Analysis Date: 2015-09-29 17:39:08
MD5: 39d2eb26d76f405d9af572becf8f9d51
SHA1: 9973736ad8a54ff1c17c5f5b6a8fa8f29986d352

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 0483b8173e3aa3ff38f9c40183dc7960, sha1 f48f3e47dd73457e13bf746019647f6a552437d3, size 977920
Section .rdata: md5 f8ab812a94419f34ebc4919831efdc28, sha1 b0ca51221e4ac76663f451f0041e5e49cdf4d464, size 31232
Section .data: md5 f19145f2325a23d626cb34574f3b74ba, sha1 d60f8116819717e8e64d220e9bbc7b1348722e30, size 117248
Timestamp: 2013-03-13 20:02:37
Packer: Microsoft Visual C++ ?.?
PEhash: f3af4693e80643df1eff31404eda3a5b2b56d2e4
IMPhash: 58f8146d362c069f4a538b7d8780b7e8
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): BDS/Zegost.Gen
AV Twister: Virus.CB0000E978FEFFFF50.mg
AV Ad-Aware: Gen:Variant.Kazy.164619
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Bayrob.N.Gen
AV Grisoft (avg): Generic_r.CDN
AV Symantec: Trojan.Bayrob!gen4
AV Fortinet: W32/Bayrob.N!tr
AV BitDefender: Gen:Variant.Kazy.164619
AV K7: Backdoor ( 04c540d41 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AE
AV MicroWorld (escan): Gen:Variant.Kazy.164619
AV MalwareBytes: Trojan.Agent
AV Authentium: W32/Symmi.G.gen!Eldorado
AV Frisk (f-prot): W32/Symmi.G.gen!Eldorado
AV Ikarus: Trojan.Win32.Spy
AV Emsisoft: Gen:Variant.Kazy.164619
AV Zillya!: Trojan.Bayrob.Win32.1505
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TSPY_NIVDORT.SM
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.164619
AV Arcabit (arcavir): Gen:Variant.Kazy.164619
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader9.23449
AV F-Secure: Gen:Variant.Kazy.164619
AV CA (E-Trust Ino): Win32/Tnega.XAMV!suspicious

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\pujxhbhm\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\fymrso1lg5wwmwqdxss.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\fymrso1lg5wwmwqdxss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\fymrso1lg5wwmwqdxss.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Shadow Credential Notification ActiveX ➝ C:\WINDOWS\system32\wpvqzmlf.exe
Creates File: C:\WINDOWS\system32\wpvqzmlf.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\pujxhbhm\lck
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\wpvqzmlf.exe
Creates File: C:\WINDOWS\system32\pujxhbhm\tst
Creates File: C:\WINDOWS\system32\pujxhbhm\etc
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\wpvqzmlf.exe
Creates Service: Color Awareness Grouping List Engine - C:\WINDOWS\system32\wpvqzmlf.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1132

Process
↳ C:\WINDOWS\system32\wpvqzmlf.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\fymrso1pl0wwma.exe
Creates File: C:\WINDOWS\system32\gwhkjoab.exe
Creates File: C:\WINDOWS\system32\pujxhbhm\tst
Creates File: C:\WINDOWS\system32\pujxhbhm\cfg
Creates File: C:\WINDOWS\system32\pujxhbhm\lck
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\pujxhbhm\run
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\pujxhbhm\rng
Creates Process: C:\WINDOWS\TEMP\fymrso1pl0wwma.exe -r 41853 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\wpvqzmlf.exe"

Process
↳ C:\WINDOWS\system32\wpvqzmlf.exe

Creates File: C:\WINDOWS\system32\pujxhbhm\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\wpvqzmlf.exe"

Creates File: C:\WINDOWS\system32\pujxhbhm\tst

Process
↳ C:\WINDOWS\TEMP\fymrso1pl0wwma.exe -r 41853 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250
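The runtime chain above is a textbook persistence set: a Run key and a service both pointing at a random eight-letter executable dropped into system32, a second copy in the Startup folder, the hosts file deleted and recreated, FirewallDisableNotify set to 1, and a WATCHDOGPROC relaunch of the same binary. The following triage rules are an added example and are not part of the sandbox report: the event records in SAMPLE_EVENTS are constructed to mirror the report, and the event kinds, field names and rule names are this example's own convention rather than any EDR's schema.

```python
"""Triage rules for the persistence chain seen in the report above.
Added example, not sandbox output: SAMPLE_EVENTS is constructed to mirror
the report, and the event/field/rule names are this example's own."""
import re

SYSTEM32 = "c:\\windows\\system32\\"
RUN_KEY = ("hkey_local_machine\\software\\microsoft\\windows\\"
           "currentversion\\run\\")
FIREWALL_NOTIFY = ("hkey_local_machine\\software\\microsoft\\"
                   "security center\\firewalldisablenotify")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
HOSTS_FILE = "\\drivers\\etc\\hosts"
# wpvqzmlf.exe, gwhkjoab.exe, pujxhbhm: eight lowercase letters, no meaning
RANDOM_NAME = re.compile(r"^[a-z]{8}(\.exe)?$")


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def _random_system32_exe(path):
    p = path.lower()
    return p.startswith(SYSTEM32) and RANDOM_NAME.match(_basename(p)) is not None


def check_event(ev):
    """Return the names of every rule the event trips (possibly none)."""
    hits = []
    kind = ev["event"]
    if kind == "reg_set":
        key = ev["key"].lower()
        if key.startswith(RUN_KEY) and _random_system32_exe(ev["value"]):
            hits.append("run_key_random_system32_exe")
        if key == FIREWALL_NOTIFY and str(ev["value"]) == "1":
            hits.append("firewall_notify_disabled")
    elif kind == "file_create":
        p = ev["path"].lower()
        if STARTUP_DIR in p and p.endswith(".exe"):
            hits.append("startup_folder_exe")
        if p.endswith(HOSTS_FILE):
            hits.append("hosts_file_written")
        if _random_system32_exe(p):
            hits.append("random_exe_in_system32")
    elif kind == "service_create":
        if _random_system32_exe(ev["image"]):
            hits.append("service_random_system32_exe")
    elif kind == "process_create":
        if ev["cmdline"].upper().startswith("WATCHDOGPROC "):
            hits.append("watchdog_relaunch")
    return hits


def triage(events):
    """Count how many events tripped each rule."""
    counts = {}
    for ev in events:
        for name in check_event(ev):
            counts[name] = counts.get(name, 0) + 1
    return counts


def looks_like_this_chain(events, min_distinct_rules=3):
    """Any single rule fires on benign software too; the chain is the signal."""
    return len(triage(events)) >= min_distinct_rules


# Constructed to mirror the report's second and third processes, plus two
# benign events to show the rules stay quiet on ordinary activity.
SAMPLE_EVENTS = [
    {"event": "reg_set",
     "key": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
            "\\Run\\Shadow Credential Notification ActiveX",
     "value": "C:\\WINDOWS\\system32\\wpvqzmlf.exe"},
    {"event": "file_create", "path": "C:\\WINDOWS\\system32\\wpvqzmlf.exe"},
    {"event": "file_create", "path": "C:\\WINDOWS\\system32\\drivers\\etc\\hosts"},
    {"event": "file_create", "path": "C:\\Documents and Settings\\Administrator"
                                     "\\Start Menu\\Programs\\Startup\\wpvqzmlf.exe"},
    {"event": "service_create", "name": "Color Awareness Grouping List Engine",
     "image": "C:\\WINDOWS\\system32\\wpvqzmlf.exe"},
    {"event": "reg_set",
     "key": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Security Center"
            "\\FirewallDisableNotify", "value": "1"},
    {"event": "process_create",
     "cmdline": 'WATCHDOGPROC "c:\\windows\\system32\\wpvqzmlf.exe"'},
    {"event": "file_create",
     "path": "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\printer.dll"},
    {"event": "reg_set",
     "key": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "value": "C:\\Program Files\\Updater\\updater.exe"},
]

if __name__ == "__main__":
    for rule, n in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{rule}: {n}")
    print("chain detected:", looks_like_this_chain(SAMPLE_EVENTS))
```

The threshold in looks_like_this_chain is the point: a Run key into system32 or a rewritten hosts file each has legitimate causes, but several of these rules firing for the same host in one session is the pattern this sample leaves behind. The eight-lowercase-letter name check is tuned to this report's dropped names and will not transfer to samples that pick a different naming scheme.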

Network Details:

DNS mojoguia.com (A): 204.11.56.48
DNS villemojo.com (A): 209.99.40.223
DNS cloudelse.net (A): 195.22.26.252
DNS cloudelse.net (A): 195.22.26.253
DNS cloudelse.net (A): 195.22.26.254
DNS cloudelse.net (A): 195.22.26.231
DNS withheld.net (A): 69.172.201.208
DNS quicksleep.net (A): 8.5.1.51
DNS meatsleep.net (A): 95.211.230.75
DNS cloudrain.net (A): 217.131.129.11
DNS dominoclub-grup.com (A): no address recorded
DNS elementarimagine.com (A): no address recorded
DNS jarybuter.com (A): no address recorded
DNS mojositio.com (A): no address recorded
DNS aminastol.com (A): no address recorded
DNS meatelse.net (A): no address recorded
DNS sickelse.net (A): no address recorded
DNS meatimportant.net (A): no address recorded
DNS sickimportant.net (A): no address recorded
DNS cloudfine.net (A): no address recorded
DNS darkfine.net (A): no address recorded
DNS cloudnice.net (A): no address recorded
DNS darknice.net (A): no address recorded
DNS darkelse.net (A): no address recorded
DNS cloudimportant.net (A): no address recorded
DNS darkimportant.net (A): no address recorded
DNS milksleep.net (A): no address recorded
DNS triedsleep.net (A): no address recorded
DNS milkheight.net (A): no address recorded
DNS triedheight.net (A): no address recorded
DNS milkheld.net (A): no address recorded
DNS triedheld.net (A): no address recorded
DNS milkrain.net (A): no address recorded
DNS triedrain.net (A): no address recorded
DNS withsleep.net (A): no address recorded
DNS dutysleep.net (A): no address recorded
DNS withheight.net (A): no address recorded
DNS dutyheight.net (A): no address recorded
DNS dutyheld.net (A): no address recorded
DNS withrain.net (A): no address recorded
DNS dutyrain.net (A): no address recorded
DNS thesesleep.net (A): no address recorded
DNS sightsleep.net (A): no address recorded
DNS theseheight.net (A): no address recorded
DNS sightheight.net (A): no address recorded
DNS theseheld.net (A): no address recorded
DNS sightheld.net (A): no address recorded
DNS theserain.net (A): no address recorded
DNS sightrain.net (A): no address recorded
DNS casesleep.net (A): no address recorded
DNS headsleep.net (A): no address recorded
DNS caseheight.net (A): no address recorded
DNS headheight.net (A): no address recorded
DNS caseheld.net (A): no address recorded
DNS headheld.net (A): no address recorded
DNS caserain.net (A): no address recorded
DNS headrain.net (A): no address recorded
DNS thensleep.net (A): no address recorded
DNS quickheight.net (A): no address recorded
DNS thenheight.net (A): no address recorded
DNS quickheld.net (A): no address recorded
DNS thenheld.net (A): no address recorded
DNS quickrain.net (A): no address recorded
DNS thenrain.net (A): no address recorded
DNS sundaysleep.net (A): no address recorded
DNS mostsleep.net (A): no address recorded
DNS sundayheight.net (A): no address recorded
DNS mostheight.net (A): no address recorded
DNS sundayheld.net (A): no address recorded
DNS mostheld.net (A): no address recorded
DNS sundayrain.net (A): no address recorded
DNS mostrain.net (A): no address recorded
DNS sicksleep.net (A): no address recorded
DNS meatheight.net (A): no address recorded
DNS sickheight.net (A): no address recorded
DNS meatheld.net (A): no address recorded
DNS sickheld.net (A): no address recorded
DNS meatrain.net (A): no address recorded
DNS sickrain.net (A): no address recorded
DNS cloudsleep.net (A): no address recorded
DNS darksleep.net (A): no address recorded
DNS cloudheight.net (A): no address recorded
DNS darkheight.net (A): no address recorded
DNS cloudheld.net (A): no address recorded
DNS darkheld.net (A): no address recorded
DNS darkrain.net (A): no address recorded
DNS milkhello.net (A): no address recorded
DNS triedhello.net (A): no address recorded
DNS milkmine.net (A): no address recorded
DNS triedmine.net (A): no address recorded
DNS milklive.net (A): no address recorded
DNS triedlive.net (A): no address recorded
DNS milkserve.net (A): no address recorded
DNS triedserve.net (A): no address recorded
DNS withhello.net (A): no address recorded
HTTP GET http://mojoguia.com/forum/search.php?method=validate&mode=sox&v=003&sox=2c220600 (User-Agent: empty)
HTTP GET http://villemojo.com/forum/search.php?method=validate&mode=sox&v=003&sox=2c220600 (User-Agent: empty)
HTTP GET http://cloudelse.net/forum/search.php?method=validate&mode=sox&v=003&sox=2c220600 (User-Agent: empty)
HTTP GET http://withheld.net/forum/search.php?method=validate&mode=sox&v=003&sox=2c220600 (User-Agent: empty)
HTTP GET http://quicksleep.net/forum/search.php?method=validate&mode=sox&v=003&sox=2c220600 (User-Agent: empty)
HTTP GET http://meatsleep.net/forum/search.php?method=validate&mode=sox&v=003&sox=2c220600 (User-Agent: empty)
HTTP GET http://cloudrain.net/forum/search.php?method=validate&mode=sox&v=003&sox=2c220600 (User-Agent: empty)
HTTP GET http://mojoguia.com/forum/search.php?method=validate&mode=sox&v=003&sox=2c220600 (User-Agent: empty)
HTTP GET http://villemojo.com/forum/search.php?method=validate&mode=sox&v=003&sox=2c220600 (User-Agent: empty)
HTTP GET http://cloudelse.net/forum/search.php?method=validate&mode=sox&v=003&sox=2c220600 (User-Agent: empty)
HTTP GET http://withheld.net/forum/search.php?method=validate&mode=sox&v=003&sox=2c220600 (User-Agent: empty)
HTTP GET http://quicksleep.net/forum/search.php?method=validate&mode=sox&v=003&sox=2c220600 (User-Agent: empty)
HTTP GET http://meatsleep.net/forum/search.php?method=validate&mode=sox&v=003&sox=2c220600 (User-Agent: empty)
HTTP GET http://cloudrain.net/forum/search.php?method=validate&mode=sox&v=003&sox=2c220600 (User-Agent: empty)
Flow TCP 192.168.1.1:1037 ➝ 204.11.56.48:80
Flow TCP 192.168.1.1:1038 ➝ 209.99.40.223:80
Flow TCP 192.168.1.1:1039 ➝ 195.22.26.252:80
Flow TCP 192.168.1.1:1040 ➝ 69.172.201.208:80
Flow TCP 192.168.1.1:1041 ➝ 8.5.1.51:80
Flow TCP 192.168.1.1:1042 ➝ 95.211.230.75:80
Flow TCP 192.168.1.1:1043 ➝ 217.131.129.11:80
Flow TCP 192.168.1.1:1044 ➝ 204.11.56.48:80
Flow TCP 192.168.1.1:1045 ➝ 209.99.40.223:80
Flow TCP 192.168.1.1:1046 ➝ 195.22.26.252:80
Flow TCP 192.168.1.1:1047 ➝ 69.172.201.208:80
Flow TCP 192.168.1.1:1048 ➝ 8.5.1.51:80
Flow TCP 192.168.1.1:1049 ➝ 95.211.230.75:80
Flow TCP 192.168.1.1:1050 ➝ 217.131.129.11:80
Flow TCP 192.168.1.1:1060 ➝ 173.243.255.79:443
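Two things in the network section are worth turning into checks: every .net hostname above is two short English words glued together (cloud+else, with+held, quick+sleep, ...), and every request that did go out is the same GET to /forum/search.php with method=validate, mode=sox, v=003, the same eight-hex-digit sox value, and an empty User-Agent, sent to each resolved host in turn and then repeated. The code below is an added example and not part of the sandbox report: SAMPLE_LOG is a constructed proxy-log shape that mirrors the first seven GETs, and the FIRST/SECOND word lists are only the halves of the .net names this sandbox run happened to query, not the malware's real dictionary (an assumption that limits the heuristic to names built from those words).

```python
"""Checks for the beacon and hostname patterns in the network section above.
Added example, not sandbox output: SAMPLE_LOG is constructed to mirror the
report's HTTP GETs, and the word lists are only the halves of the .net names
the sandbox saw, not the malware's real dictionary (an assumption)."""
import re
from urllib.parse import urlsplit, parse_qs

FIRST = {"cloud", "dark", "milk", "tried", "with", "duty", "these", "sight",
         "case", "head", "then", "quick", "sunday", "most", "sick", "meat"}
SECOND = {"else", "important", "fine", "nice", "sleep", "height", "held",
          "rain", "hello", "mine", "live", "serve"}
SOX_ID = re.compile(r"^[0-9a-f]{8}$")  # sox=2c220600 in every request


def is_two_word_host(host):
    """True when the second-level label splits into FIRST + SECOND."""
    labels = host.lower().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return any(label.startswith(a) and label[len(a):] in SECOND for a in FIRST)


def is_beacon(url, user_agent):
    """The validate/sox query exactly as captured, sent with no User-Agent."""
    u = urlsplit(url)
    if u.path != "/forum/search.php":
        return False
    q = parse_qs(u.query)
    sox = q.get("sox", [])
    return (q.get("method") == ["validate"] and q.get("mode") == ["sox"]
            and q.get("v") == ["003"] and len(sox) == 1
            and SOX_ID.match(sox[0]) is not None and user_agent.strip() == "")


def parse_line(line):
    """Constructed proxy-log shape: ts, client, method, url, user-agent (tabs)."""
    ts, client, method, url, ua = line.rstrip("\n").split("\t")
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def analyse(lines):
    """Group beacon hosts by sox id and collect two-word hostnames."""
    beacons = {}   # sox id -> hosts that received it
    two_word = set()
    for rec in map(parse_line, lines):
        host = urlsplit(rec["url"]).hostname or ""
        if is_two_word_host(host):
            two_word.add(host)
        if rec["method"] == "GET" and is_beacon(rec["url"], rec["ua"]):
            sox = parse_qs(urlsplit(rec["url"]).query)["sox"][0]
            beacons.setdefault(sox, set()).add(host)
    return beacons, two_word


BEACON_QUERY = "/forum/search.php?method=validate&mode=sox&v=003&sox=2c220600"
# Constructed: the report's first round of GETs (empty UA), then two benign
# requests that share the path or the host shape but not the full pattern.
SAMPLE_LOG = [
    f"2015-09-29T17:40:0{i}\t192.168.1.1\tGET\thttp://{h}{BEACON_QUERY}\t"
    for i, h in enumerate(["mojoguia.com", "villemojo.com", "cloudelse.net",
                           "withheld.net", "quicksleep.net", "meatsleep.net",
                           "cloudrain.net"])
] + [
    "2015-09-29T17:40:08\t192.168.1.1\tGET\t"
    "http://forum.example.org/forum/search.php?keywords=hosts+file\tMozilla/5.0",
    "2015-09-29T17:40:09\t192.168.1.1\tGET\thttp://www.example.com/\tMozilla/5.0",
]

if __name__ == "__main__":
    beacons, two_word = analyse(SAMPLE_LOG)
    for sox, hosts in beacons.items():
        print(f"sox={sox} sent to {len(hosts)} hosts: {sorted(hosts)}")
    print("two-word hostnames:", sorted(two_word))
```

The beacon check is the stronger signal: one client sending the identical validate/sox query with an empty User-Agent to seven unrelated hosts in a row is the behaviour recorded above, whereas the two-word hostname heuristic on its own will also catch legitimate names such as withheld.net and should only raise the priority of a host that already matched the query.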
