Analysis Date: 2015-10-03 10:01:41
MD5: bb6efbfdec7b615b99653732b8ee79b1
SHA1: bde3e38a3cba9c1d903d6e8ab2f210c5a38f464e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 269cb0c2a7da3202efc8d6bf05bb208a sha1: 8b3a41d95ef7ff678d3cec4ced770cfd4bbafd9f size: 791040
Section .rdata md5: b9bc77abc20ea1550d07e5922b701d5d sha1: 9fb5fe882bd65b2a84285d39fb6c6d7bdaa0e9f3 size: 59392
Section .data md5: 3b7a77558b2f2572cb8b43ecd96a954f sha1: 86ec946b072dd8e5e93e198b2eed67a2357b8466 size: 421888
Timestamp: 2015-01-27 08:45:54
Packer: Microsoft Visual C++ ?.?
PEhash: 66cbd1c0d31509884ad34e5a5dde32c92ff5f492
IMPhash: c23aaad04b5ec6803907694e2a75299a
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.62279
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Kryptik-OOC [Trj]
AV Eset (nod32): Win32/Kryptik.CCLE
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Kryptik.DDQD!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: Trojan ( 004cd0081 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: no_virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Win32.Cryptor
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_WONTON.SMJ1
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\jp2mjcuvtipdvbe5gjiw.exe
Creates File: C:\WINDOWS\system32\mlmhvthz\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\jp2mjcuvtipdvbe5gjiw.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\jp2mjcuvtipdvbe5gjiw.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\PC Player Detection User-mode Parental ➝ C:\WINDOWS\system32\yhjqhphyvx.exe
Creates File: C:\WINDOWS\system32\yhjqhphyvx.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\mlmhvthz\etc
Creates File: C:\WINDOWS\system32\mlmhvthz\tst
Creates File: C:\WINDOWS\system32\mlmhvthz\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\yhjqhphyvx.exe
Creates Service: Class Protected Debugger HomeGroup - C:\WINDOWS\system32\yhjqhphyvx.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\DhcpNameServer ➝ 192.168.254.254\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\Parameters\Tcpip\DhcpDefaultGateway ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer ➝ 192.168.254.254\\x00
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Prefetch\JP2MJCUVZV0DVB.EXE-04CFB00C.pf
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\Prefetch\JP2MJCUVTIPDVBE5GJIW.EXE-206C2785.pf
Creates File: C:\WINDOWS\Prefetch\BDE3E38A3CBA9C1D903D6E8AB2F21-12DCED27.pf
Creates File: NDIS
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\ELIMVBUXZGVR.EXE-34819178.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf
Creates File: C:\WINDOWS\Prefetch\YHJQHPHYVX.EXE-0F894E21.pf

Process
↳ Pid 1212

Process
↳ Pid 1324

Process
↳ Pid 1880

Process
↳ Pid 756

Process
↳ C:\WINDOWS\system32\yhjqhphyvx.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\jp2mjcuvzv0dvb.exe
Creates File: C:\WINDOWS\system32\mlmhvthz\tst
Creates File: C:\WINDOWS\system32\elimvbuxzgvr.exe
Creates File: C:\WINDOWS\system32\mlmhvthz\lck
Creates File: C:\WINDOWS\system32\mlmhvthz\run
Creates File: C:\WINDOWS\system32\mlmhvthz\rng
Creates File: C:\WINDOWS\system32\mlmhvthz\cfg
Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\TEMP\jp2mjcuvzv0dvb.exe
Creates Process: WATCHDOGPROC "c:\windows\system32\yhjqhphyvx.exe"
Creates Process: C:\WINDOWS\TEMP\jp2mjcuvzv0dvb.exe -r 23472 tcp

Process
↳ C:\WINDOWS\system32\yhjqhphyvx.exe

Creates File: C:\WINDOWS\system32\mlmhvthz\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\yhjqhphyvx.exe"

Creates File: C:\WINDOWS\system32\mlmhvthz\tst

Process
↳ C:\WINDOWS\TEMP\jp2mjcuvzv0dvb.exe -r 23472 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:
