents and Settings\Administrator\Local Settings\Temp\WERdea3.dir00\svchost.exe.mdmp 16325836412030876

Process
↳ Pid 1120

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1164

Process
↳ C:\WINDOWS\system32\trcnwkdrzoni.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\ynffaqnbmxnsjaw\run
Creates File: C:\WINDOWS\system32\alenohsem.exe
Creates File: C:\WINDOWS\system32\ynffaqnbmxnsjaw\lck
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\ynffaqnbmxnsjaw\cfg
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\ynffaqnbmxnsjaw\rng
Creates File: C:\WINDOWS\system32\ynffaqnbmxnsjaw\tst
Creates File: C:\WINDOWS\TEMP\jutyuwsn1qzsasabb.exe
Creates Process: C:\WINDOWS\TEMP\jutyuwsn1qzsasabb.exe -r 34745 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\trcnwkdrzoni.exe"

Process
↳ C:\WINDOWS\system32\trcnwkdrzoni.exe

Creates File: C:\WINDOWS\system32\ynffaqnbmxnsjaw\tst

Process
↳ C:\WINDOWS\system32\dumprep.exe 1016 -dm 7 7 C:\Documents and Settings\Administrator\Local Settings\Temp\WERdea3.dir00\svchost.exe.mdmp 16325836412030876

Process
↳ WATCHDOGPROC "c:\windows\system32\trcnwkdrzoni.exe"

Creates File: C:\WINDOWS\system32\ynffaqnbmxnsjaw\tst

Process
↳ C:\WINDOWS\TEMP\jutyuwsn1qzsasabb.exe -r 34745 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: saltsecond.net (A) ➝ 74.220.199.6
DNS: wheelreply.net (A) ➝ 8.5.1.30
DNS: takerush.net (A) ➝ 50.63.202.11
DNS: yourfeet.net (A) ➝ 184.168.221.104
DNS: youreach.net (A) ➝ 63.236.74.25
DNS: triesyesterday.net (A) ➝ 95.211.230.75
DNS: southblood.net (A)
DNS: enemydont.net (A)
DNS: sellsmall.net (A)
DNS: waitclock.net (A)
DNS: takeclock.net (A)
DNS: waitmake.net (A)
DNS: takemake.net (A)
DNS: waitrush.net (A)
DNS: triesfifth.net (A)
DNS: yourfifth.net (A)
DNS: triesshine.net (A)
DNS: yourshine.net (A)
DNS: triesdone.net (A)
DNS: yourdone.net (A)
DNS: triesknew.net (A)
DNS: yourknew.net (A)
DNS: lrstnfifth.net (A)
DNS: viewfifth.net (A)
DNS: lrstnshine.net (A)
DNS: viewshine.net (A)
DNS: lrstndone.net (A)
DNS: viewdone.net (A)
DNS: lrstnknew.net (A)
DNS: viewknew.net (A)
DNS: plantfifth.net (A)
DNS: fillfifth.net (A)
DNS: plantshine.net (A)
DNS: fillshine.net (A)
DNS: plantdone.net (A)
DNS: filldone.net (A)
DNS: plantknew.net (A)
DNS: fillknew.net (A)
DNS: sensefifth.net (A)
DNS: learnfifth.net (A)
DNS: senseshine.net (A)
DNS: learnshine.net (A)
DNS: sensedone.net (A)
DNS: learndone.net (A)
DNS: senseknew.net (A)
DNS: learnknew.net (A)
DNS: torefifth.net (A)
DNS: fallfifth.net (A)
DNS: toreshine.net (A)
DNS: fallshine.net (A)
DNS: toredone.net (A)
DNS: falldone.net (A)
DNS: toreknew.net (A)
DNS: fallknew.net (A)
DNS: weekfifth.net (A)
DNS: veryfifth.net (A)
DNS: weekshine.net (A)
DNS: veryshine.net (A)
DNS: weekdone.net (A)
DNS: verydone.net (A)
DNS: weekknew.net (A)
DNS: veryknew.net (A)
DNS: piecefifth.net (A)
DNS: muchfifth.net (A)
DNS: pieceshine.net (A)
DNS: muchshine.net (A)
DNS: piecedone.net (A)
DNS: muchdone.net (A)
DNS: pieceknew.net (A)
DNS: muchknew.net (A)
DNS: waitfifth.net (A)
DNS: takefifth.net (A)
DNS: waitshine.net (A)
DNS: takeshine.net (A)
DNS: waitdone.net (A)
DNS: takedone.net (A)
DNS: waitknew.net (A)
DNS: takeknew.net (A)
DNS: triesfeet.net (A)
DNS: trieseach.net (A)
DNS: youryesterday.net (A)
DNS: trieswedge.net (A)
DNS: yourwedge.net (A)
DNS: lrstnfeet.net (A)
DNS: viewfeet.net (A)
DNS: lrstneach.net (A)
DNS: vieweach.net (A)
DNS: lrstnyesterday.net (A)
DNS: viewyesterday.net (A)
DNS: lrstnwedge.net (A)
HTTP GET: http://saltsecond.net/index.php?method=validate&mode=sox&v=032&sox=40019801&lenhdr
User-Agent:
HTTP GET: http://wheelreply.net/index.php?method=validate&mode=sox&v=032&sox=40019801&lenhdr
User-Agent:
HTTP GET: http://takerush.net/index.php?method=validate&mode=sox&v=032&sox=40019801&lenhdr
User-Agent:
HTTP GET: http://yourfeet.net/index.php?method=validate&mode=sox&v=032&sox=40019801&lenhdr
User-Agent:
HTTP GET: http://youreach.net/index.php?method=validate&mode=sox&v=032&sox=40019801&lenhdr
User-Agent:
HTTP GET: http://triesyesterday.net/index.php?method=validate&mode=sox&v=032&sox=40019801&lenhdr
User-Agent:
HTTP GET: http://saltsecond.net/index.php?method=validate&mode=sox&v=032&sox=40019801&lenhdr
User-Agent:
HTTP GET: http://wheelreply.net/index.php?method=validate&mode=sox&v=032&sox=40019801&lenhdr
User-Agent:
HTTP GET: http://takerush.net/index.php?method=validate&mode=sox&v=032&sox=40019801&lenhdr
User-Agent:
HTTP GET: http://yourfeet.net/index.php?method=validate&mode=sox&v=032&sox=40019801&lenhdr
User-Agent:
HTTP GET: http://youreach.net/index.php?method=validate&mode=sox&v=032&sox=40019801&lenhdr
User-Agent:
HTTP GET: http://triesyesterday.net/index.php?method=validate&mode=sox&v=032&sox=40019801&lenhdr
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 74.220.199.6:80
Flows TCP: 192.168.1.1:1038 ➝ 8.5.1.30:80
Flows TCP: 192.168.1.1:1039 ➝ 50.63.202.11:80
Flows TCP: 192.168.1.1:1040 ➝ 184.168.221.104:80
Flows TCP: 192.168.1.1:1041 ➝ 63.236.74.25:80
Flows TCP: 192.168.1.1:1042 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1043 ➝ 74.220.199.6:80
Flows TCP: 192.168.1.1:1044 ➝ 8.5.1.30:80
Flows TCP: 192.168.1.1:1045 ➝ 50.63.202.11:80
Flows TCP: 192.168.1.1:1046 ➝ 184.168.221.104:80
Flows TCP: 192.168.1.1:1047 ➝ 63.236.74.25:80
Flows TCP: 192.168.1.1:1048 ➝ 95.211.230.75:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3226736f   ode=sox&v=032&so
0x00000030 (00048)   783d3430 30313938 3031266c 656e6864   x=40019801&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207361 6c747365 636f6e64 2e6e6574   : saltsecond.net
0x00000080 (00128)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3226736f   ode=sox&v=032&so
0x00000030 (00048)   783d3430 30313938 3031266c 656e6864   x=40019801&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207768 65656c72 65706c79 2e6e6574   : wheelreply.net
0x00000080 (00128)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3226736f   ode=sox&v=032&so
0x00000030 (00048)   783d3430 30313938 3031266c 656e6864   x=40019801&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207461 6b657275 73682e6e 65740d0a   : takerush.net..
0x00000080 (00128)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3226736f   ode=sox&v=032&so
0x00000030 (00048)   783d3430 30313938 3031266c 656e6864   x=40019801&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20796f 75726665 65742e6e 65740d0a   : yourfeet.net..
0x00000080 (00128)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3226736f   ode=sox&v=032&so
0x00000030 (00048)   783d3430 30313938 3031266c 656e6864   x=40019801&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20796f 75726561 63682e6e 65740d0a   : youreach.net..
0x00000080 (00128)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3226736f   ode=sox&v=032&so
0x00000030 (00048)   783d3430 30313938 3031266c 656e6864   x=40019801&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207472 69657379 65737465 72646179   : triesyesterday
0x00000080 (00128)   2e6e6574 0d0a0d0a                     .net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3226736f   ode=sox&v=032&so
0x00000030 (00048)   783d3430 30313938 3031266c 656e6864   x=40019801&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207361 6c747365 636f6e64 2e6e6574   : saltsecond.net
0x00000080 (00128)   0d0a0d0a 0d0a0d0a                     ........

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3226736f   ode=sox&v=032&so
0x00000030 (00048)   783d3430 30313938 3031266c 656e6864   x=40019801&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207768 65656c72 65706c79 2e6e6574   : wheelreply.net
0x00000080 (00128)   0d0a0d0a 0d0a0d0a                     ........

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3226736f   ode=sox&v=032&so
0x00000030 (00048)   783d3430 30313938 3031266c 656e6864   x=40019801&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207461 6b657275 73682e6e 65740d0a   : takerush.net..
0x00000080 (00128)   0d0a0d0a 0d0a0d0a                     ........

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3226736f   ode=sox&v=032&so
0x00000030 (00048)   783d3430 30313938 3031266c 656e6864   x=40019801&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20796f 75726665 65742e6e 65740d0a   : yourfeet.net..
0x00000080 (00128)   0d0a0d0a 0d0a0d0a                     ........

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3226736f   ode=sox&v=032&so
0x00000030 (00048)   783d3430 30313938 3031266c 656e6864   x=40019801&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a20796f 75726561 63682e6e 65740d0a   : youreach.net..
0x00000080 (00128)   0d0a0d0a 0d0a0d0a                     ........

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3226736f   ode=sox&v=032&so
0x00000030 (00048)   783d3430 30313938 3031266c 656e6864   x=40019801&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a207472 69657379 65737465 72646179   : triesyesterday
0x00000080 (00128)   2e6e6574 0d0a0d0a                     .net....


Strings