Field | Value |
---|---|
Analysis Date | 2015-11-01 16:09:39 |
MD5 | ec67ac3a13796b69a9bfe979b8ee8ca8 |
SHA1 | d37780a530a7173efc66d766f10ea5a74b274c29 |
Static Details:
Field | Value |
---|---|
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
Section | .text md5: 065418487e1d18446643633f89d4a198 sha1: 8bf1f6f4c7201beee527d737ed9dffff09bccaec size: 801792 |
Section | .rdata md5: e9bd029b2d6e51902bfc7ccbc58f7a50 sha1: 526b91cf240483579cadb068f63a5538c3cbbd62 size: 325120 |
Section | .data md5: 346b36e067c92f6db2ed2d3662b1d7fd sha1: c6c6a56ea3c8c2df927060b6a3f8727a6ae4a6f1 size: 8192 |
Section | .reloc md5: 40ee04e131566a74e3293e96cc4489bf sha1: c86ae39fe2cd0d65cf2aa9b081402107edcf3007 size: 59392 |
Timestamp | 2015-02-06 20:48:05 |
Packer | Microsoft Visual C++ ?.? |
PEhash | bfda1fccacccb2a5dae8ad47af0b31081c3f89ab |
IMPhash | 0649c8eed08f38095e4c3444407f1b6b |

AV engine | Verdict |
---|---|
Dr. Web | Trojan.DownLoader17.33963 |
Authentium | W32/SoxGrave.A.gen!Eldorado |
Arcabit (arcavir) | Gen:Variant.Kazy.553443 |
Emsisoft | Gen:Variant.Kazy.553443 |
Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.Z |
Symantec | Downloader.Upatre!g15 |
Eset (nod32) | Win32/Kryptik.CXVL |
Padvish | no_virus |
CA (E-Trust Ino) | no_virus |
Fortinet | W32/Kryptik.DDQD!tr |
Avira (antivir) | TR/Crypt.Xpack.307417 |
Trend Micro | no_virus |
Frisk (f-prot) | no_virus |
Alwil (avast) | Downloader-TLD [Trj] |
ClamAV | no_virus |
F-Secure | Gen:Variant.Kazy.553443 |
Mcafee | Trojan-FGIJ!EC67AC3A1379 |
Twister | no_virus |
Grisoft (avg) | Crypt5.IEI |
BitDefender | Gen:Variant.Kazy.553443 |
Rising | no_virus |
Ikarus | Trojan.Win32.Crypt |
Ad-Aware | Gen:Variant.Kazy.553443 |
CAT (quickheal) | no_virus |
K7 | Trojan ( 004c77f41 ) |
VirusBlokAda (vba32) | no_virus |
MicroWorld (escan) | Gen:Variant.Kazy.553443 |
Kaspersky | Trojan.Win32.Generic |
BullGuard | Gen:Variant.Kazy.553443 |
MalwareBytes | no_virus |
Zillya! | no_virus |
Runtime Details:
Process
↳ C:\malware.exe
Action | Target |
---|---|
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\l2maig1khuzln9zc7zplzy.exe |
Creates File | C:\WINDOWS\system32\ijcitwmshnedph\tst |
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\l2maig1khuzln9zc7zplzy.exe |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\l2maig1khuzln9zc7zplzy.exe
Action | Target |
---|---|
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Panel Transfer Class Internet Management ➝ C:\WINDOWS\system32\tejnitjkewnn.exe |
Creates File | C:\WINDOWS\system32\tejnitjkewnn.exe |
Creates File | C:\WINDOWS\system32\drivers\etc\hosts |
Creates File | C:\WINDOWS\system32\ijcitwmshnedph\etc |
Creates File | C:\WINDOWS\system32\ijcitwmshnedph\lck |
Creates File | C:\WINDOWS\system32\ijcitwmshnedph\tst |
Deletes File | C:\WINDOWS\system32\\drivers\etc\hosts |
Creates Process | C:\WINDOWS\system32\tejnitjkewnn.exe |
Creates Service | Socket Audio Peer iSCSI Print Configuration - C:\WINDOWS\system32\tejnitjkewnn.exe |
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 800
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe
Action | Target |
---|---|
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
Process
↳ Pid 1204
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Process
↳ Pid 1128
Process
↳ C:\WINDOWS\system32\tejnitjkewnn.exe
Action | Target |
---|---|
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1 |
Creates File | C:\WINDOWS\system32\ijcitwmshnedph\run |
Creates File | pipe\net\NtControlPipe10 |
Creates File | C:\WINDOWS\system32\ijcitwmshnedph\lck |
Creates File | C:\WINDOWS\system32\ijcitwmshnedph\rng |
Creates File | C:\WINDOWS\system32\imzsypuyneag.exe |
Creates File | C:\WINDOWS\system32\ijcitwmshnedph\tst |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\WINDOWS\system32\ijcitwmshnedph\cfg |
Creates File | C:\WINDOWS\TEMP\l2maig1q1izln9z.exe |
Creates Process | WATCHDOGPROC "c:\windows\system32\tejnitjkewnn.exe" |
Creates Process | C:\WINDOWS\TEMP\l2maig1q1izln9z.exe -r 23885 tcp |
Process
↳ C:\WINDOWS\system32\tejnitjkewnn.exe
Action | Target |
---|---|
Creates File | C:\WINDOWS\system32\ijcitwmshnedph\tst |
Process
↳ WATCHDOGPROC "c:\windows\system32\tejnitjkewnn.exe"
Action | Target |
---|---|
Creates File | C:\WINDOWS\system32\ijcitwmshnedph\tst |
Process
↳ C:\WINDOWS\TEMP\l2maig1q1izln9z.exe -r 23885 tcp
Action | Target |
---|---|
Creates File | \Device\Afd\Endpoint |
Winsock DNS | 239.255.255.250 |
Network Details:
Record | Value |
---|---|
DNS | melbourneit.hotkeysparking.com Type: A 8.5.1.16 |
DNS | queentell.net Type: A 208.91.197.241 |
DNS | wednesdayhalf.net Type: A 208.91.197.241 |
DNS | mouthrest.net Type: A 208.91.197.241 |
DNS | drivethirteen.net Type: A 208.91.197.241 |
DNS | faceboat.net Type: A 208.91.197.241 |
DNS | muchhappy.net Type: A 208.91.197.241 |
DNS | callmile.net Type: A 208.91.197.241 |
DNS | humancolor.net Type: A 219.94.203.116 |
DNS | haircolor.net Type: A 185.53.177.30 |
DNS | haironly.net Type: A 62.116.130.8 |
DNS | musicfeel.net Type: A 89.161.255.8 |
DNS | musichigh.net Type: A 64.29.151.221 |
DNS | musiconly.net Type: A 207.148.248.143 |
DNS | spendhigh.net Type: A 208.100.26.234 |
DNS | frontfeel.net Type: A 195.22.26.254 |
DNS | frontfeel.net Type: A 195.22.26.231 |
DNS | frontfeel.net Type: A 195.22.26.252 |
DNS | frontfeel.net Type: A 195.22.26.253 |
DNS | wishhigh.net Type: A 69.64.147.242 |
DNS | rockfeel.net Type: A 211.196.153.94 |
DNS | humanguide.net Type: A 141.8.226.15 |
DNS | hairguide.net Type: A 69.172.201.208 |
DNS | ableread.net Type: A |
DNS | soilunder.net Type: A |
DNS | fearstate.net Type: A |
DNS | rocktell.net Type: A |
DNS | wrongdare.net Type: A |
DNS | madedare.net Type: A |
DNS | wrongdance.net Type: A |
DNS | madedance.net Type: A |
DNS | wrongbody.net Type: A |
DNS | madebody.net Type: A |
DNS | wrongtell.net Type: A |
DNS | madetell.net Type: A |
DNS | humanfeel.net Type: A |
DNS | hairfeel.net Type: A |
DNS | humanhigh.net Type: A |
DNS | hairhigh.net Type: A |
DNS | humanonly.net Type: A |
DNS | yardfeel.net Type: A |
DNS | yardhigh.net Type: A |
DNS | yardcolor.net Type: A |
DNS | musiccolor.net Type: A |
DNS | yardonly.net Type: A |
DNS | wentfeel.net Type: A |
DNS | spendfeel.net Type: A |
DNS | wenthigh.net Type: A |
DNS | wentcolor.net Type: A |
DNS | spendcolor.net Type: A |
DNS | wentonly.net Type: A |
DNS | spendonly.net Type: A |
DNS | offerfeel.net Type: A |
DNS | fronthigh.net Type: A |
DNS | offerhigh.net Type: A |
DNS | frontcolor.net Type: A |
DNS | offercolor.net Type: A |
DNS | frontonly.net Type: A |
DNS | offeronly.net Type: A |
DNS | hangfeel.net Type: A |
DNS | septemberfeel.net Type: A |
DNS | hanghigh.net Type: A |
DNS | septemberhigh.net Type: A |
DNS | hangcolor.net Type: A |
DNS | septembercolor.net Type: A |
DNS | hangonly.net Type: A |
DNS | septemberonly.net Type: A |
DNS | joinfeel.net Type: A |
DNS | wishfeel.net Type: A |
DNS | joinhigh.net Type: A |
DNS | joincolor.net Type: A |
DNS | wishcolor.net Type: A |
DNS | joinonly.net Type: A |
DNS | wishonly.net Type: A |
DNS | deadfeel.net Type: A |
DNS | deadhigh.net Type: A |
DNS | rockhigh.net Type: A |
DNS | deadcolor.net Type: A |
DNS | rockcolor.net Type: A |
DNS | deadonly.net Type: A |
DNS | rockonly.net Type: A |
DNS | wrongfeel.net Type: A |
DNS | madefeel.net Type: A |
DNS | wronghigh.net Type: A |
DNS | madehigh.net Type: A |
DNS | wrongcolor.net Type: A |
DNS | madecolor.net Type: A |
DNS | wrongonly.net Type: A |
DNS | madeonly.net Type: A |
DNS | humanhalf.net Type: A |
DNS | hairhalf.net Type: A |
DNS | humanname.net Type: A |
DNS | hairname.net Type: A |
DNS | humanlate.net Type: A |
DNS | hairlate.net Type: A |
DNS | yardhalf.net Type: A |
DNS | musichalf.net Type: A |
DNS | yardname.net Type: A |
DNS | musicname.net Type: A |
HTTP GET | http://ableread.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://queentell.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://mouthrest.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://drivethirteen.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://faceboat.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://muchhappy.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://callmile.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://humancolor.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://haircolor.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://haironly.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://musicfeel.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://musichigh.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://musiconly.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://spendhigh.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://frontfeel.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://wishhigh.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://rockfeel.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://humanguide.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://hairguide.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://ableread.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://queentell.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://mouthrest.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://drivethirteen.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://faceboat.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://muchhappy.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://callmile.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://humancolor.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://haircolor.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://haironly.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://musicfeel.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://musichigh.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://musiconly.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://spendhigh.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://frontfeel.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://wishhigh.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://rockfeel.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://humanguide.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://hairguide.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
Flows TCP | 192.168.1.1:1036 ➝ 8.5.1.16:80 |
Flows TCP | 192.168.1.1:1038 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1039 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1040 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1041 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1042 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1043 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1044 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1045 ➝ 219.94.203.116:80 |
Flows TCP | 192.168.1.1:1046 ➝ 185.53.177.30:80 |
Flows TCP | 192.168.1.1:1047 ➝ 62.116.130.8:80 |
Flows TCP | 192.168.1.1:1048 ➝ 89.161.255.8:80 |
Flows TCP | 192.168.1.1:1049 ➝ 64.29.151.221:80 |
Flows TCP | 192.168.1.1:1050 ➝ 207.148.248.143:80 |
Flows TCP | 192.168.1.1:1051 ➝ 208.100.26.234:80 |
Flows TCP | 192.168.1.1:1052 ➝ 195.22.26.254:80 |
Flows TCP | 192.168.1.1:1053 ➝ 69.64.147.242:80 |
Flows TCP | 192.168.1.1:1054 ➝ 211.196.153.94:80 |
Flows TCP | 192.168.1.1:1055 ➝ 141.8.226.15:80 |
Flows TCP | 192.168.1.1:1056 ➝ 69.172.201.208:80 |
Flows TCP | 192.168.1.1:1057 ➝ 8.5.1.16:80 |
Flows TCP | 192.168.1.1:1058 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1059 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1060 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1061 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1062 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1063 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1064 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1065 ➝ 219.94.203.116:80 |
Flows TCP | 192.168.1.1:1066 ➝ 185.53.177.30:80 |
Flows TCP | 192.168.1.1:1067 ➝ 62.116.130.8:80 |
Flows TCP | 192.168.1.1:1068 ➝ 89.161.255.8:80 |
Flows TCP | 192.168.1.1:1069 ➝ 64.29.151.221:80 |
Flows TCP | 192.168.1.1:1070 ➝ 207.148.248.143:80 |
Flows TCP | 192.168.1.1:1071 ➝ 208.100.26.234:80 |
Flows TCP | 192.168.1.1:1072 ➝ 195.22.26.254:80 |
Flows TCP | 192.168.1.1:1073 ➝ 69.64.147.242:80 |
Flows TCP | 192.168.1.1:1074 ➝ 211.196.153.94:80 |
Flows TCP | 192.168.1.1:1075 ➝ 141.8.226.15:80 |
Flows TCP | 192.168.1.1:1076 ➝ 69.172.201.208:80 |
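The network rows above show a long list of two-word .net names queried in turn, most of them never resolving, seven of them resolving to the single address 208.91.197.241, and the same `index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr` request sent to each host that answered. The Python below is an added example for this page, not part of the report or of any sandbox or IDS product: it parses rows in the report's own `DNS | ...`, `HTTP GET | ...` and `Flows TCP | ...` layouts, groups names by resolved address (several names on one address usually means a parked or sinkholed host rather than live infrastructure, which an analyst should confirm before treating that address as C2), lists hosts that were requested although they never resolved, and builds a Suricata rule on the constant query prefix. The excerpt it runs on, the sid and the Suricata 5 rule syntax are this example's assumptions.

```python
"""Extract network IOCs from the 'Network Details' rows of a sandbox report and
derive detection artefacts. Added example: not from the original report or any
sandbox or IDS vendor; the rule text, sid and thresholds are assumptions."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Excerpt of the report's network rows (copied from the page above, abbreviated).
SAMPLE_NETWORK = """\
DNS | melbourneit.hotkeysparking.com Type: A 8.5.1.16 |
DNS | queentell.net Type: A 208.91.197.241 |
DNS | wednesdayhalf.net Type: A 208.91.197.241 |
DNS | mouthrest.net Type: A 208.91.197.241 |
DNS | humancolor.net Type: A 219.94.203.116 |
DNS | frontfeel.net Type: A 195.22.26.254 |
DNS | frontfeel.net Type: A 195.22.26.231 |
DNS | ableread.net Type: A |
DNS | soilunder.net Type: A |
HTTP GET | http://ableread.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://queentell.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
HTTP GET | http://humancolor.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent: |
Flows TCP | 192.168.1.1:1036 ➝ 8.5.1.16:80 |
Flows TCP | 192.168.1.1:1038 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1045 ➝ 219.94.203.116:80 |
"""

DNS_ROW = re.compile(r"^DNS \| (?P<name>\S+) Type: (?P<type>\w+)\s*(?P<ip>[\d.]+)?\s*\|?$")
HTTP_ROW = re.compile(r"^HTTP (?P<method>\w+) \| (?P<url>\S+)\s+User-Agent:\s*(?P<ua>.*?)\s*\|?$")
FLOW_ROW = re.compile(r"^Flows (?P<proto>\w+) \| (?P<src>[\d.]+):(?P<sport>\d+) ➝ (?P<dst>[\d.]+):(?P<dport>\d+)\s*\|?$")
BEACON_PREFIX = "method=validate&mode=sox"   # constant query prefix of every request above


def parse_network(text):
    """Split report rows into DNS answers, HTTP requests and TCP flows."""
    dns, http, flows = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := DNS_ROW.match(line):
            dns.append((m["name"], m["type"], m["ip"]))        # ip is None when nothing resolved
        elif m := HTTP_ROW.match(line):
            http.append((m["method"], m["url"], m["ua"]))      # ua is '' for the empty header above
        elif m := FLOW_ROW.match(line):
            flows.append((m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return dns, http, flows


def group_by_address(dns):
    """Map each resolved IPv4 address to the set of names that resolved to it."""
    by_ip = defaultdict(set)
    for name, rtype, ip in dns:
        if rtype == "A" and ip:
            by_ip[ip].add(name)
    return dict(by_ip)


def shared_addresses(by_ip, minimum=3):
    """Addresses that several distinct names resolve to. A parking or sinkhole host is
    the usual reason, so confirm before treating such an address as live C2."""
    return sorted(ip for ip, names in by_ip.items() if len(names) >= minimum)


def unresolved(dns):
    """Names that were queried but received no answer in the capture."""
    return sorted({name for name, _, ip in dns if not ip})


def requested_but_unresolved(dns, http):
    """Hosts the sample tried to fetch from although no A record was ever returned."""
    resolved = {name for name, rtype, ip in dns if rtype == "A" and ip}
    return sorted({urlsplit(url).hostname for _, url, _ in http} - resolved)


def beacon_signature(http):
    """(path, sorted query keys) if every request shares them, else None."""
    sigs = set()
    for _, url, _ in http:
        u = urlsplit(url)
        sigs.add((u.path, tuple(sorted(parse_qs(u.query, keep_blank_values=True)))))
    return sigs.pop() if len(sigs) == 1 else None


def suricata_rule(http, sid):
    """Suricata 5+ rule on the constant query prefix; sid is a placeholder chosen by the caller."""
    sig = beacon_signature(http)
    if sig is None or not all(urlsplit(u).query.startswith(BEACON_PREFIX) for _, u, _ in http):
        return None
    path = sig[0]
    return ('alert http $HOME_NET any -> $EXTERNAL_NET any ('
            'msg:"Sandbox-derived beacon %s %s"; flow:established,to_server; '
            'http.method; content:"GET"; http.uri; content:"%s?%s"; startswith; fast_pattern; '
            'classtype:trojan-activity; sid:%d; rev:1;)' % (path, BEACON_PREFIX, path, BEACON_PREFIX, sid))


if __name__ == "__main__":
    dns, http, flows = parse_network(SAMPLE_NETWORK)
    by_ip = group_by_address(dns)
    for ip in shared_addresses(by_ip):
        print(ip, "<-", ", ".join(sorted(by_ip[ip])))
    print("requested but never resolved:", requested_but_unresolved(dns, http))
    print(suricata_rule(http, 9000001))
```

The rule deliberately anchors on `method=validate&mode=sox` and not on the `sox=3bb4d404` token or the host names: the token may differ per victim and the names rotate, while the query prefix is what every request in the capture shares. Names that were requested without resolving are still worth blocking at the resolver, since the sample walks the list again on the next run.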