Analysis Date: 2015-11-28 07:32:52
MD5: d97eaebd1f2022d745304b9310d9dee1
SHA1: b7e321ce553796ea60047c63fd81941cbb9d00e2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: cf7ee22a73c28ce1562c80eb686d17a4 sha1: ab7b75266344afbde092d59e06b29d7bfb404abf size: 804352
Section .rdata: md5: 9ffbb3fc2e3312f28aca790b821bccd7 sha1: bd6115540dd9c22e1a3ecd30e1a51994d6afa086 size: 58880
Section .data: md5: 394238ac65f805e95d301cd8f3063174 sha1: 39e1acd6e4547ac2ab07343dc4bc18896db38e67 size: 402944
Timestamp: 2015-01-27 08:59:55
Packer: Microsoft Visual C++ ?.?
PEhash: 8f598e3b694fcf8dec4567a100c52dec796b0eed
IMPhash: 81728458ce16324f22a48daccc501cd0
AV F-Secure: Gen:Variant.Symmi.22722
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV MalwareBytes: Trojan.FakePDF
AV Dr. Web: Trojan.DownLoader17.50500
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Kryptik.CCLE
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Trend Micro: TROJ_WONTON.SMJ1
AV ClamAV: no_virus
AV Ad-Aware: Gen:Variant.Symmi.22722
AV BitDefender: Gen:Variant.Symmi.22722
AV Avira (antivir): BDS/Zegost.Gen
AV Alwil (avast): Kryptik-OOC [Trj]
AV Fortinet: W32/Kryptik.DDQD!tr
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AE
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV Mcafee: no_virus
AV Twister: no_virus
AV Symantec: Downloader.Upatre!g15
AV K7: Trojan ( 004cd0081 )
AV Rising: 0x5941a4c2
AV Frisk (f-prot): no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\gctkjopinxgw\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\xmexdxs1m5blvx3cal7nyb.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\xmexdxs1m5blvx3cal7nyb.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\xmexdxs1m5blvx3cal7nyb.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Shadow Service Remote Initiator Video Web Health ➝ C:\WINDOWS\system32\dvhxbzdjm.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\gctkjopinxgw\tst
Creates File: C:\WINDOWS\system32\gctkjopinxgw\etc
Creates File: C:\WINDOWS\system32\dvhxbzdjm.exe
Creates File: C:\WINDOWS\system32\gctkjopinxgw\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\dvhxbzdjm.exe
Creates Service: Software Notification DHCP Visual Sharing - C:\WINDOWS\system32\dvhxbzdjm.exe

Process
↳ Pid 816

Process
↳ Pid 868

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1128

Process
↳ Pid 1224

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1868

Process
↳ Pid 1184

Process
↳ C:\WINDOWS\system32\dvhxbzdjm.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\xmexdxs1t0plvx3.exe
Creates File: C:\WINDOWS\system32\gctkjopinxgw\tst
Creates File: C:\WINDOWS\system32\gctkjopinxgw\run
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\pslaueo.exe
Creates File: C:\WINDOWS\system32\gctkjopinxgw\cfg
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\gctkjopinxgw\lck
Creates File: C:\WINDOWS\system32\gctkjopinxgw\rng
Creates Process: WATCHDOGPROC "c:\windows\system32\dvhxbzdjm.exe"
Creates Process: C:\WINDOWS\TEMP\xmexdxs1t0plvx3.exe -r 32911 tcp

Process
↳ C:\WINDOWS\system32\dvhxbzdjm.exe

Creates File: C:\WINDOWS\system32\gctkjopinxgw\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\dvhxbzdjm.exe"

Creates File: C:\WINDOWS\system32\gctkjopinxgw\tst

Process
↳ C:\WINDOWS\TEMP\xmexdxs1t0plvx3.exe -r 32911 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=036&sox=4aff3800&lenhdr
User-Agent:
HTTP GET: http://enemyguess.net/index.php?method=validate&mode=sox&v=036&sox=4aff3800&lenhdr
User-Agent:
HTTP GET: http://queentell.net/index.php?method=validate&mode=sox&v=036&sox=4aff3800&lenhdr
User-Agent:
HTTP GET: http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=036&sox=4aff3800&lenhdr
User-Agent:
HTTP GET: http://mouthrest.net/index.php?method=validate&mode=sox&v=036&sox=4aff3800&lenhdr
User-Agent:
HTTP GET: http://drivethirteen.net/index.php?method=validate&mode=sox&v=036&sox=4aff3800&lenhdr
User-Agent:
HTTP GET: http://faceboat.net/index.php?method=validate&mode=sox&v=036&sox=4aff3800&lenhdr
User-Agent:
HTTP GET: http://muchhappy.net/index.php?method=validate&mode=sox&v=036&sox=4aff3800&lenhdr
User-Agent:
HTTP GET: http://equalcould.net/index.php?method=validate&mode=sox&v=036&sox=4aff3800&lenhdr
User-Agent:
HTTP GET: http://thisgrave.net/index.php?method=validate&mode=sox&v=036&sox=4aff3800&lenhdr
User-Agent:
HTTP GET: http://southnews.net/index.php?method=validate&mode=sox&v=036&sox=4aff3800&lenhdr
User-Agent:
HTTP GET: http://whichbroke.net/index.php?method=validate&mode=sox&v=036&sox=4aff3800&lenhdr
User-Agent:
HTTP GET: http://spotmark.net/index.php?method=validate&mode=sox&v=036&sox=4aff3800&lenhdr
User-Agent:
HTTP GET: http://spotnews.net/index.php?method=validate&mode=sox&v=036&sox=4aff3800&lenhdr
User-Agent:
HTTP GET: http://saltnews.net/index.php?method=validate&mode=sox&v=036&sox=4aff3800&lenhdr
User-Agent: