Analysis Date: 2015-07-07 22:59:03
MD5: 28e13da2ad155a8b28bd25cca50136c7
SHA1: b37d73c26bb4a0099b9b05f143b2175902860b0f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5d8632190f83870d2fd24d847664286d sha1: 2887f5d68e3ad828fb2131c952400afe9edc9735 size: 1407488
Section .rdata: md5: 6f5521ddd95576bf83b6bdf19e3a2537 sha1: c2ab4a13041fc3a5824891a730b8922ae233f5fe size: 311296
Section .data: md5: b15e1318b905edcdf59e8296811823ca sha1: b941bcef4f503663515f9207e55da91ea30b346a size: 8192
Section .reloc: md5: 0c736120f7c1faef987a4116fa5fcf32 sha1: 1e46e3a177c1439684f2b2f554fe26d3f9f3c7bc size: 197632
Timestamp: 2015-05-11 04:24:26
Packer: VC8 -> Microsoft Corporation
PEhash: 9fc3bce6c69b0e4339880807f038673c79abb8be
IMPhash: bb50220560d54d4b7706924775aa54a8

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\bfujnk1lpockdtdqqwocowj.exe
Creates File: C:\WINDOWS\system32\osfdsfbapa\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\bfujnk1lpockdtdqqwocowj.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\bfujnk1lpockdtdqqwocowj.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Protected Office Assistant Microsoft ➝ C:\WINDOWS\system32\cjxbjnkizl.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\cjxbjnkizl.exe
Creates File: C:\WINDOWS\system32\osfdsfbapa\tst
Creates File: C:\WINDOWS\system32\osfdsfbapa\etc
Creates File: C:\WINDOWS\system32\osfdsfbapa\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\cjxbjnkizl.exe
Creates Service: Configuration WMI Adapter Connection - C:\WINDOWS\system32\cjxbjnkizl.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1132

Process
↳ C:\WINDOWS\system32\cjxbjnkizl.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\osfdsfbapa\run
Creates File: C:\WINDOWS\system32\osfdsfbapa\cfg
Creates File: C:\WINDOWS\system32\osfdsfbapa\tst
Creates File: C:\WINDOWS\TEMP\bfujnk1r4kckdtd.exe
Creates File: C:\WINDOWS\system32\osfdsfbapa\lck
Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\osfdsfbapa\rng
Creates File: C:\WINDOWS\system32\hkyrrxxjavqb.exe
Creates Process: C:\WINDOWS\TEMP\bfujnk1r4kckdtd.exe -r 49706 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\cjxbjnkizl.exe"

Process
↳ C:\WINDOWS\system32\cjxbjnkizl.exe

Creates File: C:\WINDOWS\system32\osfdsfbapa\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\cjxbjnkizl.exe"

Creates File: C:\WINDOWS\system32\osfdsfbapa\tst

Process
↳ C:\WINDOWS\TEMP\bfujnk1r4kckdtd.exe -r 49706 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:
