Analysis Date: 2015-07-30 13:48:58
MD5: ad3ebec2e5ebf1d66ba1301a72d556a1
SHA1: c2c4a0f61889d2637debbc9d252d220ca0bb21bc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 01c1708f1ab286868efb71d0e33f0078  sha1: f119a42a5c59348ecf16cc2e51aeef5535e44d4c  size: 155136
Section .rdata  md5: 1daa129a54f8e44535040c1f8e548a86  sha1: 1fee332bbd52d890b7b3eb682a14050b4c0659bc  size: 38400
Section .data   md5: 0b5b49fa4d319626c72af6eb97f435df  sha1: de46bb150edf8909f24a3ca4da0e52c1b8f31b08  size: 7168
Timestamp (PE header TimeDateStamp): 2015-03-13 09:11:43
Packer: Microsoft Visual C++ ?.?
PEhash: 925c3cae40a36486f9b0832e476a971d41b9bcb2
IMPhash: e921a65fc9b7860831fbf9ef211d9384
AV BullGuard: Gen:Variant.Zusy.138111
AV Frisk (f-prot): no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Ad-Aware: Gen:Variant.Zusy.138111
AV VirusBlokAda (vba32): no_virus
AV Eset (nod32): Win32/Rodecap.BJ
AV Alwil (avast): Kryptik-PDK [Trj]
AV K7: Trojan ( 004bda2e1 )
AV MicroWorld (escan): Gen:Variant.Zusy.138111
AV Twister: Trojan.Scar.iyes.fkks
AV Zillya!: Trojan.Scar.Win32.88823
AV Ikarus: Trojan.Win32.Rodecap
AV CAT (quickheal): Trojan.Scar.r3
AV BitDefender: Gen:Variant.Zusy.138111
AV Emsisoft: Gen:Variant.Zusy.138111
AV Rising: no_virus
AV ClamAV: no_virus
AV MalwareBytes: Trojan.Agent
AV Padvish: no_virus
AV Arcabit (arcavir): Gen:Variant.Zusy.138111
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV F-Secure: Gen:Variant.Zusy.138111
AV Fortinet: W32/Rodecap.BJ!tr
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV Symantec: Downloader.Upatre!g15
AV CA (E-Trust Ino): no_virus
AV Grisoft (avg): Win32/Cryptor
AV Mcafee: Trojan-FEVX!AD3EBEC2E5EB
AV Avira (antivir): TR/Spy.ZBot.xbbeoiq
AV Dr. Web: Trojan.DownLoader13.13228
AV Trend Micro: no_virus
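Added example, not part of the sandbox output: the per-section md5/sha1/size values and the PE timestamp above come straight from the PE headers, and reproducing them is how an analyst pivots on a section hash across samples. The parser below walks the DOS header, PE signature, COFF header and section table with the standard library only; `build_sample_pe` produces a constructed minimal PE32 (not the analysed file) so the script runs offline, and the import hash is deliberately not computed here.

```python
import hashlib
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Machine values this example labels; others are reported as hex.
MACHINE_NAMES = {0x14C: "Intel 80386 32-bit", 0x8664: "x86-64"}


def parse_pe_sections(data: bytes) -> dict:
    """Walk the DOS, PE and COFF headers, then hash every section's raw bytes.

    Returns the machine type, the COFF TimeDateStamp (the 'Timestamp' in the
    static details of a sandbox report) and, per section, SizeOfRawData plus the
    MD5/SHA1 of the bytes at PointerToRawData.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # the section table follows the optional header
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            # A raw range that runs past EOF means a truncated or malformed file;
            # its hash will not match a tool that trusts the declared size.
            "truncated": len(raw) != raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "timestamp": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
    }


def build_sample_pe(sections, stamp=1426237903):
    """Build a minimal, constructed PE32 (headers plus raw sections) for a self-test.

    Not the analysed sample. The default stamp is 2015-03-13 09:11:43 UTC, the
    compile time shown in this report, so the timestamp decoding can be checked.
    """
    table_off = 0x40 + 4 + 20 + 224  # DOS header, PE signature, COFF header, PE32 optional header
    raw_ptr = table_off + 40 * len(sections)
    table, body = b"", b""
    for i, (name, content) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name, len(content), 0x1000 * (i + 1),
                             len(content), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += content
        raw_ptr += len(content)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew lives at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222  # PE32 magic, remaining fields zeroed
    return dos + b"PE\0\0" + coff + opt + table + body


if __name__ == "__main__":
    import json
    import sys
    blob = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_pe([(b".text", b"hello"), (b".rdata", b"abc")]))
    print(json.dumps(parse_pe_sections(blob), indent=2))
```

Run it against a real file with `python pe_sections.py sample.exe` and compare the section hashes with the report; a mismatch on `.text` alone usually means a different build, while matching `.text` with a differing `.data` points at the same code with a re-packed configuration.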

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\bzwjhwwvckf\wygsms
Creates File: C:\bzwjhwwvckf\wygsms
Creates File: C:\bzwjhwwvckf\ljh1nhhoifxisvkadsad.exe
Deletes File: C:\WINDOWS\bzwjhwwvckf\wygsms
Creates Process: C:\bzwjhwwvckf\ljh1nhhoifxisvkadsad.exe

Process
↳ C:\bzwjhwwvckf\ljh1nhhoifxisvkadsad.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IP Error Removal COM WLAN Controls ➝ C:\bzwjhwwvckf\ejzitwc.exe
Creates File: C:\WINDOWS\bzwjhwwvckf\wygsms
Creates File: C:\bzwjhwwvckf\ejzitwc.exe
Creates File: C:\bzwjhwwvckf\wygsms
Creates File: C:\bzwjhwwvckf\miwovkusxpb
Deletes File: C:\WINDOWS\bzwjhwwvckf\wygsms
Creates Process: C:\bzwjhwwvckf\ejzitwc.exe
Creates Service: Solutions Update Copy Plug Accounts - C:\bzwjhwwvckf\ejzitwc.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1840

Process
↳ Pid 1140

Process
↳ C:\bzwjhwwvckf\ejzitwc.exe

Creates File: C:\WINDOWS\bzwjhwwvckf\wygsms
Creates File: pipe\net\NtControlPipe10
Creates File: C:\bzwjhwwvckf\oq5bpvgoxqu
Creates File: C:\bzwjhwwvckf\gzbkywoyzn.exe
Creates File: C:\bzwjhwwvckf\wygsms
Creates File: \Device\Afd\Endpoint
Creates File: C:\bzwjhwwvckf\miwovkusxpb
Deletes File: C:\WINDOWS\bzwjhwwvckf\wygsms
Creates Process: v1hhwo18mjwl "c:\bzwjhwwvckf\ejzitwc.exe"

Process
↳ C:\bzwjhwwvckf\ejzitwc.exe

Creates File: C:\WINDOWS\bzwjhwwvckf\wygsms
Creates File: C:\bzwjhwwvckf\wygsms
Deletes File: C:\WINDOWS\bzwjhwwvckf\wygsms

Process
↳ v1hhwo18mjwl "c:\bzwjhwwvckf\ejzitwc.exe"

Creates File: C:\WINDOWS\bzwjhwwvckf\wygsms
Creates File: C:\bzwjhwwvckf\wygsms
Deletes File: C:\WINDOWS\bzwjhwwvckf\wygsms
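Added example, not part of the sandbox output: a triage pass over runtime events of the kind listed above. The behaviour worth a rule here is the chain itself: an executable written into a freshly created directory directly under the drive root, that executable launched, and a Run key or service then pointed at the same path. The `SAMPLE_EVENTS` below are transcribed from this report's process tree; the event field names, the `op` values and the `triage` function are this example's own, not anything the sandbox emits.

```python
import re

# Directories that legitimately sit directly under the drive root. A dropped
# C:\<randomname>\ (C:\bzwjhwwvckf\ in this report) is not one of them.
STANDARD_TOP_DIRS = {"windows", "program files", "program files (x86)",
                     "programdata", "users", "documents and settings"}


def exe_from_cmdline(cmd):
    """Pull the first .exe path out of a bare path or a command line
    such as  v1hhwo18mjwl "c:\\dir\\file.exe"  (lower-cased for comparison)."""
    m = re.search(r'([a-z]:\\[^"]*?\.exe)', cmd, re.IGNORECASE)
    return m.group(1).lower() if m else None


def in_nonstandard_top_dir(path):
    """True for C:\\<dir>\\... where <dir> is not a standard Windows root folder."""
    m = re.match(r"^[a-z]:\\([^\\]+)\\", path.lower())
    return bool(m) and m.group(1) not in STANDARD_TOP_DIRS


def triage(events):
    """Return (finding, process, target) tuples for a list of event dicts."""
    dropped = set()   # executables written during the run, lower-cased
    findings = []
    for ev in events:
        op, proc = ev["op"], ev["proc"]
        if op == "create_file":
            path = ev["path"].lower()
            if path.endswith(".exe"):
                dropped.add(path)
                if in_nonstandard_top_dir(path):
                    findings.append(("exe dropped in non-standard top-level dir", proc, ev["path"]))
        elif op == "create_process":
            if exe_from_cmdline(ev["path"]) in dropped:
                findings.append(("dropped executable launched", proc, ev["path"]))
        elif op in ("run_key", "service"):
            exe = exe_from_cmdline(ev["path"])
            # The Run key in this report is written before the target file exists,
            # so the location test matters as much as the dropped-file test.
            if exe in dropped or (exe and in_nonstandard_top_dir(exe)):
                findings.append((f"persistence via {op}: {ev['name']}", proc, ev["path"]))
    return findings


# Constructed from the runtime section of this report (benign svchost event included).
M = r"C:\malware.exe"
L = r"C:\bzwjhwwvckf\ljh1nhhoifxisvkadsad.exe"
E = r"C:\bzwjhwwvckf\ejzitwc.exe"
SAMPLE_EVENTS = [
    {"proc": M, "op": "create_file", "path": r"C:\WINDOWS\bzwjhwwvckf\wygsms"},
    {"proc": M, "op": "create_file", "path": r"C:\bzwjhwwvckf\wygsms"},
    {"proc": M, "op": "create_file", "path": L},
    {"proc": M, "op": "create_process", "path": L},
    {"proc": L, "op": "run_key", "name": "IP Error Removal COM WLAN Controls", "path": E},
    {"proc": L, "op": "create_file", "path": E},
    {"proc": L, "op": "create_file", "path": r"C:\bzwjhwwvckf\miwovkusxpb"},
    {"proc": L, "op": "create_process", "path": E},
    {"proc": L, "op": "service", "name": "Solutions Update Copy Plug Accounts", "path": E},
    {"proc": r"C:\WINDOWS\System32\svchost.exe", "op": "create_file",
     "path": r"C:\WINDOWS\system32\WBEM\Logs\wbemess.log"},
    {"proc": E, "op": "create_file", "path": r"C:\bzwjhwwvckf\gzbkywoyzn.exe"},
    {"proc": E, "op": "create_process", "path": r'v1hhwo18mjwl "c:\bzwjhwwvckf\ejzitwc.exe"'},
]

if __name__ == "__main__":
    for finding, proc, target in triage(SAMPLE_EVENTS):
        print(f"{finding:50} {proc} -> {target}")
```

The same three checks translate directly to endpoint telemetry (file create, process create, registry set, service install) once the event dicts are populated from that source instead of a sandbox listing.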

Network Details:

DNS: partyready.net  A  8.5.1.51
DNS: partypeople.net  A  217.138.13.211
DNS: alreadycondition.net  A  95.211.230.75
DNS: crowdnation.net  A  107.161.23.204
DNS: crowdnation.net  A  142.4.203.239
DNS: crowdnation.net  A  107.191.99.114
DNS: waterplease.net  A  182.162.94.49
DNS: watercondition.net  A  204.11.56.25
DNS: womannation.net  A  50.63.202.46
DNS: smokecondition.net  A  208.91.197.241
DNS: partynation.net  A  72.52.4.91
DNS: partyplease.net  A  209.157.71.176
DNS: freshpower.net  A  195.149.84.100
DNS: freshpower.net  A  195.149.84.101
DNS: womandaughter.net  A  (no address recorded)
DNS: smokedaughter.net  A  (no address recorded)
DNS: fightready.net  A  (no address recorded)
DNS: partybrown.net  A  (no address recorded)
DNS: fightbrown.net  A  (no address recorded)
DNS: fightpeople.net  A  (no address recorded)
DNS: partydaughter.net  A  (no address recorded)
DNS: fightdaughter.net  A  (no address recorded)
DNS: freshnation.net  A  (no address recorded)
DNS: experiencenation.net  A  (no address recorded)
DNS: freshsoldier.net  A  (no address recorded)
DNS: experiencesoldier.net  A  (no address recorded)
DNS: freshplease.net  A  (no address recorded)
DNS: experienceplease.net  A  (no address recorded)
DNS: freshcondition.net  A  (no address recorded)
DNS: experiencecondition.net  A  (no address recorded)
DNS: gentlemannation.net  A  (no address recorded)
DNS: alreadynation.net  A  (no address recorded)
DNS: gentlemansoldier.net  A  (no address recorded)
DNS: alreadysoldier.net  A  (no address recorded)
DNS: gentlemanplease.net  A  (no address recorded)
DNS: alreadyplease.net  A  (no address recorded)
DNS: gentlemancondition.net  A  (no address recorded)
DNS: follownation.net  A  (no address recorded)
DNS: membernation.net  A  (no address recorded)
DNS: followsoldier.net  A  (no address recorded)
DNS: membersoldier.net  A  (no address recorded)
DNS: followplease.net  A  (no address recorded)
DNS: memberplease.net  A  (no address recorded)
DNS: followcondition.net  A  (no address recorded)
DNS: membercondition.net  A  (no address recorded)
DNS: beginnation.net  A  (no address recorded)
DNS: knownnation.net  A  (no address recorded)
DNS: beginsoldier.net  A  (no address recorded)
DNS: knownsoldier.net  A  (no address recorded)
DNS: beginplease.net  A  (no address recorded)
DNS: knownplease.net  A  (no address recorded)
DNS: begincondition.net  A  (no address recorded)
DNS: knowncondition.net  A  (no address recorded)
DNS: summernation.net  A  (no address recorded)
DNS: summersoldier.net  A  (no address recorded)
DNS: crowdsoldier.net  A  (no address recorded)
DNS: summerplease.net  A  (no address recorded)
DNS: crowdplease.net  A  (no address recorded)
DNS: summercondition.net  A  (no address recorded)
DNS: crowdcondition.net  A  (no address recorded)
DNS: thoughtnation.net  A  (no address recorded)
DNS: waternation.net  A  (no address recorded)
DNS: thoughtsoldier.net  A  (no address recorded)
DNS: watersoldier.net  A  (no address recorded)
DNS: thoughtplease.net  A  (no address recorded)
DNS: thoughtcondition.net  A  (no address recorded)
DNS: smokenation.net  A  (no address recorded)
DNS: womansoldier.net  A  (no address recorded)
DNS: smokesoldier.net  A  (no address recorded)
DNS: womanplease.net  A  (no address recorded)
DNS: smokeplease.net  A  (no address recorded)
DNS: womancondition.net  A  (no address recorded)
DNS: fightnation.net  A  (no address recorded)
DNS: partysoldier.net  A  (no address recorded)
DNS: fightsoldier.net  A  (no address recorded)
DNS: fightplease.net  A  (no address recorded)
DNS: partycondition.net  A  (no address recorded)
DNS: fightcondition.net  A  (no address recorded)
DNS: freshcentury.net  A  (no address recorded)
DNS: experiencecentury.net  A  (no address recorded)
DNS: freshfamous.net  A  (no address recorded)
DNS: experiencefamous.net  A  (no address recorded)
DNS: experiencepower.net  A  (no address recorded)
DNS: freshcountry.net  A  (no address recorded)
DNS: experiencecountry.net  A  (no address recorded)
DNS: gentlemancentury.net  A  (no address recorded)
DNS: alreadycentury.net  A  (no address recorded)
DNS: gentlemanfamous.net  A  (no address recorded)
HTTP GET: http://partyready.net/index.php?method&len  (User-Agent: empty)
HTTP GET: http://partypeople.net/index.php?method&len  (User-Agent: empty)
HTTP GET: http://alreadycondition.net/index.php?method&len  (User-Agent: empty)
HTTP GET: http://crowdnation.net/index.php?method&len  (User-Agent: empty)
HTTP GET: http://waterplease.net/index.php?method&len  (User-Agent: empty)
HTTP GET: http://watercondition.net/index.php?method&len  (User-Agent: empty)
HTTP GET: http://womannation.net/index.php?method&len  (User-Agent: empty)
HTTP GET: http://smokecondition.net/index.php?method&len  (User-Agent: empty)
HTTP GET: http://partynation.net/index.php?method&len  (User-Agent: empty)
HTTP GET: http://partyplease.net/index.php?method&len  (User-Agent: empty)
HTTP GET: http://freshpower.net/index.php?method&len  (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 8.5.1.51:80
Flows TCP: 192.168.1.1:1032 ➝ 217.138.13.211:80
Flows TCP: 192.168.1.1:1033 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1034 ➝ 107.161.23.204:80
Flows TCP: 192.168.1.1:1035 ➝ 182.162.94.49:80
Flows TCP: 192.168.1.1:1036 ➝ 204.11.56.25:80
Flows TCP: 192.168.1.1:1037 ➝ 50.63.202.46:80
Flows TCP: 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1039 ➝ 72.52.4.91:80
Flows TCP: 192.168.1.1:1040 ➝ 209.157.71.176:80
Flows TCP: 192.168.1.1:1041 ➝ 195.149.84.100:80
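Added example, not part of the sandbox output: every domain queried above has the shape <word><word>.net, and the sample only issues its `GET /index.php?method&len` (with an empty User-Agent) to the names that resolved. A detector built from the vocabulary is therefore more durable than one built from the exact list. The `FIRST` and `SECOND` word lists below are recovered from the domains in this report; the DNS log format, `scan_dns`, `candidate_domains` and `is_beacon` are this example's own, and the sample log lines are constructed (`summercountry.net` is a vocabulary combination that does not appear in the report, included to show the generalisation). The caveat: the vocabulary is only what this one run exposed, so the candidate set is a floor, not the generator's full output.

```python
import re

# Word lists recovered from the queried domains in this report.
FIRST = ["party", "already", "crowd", "water", "woman", "smoke", "fresh", "fight",
         "experience", "gentleman", "follow", "member", "begin", "known", "summer", "thought"]
SECOND = ["ready", "people", "condition", "nation", "please", "power", "daughter",
          "brown", "soldier", "century", "famous", "country"]
SECOND_SET = set(SECOND)


def split_dictionary_domain(domain):
    """Return (first, second) if domain is <first><second>.net built from the word
    lists, else None. No word in FIRST is a prefix of another, so one pass suffices."""
    host, _, tld = domain.lower().rstrip(".").rpartition(".")
    if tld != "net":
        return None
    for first in FIRST:
        if host.startswith(first) and host[len(first):] in SECOND_SET:
            return first, host[len(first):]
    return None


def candidate_domains():
    """Every pair the vocabulary can form: a blocklist or sinkhole candidate set."""
    return sorted(f"{a}{b}.net" for a in FIRST for b in SECOND)


# Constructed log format for this example: "<date> <time> <client> <qname> <qtype>".
DNS_LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (A|AAAA)$")


def scan_dns(lines):
    """Return (client, qname) for each query whose name matches the vocabulary."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, _qtype = m.groups()
        if split_dictionary_domain(qname):
            hits.append((client, qname))
    return hits


def is_beacon(req):
    """Match the request shape seen in this report: GET /index.php?method&len
    (bare parameter names, no values) with an absent or empty User-Agent."""
    return (req["method"] == "GET" and req["path"] == "/index.php"
            and req["query"] == "method&len" and not req.get("user_agent"))


# Constructed sample input, not taken from the sandbox pcap.
SAMPLE_DNS = [
    "2015-07-30 13:49:01 192.168.1.1 partyready.net A",
    "2015-07-30 13:49:01 192.168.1.1 crowdnation.net A",
    "2015-07-30 13:49:02 192.168.1.1 summercountry.net A",   # in vocabulary, not in the report
    "2015-07-30 13:49:02 192.168.1.1 update.microsoft.com A",
    "2015-07-30 13:49:03 192.168.1.1 partyready.org A",       # wrong TLD, must not match
]
SAMPLE_HTTP = [
    {"method": "GET", "host": "partyready.net", "path": "/index.php", "query": "method&len", "user_agent": ""},
    {"method": "GET", "host": "example.com", "path": "/index.php", "query": "method&len", "user_agent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    print("dictionary-domain queries:", scan_dns(SAMPLE_DNS))
    print("beacons:", [r["host"] for r in SAMPLE_HTTP if is_beacon(r)])
    print("candidate domains:", len(candidate_domains()))
```

The empty User-Agent on its own is a weak signal (plenty of tooling sends none), so `is_beacon` keys on the exact path and the value-less `method&len` query together with it; pairing a beacon hit with a vocabulary-domain DNS hit from the same client is the combination worth alerting on.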
