Analysis Date2015-11-01 16:09:39
MD5ec67ac3a13796b69a9bfe979b8ee8ca8
SHA1d37780a530a7173efc66d766f10ea5a74b274c29

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 065418487e1d18446643633f89d4a198 sha1: 8bf1f6f4c7201beee527d737ed9dffff09bccaec size: 801792
Section.rdata md5: e9bd029b2d6e51902bfc7ccbc58f7a50 sha1: 526b91cf240483579cadb068f63a5538c3cbbd62 size: 325120
Section.data md5: 346b36e067c92f6db2ed2d3662b1d7fd sha1: c6c6a56ea3c8c2df927060b6a3f8727a6ae4a6f1 size: 8192
Section.reloc md5: 40ee04e131566a74e3293e96cc4489bf sha1: c86ae39fe2cd0d65cf2aa9b081402107edcf3007 size: 59392
Timestamp2015-02-06 20:48:05
PackerMicrosoft Visual C++ ?.?
PEhashbfda1fccacccb2a5dae8ad47af0b31081c3f89ab
IMPhash0649c8eed08f38095e4c3444407f1b6b
AVDr. WebTrojan.DownLoader17.33963
AVAuthentiumW32/SoxGrave.A.gen!Eldorado
AVArcabit (arcavir)Gen:Variant.Kazy.553443
AVEmsisoftGen:Variant.Kazy.553443
AVMicrosoft Security EssentialsTrojanSpy:Win32/Nivdort.Z
AVSymantecDownloader.Upatre!g15
AVEset (nod32)Win32/Kryptik.CXVL
AVPadvishno_virus
AVCA (E-Trust Ino)no_virus
AVFortinetW32/Kryptik.DDQD!tr
AVAvira (antivir)TR/Crypt.Xpack.307417
AVTrend Microno_virus
AVFrisk (f-prot)no_virus
AVAlwil (avast)Downloader-TLD [Trj]
AVClamAVno_virus
AVF-SecureGen:Variant.Kazy.553443
AVMcafeeTrojan-FGIJ!EC67AC3A1379
AVTwisterno_virus
AVGrisoft (avg)Crypt5.IEI
AVBitDefenderGen:Variant.Kazy.553443
AVRisingno_virus
AVIkarusTrojan.Win32.Crypt
AVAd-AwareGen:Variant.Kazy.553443
AVCAT (quickheal)no_virus
AVK7Trojan ( 004c77f41 )
AVVirusBlokAda (vba32)no_virus
AVMicroWorld (escan)Gen:Variant.Kazy.553443
AVKasperskyTrojan.Win32.Generic
AVBullGuardGen:Variant.Kazy.553443
AVMalwareBytesno_virus
AVZillya!no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\l2maig1khuzln9zc7zplzy.exe
Creates FileC:\WINDOWS\system32\ijcitwmshnedph\tst
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\l2maig1khuzln9zc7zplzy.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\l2maig1khuzln9zc7zplzy.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Panel Transfer Class Internet Management ➝
C:\WINDOWS\system32\tejnitjkewnn.exe
Creates FileC:\WINDOWS\system32\tejnitjkewnn.exe
Creates FileC:\WINDOWS\system32\drivers\etc\hosts
Creates FileC:\WINDOWS\system32\ijcitwmshnedph\etc
Creates FileC:\WINDOWS\system32\ijcitwmshnedph\lck
Creates FileC:\WINDOWS\system32\ijcitwmshnedph\tst
Deletes FileC:\WINDOWS\system32\\drivers\etc\hosts
Creates ProcessC:\WINDOWS\system32\tejnitjkewnn.exe
Creates ServiceSocket Audio Peer iSCSI Print Configuration - C:\WINDOWS\system32\tejnitjkewnn.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates FileC:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1128

Process
↳ C:\WINDOWS\system32\tejnitjkewnn.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝
1
Creates FileC:\WINDOWS\system32\ijcitwmshnedph\run
Creates Filepipe\net\NtControlPipe10
Creates FileC:\WINDOWS\system32\ijcitwmshnedph\lck
Creates FileC:\WINDOWS\system32\ijcitwmshnedph\rng
Creates FileC:\WINDOWS\system32\imzsypuyneag.exe
Creates FileC:\WINDOWS\system32\ijcitwmshnedph\tst
Creates File\Device\Afd\Endpoint
Creates FileC:\WINDOWS\system32\ijcitwmshnedph\cfg
Creates FileC:\WINDOWS\TEMP\l2maig1q1izln9z.exe
Creates ProcessWATCHDOGPROC "c:\windows\system32\tejnitjkewnn.exe"
Creates ProcessC:\WINDOWS\TEMP\l2maig1q1izln9z.exe -r 23885 tcp

Process
↳ C:\WINDOWS\system32\tejnitjkewnn.exe

Creates FileC:\WINDOWS\system32\ijcitwmshnedph\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\tejnitjkewnn.exe"

Creates FileC:\WINDOWS\system32\ijcitwmshnedph\tst

Process
↳ C:\WINDOWS\TEMP\l2maig1q1izln9z.exe -r 23885 tcp

Creates File\Device\Afd\Endpoint
Winsock DNS239.255.255.250

Network Details:

DNSmelbourneit.hotkeysparking.com
Type: A
8.5.1.16
DNSqueentell.net
Type: A
208.91.197.241
DNSwednesdayhalf.net
Type: A
208.91.197.241
DNSmouthrest.net
Type: A
208.91.197.241
DNSdrivethirteen.net
Type: A
208.91.197.241
DNSfaceboat.net
Type: A
208.91.197.241
DNSmuchhappy.net
Type: A
208.91.197.241
DNScallmile.net
Type: A
208.91.197.241
DNShumancolor.net
Type: A
219.94.203.116
DNShaircolor.net
Type: A
185.53.177.30
DNShaironly.net
Type: A
62.116.130.8
DNSmusicfeel.net
Type: A
89.161.255.8
DNSmusichigh.net
Type: A
64.29.151.221
DNSmusiconly.net
Type: A
207.148.248.143
DNSspendhigh.net
Type: A
208.100.26.234
DNSfrontfeel.net
Type: A
195.22.26.254
DNSfrontfeel.net
Type: A
195.22.26.231
DNSfrontfeel.net
Type: A
195.22.26.252
DNSfrontfeel.net
Type: A
195.22.26.253
DNSwishhigh.net
Type: A
69.64.147.242
DNSrockfeel.net
Type: A
211.196.153.94
DNShumanguide.net
Type: A
141.8.226.15
DNShairguide.net
Type: A
69.172.201.208
DNSableread.net
Type: A
DNSsoilunder.net
Type: A
DNSfearstate.net
Type: A
DNSrocktell.net
Type: A
DNSwrongdare.net
Type: A
DNSmadedare.net
Type: A
DNSwrongdance.net
Type: A
DNSmadedance.net
Type: A
DNSwrongbody.net
Type: A
DNSmadebody.net
Type: A
DNSwrongtell.net
Type: A
DNSmadetell.net
Type: A
DNShumanfeel.net
Type: A
DNShairfeel.net
Type: A
DNShumanhigh.net
Type: A
DNShairhigh.net
Type: A
DNShumanonly.net
Type: A
DNSyardfeel.net
Type: A
DNSyardhigh.net
Type: A
DNSyardcolor.net
Type: A
DNSmusiccolor.net
Type: A
DNSyardonly.net
Type: A
DNSwentfeel.net
Type: A
DNSspendfeel.net
Type: A
DNSwenthigh.net
Type: A
DNSwentcolor.net
Type: A
DNSspendcolor.net
Type: A
DNSwentonly.net
Type: A
DNSspendonly.net
Type: A
DNSofferfeel.net
Type: A
DNSfronthigh.net
Type: A
DNSofferhigh.net
Type: A
DNSfrontcolor.net
Type: A
DNSoffercolor.net
Type: A
DNSfrontonly.net
Type: A
DNSofferonly.net
Type: A
DNShangfeel.net
Type: A
DNSseptemberfeel.net
Type: A
DNShanghigh.net
Type: A
DNSseptemberhigh.net
Type: A
DNShangcolor.net
Type: A
DNSseptembercolor.net
Type: A
DNShangonly.net
Type: A
DNSseptemberonly.net
Type: A
DNSjoinfeel.net
Type: A
DNSwishfeel.net
Type: A
DNSjoinhigh.net
Type: A
DNSjoincolor.net
Type: A
DNSwishcolor.net
Type: A
DNSjoinonly.net
Type: A
DNSwishonly.net
Type: A
DNSdeadfeel.net
Type: A
DNSdeadhigh.net
Type: A
DNSrockhigh.net
Type: A
DNSdeadcolor.net
Type: A
DNSrockcolor.net
Type: A
DNSdeadonly.net
Type: A
DNSrockonly.net
Type: A
DNSwrongfeel.net
Type: A
DNSmadefeel.net
Type: A
DNSwronghigh.net
Type: A
DNSmadehigh.net
Type: A
DNSwrongcolor.net
Type: A
DNSmadecolor.net
Type: A
DNSwrongonly.net
Type: A
DNSmadeonly.net
Type: A
DNShumanhalf.net
Type: A
DNShairhalf.net
Type: A
DNShumanname.net
Type: A
DNShairname.net
Type: A
DNShumanlate.net
Type: A
DNShairlate.net
Type: A
DNSyardhalf.net
Type: A
DNSmusichalf.net
Type: A
DNSyardname.net
Type: A
DNSmusicname.net
Type: A
HTTP GEThttp://ableread.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://queentell.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://wednesdayhalf.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://mouthrest.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://drivethirteen.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://faceboat.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://muchhappy.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://callmile.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://humancolor.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://haircolor.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://haironly.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://musicfeel.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://musichigh.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://musiconly.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://spendhigh.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://frontfeel.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://wishhigh.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://rockfeel.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://humanguide.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://hairguide.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://ableread.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://queentell.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://wednesdayhalf.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://mouthrest.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://drivethirteen.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://faceboat.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://muchhappy.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://callmile.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://humancolor.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://haircolor.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://haironly.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://musicfeel.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://musichigh.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://musiconly.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://spendhigh.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://frontfeel.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://wishhigh.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://rockfeel.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://humanguide.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
HTTP GEThttp://hairguide.net/index.php?method=validate&mode=sox&v=040&sox=3bb4d404&lenhdr
User-Agent:
Flows TCP192.168.1.1:1036 ➝ 8.5.1.16:80
Flows TCP192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1043 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1045 ➝ 219.94.203.116:80
Flows TCP192.168.1.1:1046 ➝ 185.53.177.30:80
Flows TCP192.168.1.1:1047 ➝ 62.116.130.8:80
Flows TCP192.168.1.1:1048 ➝ 89.161.255.8:80
Flows TCP192.168.1.1:1049 ➝ 64.29.151.221:80
Flows TCP192.168.1.1:1050 ➝ 207.148.248.143:80
Flows TCP192.168.1.1:1051 ➝ 208.100.26.234:80
Flows TCP192.168.1.1:1052 ➝ 195.22.26.254:80
Flows TCP192.168.1.1:1053 ➝ 69.64.147.242:80
Flows TCP192.168.1.1:1054 ➝ 211.196.153.94:80
Flows TCP192.168.1.1:1055 ➝ 141.8.226.15:80
Flows TCP192.168.1.1:1056 ➝ 69.172.201.208:80
Flows TCP192.168.1.1:1057 ➝ 8.5.1.16:80
Flows TCP192.168.1.1:1058 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1059 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1060 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1061 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1062 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1063 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1064 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1065 ➝ 219.94.203.116:80
Flows TCP192.168.1.1:1066 ➝ 185.53.177.30:80
Flows TCP192.168.1.1:1067 ➝ 62.116.130.8:80
Flows TCP192.168.1.1:1068 ➝ 89.161.255.8:80
Flows TCP192.168.1.1:1069 ➝ 64.29.151.221:80
Flows TCP192.168.1.1:1070 ➝ 207.148.248.143:80
Flows TCP192.168.1.1:1071 ➝ 208.100.26.234:80
Flows TCP192.168.1.1:1072 ➝ 195.22.26.254:80
Flows TCP192.168.1.1:1073 ➝ 69.64.147.242:80
Flows TCP192.168.1.1:1074 ➝ 211.196.153.94:80
Flows TCP192.168.1.1:1075 ➝ 141.8.226.15:80
Flows TCP192.168.1.1:1076 ➝ 69.172.201.208:80

Raw Pcap

Strings