Analysis Date: 2015-10-31 16:57:18
MD5: e543b5f5fd7cf245880a029d6adee439
SHA1: f756092392338799a534a3c7bf4bef5e44200cac

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 49a26bbf477d2865f79b033019de3bd5 sha1: 9069aa2a74e1729fb9a912d829e959e31b9d48f7 size: 825856
Section .rdata md5: 157214a43a6f4045986bd4a726ceedcc sha1: 2456793e9431e38c730b0ef8de71c7d008d9142b size: 312832
Section .data md5: 62a4dc04442adc72e94275d74f53c68d sha1: b9f7f4a1f33330d6bc8228aa845dd282b845ca8a size: 7680
Timestamp: 2015-03-20 09:32:21
Packer: Microsoft Visual C++ ?.?
PEhash: 7c002a1d9f8e444cdd445170fe664819402c7ef7
IMPhash: 8ccfb66396c5f12c1c7bd2fc9ce83908
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.195948
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Zusy.133308
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Kryptik.DDQD
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Kryptik.DDQD!tr
AV BitDefender: Gen:Variant.Zusy.133308
AV K7: Trojan ( 004cd0081 )
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV MicroWorld (escan): Gen:Variant.Zusy.133308
AV MalwareBytes: no_virus
AV Authentium: W32/Zusy.X.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Zusy.133308
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Zusy.133308
AV Arcabit (arcavir): Gen:Variant.Zusy.133308
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader17.34210
AV F-Secure: Gen:Variant.Zusy.133308

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\z5fsah1mg6gmvjoeista.exe
Creates File: C:\WINDOWS\system32\phkwnqrmxtl\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\z5fsah1mg6gmvjoeista.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\z5fsah1mg6gmvjoeista.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Secondary Web Remote Intelligent Bluetooth ➝ C:\WINDOWS\system32\zhzokfn.exe
Creates File: C:\WINDOWS\system32\phkwnqrmxtl\etc
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\zhzokfn.exe
Creates File: C:\WINDOWS\system32\phkwnqrmxtl\lck
Creates File: C:\WINDOWS\system32\phkwnqrmxtl\tst
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\zhzokfn.exe
Creates Service: Logon Isolation Offline - C:\WINDOWS\system32\zhzokfn.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1864

Process
↳ Pid 1132

Process
↳ C:\WINDOWS\system32\zhzokfn.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\phkwnqrmxtl\rng
Creates File: C:\WINDOWS\system32\phkwnqrmxtl\lck
Creates File: C:\WINDOWS\system32\iggsyfoxyxse.exe
Creates File: C:\WINDOWS\system32\phkwnqrmxtl\run
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\phkwnqrmxtl\cfg
Creates File: C:\WINDOWS\system32\phkwnqrmxtl\tst
Creates File: C:\WINDOWS\TEMP\z5fsah1tgrgm.exe
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "c:\windows\system32\zhzokfn.exe"
Creates Process: C:\WINDOWS\TEMP\z5fsah1tgrgm.exe -r 47148 tcp

Process
↳ C:\WINDOWS\system32\zhzokfn.exe

Creates File: C:\WINDOWS\system32\phkwnqrmxtl\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\zhzokfn.exe"

Creates File: C:\WINDOWS\system32\phkwnqrmxtl\tst

Process
↳ C:\WINDOWS\TEMP\z5fsah1tgrgm.exe -r 47148 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:
