Analysis Date: 2015-09-28 04:03:13
MD5: f01a011e8fee43edc9db9a25e4a8cd28
SHA1: 033b34530aa957b5ce624c858a06ccd1108cefb7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 8ed325dca47099d79534c1c501847180 sha1: 197ba17008b50c816a4ab179da17a62b22967e55 size: 296960
Section .rdata: md5: e1351ef9e8fca9f97c1a0abdc9481c38 sha1: 190c062e63e0e9200216111fcdda894e12157b77 size: 57856
Section .data: md5: c46c06341cfe74b66ef04425170cec6a sha1: de3458abd9c2a15043e5348afd44bd9a10bceca6 size: 7680
Section .reloc: md5: a7ab42b5ebe09d8db277edca9d26f7bf sha1: e5d796b8ba72858d132734e98998d588faec9fcf size: 22016
Timestamp: 2015-05-11 06:58:05
Packer: Microsoft Visual C++ 8
PEhash: 577dd1e34c5af4b2dbc588975d0b9e5100b8a55b
IMPhash: 06acc8d9247531071c137d6206c7b6c3
AV Rising: Trojan.Win32.Bayrod.b
AV Mcafee: PWS-FCCE!F01A011E8FEE
AV Avira (antivir): TR/Kryptik.qgmqe
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Diley.1
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): Win32/Bayrob.V.gen
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Bayrob.T!tr
AV BitDefender: Gen:Variant.Diley.1
AV K7: Trojan ( 004c3a4d1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AL
AV MicroWorld (escan): Gen:Variant.Diley.1
AV MalwareBytes: Trojan.Agent.KVTGen
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Diley.1
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Diley.1
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV F-Secure: Gen:Variant.Diley.1
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\lgnhvmv\y01m7xqys22feryoni.exe
Creates File: C:\WINDOWS\lgnhvmv\vpctoox
Creates File: C:\lgnhvmv\vpctoox
Deletes File: C:\WINDOWS\lgnhvmv\vpctoox
Creates Process: C:\lgnhvmv\y01m7xqys22feryoni.exe

Process
↳ C:\lgnhvmv\y01m7xqys22feryoni.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SNMP VC AuthIP User-mode Solutions ➝ C:\lgnhvmv\cnazkzotkg.exe
Creates File: C:\lgnhvmv\cnazkzotkg.exe
Creates File: PIPE\lsarpc
Creates File: C:\lgnhvmv\afobt5zice
Creates File: C:\WINDOWS\lgnhvmv\vpctoox
Creates File: C:\lgnhvmv\vpctoox
Deletes File: C:\WINDOWS\lgnhvmv\vpctoox
Creates Process: C:\lgnhvmv\cnazkzotkg.exe
Creates Service: Service Superfetch Socket - C:\lgnhvmv\cnazkzotkg.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1876

Process
↳ Pid 1140

Process
↳ C:\lgnhvmv\cnazkzotkg.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\lgnhvmv\wtrzjg
Creates File: \Device\Afd\Endpoint
Creates File: C:\lgnhvmv\afobt5zice
Creates File: C:\WINDOWS\lgnhvmv\vpctoox
Creates File: C:\lgnhvmv\yaiglqewtqap.exe
Creates File: C:\lgnhvmv\vpctoox
Deletes File: C:\WINDOWS\lgnhvmv\vpctoox
Creates Process: sinfly2boaph "c:\lgnhvmv\cnazkzotkg.exe"

Process
↳ C:\lgnhvmv\cnazkzotkg.exe

Creates File: C:\WINDOWS\lgnhvmv\vpctoox
Creates File: C:\lgnhvmv\vpctoox
Deletes File: C:\WINDOWS\lgnhvmv\vpctoox

Process
↳ sinfly2boaph "c:\lgnhvmv\cnazkzotkg.exe"

Creates File: C:\WINDOWS\lgnhvmv\vpctoox
Creates File: C:\lgnhvmv\vpctoox
Deletes File: C:\WINDOWS\lgnhvmv\vpctoox

Network Details:

DNS: rememberforever.net (Type: A) ➝ 188.40.1.55
DNS: littleflower.net (Type: A) ➝ 62.116.130.8
DNS: littleminute.net (Type: A) ➝ 74.220.199.8
DNS: increasebottom.net (Type: A)
DNS: wouldbeyond.net (Type: A)
DNS: rememberbeyond.net (Type: A)
DNS: wouldbeing.net (Type: A)
DNS: rememberbeing.net (Type: A)
DNS: wouldforever.net (Type: A)
DNS: wouldbottom.net (Type: A)
DNS: rememberbottom.net (Type: A)
DNS: journeyflower.net (Type: A)
DNS: husbandflower.net (Type: A)
DNS: journeyminute.net (Type: A)
DNS: husbandminute.net (Type: A)
DNS: journeyspecial.net (Type: A)
DNS: husbandspecial.net (Type: A)
DNS: journeycorner.net (Type: A)
DNS: husbandcorner.net (Type: A)
DNS: destroyflower.net (Type: A)
DNS: destroyminute.net (Type: A)
DNS: destroyspecial.net (Type: A)
DNS: littlespecial.net (Type: A)
DNS: destroycorner.net (Type: A)
DNS: littlecorner.net (Type: A)
DNS: riddenflower.net (Type: A)
DNS: belongflower.net (Type: A)
DNS: riddenminute.net (Type: A)
DNS: belongminute.net (Type: A)
DNS: riddenspecial.net (Type: A)
DNS: belongspecial.net (Type: A)
DNS: riddencorner.net (Type: A)
DNS: belongcorner.net (Type: A)
DNS: chairflower.net (Type: A)
DNS: thoseflower.net (Type: A)
DNS: chairminute.net (Type: A)
DNS: thoseminute.net (Type: A)
DNS: chairspecial.net (Type: A)
DNS: thosespecial.net (Type: A)
DNS: chaircorner.net (Type: A)
DNS: thosecorner.net (Type: A)
DNS: withinflower.net (Type: A)
DNS: sufferflower.net (Type: A)
DNS: withinminute.net (Type: A)
DNS: sufferminute.net (Type: A)
DNS: withinspecial.net (Type: A)
DNS: sufferspecial.net (Type: A)
DNS: withincorner.net (Type: A)
DNS: suffercorner.net (Type: A)
DNS: effortflower.net (Type: A)
DNS: throughflower.net (Type: A)
DNS: effortminute.net (Type: A)
DNS: throughminute.net (Type: A)
DNS: effortspecial.net (Type: A)
DNS: throughspecial.net (Type: A)
DNS: effortcorner.net (Type: A)
DNS: throughcorner.net (Type: A)
DNS: forgetflower.net (Type: A)
DNS: increaseflower.net (Type: A)
DNS: forgetminute.net (Type: A)
DNS: increaseminute.net (Type: A)
DNS: forgetspecial.net (Type: A)
DNS: increasespecial.net (Type: A)
DNS: forgetcorner.net (Type: A)
DNS: increasecorner.net (Type: A)
DNS: wouldflower.net (Type: A)
DNS: rememberflower.net (Type: A)
DNS: wouldminute.net (Type: A)
DNS: rememberminute.net (Type: A)
DNS: wouldspecial.net (Type: A)
DNS: rememberspecial.net (Type: A)
DNS: wouldcorner.net (Type: A)
DNS: remembercorner.net (Type: A)
DNS: journeyadvance.net (Type: A)
DNS: husbandadvance.net (Type: A)
DNS: journeystranger.net (Type: A)
DNS: husbandstranger.net (Type: A)
DNS: journeygoodbye.net (Type: A)
DNS: husbandgoodbye.net (Type: A)
DNS: journeyfortieth.net (Type: A)
DNS: husbandfortieth.net (Type: A)
DNS: destroyadvance.net (Type: A)
DNS: littleadvance.net (Type: A)
DNS: destroystranger.net (Type: A)
DNS: littlestranger.net (Type: A)
HTTP GET: http://rememberforever.net/index.php
User-Agent:
HTTP GET: http://littleflower.net/index.php
User-Agent:
HTTP GET: http://littleminute.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 188.40.1.55:80
Flows TCP: 192.168.1.1:1032 ➝ 62.116.130.8:80
Flows TCP: 192.168.1.1:1033 ➝ 74.220.199.8:80