Analysis Date: 2015-10-10 16:43:35
MD5: 28f37de0891a8de930c42f734c1cd590
SHA1: fa65fe8985acf20c307d45d077f0207827102978

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 31b0273f5a67cb5172ebe358e2922b1c sha1: 38bb055d122c7b9ae272464bfef2a1e35192b11f size: 686592
Section .rdata: md5: 1be3104320cb8de300a54e8046395e66 sha1: 45501dd7de7fa62bad8f5dd23db29911847a5331 size: 53760
Section .data: md5: e1d4ffd52fa205f1e6ff6675f59ea217 sha1: 0f5cd8e61bd72b8dbdc5ec9b6fc4a75903be1999 size: 124928
Timestamp: 2014-04-15 23:17:39
Packer: Microsoft Visual C++ ?.?
PEhash: 62b99ecae03417d7e30094cd8b0663f86a9196ec
IMPhash: 3a5aec87f6483698a0bbcbc2334ba547
AV K7: Trojan ( 004cd0081 )
AV Alwil (avast): Kryptik-PLS [Trj]
AV Ad-Aware: Gen:Variant.Kazy.164619
AV Grisoft (avg): Win32/Cryptor
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV Eset (nod32): Win32/Kryptik.DXVJ
AV MalwareBytes: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Arcabit (arcavir): Gen:Variant.Kazy.164619
AV Authentium: W32/Symmi.AH.gen!Eldorado
AV Symantec: Downloader.Upatre!g15
AV CAT (quickheal): no_virus
AV CA (E-Trust Ino): no_virus
AV Dr. Web: no_virus
AV Mcafee: no_virus
AV VirusBlokAda (vba32): no_virus
AV BitDefender: Gen:Variant.Kazy.164619
AV Trend Micro: TSPY_NIVDORT.SM
AV Ikarus: Trojan.Crypt2
AV Frisk (f-prot): no_virus
AV Zillya!: no_virus
AV Twister: Trojan.Girtk.BCFJ.cpsn.mg
AV Emsisoft: Gen:Variant.Kazy.164619
AV ClamAV: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.164619
AV Avira (antivir): BDS/Zegost.Gen4
AV F-Secure: Gen:Variant.Kazy.164619
AV Padvish: no_virus
AV Rising: no_virus
AV Fortinet: Riskware/Agent
AV BullGuard: Gen:Variant.Kazy.164619

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\epmsjq1l7weipuicctiy.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\epmsjq1l7weipuicctiy.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\epmsjq1l7weipuicctiy.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Resolution Thread Detection Notification ➝ C:\WINDOWS\system32\iwjdgrljrpb.exe
Creates File: C:\WINDOWS\system32\iwjdgrljrpb.exe
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\lck
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\etc
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\iwjdgrljrpb.exe
Creates Service: Extensible Configuration TPM - C:\WINDOWS\system32\iwjdgrljrpb.exe

Process
↳ Pid 800

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1120

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1128

Process
↳ C:\WINDOWS\system32\iwjdgrljrpb.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\jsbodphxuneu.exe
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\cfg
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\rng
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\lck
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst
Creates File: C:\WINDOWS\system32\tpcfejrwnyw\run
Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\epmsjq1qwrei.exe
Creates Process: WATCHDOGPROC "c:\windows\system32\iwjdgrljrpb.exe"
Creates Process: C:\WINDOWS\TEMP\epmsjq1qwrei.exe -r 43297 tcp

Process
↳ C:\WINDOWS\system32\iwjdgrljrpb.exe

Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\iwjdgrljrpb.exe"

Creates File: C:\WINDOWS\system32\tpcfejrwnyw\tst

Process
↳ C:\WINDOWS\TEMP\epmsjq1qwrei.exe -r 43297 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250 (the SSDP multicast address)
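
The runtime events above show a full persistence chain (Run key plus a service, both pointing at the same dropped binary, then a WATCHDOGPROC respawn), a rewrite of the hosts file and a Security Center notification being silenced. The following is an added triage script, not part of the sandbox report: it replays those event lines (constructed from the report, normalised to one "verb object" line each) through a small rule set and checks that every persistence path names one binary. The behaviour tags are our own labels, not the sandbox's.

```python
import re
from collections import defaultdict

# Constructed sample input: the runtime event lines from the report above,
# normalised to "<verb> <object>" (one event per line, "->" for the
# registry value arrow). Raw string so the Windows paths stay as recorded,
# including the doubled backslash in the "Deletes File" hosts path.
SAMPLE_EVENTS = r"""
Creates File C:\WINDOWS\system32\tpcfejrwnyw\tst
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\epmsjq1l7weipuicctiy.exe
Creates Process C:\Documents and Settings\Administrator\Local Settings\Temp\epmsjq1l7weipuicctiy.exe
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Resolution Thread Detection Notification -> C:\WINDOWS\system32\iwjdgrljrpb.exe
Creates File C:\WINDOWS\system32\iwjdgrljrpb.exe
Creates File C:\WINDOWS\system32\drivers\etc\hosts
Deletes File C:\WINDOWS\system32\\drivers\etc\hosts
Creates Service Extensible Configuration TPM - C:\WINDOWS\system32\iwjdgrljrpb.exe
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify -> 1
Creates Process WATCHDOGPROC "c:\windows\system32\iwjdgrljrpb.exe"
Creates Process C:\WINDOWS\TEMP\epmsjq1qwrei.exe -r 43297 tcp
"""

# Behaviour rules: (tag, pattern). Tags are our own labels (assumed), not
# the sandbox's; each pattern targets one behaviour visible in the report.
RULES = [
    ("persistence/run-key",
     re.compile(r"^Registry .*\\CurrentVersion\\Run\\.* -> ", re.I)),
    ("persistence/service",
     re.compile(r"^Creates Service ", re.I)),
    ("persistence/watchdog-respawn",
     re.compile(r"^Creates Process WATCHDOGPROC ", re.I)),
    ("defense-evasion/hosts-file",
     re.compile(r"^(Creates|Deletes) File .*\\drivers\\etc\\hosts$", re.I)),
    ("defense-evasion/security-center",
     re.compile(r"^Registry .*\\Security Center\\\w+ -> 1$", re.I)),
    ("execution/dropped-exe",
     re.compile(r"^Creates (File|Process) .*\\(system32|temp)\\[^\\ ]+\.exe", re.I)),
    ("network/port-argument",
     re.compile(r"\.exe -r \d+ (tcp|udp)$", re.I)),
]

def triage(events: str) -> dict:
    """Map each behaviour tag to the event lines that triggered it."""
    hits = defaultdict(list)
    for line in events.splitlines():
        line = line.strip()
        if not line:
            continue
        for tag, pattern in RULES:
            if pattern.search(line):
                hits[tag].append(line)
    return dict(hits)

def _target(line: str, sep: str) -> str:
    """Binary path to the right of the separator, lower-cased for comparison."""
    return line.split(sep, 1)[1].strip().strip('"').lower()

def persistence_targets(hits: dict) -> set:
    """Binaries referenced by the Run key, the service and the watchdog respawn.
    A single element means every persistence path points at the same binary."""
    targets = set()
    for line in hits.get("persistence/run-key", []):
        targets.add(_target(line, " -> "))
    for line in hits.get("persistence/service", []):
        targets.add(_target(line, " - "))
    for line in hits.get("persistence/watchdog-respawn", []):
        targets.add(_target(line, "WATCHDOGPROC "))
    return targets

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for tag, lines in found.items():
        print(f"{tag}: {len(lines)} event(s)")
    print("persistence binaries:", persistence_targets(found))
```

The rules are deliberately narrow (anchored verbs, exact hosts-file suffix, a Security Center value set to 1) so that the benign svchost and spoolsv activity in the same report produces no hits; widen them only after checking what the surrounding system processes log on a clean run.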

Network Details:

DNS: stickmarch.net Type: A ➝ 52.4.209.250
DNS: tablefruit.net Type: A ➝ 52.4.209.250
DNS: saltnice.net Type: A ➝ 208.100.26.234
DNS: gladelse.net Type: A ➝ 195.22.26.253
DNS: gladelse.net Type: A ➝ 195.22.26.254
DNS: gladelse.net Type: A ➝ 195.22.26.231
DNS: gladelse.net Type: A ➝ 195.22.26.252
DNS: watchfine.net Type: A ➝ 45.35.9.136
DNS: saltrain.net Type: A ➝ 208.73.211.70
DNS: mightglossary.net Type: A (no answer recorded)
DNS: requireneither.net Type: A (no answer recorded)
DNS: gentlefriend.net Type: A (no answer recorded)
DNS: glasshealth.net Type: A (no answer recorded)
DNS: necessarydress.net Type: A (no answer recorded)
DNS: rememberpaint.net Type: A (no answer recorded)
DNS: littleappear.net Type: A (no answer recorded)
DNS: throughcountry.net Type: A (no answer recorded)
DNS: southnice.net Type: A (no answer recorded)
DNS: ariveelse.net Type: A (no answer recorded)
DNS: southelse.net Type: A (no answer recorded)
DNS: ariveimportant.net Type: A (no answer recorded)
DNS: southimportant.net Type: A (no answer recorded)
DNS: uponfine.net Type: A (no answer recorded)
DNS: whichfine.net Type: A (no answer recorded)
DNS: uponnice.net Type: A (no answer recorded)
DNS: whichnice.net Type: A (no answer recorded)
DNS: uponelse.net Type: A (no answer recorded)
DNS: whichelse.net Type: A (no answer recorded)
DNS: uponimportant.net Type: A (no answer recorded)
DNS: whichimportant.net Type: A (no answer recorded)
DNS: spotfine.net Type: A (no answer recorded)
DNS: saltfine.net Type: A (no answer recorded)
DNS: spotnice.net Type: A (no answer recorded)
DNS: spotelse.net Type: A (no answer recorded)
DNS: saltelse.net Type: A (no answer recorded)
DNS: spotimportant.net Type: A (no answer recorded)
DNS: saltimportant.net Type: A (no answer recorded)
DNS: gladfine.net Type: A (no answer recorded)
DNS: takenfine.net Type: A (no answer recorded)
DNS: gladnice.net Type: A (no answer recorded)
DNS: takennice.net Type: A (no answer recorded)
DNS: takenelse.net Type: A (no answer recorded)
DNS: gladimportant.net Type: A (no answer recorded)
DNS: takenimportant.net Type: A (no answer recorded)
DNS: equalfine.net Type: A (no answer recorded)
DNS: groupfine.net Type: A (no answer recorded)
DNS: equalnice.net Type: A (no answer recorded)
DNS: groupnice.net Type: A (no answer recorded)
DNS: equalelse.net Type: A (no answer recorded)
DNS: groupelse.net Type: A (no answer recorded)
DNS: equalimportant.net Type: A (no answer recorded)
DNS: groupimportant.net Type: A (no answer recorded)
DNS: spokefine.net Type: A (no answer recorded)
DNS: visitfine.net Type: A (no answer recorded)
DNS: spokenice.net Type: A (no answer recorded)
DNS: visitnice.net Type: A (no answer recorded)
DNS: spokeelse.net Type: A (no answer recorded)
DNS: visitelse.net Type: A (no answer recorded)
DNS: spokeimportant.net Type: A (no answer recorded)
DNS: visitimportant.net Type: A (no answer recorded)
DNS: fairfine.net Type: A (no answer recorded)
DNS: watchnice.net Type: A (no answer recorded)
DNS: fairnice.net Type: A (no answer recorded)
DNS: watchelse.net Type: A (no answer recorded)
DNS: fairelse.net Type: A (no answer recorded)
DNS: watchimportant.net Type: A (no answer recorded)
DNS: fairimportant.net Type: A (no answer recorded)
DNS: dreamfine.net Type: A (no answer recorded)
DNS: thisfine.net Type: A (no answer recorded)
DNS: dreamnice.net Type: A (no answer recorded)
DNS: thisnice.net Type: A (no answer recorded)
DNS: dreamelse.net Type: A (no answer recorded)
DNS: thiselse.net Type: A (no answer recorded)
DNS: dreamimportant.net Type: A (no answer recorded)
DNS: thisimportant.net Type: A (no answer recorded)
DNS: arivesleep.net Type: A (no answer recorded)
DNS: southsleep.net Type: A (no answer recorded)
DNS: ariveheight.net Type: A (no answer recorded)
DNS: southheight.net Type: A (no answer recorded)
DNS: ariveheld.net Type: A (no answer recorded)
DNS: southheld.net Type: A (no answer recorded)
DNS: ariverain.net Type: A (no answer recorded)
DNS: southrain.net Type: A (no answer recorded)
DNS: uponsleep.net Type: A (no answer recorded)
DNS: whichsleep.net Type: A (no answer recorded)
DNS: uponheight.net Type: A (no answer recorded)
DNS: whichheight.net Type: A (no answer recorded)
DNS: uponheld.net Type: A (no answer recorded)
DNS: whichheld.net Type: A (no answer recorded)
DNS: uponrain.net Type: A (no answer recorded)
DNS: whichrain.net Type: A (no answer recorded)
DNS: spotsleep.net Type: A (no answer recorded)
DNS: saltsleep.net Type: A (no answer recorded)
DNS: spotheight.net Type: A (no answer recorded)
DNS: saltheight.net Type: A (no answer recorded)
DNS: spotheld.net Type: A (no answer recorded)
DNS: saltheld.net Type: A (no answer recorded)
DNS: spotrain.net Type: A (no answer recorded)
HTTP GET: http://stickmarch.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ca05000
User-Agent: (not recorded)
HTTP GET: http://tablefruit.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ca05000
User-Agent: (not recorded)
HTTP GET: http://saltnice.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ca05000
User-Agent: (not recorded)
HTTP GET: http://gladelse.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ca05000
User-Agent: (not recorded)
HTTP GET: http://watchfine.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ca05000
User-Agent: (not recorded)
HTTP GET: http://saltrain.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ca05000
User-Agent: (not recorded)
HTTP GET: http://stickmarch.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ca05000
User-Agent: (not recorded)
HTTP GET: http://tablefruit.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ca05000
User-Agent: (not recorded)
HTTP GET: http://saltnice.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ca05000
User-Agent: (not recorded)
HTTP GET: http://gladelse.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ca05000
User-Agent: (not recorded)
HTTP GET: http://watchfine.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ca05000
User-Agent: (not recorded)
HTTP GET: http://saltrain.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ca05000
User-Agent: (not recorded)
Flows TCP: 192.168.1.1:1036 ➝ 52.4.209.250:80
Flows TCP: 192.168.1.1:1037 ➝ 52.4.209.250:80
Flows TCP: 192.168.1.1:1039 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1040 ➝ 195.22.26.253:80
Flows TCP: 192.168.1.1:1041 ➝ 45.35.9.136:80
Flows TCP: 192.168.1.1:1042 ➝ 208.73.211.70:80
Flows TCP: 192.168.1.1:1043 ➝ 52.4.209.250:80
Flows TCP: 192.168.1.1:1044 ➝ 52.4.209.250:80
Flows TCP: 192.168.1.1:1045 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1046 ➝ 195.22.26.253:80
Flows TCP: 192.168.1.1:1047 ➝ 45.35.9.136:80
Flows TCP: 192.168.1.1:1048 ➝ 208.73.211.70:80
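
Every name in the DNS list is two dictionary words joined under .net, only a handful resolved, and each resolved host received the same GET to /forum/search.php with method=validate&mode=sox&v=028&sox=3ca05000. The script below is an added example for hunting that pattern in your own DNS and proxy logs; it is not part of the report. The sample inputs are constructed from the report's own entries, the vocabulary is assembled from the labels in the DNS list (so it recognises only names built from words seen here), and the third URL is a constructed non-matching request to show the negative case.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample input: a subset of the DNS queries and the HTTP GETs
# from the report above, one query per line as "<name> <type> [<answer>]".
SAMPLE_DNS = """
stickmarch.net A 52.4.209.250
tablefruit.net A 52.4.209.250
saltnice.net A 208.100.26.234
gladelse.net A 195.22.26.253
watchfine.net A 45.35.9.136
saltrain.net A 208.73.211.70
mightglossary.net A
requireneither.net A
gentlefriend.net A
glasshealth.net A
uponfine.net A
whichnice.net A
spotrain.net A
"""
SAMPLE_HTTP = [
    "http://stickmarch.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ca05000",
    "http://saltrain.net/forum/search.php?method=validate&mode=sox&v=028&sox=3ca05000",
    "http://example.org/forum/search.php?method=validate&mode=other&v=028",  # constructed non-match
]

# Vocabulary assembled from the labels in the report's DNS list; every
# queried name is two of these words joined ("arive" is the report's spelling).
WORDS = frozenset("""
stick march table fruit salt nice glad else watch fine rain might glossary
require neither gentle friend glass health necessary dress remember paint
little appear through country south arive important upon which spot taken
equal group spoke visit fair dream this sleep height held
""".split())

BEACON_PATH = "/forum/search.php"

def split_two_words(name: str, words=WORDS):
    """Return (w1, w2) if the leftmost label is exactly two vocabulary words."""
    label = name.lower().split(".")[0]
    for i in range(1, len(label)):
        if label[:i] in words and label[i:] in words:
            return label[:i], label[i:]
    return None

def parse_dns(text: str):
    """Return a list of (name, rtype, answer-or-None) from the sample notation."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            out.append((parts[0].lower(), parts[1], parts[2] if len(parts) > 2 else None))
    return out

def beacon_match(url: str):
    """Parse one URL; return its beacon fields if it has the observed shape
    (path /forum/search.php with method=validate and mode=sox), else None."""
    u = urlsplit(url)
    if u.path != BEACON_PATH:
        return None
    q = parse_qs(u.query)
    if q.get("method") != ["validate"] or q.get("mode") != ["sox"]:
        return None
    return {"host": u.hostname, "v": q.get("v", [None])[0], "sox": q.get("sox", [None])[0]}

def summarize(dns_text: str, urls):
    """Correlate DNS and HTTP: how many names fit the two-word pattern,
    how many resolved, and which hosts were then beaconed to."""
    records = parse_dns(dns_text)
    resolved = {name for name, _, ans in records if ans}
    beacons = [b for b in (beacon_match(u) for u in urls) if b]
    hosts = {b["host"] for b in beacons}
    return {
        "queried": len(records),
        "two_word": sum(1 for name, _, _ in records if split_two_words(name)),
        "resolved": len(resolved),
        "beacon_hosts": sorted(hosts),
        "beacon_hosts_unresolved": sorted(hosts - resolved),
        "sox_values": sorted({b["sox"] for b in beacons}),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DNS, SAMPLE_HTTP).items():
        print(f"{key}: {value}")
```

A high two_word count with a low resolved count is the signal worth alerting on from DNS alone; the beacon query string (in particular the fixed sox value) is the narrower proxy-side match, and the two together confirm which of the resolved hosts the sample actually talked to.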

Strings