Analysis Date | 2015-10-17 14:19:53 |
---|---|
MD5 | 183e3742443747e6452fdb27b0ae2160 |
SHA1 | cf89c7d066b2361a6b357351623baaa4edffe72d |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: 714beccafe4e6b9c762ef7170d2a5400 sha1: 0a0fed431ddfaa5031f33b419869e1f8b97843e8 size: 334848 | |
Section | .rdata md5: 1f1770ad623e1df0c232b0bab4bc1fcc sha1: ef22c91aefbcf449dd0de277e29f0bb12aa64ba2 size: 153088 | |
Section | .data md5: a0cc10c54ff58bb908a439ff0cf26780 sha1: 245deb65a0163b9de6b352765bdf154e848058bc size: 26624 | |
Section | .rsrc md5: e1494ddf4e4ace88164727fe354d5850 sha1: dbddff56b2bd6496657830cb4e95cfd7f2c087cf size: 2239488 | |
Timestamp | 1970-01-01 06:27:13 (seconds after the Unix epoch; the link timestamp is zeroed or forged, not a real build time) | |
Pdb path | C:\Bin\setup.pdb | |
Version | LegalCopyright: Copyright © 2013; FileVersion: 3, 15, 9, 1711; CompanyName: MICROSOFT; ProductName: sunshine; ProductVersion: 1, 0, 0, 2; OriginalFilename: tomgo | |
Packer | Microsoft Visual C++ ?.? | |
PEhash | 77a6086c237c4a1d70035b8423d7a57e3ce1edfb | |
IMPhash | 4ca0a24dbc751324aa7e7f0cb8c2109f | |
AV | CA (E-Trust Ino) | no_virus |
AV | F-Secure | Gen:Variant.Zusy.118140 |
AV | Dr. Web | Trojan.DownLoader16.40181:DLOADER.Trojan - infected container |
AV | ClamAV | Win.Trojan.Ascii.115_238_251_56-1 |
AV | Arcabit (arcavir) | Gen:Variant.Zusy.118140:Gen:Variant.Mikey.25218:DeepScan:Generic.Malware.P!Pk!.B27A4187:Trojan.Generic.14936877:Trojan.Generic.11782610:Gen:Trojan.Heur.LP.du4@aaYL6Cpi:Trojan.Generic.14934268 |
AV | BullGuard | Gen:Variant.Zusy.118140 |
AV | Padvish | no_virus |
AV | VirusBlokAda (vba32) | BScope.Malware-Cryptor.NSAnti.Gen.1 |
AV | CAT (quickheal) | Backdoor.Dusenr.08124 |
AV | Trend Micro | BKDR_IXESHE.SML |
AV | Kaspersky | Trojan.Win32.Generic:Trojan-Dropper.Win32.Daws.dtdj |
AV | Zillya! | Trojan.Zzinfor.Win32.133 |
AV | Emsisoft | Gen:Variant.Zusy.118140 |
AV | Ikarus | PUA.Zzinfor |
AV | Frisk (f-prot) | W32/SYStroj.N.gen!Eldorado |
AV | Authentium | W32/Trojan.XRIC-1106 |
AV | MalwareBytes | no_virus |
AV | MicroWorld (escan) | Gen:Variant.Zusy.118140 |
AV | Microsoft Security Essentials | Trojan:Win32/Skeeyah.A!rfn |
AV | K7 | no_virus |
AV | BitDefender | Gen:Variant.Zusy.118140 |
AV | Fortinet | W32/Daws.DTDJ!tr |
AV | Symantec | no_virus |
AV | Grisoft (avg) | Hider.ADZR.dropper |
AV | Eset (nod32) | no_virus |
AV | Alwil (avast) | Malware-gen:GenMaliciousA-NAP [Trj]:Trojan-gen:Rofin-A [Trj]:Win32:Malware-gen:Win32:Trojan-gen |
AV | Ad-Aware | Gen:Variant.Zusy.118140 |
AV | Twister | Trojan.Generic.qdwn |
AV | Avira (antivir) | TR/Rogue.27840:TR/Spy.Agent.58880.2:TR/Downloader.Gen7 |
AV | Mcafee | RDN/Generic Dropper:RDN/Generic.bfr |
AV | Rising | Trojan.Win32.Zzinfor.d:Trojan.Win32.Zzinfor.f |
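The static fields above (section table with per-section MD5/SHA1 and sizes, link timestamp, machine type) come straight out of the PE header with a few struct reads. The following is an added example, not part of the sandbox report, that performs that parse and applies two triage heuristics a reviewer would reach for on this sample: an epoch-era TimeDateStamp and a .rsrc section that dominates the file (here 2.2 MB of a 2.7 MB image, consistent with the dropped .sys/.exe/.dll files in the runtime section). It runs against a minimal PE32 image constructed inside the block, so the hashes it prints belong to that constructed image, not to this sample; the year-2000 cut-off and the 50% .rsrc threshold are assumed heuristics, and the 06:27:13 rendering assumes the report clock is UTC.

```python
import hashlib
import struct
from datetime import datetime, timezone

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
ANALYSIS_EPOCH = 1445091593           # 2015-10-17 14:19:53 UTC, the report's analysis date


def parse_pe(data):
    """Read e_lfanew, the COFF file header and the section table; hash each section's raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE\\0\\0 signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        (name, _vsize, _vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]      # on-disk bytes, which is what the report hashes
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            "code": bool(chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)),
        })
    return {"machine": machine, "timestamp": timestamp, "sections": sections}


def timestamp_to_utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def triage_flags(pe, analysis_epoch, min_plausible=946684800):
    """Header heuristics; the 2000-01-01 floor and the 50% .rsrc share are assumed thresholds."""
    flags = []
    if pe["timestamp"] < min_plausible:              # catches zeroed and epoch-era stamps
        flags.append("link timestamp %s is implausibly old" % timestamp_to_utc(pe["timestamp"]))
    if pe["timestamp"] > analysis_epoch:
        flags.append("link timestamp is later than the analysis date")
    total = sum(s["size"] for s in pe["sections"]) or 1
    for s in pe["sections"]:
        if s["name"] == ".rsrc" and s["size"] * 2 > total:
            flags.append(".rsrc holds %d%% of the file: likely embedded payloads" % (100 * s["size"] // total))
    return flags


def build_sample_pe():
    """Constructed minimal PE32 image (NOT the analysed sample): two sections, epoch-era stamp.
    Section bodies are placeholders chosen for their well-known digests."""
    text_body = b"abc"
    rsrc_body = b"The quick brown fox jumps over the lazy dog"
    text_off, rsrc_off = 0x200, 0x400
    image = bytearray(0x500)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)                                  # e_lfanew
    image[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", image, 0x44, 0x14C, 2, 23233, 0, 0, 224, 0x0102)  # i386, 2 sections, 23233s after epoch
    struct.pack_into("<H", image, 0x58, 0x10B)                                 # optional header magic: PE32
    hdr = 0x58 + 224
    struct.pack_into(SECTION_HDR, image, hdr, b".text", len(text_body), 0x1000,
                     len(text_body), text_off, 0, 0, 0, 0, 0x60000020)         # code | execute | read
    struct.pack_into(SECTION_HDR, image, hdr + 40, b".rsrc", len(rsrc_body), 0x2000,
                     len(rsrc_body), rsrc_off, 0, 0, 0, 0, 0x40000040)         # initialized data | read
    image[text_off:text_off + len(text_body)] = text_body
    image[rsrc_off:rsrc_off + len(rsrc_body)] = rsrc_body
    return bytes(image)


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print("Timestamp |", timestamp_to_utc(pe["timestamp"]))
    for s in pe["sections"]:
        print("Section | %s md5: %s sha1: %s size: %d" % (s["name"], s["md5"], s["sha1"], s["size"]))
    for flag in triage_flags(pe, ANALYSIS_EPOCH):
        print("Flag |", flag)
```

The same parse run over the real sample would reproduce the Section rows above; the two flags are the ones a reviewer should already have raised from those rows by eye.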
Runtime Details:
Process
↳ C:\malware.exe
Registry | HKEY_LOCAL_MACHINE\SOFTWARE\123\AddShExe ➝ NULL |
---|---|
Registry | HKEY_CLASSES_ROOT\Microsoft.IE\ ➝ C:\lactose.exe |
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonZoneCrossing ➝ NULL |
Creates File | C:\DProEx.sys |
Creates File | C:\configWord.cf |
Creates File | C:\reTcp.sys |
Creates File | DProEx |
Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
Creates File | C:\config.ini |
Creates File | C:\lactose.exe |
Creates File | C:\Windows\System32\clk.ini |
Creates File | C:\WINDOWS\he1p |
Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
Creates File | FixTool |
Creates File | C:\Windows\System32\cBLK.dll |
Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
Creates Mutex | c:!documents and settings!administrator!cookies! |
Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
Creates Service | DProEx.sys - C:\DProEx.sys |
Creates Service | reTcp.sys - C:\reTcp.sys |
Starts Service | DProEx |
Starts Service | FixTool |
Winsock URL | http://ad.zzinfor.cn/static/hotkey.txt |
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 868
Process
↳ C:\WINDOWS\System32\svchost.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL |
---|---|
Creates File | C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG |
Process
↳ Pid 1128
Process
↳ Pid 1224
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
---|---|
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL |
Creates File | WMIDataDevice |
Process
↳ C:\WINDOWS\System32\alg.exe
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ C:\WINDOWS\Explorer.EXE
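The C:\malware.exe rows above are the indicators worth carrying to endpoint telemetry: drivers written to and installed from the volume root (C:\DProEx.sys, C:\reTcp.sys), the DProEx/FixTool services, the lactose.exe and cBLK.dll drops, the registry keys touched, and the zzinfor.cn URL. The rows for index.dat under History.IE5, Content.IE5 and Cookies (and the matching mutexes) are WinINet cache artifacts that any WinINet client produces and should not be treated as indicators. The following is an added example, not part of the report, that parses an excerpt of those rows copied verbatim, drops that noise, normalises the created/started service names (the report shows "DProEx.sys" created and "DProEx" started), and matches the result against constructed Sysmon-style host events. The noise filter and the event shape are assumptions.

```python
import re
from urllib.parse import urlsplit

# Excerpt of the "Runtime Details" rows above for C:\malware.exe, copied verbatim
# (the arrow glyph is written as \u279d); this is the parser input.
REPORT_ROWS = """\
Registry | HKEY_LOCAL_MACHINE\\SOFTWARE\\123\\AddShExe \u279d NULL |
Registry | HKEY_CLASSES_ROOT\\Microsoft.IE\\ \u279d C:\\lactose.exe |
Registry | HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WarnonZoneCrossing \u279d NULL |
Creates File | C:\\DProEx.sys |
Creates File | C:\\configWord.cf |
Creates File | C:\\reTcp.sys |
Creates File | C:\\Documents and Settings\\Administrator\\Cookies\\index.dat |
Creates File | C:\\lactose.exe |
Creates File | C:\\Windows\\System32\\cBLK.dll |
Creates Service | DProEx.sys - C:\\DProEx.sys |
Creates Service | reTcp.sys - C:\\reTcp.sys |
Starts Service | DProEx |
Starts Service | FixTool |
Winsock URL | http://ad.zzinfor.cn/static/hotkey.txt |
"""

# WinINet creates these cache index files for any process that uses it; matching on them
# would fire on every browser in the estate (assumed noise filter).
NOISE = re.compile(r"\\(History\.IE5|Content\.IE5|Cookies)\\index\.dat$", re.I)


def norm_service(name):
    """The report names the created service 'DProEx.sys' but starts 'DProEx'; compare without the suffix."""
    return re.sub(r"\.sys$", "", name.strip().lower())


def extract_iocs(rows):
    iocs = {"files": set(), "services": set(), "registry": set(), "urls": set(), "domains": set()}
    for line in rows.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2:
            continue
        kind, value = cells[0], cells[1]
        if kind == "Creates File" and "\\" in value:     # bare names (DProEx, FixTool) are device/service objects
            if not NOISE.search(value):
                iocs["files"].add(value.lower())
        elif kind == "Creates Service":
            name, _, path = value.partition(" - ")
            iocs["services"].add(norm_service(name))
            iocs["files"].add(path.lower())
        elif kind == "Starts Service":
            iocs["services"].add(norm_service(value))
        elif kind == "Registry":
            key = value.split(" \u279d ")[0]             # text after the arrow is the data read/written
            iocs["registry"].add(key.lower())
        elif kind == "Winsock URL":
            iocs["urls"].add(value)
            iocs["domains"].add(urlsplit(value).hostname.lower())
    return iocs


def root_drivers(iocs):
    """Drivers loaded from the volume root rather than System32\\drivers: an anomaly on its own."""
    return sorted(f for f in iocs["files"] if re.fullmatch(r"[a-z]:\\[^\\]+\.sys", f))


# Constructed endpoint telemetry (Sysmon-style, not from the report): three events that
# should match the IOCs and two benign ones that should not.
HOST_EVENTS = [
    {"event": "FileCreate", "path": "C:\\DProEx.sys", "image": "C:\\Users\\bob\\Downloads\\setup.exe"},
    {"event": "ServiceInstall", "service": "DProEx", "image_path": "C:\\DProEx.sys"},
    {"event": "DnsQuery", "query": "ad.zzinfor.cn", "image": "C:\\Users\\bob\\Downloads\\setup.exe"},
    {"event": "FileCreate", "path": "C:\\Users\\bob\\Cookies\\index.dat",
     "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe"},
    {"event": "ServiceInstall", "service": "Spooler", "image_path": "C:\\WINDOWS\\system32\\spoolsv.exe"},
]


def match_events(iocs, events):
    hits = []
    for ev in events:
        if ev["event"] == "FileCreate" and ev["path"].lower() in iocs["files"]:
            hits.append(("file", ev["path"]))
        elif ev["event"] == "ServiceInstall" and (
                norm_service(ev["service"]) in iocs["services"] or ev["image_path"].lower() in iocs["files"]):
            hits.append(("service", ev["service"]))
        elif ev["event"] == "DnsQuery" and ev["query"].lower() in iocs["domains"]:
            hits.append(("dns", ev["query"]))
    return hits


if __name__ == "__main__":
    iocs = extract_iocs(REPORT_ROWS)
    print("root-level drivers:", root_drivers(iocs))
    for hit in match_events(iocs, HOST_EVENTS):
        print("hit:", hit)
```

The service match deliberately accepts either the normalised name or the binary path, since the name is trivially renamed between builds while a kernel driver dropped directly under C:\ is rare on a healthy host.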
Network Details:
DNS | 1st.ecoma.ourwebpic.com Type: A 8.37.235.3 |
---|---|
DNS | 1st.ecoma.ourwebpic.com Type: A 8.37.235.5 |
DNS | 1st.ecoma.ourwebpic.com Type: A 8.37.235.6 |
DNS | 1st.ecoma.ourwebpic.com Type: A 8.37.236.2 |
DNS | 1st.ecoma.ourwebpic.com Type: A 8.37.236.3 |
DNS | 1st.ecoma.ourwebpic.com Type: A 8.37.236.5 |
DNS | 1st.ecoma.ourwebpic.com Type: A 8.37.236.6 |
DNS | 1st.ecoma.ourwebpic.com Type: A 8.37.231.20 |
DNS | 1st.ecoma.ourwebpic.com Type: A 8.37.231.21 |
DNS | 1st.ecoma.ourwebpic.com Type: A 8.37.231.22 |
DNS | 1st.ecoma.ourwebpic.com Type: A 8.37.234.3 |
DNS | 1st.ecoma.ourwebpic.com Type: A 8.37.234.4 |
DNS | ad.zzinfor.cn Type: A |
HTTP GET | http://ad.zzinfor.cn/static/hotkey.txt User-Agent: (none sent) |
Flows TCP | 192.168.1.1:1031 ➝ 8.37.235.3:80 |
Raw Pcap
0x00000000 (00000) 47455420 2f737461 7469632f 686f746b GET /static/hotk
0x00000010 (00016) 65792e74 78742048 5454502f 312e310d ey.txt HTTP/1.1.
0x00000020 (00032) 0a486f73 743a2061 642e7a7a 696e666f .Host: ad.zzinfo
0x00000030 (00048) 722e636e 0d0a0d0a r.cn....
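The dump shows the whole request: a request line and a single Host header, 56 bytes, with no User-Agent, Accept or other browser headers. That bare shape is the detection point for this beacon, more durable than the hostname. The following is an added example, not part of the report, that decodes the hexdump format used in the Raw Pcap row (offset, decimal offset, up to four 32-bit hex groups, ASCII column), parses the recovered request, and reports the traits that separate it from browser traffic. The input is the dump above copied verbatim; the header-count threshold is an assumption.

```python
import re

# The Raw Pcap rows above, verbatim, as the report flattened them onto one line.
RAW_PCAP = (
    "0x00000000 (00000) 47455420 2f737461 7469632f 686f746b GET /static/hotk "
    "0x00000010 (00016) 65792e74 78742048 5454502f 312e310d ey.txt HTTP/1.1. "
    "0x00000020 (00032) 0a486f73 743a2061 642e7a7a 696e666f .Host: ad.zzinfo "
    "0x00000030 (00048) 722e636e 0d0a0d0a r.cn...."
)

# hex offset, decimal offset in parentheses, then 1..4 groups of 8 hex digits; the ASCII
# column that follows is ignored (it uses '.' for non-printables and is not authoritative).
ROW = re.compile(r"0x([0-9a-fA-F]{8}) \(\d{5}\)((?: [0-9a-fA-F]{8}){1,4})")


def decode_dump(dump):
    """Rebuild the byte stream from the report's hexdump, requiring contiguous offsets."""
    out = bytearray()
    for m in ROW.finditer(dump):
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError("gap or overlap at offset 0x%08x" % offset)
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)


def parse_http_request(raw):
    """Minimal HTTP/1.x request parser: request line, header map (lower-cased names), body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: end of headers not found")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("ascii").split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers, "body": body}


def beacon_indicators(req, max_headers=2):
    """Traits that separate a hand-rolled client from a browser; max_headers is an assumed threshold."""
    ind = []
    h = req["headers"]
    if not h.get("user-agent"):
        ind.append("no User-Agent header")
    if "accept" not in h:
        ind.append("no Accept header")
    if len(h) <= max_headers:
        ind.append("only %d header(s) sent" % len(h))
    return ind


if __name__ == "__main__":
    raw = decode_dump(RAW_PCAP)
    req = parse_http_request(raw)
    print(req["method"], req["target"], req["version"], req["headers"])
    for i in beacon_indicators(req):
        print("indicator:", i)
```

A proxy or IDS rule keyed on "HTTP request with Host but no User-Agent" will catch this client regardless of which ad.zzinfor.cn path or replacement domain a later build uses; the same check applied to the 1st.ecoma.ourwebpic.com traffic would need the corresponding capture, which this report does not include.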
Strings