Analysis Date: 2015-10-10 23:01:52
MD5: c6ae4ea6c62668eaaf6b84960c86c0f0
SHA1: a41412f235e9961f03726393c63adb7b8e253893

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 a2d3ac8fe57ef4ef8bcea267bb9f087f, sha1 e58d39ffeba99c74de87ee1036818237ddb91d20, size 788992
Section .rdata: md5 e38f42abeb48c92f3b9bc666375e3282, sha1 2d04c6399dccba543a85ab7798235a29275375c2, size 59392
Section .data: md5 d30a782cb8dcd2b7c737a0a9bd4a8baa, sha1 193a657ed74665265ed6a96f71e64d3b700dc4ab, size 409088
Timestamp: 2014-09-05 10:43:48
Packer: Microsoft Visual C++ ?.?
PEhash: 42c5b6fdf62774fc8204341e6827ae3861f408b2
IMPhash: 705808da4441443218bac4b0e4cb6bde
AV Frisk (f-prot): no_virus
AV Padvish: no_virus
AV CAT (quickheal): no_virus
AV CA (E-Trust Ino): no_virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Alwil (avast): Kryptik-OSY [Trj]
AV MalwareBytes: Trojan.FakePDF
AV Zillya!: no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AE
AV Ikarus: Win32.Cryptor
AV Avira (antivir): TR/Crypt.Xpack.285346
AV Mcafee: no_virus
AV Grisoft (avg): Win32/Cryptor
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Fortinet: W32/Kryptik.DDQD!tr
AV Rising: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Dr. Web: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Eset (nod32): Win32/Kryptik.DXVJ
AV F-Secure: Gen:Variant.Symmi.22722
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV Twister: no_virus
AV VirusBlokAda (vba32): no_virus
AV BitDefender: Gen:Variant.Symmi.22722
AV Emsisoft: Gen:Variant.Symmi.22722
AV Symantec: Downloader.Upatre!g15
AV Trend Micro: TROJ_WONTON.SMJ1
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV K7: Trojan ( 004cd0081 )

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\f6yaacbp1kvqza3niwy9lh10.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\f6yaacbp1kvqza3niwy9lh10.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\f6yaacbp1kvqza3niwy9lh10.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Resolution Thread Detection Notification ➝ C:\WINDOWS\system32\iwjdgrljrpb.exe
Creates File: C:\WINDOWS\system32\iwjdgrljrpb.exe
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\lck
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\etc
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\iwjdgrljrpb.exe
Creates Service: Extensible Configuration TPM - C:\WINDOWS\system32\iwjdgrljrpb.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1860

Process
↳ Pid 1128

Process
↳ C:\WINDOWS\system32\iwjdgrljrpb.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\jsbodphxuneu.exe
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\cfg
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\rng
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\lck
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\run
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\TEMP\f6yaacbp1ro3za3ni.exe
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\TEMP\f6yaacbp1ro3za3ni.exe -r 47949 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\iwjdgrljrpb.exe"

Process
↳ C:\WINDOWS\system32\iwjdgrljrpb.exe

Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\iwjdgrljrpb.exe"

Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst

Process
↳ C:\WINDOWS\TEMP\f6yaacbp1ro3za3ni.exe -r 47949 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250 (the SSDP multicast address)
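The runtime section above shows one dropped binary (iwjdgrljrpb.exe) registered for autostart twice, as a Run value and as a service, relaunched through a WATCHDOGPROC command line, keeping small state files (lck, tst, cfg, rng, run) in a random-named system32 subdirectory, rewriting the hosts file and setting FirewallDisableNotify. The Python below is an added example (editor's code, not part of the sandbox output or of the sample) that parses those report lines and flags each of those behaviours. The rule names, the ATT&CK mapping, and the assumption that three or more of those state files in one system32 subdirectory mark a working directory are the editor's; the input is a constructed subset of the report in "Label: value" form.

```python
import re
from collections import defaultdict

# Constructed subset of the runtime lines from this report ("Label: value" form);
# paths and names are the sample's own, as logged by the sandbox.
REPORT = r"""
Process: C:\malware.exe
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst
Process: C:\Documents and Settings\Administrator\Local Settings\Temp\f6yaacbp1kvqza3niwy9lh10.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Resolution Thread Detection Notification ➝ C:\WINDOWS\system32\iwjdgrljrpb.exe
Creates File: C:\WINDOWS\system32\iwjdgrljrpb.exe
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\lck
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates Service: Extensible Configuration TPM - C:\WINDOWS\system32\iwjdgrljrpb.exe
Process: C:\WINDOWS\system32\iwjdgrljrpb.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\cfg
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\rng
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\run
Creates Process: C:\WINDOWS\TEMP\f6yaacbp1ro3za3ni.exe -r 47949 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\iwjdgrljrpb.exe"
"""

LINE = re.compile(r"^(Process|Creates File|Creates Process|Creates Service|Registry):\s*(.*)$")
SYSTEM32 = "c:\\windows\\system32"
STATE_NAMES = {"lck", "tst", "cfg", "rng", "run", "etc"}  # small state files seen in the report


def parse_events(text):
    """Turn report lines into events, remembering which process block each line sits in."""
    events, proc = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        kind, value = m.groups()
        if kind == "Process":
            proc = value
        else:
            events.append({"process": proc, "kind": kind, "value": value})
    return events


def find_persistence(events):
    """Apply the behaviour rules. ATT&CK IDs are the editor's mapping, not the sandbox's."""
    findings, state_dirs = [], defaultdict(set)
    for ev in events:
        kind, v, low = ev["kind"], ev["value"], ev["value"].lower()
        hit = {"process": ev["process"], "value": v}
        if kind == "Registry":
            key, _, data = v.partition(" ➝ ")
            if "\\currentversion\\run\\" in key.lower():
                hit.update(rule="run_key", technique="T1547.001",
                           name=key.rsplit("\\", 1)[-1], image=data.strip())
            elif key.lower().endswith("\\security center\\firewalldisablenotify") and data.strip() == "1":
                hit.update(rule="firewall_notify_off", technique="T1562")
            else:
                continue
        elif kind == "Creates Service":
            name, _, image = v.partition(" - ")
            hit.update(rule="service", technique="T1543.003", name=name, image=image.strip())
        elif kind == "Creates File":
            directory, _, base = v.rpartition("\\")
            if low.endswith("\\drivers\\etc\\hosts"):
                hit.update(rule="hosts_file_write")
            elif directory.lower() == SYSTEM32 and low.endswith(".exe"):
                hit.update(rule="exe_dropped_in_system32", image=v)
            elif directory.lower().startswith(SYSTEM32 + "\\") and base.lower() in STATE_NAMES:
                state_dirs[directory].add(base.lower())  # collected, reported once per directory
                continue
            else:
                continue
        elif kind == "Creates Process" and v.upper().startswith("WATCHDOGPROC "):
            hit.update(rule="watchdog_process", image=v.split(" ", 1)[1].strip('"'))
        elif kind == "Creates Process" and "\\temp\\" in low and re.search(r" -r \d+ (tcp|udp)$", low):
            hit.update(rule="temp_exe_with_port_arg")
        else:
            continue
        findings.append(hit)
    for directory, names in state_dirs.items():
        if len(names) >= 3:  # editor's threshold for calling a directory a working directory
            findings.append({"rule": "state_dir", "dir": directory, "files": sorted(names)})
    return findings


def persistence_images(findings):
    """Binaries that at least one autostart mechanism (Run value or service) points at."""
    return {f["image"].lower() for f in findings if f["rule"] in ("run_key", "service")}


if __name__ == "__main__":
    for finding in find_persistence(parse_events(REPORT)):
        print(finding)
```

Run against this report, `persistence_images` returns a single path, which is the practical takeaway: two autostart mechanisms and a watchdog all guard the same binary, so removing only the Run value leaves the service and the watchdog in place.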

Network Details:

DNS: saltsecond.net (A) ➝ 74.220.199.6
DNS: saltrain.net (A) ➝ 208.73.211.70
DNS: grouprain.net (A) ➝ 208.100.26.234
DNS: dreamsleep.net (A) ➝ 87.106.242.29
DNS: southblood.net (A) ➝ (no answer recorded)
DNS: enemydont.net (A) ➝ (no answer recorded)
DNS: sellsmall.net (A) ➝ (no answer recorded)
DNS: wheelreply.net (A) ➝ (no answer recorded)
DNS: watchimportant.net (A) ➝ (no answer recorded)
DNS: fairimportant.net (A) ➝ (no answer recorded)
DNS: dreamfine.net (A) ➝ (no answer recorded)
DNS: thisfine.net (A) ➝ (no answer recorded)
DNS: dreamnice.net (A) ➝ (no answer recorded)
DNS: thisnice.net (A) ➝ (no answer recorded)
DNS: dreamelse.net (A) ➝ (no answer recorded)
DNS: thiselse.net (A) ➝ (no answer recorded)
DNS: dreamimportant.net (A) ➝ (no answer recorded)
DNS: thisimportant.net (A) ➝ (no answer recorded)
DNS: arivesleep.net (A) ➝ (no answer recorded)
DNS: southsleep.net (A) ➝ (no answer recorded)
DNS: ariveheight.net (A) ➝ (no answer recorded)
DNS: southheight.net (A) ➝ (no answer recorded)
DNS: ariveheld.net (A) ➝ (no answer recorded)
DNS: southheld.net (A) ➝ (no answer recorded)
DNS: ariverain.net (A) ➝ (no answer recorded)
DNS: southrain.net (A) ➝ (no answer recorded)
DNS: uponsleep.net (A) ➝ (no answer recorded)
DNS: whichsleep.net (A) ➝ (no answer recorded)
DNS: uponheight.net (A) ➝ (no answer recorded)
DNS: whichheight.net (A) ➝ (no answer recorded)
DNS: uponheld.net (A) ➝ (no answer recorded)
DNS: whichheld.net (A) ➝ (no answer recorded)
DNS: uponrain.net (A) ➝ (no answer recorded)
DNS: whichrain.net (A) ➝ (no answer recorded)
DNS: spotsleep.net (A) ➝ (no answer recorded)
DNS: saltsleep.net (A) ➝ (no answer recorded)
DNS: spotheight.net (A) ➝ (no answer recorded)
DNS: saltheight.net (A) ➝ (no answer recorded)
DNS: spotheld.net (A) ➝ (no answer recorded)
DNS: saltheld.net (A) ➝ (no answer recorded)
DNS: spotrain.net (A) ➝ (no answer recorded)
DNS: gladsleep.net (A) ➝ (no answer recorded)
DNS: takensleep.net (A) ➝ (no answer recorded)
DNS: gladheight.net (A) ➝ (no answer recorded)
DNS: takenheight.net (A) ➝ (no answer recorded)
DNS: gladheld.net (A) ➝ (no answer recorded)
DNS: takenheld.net (A) ➝ (no answer recorded)
DNS: gladrain.net (A) ➝ (no answer recorded)
DNS: takenrain.net (A) ➝ (no answer recorded)
DNS: equalsleep.net (A) ➝ (no answer recorded)
DNS: groupsleep.net (A) ➝ (no answer recorded)
DNS: equalheight.net (A) ➝ (no answer recorded)
DNS: groupheight.net (A) ➝ (no answer recorded)
DNS: equalheld.net (A) ➝ (no answer recorded)
DNS: groupheld.net (A) ➝ (no answer recorded)
DNS: equalrain.net (A) ➝ (no answer recorded)
DNS: spokesleep.net (A) ➝ (no answer recorded)
DNS: visitsleep.net (A) ➝ (no answer recorded)
DNS: spokeheight.net (A) ➝ (no answer recorded)
DNS: visitheight.net (A) ➝ (no answer recorded)
DNS: spokeheld.net (A) ➝ (no answer recorded)
DNS: visitheld.net (A) ➝ (no answer recorded)
DNS: spokerain.net (A) ➝ (no answer recorded)
DNS: visitrain.net (A) ➝ (no answer recorded)
DNS: watchsleep.net (A) ➝ (no answer recorded)
DNS: fairsleep.net (A) ➝ (no answer recorded)
DNS: watchheight.net (A) ➝ (no answer recorded)
DNS: fairheight.net (A) ➝ (no answer recorded)
DNS: watchheld.net (A) ➝ (no answer recorded)
DNS: fairheld.net (A) ➝ (no answer recorded)
DNS: watchrain.net (A) ➝ (no answer recorded)
DNS: fairrain.net (A) ➝ (no answer recorded)
DNS: thissleep.net (A) ➝ (no answer recorded)
DNS: dreamheight.net (A) ➝ (no answer recorded)
DNS: thisheight.net (A) ➝ (no answer recorded)
DNS: dreamheld.net (A) ➝ (no answer recorded)
DNS: thisheld.net (A) ➝ (no answer recorded)
DNS: dreamrain.net (A) ➝ (no answer recorded)
DNS: thisrain.net (A) ➝ (no answer recorded)
DNS: arivehello.net (A) ➝ (no answer recorded)
DNS: southhello.net (A) ➝ (no answer recorded)
DNS: arivemine.net (A) ➝ (no answer recorded)
DNS: southmine.net (A) ➝ (no answer recorded)
DNS: arivelive.net (A) ➝ (no answer recorded)
DNS: southlive.net (A) ➝ (no answer recorded)
DNS: ariveserve.net (A) ➝ (no answer recorded)
DNS: southserve.net (A) ➝ (no answer recorded)
DNS: uponhello.net (A) ➝ (no answer recorded)
DNS: whichhello.net (A) ➝ (no answer recorded)
DNS: uponmine.net (A) ➝ (no answer recorded)
HTTP GET: http://saltsecond.net/index.php?method=validate&mode=sox&v=031&sox=3ca05000 (no User-Agent header sent; see Raw Pcap)
HTTP GET: http://saltrain.net/index.php?method=validate&mode=sox&v=031&sox=3ca05000 (no User-Agent header sent; see Raw Pcap)
HTTP GET: http://grouprain.net/index.php?method=validate&mode=sox&v=031&sox=3ca05000 (no User-Agent header sent; see Raw Pcap)
HTTP GET: http://dreamsleep.net/index.php?method=validate&mode=sox&v=031&sox=3ca05000 (no User-Agent header sent; see Raw Pcap)
HTTP GET: http://saltsecond.net/index.php?method=validate&mode=sox&v=031&sox=3ca05000 (no User-Agent header sent; see Raw Pcap)
HTTP GET: http://saltrain.net/index.php?method=validate&mode=sox&v=031&sox=3ca05000 (no User-Agent header sent; see Raw Pcap)
HTTP GET: http://grouprain.net/index.php?method=validate&mode=sox&v=031&sox=3ca05000 (no User-Agent header sent; see Raw Pcap)
HTTP GET: http://dreamsleep.net/index.php?method=validate&mode=sox&v=031&sox=3ca05000 (no User-Agent header sent; see Raw Pcap)
Flows TCP: 192.168.1.1:1036 ➝ 74.220.199.6:80
Flows TCP: 192.168.1.1:1038 ➝ 208.73.211.70:80
Flows TCP: 192.168.1.1:1039 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1040 ➝ 87.106.242.29:80
Flows TCP: 192.168.1.1:1041 ➝ 74.220.199.6:80
Flows TCP: 192.168.1.1:1042 ➝ 208.73.211.70:80
Flows TCP: 192.168.1.1:1043 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1044 ➝ 87.106.242.29:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3126736f   ode=sox&v=031&so
0x00000030 (00048)   783d3363 61303530 30302048 5454502f   x=3ca05000 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 616c7473   ose..Host: salts
0x00000070 (00112)   65636f6e 642e6e65 740d0a0d 0a         econd.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3126736f   ode=sox&v=031&so
0x00000030 (00048)   783d3363 61303530 30302048 5454502f   x=3ca05000 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 616c7472   ose..Host: saltr
0x00000070 (00112)   61696e2e 6e65740d 0a0d0a0d 0a         ain.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3126736f   ode=sox&v=031&so
0x00000030 (00048)   783d3363 61303530 30302048 5454502f   x=3ca05000 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2067 726f7570   ose..Host: group
0x00000070 (00112)   7261696e 2e6e6574 0d0a0d0a 0a         rain.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3126736f   ode=sox&v=031&so
0x00000030 (00048)   783d3363 61303530 30302048 5454502f   x=3ca05000 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2064 7265616d   ose..Host: dream
0x00000070 (00112)   736c6565 702e6e65 740d0a0d 0a         sleep.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3126736f   ode=sox&v=031&so
0x00000030 (00048)   783d3363 61303530 30302048 5454502f   x=3ca05000 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 616c7473   ose..Host: salts
0x00000070 (00112)   65636f6e 642e6e65 740d0a0d 0a         econd.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3126736f   ode=sox&v=031&so
0x00000030 (00048)   783d3363 61303530 30302048 5454502f   x=3ca05000 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 616c7472   ose..Host: saltr
0x00000070 (00112)   61696e2e 6e65740d 0a0d0a0d 0a         ain.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3126736f   ode=sox&v=031&so
0x00000030 (00048)   783d3363 61303530 30302048 5454502f   x=3ca05000 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2067 726f7570   ose..Host: group
0x00000070 (00112)   7261696e 2e6e6574 0d0a0d0a 0a         rain.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3126736f   ode=sox&v=031&so
0x00000030 (00048)   783d3363 61303530 30302048 5454502f   x=3ca05000 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2064 7265616d   ose..Host: dream
0x00000070 (00112)   736c6565 702e6e65 740d0a0d 0a         sleep.net....


Strings