Analysis Date: 2015-10-30 11:40:48
MD5: 58cb7ae8d68b669dc0ffd9fb29f3b29e
SHA1: 0cd7089a750b8c1840993a0cf28dbc7595c2af83

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: e2e1cafe299a77ecd6d78d46007e0110 sha1: 77ae9e7b2f8e69cc1b6803a9c4381a4228de16cd size: 1269760
Section .rdata md5: 7cb9b4b86f7097dc7394aa64cf5891a6 sha1: a8017113d6b48e57a47ea1e199ff8351a6b14de4 size: 322560
Section .data  md5: 3e1824a0697b348e65d70d7a6960962a sha1: 0f646425bd8d03ac64c861c1abda5fa4871302d3 size: 7680
Section .reloc md5: 2a743dfa4e8dedcb7f59bdb8865d2596 sha1: d0f88ccbb228f90f5e9f02b6d02d4c6b0bd24e9b size: 168448
Timestamp: 2015-05-11 04:40:12 (PE header compile timestamp as stored in the file; it is attacker-controlled and not a reliable build date)
Packer: VC8 -> Microsoft Corporation (this is a compiler signature for Visual C++ 2005, not a packer; no packer is identified, and the standard .text/.rdata/.data/.reloc layout is consistent with an unpacked MSVC build)
PEhash: 59b36d901c90c4e9c7f4dbbf546b9d375094418f
IMPhash: 7c379063f58c6e4f013dac3b6501fb76
AV results (20 of the 31 engines below flag the sample; the family-specific names are Nivdort and Bayrob, the rest are generic or heuristic labels):
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV McAfee: Trojan-FGIJ!58CB7AE8D68B
AV Avira (antivir): TR/AD.Nivdort.M.59
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Kazy.611782
AV Alwil (avast): Dropper-OJQ [Drp]
AV Eset (nod32): Win32/Bayrob.Y
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Bayrob.X!tr
AV BitDefender: Gen:Variant.Kazy.611782
AV K7: Trojan ( 004c77f41 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BN
AV MicroWorld (escan): Gen:Variant.Kazy.611782
AV MalwareBytes: no_virus
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Kazy.611782
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.611782
AV Arcabit (arcavir): Gen:Variant.Kazy.611782
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.5
AV F-Secure: Gen:Variant.Kazy.611782

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\lum3no1lqkch4qytzgxqy2r.exe
Creates File: C:\WINDOWS\system32\hdnruivlcgtu\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\lum3no1lqkch4qytzgxqy2r.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\lum3no1lqkch4qytzgxqy2r.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Shadow Portable Card Cache HomeGroup ➝ C:\WINDOWS\system32\yxocjyqwunc.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\yxocjyqwunc.exe
Creates File: C:\WINDOWS\system32\hdnruivlcgtu\etc
Creates File: C:\WINDOWS\system32\hdnruivlcgtu\lck
Creates File: C:\WINDOWS\system32\hdnruivlcgtu\tst
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts (path reproduced as the sandbox logged it, doubled backslash included; this process both writes and deletes the hosts file, so its contents on an infected machine must be checked, not assumed intact)
Creates Process: C:\WINDOWS\system32\yxocjyqwunc.exe
Creates Service: Cryptographic WebClient Service Control - C:\WINDOWS\system32\yxocjyqwunc.exe (the same binary the Run key points at, so the sample installs two independent persistence mechanisms; removing only one leaves it resident)

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
(WMI housekeeping inside svchost.exe; this report gives no link between these events and the sample, so treat them as ordinary sandbox background activity rather than indicators)

Process
↳ Pid 1120

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\ (trailing \x00 as logged)
(print spooler start-up registry reads; like the svchost.exe entries, nothing in this report ties them to the sample)

Process
↳ Pid 1864

Process
↳ Pid 1152

Process
↳ C:\WINDOWS\system32\yxocjyqwunc.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1 (suppresses the Security Center notification that would tell the user the firewall is off)
Creates File: C:\WINDOWS\system32\hdnruivlcgtu\rng
Creates File: C:\WINDOWS\system32\hdnruivlcgtu\tst
Creates File: C:\WINDOWS\system32\tlismcavnw.exe
Creates File: pipe\net\NtControlPipe10 (service control manager pipe, consistent with this binary now running as the service registered above)
Creates File: C:\WINDOWS\system32\hdnruivlcgtu\run
Creates File: C:\WINDOWS\system32\hdnruivlcgtu\cfg
Creates File: C:\WINDOWS\TEMP\lum3no1t4mch4qy.exe
Creates File: C:\WINDOWS\system32\hdnruivlcgtu\lck
Creates File: \Device\Afd\Endpoint (a socket)
Creates Process: C:\WINDOWS\TEMP\lum3no1t4mch4qy.exe -r 22738 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\yxocjyqwunc.exe" (a second copy of the main binary launched with a watchdog argument; judging by the name it exists to restart the primary instance if it is killed, so both must be stopped together)

Process
↳ C:\WINDOWS\system32\yxocjyqwunc.exe

Creates File: C:\WINDOWS\system32\hdnruivlcgtu\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\yxocjyqwunc.exe"

Creates File: C:\WINDOWS\system32\hdnruivlcgtu\tst

Process
↳ C:\WINDOWS\TEMP\lum3no1t4mch4qy.exe -r 22738 tcp

Creates File: \Device\Afd\Endpoint (a socket)
Winsock DNS: 239.255.255.250 (this is the SSDP multicast address, not a DNS server; combined with the "-r 22738 tcp" arguments this helper is most plausibly doing UPnP discovery to have the gateway forward TCP 22738 to the host. That reading is an inference from the address and the command line, since the report does not show the SSDP payload)
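The runtime section above is a flat list of glued "Key<value>" lines grouped under process headers, with a registry value continuing on the line after the arrow. The following parser, written as an added example for this page and not part of the sandbox's own tooling, turns those lines into a per-process IOC structure and then picks out the items a responder should act on first: the Run key, the service, the hosts-file write, the FirewallDisableNotify change and the watchdog launch. The sample input is copied from the report above; the category labels in triage() are this example's own naming.

```python
"""Parse glued sandbox 'Runtime Details' lines into per-process IOCs and triage them."""

# Constructed input: lines copied verbatim from the report above, in the page's
# glued "Key<value>" form. Registry values continue on the following line.
SAMPLE = r"""Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\lum3no1lqkch4qytzgxqy2r.exe
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\lum3no1lqkch4qytzgxqy2r.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\lum3no1lqkch4qytzgxqy2r.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Shadow Portable Card Cache HomeGroup ➝
C:\WINDOWS\system32\yxocjyqwunc.exe
Creates FileC:\WINDOWS\system32\drivers\etc\hosts
Creates FileC:\WINDOWS\system32\yxocjyqwunc.exe
Deletes FileC:\WINDOWS\system32\\drivers\etc\hosts
Creates ServiceCryptographic WebClient Service Control - C:\WINDOWS\system32\yxocjyqwunc.exe

Process
↳ C:\WINDOWS\system32\yxocjyqwunc.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝
1
Creates FileC:\WINDOWS\TEMP\lum3no1t4mch4qy.exe
Creates ProcessC:\WINDOWS\TEMP\lum3no1t4mch4qy.exe -r 22738 tcp
Creates ProcessWATCHDOGPROC "c:\windows\system32\yxocjyqwunc.exe"
"""

# Event keys as they appear glued to their values on the page.
KEYS = ("Creates File", "Deletes File", "Creates Process", "Creates Service", "Registry")


def parse_runtime(text):
    """Return {process_path: {key: [values]}}; Registry values are (name, data) tuples."""
    events, current, pending = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if pending is not None:                      # data line following "name ➝"
            key, name = pending
            events[current].setdefault(key, []).append((name, line))
            pending = None
            continue
        if line.startswith("↳ "):                    # process header
            current = line[2:]
            events.setdefault(current, {})
            continue
        if line == "Process":
            continue
        for key in KEYS:
            if line.startswith(key):
                value = line[len(key):]
                if key == "Registry" and value.endswith("➝"):
                    pending = (key, value[:-1].strip())
                else:
                    events[current].setdefault(key, []).append(value)
                break
    return events


def triage(events):
    """Flag persistence, tampering and evasion artifacts as (category, process, detail)."""
    findings = []
    for proc, ev in events.items():
        for name, data in ev.get("Registry", []):
            if "\\CurrentVersion\\Run\\" in name:
                findings.append(("persistence:run-key", proc, f"{name} = {data}"))
            if name.endswith("FirewallDisableNotify") and data == "1":
                findings.append(("evasion:firewall-notify-off", proc, name))
        for svc in ev.get("Creates Service", []):
            findings.append(("persistence:service", proc, svc))
        if any(p.endswith(r"\drivers\etc\hosts") for p in ev.get("Creates File", [])):
            findings.append(("tamper:hosts-file", proc, "hosts file written by this process"))
        for cmd in ev.get("Creates Process", []):
            if cmd.startswith("WATCHDOGPROC"):
                findings.append(("persistence:watchdog", proc, cmd))
    return findings


if __name__ == "__main__":
    for category, proc, detail in triage(parse_runtime(SAMPLE)):
        print(f"{category:30} {proc}\n{'':30} {detail}")
```

The point of keeping the process attribution is that the report's persistence lives in two places set up by two different processes (the dropped Temp executable writes the Run key and service; the system32 copy sets the firewall flag and spawns the watchdog), and a cleanup that only looks at the originally submitted file misses all of it.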

Network Details:

DNS queries (all type A; the first 25 names resolved, the remaining 77 returned no address; ten of the resolved names share 208.91.197.241):
DNS recordsoldier.net ➝ 208.91.197.241
DNS fliersurprise.net ➝ 208.91.197.241
DNS historybright.net ➝ 208.91.197.241
DNS chiefsoldier.net ➝ 208.91.197.241
DNS classsurprise.net ➝ 208.91.197.241
DNS thosecontinue.net ➝ 208.91.197.241
DNS throughcontain.net ➝ 208.91.197.241
DNS belongguard.net ➝ 208.91.197.241
DNS maybellinethaddeus.net ➝ 208.91.197.241
DNS kimberleyshavonne.net ➝ 208.91.197.241
DNS naildeep.com ➝ 74.220.215.218
DNS riddenstorm.net ➝ 66.147.240.171
DNS destroystorm.net ➝ 216.239.138.86
DNS whichfish.net ➝ 184.168.221.62
DNS saltfish.net ➝ 206.130.110.212
DNS gladfish.net ➝ 50.63.202.30
DNS groupfish.net ➝ 184.168.221.47
DNS fairlady.net ➝ 69.172.201.208
DNS fairfish.net ➝ 5.226.149.110
DNS dreamwing.net ➝ 49.212.198.17
DNS dreamlady.net ➝ 205.186.175.166
DNS dreamfish.net ➝ 207.148.248.143
DNS humanpaid.net ➝ 208.100.26.234
DNS hairborn.net ➝ 46.28.105.4
DNS musicpaid.net ➝ 184.168.221.38
DNS husbandfound.net ➝ (no answer)
DNS leadershort.net ➝ (no answer)
DNS eggbraker.com ➝ (no answer)
DNS ithouneed.com ➝ (no answer)
DNS uponlady.net ➝ (no answer)
DNS whichlady.net ➝ (no answer)
DNS uponfish.net ➝ (no answer)
DNS spotwing.net ➝ (no answer)
DNS saltwing.net ➝ (no answer)
DNS spotpast.net ➝ (no answer)
DNS saltpast.net ➝ (no answer)
DNS spotlady.net ➝ (no answer)
DNS saltlady.net ➝ (no answer)
DNS spotfish.net ➝ (no answer)
DNS gladwing.net ➝ (no answer)
DNS takenwing.net ➝ (no answer)
DNS gladpast.net ➝ (no answer)
DNS takenpast.net ➝ (no answer)
DNS gladlady.net ➝ (no answer)
DNS takenlady.net ➝ (no answer)
DNS takenfish.net ➝ (no answer)
DNS equalwing.net ➝ (no answer)
DNS groupwing.net ➝ (no answer)
DNS equalpast.net ➝ (no answer)
DNS grouppast.net ➝ (no answer)
DNS equallady.net ➝ (no answer)
DNS grouplady.net ➝ (no answer)
DNS equalfish.net ➝ (no answer)
DNS spokewing.net ➝ (no answer)
DNS visitwing.net ➝ (no answer)
DNS spokepast.net ➝ (no answer)
DNS visitpast.net ➝ (no answer)
DNS spokelady.net ➝ (no answer)
DNS visitlady.net ➝ (no answer)
DNS spokefish.net ➝ (no answer)
DNS visitfish.net ➝ (no answer)
DNS watchwing.net ➝ (no answer)
DNS fairwing.net ➝ (no answer)
DNS watchpast.net ➝ (no answer)
DNS fairpast.net ➝ (no answer)
DNS watchlady.net ➝ (no answer)
DNS watchfish.net ➝ (no answer)
DNS thiswing.net ➝ (no answer)
DNS dreampast.net ➝ (no answer)
DNS thispast.net ➝ (no answer)
DNS thislady.net ➝ (no answer)
DNS thisfish.net ➝ (no answer)
DNS humancloth.net ➝ (no answer)
DNS haircloth.net ➝ (no answer)
DNS hairpaid.net ➝ (no answer)
DNS humanaugust.net ➝ (no answer)
DNS hairaugust.net ➝ (no answer)
DNS humanborn.net ➝ (no answer)
DNS yardcloth.net ➝ (no answer)
DNS musiccloth.net ➝ (no answer)
DNS yardpaid.net ➝ (no answer)
DNS yardaugust.net ➝ (no answer)
DNS musicaugust.net ➝ (no answer)
DNS yardborn.net ➝ (no answer)
DNS musicborn.net ➝ (no answer)
DNS wentcloth.net ➝ (no answer)
DNS spendcloth.net ➝ (no answer)
DNS wentpaid.net ➝ (no answer)
DNS spendpaid.net ➝ (no answer)
DNS wentaugust.net ➝ (no answer)
DNS spendaugust.net ➝ (no answer)
DNS wentborn.net ➝ (no answer)
DNS spendborn.net ➝ (no answer)
DNS frontcloth.net ➝ (no answer)
DNS offercloth.net ➝ (no answer)
DNS frontpaid.net ➝ (no answer)
DNS offerpaid.net ➝ (no answer)
DNS frontaugust.net ➝ (no answer)
DNS offeraugust.net ➝ (no answer)
DNS frontborn.net ➝ (no answer)
DNS offerborn.net ➝ (no answer)
DNS hangcloth.net ➝ (no answer)
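Most of the names queried above are two short English words joined together, and the same prefixes recur with the same small set of suffixes (spot/salt/glad/taken/... with wing/past/lady/fish, human/hair/yard/music/... with cloth/paid/august/born). The script below is an added example for this page, not code from the sandbox or from the malware: it recovers those word lists from the queried names alone, by keeping only suffixes shared by at least three labels, then enumerates the full product of each list to produce a candidate blocklist and reports which combinations the sample did not happen to query. The input is the complete domain list from this report; that the sample's own generator uses exactly these lists, rather than a larger dictionary of which this run shows a slice, is an assumption, which is why the unseen combinations are labelled candidates and the names that do not fit the pattern are returned separately.

```python
"""Recover the word lists behind the two-word domains queried in the report."""
from collections import Counter, defaultdict
from itertools import product

# Every domain the sample queried according to the Network Details section.
OBSERVED = """
recordsoldier.net fliersurprise.net historybright.net chiefsoldier.net classsurprise.net
thosecontinue.net throughcontain.net belongguard.net maybellinethaddeus.net kimberleyshavonne.net
naildeep.com riddenstorm.net destroystorm.net whichfish.net saltfish.net gladfish.net groupfish.net
fairlady.net fairfish.net dreamwing.net dreamlady.net dreamfish.net humanpaid.net hairborn.net
musicpaid.net husbandfound.net leadershort.net eggbraker.com ithouneed.com uponlady.net whichlady.net
uponfish.net spotwing.net saltwing.net spotpast.net saltpast.net spotlady.net saltlady.net spotfish.net
gladwing.net takenwing.net gladpast.net takenpast.net gladlady.net takenlady.net takenfish.net
equalwing.net groupwing.net equalpast.net grouppast.net equallady.net grouplady.net equalfish.net
spokewing.net visitwing.net spokepast.net visitpast.net spokelady.net visitlady.net spokefish.net
visitfish.net watchwing.net fairwing.net watchpast.net fairpast.net watchlady.net watchfish.net
thiswing.net dreampast.net thispast.net thislady.net thisfish.net humancloth.net haircloth.net
hairpaid.net humanaugust.net hairaugust.net humanborn.net yardcloth.net musiccloth.net yardpaid.net
yardaugust.net musicaugust.net yardborn.net musicborn.net wentcloth.net spendcloth.net wentpaid.net
spendpaid.net wentaugust.net spendaugust.net wentborn.net spendborn.net frontcloth.net offercloth.net
frontpaid.net offerpaid.net frontaugust.net offeraugust.net frontborn.net offerborn.net hangcloth.net
""".split()


def split_words(domains, min_len=4, min_count=3):
    """Split each label into (prefix, suffix) using suffixes shared by >= min_count labels.

    Both halves must be at least min_len characters so that a suffix such as
    "tlady" (spot+lady, salt+lady, visit+lady) is not counted as a word.
    Labels with no shared suffix are returned separately as unsplit."""
    labels = [d.rsplit(".", 1)[0] for d in domains]
    counts = Counter(lab[i:] for lab in labels
                     for i in range(min_len, len(lab) - min_len + 1))
    shared = {s for s, n in counts.items() if n >= min_count}
    pairs, unsplit = [], []
    for lab in labels:
        options = [(lab[:i], lab[i:]) for i in range(min_len, len(lab) - min_len + 1)
                   if lab[i:] in shared]
        if options:
            pairs.append(max(options, key=lambda p: len(p[1])))   # longest shared suffix
        else:
            unsplit.append(lab)
    return pairs, unsplit


def word_lists(pairs):
    """Group prefixes and suffixes that co-occur into connected (prefixes, suffixes) lists."""
    adj = defaultdict(set)
    for p, s in pairs:
        adj[("p", p)].add(("s", s))
        adj[("s", s)].add(("p", p))
    seen, lists = set(), []
    for start in adj:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:                                   # depth-first walk of one component
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(adj[node])
        seen |= comp
        lists.append((sorted(w for k, w in comp if k == "p"),
                      sorted(w for k, w in comp if k == "s")))
    return lists


def candidates(domains):
    """Return (observed labels, unseen product combinations, labels that fit no list)."""
    pairs, unsplit = split_words(domains)
    observed = {p + s for p, s in pairs}
    unseen = set()
    for prefixes, suffixes in word_lists(pairs):
        unseen |= {p + s for p, s in product(prefixes, suffixes)} - observed
    return observed, unseen, unsplit


if __name__ == "__main__":
    seen, unseen, unsplit = candidates(OBSERVED)
    for prefixes, suffixes in word_lists(split_words(OBSERVED)[0]):
        print(f"{len(prefixes)} prefixes x {len(suffixes)} suffixes: {prefixes} / {suffixes}")
    print(f"{len(seen)} observed, {len(unseen)} unseen candidates: {sorted(unseen)}")
    print(f"{len(unsplit)} names outside the pattern: {unsplit}")
```

On this report's data the two recovered lists are 14 prefixes by {fish, lady, past, wing} and 9 prefixes by {august, born, cloth, paid}; 85 of the 102 queried names fall inside them and only seven product combinations were never queried, which is strong evidence the names are generated rather than chosen. The 17 names outside the pattern include all ten that resolved to 208.91.197.241, so a blocklist built from the product alone would miss the hosts the sample actually talked to most; block those explicitly.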
HTTP GET requests. Every request uses the same path and query string and sends an empty User-Agent header:
  /index.php?method=validate&mode=sox&v=050&sox=4fb70001&lenhdr
The hosts, in the order contacted (the sample walks all 25 resolved names, then starts a second pass through the list):
HTTP GET ➝ recordsoldier.net
HTTP GET ➝ fliersurprise.net
HTTP GET ➝ historybright.net
HTTP GET ➝ chiefsoldier.net
HTTP GET ➝ classsurprise.net
HTTP GET ➝ thosecontinue.net
HTTP GET ➝ throughcontain.net
HTTP GET ➝ belongguard.net
HTTP GET ➝ maybellinethaddeus.net
HTTP GET ➝ kimberleyshavonne.net
HTTP GET ➝ naildeep.com
HTTP GET ➝ riddenstorm.net
HTTP GET ➝ destroystorm.net
HTTP GET ➝ whichfish.net
HTTP GET ➝ saltfish.net
HTTP GET ➝ gladfish.net
HTTP GET ➝ groupfish.net
HTTP GET ➝ fairlady.net
HTTP GET ➝ fairfish.net
HTTP GET ➝ dreamwing.net
HTTP GET ➝ dreamlady.net
HTTP GET ➝ dreamfish.net
HTTP GET ➝ humanpaid.net
HTTP GET ➝ hairborn.net
HTTP GET ➝ musicpaid.net
HTTP GET ➝ recordsoldier.net (second pass)
HTTP GET ➝ fliersurprise.net
HTTP GET ➝ historybright.net
HTTP GET ➝ chiefsoldier.net
HTTP GET ➝ classsurprise.net
HTTP GET ➝ thosecontinue.net
HTTP GET ➝ throughcontain.net
HTTP GET ➝ belongguard.net
HTTP GET ➝ maybellinethaddeus.net
Flows TCP 192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1045 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1046 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1047 ➝ 74.220.215.218:80
Flows TCP 192.168.1.1:1048 ➝ 66.147.240.171:80
Flows TCP 192.168.1.1:1049 ➝ 216.239.138.86:80
Flows TCP 192.168.1.1:1050 ➝ 184.168.221.62:80
Flows TCP 192.168.1.1:1051 ➝ 206.130.110.212:80
Flows TCP 192.168.1.1:1052 ➝ 50.63.202.30:80
Flows TCP 192.168.1.1:1053 ➝ 184.168.221.47:80
Flows TCP 192.168.1.1:1054 ➝ 69.172.201.208:80
Flows TCP 192.168.1.1:1055 ➝ 5.226.149.110:80
Flows TCP 192.168.1.1:1056 ➝ 49.212.198.17:80
Flows TCP 192.168.1.1:1057 ➝ 205.186.175.166:80
Flows TCP 192.168.1.1:1058 ➝ 207.148.248.143:80
Flows TCP 192.168.1.1:1059 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1060 ➝ 46.28.105.4:80
Flows TCP 192.168.1.1:1061 ➝ 184.168.221.38:80
Flows TCP 192.168.1.1:1062 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1063 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1064 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1065 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1066 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1067 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1068 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1069 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1070 ➝ 208.91.197.241:80
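The HTTP activity above is the part of this report that turns into a network detection most directly: a fixed path, a fixed query shape (method=validate, mode=sox, a version v and a sox identifier) and an empty User-Agent, repeated against many hosts with the same parameters. The hunt below is an added example written for this page, not a rule shipped with any product; it runs over constructed records shaped like Zeek http.log fields (host, uri, user_agent), matches the query shape rather than the exact string so a changed version or sox value still hits, and groups hits by (v, sox) so one infection's full set of contacted hosts comes out as a single cluster. The three beacon records mirror requests from this report; the two decoys are made up to show what does not match.

```python
"""Hunt for the validate/sox beacon shape over HTTP log records."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed records in Zeek http.log-like fields. The first three mirror
# requests in the report above; the last two are benign decoys.
SAMPLE_HTTP = [
    {"host": "recordsoldier.net",
     "uri": "/index.php?method=validate&mode=sox&v=050&sox=4fb70001&lenhdr", "user_agent": ""},
    {"host": "naildeep.com",
     "uri": "/index.php?method=validate&mode=sox&v=050&sox=4fb70001&lenhdr", "user_agent": ""},
    {"host": "musicpaid.net",
     "uri": "/index.php?method=validate&mode=sox&v=050&sox=4fb70001&lenhdr", "user_agent": ""},
    {"host": "example.org",
     "uri": "/index.php?method=validate&mode=login", "user_agent": "Mozilla/5.0"},
    {"host": "cdn.example.net",
     "uri": "/static/app.js", "user_agent": ""},
]


def is_sox_beacon(rec):
    """True for GET /index.php?method=validate&mode=sox&...&sox=<id>, regardless of v or id."""
    parts = urlsplit(rec["uri"])
    if parts.path != "/index.php":
        return False
    q = parse_qs(parts.query, keep_blank_values=True)   # keeps the bare "lenhdr" key
    return q.get("method") == ["validate"] and q.get("mode") == ["sox"] and "sox" in q


def hunt(records):
    """Return one hit per matching record with the fields worth pivoting on."""
    hits = []
    for rec in records:
        if not is_sox_beacon(rec):
            continue
        q = parse_qs(urlsplit(rec["uri"]).query, keep_blank_values=True)
        hits.append({
            "host": rec["host"],
            "version": q.get("v", [""])[0],
            "sox_id": q["sox"][0],
            # The report shows an empty User-Agent on every request; on its own that is
            # too common to alert on, so it is recorded as a confidence booster, not a gate.
            "empty_user_agent": rec["user_agent"] == "",
        })
    return hits


def cluster(hits):
    """Group beaconing hosts by (version, sox id): one infection's candidate C2 set."""
    groups = defaultdict(list)
    for h in hits:
        groups[(h["version"], h["sox_id"])].append(h["host"])
    return dict(groups)


if __name__ == "__main__":
    for key, hosts in cluster(hunt(SAMPLE_HTTP)).items():
        print(f"v={key[0]} sox={key[1]}: {len(hosts)} hosts -> {hosts}")
```

Matching on the parameter names rather than the literal query string is deliberate: the v=050 and sox=4fb70001 values are the parts most likely to differ between builds and victims, while the method/mode/sox structure is what the server side has to keep accepting. Pair this with the DNS observation that ten of the contacted names resolve to the same address and the flow list shows nine extra connections to it: that address is the first block, the host-cluster output is the second.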
