Analysis Date: 2015-10-10 23:29:25
MD5: cab089ad24aee5b87845d8f973f6f9c2
SHA1: ad9fc79a5daf8a17dff5d37fcb0f489573e296c8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 2044ab610780492d0385b014da743a34 sha1: 1e1601454a70eca6487513b68d0794c80b59a11d size: 783872
Section .rdata: md5: 61e0d07072b9632e7e3600ac0c051711 sha1: 4775f35e6f42f777a04c85b1ef328b3ecb87c49d size: 58880
Section .data: md5: a711868292b3ecb8af75b0b6d93b5d0d sha1: 8ccf12aa995bad94d7573dd6cb081f8bda12a1bc size: 412160
Timestamp: 2014-07-24 03:14:14
Packer: Microsoft Visual C++ ?.?
PEhash: ba453f3a0a2d69160901beb312541d6d0995928c
IMPhash: 3301260f9b1d991b9c245a197018948b
AV Twister: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV VirusBlokAda (vba32): no_virus
AV Dr. Web: no_virus
AV K7: Trojan ( 004cd0081 )
AV Trend Micro: TROJ_WONTON.SMJ1
AV F-Secure: Gen:Variant.Symmi.22722
AV Frisk (f-prot): no_virus
AV BitDefender: Gen:Variant.Symmi.22722
AV Kaspersky: Trojan.Win32.Generic
AV Grisoft (avg): Win32/Cryptor
AV Ad-Aware: Gen:Variant.Symmi.22722
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Eset (nod32): Win32/Kryptik.CCLE
AV Mcafee: no_virus
AV Fortinet: W32/Kryptik.DDQD!tr
AV Ikarus: Trojan.Win32.Crypt
AV Avira (antivir): TR/Crypt.ZPACK.Gen8
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV Symantec: Downloader.Upatre!g15
AV ClamAV: no_virus
AV CA (E-Trust Ino): no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Rising: no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AE
AV MalwareBytes: Trojan.FakePDF
AV Alwil (avast): Kryptik-OOC [Trj]
AV Authentium: W32/Nivdort.A.gen!Eldorado

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\x2nduzyq6r8ffeuk6gn.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\x2nduzyq6r8ffeuk6gn.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\x2nduzyq6r8ffeuk6gn.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Resolution Thread Detection Notification ➝ C:\WINDOWS\system32\iwjdgrljrpb.exe
Creates File: C:\WINDOWS\system32\iwjdgrljrpb.exe
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\lck
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\etc
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\iwjdgrljrpb.exe
Creates Service: Extensible Configuration TPM - C:\WINDOWS\system32\iwjdgrljrpb.exe

Process
↳ Pid 812

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\IWJDGRLJRPB.EXE-0E32D2BC.pf
Creates File: C:\WINDOWS\Prefetch\X2NDUZYQ6R8FFEUK6GN.EXE-08CF30D8.pf
Creates File: C:\WINDOWS\Prefetch\X2NDUZYQGEWFF.EXE-1DAFBBCD.pf
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\JSBODPHXUNEU.EXE-1912574D.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf
Creates File: C:\WINDOWS\Prefetch\AD9FC79A5DAF8A17DFF5D37FCB0F4-371EAA0F.pf

Process
↳ Pid 1120

Process
↳ Pid 1216

Process
↳ Pid 1304

Process
↳ Pid 1812

Process
↳ Pid 1316

Process
↳ C:\WINDOWS\system32\iwjdgrljrpb.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\jsbodphxuneu.exe
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\cfg
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\rng
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\lck
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\run
Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\x2nduzyqgewff.exe
Deletes File: C:\WINDOWS\TEMP\x2nduzyqgewff.exe
Creates Process: C:\WINDOWS\TEMP\x2nduzyqgewff.exe -r 21769 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\iwjdgrljrpb.exe"

Process
↳ C:\WINDOWS\system32\iwjdgrljrpb.exe

Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\iwjdgrljrpb.exe"

Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst

Process
↳ C:\WINDOWS\TEMP\x2nduzyqgewff.exe -r 21769 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: saltsecond.net (Type: A) ➝ 74.220.199.6
DNS: watchfine.net (Type: A) ➝ 45.35.9.136
DNS: saltrain.net (Type: A) ➝ 208.73.211.70
DNS: grouprain.net (Type: A) ➝ 208.100.26.234
DNS: dreamsleep.net (Type: A) ➝ 87.106.242.29
DNS: signarmy.net (Type: A)
DNS: southblood.net (Type: A)
DNS: wifeknew.net (Type: A)
DNS: rockknew.net (Type: A)
DNS: spendstudy.net (Type: A)
DNS: ringfirst.net (Type: A)
DNS: pointdeal.net (Type: A)
DNS: groupimportant.net (Type: A)
DNS: spokefine.net (Type: A)
DNS: visitfine.net (Type: A)
DNS: spokenice.net (Type: A)
DNS: visitnice.net (Type: A)
DNS: spokeelse.net (Type: A)
DNS: visitelse.net (Type: A)
DNS: spokeimportant.net (Type: A)
DNS: visitimportant.net (Type: A)
DNS: fairfine.net (Type: A)
DNS: watchnice.net (Type: A)
DNS: fairnice.net (Type: A)
DNS: watchelse.net (Type: A)
DNS: fairelse.net (Type: A)
DNS: watchimportant.net (Type: A)
DNS: fairimportant.net (Type: A)
DNS: dreamfine.net (Type: A)
DNS: thisfine.net (Type: A)
DNS: dreamnice.net (Type: A)
DNS: thisnice.net (Type: A)
DNS: dreamelse.net (Type: A)
DNS: thiselse.net (Type: A)
DNS: dreamimportant.net (Type: A)
DNS: thisimportant.net (Type: A)
DNS: arivesleep.net (Type: A)
DNS: southsleep.net (Type: A)
DNS: ariveheight.net (Type: A)
DNS: southheight.net (Type: A)
DNS: ariveheld.net (Type: A)
DNS: southheld.net (Type: A)
DNS: ariverain.net (Type: A)
DNS: southrain.net (Type: A)
DNS: uponsleep.net (Type: A)
DNS: whichsleep.net (Type: A)
DNS: uponheight.net (Type: A)
DNS: whichheight.net (Type: A)
DNS: uponheld.net (Type: A)
DNS: whichheld.net (Type: A)
DNS: uponrain.net (Type: A)
DNS: whichrain.net (Type: A)
DNS: spotsleep.net (Type: A)
DNS: saltsleep.net (Type: A)
DNS: spotheight.net (Type: A)
DNS: saltheight.net (Type: A)
DNS: spotheld.net (Type: A)
DNS: saltheld.net (Type: A)
DNS: spotrain.net (Type: A)
DNS: gladsleep.net (Type: A)
DNS: takensleep.net (Type: A)
DNS: gladheight.net (Type: A)
DNS: takenheight.net (Type: A)
DNS: gladheld.net (Type: A)
DNS: takenheld.net (Type: A)
DNS: gladrain.net (Type: A)
DNS: takenrain.net (Type: A)
DNS: equalsleep.net (Type: A)
DNS: groupsleep.net (Type: A)
DNS: equalheight.net (Type: A)
DNS: groupheight.net (Type: A)
DNS: equalheld.net (Type: A)
DNS: groupheld.net (Type: A)
DNS: equalrain.net (Type: A)
DNS: spokesleep.net (Type: A)
DNS: visitsleep.net (Type: A)
DNS: spokeheight.net (Type: A)
DNS: visitheight.net (Type: A)
DNS: spokeheld.net (Type: A)
DNS: visitheld.net (Type: A)
DNS: spokerain.net (Type: A)
DNS: visitrain.net (Type: A)
DNS: watchsleep.net (Type: A)
DNS: fairsleep.net (Type: A)
DNS: watchheight.net (Type: A)
DNS: fairheight.net (Type: A)
DNS: watchheld.net (Type: A)
DNS: fairheld.net (Type: A)
DNS: watchrain.net (Type: A)
DNS: fairrain.net (Type: A)
DNS: thissleep.net (Type: A)
DNS: dreamheight.net (Type: A)
DNS: thisheight.net (Type: A)
HTTP GET: http://saltsecond.net/index.php?method=validate&mode=sox&v=030&sox=3ca05000 (User-Agent: empty)
HTTP GET: http://watchfine.net/index.php?method=validate&mode=sox&v=030&sox=3ca05000 (User-Agent: empty)
HTTP GET: http://saltrain.net/index.php?method=validate&mode=sox&v=030&sox=3ca05000 (User-Agent: empty)
HTTP GET: http://grouprain.net/index.php?method=validate&mode=sox&v=030&sox=3ca05000 (User-Agent: empty)
HTTP GET: http://dreamsleep.net/index.php?method=validate&mode=sox&v=030&sox=3ca05000 (User-Agent: empty)
HTTP GET: http://saltsecond.net/index.php?method=validate&mode=sox&v=030&sox=3ca05000 (User-Agent: empty)
HTTP GET: http://watchfine.net/index.php?method=validate&mode=sox&v=030&sox=3ca05000 (User-Agent: empty)
HTTP GET: http://saltrain.net/index.php?method=validate&mode=sox&v=030&sox=3ca05000 (User-Agent: empty)
HTTP GET: http://grouprain.net/index.php?method=validate&mode=sox&v=030&sox=3ca05000 (User-Agent: empty)
HTTP GET: http://dreamsleep.net/index.php?method=validate&mode=sox&v=030&sox=3ca05000 (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 74.220.199.6:80
Flows TCP: 192.168.1.1:1033 ➝ 45.35.9.136:80
Flows TCP: 192.168.1.1:1039 ➝ 208.73.211.70:80
Flows TCP: 192.168.1.1:1040 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1041 ➝ 87.106.242.29:80
Flows TCP: 192.168.1.1:1042 ➝ 74.220.199.6:80
Flows TCP: 192.168.1.1:1043 ➝ 45.35.9.136:80
Flows TCP: 192.168.1.1:1044 ➝ 208.73.211.70:80
Flows TCP: 192.168.1.1:1045 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1046 ➝ 87.106.242.29:80
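
The 93 names in the DNS list above are not random strings: each is two English words glued together, drawn from a small set of first words (salt, watch, group, dream, spoke, visit, ...) and a small set of second words (fine, nice, else, important, sleep, height, held, rain). The cross product is visible in runs such as spokefine / visitfine / spokenice / visitnice, and only the first five names queried received an A record. That structure is what a word-list domain generator produces, and an analyst who recovers the two lists can predict names the sandbox never got to. The script below is an added example written for this page, not sandbox output or code from the sample. It recovers the word lists purely from the observed names by scoring each cut of a name by how many other names share its prefix and how many share its suffix, falls back to already-recovered words for names whose partner word occurs only once (saltsecond, southblood), reports names it cannot decompose, and then classifies arbitrary names against the recovered lists. The domain list is copied from the report; the minimum word length of 3 is my choice.

```python
# Two-word dictionary domains: recover the word lists from the observed names.
# The domain list is copied from the DNS section of this report (".net" dropped).
OBSERVED = """
saltsecond watchfine saltrain grouprain dreamsleep signarmy southblood wifeknew
rockknew spendstudy ringfirst pointdeal groupimportant spokefine visitfine spokenice
visitnice spokeelse visitelse spokeimportant visitimportant fairfine watchnice fairnice
watchelse fairelse watchimportant fairimportant dreamfine thisfine dreamnice thisnice
dreamelse thiselse dreamimportant thisimportant arivesleep southsleep ariveheight
southheight ariveheld southheld ariverain southrain uponsleep whichsleep uponheight
whichheight uponheld whichheld uponrain whichrain spotsleep saltsleep spotheight
saltheight spotheld saltheld spotrain gladsleep takensleep gladheight takenheight
gladheld takenheld gladrain takenrain equalsleep groupsleep equalheight groupheight
equalheld groupheld equalrain spokesleep visitsleep spokeheight visitheight spokeheld
visitheld spokerain visitrain watchsleep fairsleep watchheight fairheight watchheld
fairheld watchrain fairrain thissleep dreamheight thisheight
""".split()

MIN_WORD = 3  # assumption: shortest half we accept; stops single letters being split off


def best_split(label, others):
    """Try every cut of `label`. A cut scores prefix_hits * suffix_hits, where the
    hits count OTHER labels that start with the same prefix / end with the same
    suffix. A real word boundary recurs on both sides; an off-by-one cut such as
    'southh|eld' has a rare prefix and scores far lower than 'south|held'."""
    best, best_score = None, 0
    for i in range(MIN_WORD, len(label) - MIN_WORD + 1):
        pre, suf = label[:i], label[i:]
        p = sum(1 for d in others if d.startswith(pre))
        s = sum(1 for d in others if d.endswith(suf))
        if p * s > best_score:
            best, best_score = (pre, suf), p * s
    return best


def infer_word_lists(names):
    """Return (first_words, second_words, {label: (first, second)}, unresolved)."""
    names = sorted(set(names))
    first, second, pairs, unresolved = set(), set(), {}, []
    for label in names:  # pass 1: both halves must recur elsewhere
        split = best_split(label, [d for d in names if d != label])
        if split:
            pairs[label] = split
            first.add(split[0])
            second.add(split[1])
        else:
            unresolved.append(label)
    # pass 2: a label whose partner word occurs only once can still be cut if
    # its other half is a word recovered in pass 1 (longest known word first)
    for label in list(unresolved):
        for w in sorted(first, key=len, reverse=True):
            if label.startswith(w) and len(label) - len(w) >= MIN_WORD:
                pairs[label] = (w, label[len(w):])
                unresolved.remove(label)
                break
        else:
            for w in sorted(second, key=len, reverse=True):
                if label.endswith(w) and len(label) - len(w) >= MIN_WORD:
                    pairs[label] = (label[:-len(w)], w)
                    unresolved.remove(label)
                    break
    return first, second, pairs, unresolved


def is_wordlist_domain(label, first, second):
    """True if `label` is any first word followed by any second word, so names the
    sandbox never observed (e.g. groupfine) are flagged as well."""
    return any(label[:i] in first and label[i:] in second for i in range(1, len(label)))


if __name__ == "__main__":
    first, second, pairs, unresolved = infer_word_lists(OBSERVED)
    print("first words:", sorted(first))
    print("second words:", sorted(second))
    print("could not decompose:", unresolved)
    print("predicted, unseen:", is_wordlist_domain("groupfine", first, second))
```

Six names (signarmy, wifeknew, rockknew, spendstudy, ringfirst, pointdeal) share neither half with anything else in the capture and stay unresolved rather than being guessed; a larger capture, or a second run of the sample, would be needed to place their words. Feeding the recovered cross product into a DNS block list or a passive-DNS search is the practical use.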

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3026736f   ode=sox&v=030&so
0x00000030 (00048)   783d3363 61303530 30302048 5454502f   x=3ca05000 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 616c7473   ose..Host: salts
0x00000070 (00112)   65636f6e 642e6e65 740d0a0d 0a         econd.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3026736f   ode=sox&v=030&so
0x00000030 (00048)   783d3363 61303530 30302048 5454502f   x=3ca05000 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2077 61746368   ose..Host: watch
0x00000070 (00112)   66696e65 2e6e6574 0d0a0d0a 0a         fine.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3026736f   ode=sox&v=030&so
0x00000030 (00048)   783d3363 61303530 30302048 5454502f   x=3ca05000 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 616c7472   ose..Host: saltr
0x00000070 (00112)   61696e2e 6e65740d 0a0d0a0a 0a         ain.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3026736f   ode=sox&v=030&so
0x00000030 (00048)   783d3363 61303530 30302048 5454502f   x=3ca05000 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2067 726f7570   ose..Host: group
0x00000070 (00112)   7261696e 2e6e6574 0d0a0d0a 0a         rain.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3026736f   ode=sox&v=030&so
0x00000030 (00048)   783d3363 61303530 30302048 5454502f   x=3ca05000 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2064 7265616d   ose..Host: dream
0x00000070 (00112)   736c6565 702e6e65 740d0a0d 0a         sleep.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3026736f   ode=sox&v=030&so
0x00000030 (00048)   783d3363 61303530 30302048 5454502f   x=3ca05000 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 616c7473   ose..Host: salts
0x00000070 (00112)   65636f6e 642e6e65 740d0a0d 0a         econd.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3026736f   ode=sox&v=030&so
0x00000030 (00048)   783d3363 61303530 30302048 5454502f   x=3ca05000 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2077 61746368   ose..Host: watch
0x00000070 (00112)   66696e65 2e6e6574 0d0a0d0a 0a         fine.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3026736f   ode=sox&v=030&so
0x00000030 (00048)   783d3363 61303530 30302048 5454502f   x=3ca05000 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 616c7472   ose..Host: saltr
0x00000070 (00112)   61696e2e 6e65740d 0a0d0a0a 0a         ain.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3026736f   ode=sox&v=030&so
0x00000030 (00048)   783d3363 61303530 30302048 5454502f   x=3ca05000 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2067 726f7570   ose..Host: group
0x00000070 (00112)   7261696e 2e6e6574 0d0a0d0a 0a         rain.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3026736f   ode=sox&v=030&so
0x00000030 (00048)   783d3363 61303530 30302048 5454502f   x=3ca05000 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2064 7265616d   ose..Host: dream
0x00000070 (00112)   736c6565 702e6e65 740d0a0d 0a         sleep.net....
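
The ten dumps above are the same check-in sent to each of the five resolved hosts, twice (flows from source ports 1031 to 1046). Reading the hex column rather than the ASCII column shows the details that matter for a detection rule: the request is HTTP/1.0 with only Accept, Connection: close and Host headers, there is no User-Agent header at all (the sandbox lists it as empty), and the sox token 3ca05000 is identical for every host. Some dumps also carry one or two stray 0a bytes after the header terminator. The script below is an added example written for this page, not sandbox code: it rebuilds the request bytes from two of the dumps (copied verbatim from the report), parses them as HTTP, and applies a signature for this beacon. The hex-dump column layout it assumes is the one shown above; the field names and the signature function are mine.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Two request dumps copied verbatim from the "Raw Pcap" section of this report.
DUMP_SALTSECOND = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3026736f   ode=sox&v=030&so
0x00000030 (00048)   783d3363 61303530 30302048 5454502f   x=3ca05000 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 616c7473   ose..Host: salts
0x00000070 (00112)   65636f6e 642e6e65 740d0a0d 0a         econd.net....
"""
DUMP_WATCHFINE = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3026736f   ode=sox&v=030&so
0x00000030 (00048)   783d3363 61303530 30302048 5454502f   x=3ca05000 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2077 61746368   ose..Host: watch
0x00000070 (00112)   66696e65 2e6e6574 0d0a0d0a 0a         fine.net.....
"""

# "0xOFFSET (DECIMAL)   <up to four 8-hex-digit groups>   <ascii column>"
# The hex groups are separated by single spaces; three spaces precede the ASCII
# column, so the repeated group stops before it.
HEX_LINE = re.compile(r"^0x[0-9A-Fa-f]+ \(\d+\)\s+((?:[0-9A-Fa-f]{2,8} ?)+)")


def hexdump_to_bytes(dump):
    """Rebuild the payload from the hex column. The ASCII column is ignored: it
    prints control bytes such as CR/LF as dots and cannot be trusted."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_http_request(raw):
    """Minimal HTTP/1.x request parser: request line, lower-cased headers, and
    whatever follows the blank line (here the stray trailing 0a bytes)."""
    head, _, trailing = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method, "path": url.path, "version": version,
            "query": parse_qs(url.query), "headers": headers,
            "host": headers.get("host", ""), "trailing": trailing}


def beacon_key(req):
    """(host, v, sox): compare across dumps to see that sox does not vary."""
    q = req["query"]
    return (req["host"], q.get("v", [""])[0], q.get("sox", [""])[0])


def matches_beacon(req):
    """Signature for the check-in in this report: HTTP/1.0 GET /index.php with
    method=validate&mode=sox plus v and sox parameters, and no User-Agent header."""
    q = req["query"]
    return (req["method"] == "GET" and req["version"] == "HTTP/1.0"
            and req["path"] == "/index.php"
            and q.get("method") == ["validate"] and q.get("mode") == ["sox"]
            and "v" in q and "sox" in q
            and "user-agent" not in req["headers"])


if __name__ == "__main__":
    for dump in (DUMP_SALTSECOND, DUMP_WATCHFINE):
        req = parse_http_request(hexdump_to_bytes(dump))
        print(beacon_key(req), matches_beacon(req), req["trailing"])
```

The absence of a User-Agent header combined with HTTP/1.0 and Connection: close is the part worth carrying into a proxy or IDS rule; the query string alone would also match, but the header shape survives a change of domain list.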


Strings