Analysis Date: 2015-10-15 12:49:54
MD5: ac86c62335424bc0369c04c1d27015b4
SHA1: d74f7615b4579d5362c410d22d17249306f4debb

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 9ac15253c557a79d84512a3de39fc56f sha1: e50cecec12dab927c4d7f0ed6e1f39d221a26dca size: 836096
Section: .rdata md5: 2e4174dea4fd0b90f3daaf81f33d75b5 sha1: 3e36c620c4a061e5d8fa1f2ddb2904fcd6d78c39 size: 318464
Section: .data md5: f7c8483fa113b2f8b2d2fbe80695a15a sha1: c5c1f9813abc735f40bf0c8bb836a3a03356200e size: 7680
Timestamp: 2015-04-15 02:03:16
Packer: Microsoft Visual C++ ?.?
PEhash: 0f5bf9b70f16f2c43d468589c960feead498d8cc
IMPhash: 2b6c426a9e1f631db0da249d55b22804
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/Crypt.Xpack.293428
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Zusy.133308
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): Win32/Kryptik.DDQD
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Kryptik.DDQD!tr
AV BitDefender: Gen:Variant.Zusy.133308
AV K7: Trojan ( 004cd0081 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BN
AV MicroWorld (escan): Gen:Variant.Zusy.133308
AV MalwareBytes: no_virus
AV Authentium: W32/Zusy.X.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Zusy.133308
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Zusy.133308
AV Arcabit (arcavir): Gen:Variant.Zusy.133308
AV CA (E-Trust Ino): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV F-Secure: Gen:Variant.Zusy.133308

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ao9jrph1ks9psxrdxzxrom.exe
Creates File: C:\WINDOWS\system32\kyjgkkstpo\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\ao9jrph1ks9psxrdxzxrom.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\ao9jrph1ks9psxrdxzxrom.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Provider Secure Topology Virtual ➝ C:\WINDOWS\system32\drixcxn.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\kyjgkkstpo\lck
Creates File: C:\WINDOWS\system32\kyjgkkstpo\etc
Creates File: C:\WINDOWS\system32\drixcxn.exe
Creates File: C:\WINDOWS\system32\kyjgkkstpo\tst
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\drixcxn.exe
Creates Service: NetBIOS Video Device Receiver - C:\WINDOWS\system32\drixcxn.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERdce8.dir00\svchost.exe.mdmp
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERdce8.dir00\svchost.exe.hdmp
Creates File: pipe\PCHFaultRepExecPipe
Creates Process: C:\WINDOWS\system32\dumprep.exe 1016 -dm 7 7 C:\Documents and Settings\Administrator\Local Settings\Temp\WERdce8.dir00\svchost.exe.mdmp 16325836412030928

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1140

Process
↳ C:\WINDOWS\system32\drixcxn.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\kyjgkkstpo\rng
Creates File: C:\WINDOWS\system32\rydgugdxase.exe
Creates File: C:\WINDOWS\system32\kyjgkkstpo\run
Creates File: C:\WINDOWS\system32\kyjgkkstpo\cfg
Creates File: C:\WINDOWS\system32\kyjgkkstpo\lck
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\TEMP\ao9jrph1rd9psxrd.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\kyjgkkstpo\tst
Creates Process: C:\WINDOWS\TEMP\ao9jrph1rd9psxrd.exe -r 22346 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\drixcxn.exe"

Process
↳ C:\WINDOWS\system32\drixcxn.exe

Creates File: C:\WINDOWS\system32\kyjgkkstpo\tst

Process
↳ C:\WINDOWS\system32\dumprep.exe 1016 -dm 7 7 C:\Documents and Settings\Administrator\Local Settings\Temp\WERdce8.dir00\svchost.exe.mdmp 16325836412030928

Process
↳ WATCHDOGPROC "c:\windows\system32\drixcxn.exe"

Creates File: C:\WINDOWS\system32\kyjgkkstpo\tst

Process
↳ C:\WINDOWS\TEMP\ao9jrph1rd9psxrd.exe -r 22346 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250
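The trace above records a three-stage chain, C:\malware.exe to a copy dropped in the user's Temp directory to C:\WINDOWS\system32\drixcxn.exe, with that last binary registered twice for persistence (a Run value named "Provider Secure Topology Virtual" and a service named "NetBIOS Video Device Receiver"), the hosts file written and then deleted, Security Center's FirewallDisableNotify set to 1, and a further helper launched as "ao9jrph1rd9psxrd.exe -r 22346 tcp". The vendor names in the static section disagree on the family (Downloader.Upatre, TrojanSpy:Win32/Nivdort, Gen:Variant.Zusy, generic Kryptik/Cryptor), so the behaviour is the more dependable handle. The following is an added example, not output of the sandbox and not code from the sample's author: a parser for this report's "Process / Creates File / Deletes File / Creates Process / Creates Service / Registry" lines that pulls out the persistence pairs, hosts-file tampering, Security Center writes, dropped executables and the spawn chain. SAMPLE_TRACE is a constructed, abbreviated copy of the trace in the same layout; the helper's "-r 22346 tcp" arguments are recorded as seen and not interpreted.

```python
"""Triage parser for the runtime-trace layout used in this report.

Added example, not part of the sandbox output. SAMPLE_TRACE is a constructed,
abbreviated copy of the trace above in the same 'Action: target' layout; a
'Process:' line names the actor for the action lines that follow it.
"""
import re

TRACE_LINE = re.compile(
    r"^(Process|Creates File|Deletes File|Creates Process|Creates Service|Registry): (.*)$")
HOSTS_SUFFIX = r"\drivers\etc\hosts"

# Constructed from the trace above (subset of lines, same layout).
SAMPLE_TRACE = r"""
Process: C:\malware.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ao9jrph1ks9psxrdxzxrom.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\ao9jrph1ks9psxrdxzxrom.exe
Process: C:\Documents and Settings\Administrator\Local Settings\Temp\ao9jrph1ks9psxrdxzxrom.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Provider Secure Topology Virtual ➝ C:\WINDOWS\system32\drixcxn.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\drixcxn.exe
Deletes File: C:\WINDOWS\system32\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\drixcxn.exe
Creates Service: NetBIOS Video Device Receiver - C:\WINDOWS\system32\drixcxn.exe
Process: C:\WINDOWS\system32\drixcxn.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\rydgugdxase.exe
Creates File: C:\WINDOWS\TEMP\ao9jrph1rd9psxrd.exe
Creates Process: C:\WINDOWS\TEMP\ao9jrph1rd9psxrd.exe -r 22346 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\drixcxn.exe"
"""


def parse_trace(text):
    """Return (actor, action, target) triples; 'Process:' lines only set the actor."""
    events, actor = [], None
    for line in text.splitlines():
        m = TRACE_LINE.match(line.strip())
        if not m:
            continue
        action, target = m.groups()
        if action == "Process":
            actor = target
        else:
            events.append((actor, action, target))
    return events


def _split_registry(target):
    """'HKLM\\...\\ValueName ➝ data' -> (ValueName, data)."""
    key, value = target.split(" ➝ ", 1)
    return key.rsplit("\\", 1)[1], value


def persistence(events):
    """Run values and services keyed by name, plus binaries registered both ways."""
    run, services = {}, {}
    for _, action, target in events:
        if action == "Registry" and "\\CurrentVersion\\Run\\" in target and " ➝ " in target:
            name, path = _split_registry(target)
            run[name] = path
        elif action == "Creates Service":
            name, path = target.split(" - ", 1)
            services[name] = path
    return {"run": run, "services": services,
            "shared_binaries": set(run.values()) & set(services.values())}


def hosts_file_tampered(events):
    """True when the hosts file is both written and deleted in one run."""
    acts = {a for _, a, t in events if t.lower().endswith(HOSTS_SUFFIX.lower())}
    return {"Creates File", "Deletes File"} <= acts


def security_center_changes(events):
    """Value -> data for registry writes under the Security Center key."""
    out = {}
    for _, action, target in events:
        if action == "Registry" and "\\Security Center\\" in target and " ➝ " in target:
            name, data = _split_registry(target)
            out[name] = data
    return out


def dropped_executables(events):
    return sorted({t for _, a, t in events if a == "Creates File" and t.lower().endswith(".exe")})


def spawn_chain(events):
    """(parent image, child command line) pairs in trace order."""
    return [(actor, t) for actor, a, t in events if a == "Creates Process"]


def triage(text):
    ev = parse_trace(text)
    return {"persistence": persistence(ev), "hosts_tampered": hosts_file_tampered(ev),
            "security_center": security_center_changes(ev),
            "dropped": dropped_executables(ev), "spawns": spawn_chain(ev)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_TRACE), indent=2, default=sorted))
```

The "shared_binaries" set is the point to check first on a live host: a Run value and a service that both launch the same freshly dropped system32 binary, under a name chosen to sound like a Windows component, is the persistence to remove together, and the hosts file needs to be restored rather than just inspected because the trace shows it was deleted after being written.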

Network Details:

DNS: nailthere.net  Type: A  ➝ 98.139.135.129
DNS: groupgrain.net  Type: A  ➝ 208.91.197.241
DNS: threeonly.net  Type: A  ➝ 208.91.197.241
DNS: naildeep.com  Type: A  ➝ 74.220.215.218
DNS: rockhome.net  Type: A  ➝ 184.168.221.104
DNS: rockover.net  Type: A  ➝ 97.74.182.1
DNS: madehome.net  Type: A  ➝ 23.236.62.147
DNS: dutycloth.net  Type: A  ➝ 195.22.26.253
DNS: dutycloth.net  Type: A  ➝ 195.22.26.254
DNS: dutycloth.net  Type: A  ➝ 195.22.26.231
DNS: dutycloth.net  Type: A  ➝ 195.22.26.252
DNS: headborn.net  Type: A  ➝ 208.100.26.234
DNS: quickborn.net  Type: A  ➝ 27.121.64.91
DNS: mostaugust.net  Type: A  ➝ 98.139.135.129
DNS: darkpaid.net  Type: A  ➝ 217.160.165.207
DNS: cloudborn.net  Type: A  ➝ 184.168.221.96
DNS: ableread.net  Type: A  (no answer recorded)
DNS: fearstate.net  Type: A  (no answer recorded)
DNS: longcold.net  Type: A  (no answer recorded)
DNS: fridayloss.net  Type: A  (no answer recorded)
DNS: wrongbelow.net  Type: A  (no answer recorded)
DNS: hilldance.net  Type: A  (no answer recorded)
DNS: eggbraker.com  Type: A  (no answer recorded)
DNS: ithouneed.com  Type: A  (no answer recorded)
DNS: joinover.net  Type: A  (no answer recorded)
DNS: wishover.net  Type: A  (no answer recorded)
DNS: joingrain.net  Type: A  (no answer recorded)
DNS: wishgrain.net  Type: A  (no answer recorded)
DNS: joingold.net  Type: A  (no answer recorded)
DNS: wishgold.net  Type: A  (no answer recorded)
DNS: deadhome.net  Type: A  (no answer recorded)
DNS: deadover.net  Type: A  (no answer recorded)
DNS: deadgrain.net  Type: A  (no answer recorded)
DNS: rockgrain.net  Type: A  (no answer recorded)
DNS: deadgold.net  Type: A  (no answer recorded)
DNS: rockgold.net  Type: A  (no answer recorded)
DNS: wronghome.net  Type: A  (no answer recorded)
DNS: wrongover.net  Type: A  (no answer recorded)
DNS: madeover.net  Type: A  (no answer recorded)
DNS: wronggrain.net  Type: A  (no answer recorded)
DNS: madegrain.net  Type: A  (no answer recorded)
DNS: wronggold.net  Type: A  (no answer recorded)
DNS: madegold.net  Type: A  (no answer recorded)
DNS: milkcloth.net  Type: A  (no answer recorded)
DNS: triedcloth.net  Type: A  (no answer recorded)
DNS: milkpaid.net  Type: A  (no answer recorded)
DNS: triedpaid.net  Type: A  (no answer recorded)
DNS: milkaugust.net  Type: A  (no answer recorded)
DNS: triedaugust.net  Type: A  (no answer recorded)
DNS: milkborn.net  Type: A  (no answer recorded)
DNS: triedborn.net  Type: A  (no answer recorded)
DNS: withcloth.net  Type: A  (no answer recorded)
DNS: withpaid.net  Type: A  (no answer recorded)
DNS: dutypaid.net  Type: A  (no answer recorded)
DNS: withaugust.net  Type: A  (no answer recorded)
DNS: dutyaugust.net  Type: A  (no answer recorded)
DNS: withborn.net  Type: A  (no answer recorded)
DNS: dutyborn.net  Type: A  (no answer recorded)
DNS: thesecloth.net  Type: A  (no answer recorded)
DNS: sightcloth.net  Type: A  (no answer recorded)
DNS: thesepaid.net  Type: A  (no answer recorded)
DNS: sightpaid.net  Type: A  (no answer recorded)
DNS: theseaugust.net  Type: A  (no answer recorded)
DNS: sightaugust.net  Type: A  (no answer recorded)
DNS: theseborn.net  Type: A  (no answer recorded)
DNS: sightborn.net  Type: A  (no answer recorded)
DNS: casecloth.net  Type: A  (no answer recorded)
DNS: headcloth.net  Type: A  (no answer recorded)
DNS: casepaid.net  Type: A  (no answer recorded)
DNS: headpaid.net  Type: A  (no answer recorded)
DNS: caseaugust.net  Type: A  (no answer recorded)
DNS: headaugust.net  Type: A  (no answer recorded)
DNS: caseborn.net  Type: A  (no answer recorded)
DNS: quickcloth.net  Type: A  (no answer recorded)
DNS: thencloth.net  Type: A  (no answer recorded)
DNS: quickpaid.net  Type: A  (no answer recorded)
DNS: thenpaid.net  Type: A  (no answer recorded)
DNS: quickaugust.net  Type: A  (no answer recorded)
DNS: thenaugust.net  Type: A  (no answer recorded)
DNS: thenborn.net  Type: A  (no answer recorded)
DNS: sundaycloth.net  Type: A  (no answer recorded)
DNS: mostcloth.net  Type: A  (no answer recorded)
DNS: sundaypaid.net  Type: A  (no answer recorded)
DNS: mostpaid.net  Type: A  (no answer recorded)
DNS: sundayaugust.net  Type: A  (no answer recorded)
DNS: sundayborn.net  Type: A  (no answer recorded)
DNS: mostborn.net  Type: A  (no answer recorded)
DNS: meatcloth.net  Type: A  (no answer recorded)
DNS: sickcloth.net  Type: A  (no answer recorded)
DNS: meatpaid.net  Type: A  (no answer recorded)
DNS: sickpaid.net  Type: A  (no answer recorded)
DNS: meataugust.net  Type: A  (no answer recorded)
DNS: sickaugust.net  Type: A  (no answer recorded)
DNS: meatborn.net  Type: A  (no answer recorded)
DNS: sickborn.net  Type: A  (no answer recorded)
DNS: cloudcloth.net  Type: A  (no answer recorded)
DNS: darkcloth.net  Type: A  (no answer recorded)
DNS: cloudpaid.net  Type: A  (no answer recorded)
DNS: cloudaugust.net  Type: A  (no answer recorded)
DNS: darkaugust.net  Type: A  (no answer recorded)
HTTP GET: http://nailthere.net/index.php?method=validate&mode=sox&v=048&sox=48f21e00&lenhdr  User-Agent: (blank)
HTTP GET: http://groupgrain.net/index.php?method=validate&mode=sox&v=048&sox=48f21e00&lenhdr  User-Agent: (blank)
HTTP GET: http://threeonly.net/index.php?method=validate&mode=sox&v=048&sox=48f21e00&lenhdr  User-Agent: (blank)
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=048&sox=48f21e00&lenhdr  User-Agent: (blank)
HTTP GET: http://rockhome.net/index.php?method=validate&mode=sox&v=048&sox=48f21e00&lenhdr  User-Agent: (blank)
HTTP GET: http://rockover.net/index.php?method=validate&mode=sox&v=048&sox=48f21e00&lenhdr  User-Agent: (blank)
HTTP GET: http://madehome.net/index.php?method=validate&mode=sox&v=048&sox=48f21e00&lenhdr  User-Agent: (blank)
HTTP GET: http://dutycloth.net/index.php?method=validate&mode=sox&v=048&sox=48f21e00&lenhdr  User-Agent: (blank)
HTTP GET: http://headborn.net/index.php?method=validate&mode=sox&v=048&sox=48f21e00&lenhdr  User-Agent: (blank)
HTTP GET: http://quickborn.net/index.php?method=validate&mode=sox&v=048&sox=48f21e00&lenhdr  User-Agent: (blank)
HTTP GET: http://mostaugust.net/index.php?method=validate&mode=sox&v=048&sox=48f21e00&lenhdr  User-Agent: (blank)
HTTP GET: http://darkpaid.net/index.php?method=validate&mode=sox&v=048&sox=48f21e00&lenhdr  User-Agent: (blank)
HTTP GET: http://cloudborn.net/index.php?method=validate&mode=sox&v=048&sox=48f21e00&lenhdr  User-Agent: (blank)
Flows TCP: 192.168.1.1:1037 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1040 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1041 ➝ 184.168.221.104:80
Flows TCP: 192.168.1.1:1042 ➝ 97.74.182.1:80
Flows TCP: 192.168.1.1:1043 ➝ 23.236.62.147:80
Flows TCP: 192.168.1.1:1044 ➝ 195.22.26.253:80
Flows TCP: 192.168.1.1:1045 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1046 ➝ 27.121.64.91:80
Flows TCP: 192.168.1.1:1047 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1048 ➝ 217.160.165.207:80
Flows TCP: 192.168.1.1:1049 ➝ 184.168.221.96:80
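Three things in the network section are worth turning into detection logic: all 13 requests use the same URI shape (/index.php?method=validate&mode=sox&v=048&sox=...&lenhdr) with the same sox value, every request has an empty User-Agent, and every queried host is two dictionary words joined on .net or .com, with most of them never resolving. The following is an added example, not part of the sandbox output and not the sample author's code: a proxy-log detector built from those three observations. The log layout ("timestamp client method url status user-agent", with "-" for a blank User-Agent) and the sample lines are constructed for the demo; the word list is only the vocabulary visible in this report's DNS section, not a full family wordlist, so the word-pair check is a demonstration of the approach rather than a complete rule.

```python
"""Proxy-log detector for the check-in traffic recorded in this report.

Added example, not code from the sandbox or from the sample. Assumed input:
a squid-like line layout 'timestamp client method url status user-agent'
('-' meaning blank user-agent), constructed below. WORDS holds only the
vocabulary seen in this report's DNS section.
"""
from urllib.parse import parse_qs, urlsplit

# Words recovered from the two-word domains in the DNS section above.
WORDS = {
    "nail", "there", "group", "grain", "three", "only", "deep", "rock", "home",
    "over", "made", "duty", "cloth", "head", "born", "quick", "most", "august",
    "dark", "paid", "cloud", "able", "read", "fear", "state", "long", "cold",
    "friday", "loss", "wrong", "below", "hill", "dance", "join", "wish", "gold",
    "dead", "milk", "tried", "with", "these", "sight", "case", "then", "sunday",
    "meat", "sick",
}

# Constructed sample log: two check-ins copied from the report, one request to
# an ordinary host that still carries the check-in query, one benign request,
# and one blank-UA request to a word-pair domain that got no usable reply.
SAMPLE_LOG = """
1444913394.101 192.168.1.1 GET http://nailthere.net/index.php?method=validate&mode=sox&v=048&sox=48f21e00&lenhdr 200 -
1444913394.355 192.168.1.1 GET http://dutycloth.net/index.php?method=validate&mode=sox&v=048&sox=48f21e00&lenhdr 200 -
1444913395.002 192.168.1.1 GET http://www.example.com/index.php?method=validate&mode=sox 200 Mozilla/5.0 (Windows NT 5.1)
1444913395.410 192.168.1.1 GET http://update.example.org/index.php?id=7 200 Mozilla/5.0 (Windows NT 5.1)
1444913396.000 192.168.1.1 GET http://joingold.net/ 503 -
"""


def split_wordpair(label):
    """Return (first, second) if label is exactly two known words joined, else None."""
    for i in range(1, len(label)):
        head, tail = label[:i], label[i:]
        if head in WORDS and tail in WORDS:
            return head, tail
    return None


def is_checkin_uri(url):
    """True for the URI shape of every request above: /index.php?method=validate&mode=sox&..."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    return (parts.path.endswith("/index.php")
            and qs.get("method") == ["validate"]
            and qs.get("mode") == ["sox"])


def parse_line(line):
    # maxsplit keeps a user-agent that contains spaces in one field.
    ts, client, method, url, status, ua = line.split(maxsplit=5)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": status, "ua": "" if ua == "-" else ua}


def analyse(entry):
    """Attach the reasons a request resembles the check-in, and the sox pivot value."""
    parts = urlsplit(entry["url"])
    host = parts.hostname or ""
    reasons, sox = [], None
    if is_checkin_uri(entry["url"]):
        reasons.append("c2-uri")
        sox = parse_qs(parts.query).get("sox", [None])[0]
    if not entry["ua"]:
        reasons.append("blank-ua")
    # Only bare second-level names are tested; the report shows no subdomains.
    pair = split_wordpair(host.rsplit(".", 1)[0]) if host.count(".") == 1 else None
    if pair:
        reasons.append("wordpair:%s+%s" % pair)
    entry.update(host=host, reasons=reasons, sox=sox)
    return entry


def find_c2_requests(log_text):
    """The c2-uri match is enough on its own; the two weak signals must co-occur."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = analyse(parse_line(line))
        if "c2-uri" in entry["reasons"] or len(entry["reasons"]) >= 2:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_c2_requests(SAMPLE_LOG):
        print(hit["host"], hit["reasons"], hit["sox"])
```

The query-string match is treated as sufficient because that parameter combination is specific; a blank User-Agent and a two-word domain each fire on plenty of legitimate traffic and are only counted when they occur together. The sox value is the same in all 13 requests of this run, so whatever it encodes it is a usable pivot for finding the same infection in other logs.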
