Analysis Date2015-10-17 14:19:53
MD5183e3742443747e6452fdb27b0ae2160
SHA1cf89c7d066b2361a6b357351623baaa4edffe72d

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 714beccafe4e6b9c762ef7170d2a5400 sha1: 0a0fed431ddfaa5031f33b419869e1f8b97843e8 size: 334848
Section.rdata md5: 1f1770ad623e1df0c232b0bab4bc1fcc sha1: ef22c91aefbcf449dd0de277e29f0bb12aa64ba2 size: 153088
Section.data md5: a0cc10c54ff58bb908a439ff0cf26780 sha1: 245deb65a0163b9de6b352765bdf154e848058bc size: 26624
Section.rsrc md5: e1494ddf4e4ace88164727fe354d5850 sha1: dbddff56b2bd6496657830cb4e95cfd7f2c087cf size: 2239488
Timestamp1970-01-01 06:27:13
Pdb pathC:\Bin\setup.pdb
VersionLegalCopyright: Copyright ? 2013
FileVersion: 3, 15, 9, 1711
CompanyName: MICROSOFT
ProductName: sunshine
ProductVersion: 1, 0, 0, 2
OriginalFilename: tomgo
PackerMicrosoft Visual C++ ?.?
PEhash77a6086c237c4a1d70035b8423d7a57e3ce1edfb
IMPhash4ca0a24dbc751324aa7e7f0cb8c2109f
AVCA (E-Trust Ino)no_virus
AVF-SecureGen:Variant.Zusy.118140
AVDr. WebTrojan.DownLoader16.40181:DLOADER.Trojan - infected container
AVClamAVWin.Trojan.Ascii.115_238_251_56-1
AVArcabit (arcavir)Gen:Variant.Zusy.118140:Gen:Variant.Mikey.25218:DeepScan:Generic.Malware.P!Pk!.B27A4187:Trojan.Generic.14936877:Trojan.Generic.11782610:Gen:Trojan.Heur.LP.du4@aaYL6Cpi:Trojan.Generic.14934268
AVBullGuardGen:Variant.Zusy.118140
AVPadvishno_virus
AVVirusBlokAda (vba32)BScope.Malware-Cryptor.NSAnti.Gen.1
AVCAT (quickheal)Backdoor.Dusenr.08124
AVTrend MicroBKDR_IXESHE.SML
AVKasperskyTrojan.Win32.Generic:Trojan-Dropper.Win32.Daws.dtdj
AVZillya!Trojan.Zzinfor.Win32.133
AVEmsisoftGen:Variant.Zusy.118140
AVIkarusPUA.Zzinfor
AVFrisk (f-prot)W32/SYStroj.N.gen!Eldorado
AVAuthentiumW32/Trojan.XRIC-1106
AVMalwareBytesno_virus
AVMicroWorld (escan)Gen:Variant.Zusy.118140
AVMicrosoft Security EssentialsTrojan:Win32/Skeeyah.A!rfn
AVK7no_virus
AVBitDefenderGen:Variant.Zusy.118140
AVFortinetW32/Daws.DTDJ!tr
AVSymantecno_virus
AVGrisoft (avg)Hider.ADZR.dropper
AVEset (nod32)no_virus
AVAlwil (avast)Malware-gen:GenMaliciousA-NAP [Trj]:Trojan-gen:Rofin-A [Trj]:Win32:Malware-gen:Win32:Trojan-gen
AVAd-AwareGen:Variant.Zusy.118140
AVTwisterTrojan.Generic.qdwn
AVAvira (antivir)TR/Rogue.27840:TR/Spy.Agent.58880.2:TR/Downloader.Gen7
AVMcafeeRDN/Generic Dropper:RDN/Generic.bfr
AVRisingTrojan.Win32.Zzinfor.d:Trojan.Win32.Zzinfor.f

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_LOCAL_MACHINE\SOFTWARE\123\AddShExe ➝
NULL
RegistryHKEY_CLASSES_ROOT\Microsoft.IE\ ➝
C:\lactose.exe
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonZoneCrossing ➝
NULL
Creates FileC:\DProEx.sys
Creates FileC:\configWord.cf
Creates FileC:\reTcp.sys
Creates FileDProEx
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates FileC:\config.ini
Creates FileC:\lactose.exe
Creates FileC:\Windows\System32\clk.ini
Creates FileC:\WINDOWS\he1p
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FileFixTool
Creates FileC:\Windows\System32\cBLK.dll
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates ServiceDProEx.sys - C:\DProEx.sys
Creates ServicereTcp.sys - C:\reTcp.sys
Starts ServiceDProEx
Starts ServiceFixTool
Winsock URLhttp://ad.zzinfor.cn/static/hotkey.txt

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 868

Process
↳ C:\WINDOWS\System32\svchost.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝
NULL
Creates FileC:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG

Process
↳ Pid 1128

Process
↳ Pid 1224

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝
NULL
Creates FileWMIDataDevice

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\Explorer.EXE

Network Details:

DNS1st.ecoma.ourwebpic.com
Type: A
8.37.235.3
DNS1st.ecoma.ourwebpic.com
Type: A
8.37.235.5
DNS1st.ecoma.ourwebpic.com
Type: A
8.37.235.6
DNS1st.ecoma.ourwebpic.com
Type: A
8.37.236.2
DNS1st.ecoma.ourwebpic.com
Type: A
8.37.236.3
DNS1st.ecoma.ourwebpic.com
Type: A
8.37.236.5
DNS1st.ecoma.ourwebpic.com
Type: A
8.37.236.6
DNS1st.ecoma.ourwebpic.com
Type: A
8.37.231.20
DNS1st.ecoma.ourwebpic.com
Type: A
8.37.231.21
DNS1st.ecoma.ourwebpic.com
Type: A
8.37.231.22
DNS1st.ecoma.ourwebpic.com
Type: A
8.37.234.3
DNS1st.ecoma.ourwebpic.com
Type: A
8.37.234.4
DNSad.zzinfor.cn
Type: A
HTTP GEThttp://ad.zzinfor.cn/static/hotkey.txt
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 8.37.235.3:80

Raw Pcap
0x00000000 (00000)   47455420 2f737461 7469632f 686f746b   GET /static/hotk
0x00000010 (00016)   65792e74 78742048 5454502f 312e310d   ey.txt HTTP/1.1.
0x00000020 (00032)   0a486f73 743a2061 642e7a7a 696e666f   .Host: ad.zzinfo
0x00000030 (00048)   722e636e 0d0a0d0a                     r.cn....

Strings