Analysis Date | 2016-03-14 15:37:56 |
---|---|
MD5 | 8c1b7c20f6be29f37d993048b31c808e |
SHA1 | da3a1d0ed917093a8cf3a971289d0d04cc829fcc |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: e3f0c85462427bc91a8e719fa9f6f95c sha1: 3b1e84f306e26ad85580061aeaa164def59d2e30 size: 796160 | |
Section | .rdata md5: 163286bf398f6aeb70f64d61776b58a1 sha1: 2731fef22d867ff41b23b7e6fe610c171d043772 size: 59392 | |
Section | .data md5: 6a1649e0ca37050c32bc3248da3c9b57 sha1: b0deb50ce9bcb0c25e223a25a5a54dcc4a53023c size: 396800 | |
Timestamp | 2015-01-27 09:20:43 | |
Packer | Microsoft Visual C++ ?.? | |
PEhash | f66d9e6fe789529cbef60453a92f325a2e6368cc | |
IMPhash | eb68ad513baf68d94d6cd815ca03ccb7 | |
AV | CA (E-Trust Ino) | Gen:Variant.Symmi.22722 |
AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.AE |
AV | Rising | No Virus |
AV | Mcafee | No Virus |
AV | MicroWorld (escan) | Gen:Variant.Symmi.22722 |
AV | MalwareBytes | No Virus |
AV | Avira (antivir) | BDS/Zegost.Gen |
AV | Ikarus | Trojan.Win32.Crypt |
AV | Frisk (f-prot) | No Virus |
AV | Authentium | W32/Nivdort.A.gen!Eldorado |
AV | Emsisoft | Gen:Variant.Symmi.22722 |
AV | Twister | No Virus |
AV | Ad-Aware | Gen:Variant.Symmi.22722 |
AV | Zillya! | No Virus |
AV | Kaspersky | Trojan.Win32.Generic |
AV | Trend Micro | TROJ_WONTON.SMJ1 |
AV | Alwil (avast) | Downloader-TLD [Trj] |
AV | Eset (nod32) | Win32/Kryptik.CCLE |
AV | Grisoft (avg) | Win32/Cryptor |
AV | CAT (quickheal) | No Virus |
AV | VirusBlokAda (vba32) | No Virus |
AV | Symantec | Downloader.Upatre!g15 |
AV | BullGuard | Gen:Variant.Symmi.22722 |
AV | Arcabit (arcavir) | Gen:Variant.Symmi.22722 |
AV | Fortinet | W32/Kryptik.DDQD!tr |
AV | ClamAV | No Virus |
AV | BitDefender | Gen:Variant.Symmi.22722 |
AV | Dr. Web | No Virus |
AV | K7 | Trojan ( 004cd0081 ) |
AV | F-Secure | Gen:Variant.Symmi.22722 |
Runtime Details:
Process
↳ C:\malware.exe
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\e9uayem1ldzplkfuhcmhtrab.exe |
---|---|
Creates File | C:\WINDOWS\system32\rxmlzvkdcocwf\tst |
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\e9uayem1ldzplkfuhcmhtrab.exe |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\e9uayem1ldzplkfuhcmhtrab.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IP Provider Tools Health DHCP Browser ➝ C:\WINDOWS\system32\oyuhvfpcs.exe |
---|---|
Creates File | C:\WINDOWS\system32\drivers\etc\hosts |
Creates File | C:\WINDOWS\system32\rxmlzvkdcocwf\tst |
Creates File | C:\WINDOWS\system32\rxmlzvkdcocwf\etc |
Creates File | C:\WINDOWS\system32\rxmlzvkdcocwf\lck |
Creates File | C:\WINDOWS\system32\oyuhvfpcs.exe |
Deletes File | C:\WINDOWS\system32\\drivers\etc\hosts |
Creates Process | C:\WINDOWS\system32\oyuhvfpcs.exe |
Creates Service | Brightness Transaction Endpoint Connections - C:\WINDOWS\system32\oyuhvfpcs.exe |
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 800
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL |
---|---|
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG |
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
Process
↳ Pid 1204
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
---|---|
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Creates File | WMIDataDevice |
Process
↳ Pid 1852
Process
↳ Pid 1116
Process
↳ C:\WINDOWS\system32\oyuhvfpcs.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1 |
---|---|
Creates File | C:\WINDOWS\TEMP\e9uayem1ryyplkfu.exe |
Creates File | C:\WINDOWS\system32\rxmlzvkdcocwf\rng |
Creates File | C:\WINDOWS\system32\rxmlzvkdcocwf\run |
Creates File | C:\WINDOWS\system32\rxmlzvkdcocwf\tst |
Creates File | pipe\net\NtControlPipe10 |
Creates File | C:\WINDOWS\system32\rxmlzvkdcocwf\lck |
Creates File | C:\WINDOWS\system32\pyrhzpdipfy.exe |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\WINDOWS\system32\rxmlzvkdcocwf\cfg |
Creates Process | C:\WINDOWS\TEMP\e9uayem1ryyplkfu.exe -r 43543 tcp |
Creates Process | WATCHDOGPROC "c:\windows\system32\oyuhvfpcs.exe" |
Process
↳ C:\WINDOWS\system32\oyuhvfpcs.exe
Creates File | C:\WINDOWS\system32\rxmlzvkdcocwf\tst |
---|
Process
↳ WATCHDOGPROC "c:\windows\system32\oyuhvfpcs.exe"
Creates File | C:\WINDOWS\system32\rxmlzvkdcocwf\tst |
---|
Process
↳ C:\WINDOWS\TEMP\e9uayem1ryyplkfu.exe -r 43543 tcp
Creates File | \Device\Afd\Endpoint |
---|---|
Winsock DNS | 239.255.255.250 |
Network Details:
DNS | learnstart.net Type: A 184.168.80.46 |
---|---|
HTTP GET | http://learnstart.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent: |
HTTP GET | http://yourcook.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent: |
HTTP GET | http://yournext.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent: |
HTTP GET | http://learncook.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent: |
HTTP GET | http://learnnext.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent: |
HTTP GET | http://fallcook.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent: |
HTTP GET | http://weektall.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent: |
HTTP GET | http://verycook.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent: |
HTTP GET | http://learnstart.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent: |
HTTP GET | http://yourcook.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent: |
HTTP GET | http://yournext.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent: |
Flows TCP | 192.168.1.1:1036 ➝ 184.168.80.46:80 |
Flows TCP | 192.168.1.1:1038 ➝ 79.170.40.4:80 |
Flows TCP | 192.168.1.1:1039 ➝ 207.148.248.143:80 |
Flows TCP | 192.168.1.1:1040 ➝ 121.254.178.252:80 |
Flows TCP | 192.168.1.1:1041 ➝ 216.21.239.197:80 |
Flows TCP | 192.168.1.1:1042 ➝ 195.22.28.198:80 |
Flows TCP | 192.168.1.1:1043 ➝ 208.100.26.234:80 |
Flows TCP | 192.168.1.1:1044 ➝ 68.64.161.187:80 |
Flows TCP | 192.168.1.1:1045 ➝ 184.168.80.46:80 |
Flows TCP | 192.168.1.1:1046 ➝ 79.170.40.4:80 |
Flows TCP | 192.168.1.1:1047 ➝ 207.148.248.143:80 |