Analysis Date: 2015-08-14 02:51:14
MD5: a5be27ffee2a2c3e94841b82bdc43370
SHA1: 012c74f187ca24b50e676384415229dcc94d5f20

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 783d19dadd0c82d76b4d9e4080387a8f  sha1: 1af47455afc2b291b3f904b848f37319c578c7a5  size: 898048
Section .rdata  md5: 347c6daef59b3f204a6867bc17eae36d  sha1: f4e232e75ad05fbed1c779b616c24e87f59310eb  size: 107008
Section .data  md5: 935ec54c662cae4d2c5c913b1ed8c4ed  sha1: f2c5c5c43fd69eb4811f20ea9766c75f2fbd3447  size: 7168
Section .reloc  md5: 3829f013830c8b55b26db22b49725d76  sha1: 113424744d04db480d929451101620dc35597424  size: 96768
Timestamp: 2015-05-08 07:26:34
Packer: Microsoft Visual C++ 8
PEhash: 7b87051a2b7668dd41681a08d33ac4ea854e9362
IMPhash: c06e3e241ce8c696de006b15977016de
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.609544
AV Dr. Web: Trojan.DownLoader13.16477
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.609544
AV BullGuard: Gen:Variant.Kazy.609544
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: TROJ_BAYROB.SM0
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.Scar.Win32.90225
AV Emsisoft: Gen:Variant.Kazy.609544
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.R2.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.609544
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BG
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Kazy.609544
AV Fortinet: W32/Generic.A!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.T
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Kazy.609544
AV Twister: no_virus
AV Avira (antivir): TR/Kryptik.qgmpd
AV Mcafee: Trojan-FFNF!A5BE27FFEE2A
AV Rising: Trojan.Win32.Bayrod.a

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\syesrjtdf\eg7wnlga
Creates File: C:\syesrjtdf\dar1md4hvttpktqgq.exe
Creates File: C:\WINDOWS\syesrjtdf\eg7wnlga
Deletes File: C:\WINDOWS\syesrjtdf\eg7wnlga
Creates Process: C:\syesrjtdf\dar1md4hvttpktqgq.exe

Process
↳ C:\syesrjtdf\dar1md4hvttpktqgq.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Alerts Routing Port Gateway ➝ C:\syesrjtdf\ntspukj.exe
Creates File: C:\syesrjtdf\ntspukj.exe
Creates File: C:\syesrjtdf\ragvaqg70m
Creates File: C:\syesrjtdf\eg7wnlga
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\syesrjtdf\eg7wnlga
Deletes File: C:\WINDOWS\syesrjtdf\eg7wnlga
Creates Process: C:\syesrjtdf\ntspukj.exe
Creates Service: Biometric Scheduler Block Program - C:\syesrjtdf\ntspukj.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File: WMIDataDevice

Process
↳ Pid 1868

Process
↳ Pid 1148

Process
↳ C:\syesrjtdf\ntspukj.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\syesrjtdf\ragvaqg70m
Creates File: C:\syesrjtdf\eg7wnlga
Creates File: \Device\Afd\Endpoint
Creates File: C:\syesrjtdf\slqfag
Creates File: C:\syesrjtdf\wzuefjfwfcow.exe
Creates File: C:\WINDOWS\syesrjtdf\eg7wnlga
Deletes File: C:\WINDOWS\syesrjtdf\eg7wnlga
Creates Process: jlcqyetamsse "c:\syesrjtdf\ntspukj.exe"

Process
↳ C:\syesrjtdf\ntspukj.exe

Creates File: C:\syesrjtdf\eg7wnlga
Creates File: C:\WINDOWS\syesrjtdf\eg7wnlga
Deletes File: C:\WINDOWS\syesrjtdf\eg7wnlga

Process
↳ jlcqyetamsse "c:\syesrjtdf\ntspukj.exe"

Creates File: C:\syesrjtdf\eg7wnlga
Creates File: C:\WINDOWS\syesrjtdf\eg7wnlga
Deletes File: C:\WINDOWS\syesrjtdf\eg7wnlga

Network Details:

DNS whetherforest.net  Type: A ➝ 95.211.230.75
DNS rightforest.net  Type: A ➝ 98.130.238.135
DNS englishforest.net  Type: A ➝ 59.188.232.88
DNS personschool.net  Type: A ➝ 165.160.13.20
DNS personschool.net  Type: A ➝ 165.160.15.20
DNS rightschool.net  Type: A ➝ 82.144.197.54
DNS rightquestion.net  Type: A ➝ 208.91.197.27
DNS suddenalways.net  Type: A
DNS foreignalways.net  Type: A
DNS suddenforest.net  Type: A
DNS foreignforest.net  Type: A
DNS whetherwheat.net  Type: A
DNS rightwheat.net  Type: A
DNS whetheranger.net  Type: A
DNS rightanger.net  Type: A
DNS whetheralways.net  Type: A
DNS rightalways.net  Type: A
DNS figurewheat.net  Type: A
DNS thoughwheat.net  Type: A
DNS figureanger.net  Type: A
DNS thoughanger.net  Type: A
DNS figurealways.net  Type: A
DNS thoughalways.net  Type: A
DNS figureforest.net  Type: A
DNS thoughforest.net  Type: A
DNS picturewheat.net  Type: A
DNS cigarettewheat.net  Type: A
DNS pictureanger.net  Type: A
DNS cigaretteanger.net  Type: A
DNS picturealways.net  Type: A
DNS cigarettealways.net  Type: A
DNS pictureforest.net  Type: A
DNS cigaretteforest.net  Type: A
DNS childrenwheat.net  Type: A
DNS familywheat.net  Type: A
DNS childrenanger.net  Type: A
DNS familyanger.net  Type: A
DNS childrenalways.net  Type: A
DNS familyalways.net  Type: A
DNS childrenforest.net  Type: A
DNS familyforest.net  Type: A
DNS eitherwheat.net  Type: A
DNS englishwheat.net  Type: A
DNS eitheranger.net  Type: A
DNS englishanger.net  Type: A
DNS eitheralways.net  Type: A
DNS englishalways.net  Type: A
DNS eitherforest.net  Type: A
DNS expectschool.net  Type: A
DNS becauseschool.net  Type: A
DNS expectwhile.net  Type: A
DNS becausewhile.net  Type: A
DNS expectquestion.net  Type: A
DNS becausequestion.net  Type: A
DNS expecttherefore.net  Type: A
DNS becausetherefore.net  Type: A
DNS machineschool.net  Type: A
DNS personwhile.net  Type: A
DNS machinewhile.net  Type: A
DNS personquestion.net  Type: A
DNS machinequestion.net  Type: A
DNS persontherefore.net  Type: A
DNS machinetherefore.net  Type: A
DNS suddenschool.net  Type: A
DNS foreignschool.net  Type: A
DNS suddenwhile.net  Type: A
DNS foreignwhile.net  Type: A
DNS suddenquestion.net  Type: A
DNS foreignquestion.net  Type: A
DNS suddentherefore.net  Type: A
DNS foreigntherefore.net  Type: A
DNS whetherschool.net  Type: A
DNS whetherwhile.net  Type: A
DNS rightwhile.net  Type: A
DNS whetherquestion.net  Type: A
DNS whethertherefore.net  Type: A
DNS righttherefore.net  Type: A
DNS figureschool.net  Type: A
DNS thoughschool.net  Type: A
DNS figurewhile.net  Type: A
DNS thoughwhile.net  Type: A
DNS figurequestion.net  Type: A
DNS thoughquestion.net  Type: A
DNS figuretherefore.net  Type: A
DNS thoughtherefore.net  Type: A
DNS pictureschool.net  Type: A
HTTP GET http://whetherforest.net/index.php  User-Agent: (empty)
HTTP GET http://rightforest.net/index.php  User-Agent: (empty)
HTTP GET http://englishforest.net/index.php  User-Agent: (empty)
HTTP GET http://personschool.net/index.php  User-Agent: (empty)
HTTP GET http://rightschool.net/index.php  User-Agent: (empty)
HTTP GET http://rightquestion.net/index.php  User-Agent: (empty)
Flows TCP 192.168.1.1:1031 ➝ 95.211.230.75:80
Flows TCP 192.168.1.1:1032 ➝ 98.130.238.135:80
Flows TCP 192.168.1.1:1033 ➝ 59.188.232.88:80
Flows TCP 192.168.1.1:1034 ➝ 165.160.13.20:80
Flows TCP 192.168.1.1:1035 ➝ 82.144.197.54:80
Flows TCP 192.168.1.1:1036 ➝ 208.91.197.27:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   68657468 6572666f 72657374 2e6e6574   hetherforest.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69676874 666f7265 73742e6e 65740d0a   ightforest.net..
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   6e676c69 7368666f 72657374 2e6e6574   nglishforest.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   6572736f 6e736368 6f6f6c2e 6e65740d   ersonschool.net.
0x00000050 (00080)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69676874 7363686f 6f6c2e6e 65740d0a   ightschool.net..
0x00000050 (00080)   0d0a0a0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69676874 71756573 74696f6e 2e6e6574   ightquestion.net
0x00000050 (00080)   0d0a0d0a                              ....


Strings