Analysis | #totalhash

Analysis Date	2016-03-14 15:37:56
MD5	8c1b7c20f6be29f37d993048b31c808e
SHA1	da3a1d0ed917093a8cf3a971289d0d04cc829fcc

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: e3f0c85462427bc91a8e719fa9f6f95c sha1: 3b1e84f306e26ad85580061aeaa164def59d2e30 size: 796160
Section	.rdata md5: 163286bf398f6aeb70f64d61776b58a1 sha1: 2731fef22d867ff41b23b7e6fe610c171d043772 size: 59392
Section	.data md5: 6a1649e0ca37050c32bc3248da3c9b57 sha1: b0deb50ce9bcb0c25e223a25a5a54dcc4a53023c size: 396800
Timestamp	2015-01-27 09:20:43
Packer	Microsoft Visual C++ ?.?
PEhash	f66d9e6fe789529cbef60453a92f325a2e6368cc
IMPhash	eb68ad513baf68d94d6cd815ca03ccb7
AV	CA (E-Trust Ino)	Gen:Variant.Symmi.22722
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.AE
AV	Rising	No Virus
AV	Mcafee	No Virus
AV	MicroWorld (escan)	Gen:Variant.Symmi.22722
AV	MalwareBytes	No Virus
AV	Avira (antivir)	BDS/Zegost.Gen
AV	Ikarus	Trojan.Win32.Crypt
AV	Frisk (f-prot)	No Virus
AV	Authentium	W32/Nivdort.A.gen!Eldorado
AV	Emsisoft	Gen:Variant.Symmi.22722
AV	Twister	No Virus
AV	Ad-Aware	Gen:Variant.Symmi.22722
AV	Zillya!	No Virus
AV	Kaspersky	Trojan.Win32.Generic
AV	Trend Micro	TROJ_WONTON.SMJ1
AV	Alwil (avast)	Downloader-TLD [Trj]
AV	Eset (nod32)	Win32/Kryptik.CCLE
AV	Grisoft (avg)	Win32/Cryptor
AV	CAT (quickheal)	No Virus
AV	VirusBlokAda (vba32)	No Virus
AV	Symantec	Downloader.Upatre!g15
AV	BullGuard	Gen:Variant.Symmi.22722
AV	Arcabit (arcavir)	Gen:Variant.Symmi.22722
AV	Fortinet	W32/Kryptik.DDQD!tr
AV	ClamAV	No Virus
AV	BitDefender	Gen:Variant.Symmi.22722
AV	Dr. Web	No Virus
AV	K7	Trojan ( 004cd0081 )
AV	F-Secure	Gen:Variant.Symmi.22722

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\e9uayem1ldzplkfuhcmhtrab.exe
Creates File	C:\WINDOWS\system32\rxmlzvkdcocwf\tst
Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\e9uayem1ldzplkfuhcmhtrab.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\e9uayem1ldzplkfuhcmhtrab.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IP Provider Tools Health DHCP Browser ➝ C:\WINDOWS\system32\oyuhvfpcs.exe
Creates File	C:\WINDOWS\system32\drivers\etc\hosts
Creates File	C:\WINDOWS\system32\rxmlzvkdcocwf\tst
Creates File	C:\WINDOWS\system32\rxmlzvkdcocwf\etc
Creates File	C:\WINDOWS\system32\rxmlzvkdcocwf\lck
Creates File	C:\WINDOWS\system32\oyuhvfpcs.exe
Deletes File	C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process	C:\WINDOWS\system32\oyuhvfpcs.exe
Creates Service	Brightness Transaction Endpoint Connections - C:\WINDOWS\system32\oyuhvfpcs.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File	PIPE\lsarpc
Creates File	\Device\Afd\Endpoint
Creates File	C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File	C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File	WMIDataDevice

Process
↳ Pid 1852

Process
↳ Pid 1116

Process
↳ C:\WINDOWS\system32\oyuhvfpcs.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File	C:\WINDOWS\TEMP\e9uayem1ryyplkfu.exe
Creates File	C:\WINDOWS\system32\rxmlzvkdcocwf\rng
Creates File	C:\WINDOWS\system32\rxmlzvkdcocwf\run
Creates File	C:\WINDOWS\system32\rxmlzvkdcocwf\tst
Creates File	pipe\net\NtControlPipe10
Creates File	C:\WINDOWS\system32\rxmlzvkdcocwf\lck
Creates File	C:\WINDOWS\system32\pyrhzpdipfy.exe
Creates File	\Device\Afd\Endpoint
Creates File	C:\WINDOWS\system32\rxmlzvkdcocwf\cfg
Creates Process	C:\WINDOWS\TEMP\e9uayem1ryyplkfu.exe -r 43543 tcp
Creates Process	WATCHDOGPROC "c:\windows\system32\oyuhvfpcs.exe"

Process
↳ C:\WINDOWS\system32\oyuhvfpcs.exe

Creates File	C:\WINDOWS\system32\rxmlzvkdcocwf\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\oyuhvfpcs.exe"

Creates File	C:\WINDOWS\system32\rxmlzvkdcocwf\tst

Process
↳ C:\WINDOWS\TEMP\e9uayem1ryyplkfu.exe -r 43543 tcp

Creates File	\Device\Afd\Endpoint
Winsock DNS	239.255.255.250

Network Details:

DNS	learnstart.net Type: A 184.168.80.46
DNS	yourcook.net Type: A 79.170.40.4
DNS	yournext.net Type: A 207.148.248.143
DNS	learncook.net Type: A 121.254.178.252
DNS	learnnext.net Type: A 216.21.239.197
DNS	fallcook.net Type: A 195.22.28.198
DNS	fallcook.net Type: A 195.22.28.197
DNS	fallcook.net Type: A 195.22.28.196
DNS	fallcook.net Type: A 195.22.28.199
DNS	weektall.net Type: A 208.100.26.234
DNS	verycook.net Type: A 68.64.161.187
DNS	ableread.net Type: A
DNS	enemyguess.net Type: A
DNS	soilunder.net Type: A
DNS	queentell.net Type: A
DNS	wednesdayhalf.net Type: A
DNS	mouthrest.net Type: A
DNS	drivethirteen.net Type: A
DNS	faceboat.net Type: A
DNS	sensesound.net Type: A
DNS	muchhappy.net Type: A
DNS	fillsing.net Type: A
DNS	sensenever.net Type: A
DNS	learnnever.net Type: A
DNS	sensenine.net Type: A
DNS	learnnine.net Type: A
DNS	sensestart.net Type: A
DNS	sensesing.net Type: A
DNS	learnsing.net Type: A
DNS	torenever.net Type: A
DNS	fallnever.net Type: A
DNS	torenine.net Type: A
DNS	fallnine.net Type: A
DNS	torestart.net Type: A
DNS	fallstart.net Type: A
DNS	toresing.net Type: A
DNS	fallsing.net Type: A
DNS	weeknever.net Type: A
DNS	verynever.net Type: A
DNS	weeknine.net Type: A
DNS	verynine.net Type: A
DNS	weekstart.net Type: A
DNS	verystart.net Type: A
DNS	weeksing.net Type: A
DNS	verysing.net Type: A
DNS	piecenever.net Type: A
DNS	muchnever.net Type: A
DNS	piecenine.net Type: A
DNS	muchnine.net Type: A
DNS	piecestart.net Type: A
DNS	muchstart.net Type: A
DNS	piecesing.net Type: A
DNS	muchsing.net Type: A
DNS	waitnever.net Type: A
DNS	takenever.net Type: A
DNS	waitnine.net Type: A
DNS	takenine.net Type: A
DNS	waitstart.net Type: A
DNS	takestart.net Type: A
DNS	waitsing.net Type: A
DNS	takesing.net Type: A
DNS	triestall.net Type: A
DNS	yourtall.net Type: A
DNS	triescook.net Type: A
DNS	triesnext.net Type: A
DNS	triesbeen.net Type: A
DNS	yourbeen.net Type: A
DNS	lrstntall.net Type: A
DNS	viewtall.net Type: A
DNS	lrstncook.net Type: A
DNS	viewcook.net Type: A
DNS	lrstnnext.net Type: A
DNS	viewnext.net Type: A
DNS	lrstnbeen.net Type: A
DNS	viewbeen.net Type: A
DNS	planttall.net Type: A
DNS	filltall.net Type: A
DNS	plantcook.net Type: A
DNS	fillcook.net Type: A
DNS	plantnext.net Type: A
DNS	fillnext.net Type: A
DNS	plantbeen.net Type: A
DNS	fillbeen.net Type: A
DNS	sensetall.net Type: A
DNS	learntall.net Type: A
DNS	sensecook.net Type: A
DNS	sensenext.net Type: A
DNS	sensebeen.net Type: A
DNS	learnbeen.net Type: A
DNS	toretall.net Type: A
DNS	falltall.net Type: A
DNS	torecook.net Type: A
DNS	torenext.net Type: A
DNS	fallnext.net Type: A
DNS	torebeen.net Type: A
DNS	fallbeen.net Type: A
DNS	verytall.net Type: A
DNS	weekcook.net Type: A
HTTP GET	http://learnstart.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent:
HTTP GET	http://yourcook.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent:
HTTP GET	http://yournext.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent:
HTTP GET	http://learncook.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent:
HTTP GET	http://learnnext.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent:
HTTP GET	http://fallcook.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent:
HTTP GET	http://weektall.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent:
HTTP GET	http://verycook.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent:
HTTP GET	http://learnstart.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent:
HTTP GET	http://yourcook.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent:
HTTP GET	http://yournext.net/index.php?method=validate&mode=sox&v=036&sox=3ce5b800&lenhdr User-Agent:
Flows TCP	192.168.1.1:1036 ➝ 184.168.80.46:80
Flows TCP	192.168.1.1:1038 ➝ 79.170.40.4:80
Flows TCP	192.168.1.1:1039 ➝ 207.148.248.143:80
Flows TCP	192.168.1.1:1040 ➝ 121.254.178.252:80
Flows TCP	192.168.1.1:1041 ➝ 216.21.239.197:80
Flows TCP	192.168.1.1:1042 ➝ 195.22.28.198:80
Flows TCP	192.168.1.1:1043 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1044 ➝ 68.64.161.187:80
Flows TCP	192.168.1.1:1045 ➝ 184.168.80.46:80
Flows TCP	192.168.1.1:1046 ➝ 79.170.40.4:80
Flows TCP	192.168.1.1:1047 ➝ 207.148.248.143:80

Raw Pcap

Strings