Analysis Date: 2015-08-26 03:51:54
MD5: bbf5584f52dfd00f059cc2241d83aefe
SHA1: cf041b240d6191362b399f7c6969d1cdb7616c22

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 63f6433c8a08e5f6e144ca0b62eab432 sha1: 52345555484f58293cfd1601473cbc182c223311 size: 1405952
Section .rdata: md5: 9c03711718f7c8a5abf91dd95280a52f sha1: 28734b372f872620ccc1d7d1df05f8c5234ba762 size: 336896
Section .data: md5: 248c066547b05c9330e529fdc11ffa1e sha1: 0611b87889a56ab21ef4e2d895a9c7aa35cd6ae0 size: 8192
Section .reloc: md5: 19f1b5df1f08c61831667b29a869375c sha1: 7f455590853f518852b46c33b8a1f564ce28424b size: 202240
Timestamp: 2015-05-11 04:34:46
Packer: VC8 -> Microsoft Corporation
PEhash: e76dfd3665c3be67251fa612fc9621522742e7e6
IMPhash: 466b74eae9c45797feb8bbfaace8736b
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.611782
AV Dr. Web: Trojan.Bayrob.5
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.611782
AV BullGuard: Gen:Variant.Kazy.611782
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Backdoor.Win32.SoxGrave.aht
AV Zillya!: Backdoor.SoxGrave.Win32.232
AV Emsisoft: Gen:Variant.Kazy.611782
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.611782
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BN
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Kazy.611782
AV Fortinet: W32/Bayrob.X!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Z
AV Alwil (avast): Dropper-OJQ [Drp]
AV Ad-Aware: Gen:Variant.Kazy.611782
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.Xpack.254136
AV Mcafee: Trojan-FGIJ!BBF5584F52DF

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\iddpevleqgb\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\keidbbq1mairh3dkor2tj.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\keidbbq1mairh3dkor2tj.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\keidbbq1mairh3dkor2tj.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Adaptive Workstation Presentation RPC ➝ C:\WINDOWS\system32\twcyekpfu.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\iddpevleqgb\etc
Creates File: C:\WINDOWS\system32\iddpevleqgb\tst
Creates File: C:\WINDOWS\system32\twcyekpfu.exe
Creates File: C:\WINDOWS\system32\iddpevleqgb\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\twcyekpfu.exe
Creates Service: System Solutions Call Network Task - C:\WINDOWS\system32\twcyekpfu.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1880

Process
↳ Pid 1176

Process
↳ C:\WINDOWS\system32\twcyekpfu.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\keidbbq1u52rh3.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\iddpevleqgb\tst
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\iddpevleqgb\cfg
Creates File: C:\WINDOWS\system32\iddpevleqgb\rng
Creates File: C:\WINDOWS\system32\iddpevleqgb\run
Creates File: C:\WINDOWS\system32\vxzcijqqynt.exe
Creates File: C:\WINDOWS\system32\iddpevleqgb\lck
Creates Process: WATCHDOGPROC "c:\windows\system32\twcyekpfu.exe"
Creates Process: C:\WINDOWS\TEMP\keidbbq1u52rh3.exe -r 33245 tcp

Process
↳ C:\WINDOWS\system32\twcyekpfu.exe

Creates File: C:\WINDOWS\system32\iddpevleqgb\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\twcyekpfu.exe"

Creates File: C:\WINDOWS\system32\iddpevleqgb\tst

Process
↳ C:\WINDOWS\TEMP\keidbbq1u52rh3.exe -r 33245 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: recordsoldier.net (Type: A) ➝ 208.91.197.241
DNS: fliersurprise.net (Type: A) ➝ 208.91.197.241
DNS: historybright.net (Type: A) ➝ 208.91.197.241
DNS: chiefsoldier.net (Type: A) ➝ 208.91.197.241
DNS: classsurprise.net (Type: A) ➝ 208.91.197.241
DNS: thosecontinue.net (Type: A) ➝ 208.91.197.241
DNS: throughcontain.net (Type: A) ➝ 208.91.197.241
DNS: belongguard.net (Type: A) ➝ 208.91.197.241
DNS: maybellinethaddeus.net (Type: A) ➝ 208.91.197.241
DNS: kimberleyshavonne.net (Type: A) ➝ 208.91.197.241
DNS: naildeep.com (Type: A) ➝ 74.220.215.218
DNS: riddenstorm.net (Type: A) ➝ 66.147.240.171
DNS: destroystorm.net (Type: A) ➝ 216.239.138.86
DNS: fieldmark.net (Type: A) ➝ 184.168.221.55
DNS: queenmark.net (Type: A) ➝ 50.63.202.49
DNS: queennews.net (Type: A) ➝ 95.211.230.75
DNS: facebroke.net (Type: A) ➝ 184.168.221.96
DNS: facemark.net (Type: A) ➝ 104.27.132.14
DNS: facemark.net (Type: A) ➝ 104.27.133.14
DNS: walkmark.net (Type: A) ➝ 216.239.34.21
DNS: walkmark.net (Type: A) ➝ 216.239.32.21
DNS: walkmark.net (Type: A) ➝ 216.239.38.21
DNS: walkmark.net (Type: A) ➝ 216.239.36.21
DNS: storymark.net (Type: A) ➝ 217.160.43.180
DNS: storynews.net (Type: A) ➝ 211.234.63.232
DNS: aftermark.net (Type: A) ➝ 192.254.190.141
DNS: forcemark.net (Type: A) ➝ 85.214.44.166
DNS: afternews.net (Type: A) ➝ 184.168.221.20
DNS: sellbroke.net (Type: A) ➝ 50.63.202.2
DNS: sellmark.net (Type: A) ➝ 23.229.139.168
DNS: drivemark.net (Type: A) ➝ 129.247.247.157
DNS: drivenews.net (Type: A) ➝ 5.22.149.135
DNS: nailnews.net (Type: A) ➝ 116.126.87.97
DNS: fieldthan.net (Type: A) ➝ 208.91.197.241
DNS: queenking.net (Type: A) ➝ 8.5.1.51
DNS: husbandfound.net (Type: A)
DNS: leadershort.net (Type: A)
DNS: eggbraker.com (Type: A)
DNS: ithouneed.com (Type: A)
DNS: drivegrave.net (Type: A)
DNS: nailgrave.net (Type: A)
DNS: fieldstate.net (Type: A)
DNS: queenstate.net (Type: A)
DNS: fieldbroke.net (Type: A)
DNS: queenbroke.net (Type: A)
DNS: fieldnews.net (Type: A)
DNS: bothstate.net (Type: A)
DNS: gainstate.net (Type: A)
DNS: bothbroke.net (Type: A)
DNS: gainbroke.net (Type: A)
DNS: bothmark.net (Type: A)
DNS: gainmark.net (Type: A)
DNS: bothnews.net (Type: A)
DNS: gainnews.net (Type: A)
DNS: leaststate.net (Type: A)
DNS: facestate.net (Type: A)
DNS: leastbroke.net (Type: A)
DNS: leastmark.net (Type: A)
DNS: leastnews.net (Type: A)
DNS: facenews.net (Type: A)
DNS: monthstate.net (Type: A)
DNS: walkstate.net (Type: A)
DNS: monthbroke.net (Type: A)
DNS: walkbroke.net (Type: A)
DNS: monthmark.net (Type: A)
DNS: monthnews.net (Type: A)
DNS: walknews.net (Type: A)
DNS: storystate.net (Type: A)
DNS: weakstate.net (Type: A)
DNS: storybroke.net (Type: A)
DNS: weakbroke.net (Type: A)
DNS: weakmark.net (Type: A)
DNS: weaknews.net (Type: A)
DNS: afterstate.net (Type: A)
DNS: forcestate.net (Type: A)
DNS: afterbroke.net (Type: A)
DNS: forcebroke.net (Type: A)
DNS: forcenews.net (Type: A)
DNS: sellstate.net (Type: A)
DNS: wednesdaystate.net (Type: A)
DNS: wednesdaybroke.net (Type: A)
DNS: wednesdaymark.net (Type: A)
DNS: sellnews.net (Type: A)
DNS: wednesdaynews.net (Type: A)
DNS: drivestate.net (Type: A)
DNS: nailstate.net (Type: A)
DNS: drivebroke.net (Type: A)
DNS: nailbroke.net (Type: A)
DNS: nailmark.net (Type: A)
DNS: queenthan.net (Type: A)
DNS: fieldread.net (Type: A)
DNS: queenread.net (Type: A)
DNS: fieldmile.net (Type: A)
DNS: queenmile.net (Type: A)
DNS: fieldking.net (Type: A)
DNS: boththan.net (Type: A)
DNS: gainthan.net (Type: A)
DNS: bothread.net (Type: A)
DNS: gainread.net (Type: A)
DNS: bothmile.net (Type: A)
DNS: gainmile.net (Type: A)
DNS: bothking.net (Type: A)
DNS: gainking.net (Type: A)
DNS: leastthan.net (Type: A)
DNS: facethan.net (Type: A)
DNS: leastread.net (Type: A)
HTTP GET: http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://fieldmark.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://queenmark.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://queennews.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://facebroke.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://facemark.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://walkmark.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://storymark.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://storynews.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://aftermark.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://forcemark.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://afternews.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://sellbroke.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://sellmark.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://drivemark.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://drivenews.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://nailnews.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://fieldthan.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://queenking.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://fieldmark.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://queenmark.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://queennews.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://facebroke.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
HTTP GET: http://facemark.net/index.php?method=validate&mode=sox&v=050&sox=4f5d0407&lenhdr  User-Agent: (blank)
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1043 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1046 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1047 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1048 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1049 ➝ 216.239.138.86:80
Flows TCP: 192.168.1.1:1050 ➝ 184.168.221.55:80
Flows TCP: 192.168.1.1:1051 ➝ 50.63.202.49:80
Flows TCP: 192.168.1.1:1052 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1053 ➝ 184.168.221.96:80
Flows TCP: 192.168.1.1:1054 ➝ 104.27.132.14:80
Flows TCP: 192.168.1.1:1055 ➝ 216.239.34.21:80
Flows TCP: 192.168.1.1:1056 ➝ 217.160.43.180:80
Flows TCP: 192.168.1.1:1057 ➝ 211.234.63.232:80
Flows TCP: 192.168.1.1:1058 ➝ 192.254.190.141:80
Flows TCP: 192.168.1.1:1059 ➝ 85.214.44.166:80
Flows TCP: 192.168.1.1:1060 ➝ 184.168.221.20:80
Flows TCP: 192.168.1.1:1061 ➝ 50.63.202.2:80
Flows TCP: 192.168.1.1:1062 ➝ 23.229.139.168:80
Flows TCP: 192.168.1.1:1063 ➝ 129.247.247.157:80
Flows TCP: 192.168.1.1:1064 ➝ 5.22.149.135:80
Flows TCP: 192.168.1.1:1065 ➝ 116.126.87.97:80
Flows TCP: 192.168.1.1:1066 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1067 ➝ 8.5.1.51:80
Flows TCP: 192.168.1.1:1068 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1069 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1070 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1071 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1072 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1073 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1074 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1075 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1076 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1077 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1078 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1079 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1080 ➝ 216.239.138.86:80
Flows TCP: 192.168.1.1:1081 ➝ 184.168.221.55:80
Flows TCP: 192.168.1.1:1082 ➝ 50.63.202.49:80
Flows TCP: 192.168.1.1:1083 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1084 ➝ 184.168.221.96:80
Flows TCP: 192.168.1.1:1085 ➝ 104.27.132.14:80