Analysis Date: 2015-09-07 06:52:47
MD5: 4fb481d82b47746bb8cb7ba21912bd38
SHA1: ab000911edb6251750ac169053e7b4c28ace04cd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 0447b0842ba933b5fbd01f54f03e5766  sha1: dbc42768b0f48e04db5bb0a141a29b6bdf0e6260  size: 661504
Section .rdata  md5: 53cf6b090b0f4acd584a2d92777b0d2b  sha1: c03a461c6f92003df7257175e2c4193962cd7ea5  size: 54272
Section .data   md5: 4f2b9ce93c814dd6be0859c0538733cf  sha1: 300d844b7449c6018054cb10b199d718d8f737ec  size: 391168
Timestamp: 2014-05-09 22:08:15
Packer: Microsoft Visual C++ ?.?
PEhash: 6a045e362fe3fb02742c654902b8d29d244f0ed1
IMPhash: 4ce6091e12ce7b8b5bbec203d117bd36
AV CA (E-Trust Ino): no_virus
AV Frisk (f-prot): no_virus
AV Arcabit (arcavir): Gen:Variant.Sirefef.121
AV Ikarus: Trojan.Crypt2
AV Kaspersky: Trojan.Win32.Generic
AV Alwil (avast): Kryptik-PLS [Trj]
AV Fortinet: Riskware/Agent
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV BullGuard: Gen:Variant.Sirefef.121
AV VirusBlokAda (vba32): no_virus
AV Emsisoft: Gen:Variant.Sirefef.121
AV MalwareBytes: no_virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Rising: no_virus
AV Eset (nod32): Win32/Kryptik.CCLE
AV MicroWorld (escan): Gen:Variant.Sirefef.121
AV Zillya!: no_virus
AV Twister: Trojan.Girtk.BCFJ.cpsn.mg
AV F-Secure: Gen:Variant.Sirefef.121
AV Ad-Aware: Gen:Variant.Sirefef.121
AV Microsoft Security Essentials: no_virus
AV Trend Micro: TSPY_NIVDORT.SMA
AV Dr. Web: no_virus
AV Padvish: no_virus
AV CAT (quickheal): Trojan.Generic.g3
AV Mcafee: no_virus
AV BitDefender: Gen:Variant.Sirefef.121
AV K7: Trojan ( 0049a7ec1 )
AV ClamAV: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.Gen8

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ktxkmdnd1m98kmxryeugkem.exe
Creates File: C:\WINDOWS\system32\yumfrwvjpt\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\ktxkmdnd1m98kmxryeugkem.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\ktxkmdnd1m98kmxryeugkem.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Visual Event WLAN Manager User-mode ➝ C:\WINDOWS\system32\hcoqgrn.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\yumfrwvjpt\tst
Creates File: C:\WINDOWS\system32\yumfrwvjpt\etc
Creates File: C:\WINDOWS\system32\yumfrwvjpt\lck
Creates File: C:\WINDOWS\system32\hcoqgrn.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\hcoqgrn.exe
Creates Service: System Discovery Endpoint BranchCache - C:\WINDOWS\system32\hcoqgrn.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1192

Process
↳ C:\WINDOWS\system32\hcoqgrn.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\yumfrwvjpt\cfg
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\yumfrwvjpt\tst
Creates File: C:\WINDOWS\system32\yumfrwvjpt\run
Creates File: C:\WINDOWS\system32\yumfrwvjpt\rng
Creates File: C:\WINDOWS\system32\drvtmnixw.exe
Creates File: C:\WINDOWS\system32\yumfrwvjpt\lck
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\ktxkmdnd1slikmx.exe
Creates Process: WATCHDOGPROC "c:\windows\system32\hcoqgrn.exe"
Creates Process: C:\WINDOWS\TEMP\ktxkmdnd1slikmx.exe -r 35394 tcp

Process
↳ C:\WINDOWS\system32\hcoqgrn.exe

Creates File: C:\WINDOWS\system32\yumfrwvjpt\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\hcoqgrn.exe"

Creates File: C:\WINDOWS\system32\yumfrwvjpt\tst

Process
↳ C:\WINDOWS\TEMP\ktxkmdnd1slikmx.exe -r 35394 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250
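The runtime events above carry the host indicators worth extracting from this report: a Run value (Visual Event WLAN Manager User-mode) and a service (System Discovery Endpoint BranchCache) that both point at the same dropped binary, C:\WINDOWS\system32\hcoqgrn.exe; the hosts file created and then deleted; a WATCHDOGPROC child of that binary; and the Security Center FirewallDisableNotify value set to 1. The script below is an added example, not output or tooling from the sandbox. It parses event lines in the "Action: value" form this page uses (that separator and the action names are assumptions about the page layout, not a documented interface), classifies them, and reports any binary registered by more than one persistence mechanism, which is the one to remove first during cleanup.

```python
import re
from collections import defaultdict

# Runtime event lines transcribed from the report above, in the "Action: value" form
# this page uses. Constructed sample input: the separator and the action names are
# assumptions about this report's layout, not a documented sandbox interface.
SAMPLE_EVENTS = r"""
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ktxkmdnd1m98kmxryeugkem.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\ktxkmdnd1m98kmxryeugkem.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Visual Event WLAN Manager User-mode ➝ C:\WINDOWS\system32\hcoqgrn.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\hcoqgrn.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\hcoqgrn.exe
Creates Service: System Discovery Endpoint BranchCache - C:\WINDOWS\system32\hcoqgrn.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\drvtmnixw.exe
Creates File: C:\WINDOWS\TEMP\ktxkmdnd1slikmx.exe
Creates Process: WATCHDOGPROC "c:\windows\system32\hcoqgrn.exe"
Creates Process: C:\WINDOWS\TEMP\ktxkmdnd1slikmx.exe -r 35394 tcp
"""

EVENT_RE = re.compile(r"^(Creates File|Deletes File|Creates Process|Creates Service|Registry):\s*(.+)$")
IMAGE_RE = re.compile(r"(?i)^(.*?\.exe)")          # image path before any arguments
HOSTS_SUFFIX = "\\drivers\\etc\\hosts"


def parse_events(text):
    """Return (action, value) pairs; lines that are not events are ignored."""
    out = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2).strip()))
    return out


def classify(action, value):
    """Map one event to (category, name, detail), or None if it is not worth an IOC."""
    low = value.lower().replace("\\\\", "\\")      # the report logs one path with a doubled separator
    if low.endswith(HOSTS_SUFFIX):                 # hosts file written, then deleted
        return ("hosts_file_tamper", action, value)
    if action == "Registry":
        key, _, data = value.partition(" ➝ ")
        name = key.rsplit("\\", 1)[-1]
        if "\\currentversion\\run\\" in low:
            return ("persistence_runkey", name, data.strip())
        if "\\security center\\" in low:
            return ("defense_evasion", name, data.strip())
        return None
    if action == "Creates Service":
        svc, _, binary = value.partition(" - ")
        return ("persistence_service", svc.strip(), binary.strip())
    if action == "Creates Process":
        if value.startswith("WATCHDOGPROC"):
            return ("watchdog_child", "WATCHDOGPROC", value)
        m = IMAGE_RE.match(value)
        image = m.group(1) if m else value
        return ("child_process", image.rsplit("\\", 1)[-1], value)
    if action == "Creates File" and low.endswith(".exe"):
        return ("dropped_executable", value.rsplit("\\", 1)[-1], value)
    return None


def extract_host_iocs(text):
    """Group every classified event under its category, preserving report order."""
    by_cat = defaultdict(list)
    for action, value in parse_events(text):
        hit = classify(action, value)
        if hit:
            by_cat[hit[0]].append((hit[1], hit[2]))
    return dict(by_cat)


def multi_persisted(iocs):
    """Binaries registered by more than one persistence mechanism: remove these first."""
    mechanisms = defaultdict(set)
    for cat in ("persistence_runkey", "persistence_service"):
        for _, target in iocs.get(cat, []):
            mechanisms[target.lower()].add(cat)
    return sorted(t for t, cats in mechanisms.items() if len(cats) > 1)


if __name__ == "__main__":
    found = extract_host_iocs(SAMPLE_EVENTS)
    for cat, items in found.items():
        for name, detail in items:
            print(f"{cat:22} {name:40} {detail}")
    print("persisted twice:", multi_persisted(found))
```

Run against the transcribed events it returns the Run value and the service, both pointing at hcoqgrn.exe, four dropped executables, the two hosts-file operations, the watchdog child and the FirewallDisableNotify change. On a live host the same categories map onto what to check: the Run key and the service binary path, the modification time of drivers\etc\hosts, and any process whose command line begins with WATCHDOGPROC.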

Network Details:

DNS tablefruit.net  A  69.195.129.70
DNS takerush.net  A  50.63.202.11
DNS yourfeet.net  A  184.168.221.104
DNS youreach.net  A  63.236.74.25
DNS triesyesterday.net  A  95.211.230.75
DNS plantfeet.net  A  50.63.202.52
DNS mightglossary.net  A  (no address recorded)
DNS gentlefriend.net  A  (no address recorded)
DNS glasshealth.net  A  (no address recorded)
DNS necessarydress.net  A  (no address recorded)
DNS rememberpaint.net  A  (no address recorded)
DNS littleappear.net  A  (no address recorded)
DNS throughcountry.net  A  (no address recorded)
DNS frontride.net  A  (no address recorded)
DNS spendmarry.net  A  (no address recorded)
DNS uponloud.net  A  (no address recorded)
DNS wrongthrew.net  A  (no address recorded)
DNS jinoplasker.com  A  (no address recorded)
DNS takemake.net  A  (no address recorded)
DNS waitrush.net  A  (no address recorded)
DNS triesfifth.net  A  (no address recorded)
DNS yourfifth.net  A  (no address recorded)
DNS triesshine.net  A  (no address recorded)
DNS yourshine.net  A  (no address recorded)
DNS triesdone.net  A  (no address recorded)
DNS yourdone.net  A  (no address recorded)
DNS triesknew.net  A  (no address recorded)
DNS yourknew.net  A  (no address recorded)
DNS lrstnfifth.net  A  (no address recorded)
DNS viewfifth.net  A  (no address recorded)
DNS lrstnshine.net  A  (no address recorded)
DNS viewshine.net  A  (no address recorded)
DNS lrstndone.net  A  (no address recorded)
DNS viewdone.net  A  (no address recorded)
DNS lrstnknew.net  A  (no address recorded)
DNS viewknew.net  A  (no address recorded)
DNS plantfifth.net  A  (no address recorded)
DNS fillfifth.net  A  (no address recorded)
DNS plantshine.net  A  (no address recorded)
DNS fillshine.net  A  (no address recorded)
DNS plantdone.net  A  (no address recorded)
DNS filldone.net  A  (no address recorded)
DNS plantknew.net  A  (no address recorded)
DNS fillknew.net  A  (no address recorded)
DNS sensefifth.net  A  (no address recorded)
DNS learnfifth.net  A  (no address recorded)
DNS senseshine.net  A  (no address recorded)
DNS learnshine.net  A  (no address recorded)
DNS sensedone.net  A  (no address recorded)
DNS learndone.net  A  (no address recorded)
DNS senseknew.net  A  (no address recorded)
DNS learnknew.net  A  (no address recorded)
DNS torefifth.net  A  (no address recorded)
DNS fallfifth.net  A  (no address recorded)
DNS toreshine.net  A  (no address recorded)
DNS fallshine.net  A  (no address recorded)
DNS toredone.net  A  (no address recorded)
DNS falldone.net  A  (no address recorded)
DNS toreknew.net  A  (no address recorded)
DNS fallknew.net  A  (no address recorded)
DNS weekfifth.net  A  (no address recorded)
DNS veryfifth.net  A  (no address recorded)
DNS weekshine.net  A  (no address recorded)
DNS veryshine.net  A  (no address recorded)
DNS weekdone.net  A  (no address recorded)
DNS verydone.net  A  (no address recorded)
DNS weekknew.net  A  (no address recorded)
DNS veryknew.net  A  (no address recorded)
DNS piecefifth.net  A  (no address recorded)
DNS muchfifth.net  A  (no address recorded)
DNS pieceshine.net  A  (no address recorded)
DNS muchshine.net  A  (no address recorded)
DNS piecedone.net  A  (no address recorded)
DNS muchdone.net  A  (no address recorded)
DNS pieceknew.net  A  (no address recorded)
DNS muchknew.net  A  (no address recorded)
DNS waitfifth.net  A  (no address recorded)
DNS takefifth.net  A  (no address recorded)
DNS waitshine.net  A  (no address recorded)
DNS takeshine.net  A  (no address recorded)
DNS waitdone.net  A  (no address recorded)
DNS takedone.net  A  (no address recorded)
DNS waitknew.net  A  (no address recorded)
DNS takeknew.net  A  (no address recorded)
DNS triesfeet.net  A  (no address recorded)
DNS trieseach.net  A  (no address recorded)
DNS youryesterday.net  A  (no address recorded)
DNS trieswedge.net  A  (no address recorded)
DNS yourwedge.net  A  (no address recorded)
DNS lrstnfeet.net  A  (no address recorded)
DNS viewfeet.net  A  (no address recorded)
DNS lrstneach.net  A  (no address recorded)
DNS vieweach.net  A  (no address recorded)
DNS lrstnyesterday.net  A  (no address recorded)
DNS viewyesterday.net  A  (no address recorded)
DNS lrstnwedge.net  A  (no address recorded)
DNS viewwedge.net  A  (no address recorded)
DNS fillfeet.net  A  (no address recorded)
HTTP GET http://tablefruit.net/index.php?method=validate&mode=sox&v=029&sox=3ef4a802  (User-Agent: empty)
HTTP GET http://takerush.net/index.php?method=validate&mode=sox&v=029&sox=3ef4a802  (User-Agent: empty)
HTTP GET http://yourfeet.net/index.php?method=validate&mode=sox&v=029&sox=3ef4a802  (User-Agent: empty)
HTTP GET http://youreach.net/index.php?method=validate&mode=sox&v=029&sox=3ef4a802  (User-Agent: empty)
HTTP GET http://triesyesterday.net/index.php?method=validate&mode=sox&v=029&sox=3ef4a802  (User-Agent: empty)
HTTP GET http://plantfeet.net/index.php?method=validate&mode=sox&v=029&sox=3ef4a802  (User-Agent: empty)
HTTP GET http://tablefruit.net/index.php?method=validate&mode=sox&v=029&sox=3ef4a802  (User-Agent: empty)
HTTP GET http://takerush.net/index.php?method=validate&mode=sox&v=029&sox=3ef4a802  (User-Agent: empty)
HTTP GET http://yourfeet.net/index.php?method=validate&mode=sox&v=029&sox=3ef4a802  (User-Agent: empty)
HTTP GET http://youreach.net/index.php?method=validate&mode=sox&v=029&sox=3ef4a802  (User-Agent: empty)
HTTP GET http://triesyesterday.net/index.php?method=validate&mode=sox&v=029&sox=3ef4a802  (User-Agent: empty)
HTTP GET http://plantfeet.net/index.php?method=validate&mode=sox&v=029&sox=3ef4a802  (User-Agent: empty)
Flows TCP 192.168.1.1:1036 ➝ 69.195.129.70:80
Flows TCP 192.168.1.1:1037 ➝ 50.63.202.11:80
Flows TCP 192.168.1.1:1058 ➝ 38.124.72.224:443
Flows TCP 192.168.1.1:1038 ➝ 184.168.221.104:80
Flows TCP 192.168.1.1:1039 ➝ 63.236.74.25:80
Flows TCP 192.168.1.1:1040 ➝ 95.211.230.75:80
Flows TCP 192.168.1.1:1041 ➝ 50.63.202.52:80
Flows TCP 192.168.1.1:1043 ➝ 69.195.129.70:80
Flows TCP 192.168.1.1:1044 ➝ 50.63.202.11:80
Flows TCP 192.168.1.1:1045 ➝ 184.168.221.104:80
Flows TCP 192.168.1.1:1046 ➝ 63.236.74.25:80
Flows TCP 192.168.1.1:1047 ➝ 95.211.230.75:80
Flows TCP 192.168.1.1:1048 ➝ 50.63.202.52:80
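The Network Details above have a shape a detector can key on: within a few seconds one client looks up dozens of distinct two-word .net names, six of them resolve, and the client then sends the identical GET /index.php?method=validate&mode=sox&v=029&sox=3ef4a802 to each host that resolved, in two rounds, over HTTP/1.0 with no User-Agent header (the blank User-Agent entries above; the Raw Pcap section shows the header is absent, not merely empty). The detector below is an added example, not part of this report or of any vendor tooling. The DNS and proxy log formats, the timestamps, the client addresses and the benign www.example.com entry are constructed for the example; the names, addresses and request lines are the ones recorded here. Treating any three-digit v and any eight-hex-digit sox as a match is an assumption that generalizes beyond the single values observed.

```python
import re
from collections import defaultdict

# Constructed DNS log, "<epoch> <client> <qname> <address or ->". The names and the
# six addresses are those recorded in the report; the timestamps, client address,
# line format and the final benign lookup are assumptions made for this example.
DNS_LOG = """\
1441608767 192.168.1.1 tablefruit.net 69.195.129.70
1441608767 192.168.1.1 takerush.net 50.63.202.11
1441608768 192.168.1.1 yourfeet.net 184.168.221.104
1441608768 192.168.1.1 youreach.net 63.236.74.25
1441608769 192.168.1.1 triesyesterday.net 95.211.230.75
1441608769 192.168.1.1 plantfeet.net 50.63.202.52
1441608770 192.168.1.1 mightglossary.net -
1441608770 192.168.1.1 gentlefriend.net -
1441608771 192.168.1.1 glasshealth.net -
1441608771 192.168.1.1 triesfifth.net -
1441608772 192.168.1.1 yourfifth.net -
1441608772 192.168.1.1 lrstnfifth.net -
1441608773 192.168.1.1 viewfifth.net -
1441608773 192.168.1.1 plantfifth.net -
1441608900 192.168.1.50 www.example.com 93.184.216.34
"""

# Constructed proxy log, '<epoch> <client> <dst> <host> "<request line>" "<user-agent>"'.
# The request lines copy the captured beacons; the empty user-agent matches the capture.
PROXY_LOG = """\
1441608767 192.168.1.1 69.195.129.70:80 tablefruit.net "GET /index.php?method=validate&mode=sox&v=029&sox=3ef4a802 HTTP/1.0" ""
1441608768 192.168.1.1 50.63.202.11:80 takerush.net "GET /index.php?method=validate&mode=sox&v=029&sox=3ef4a802 HTTP/1.0" ""
1441608768 192.168.1.1 184.168.221.104:80 yourfeet.net "GET /index.php?method=validate&mode=sox&v=029&sox=3ef4a802 HTTP/1.0" ""
1441608769 192.168.1.1 63.236.74.25:80 youreach.net "GET /index.php?method=validate&mode=sox&v=029&sox=3ef4a802 HTTP/1.0" ""
1441608769 192.168.1.1 95.211.230.75:80 triesyesterday.net "GET /index.php?method=validate&mode=sox&v=029&sox=3ef4a802 HTTP/1.0" ""
1441608770 192.168.1.1 50.63.202.52:80 plantfeet.net "GET /index.php?method=validate&mode=sox&v=029&sox=3ef4a802 HTTP/1.0" ""
1441608900 192.168.1.50 93.184.216.34:80 www.example.com "GET / HTTP/1.1" "Mozilla/5.0"
"""

# Observed once with v=029 and sox=3ef4a802; accepting any 3-digit v and any 8-hex-digit
# sox is an assumption so that one rule covers more than the single sample.
BEACON_URI = re.compile(r"^/index\.php\?method=validate&mode=sox&v=\d{3}&sox=[0-9a-f]{8}$")
PROXY_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) "(\S+) (\S+) (\S+)" "([^"]*)"$')


def dns_burst(dns_text, window=60, min_names=8, max_resolve_ratio=0.5):
    """Flag clients that query many distinct names within `window` seconds while
    most of those names come back without an address: the lookup pattern above."""
    per_client = defaultdict(list)
    for line in dns_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, answer = parts
        per_client[client].append((int(ts), qname.lower(), answer != "-"))
    flagged = {}
    for client, rows in per_client.items():
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):        # sliding window over each start time
            win = [r for r in rows[i:] if r[0] - t0 <= window]
            names = {q for _, q, _ in win}
            resolved = {q for _, q, ok in win if ok}
            if len(names) >= min_names and len(resolved) / len(names) <= max_resolve_ratio:
                flagged[client] = {"names": len(names), "resolved": len(resolved)}
                break
    return flagged


def beacon_hits(proxy_text):
    """Every request whose URI matches the validate beacon, with the two traits that
    separate it from browser traffic: HTTP/1.0 and no User-Agent."""
    hits = []
    for line in proxy_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        _ts, client, dst, host, method, uri, version, ua = m.groups()
        if method == "GET" and BEACON_URI.match(uri):
            hits.append({"client": client, "host": host, "dst": dst,
                         "sox": uri.rsplit("sox=", 1)[1],
                         "no_user_agent": ua == "", "http10": version == "HTTP/1.0"})
    return hits


def correlate(dns_text, proxy_text):
    """Per client: the lookup burst (if any) plus the hosts and sox tokens it beaconed to."""
    bursts = dns_burst(dns_text)
    report = {}
    for h in beacon_hits(proxy_text):
        entry = report.setdefault(h["client"], {"burst": bursts.get(h["client"]),
                                                "beacon_hosts": set(), "sox_tokens": set()})
        entry["beacon_hosts"].add(h["host"])
        entry["sox_tokens"].add(h["sox"])
    return report


if __name__ == "__main__":
    for client, entry in correlate(DNS_LOG, PROXY_LOG).items():
        print(client, entry)
```

The URI match is the narrow signal and maps directly onto an IDS content match on the request URI; the lookup burst is the durable one, because it depends on the ratio of unresolved names rather than on the names themselves, which a domain generator rotates. The two-word .net names here are consistent with a dictionary-based generator, which is in line with the Nivdort labels two engines applied above, but the detector does not need the word lists.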

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3032 3926736f   ode=sox&v=029&so
0x00000030 (00048)   783d3365 66346138 30322048 5454502f   x=3ef4a802 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2074 61626c65   ose..Host: table
0x00000070 (00112)   66727569 742e6e65 740d0a0d 0a         fruit.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3032 3926736f   ode=sox&v=029&so
0x00000030 (00048)   783d3365 66346138 30322048 5454502f   x=3ef4a802 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2074 616b6572   ose..Host: taker
0x00000070 (00112)   7573682e 6e65740d 0a0d0a0d 0a         ush.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3032 3926736f   ode=sox&v=029&so
0x00000030 (00048)   783d3365 66346138 30322048 5454502f   x=3ef4a802 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2079 6f757266   ose..Host: yourf
0x00000070 (00112)   6565742e 6e65740d 0a0d0a0d 0a         eet.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3032 3926736f   ode=sox&v=029&so
0x00000030 (00048)   783d3365 66346138 30322048 5454502f   x=3ef4a802 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2079 6f757265   ose..Host: youre
0x00000070 (00112)   6163682e 6e65740d 0a0d0a0d 0a         ach.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3032 3926736f   ode=sox&v=029&so
0x00000030 (00048)   783d3365 66346138 30322048 5454502f   x=3ef4a802 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2074 72696573   ose..Host: tries
0x00000070 (00112)   79657374 65726461 792e6e65 740d0a0d   yesterday.net...
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3032 3926736f   ode=sox&v=029&so
0x00000030 (00048)   783d3365 66346138 30322048 5454502f   x=3ef4a802 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2070 6c616e74   ose..Host: plant
0x00000070 (00112)   66656574 2e6e6574 0d0a0d0a 740d0a0d   feet.net....t...
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3032 3926736f   ode=sox&v=029&so
0x00000030 (00048)   783d3365 66346138 30322048 5454502f   x=3ef4a802 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2074 61626c65   ose..Host: table
0x00000070 (00112)   66727569 742e6e65 740d0a0d 0a0d0a0d   fruit.net.......
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3032 3926736f   ode=sox&v=029&so
0x00000030 (00048)   783d3365 66346138 30322048 5454502f   x=3ef4a802 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2074 616b6572   ose..Host: taker
0x00000070 (00112)   7573682e 6e65740d 0a0d0a0d 0a0d0a0d   ush.net.........
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3032 3926736f   ode=sox&v=029&so
0x00000030 (00048)   783d3365 66346138 30322048 5454502f   x=3ef4a802 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2079 6f757266   ose..Host: yourf
0x00000070 (00112)   6565742e 6e65740d 0a0d0a0d 0a0d0a0d   eet.net.........
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3032 3926736f   ode=sox&v=029&so
0x00000030 (00048)   783d3365 66346138 30322048 5454502f   x=3ef4a802 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2079 6f757265   ose..Host: youre
0x00000070 (00112)   6163682e 6e65740d 0a0d0a0d 0a0d0a0d   ach.net.........
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3032 3926736f   ode=sox&v=029&so
0x00000030 (00048)   783d3365 66346138 30322048 5454502f   x=3ef4a802 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2074 72696573   ose..Host: tries
0x00000070 (00112)   79657374 65726461 792e6e65 740d0a0d   yesterday.net...
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3032 3926736f   ode=sox&v=029&so
0x00000030 (00048)   783d3365 66346138 30322048 5454502f   x=3ef4a802 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2070 6c616e74   ose..Host: plant
0x00000070 (00112)   66656574 2e6e6574 0d0a0d0a 740d0a0d   feet.net....t...
0x00000080 (00128)   0a                                    .
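Each Raw Pcap entry above is an offset / hex / ASCII dump of one request. The parser below is an added example, not part of the sandbox output or of any library; it rebuilds the bytes from such a dump, checking that every row's offset equals the number of bytes already decoded, and then parses the HTTP request so that Host, path and query fields can be extracted mechanically rather than read off the ASCII column. It uses the plantfeet.net capture, whose dump carries five bytes (t, CR, LF, CR, LF) after the end-of-headers terminator; a parser that assumes the buffer ends at the terminator would either drop them silently or mis-parse the request.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The plantfeet.net request, copied from the Raw Pcap section above: hex offset, decimal
# offset, up to 16 bytes as 4-byte hex groups, then an ASCII rendering of the same bytes.
SAMPLE_DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3032 3926736f   ode=sox&v=029&so
0x00000030 (00048)   783d3365 66346138 30322048 5454502f   x=3ef4a802 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2070 6c616e74   ose..Host: plant
0x00000070 (00112)   66656574 2e6e6574 0d0a0d0a 740d0a0d   feet.net....t...
0x00000080 (00128)   0a                                    .
"""

ROW_RE = re.compile(r"^0x([0-9a-fA-F]+)\s+\((\d+)\)\s+(.*)$")
HEX_GROUP = re.compile(r"^(?:[0-9a-fA-F]{2}){1,4}$")   # 1..4 bytes, as the dump prints them


def hexdump_to_bytes(dump):
    """Rebuild the packet bytes, checking that each row starts where the previous ended."""
    buf = bytearray()
    for line in dump.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                                   # blank lines between packets
        hex_off, dec_off, rest = int(m.group(1), 16), int(m.group(2)), m.group(3)
        if hex_off != dec_off or dec_off != len(buf):
            raise ValueError(f"row offset {dec_off} disagrees with {len(buf)} bytes decoded")
        got = 0
        for tok in rest.split():
            # A row holds at most 16 bytes; the first token that is not hex begins the
            # ASCII column, which is only a rendering and must not be decoded again.
            if got >= 16 or not HEX_GROUP.match(tok):
                break
            buf += bytes.fromhex(tok)
            got += len(tok) // 2
    return bytes(buf)


def parse_http_request(raw):
    """Split an HTTP/1.x request into its parts; bytes after the header terminator
    are returned separately rather than silently dropped."""
    head, sep, trailing = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers terminator")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method, "path": parts.path, "version": version, "headers": headers,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "has_user_agent": "user-agent" in headers,
        "trailing_bytes": trailing,
    }


def beacon_fields(dump):
    """The fields worth indexing from one captured beacon: host, path, v, sox."""
    req = parse_http_request(hexdump_to_bytes(dump))
    return (req["headers"].get("host"), req["path"], req["query"].get("v"), req["query"].get("sox"))


if __name__ == "__main__":
    req = parse_http_request(hexdump_to_bytes(SAMPLE_DUMP))
    print(req["method"], req["path"], req["version"], req["query"])
    print("Host:", req["headers"]["host"], "User-Agent present:", req["has_user_agent"])
    print("bytes after header terminator:", req["trailing_bytes"])
```

The same parser handles the other eleven dumps above; only the Host header and the number of stray bytes after the terminator differ between them. The offset check matters when dumps are copied from a report by hand, where a dropped or duplicated row would otherwise shift every following byte and still produce something that looks like text.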


Strings