Analysis Date: 2016-03-14 15:37:56
MD5: 8c1b7c20f6be29f37d993048b31c808e
SHA1: da3a1d0ed917093a8cf3a971289d0d04cc829fcc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: e3f0c85462427bc91a8e719fa9f6f95c sha1: 3b1e84f306e26ad85580061aeaa164def59d2e30 size: 796160
Section .rdata: md5: 163286bf398f6aeb70f64d61776b58a1 sha1: 2731fef22d867ff41b23b7e6fe610c171d043772 size: 59392
Section .data: md5: 6a1649e0ca37050c32bc3248da3c9b57 sha1: b0deb50ce9bcb0c25e223a25a5a54dcc4a53023c size: 396800
Timestamp: 2015-01-27 09:20:43
Packer: Microsoft Visual C++ ?.?
PEhash: f66d9e6fe789529cbef60453a92f325a2e6368cc
IMPhash: eb68ad513baf68d94d6cd815ca03ccb7
AV CA (E-Trust Ino): Gen:Variant.Symmi.22722
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AE
AV Rising: No Virus
AV Mcafee: No Virus
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: No Virus
AV Avira (antivir): BDS/Zegost.Gen
AV Ikarus: Trojan.Win32.Crypt
AV Frisk (f-prot): No Virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Emsisoft: Gen:Variant.Symmi.22722
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_WONTON.SMJ1
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Kryptik.CCLE
AV Grisoft (avg): Win32/Cryptor
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV Symantec: Downloader.Upatre!g15
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV Fortinet: W32/Kryptik.DDQD!tr
AV ClamAV: No Virus
AV BitDefender: Gen:Variant.Symmi.22722
AV Dr. Web: No Virus
AV K7: Trojan ( 004cd0081 )
AV F-Secure: Gen:Variant.Symmi.22722

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\e9uayem1ldzplkfuhcmhtrab.exe
Creates File: C:\WINDOWS\system32\rxmlzvkdcocwf\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\e9uayem1ldzplkfuhcmhtrab.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\e9uayem1ldzplkfuhcmhtrab.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IP Provider Tools Health DHCP Browser ➝ C:\WINDOWS\system32\oyuhvfpcs.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\rxmlzvkdcocwf\tst
Creates File: C:\WINDOWS\system32\rxmlzvkdcocwf\etc
Creates File: C:\WINDOWS\system32\rxmlzvkdcocwf\lck
Creates File: C:\WINDOWS\system32\oyuhvfpcs.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\oyuhvfpcs.exe
Creates Service: Brightness Transaction Endpoint Connections - C:\WINDOWS\system32\oyuhvfpcs.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1852

Process
↳ Pid 1116

Process
↳ C:\WINDOWS\system32\oyuhvfpcs.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\e9uayem1ryyplkfu.exe
Creates File: C:\WINDOWS\system32\rxmlzvkdcocwf\rng
Creates File: C:\WINDOWS\system32\rxmlzvkdcocwf\run
Creates File: C:\WINDOWS\system32\rxmlzvkdcocwf\tst
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\rxmlzvkdcocwf\lck
Creates File: C:\WINDOWS\system32\pyrhzpdipfy.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\rxmlzvkdcocwf\cfg
Creates Process: C:\WINDOWS\TEMP\e9uayem1ryyplkfu.exe -r 43543 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\oyuhvfpcs.exe"

Process
↳ C:\WINDOWS\system32\oyuhvfpcs.exe

Creates File: C:\WINDOWS\system32\rxmlzvkdcocwf\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\oyuhvfpcs.exe"

Creates File: C:\WINDOWS\system32\rxmlzvkdcocwf\tst

Process
↳ C:\WINDOWS\TEMP\e9uayem1ryyplkfu.exe -r 43543 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

