Field | Value |
---|---|
Analysis Date | 2015-09-16 02:15:32 |
MD5 | b10d29d48f3a241ca6ad4d7debecbfc7 |
SHA1 | da0684e051713dac993fa906bb6558465f865c09 |
Static Details:
Attribute | Value | Result |
---|---|---|
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
Section | .text md5: e046fe5d1b7e61a2d6752194523f132c sha1: c46bfff70559d086f07505599506a51009738037 size: 835072 | |
Section | .rdata md5: c4305036007ffc4fcd412e4a123a1642 sha1: 2523211db1075a23fcd5e8f13f8b0d98d9ed55c2 size: 315392 | |
Section | .data md5: 34f66e01ab067c82f469711484aa2b5d sha1: 7bda02679dabe558fe7501b673d6c4b4f2c8570e size: 7680 | |
Timestamp | 2015-04-12 19:54:23 | |
Packer | Microsoft Visual C++ ?.? | |
PEhash | a55f8860c3c6e1d7dadfa4aa15fd336be1ad142d | |
IMPhash | 6903b7878273ddf02664c2ed611caf2f | |
AV | CA (E-Trust Ino) | no_virus |
AV | Rising | 0x590623c9 |
AV | Mcafee | no_virus |
AV | Avira (antivir) | TR/Crypt.Xpack.251612 |
AV | Twister | no_virus |
AV | Ad-Aware | Gen:Variant.Zusy.133308 |
AV | Alwil (avast) | Downloader-TLD [Trj] |
AV | Eset (nod32) | Win32/Kryptik.DDQD |
AV | Grisoft (avg) | Win32/Cryptor |
AV | Symantec | Downloader.Upatre!g15 |
AV | Fortinet | W32/Kryptik.DDQD!tr |
AV | BitDefender | Gen:Variant.Zusy.133308 |
AV | K7 | Trojan ( 004bb8ba1 ) |
AV | Microsoft Security Essentials | Trojan:Win32/Dynamer!ac |
AV | MicroWorld (escan) | Gen:Variant.Zusy.133308 |
AV | MalwareBytes | no_virus |
AV | Authentium | W32/Zusy.X.gen!Eldorado |
AV | Frisk (f-prot) | no_virus |
AV | Ikarus | Trojan.Win32.Crypt |
AV | Emsisoft | Gen:Variant.Zusy.133308 |
AV | Zillya! | no_virus |
AV | Kaspersky | Trojan.Win32.Generic |
AV | Trend Micro | no_virus |
AV | CAT (quickheal) | no_virus |
AV | VirusBlokAda (vba32) | no_virus |
AV | Padvish | no_virus |
AV | BullGuard | Gen:Variant.Zusy.133308 |
AV | Arcabit (arcavir) | Gen:Variant.Zusy.133308 |
AV | ClamAV | no_virus |
AV | Dr. Web | Trojan.DownLoader16.22421 |
AV | F-Secure | Gen:Variant.Zusy.133308 |
Runtime Details:
Process
↳ C:\malware.exe
Action | Detail |
---|---|
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\dfzzhsbv1kiqwrq5tnvjvhjub.exe |
Creates File | C:\WINDOWS\system32\vzzhzppuhrigk\tst |
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\dfzzhsbv1kiqwrq5tnvjvhjub.exe |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\dfzzhsbv1kiqwrq5tnvjvhjub.exe
Action | Detail |
---|---|
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Presentation Resource IPsec Plug Collector ➝ C:\WINDOWS\system32\aquzbmn.exe |
Creates File | C:\WINDOWS\system32\drivers\etc\hosts |
Creates File | C:\WINDOWS\system32\vzzhzppuhrigk\etc |
Creates File | C:\WINDOWS\system32\aquzbmn.exe |
Creates File | C:\WINDOWS\system32\vzzhzppuhrigk\lck |
Creates File | C:\WINDOWS\system32\vzzhzppuhrigk\tst |
Deletes File | C:\WINDOWS\system32\\drivers\etc\hosts |
Creates Process | C:\WINDOWS\system32\aquzbmn.exe |
Creates Service | Provider Acquisition Bluetooth - C:\WINDOWS\system32\aquzbmn.exe |
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 804
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe
Process
↳ Pid 1204
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Action | Detail |
---|---|
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Creates File | WMIDataDevice |
Process
↳ Pid 1860
Process
↳ Pid 1128
Process
↳ C:\WINDOWS\system32\aquzbmn.exe
Action | Detail |
---|---|
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1 |
Creates File | C:\WINDOWS\system32\vzzhzppuhrigk\cfg |
Creates File | C:\WINDOWS\system32\fgfpilmqrkc.exe |
Creates File | C:\WINDOWS\TEMP\dfzzhsbv1rpuwrq5t.exe |
Creates File | pipe\net\NtControlPipe10 |
Creates File | C:\WINDOWS\system32\vzzhzppuhrigk\rng |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\WINDOWS\system32\vzzhzppuhrigk\tst |
Creates File | C:\WINDOWS\system32\vzzhzppuhrigk\lck |
Creates File | C:\WINDOWS\system32\vzzhzppuhrigk\run |
Creates Process | WATCHDOGPROC "c:\windows\system32\aquzbmn.exe" |
Creates Process | C:\WINDOWS\TEMP\dfzzhsbv1rpuwrq5t.exe -r 48316 tcp |
Process
↳ C:\WINDOWS\system32\aquzbmn.exe
Action | Detail |
---|---|
Creates File | C:\WINDOWS\system32\vzzhzppuhrigk\tst |
Process
↳ WATCHDOGPROC "c:\windows\system32\aquzbmn.exe"
Action | Detail |
---|---|
Creates File | C:\WINDOWS\system32\vzzhzppuhrigk\tst |
Process
↳ C:\WINDOWS\TEMP\dfzzhsbv1rpuwrq5t.exe -r 48316 tcp
Action | Detail |
---|---|
Creates File | \Device\Afd\Endpoint |
Winsock DNS | 239.255.255.250 |
Network Details:
Type | Detail |
---|---|
DNS | nailthere.net Type: A 98.139.135.129 |
DNS | groupgrain.net Type: A 208.91.197.241 |
DNS | threeonly.net Type: A 208.91.197.241 |
DNS | naildeep.com Type: A 74.220.215.218 |
DNS | lifeclock.net Type: A 198.46.51.193 |
DNS | lifeclock.net Type: A 162.212.2.137 |
DNS | lifemake.net Type: A 192.64.119.44 |
DNS | enemyrush.net Type: A 95.211.230.75 |
DNS | deeprush.net Type: A 184.168.221.26 |
DNS | pushhard.net Type: A 66.96.147.159 |
DNS | pushclock.net Type: A 217.70.184.38 |
DNS | pushmake.net Type: A 37.59.4.217 |
DNS | longshine.net Type: A 218.107.207.37 |
DNS | ableread.net Type: A |
DNS | fearstate.net Type: A |
DNS | longcold.net Type: A |
DNS | fridayloss.net Type: A |
DNS | wrongbelow.net Type: A |
DNS | hilldance.net Type: A |
DNS | eggbraker.com Type: A |
DNS | ithouneed.com Type: A |
DNS | longrush.net Type: A |
DNS | soilrush.net Type: A |
DNS | wheelhard.net Type: A |
DNS | saidhard.net Type: A |
DNS | wheelclock.net Type: A |
DNS | saidclock.net Type: A |
DNS | wheelmake.net Type: A |
DNS | saidmake.net Type: A |
DNS | wheelrush.net Type: A |
DNS | saidrush.net Type: A |
DNS | stickhard.net Type: A |
DNS | ballhard.net Type: A |
DNS | stickclock.net Type: A |
DNS | ballclock.net Type: A |
DNS | stickmake.net Type: A |
DNS | ballmake.net Type: A |
DNS | stickrush.net Type: A |
DNS | ballrush.net Type: A |
DNS | enemyhard.net Type: A |
DNS | lifehard.net Type: A |
DNS | enemyclock.net Type: A |
DNS | enemymake.net Type: A |
DNS | liferush.net Type: A |
DNS | mouthhard.net Type: A |
DNS | tillhard.net Type: A |
DNS | mouthclock.net Type: A |
DNS | tillclock.net Type: A |
DNS | mouthmake.net Type: A |
DNS | tillmake.net Type: A |
DNS | mouthrush.net Type: A |
DNS | tillrush.net Type: A |
DNS | shallhard.net Type: A |
DNS | deephard.net Type: A |
DNS | shallclock.net Type: A |
DNS | deepclock.net Type: A |
DNS | shallmake.net Type: A |
DNS | deepmake.net Type: A |
DNS | shallrush.net Type: A |
DNS | fridayhard.net Type: A |
DNS | fridayclock.net Type: A |
DNS | fridaymake.net Type: A |
DNS | pushrush.net Type: A |
DNS | fridayrush.net Type: A |
DNS | alonghard.net Type: A |
DNS | decemberhard.net Type: A |
DNS | alongclock.net Type: A |
DNS | decemberclock.net Type: A |
DNS | alongmake.net Type: A |
DNS | decembermake.net Type: A |
DNS | alongrush.net Type: A |
DNS | decemberrush.net Type: A |
DNS | longfifth.net Type: A |
DNS | soilfifth.net Type: A |
DNS | soilshine.net Type: A |
DNS | longdone.net Type: A |
DNS | soildone.net Type: A |
DNS | longknew.net Type: A |
DNS | soilknew.net Type: A |
DNS | wheelfifth.net Type: A |
DNS | saidfifth.net Type: A |
DNS | wheelshine.net Type: A |
DNS | saidshine.net Type: A |
DNS | wheeldone.net Type: A |
DNS | saiddone.net Type: A |
DNS | wheelknew.net Type: A |
DNS | saidknew.net Type: A |
DNS | stickfifth.net Type: A |
DNS | ballfifth.net Type: A |
DNS | stickshine.net Type: A |
DNS | ballshine.net Type: A |
DNS | stickdone.net Type: A |
DNS | balldone.net Type: A |
DNS | stickknew.net Type: A |
DNS | ballknew.net Type: A |
DNS | enemyfifth.net Type: A |
DNS | lifefifth.net Type: A |
DNS | enemyshine.net Type: A |
HTTP GET | http://nailthere.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent: |
HTTP GET | http://groupgrain.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent: |
HTTP GET | http://threeonly.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent: |
HTTP GET | http://naildeep.com/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent: |
HTTP GET | http://lifeclock.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent: |
HTTP GET | http://lifemake.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent: |
HTTP GET | http://enemyrush.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent: |
HTTP GET | http://deeprush.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent: |
HTTP GET | http://pushhard.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent: |
HTTP GET | http://pushclock.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent: |
HTTP GET | http://pushmake.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent: |
HTTP GET | http://longshine.net/index.php?method=validate&mode=sox&v=047&sox=4b4e6800&lenhdr User-Agent: |
Flows TCP | 192.168.1.1:1037 ➝ 98.139.135.129:80 |
Flows TCP | 192.168.1.1:1038 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1039 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1040 ➝ 74.220.215.218:80 |
Flows TCP | 192.168.1.1:1041 ➝ 198.46.51.193:80 |
Flows TCP | 192.168.1.1:1042 ➝ 192.64.119.44:80 |
Flows TCP | 192.168.1.1:1043 ➝ 95.211.230.75:80 |
Flows TCP | 192.168.1.1:1044 ➝ 184.168.221.26:80 |
Flows TCP | 192.168.1.1:1045 ➝ 66.96.147.159:80 |
Flows TCP | 192.168.1.1:1046 ➝ 217.70.184.38:80 |
Flows TCP | 192.168.1.1:1047 ➝ 37.59.4.217:80 |
Flows TCP | 192.168.1.1:1048 ➝ 218.107.207.37:80 |
Raw Pcap
```text
0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m
0x00000010 (00016) 6574686f 643d7661 6c696461 7465266d ethod=validate&m
0x00000020 (00032) 6f64653d 736f7826 763d3034 3726736f ode=sox&v=047&so
0x00000030 (00048) 783d3462 34653638 3030266c 656e6864 x=4b4e6800&lenhd
0x00000040 (00064) 72204854 54502f31 2e300d0a 41636365 r HTTP/1.0..Acce
0x00000050 (00080) 70743a20 2a2f2a0d 0a436f6e 6e656374 pt: */*..Connect
0x00000060 (00096) 696f6e3a 20636c6f 73650d0a 486f7374 ion: close..Host
0x00000070 (00112) 3a206e61 696c7468 6572652e 6e65740d : nailthere.net.
0x00000080 (00128) 0a0d0a                              ...

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m
0x00000010 (00016) 6574686f 643d7661 6c696461 7465266d ethod=validate&m
0x00000020 (00032) 6f64653d 736f7826 763d3034 3726736f ode=sox&v=047&so
0x00000030 (00048) 783d3462 34653638 3030266c 656e6864 x=4b4e6800&lenhd
0x00000040 (00064) 72204854 54502f31 2e300d0a 41636365 r HTTP/1.0..Acce
0x00000050 (00080) 70743a20 2a2f2a0d 0a436f6e 6e656374 pt: */*..Connect
0x00000060 (00096) 696f6e3a 20636c6f 73650d0a 486f7374 ion: close..Host
0x00000070 (00112) 3a206772 6f757067 7261696e 2e6e6574 : groupgrain.net
0x00000080 (00128) 0d0a0d0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m
0x00000010 (00016) 6574686f 643d7661 6c696461 7465266d ethod=validate&m
0x00000020 (00032) 6f64653d 736f7826 763d3034 3726736f ode=sox&v=047&so
0x00000030 (00048) 783d3462 34653638 3030266c 656e6864 x=4b4e6800&lenhd
0x00000040 (00064) 72204854 54502f31 2e300d0a 41636365 r HTTP/1.0..Acce
0x00000050 (00080) 70743a20 2a2f2a0d 0a436f6e 6e656374 pt: */*..Connect
0x00000060 (00096) 696f6e3a 20636c6f 73650d0a 486f7374 ion: close..Host
0x00000070 (00112) 3a207468 7265656f 6e6c792e 6e65740d : threeonly.net.
0x00000080 (00128) 0a0d0a0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m
0x00000010 (00016) 6574686f 643d7661 6c696461 7465266d ethod=validate&m
0x00000020 (00032) 6f64653d 736f7826 763d3034 3726736f ode=sox&v=047&so
0x00000030 (00048) 783d3462 34653638 3030266c 656e6864 x=4b4e6800&lenhd
0x00000040 (00064) 72204854 54502f31 2e300d0a 41636365 r HTTP/1.0..Acce
0x00000050 (00080) 70743a20 2a2f2a0d 0a436f6e 6e656374 pt: */*..Connect
0x00000060 (00096) 696f6e3a 20636c6f 73650d0a 486f7374 ion: close..Host
0x00000070 (00112) 3a206e61 696c6465 65702e63 6f6d0d0a : naildeep.com..
0x00000080 (00128) 0d0a0a0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m
0x00000010 (00016) 6574686f 643d7661 6c696461 7465266d ethod=validate&m
0x00000020 (00032) 6f64653d 736f7826 763d3034 3726736f ode=sox&v=047&so
0x00000030 (00048) 783d3462 34653638 3030266c 656e6864 x=4b4e6800&lenhd
0x00000040 (00064) 72204854 54502f31 2e300d0a 41636365 r HTTP/1.0..Acce
0x00000050 (00080) 70743a20 2a2f2a0d 0a436f6e 6e656374 pt: */*..Connect
0x00000060 (00096) 696f6e3a 20636c6f 73650d0a 486f7374 ion: close..Host
0x00000070 (00112) 3a206c69 6665636c 6f636b2e 6e65740d : lifeclock.net.
0x00000080 (00128) 0a0d0a0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m
0x00000010 (00016) 6574686f 643d7661 6c696461 7465266d ethod=validate&m
0x00000020 (00032) 6f64653d 736f7826 763d3034 3726736f ode=sox&v=047&so
0x00000030 (00048) 783d3462 34653638 3030266c 656e6864 x=4b4e6800&lenhd
0x00000040 (00064) 72204854 54502f31 2e300d0a 41636365 r HTTP/1.0..Acce
0x00000050 (00080) 70743a20 2a2f2a0d 0a436f6e 6e656374 pt: */*..Connect
0x00000060 (00096) 696f6e3a 20636c6f 73650d0a 486f7374 ion: close..Host
0x00000070 (00112) 3a206c69 66656d61 6b652e6e 65740d0a : lifemake.net..
0x00000080 (00128) 0d0a0a0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m
0x00000010 (00016) 6574686f 643d7661 6c696461 7465266d ethod=validate&m
0x00000020 (00032) 6f64653d 736f7826 763d3034 3726736f ode=sox&v=047&so
0x00000030 (00048) 783d3462 34653638 3030266c 656e6864 x=4b4e6800&lenhd
0x00000040 (00064) 72204854 54502f31 2e300d0a 41636365 r HTTP/1.0..Acce
0x00000050 (00080) 70743a20 2a2f2a0d 0a436f6e 6e656374 pt: */*..Connect
0x00000060 (00096) 696f6e3a 20636c6f 73650d0a 486f7374 ion: close..Host
0x00000070 (00112) 3a20656e 656d7972 7573682e 6e65740d : enemyrush.net.
0x00000080 (00128) 0a0d0a0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m
0x00000010 (00016) 6574686f 643d7661 6c696461 7465266d ethod=validate&m
0x00000020 (00032) 6f64653d 736f7826 763d3034 3726736f ode=sox&v=047&so
0x00000030 (00048) 783d3462 34653638 3030266c 656e6864 x=4b4e6800&lenhd
0x00000040 (00064) 72204854 54502f31 2e300d0a 41636365 r HTTP/1.0..Acce
0x00000050 (00080) 70743a20 2a2f2a0d 0a436f6e 6e656374 pt: */*..Connect
0x00000060 (00096) 696f6e3a 20636c6f 73650d0a 486f7374 ion: close..Host
0x00000070 (00112) 3a206465 65707275 73682e6e 65740d0a : deeprush.net..
0x00000080 (00128) 0d0a0a0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m
0x00000010 (00016) 6574686f 643d7661 6c696461 7465266d ethod=validate&m
0x00000020 (00032) 6f64653d 736f7826 763d3034 3726736f ode=sox&v=047&so
0x00000030 (00048) 783d3462 34653638 3030266c 656e6864 x=4b4e6800&lenhd
0x00000040 (00064) 72204854 54502f31 2e300d0a 41636365 r HTTP/1.0..Acce
0x00000050 (00080) 70743a20 2a2f2a0d 0a436f6e 6e656374 pt: */*..Connect
0x00000060 (00096) 696f6e3a 20636c6f 73650d0a 486f7374 ion: close..Host
0x00000070 (00112) 3a207075 73686861 72642e6e 65740d0a : pushhard.net..
0x00000080 (00128) 0d0a0a0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m
0x00000010 (00016) 6574686f 643d7661 6c696461 7465266d ethod=validate&m
0x00000020 (00032) 6f64653d 736f7826 763d3034 3726736f ode=sox&v=047&so
0x00000030 (00048) 783d3462 34653638 3030266c 656e6864 x=4b4e6800&lenhd
0x00000040 (00064) 72204854 54502f31 2e300d0a 41636365 r HTTP/1.0..Acce
0x00000050 (00080) 70743a20 2a2f2a0d 0a436f6e 6e656374 pt: */*..Connect
0x00000060 (00096) 696f6e3a 20636c6f 73650d0a 486f7374 ion: close..Host
0x00000070 (00112) 3a207075 7368636c 6f636b2e 6e65740d : pushclock.net.
0x00000080 (00128) 0a0d0a0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m
0x00000010 (00016) 6574686f 643d7661 6c696461 7465266d ethod=validate&m
0x00000020 (00032) 6f64653d 736f7826 763d3034 3726736f ode=sox&v=047&so
0x00000030 (00048) 783d3462 34653638 3030266c 656e6864 x=4b4e6800&lenhd
0x00000040 (00064) 72204854 54502f31 2e300d0a 41636365 r HTTP/1.0..Acce
0x00000050 (00080) 70743a20 2a2f2a0d 0a436f6e 6e656374 pt: */*..Connect
0x00000060 (00096) 696f6e3a 20636c6f 73650d0a 486f7374 ion: close..Host
0x00000070 (00112) 3a207075 73686d61 6b652e6e 65740d0a : pushmake.net..
0x00000080 (00128) 0d0a0a0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m
0x00000010 (00016) 6574686f 643d7661 6c696461 7465266d ethod=validate&m
0x00000020 (00032) 6f64653d 736f7826 763d3034 3726736f ode=sox&v=047&so
0x00000030 (00048) 783d3462 34653638 3030266c 656e6864 x=4b4e6800&lenhd
0x00000040 (00064) 72204854 54502f31 2e300d0a 41636365 r HTTP/1.0..Acce
0x00000050 (00080) 70743a20 2a2f2a0d 0a436f6e 6e656374 pt: */*..Connect
0x00000060 (00096) 696f6e3a 20636c6f 73650d0a 486f7374 ion: close..Host
0x00000070 (00112) 3a206c6f 6e677368 696e652e 6e65740d : longshine.net.
0x00000080 (00128) 0a0d0a0a                            ....
```
Strings