Analysis Date: 2016-02-17 02:46:51
MD5: 6767f9441b2ec70b56bc85c41cd2e452
SHA1: 049233d0fe9731f7db9c60977b9f5fdf52600460

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 6e961c97b45850df3b121f8220979cfa sha1: 9483aaf84f468eba699c94cce6998cda46c6a5c8 size: 304640
Section .rdata md5: 1c3287125a189ec872407377fa1f44b9 sha1: c71d5370bb9eeeb694cb81a96ce388492eedbd16 size: 26112
Section .data  md5: 255e4d59a64745e9ba47b237e15f901e sha1: 47346baae0aa2fe6b744b996c678c8cd40c645f5 size: 20992
Section .reloc md5: 7f06c99e341d28444858207648a40c4b sha1: c46614b3a166504bae4459e69c38c022d4a3d6db size: 33280
Timestamp: 2014-02-17 21:33:35
Packer: Microsoft Visual C++ 8
PEhash: 2c5d878de15a03b6384b662a8fb969aa0b52a583
IMPhash: fb8acc7e0f23b37dac9eaeb28784f066
AV CA (E-Trust Ino): Gen:Variant.Razy.15381
AV Rising: No Virus
AV Mcafee: Trojan-FHSQ!6767F9441B2E
AV Avira (antivir): TR/Taranis.2084
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.15381
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.BJ
AV Grisoft (avg): Generic37.ALVP
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.BJ!tr
AV BitDefender: Gen:Variant.Razy.15381
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV MicroWorld (escan): Gen:Variant.Razy.15381
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.I.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.15381
AV Frisk (f-prot): W32/Nivdort.I.gen!Eldorado
AV Ikarus: Trojan.Inject
AV Zillya!: Trojan.SwizzorGen.Win32.1
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Gen:Variant.Razy.15381
AV Arcabit (arcavir): Gen:Variant.Razy.15381
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Razy.15381

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\cjtumqomh\qjsuz9bmm
Creates File: C:\cjtumqomh\lx1lp9phxvo96peu.exe
Creates File: C:\WINDOWS\cjtumqomh\qjsuz9bmm
Deletes File: C:\WINDOWS\cjtumqomh\qjsuz9bmm
Creates Process: C:\cjtumqomh\lx1lp9phxvo96peu.exe

Process
↳ C:\cjtumqomh\lx1lp9phxvo96peu.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Parental Foundation Shadow UPnP ➝ C:\cjtumqomh\aybtdpshmscp.exe
Creates File: C:\cjtumqomh\xhebdw
Creates File: C:\cjtumqomh\qjsuz9bmm
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\cjtumqomh\qjsuz9bmm
Creates File: C:\cjtumqomh\aybtdpshmscp.exe
Deletes File: C:\WINDOWS\cjtumqomh\qjsuz9bmm
Creates Process: C:\cjtumqomh\aybtdpshmscp.exe
Creates Service: Extensible Isolation Procedure Builder - C:\cjtumqomh\aybtdpshmscp.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1872

Process
↳ Pid 1148

Process
↳ C:\cjtumqomh\aybtdpshmscp.exe

Creates File: C:\cjtumqomh\xhebdw
Creates File: pipe\net\NtControlPipe10
Creates File: C:\cjtumqomh\qjsuz9bmm
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\cjtumqomh\qjsuz9bmm
Creates File: C:\cjtumqomh\pmjmnri
Creates File: C:\cjtumqomh\kdlsreognwuj.exe
Deletes File: C:\WINDOWS\cjtumqomh\qjsuz9bmm
Creates Process: tbdrhrdtkgl6 "c:\cjtumqomh\aybtdpshmscp.exe"

Process
↳ C:\cjtumqomh\aybtdpshmscp.exe

Creates File: C:\cjtumqomh\qjsuz9bmm
Creates File: C:\WINDOWS\cjtumqomh\qjsuz9bmm
Deletes File: C:\WINDOWS\cjtumqomh\qjsuz9bmm

Process
↳ tbdrhrdtkgl6 "c:\cjtumqomh\aybtdpshmscp.exe"

Creates File: C:\cjtumqomh\qjsuz9bmm
Creates File: C:\WINDOWS\cjtumqomh\qjsuz9bmm
Deletes File: C:\WINDOWS\cjtumqomh\qjsuz9bmm
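The persistence picture above is the one worth pulling out of the runtime log: the first dropped stage registers the second dropped binary (C:\cjtumqomh\aybtdpshmscp.exe) twice, once as a Run-key value ("Parental Foundation Shadow UPnP") and once as a service ("Extensible Isolation Procedure Builder"), both pointing into a random directory directly off the drive root. The script below is an added example, not part of the report or of any analysis tool; it parses report lines in the layout used here (the sample is copied from the two process blocks above and is a constructed subset) and flags autostart entries whose target was written during the same run outside the Windows and Program Files directories. The parser also accepts the fused "Creates FileC:\..." form in which such reports are often exported.

```python
"""Pull persistence IOCs out of per-process sandbox runtime lines (added example)."""
import re

# Constructed sample: runtime lines copied from the two dropped stages in the report above.
REPORT = r"""
Process
↳ C:\cjtumqomh\lx1lp9phxvo96peu.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Parental Foundation Shadow UPnP ➝
C:\cjtumqomh\aybtdpshmscp.exe
Creates File: C:\cjtumqomh\xhebdw
Creates File: PIPE\lsarpc
Creates File: C:\cjtumqomh\aybtdpshmscp.exe
Creates Process: C:\cjtumqomh\aybtdpshmscp.exe
Creates Service: Extensible Isolation Procedure Builder - C:\cjtumqomh\aybtdpshmscp.exe

Process
↳ C:\cjtumqomh\aybtdpshmscp.exe

Creates File: C:\cjtumqomh\pmjmnri
Creates File: C:\cjtumqomh\kdlsreognwuj.exe
Creates Process: tbdrhrdtkgl6 "c:\cjtumqomh\aybtdpshmscp.exe"
"""

# Kind followed by an optional ': '; the fused 'Creates FileC:\...' export layout also matches.
EVENT_RE = re.compile(r"^(Creates File|Deletes File|Creates Process|Creates Service|Registry):?\s*(.*)$")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")


def parse_events(text):
    """Return [(process, kind, detail)] from the report's per-process blocks.

    '↳ <image>' opens a block; a Registry line that ends in '➝' carries its value
    on the following line, exactly as the report prints it.
    """
    events, current = [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("↳"):
            current = line[1:].strip()
            continue
        m = EVENT_RE.match(line)
        if not m or current is None:
            continue
        kind, detail = m.groups()
        if detail.endswith("➝") and i < len(lines):
            detail += " " + lines[i].strip()
            i += 1
        events.append((current, kind, detail))
    return events


def dropped_executables(events):
    """Executables written during the run (candidate later stages)."""
    return sorted({d for _, k, d in events if k == "Creates File" and d.lower().endswith(".exe")})


def autostart_entries(events):
    """Run-key values and services created during the run, with the binary each points at."""
    dropped = {d.lower() for d in dropped_executables(events)}
    entries = []
    for proc, kind, detail in events:
        if kind == "Registry" and "\\currentversion\\run\\" in detail.lower() and "➝" in detail:
            key, _, value = detail.partition("➝")
            entries.append({"mechanism": "run_key", "name": key.strip().rsplit("\\", 1)[-1],
                            "target": value.strip(), "by": proc})
        elif kind == "Creates Service":
            name, _, binary = detail.rpartition(" - ")
            entries.append({"mechanism": "service", "name": name.strip(),
                            "target": binary.strip(), "by": proc})
    for e in entries:
        e["dropped_this_run"] = e["target"].lower() in dropped
        e["outside_system_dirs"] = not e["target"].lower().startswith(SYSTEM_DIRS)
    return entries


def suspicious_autostarts(events):
    """Autostart entries pointing at a binary this run dropped outside the system directories."""
    return [e for e in autostart_entries(events) if e["dropped_this_run"] and e["outside_system_dirs"]]


if __name__ == "__main__":
    ev = parse_events(REPORT)
    print("dropped:", *dropped_executables(ev), sep="\n  ")
    for e in suspicious_autostarts(ev):
        print(f"{e['mechanism']:8} {e['name']!r} -> {e['target']} (set by {e['by']})")
```

Run stand-alone it lists the two dropped executables and both autostart entries for aybtdpshmscp.exe. The same two conditions (target written in this run, target outside system directories) are what a host-side rule on Run-key and service creation events would key on; the human-readable names the sample chose for them are random word salad and are not stable indicators.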

Network Details:

DNS: figureopinion.net (A) ➝ 195.22.28.196, 195.22.28.197, 195.22.28.198, 195.22.28.199
DNS: childrenshould.net (A) ➝ 208.100.26.234
DNS: familypromise.net (A) ➝ 45.55.234.230
DNS: foreignoffice.net (A) ➝ 141.8.225.124
DNS: foreignarrive.net (A) ➝ 195.22.28.199, 195.22.28.196, 195.22.28.197, 195.22.28.198
DNS: familyoffice.net (A) ➝ 208.91.197.27
DNS: expectpresident.net (A) ➝ 208.100.26.234
DNS: cigarettepresident.net (A) ➝ 195.22.28.198, 195.22.28.199, 195.22.28.196, 195.22.28.197
DNS: childrenstrong.net (A) ➝ 50.63.202.52
DNS: familystrong.net (A) ➝ 104.193.182.229
DNS: rightshould.net (A)
DNS: whethershort.net (A)
DNS: rightshort.net (A)
DNS: whetheropinion.net (A)
DNS: rightopinion.net (A)
DNS: whetherpromise.net (A)
DNS: rightpromise.net (A)
DNS: figureshould.net (A)
DNS: thoughshould.net (A)
DNS: figureshort.net (A)
DNS: thoughshort.net (A)
DNS: thoughopinion.net (A)
DNS: figurepromise.net (A)
DNS: thoughpromise.net (A)
DNS: pictureshould.net (A)
DNS: cigaretteshould.net (A)
DNS: pictureshort.net (A)
DNS: cigaretteshort.net (A)
DNS: pictureopinion.net (A)
DNS: cigaretteopinion.net (A)
DNS: picturepromise.net (A)
DNS: cigarettepromise.net (A)
DNS: familyshould.net (A)
DNS: childrenshort.net (A)
DNS: familyshort.net (A)
DNS: childrenopinion.net (A)
DNS: familyopinion.net (A)
DNS: childrenpromise.net (A)
DNS: eithershould.net (A)
DNS: englishshould.net (A)
DNS: eithershort.net (A)
DNS: englishshort.net (A)
DNS: eitheropinion.net (A)
DNS: englishopinion.net (A)
DNS: eitherpromise.net (A)
DNS: englishpromise.net (A)
DNS: expectsupply.net (A)
DNS: becausesupply.net (A)
DNS: expectdistance.net (A)
DNS: becausedistance.net (A)
DNS: expectoffice.net (A)
DNS: becauseoffice.net (A)
DNS: expectarrive.net (A)
DNS: becausearrive.net (A)
DNS: personsupply.net (A)
DNS: machinesupply.net (A)
DNS: persondistance.net (A)
DNS: machinedistance.net (A)
DNS: personoffice.net (A)
DNS: machineoffice.net (A)
DNS: personarrive.net (A)
DNS: machinearrive.net (A)
DNS: suddensupply.net (A)
DNS: foreignsupply.net (A)
DNS: suddendistance.net (A)
DNS: foreigndistance.net (A)
DNS: suddenoffice.net (A)
DNS: suddenarrive.net (A)
DNS: whethersupply.net (A)
DNS: rightsupply.net (A)
DNS: whetherdistance.net (A)
DNS: rightdistance.net (A)
DNS: whetheroffice.net (A)
DNS: rightoffice.net (A)
DNS: whetherarrive.net (A)
DNS: rightarrive.net (A)
DNS: figuresupply.net (A)
DNS: thoughsupply.net (A)
DNS: figuredistance.net (A)
DNS: thoughdistance.net (A)
DNS: figureoffice.net (A)
DNS: thoughoffice.net (A)
DNS: figurearrive.net (A)
DNS: thougharrive.net (A)
DNS: picturesupply.net (A)
DNS: cigarettesupply.net (A)
DNS: picturedistance.net (A)
DNS: cigarettedistance.net (A)
DNS: pictureoffice.net (A)
DNS: cigaretteoffice.net (A)
DNS: picturearrive.net (A)
DNS: cigarettearrive.net (A)
DNS: childrensupply.net (A)
DNS: familysupply.net (A)
DNS: childrendistance.net (A)
DNS: familydistance.net (A)
DNS: childrenoffice.net (A)
DNS: childrenarrive.net (A)
DNS: familyarrive.net (A)
DNS: eithersupply.net (A)
DNS: englishsupply.net (A)
DNS: eitherdistance.net (A)
DNS: englishdistance.net (A)
DNS: eitheroffice.net (A)
DNS: englishoffice.net (A)
DNS: eitherarrive.net (A)
DNS: englisharrive.net (A)
DNS: expectstrong.net (A)
DNS: becausestrong.net (A)
DNS: expecttrouble.net (A)
DNS: becausetrouble.net (A)
DNS: becausepresident.net (A)
DNS: expectcaught.net (A)
DNS: becausecaught.net (A)
DNS: personstrong.net (A)
DNS: machinestrong.net (A)
DNS: persontrouble.net (A)
DNS: machinetrouble.net (A)
DNS: personpresident.net (A)
DNS: machinepresident.net (A)
DNS: personcaught.net (A)
DNS: machinecaught.net (A)
DNS: suddenstrong.net (A)
DNS: foreignstrong.net (A)
DNS: suddentrouble.net (A)
DNS: foreigntrouble.net (A)
DNS: suddenpresident.net (A)
DNS: foreignpresident.net (A)
DNS: suddencaught.net (A)
DNS: foreigncaught.net (A)
DNS: whetherstrong.net (A)
DNS: rightstrong.net (A)
DNS: whethertrouble.net (A)
DNS: righttrouble.net (A)
DNS: whetherpresident.net (A)
DNS: rightpresident.net (A)
DNS: whethercaught.net (A)
DNS: rightcaught.net (A)
DNS: figurestrong.net (A)
DNS: thoughstrong.net (A)
DNS: figuretrouble.net (A)
DNS: thoughtrouble.net (A)
DNS: figurepresident.net (A)
DNS: thoughpresident.net (A)
DNS: figurecaught.net (A)
DNS: thoughcaught.net (A)
DNS: picturestrong.net (A)
DNS: cigarettestrong.net (A)
DNS: picturetrouble.net (A)
DNS: cigarettetrouble.net (A)
DNS: picturepresident.net (A)
DNS: picturecaught.net (A)
DNS: cigarettecaught.net (A)
DNS: childrentrouble.net (A)
DNS: familytrouble.net (A)
DNS: childrenpresident.net (A)
DNS: familypresident.net (A)
DNS: childrencaught.net (A)
DNS: familycaught.net (A)
DNS: eitherstrong.net (A)
DNS: englishstrong.net (A)
DNS: eithertrouble.net (A)
DNS: englishtrouble.net (A)
DNS: eitherpresident.net (A)
DNS: englishpresident.net (A)
DNS: eithercaught.net (A)
DNS: englishcaught.net (A)
DNS: expectcontinue.net (A)
DNS: becausecontinue.net (A)
DNS: expectmaster.net (A)
HTTP GET: http://figureopinion.net/index.php (User-Agent: none)
HTTP GET: http://childrenshould.net/index.php (User-Agent: none)
HTTP GET: http://familypromise.net/index.php (User-Agent: none)
HTTP GET: http://foreignoffice.net/index.php (User-Agent: none)
HTTP GET: http://foreignarrive.net/index.php (User-Agent: none)
HTTP GET: http://familyoffice.net/index.php (User-Agent: none)
HTTP GET: http://expectpresident.net/index.php (User-Agent: none)
HTTP GET: http://cigarettepresident.net/index.php (User-Agent: none)
HTTP GET: http://childrenstrong.net/index.php (User-Agent: none)
HTTP GET: http://familystrong.net/index.php (User-Agent: none)
Flows TCP: 192.168.1.1:1031 ➝ 195.22.28.196:80
Flows TCP: 192.168.1.1:1032 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1033 ➝ 45.55.234.230:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.124:80
Flows TCP: 192.168.1.1:1035 ➝ 195.22.28.199:80
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1037 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1038 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1039 ➝ 50.63.202.52:80
Flows TCP: 192.168.1.1:1040 ➝ 104.193.182.229:80
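Every name the sample looks up is two English words glued together in front of .net, drawn from a small first-position list (figure, children, family, ...) and a small second-position list (opinion, should, promise, ...), and only a handful of the roughly 180 queries got an answer. The script below is an added example, not part of the report; it recovers both word lists from the observed names alone, without a dictionary, by scoring every split of each label by how often its two halves recur as a prefix and suffix across the set, and it groups the answered names by address so shared hosting stands out (195.22.28.196-199 and 208.100.26.234 each answer for more than one name). The label set and the resolutions are a subset copied from the lists above and are constructed sample data. The addresses show what those names resolved to on the analysis date, not necessarily attacker infrastructure, so they should be treated as context rather than blocklist entries.

```python
"""Recover the word lists behind a two-word DGA from observed queries (added example)."""
from collections import Counter, defaultdict

# Constructed sample: a subset of the second-level labels queried in the report above.
QUERIED = """
figureopinion childrenshould familypromise foreignoffice foreignarrive familyoffice
expectpresident cigarettepresident childrenstrong familystrong rightshould whethershort
rightshort whetheropinion rightopinion whetherpromise rightpromise figureshould thoughshould
figureshort thoughshort thoughopinion figurepromise thoughpromise pictureshould cigaretteshould
pictureshort cigaretteshort expectsupply becausesupply persondistance machinedistance
suddenoffice foreignsupply becausedistance personsupply machineoffice suddenarrive
childrenopinion pictureopinion suddenstrong expectarrive
""".split()

# Constructed sample: the queries that received A records, as listed in the report.
RESOLVED = {
    "figureopinion": ["195.22.28.196", "195.22.28.197", "195.22.28.198", "195.22.28.199"],
    "childrenshould": ["208.100.26.234"],
    "familypromise": ["45.55.234.230"],
    "foreignoffice": ["141.8.225.124"],
    "foreignarrive": ["195.22.28.199", "195.22.28.196", "195.22.28.197", "195.22.28.198"],
    "familyoffice": ["208.91.197.27"],
    "expectpresident": ["208.100.26.234"],
    "cigarettepresident": ["195.22.28.198", "195.22.28.199", "195.22.28.196", "195.22.28.197"],
    "childrenstrong": ["50.63.202.52"],
    "familystrong": ["104.193.182.229"],
}

MIN_PART = 3  # shortest word accepted on either side of a split


def _affix_counts(labels):
    """How many labels start with each candidate prefix / end with each candidate suffix."""
    prefixes, suffixes = Counter(), Counter()
    for label in labels:
        for i in range(MIN_PART, len(label) - MIN_PART + 1):
            prefixes[label[:i]] += 1
            suffixes[label[i:]] += 1
    return prefixes, suffixes


def split_labels(labels):
    """Return {label: (first, second)} for labels that split into two recurring words.

    A split is accepted only if both halves occur in at least two labels. Among the
    candidates the product of the two frequencies wins: it prefers the balanced
    'figure' + 'opinion' over lopsided splits such as 'fig' + 'ureopinion', whose
    long half occurs once. The sum breaks ties.
    """
    prefixes, suffixes = _affix_counts(labels)
    result = {}
    for label in labels:
        best, best_score = None, (0, 0)
        for i in range(MIN_PART, len(label) - MIN_PART + 1):
            p, s = label[:i], label[i:]
            if prefixes[p] < 2 or suffixes[s] < 2:
                continue
            score = (prefixes[p] * suffixes[s], prefixes[p] + suffixes[s])
            if score > best_score:
                best, best_score = (p, s), score
        if best:
            result[label] = best
    return result


def vocabulary(labels):
    """(first-position words, second-position words) recovered from the splits."""
    splits = split_labels(labels)
    return (sorted({p for p, _ in splits.values()}),
            sorted({s for _, s in splits.values()}))


def unsplit(labels):
    """Labels that do not fit the two-word pattern; worth a manual look."""
    return sorted(set(labels) - set(split_labels(labels)))


def shared_infrastructure(resolved):
    """Addresses that answered for more than one name, with the names behind each."""
    by_ip = defaultdict(set)
    for label, ips in resolved.items():
        for ip in ips:
            by_ip[ip].add(label + ".net")
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    first, second = vocabulary(QUERIED)
    print(f"{len(QUERIED)} labels -> {len(first)} first words x {len(second)} second words")
    print("first :", " ".join(first))
    print("second:", " ".join(second))
    print("unsplit:", unsplit(QUERIED) or "none")
    for ip, names in sorted(shared_infrastructure(RESOLVED).items()):
        print(f"{ip:16} {', '.join(names)}")
```

On this subset it recovers 14 first-position and 10 second-position words with nothing left over; the cross product of those lists is the candidate namespace the sample can walk through, which is what makes the unanswered queries above, not the ten that resolved, the durable signal. The frequency-based split needs the set to contain each word in more than one label, so run it over the full query log of a sandbox run rather than a handful of names.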

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   69677572 656f7069 6e696f6e 2e6e6574   igureopinion.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   68696c64 72656e73 686f756c 642e6e65   hildrenshould.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   616d696c 7970726f 6d697365 2e6e6574   amilypromise.net
0x00000050 (00080)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   6f726569 676e6f66 66696365 2e6e6574   oreignoffice.net
0x00000050 (00080)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   6f726569 676e6172 72697665 2e6e6574   oreignarrive.net
0x00000050 (00080)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   616d696c 796f6666 6963652e 6e65740d   amilyoffice.net.
0x00000050 (00080)   0a0d0a0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   78706563 74707265 73696465 6e742e6e   xpectpresident.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   69676172 65747465 70726573 6964656e   igarettepresiden
0x00000050 (00080)   742e6e65 740d0a0d 0a                  t.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   68696c64 72656e73 74726f6e 672e6e65   hildrenstrong.ne
0x00000050 (00080)   740d0a0d 0a0d0a0d 0a                  t........

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   616d696c 79737472 6f6e672e 6e65740d   amilystrong.net.
0x00000050 (00080)   0a0d0a0d 0a0d0a0d 0a                  .........
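The raw requests above are the most usable network indicator in the report: every check-in is an HTTP/1.0 GET for /index.php carrying exactly three headers (Accept: */*, Connection: close, Host) and no User-Agent at all, which is why the HTTP GET summary shows that field blank. The script below is an added example, not part of the report; it rebuilds the bytes from the hex-dump layout used in the Raw Pcap section (assuming the three columns are separated by runs of two or more spaces, as they are above), parses the request, and scores the traits that distinguish this beacon from browser traffic. The embedded dump is the first request, copied from the report as constructed sample input.

```python
"""Rebuild the check-in request from the Raw Pcap hex dump and score its traits (added example)."""
import re

# Constructed sample: the first request from the Raw Pcap section, in the report's dump layout.
DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   69677572 656f7069 6e696f6e 2e6e6574   igureopinion.net
0x00000050 (00080)   0d0a0d0a                              ....
"""


def parse_dump(text):
    """Rebuild raw bytes from the '<offset> (<decimal>)   <hex groups>   <ascii>' layout.

    The three columns are separated by runs of two or more spaces (an assumption about
    this dump format), so splitting on those isolates the hex column even when the
    ASCII column happens to contain hex-looking characters.
    """
    data = bytearray()
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue
        columns = re.split(r"\s{2,}", line.strip())
        data += bytes.fromhex(columns[1].replace(" ", ""))
    return bytes(data)


def parse_request(raw):
    """Split an HTTP request into request-line fields, a lower-cased header map and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers, "body": body}


def beacon_traits(req):
    """Traits of this sample's check-in; each is True when the request matches."""
    h = req["headers"]
    host = h.get("host", "")
    return {
        "get_index_php": req["method"] == "GET" and req["target"] == "/index.php",
        "http_1_0": req["version"] == "HTTP/1.0",
        "no_user_agent": "user-agent" not in h,
        "accept_any": h.get("accept") == "*/*",
        "connection_close": h.get("connection", "").lower() == "close",
        "bare_net_host": bool(re.fullmatch(r"[a-z]+\.net", host)),
        "minimal_header_set": set(h) == {"accept", "connection", "host"},
    }


def is_beacon(req):
    """A request matching every trait is the check-in pattern seen in this report."""
    return all(beacon_traits(req).values())


if __name__ == "__main__":
    request = parse_request(parse_dump(DUMP))
    for trait, hit in beacon_traits(request).items():
        print(f"[{'x' if hit else ' '}] {trait}")
    print("beacon:", is_beacon(request))
```

No single trait is unusual on its own (HTTP/1.0 and an empty User-Agent both occur in legitimate tooling), so a proxy or IDS rule built from this should require the combination: the fixed path, the protocol version, the absent User-Agent and the three-header set together. The /index.php target and the empty body also mean any data the client sends must ride in the response side of the exchange, which the report does not capture.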


Strings