Analysis Date: 2015-08-14 09:00:57
MD5: 100f17c713a6565c5e81087c54e0a011
SHA1: f7e08080316fe7fb7f685c4e514d274f4aec16d2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: d590445fa7e037dde683023f142de7e3 sha1: 806a8fe4cd0f643c2be70fa98fe1503483bc37ac size: 806912
Section .rdata: md5: a4ba9c4df52e1c2848744c17b20d455e sha1: 7bf6c7e586c8eca9dd4adaf7d1cbba1bb01591dd size: 293888
Section .data: md5: b06bf850a44e636c5427b523147778fa sha1: 711db03e4fa62be9d6b220657a8502e18ab78bb2 size: 7680
Section .reloc: md5: c099ac5b03ba534aadf6a0c21a85857d sha1: 1873339104a4753244650e20e43ef764f7cb6098 size: 59904
Timestamp: 2015-02-06 22:09:45
Packer: Microsoft Visual C++ ?.?
PEhash: 0178d5af9764f242ad9e9d1138d643cb0a8cebcc
IMPhash: 7526da015ec713bf7194632410a38654
AV Ad-Aware: Gen:Variant.Kazy.553443
AV Frisk (f-prot): no_virus
AV Symantec: Downloader.Upatre!g15
AV F-Secure: Gen:Variant.Kazy.553443
AV Grisoft (avg): Win32/Cryptor
AV CAT (quickheal): Trojan.Generic.g4
AV CA (E-Trust Ino): no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.553443
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Z
AV Alwil (avast): Downloader-TLD [Trj]
AV Twister: Trojan.Girtk.DDQD.frwy
AV Zillya!: no_virus
AV Rising: no_virus
AV Padvish: no_virus
AV MalwareBytes: no_virus
AV VirusBlokAda (vba32): no_virus
AV Fortinet: W32/Kryptik.DDQD!tr
AV Emsisoft: Gen:Variant.Kazy.553443
AV BitDefender: Gen:Variant.Kazy.553443
AV ClamAV: no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Avira (antivir): TR/Agent.1169408.12
AV Kaspersky: Trojan.Win32.Generic
AV Arcabit (arcavir): Gen:Variant.Kazy.553443
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV K7: Trojan ( 004c77f41 )
AV Eset (nod32): Win32/Kryptik.DDQD
AV BullGuard: Gen:Variant.Kazy.553443
AV Trend Micro: no_virus
AV Mcafee: Trojan-FGIJ!100F17C713A6
AV Dr. Web: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\skimysq\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\l3xqkp31mglnanteuez3ic.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\l3xqkp31mglnanteuez3ic.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\l3xqkp31mglnanteuez3ic.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Background Encrypting Task ➝ C:\WINDOWS\system32\yyxbjck.exe
Creates File: C:\WINDOWS\system32\skimysq\lck
Creates File: C:\WINDOWS\system32\skimysq\tst
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\yyxbjck.exe
Creates File: C:\WINDOWS\system32\skimysq\etc
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\yyxbjck.exe
Creates Service: Color Adapter Audio Modules - C:\WINDOWS\system32\yyxbjck.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERe55a.dir00\svchost.exe.mdmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERe55a.dir00\svchost.exe.hdmp
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: pipe\PCHFaultRepExecPipe
Creates Process: C:\WINDOWS\system32\dumprep.exe 1016 -dm 7 7 C:\Documents and Settings\Administrator\Local Settings\Temp\WERe55a.dir00\svchost.exe.mdmp 16325836412030928

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1168

Process
↳ C:\WINDOWS\system32\yyxbjck.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\skimysq\run
Creates File: C:\WINDOWS\system32\skimysq\tst
Creates File: C:\WINDOWS\system32\vxwhavnxq.exe
Creates File: C:\WINDOWS\TEMP\l3xqkp31swtnant.exe
Creates File: C:\WINDOWS\system32\skimysq\lck
Creates File: C:\WINDOWS\system32\skimysq\cfg
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\skimysq\rng
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\TEMP\l3xqkp31swtnant.exe -r 28404 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\yyxbjck.exe"

Process
↳ C:\WINDOWS\system32\yyxbjck.exe

Creates File: C:\WINDOWS\system32\skimysq\tst

Process
↳ C:\WINDOWS\system32\dumprep.exe 1016 -dm 7 7 C:\Documents and Settings\Administrator\Local Settings\Temp\WERe55a.dir00\svchost.exe.mdmp 16325836412030928

Process
↳ WATCHDOGPROC "c:\windows\system32\yyxbjck.exe"

Creates File: C:\WINDOWS\system32\skimysq\tst

Process
↳ C:\WINDOWS\TEMP\l3xqkp31swtnant.exe -r 28404 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS queentell.net Type: A ➝ 208.91.197.241
DNS wednesdayhalf.net Type: A ➝ 208.91.197.241
DNS mouthrest.net Type: A ➝ 208.91.197.241
DNS drivethirteen.net Type: A ➝ 208.91.197.241
DNS faceboat.net Type: A ➝ 208.91.197.241
DNS muchhappy.net Type: A ➝ 208.91.197.241
DNS callmile.net Type: A ➝ 208.91.197.241
DNS takenews.net Type: A ➝ 114.200.196.31
DNS fillking.net Type: A ➝ 195.22.26.254
DNS fillking.net Type: A ➝ 195.22.26.231
DNS fillking.net Type: A ➝ 195.22.26.252
DNS fillking.net Type: A ➝ 195.22.26.253
DNS torethan.net Type: A ➝ 216.104.165.91
DNS torethan.net Type: A ➝ 216.104.165.31
DNS veryread.net Type: A ➝ 112.124.104.218
DNS pieceread.net Type: A ➝ 95.211.230.75
DNS ableread.net Type: A
DNS soilunder.net Type: A
DNS fearstate.net Type: A
DNS takemark.net Type: A
DNS waitnews.net Type: A
DNS triesthan.net Type: A
DNS yourthan.net Type: A
DNS triesread.net Type: A
DNS yourread.net Type: A
DNS triesmile.net Type: A
DNS yourmile.net Type: A
DNS triesking.net Type: A
DNS yourking.net Type: A
DNS lrstnthan.net Type: A
DNS viewthan.net Type: A
DNS lrstnread.net Type: A
DNS viewread.net Type: A
DNS lrstnmile.net Type: A
DNS viewmile.net Type: A
DNS lrstnking.net Type: A
DNS viewking.net Type: A
DNS plantthan.net Type: A
DNS fillthan.net Type: A
DNS plantread.net Type: A
DNS fillread.net Type: A
DNS plantmile.net Type: A
DNS fillmile.net Type: A
DNS plantking.net Type: A
DNS sensethan.net Type: A
DNS learnthan.net Type: A
DNS senseread.net Type: A
DNS learnread.net Type: A
DNS sensemile.net Type: A
DNS learnmile.net Type: A
DNS senseking.net Type: A
DNS learnking.net Type: A
DNS fallthan.net Type: A
DNS toreread.net Type: A
DNS fallread.net Type: A
DNS toremile.net Type: A
DNS fallmile.net Type: A
DNS toreking.net Type: A
DNS fallking.net Type: A
DNS weekthan.net Type: A
DNS verythan.net Type: A
DNS weekread.net Type: A
DNS weekmile.net Type: A
DNS verymile.net Type: A
DNS weekking.net Type: A
DNS veryking.net Type: A
DNS piecethan.net Type: A
DNS muchthan.net Type: A
DNS muchread.net Type: A
DNS piecemile.net Type: A
DNS muchmile.net Type: A
DNS pieceking.net Type: A
DNS muchking.net Type: A
DNS waitthan.net Type: A
DNS takethan.net Type: A
DNS waitread.net Type: A
DNS takeread.net Type: A
DNS waitmile.net Type: A
DNS takemile.net Type: A
DNS waitking.net Type: A
DNS takeking.net Type: A
DNS triessaturday.net Type: A
DNS yoursaturday.net Type: A
DNS triesthousand.net Type: A
DNS yourthousand.net Type: A
DNS triesloud.net Type: A
DNS yourloud.net Type: A
DNS triestree.net Type: A
DNS yourtree.net Type: A
DNS lrstnsaturday.net Type: A
DNS viewsaturday.net Type: A
DNS lrstnthousand.net Type: A
DNS viewthousand.net Type: A
DNS lrstnloud.net Type: A
DNS viewloud.net Type: A
DNS lrstntree.net Type: A
DNS viewtree.net Type: A
DNS plantsaturday.net Type: A
DNS fillsaturday.net Type: A
HTTP GET http://queentell.net/index.php?method=validate&mode=sox&v=040&sox=492bb600&lenhdr
User-Agent:
HTTP GET http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=040&sox=492bb600&lenhdr
User-Agent:
HTTP GET http://mouthrest.net/index.php?method=validate&mode=sox&v=040&sox=492bb600&lenhdr
User-Agent:
HTTP GET http://drivethirteen.net/index.php?method=validate&mode=sox&v=040&sox=492bb600&lenhdr
User-Agent:
HTTP GET http://faceboat.net/index.php?method=validate&mode=sox&v=040&sox=492bb600&lenhdr
User-Agent:
HTTP GET http://muchhappy.net/index.php?method=validate&mode=sox&v=040&sox=492bb600&lenhdr
User-Agent:
HTTP GET http://callmile.net/index.php?method=validate&mode=sox&v=040&sox=492bb600&lenhdr
User-Agent:
HTTP GET http://takenews.net/index.php?method=validate&mode=sox&v=040&sox=492bb600&lenhdr
User-Agent:
HTTP GET http://fillking.net/index.php?method=validate&mode=sox&v=040&sox=492bb600&lenhdr
User-Agent:
HTTP GET http://torethan.net/index.php?method=validate&mode=sox&v=040&sox=492bb600&lenhdr
User-Agent:
HTTP GET http://veryread.net/index.php?method=validate&mode=sox&v=040&sox=492bb600&lenhdr
User-Agent:
HTTP GET http://pieceread.net/index.php?method=validate&mode=sox&v=040&sox=492bb600&lenhdr
User-Agent:
Flows TCP 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1043 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1044 ➝ 114.200.196.31:80
Flows TCP 192.168.1.1:1045 ➝ 195.22.26.254:80
Flows TCP 192.168.1.1:1046 ➝ 216.104.165.91:80
Flows TCP 192.168.1.1:1047 ➝ 112.124.104.218:80
Flows TCP 192.168.1.1:1048 ➝ 95.211.230.75:80