Analysis | #totalhash

Analysis Date	2015-11-01 16:09:39
MD5	ec67ac3a13796b69a9bfe979b8ee8ca8
SHA1	d37780a530a7173efc66d766f10ea5a74b274c29

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 065418487e1d18446643633f89d4a198 sha1: 8bf1f6f4c7201beee527d737ed9dffff09bccaec size: 801792
Section	.rdata md5: e9bd029b2d6e51902bfc7ccbc58f7a50 sha1: 526b91cf240483579cadb068f63a5538c3cbbd62 size: 325120
Section	.data md5: 346b36e067c92f6db2ed2d3662b1d7fd sha1: c6c6a56ea3c8c2df927060b6a3f8727a6ae4a6f1 size: 8192
Section	.reloc md5: 40ee04e131566a74e3293e96cc4489bf sha1: c86ae39fe2cd0d65cf2aa9b081402107edcf3007 size: 59392
Timestamp	2015-02-06 20:48:05
Packer	Microsoft Visual C++ ?.?
PEhash	bfda1fccacccb2a5dae8ad47af0b31081c3f89ab
IMPhash	0649c8eed08f38095e4c3444407f1b6b
AV	Dr. Web	Trojan.DownLoader17.33963
AV	Authentium	W32/SoxGrave.A.gen!Eldorado
AV	Arcabit (arcavir)	Gen:Variant.Kazy.553443
AV	Emsisoft	Gen:Variant.Kazy.553443
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.Z
AV	Symantec	Downloader.Upatre!g15
AV	Eset (nod32)	Win32/Kryptik.CXVL
AV	Padvish	no_virus
AV	CA (E-Trust Ino)	no_virus
AV	Fortinet	W32/Kryptik.DDQD!tr
AV	Avira (antivir)	TR/Crypt.Xpack.307417
AV	Trend Micro	no_virus
AV	Frisk (f-prot)	no_virus
AV	Alwil (avast)	Downloader-TLD [Trj]
AV	ClamAV	no_virus
AV	F-Secure	Gen:Variant.Kazy.553443
AV	Mcafee	Trojan-FGIJ!EC67AC3A1379
AV	Twister	no_virus
AV	Grisoft (avg)	Crypt5.IEI
AV	BitDefender	Gen:Variant.Kazy.553443
AV	Rising	no_virus
AV	Ikarus	Trojan.Win32.Crypt
AV	Ad-Aware	Gen:Variant.Kazy.553443
AV	CAT (quickheal)	no_virus
AV	K7	Trojan ( 004c77f41 )
AV	VirusBlokAda (vba32)	no_virus
AV	MicroWorld (escan)	Gen:Variant.Kazy.553443
AV	Kaspersky	Trojan.Win32.Generic
AV	BullGuard	Gen:Variant.Kazy.553443
AV	MalwareBytes	no_virus
AV	Zillya!	no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\l2maig1khuzln9zc7zplzy.exe
Creates File	C:\WINDOWS\system32\ijcitwmshnedph\tst
Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\l2maig1khuzln9zc7zplzy.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\l2maig1khuzln9zc7zplzy.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Panel Transfer Class Internet Management ➝ C:\WINDOWS\system32\tejnitjkewnn.exe
Creates File	C:\WINDOWS\system32\tejnitjkewnn.exe
Creates File	C:\WINDOWS\system32\drivers\etc\hosts
Creates File	C:\WINDOWS\system32\ijcitwmshnedph\etc
Creates File	C:\WINDOWS\system32\ijcitwmshnedph\lck
Creates File	C:\WINDOWS\system32\ijcitwmshnedph\tst
Deletes File	C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process	C:\WINDOWS\system32\tejnitjkewnn.exe
Creates Service	Socket Audio Peer iSCSI Print Configuration - C:\WINDOWS\system32\tejnitjkewnn.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1128

Process
↳ C:\WINDOWS\system32\tejnitjkewnn.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File	C:\WINDOWS\system32\ijcitwmshnedph\run
Creates File	pipe\net\NtControlPipe10
Creates File	C:\WINDOWS\system32\ijcitwmshnedph\lck
Creates File	C:\WINDOWS\system32\ijcitwmshnedph\rng
Creates File	C:\WINDOWS\system32\imzsypuyneag.exe
Creates File	C:\WINDOWS\system32\ijcitwmshnedph\tst
Creates File	\Device\Afd\Endpoint
Creates File	C:\WINDOWS\system32\ijcitwmshnedph\cfg
Creates File	C:\WINDOWS\TEMP\l2maig1q1izln9z.exe
Creates Process	WATCHDOGPROC "c:\windows\system32\tejnitjkewnn.exe"
Creates Process	C:\WINDOWS\TEMP\l2maig1q1izln9z.exe -r 23885 tcp

Process
↳ C:\WINDOWS\system32\tejnitjkewnn.exe

Creates File	C:\WINDOWS\system32\ijcitwmshnedph\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\tejnitjkewnn.exe"

Creates File	C:\WINDOWS\system32\ijcitwmshnedph\tst

Process
↳ C:\WINDOWS\TEMP\l2maig1q1izln9z.exe -r 23885 tcp

Creates File	\Device\Afd\Endpoint
Winsock DNS	239.255.255.250

Network Details:

DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	queentell.net Type: A 208.91.197.241
DNS	wednesdayhalf.net Type: A 208.91.197.241
DNS	mouthrest.net Type: A 208.91.197.241
DNS	drivethirteen.net Type: A 208.91.197.241
DNS	faceboat.net Type: A 208.91.197.241
DNS	muchhappy.net Type: A 208.91.197.241
DNS	callmile.net Type: A 208.91.197.241
DNS	humancolor.net Type: A 219.94.203.116
DNS	haircolor.net Type: A 185.53.177.30
DNS	haironly.net Type: A 62.116.130.8
DNS	musicfeel.net Type: A 89.161.255.8
DNS	musichigh.net Type: A 64.29.151.221
DNS	musiconly.net Type: A 207.148.248.143
DNS	spendhigh.net Type: A 208.100.26.234
DNS	frontfeel.net Type: A 195.22.26.254
DNS	frontfeel.net Type: A 195.22.26.231
DNS	frontfeel.net Type: A 195.22.26.252
DNS	frontfeel.net Type: A 195.22.26.253
DNS	wishhigh.net Type: A 69.64.147.242
DNS	rockfeel.net Type: A 211.196.153.94
DNS	humanguide.net Type: A 141.8.226.15
DNS	hairguide.net Type: A 69.172.201.208
DNS	ableread.net Type: A
DNS	soilunder.net Type: A
DNS	fearstate.net Type: A
DNS	rocktell.net Type: A
DNS	wrongdare.net Type: A
DNS	madedare.net Type: A
DNS	wrongdance.net Type: A
DNS	madedance.net Type: A
DNS	wrongbody.net Type: A
DNS	madebody.net Type: A
DNS	wrongtell.net Type: A
DNS	madetell.net Type: A
DNS	humanfeel.net Type: A
DNS	hairfeel.net Type: A
DNS	humanhigh.net Type: A
DNS	hairhigh.net Type: A
DNS	humanonly.net Type: A
DNS	yardfeel.net Type: A
DNS	yardhigh.net Type: A
DNS	yardcolor.net Type: A
DNS	musiccolor.net Type: A
DNS	yardonly.net Type: A
DNS	wentfeel.net Type: A
DNS	spendfeel.net Type: A
DNS	wenthigh.net Type: A
DNS	wentcolor.net Type: A
DNS	spendcolor.net Type: A
DNS	wentonly.net Type: A
DNS	spendonly.net Type: A
DNS	offerfeel.net Type: A
DNS	fronthigh.net Type: A
DNS	offerhigh.net Type: A
DNS	frontcolor.net Type: A
DNS	offercolor.net Type: A
DNS	frontonly.net Type: A
DNS	offeronly.net Type: A
DNS	hangfeel.net Type: A
DNS	septemberfeel.net Type: A
DNS	hanghigh.net Type: A
DNS	septemberhigh.net Type: A
DNS	hangcolor.net Type: A
DNS	septembercolor.net Type: A
DNS	hangonly.net Type: A
DNS	septemberonly.net Type: A
DNS	joinfeel.net Type: A
DNS	wishfeel.net Type: A
DNS	joinhigh.net Type: A
DNS	joincolor.net Type: A
DNS	wishcolor.net Type: A
DNS	joinonly.net Type: A
DNS	wishonly.net Type: A
DNS	deadfeel.net Type: A
DNS	deadhigh.net Type: A
DNS	rockhigh.net Type: A
DNS	deadcolor.net Type: A
DNS	rockcolor.net Type: A
DNS	deadonly.net Type: A
DNS	rockonly.net Type: A
DNS	wrongfeel.net Type: A
DNS	madefeel.net Type: A
DNS	wronghigh.net Type: A
DNS	madehigh.net Type: A
DNS	wrongcolor.net Type: A
DNS	madecolor.net Type: A
DNS	wrongonly.net Type: A
DNS	madeonly.net Type: A
DNS	humanhalf.net Type: A
DNS	hairhalf.net Type: A
DNS	humanname.net Type: A
DNS	hairname.net Type: A
DNS	humanlate.net Type: A
DNS	hairlate.net Type: A
DNS	yardhalf.net Type: A
DNS	musichalf.net Type: A
DNS	yardname.net Type: A
DNS	musicname.net Type: A
HTTP GET	http://ableread.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://queentell.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://mouthrest.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://drivethirteen.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://faceboat.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://muchhappy.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://callmile.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://humancolor.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://haircolor.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://haironly.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://musicfeel.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://musichigh.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://musiconly.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://spendhigh.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://frontfeel.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://wishhigh.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://rockfeel.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://humanguide.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://hairguide.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://ableread.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://queentell.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://mouthrest.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://drivethirteen.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://faceboat.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://muchhappy.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://callmile.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://humancolor.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://haircolor.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://haironly.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://musicfeel.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://musichigh.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://musiconly.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://spendhigh.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://frontfeel.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://wishhigh.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://rockfeel.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://humanguide.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
HTTP GET	http://hairguide.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr User-Agent:
Flows TCP	192.168.1.1:1036 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1043 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1045 ➝ 219.94.203.116:80
Flows TCP	192.168.1.1:1046 ➝ 185.53.177.30:80
Flows TCP	192.168.1.1:1047 ➝ 62.116.130.8:80
Flows TCP	192.168.1.1:1048 ➝ 89.161.255.8:80
Flows TCP	192.168.1.1:1049 ➝ 64.29.151.221:80
Flows TCP	192.168.1.1:1050 ➝ 207.148.248.143:80
Flows TCP	192.168.1.1:1051 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1052 ➝ 195.22.26.254:80
Flows TCP	192.168.1.1:1053 ➝ 69.64.147.242:80
Flows TCP	192.168.1.1:1054 ➝ 211.196.153.94:80
Flows TCP	192.168.1.1:1055 ➝ 141.8.226.15:80
Flows TCP	192.168.1.1:1056 ➝ 69.172.201.208:80
Flows TCP	192.168.1.1:1057 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1058 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1059 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1060 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1061 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1062 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1063 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1064 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1065 ➝ 219.94.203.116:80
Flows TCP	192.168.1.1:1066 ➝ 185.53.177.30:80
Flows TCP	192.168.1.1:1067 ➝ 62.116.130.8:80
Flows TCP	192.168.1.1:1068 ➝ 89.161.255.8:80
Flows TCP	192.168.1.1:1069 ➝ 64.29.151.221:80
Flows TCP	192.168.1.1:1070 ➝ 207.148.248.143:80
Flows TCP	192.168.1.1:1071 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1072 ➝ 195.22.26.254:80
Flows TCP	192.168.1.1:1073 ➝ 69.64.147.242:80
Flows TCP	192.168.1.1:1074 ➝ 211.196.153.94:80
Flows TCP	192.168.1.1:1075 ➝ 141.8.226.15:80
Flows TCP	192.168.1.1:1076 ➝ 69.172.201.208:80

Raw Pcap

Strings