Analysis Date: 2015-09-29 17:03:46
MD5: 2c0f4941b450f0064df12c8b31997a5f
SHA1: 961c9211235acdbbaa9e5fb17bc0d56ee41a8bc5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: b40acdea895e2479a2fdbcf9c8c38882 sha1: 56d8c51c72306e1a8fc25160cde659faf7c15071 size: 973824
Section .rdata: md5: a79fd474b8c03252e6c4e77d7c36838f sha1: cd7877571807305f4291d01c3bbad713a9ff4fdb size: 31232
Section .data: md5: 3668515f1e46c596b5037f27b483d9ec sha1: b4181d5d14624e01cfc598281d764170cb624fe5 size: 117248
Timestamp: 2013-03-07 20:57:07
Packer: Microsoft Visual C++ ?.?
PEhash: c004abd6737b45c35a19b676a82ffe0b0817bb15
IMPhash: 5f4db9821e22985591aa9d48c2f3a1a2
AV Emsisoft: Gen:Variant.Kazy.164619
AV MalwareBytes: Trojan.Agent
AV Grisoft (avg): Generic_r.CDN
AV Ikarus: Trojan.Win32.Spy
AV BullGuard: Gen:Variant.Kazy.164619
AV MicroWorld (escan): Gen:Variant.Kazy.164619
AV K7: Backdoor ( 04c540d41 )
AV Symantec: Trojan.Bayrob!gen4
AV Twister: Virus.CB0000E978FEFFFF50.mg
AV Rising: no_virus
AV Alwil (avast): Downloader-TLD [Trj]
AV F-Secure: Gen:Variant.Kazy.164619
AV CA (E-Trust Ino): Win32/Tnega.XAMV!suspicious
AV Authentium: W32/Symmi.G.gen!Eldorado
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AE
AV BitDefender: Gen:Variant.Kazy.164619
AV Fortinet: W32/Bayrob.N!tr
AV Eset (nod32): Win32/Bayrob.N.Gen
AV Ad-Aware: Gen:Variant.Kazy.164619
AV Avira (antivir): BDS/Zegost.Gen
AV Mcafee: no_virus
AV Frisk (f-prot): W32/Symmi.G.gen!Eldorado
AV CAT (quickheal): no_virus
AV Trend Micro: TSPY_NIVDORT.SM
AV VirusBlokAda (vba32): no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Padvish: no_virus
AV Dr. Web: Trojan.DownLoader9.26795
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.164619
AV Zillya!: Trojan.Bayrob.Win32.1504

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\aqjbel31kq3mmvdiooz.exe
Creates File: C:\WINDOWS\system32\pujxhbhm\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\aqjbel31kq3mmvdiooz.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\aqjbel31kq3mmvdiooz.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Shadow Credential Notification ActiveX ➝ C:\WINDOWS\system32\wpvqzmlf.exe
Creates File: C:\WINDOWS\system32\wpvqzmlf.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\pujxhbhm\lck
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\wpvqzmlf.exe
Creates File: C:\WINDOWS\system32\pujxhbhm\tst
Creates File: C:\WINDOWS\system32\pujxhbhm\etc
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\wpvqzmlf.exe
Creates Service: Color Awareness Grouping List Engine - C:\WINDOWS\system32\wpvqzmlf.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 820

Process
↳ Pid 864

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1220

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\wpvqzmlf.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\gwhkjoab.exe
Creates File: C:\WINDOWS\system32\pujxhbhm\tst
Creates File: C:\WINDOWS\system32\pujxhbhm\cfg
Creates File: C:\WINDOWS\system32\pujxhbhm\lck
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\TEMP\aqjbel31q80mms.exe
Creates File: C:\WINDOWS\system32\pujxhbhm\run
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\pujxhbhm\rng
Creates Process: WATCHDOGPROC "c:\windows\system32\wpvqzmlf.exe"
Creates Process: C:\WINDOWS\TEMP\aqjbel31q80mms.exe -r 38537 tcp

Process
↳ C:\WINDOWS\system32\wpvqzmlf.exe

Creates File: C:\WINDOWS\system32\pujxhbhm\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\wpvqzmlf.exe"

Creates File: C:\WINDOWS\system32\pujxhbhm\tst

Process
↳ C:\WINDOWS\TEMP\aqjbel31q80mms.exe -r 38537 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

