Analysis Date: 2015-10-03 08:41:52
MD5: 4d98554342fb4eac87c85114803aa552
SHA1: dbebec636464ac2b78951889adba99040accc4b8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: aa6654c11b6ab8715520297eb477c3a8 sha1: dabfec7683b17eaaf215b2149391e1c390ac1d01 size: 803840
Section .rdata  md5: 639332400f7406480610fb1c7a63dde3 sha1: 04e4e3956dc677c13f0d5595b958983fdc16ce33 size: 58880
Section .data   md5: 2f3bfa0e420e6ccaf36d8472e5e321cd sha1: 87647eb0db3d6face9d1e50c61109d31b273076c size: 417280
Timestamp: 2015-01-27 08:35:18
Packer: Microsoft Visual C++ ?.?
PEhash: a1c774f2536f3abc3dbd54af01bd76dd5fefc7fd
IMPhash: cd6e40f0729c0a945f9ef30e2e09a1d3
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/Crypt.Xpack.273552
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Kryptik.DXVJ
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Kryptik.DDQD!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: Trojan ( 004cd0081 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.FakePDF
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_WONTON.SMJ1
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader16.39500
AV F-Secure: Gen:Variant.Symmi.22722

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\a2xkpcow1l7wk1drcmd9tyq.exe
Creates File: C:\WINDOWS\system32\gjuutoj\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\a2xkpcow1l7wk1drcmd9tyq.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\a2xkpcow1l7wk1drcmd9tyq.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\DHCP iSCSI Initiator Provider Biometric User-mode ➝ C:\WINDOWS\system32\jglqozczfkhm.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\gjuutoj\etc
Creates File: C:\WINDOWS\system32\gjuutoj\lck
Creates File: C:\WINDOWS\system32\gjuutoj\tst
Creates File: C:\WINDOWS\system32\jglqozczfkhm.exe
Deletes File: C:\WINDOWS\system32\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\jglqozczfkhm.exe
Creates Service: Defender Extensible PNRP Microsoft - C:\WINDOWS\system32\jglqozczfkhm.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1140

Process
↳ C:\WINDOWS\system32\jglqozczfkhm.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\a2xkpcow1pmbk1d.exe
Creates File: C:\WINDOWS\system32\lgiskxo.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\gjuutoj\tst
Creates File: C:\WINDOWS\system32\gjuutoj\lck
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\gjuutoj\rng
Creates File: C:\WINDOWS\system32\gjuutoj\run
Creates File: C:\WINDOWS\system32\gjuutoj\cfg
Creates Process: C:\WINDOWS\TEMP\a2xkpcow1pmbk1d.exe -r 29447 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\jglqozczfkhm.exe"

Process
↳ C:\WINDOWS\system32\jglqozczfkhm.exe

Creates File: C:\WINDOWS\system32\gjuutoj\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\jglqozczfkhm.exe"

Creates File: C:\WINDOWS\system32\gjuutoj\tst

Process
↳ C:\WINDOWS\TEMP\a2xkpcow1pmbk1d.exe -r 29447 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250
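Detection logic for the host-side chain recorded above (dropper writes a binary into system32, registers it both as a Run value and as a service, touches drivers\etc\hosts, flips FirewallDisableNotify, respawns itself as a WATCHDOGPROC and launches a second stage from C:\WINDOWS\TEMP). This is an added example, not part of the sandbox report and not the sample's own code. The EVENTS list is hand-constructed from the Runtime Details in a Sysmon-like shape; the field names (kind, image, parent_image, path, key, data, name, image_path, cmdline) are this example's own convention, not a real log schema, and the rule names are likewise invented here.

```python
"""Correlation rules over constructed host telemetry for the chain in the report."""

# Paths taken from the report's Runtime Details.
DROPPER = r"C:\Documents and Settings\Administrator\Local Settings\Temp\a2xkpcow1l7wk1drcmd9tyq.exe"
SERVICE_BIN = r"C:\WINDOWS\system32\jglqozczfkhm.exe"
STAGE2 = r"C:\WINDOWS\TEMP\a2xkpcow1pmbk1d.exe"

# Constructed events (assumed schema), in the order the report lists them.
EVENTS = [
    {"kind": "file_create", "image": r"C:\malware.exe", "path": DROPPER},
    {"kind": "process_create", "parent_image": r"C:\malware.exe", "image": DROPPER, "cmdline": DROPPER},
    {"kind": "registry_set", "image": DROPPER,
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DHCP iSCSI Initiator Provider Biometric User-mode",
     "data": SERVICE_BIN},
    {"kind": "file_create", "image": DROPPER, "path": r"C:\WINDOWS\system32\drivers\etc\hosts"},
    {"kind": "file_create", "image": DROPPER, "path": SERVICE_BIN},
    {"kind": "file_delete", "image": DROPPER, "path": r"C:\WINDOWS\system32\drivers\etc\hosts"},
    {"kind": "process_create", "parent_image": DROPPER, "image": SERVICE_BIN, "cmdline": SERVICE_BIN},
    {"kind": "service_install", "image": DROPPER, "name": "Defender Extensible PNRP Microsoft",
     "image_path": SERVICE_BIN},
    {"kind": "registry_set", "image": SERVICE_BIN,
     "key": r"HKLM\Software\Microsoft\Security Center\FirewallDisableNotify", "data": "1"},
    {"kind": "file_create", "image": SERVICE_BIN, "path": STAGE2},
    {"kind": "process_create", "parent_image": SERVICE_BIN, "image": STAGE2,
     "cmdline": STAGE2 + " -r 29447 tcp"},
    {"kind": "process_create", "parent_image": SERVICE_BIN, "image": SERVICE_BIN,
     "cmdline": 'WATCHDOGPROC "c:\\windows\\system32\\jglqozczfkhm.exe"'},
]


def detect(events):
    """Return (rule, detail) pairs.

    Two passes: first collect every executable written during the session,
    then judge persistence and process events against that set, so a Run
    value logged before its target file is written (as in the report)
    still correlates.
    """
    dropped = {e["path"].lower() for e in events
               if e["kind"] == "file_create" and e["path"].lower().endswith(".exe")}
    findings = []
    for e in events:
        kind = e["kind"]
        if kind == "registry_set":
            key = e["key"].lower()
            # Autorun entry whose target was dropped in this session.
            if "\\currentversion\\run\\" in key and e["data"].lower() in dropped:
                findings.append(("run_key_to_dropped_binary", e["key"]))
            # Security Center told to stop warning about the firewall state.
            if key.endswith("\\security center\\firewalldisablenotify") and e["data"] == "1":
                findings.append(("firewall_notify_disabled", e["key"]))
        elif kind == "service_install" and e["image_path"].lower() in dropped:
            findings.append(("service_to_dropped_binary", e["name"]))
        elif kind in ("file_create", "file_delete") and e["path"].lower().endswith("\\drivers\\etc\\hosts"):
            # Any write or delete of the hosts file by a non-installer process is worth a look.
            findings.append(("hosts_file_modified", f"{kind} by {e['image']}"))
        elif kind == "process_create":
            parent, image = e["parent_image"].lower(), e["image"].lower()
            if parent == image:
                # Process launching a copy of its own image (watchdog pattern).
                findings.append(("self_respawn", e["cmdline"]))
            elif (parent.startswith("c:\\windows\\system32\\")
                  and image.startswith("c:\\windows\\temp\\") and image in dropped):
                findings.append(("system32_parent_runs_dropped_temp_binary", e["cmdline"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```

Each rule keys on a relationship the report shows (persistence target equals a freshly written file, parent equals child image) rather than on the random file names, which change per build; the gjuutoj\* state files are deliberately not used as indicators for the same reason.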

Network Details:

DNS enemyguess.net A ➝ 208.91.197.241
DNS queentell.net A ➝ 208.91.197.241
DNS wednesdayhalf.net A ➝ 208.91.197.241
DNS mouthrest.net A ➝ 208.91.197.241
DNS drivethirteen.net A ➝ 208.91.197.241
DNS faceboat.net A ➝ 208.91.197.241
DNS muchhappy.net A ➝ 208.91.197.241
DNS lordover.net A ➝ 208.113.186.207
DNS lordgold.net A ➝ 109.226.13.193
DNS southfirst.net A ➝ 125.171.1.95
DNS groupguess.net A ➝ 50.63.202.48
DNS spokestood.net A ➝ 95.211.230.75
DNS spokekill.net A ➝ 193.166.255.171
DNS ableread.net A ➝ (none recorded)
DNS soilunder.net A ➝ (none recorded)
DNS sensesound.net A ➝ (none recorded)
DNS threegrain.net A ➝ (none recorded)
DNS lordgrain.net A ➝ (none recorded)
DNS threegold.net A ➝ (none recorded)
DNS drinkhome.net A ➝ (none recorded)
DNS wifehome.net A ➝ (none recorded)
DNS drinkover.net A ➝ (none recorded)
DNS wifeover.net A ➝ (none recorded)
DNS drinkgrain.net A ➝ (none recorded)
DNS wifegrain.net A ➝ (none recorded)
DNS drinkgold.net A ➝ (none recorded)
DNS wifegold.net A ➝ (none recorded)
DNS arivestood.net A ➝ (none recorded)
DNS southstood.net A ➝ (none recorded)
DNS arivekill.net A ➝ (none recorded)
DNS southkill.net A ➝ (none recorded)
DNS arivefirst.net A ➝ (none recorded)
DNS ariveguess.net A ➝ (none recorded)
DNS southguess.net A ➝ (none recorded)
DNS uponstood.net A ➝ (none recorded)
DNS whichstood.net A ➝ (none recorded)
DNS uponkill.net A ➝ (none recorded)
DNS whichkill.net A ➝ (none recorded)
DNS uponfirst.net A ➝ (none recorded)
DNS whichfirst.net A ➝ (none recorded)
DNS uponguess.net A ➝ (none recorded)
DNS whichguess.net A ➝ (none recorded)
DNS spotstood.net A ➝ (none recorded)
DNS saltstood.net A ➝ (none recorded)
DNS spotkill.net A ➝ (none recorded)
DNS saltkill.net A ➝ (none recorded)
DNS spotfirst.net A ➝ (none recorded)
DNS saltfirst.net A ➝ (none recorded)
DNS spotguess.net A ➝ (none recorded)
DNS saltguess.net A ➝ (none recorded)
DNS gladstood.net A ➝ (none recorded)
DNS takenstood.net A ➝ (none recorded)
DNS gladkill.net A ➝ (none recorded)
DNS takenkill.net A ➝ (none recorded)
DNS gladfirst.net A ➝ (none recorded)
DNS takenfirst.net A ➝ (none recorded)
DNS gladguess.net A ➝ (none recorded)
DNS takenguess.net A ➝ (none recorded)
DNS equalstood.net A ➝ (none recorded)
DNS groupstood.net A ➝ (none recorded)
DNS equalkill.net A ➝ (none recorded)
DNS groupkill.net A ➝ (none recorded)
DNS equalfirst.net A ➝ (none recorded)
DNS groupfirst.net A ➝ (none recorded)
DNS equalguess.net A ➝ (none recorded)
DNS visitstood.net A ➝ (none recorded)
DNS visitkill.net A ➝ (none recorded)
DNS spokefirst.net A ➝ (none recorded)
DNS visitfirst.net A ➝ (none recorded)
DNS spokeguess.net A ➝ (none recorded)
DNS visitguess.net A ➝ (none recorded)
DNS watchstood.net A ➝ (none recorded)
DNS fairstood.net A ➝ (none recorded)
DNS watchkill.net A ➝ (none recorded)
DNS fairkill.net A ➝ (none recorded)
DNS watchfirst.net A ➝ (none recorded)
DNS fairfirst.net A ➝ (none recorded)
DNS watchguess.net A ➝ (none recorded)
DNS fairguess.net A ➝ (none recorded)
DNS dreamstood.net A ➝ (none recorded)
DNS thisstood.net A ➝ (none recorded)
DNS dreamkill.net A ➝ (none recorded)
DNS thiskill.net A ➝ (none recorded)
DNS dreamfirst.net A ➝ (none recorded)
DNS thisfirst.net A ➝ (none recorded)
DNS dreamguess.net A ➝ (none recorded)
DNS thisguess.net A ➝ (none recorded)
DNS arivetaste.net A ➝ (none recorded)
DNS southtaste.net A ➝ (none recorded)
DNS ariveearth.net A ➝ (none recorded)
DNS southearth.net A ➝ (none recorded)
DNS ariveallow.net A ➝ (none recorded)
DNS southallow.net A ➝ (none recorded)
DNS arivegives.net A ➝ (none recorded)
DNS southgives.net A ➝ (none recorded)
HTTP GET http://enemyguess.net/index.php?method=validate&mode=sox&v=036&sox=47a03c03&lenhdr  User-Agent: (empty)
HTTP GET http://queentell.net/index.php?method=validate&mode=sox&v=036&sox=47a03c03&lenhdr  User-Agent: (empty)
HTTP GET http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=036&sox=47a03c03&lenhdr  User-Agent: (empty)
HTTP GET http://mouthrest.net/index.php?method=validate&mode=sox&v=036&sox=47a03c03&lenhdr  User-Agent: (empty)
HTTP GET http://drivethirteen.net/index.php?method=validate&mode=sox&v=036&sox=47a03c03&lenhdr  User-Agent: (empty)
HTTP GET http://faceboat.net/index.php?method=validate&mode=sox&v=036&sox=47a03c03&lenhdr  User-Agent: (empty)
HTTP GET http://muchhappy.net/index.php?method=validate&mode=sox&v=036&sox=47a03c03&lenhdr  User-Agent: (empty)
HTTP GET http://lordover.net/index.php?method=validate&mode=sox&v=036&sox=47a03c03&lenhdr  User-Agent: (empty)
HTTP GET http://lordgold.net/index.php?method=validate&mode=sox&v=036&sox=47a03c03&lenhdr  User-Agent: (empty)
HTTP GET http://southfirst.net/index.php?method=validate&mode=sox&v=036&sox=47a03c03&lenhdr  User-Agent: (empty)
HTTP GET http://groupguess.net/index.php?method=validate&mode=sox&v=036&sox=47a03c03&lenhdr  User-Agent: (empty)
HTTP GET http://spokestood.net/index.php?method=validate&mode=sox&v=036&sox=47a03c03&lenhdr  User-Agent: (empty)
HTTP GET http://spokekill.net/index.php?method=validate&mode=sox&v=036&sox=47a03c03&lenhdr  User-Agent: (empty)
HTTP GET http://enemyguess.net/index.php?method=validate&mode=sox&v=036&sox=47a03c03&lenhdr  User-Agent: (empty)
Flows TCP 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1043 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1044 ➝ 208.113.186.207:80
Flows TCP 192.168.1.1:1045 ➝ 109.226.13.193:80
Flows TCP 192.168.1.1:1046 ➝ 125.171.1.95:80
Flows TCP 192.168.1.1:1047 ➝ 50.63.202.48:80
Flows TCP 192.168.1.1:1048 ➝ 95.211.230.75:80
Flows TCP 192.168.1.1:1049 ➝ 193.166.255.171:80
Flows TCP 192.168.1.1:1050 ➝ 208.91.197.241:80
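IOC extraction and two triage heuristics for the network records above: the sample walks a long list of two-English-word .net domains, seven of which resolve to the same address (208.91.197.241), and every contact is the same index.php?method=validate request with an empty User-Agent. This is an added example, not part of the sandbox report and not the sample's own code. REPORT is a hand-condensed copy of a subset of the report's DNS, HTTP and flow records in a one-line-per-record syntax chosen for this example; that syntax, the small WORDS list and the function names are assumptions of the example.

```python
"""Parse condensed sandbox network records and flag shared-resolution IPs,
two-word domain labels and the validate beacon."""
import re
from collections import defaultdict

# Constructed subset of the report's network records (assumed one-line syntax).
REPORT = """\
DNS enemyguess.net A 208.91.197.241
DNS queentell.net A 208.91.197.241
DNS wednesdayhalf.net A 208.91.197.241
DNS mouthrest.net A 208.91.197.241
DNS drivethirteen.net A 208.91.197.241
DNS faceboat.net A 208.91.197.241
DNS muchhappy.net A 208.91.197.241
DNS lordover.net A 208.113.186.207
DNS lordgold.net A 109.226.13.193
DNS southfirst.net A 125.171.1.95
DNS groupguess.net A 50.63.202.48
DNS spokestood.net A 95.211.230.75
DNS spokekill.net A 193.166.255.171
DNS ableread.net A
DNS arivestood.net A
HTTP http://enemyguess.net/index.php?method=validate&mode=sox&v=036&sox=47a03c03&lenhdr UA=
HTTP http://lordover.net/index.php?method=validate&mode=sox&v=036&sox=47a03c03&lenhdr UA=
FLOW 192.168.1.1:1037 -> 208.91.197.241:80
FLOW 192.168.1.1:1044 -> 208.113.186.207:80
"""

# Tiny word list for the split test (assumption); a real deployment loads a dictionary.
WORDS = {"enemy", "guess", "queen", "tell", "wednesday", "half", "mouth", "rest",
         "drive", "thirteen", "face", "boat", "much", "happy", "lord", "over",
         "gold", "south", "first", "group", "spoke", "stood", "kill", "able", "read"}

# Shape of the beacon URI seen in every GET above. The 8-hex "sox" value is
# matched by form, not literally, since nothing in the report shows it is fixed.
BEACON_RE = re.compile(r"/index\.php\?method=validate&mode=sox&v=\d{3}&sox=[0-9a-f]{8}&lenhdr$")


def parse_report(text):
    """Return (dns: domain -> ip or None, http: [(url, user_agent)], flows: [(src, dst)])."""
    dns, http, flows = {}, [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "DNS":
            dns[parts[1]] = parts[3] if len(parts) > 3 else None
        elif parts[0] == "HTTP":
            # UA is the remainder of the "UA=" token; this sample format has no spaces in it.
            ua = parts[2][len("UA="):] if len(parts) > 2 else ""
            http.append((parts[1], ua))
        elif parts[0] == "FLOW":
            flows.append((parts[1], parts[3]))
    return dns, http, flows


def shared_resolution(dns, min_domains=3):
    """IPs that several unrelated domains resolve to (sinkhole/parking shape)."""
    by_ip = defaultdict(set)
    for domain, ip in dns.items():
        if ip:
            by_ip[ip].add(domain)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= min_domains}


def is_two_word_label(domain, words=WORDS):
    """True if the leftmost label splits into exactly two list words."""
    label = domain.split(".")[0]
    return any(label[:i] in words and label[i:] in words for i in range(1, len(label)))


def beacon_hits(http):
    """URLs matching the validate beacon sent with an empty User-Agent."""
    return [url for url, ua in http if BEACON_RE.search(url) and ua == ""]


def iocs(text):
    dns, http, flows = parse_report(text)
    return {
        "domains": sorted(dns),
        "ips": sorted({ip for ip in dns.values() if ip} | {dst.rsplit(":", 1)[0] for _, dst in flows}),
        "shared_ips": shared_resolution(dns),
        "dictionary_domains": sorted(d for d in dns if is_two_word_label(d)),
        "beacons": beacon_hits(http),
    }


if __name__ == "__main__":
    for key, value in iocs(REPORT).items():
        print(key, value)
```

The word-split test is a signal, not a proof: arivestood.net does not split under any English list because "arive" is not a word, so it is missed, while a shared resolution address and the beacon URI shape catch it anyway. Blocking only the 13 resolved domains would miss the remaining 82 queried names; the URI pattern and the empty User-Agent hold across all of them.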
