Analysis Date: 2016-02-05 05:41:10
MD5: 1fa65335e9fd01b4d1107a6a5a7a34a1
SHA1: afa6dc949d41126c88052e6521298a09bd643ca8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 1a23661a8519b0473108f1a5ee16d4bb sha1: 2127261e80f20c006623115c8268da517d530ddb size: 334336
Section .rdata md5: a21fdfb019978a0d678d51b79f8ebf0e sha1: 198860c29034777cd70f09ce57fd958d4f36ee47 size: 153088
Section .data md5: e8e386cc26f709a0a079eeed8e38c428 sha1: 41ffa6d879813682bdf9be4ed37d15771a4e1278 size: 26624
Section .rsrc md5: 7f65e0454d4064f71beeb64376b4e9e3 sha1: df71927794d195671045633cb80480edc2f183d5 size: 2238976
Timestamp: 1970-01-01 03:40:58
Pdb path: d:\IEExplorer\Bin\setup.pdb
Version LegalCopyright: Copyright ? 2013
FileVersion: 3, 15, 8, 2614
CompanyName: MICROSOFT
ProductName: sunshine
ProductVersion: 1, 0, 0, 2
OriginalFilename: tomgo
Packer: Microsoft Visual C++ ?.?
PEhash: 993a4f701141dfc4b2c6c289ee1d79c5e424d65b
IMPhash: 5f183cf8d571f9e14eed0cddfa97d0e0
AV CA (E-Trust Ino): No Virus
AV F-Secure: Gen:Variant.Zusy.118140
AV Dr. Web: Trojan.Rootkit.15981
AV ClamAV: Win.Trojan.Ascii.115_238_251_56-1
AV Arcabit (arcavir): Trojan.Generic.14934268
AV BullGuard: Gen:Variant.Zusy.118140
AV CAT (quickheal): Trojan.Skeeyah.017639
AV VirusBlokAda (vba32): BScope.Malware-Cryptor.NSAnti.Gen.1
AV Trend Micro: BKDR_IXESHE.SML
AV Kaspersky: Trojan-Dropper.Win32.Daws.dtdj
AV Zillya!: Trojan.Zzinfor.Win32.126
AV Ikarus: PUA.Zzinfor
AV Frisk (f-prot): W32/SYStroj.N.gen!Eldorado
AV Emsisoft: Gen:Variant.Zusy.118140
AV Authentium: W32/Trojan.PVDY-8694
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Zusy.118140
AV Microsoft Security Essentials: Trojan:Win32/Rofin.B
AV K7: No Virus
AV BitDefender: Gen:Variant.Zusy.118140
AV Fortinet: W32/Daws.DTDJ!tr
AV Symantec: No Virus
AV Grisoft (avg): Win32/DH{ZxMlKA?}
AV Eset (nod32): No Virus
AV Alwil (avast): Win32:Trojan-gen
AV Rising: Trojan.Win32.Zzinfor.f
AV Ad-Aware: Gen:Variant.Zusy.118140
AV Twister: No Virus
AV Avira (antivir): TR/Downloader.Gen7
AV Mcafee: RDN/Generic.bfr

Runtime Details:

Process
↳ C:\malware.exe

Registry HKEY_LOCAL_MACHINE\SOFTWARE\123\AddShExe ➝ NULL
Registry HKEY_CLASSES_ROOT\Microsoft.IE\ ➝ C:\curly.exe
Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonZoneCrossing ➝ NULL
Creates File C:\DProEx.sys
Creates File C:\configWord.cf
Creates File C:\reTcp.sys
Creates File DProEx
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File C:\config.ini
Creates File C:\Windows\System32\clk.ini
Creates File C:\WINDOWS\he1p
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File C:\curly.exe
Creates File FixTool
Creates File C:\Windows\System32\cBLK.dll
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex DBWinMutex
Creates Service DProEx.sys - C:\DProEx.sys
Creates Service reTcp.sys - C:\reTcp.sys
Starts Service DProEx
Starts Service FixTool
Winsock URL http://ad.zzinfor.cn/static/hotkey.txt

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File PIPE\lsarpc
Creates File C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File WMIDataDevice

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\Explorer.EXE

Network Details:

DNS 1st.ecoma.ourwebpic.com Type: A ➝ 220.243.235.201
DNS 1st.ecoma.ourwebpic.com Type: A ➝ 220.243.237.3
DNS 1st.ecoma.ourwebpic.com Type: A ➝ 220.243.229.3
DNS 1st.ecoma.ourwebpic.com Type: A ➝ 220.243.229.4
DNS 1st.ecoma.ourwebpic.com Type: A ➝ 220.243.229.5
DNS 1st.ecoma.ourwebpic.com Type: A ➝ 220.243.234.20
DNS 1st.ecoma.ourwebpic.com Type: A ➝ 220.243.234.21
DNS 1st.ecoma.ourwebpic.com Type: A ➝ 220.243.234.22
DNS ad.zzinfor.cn Type: A
HTTP GET http://ad.zzinfor.cn/static/hotkey.txt
User-Agent:
Flows TCP 192.168.1.1:1031 ➝ 220.243.235.201:80