Analysis Date: 2015-11-30 05:09:28
MD5: 94410ad08057eb210378aca4041b8944
SHA1: cc91cafc685f4c47c2491a61d86b69a2b5ea6519

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 89d4427ee57586a7d4390b2b254570a3 sha1: 713c52e9518dc173a63e6e080183b9c567db6b53 size: 839168
Section .rdata: md5: 6cff000a787aa1e30e49006c08b4d91c sha1: 3a7c4190ced9bcec1f4439455f835b236fef4572 size: 318464
Section .data: md5: db162d615b92e3f5af30e1b2bac8f0f2 sha1: 00bafaa45156c892ac42b41fb1777ddc4d4d2835 size: 8192
Timestamp: 2015-04-15 02:02:42
Packer: Microsoft Visual C++ ?.?
PEhash: 8ab5450aa4a6f98413e9b73fc8bacf505dfa4409
IMPhash: ef4afdd899c5e65d7f9770a5b2fb02e3
AV F-Secure: Gen:Variant.Zusy.133308
AV Authentium: W32/Zusy.X.gen!Eldorado
AV MalwareBytes: no_virus
AV Dr. Web: Trojan.DownLoader17.46394
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Kryptik.DDQD
AV MicroWorld (escan): Gen:Variant.Zusy.133308
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV Twister: no_virus
AV BitDefender: Gen:Variant.Zusy.133308
AV Avira (antivir): TR/Crypt.Xpack.315552
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Fortinet: W32/Kryptik.DDQD!tr
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Z
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Gen:Variant.Zusy.133308
AV Mcafee: no_virus
AV Ad-Aware: Gen:Variant.Zusy.133308
AV Symantec: Downloader.Upatre!g15
AV K7: Trojan ( 004cd0081 )
AV Rising: 0x593cea84
AV Frisk (f-prot): no_virus
AV Emsisoft: Gen:Variant.Zusy.133308
AV Zillya!: Trojan.Kryptik.Win32.816394
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Zusy.133308
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\oucuyffkwemorhg\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\evlfczt1ld3ijhmcztnz.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\evlfczt1ld3ijhmcztnz.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\evlfczt1ld3ijhmcztnz.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Framework NetBIOS Experience KtmRm ➝ C:\WINDOWS\system32\bgpjgpzdrhsl.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\oucuyffkwemorhg\tst
Creates File: C:\WINDOWS\system32\bgpjgpzdrhsl.exe
Creates File: C:\WINDOWS\system32\oucuyffkwemorhg\etc
Creates File: C:\WINDOWS\system32\oucuyffkwemorhg\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\bgpjgpzdrhsl.exe
Creates Service: Background AutoConnect Superfetch Call PNRP - C:\WINDOWS\system32\bgpjgpzdrhsl.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1856

Process
↳ Pid 1148

Process
↳ C:\WINDOWS\system32\bgpjgpzdrhsl.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\evlfczt1su7ijh.exe
Creates File: C:\WINDOWS\system32\buydzdrky.exe
Creates File: C:\WINDOWS\system32\oucuyffkwemorhg\rng
Creates File: C:\WINDOWS\system32\oucuyffkwemorhg\cfg
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\oucuyffkwemorhg\tst
Creates File: C:\WINDOWS\system32\oucuyffkwemorhg\run
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\oucuyffkwemorhg\lck
Creates Process: WATCHDOGPROC "c:\windows\system32\bgpjgpzdrhsl.exe"
Creates Process: C:\WINDOWS\TEMP\evlfczt1su7ijh.exe -r 32966 tcp

Process
↳ C:\WINDOWS\system32\bgpjgpzdrhsl.exe

Creates File: C:\WINDOWS\system32\oucuyffkwemorhg\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\bgpjgpzdrhsl.exe"

Creates File: C:\WINDOWS\system32\oucuyffkwemorhg\tst

Process
↳ C:\WINDOWS\TEMP\evlfczt1su7ijh.exe -r 32966 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: ableread.net (Type: A) ➝ 208.91.197.241
DNS: nailthere.net (Type: A) ➝ 98.139.135.129
DNS: groupgrain.net (Type: A) ➝ 208.91.197.241
DNS: threeonly.net (Type: A) ➝ 208.91.197.241
DNS: naildeep.com (Type: A) ➝ 74.220.215.218
DNS: offernoise.net (Type: A) ➝ 208.100.26.234
DNS: deadfruit.net (Type: A) ➝ 195.22.28.199
DNS: deadfruit.net (Type: A) ➝ 195.22.28.196
DNS: deadfruit.net (Type: A) ➝ 195.22.28.197
DNS: deadfruit.net (Type: A) ➝ 195.22.28.198
DNS: deadrise.net (Type: A) ➝ 5.196.169.153
DNS: rocknoise.net (Type: A) ➝ 80.67.28.246
DNS: deadpull.net (Type: A) ➝ 50.21.182.30
DNS: humancross.net (Type: A) ➝ 112.78.117.11
DNS: hairfloor.net (Type: A) ➝ 80.237.132.84
DNS: musicfloor.net (Type: A) ➝ 137.117.172.102
DNS: fearstate.net (Type: A)
DNS: longcold.net (Type: A)
DNS: fridayloss.net (Type: A)
DNS: wrongbelow.net (Type: A)
DNS: hilldance.net (Type: A)
DNS: eggbraker.com (Type: A)
DNS: ithouneed.com (Type: A)
DNS: spendnoise.net (Type: A)
DNS: wentpull.net (Type: A)
DNS: spendpull.net (Type: A)
DNS: frontfruit.net (Type: A)
DNS: offerfruit.net (Type: A)
DNS: frontrise.net (Type: A)
DNS: offerrise.net (Type: A)
DNS: frontnoise.net (Type: A)
DNS: frontpull.net (Type: A)
DNS: offerpull.net (Type: A)
DNS: hangfruit.net (Type: A)
DNS: septemberfruit.net (Type: A)
DNS: hangrise.net (Type: A)
DNS: septemberrise.net (Type: A)
DNS: hangnoise.net (Type: A)
DNS: septembernoise.net (Type: A)
DNS: hangpull.net (Type: A)
DNS: septemberpull.net (Type: A)
DNS: joinfruit.net (Type: A)
DNS: wishfruit.net (Type: A)
DNS: joinrise.net (Type: A)
DNS: wishrise.net (Type: A)
DNS: joinnoise.net (Type: A)
DNS: wishnoise.net (Type: A)
DNS: joinpull.net (Type: A)
DNS: wishpull.net (Type: A)
DNS: rockfruit.net (Type: A)
DNS: rockrise.net (Type: A)
DNS: deadnoise.net (Type: A)
DNS: rockpull.net (Type: A)
DNS: wrongfruit.net (Type: A)
DNS: madefruit.net (Type: A)
DNS: wrongrise.net (Type: A)
DNS: maderise.net (Type: A)
DNS: wrongnoise.net (Type: A)
DNS: madenoise.net (Type: A)
DNS: wrongpull.net (Type: A)
DNS: madepull.net (Type: A)
DNS: humanthrew.net (Type: A)
DNS: hairthrew.net (Type: A)
DNS: haircross.net (Type: A)
DNS: humanshade.net (Type: A)
DNS: hairshade.net (Type: A)
DNS: humanfloor.net (Type: A)
DNS: yardthrew.net (Type: A)
DNS: musicthrew.net (Type: A)
DNS: yardcross.net (Type: A)
DNS: musiccross.net (Type: A)
DNS: yardshade.net (Type: A)
DNS: musicshade.net (Type: A)
DNS: yardfloor.net (Type: A)
DNS: wentthrew.net (Type: A)
DNS: spendthrew.net (Type: A)
DNS: wentcross.net (Type: A)
DNS: spendcross.net (Type: A)
DNS: wentshade.net (Type: A)
DNS: spendshade.net (Type: A)
DNS: wentfloor.net (Type: A)
DNS: spendfloor.net (Type: A)
DNS: frontthrew.net (Type: A)
DNS: offerthrew.net (Type: A)
DNS: frontcross.net (Type: A)
DNS: offercross.net (Type: A)
DNS: frontshade.net (Type: A)
DNS: offershade.net (Type: A)
DNS: frontfloor.net (Type: A)
DNS: offerfloor.net (Type: A)
DNS: hangthrew.net (Type: A)
DNS: septemberthrew.net (Type: A)
DNS: hangcross.net (Type: A)
DNS: septembercross.net (Type: A)
DNS: hangshade.net (Type: A)
DNS: septembershade.net (Type: A)
DNS: hangfloor.net (Type: A)
DNS: septemberfloor.net (Type: A)
DNS: jointhrew.net (Type: A)
DNS: wishthrew.net (Type: A)
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=048&sox=4b490800&lenhdr
User-Agent:
HTTP GET: http://nailthere.net/index.php?method=validate&mode=sox&v=048&sox=4b490800&lenhdr
User-Agent:
HTTP GET: http://groupgrain.net/index.php?method=validate&mode=sox&v=048&sox=4b490800&lenhdr
User-Agent:
HTTP GET: http://threeonly.net/index.php?method=validate&mode=sox&v=048&sox=4b490800&lenhdr
User-Agent:
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=048&sox=4b490800&lenhdr
User-Agent:
HTTP GET: http://offernoise.net/index.php?method=validate&mode=sox&v=048&sox=4b490800&lenhdr
User-Agent:
HTTP GET: http://deadfruit.net/index.php?method=validate&mode=sox&v=048&sox=4b490800&lenhdr
User-Agent:
HTTP GET: http://deadrise.net/index.php?method=validate&mode=sox&v=048&sox=4b490800&lenhdr
User-Agent:
HTTP GET: http://rocknoise.net/index.php?method=validate&mode=sox&v=048&sox=4b490800&lenhdr
User-Agent:
HTTP GET: http://deadpull.net/index.php?method=validate&mode=sox&v=048&sox=4b490800&lenhdr
User-Agent:
HTTP GET: http://humancross.net/index.php?method=validate&mode=sox&v=048&sox=4b490800&lenhdr
User-Agent:
HTTP GET: http://hairfloor.net/index.php?method=validate&mode=sox&v=048&sox=4b490800&lenhdr
User-Agent:
HTTP GET: http://musicfloor.net/index.php?method=validate&mode=sox&v=048&sox=4b490800&lenhdr
User-Agent:
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=048&sox=4b490800&lenhdr
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1037 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1041 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1042 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1043 ➝ 195.22.28.199:80
Flows TCP: 192.168.1.1:1044 ➝ 5.196.169.153:80
Flows TCP: 192.168.1.1:1045 ➝ 80.67.28.246:80
Flows TCP: 192.168.1.1:1046 ➝ 50.21.182.30:80
Flows TCP: 192.168.1.1:1047 ➝ 112.78.117.11:80
Flows TCP: 192.168.1.1:1048 ➝ 80.237.132.84:80
Flows TCP: 192.168.1.1:1049 ➝ 137.117.172.102:80
Flows TCP: 192.168.1.1:1050 ➝ 208.91.197.241:80
