Analysis Date: 2015-08-14 09:28:56
MD5: 3c1285288e884fe2de4969fe1a0f7a29
SHA1: 0e69d7b347227b7ef920316f25228c8550dee6a0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 09d6c4836af79e28215a5170283ad4ad sha1: 4b94e2a6155964e4ef719767dc748cd9c42461db size: 198144
Section .rdata: md5: cf7d1bc4faf44237808905be7f4c544d sha1: c7b5d441b8b8e3801214c4602e89da2b109eec50 size: 52736
Section .data: md5: 9b140bc903cb39b667fe44e1e2289fed sha1: bbc9e3ba7ec01bf53c6a1eb21ce89600660e6064 size: 7168
Section .reloc: md5: 1470f1e4bb559ef7d3a9e833a9e1affb sha1: 0ce333af5029bf68b4a344397eb37704e5351667 size: 14336
Timestamp: 2015-04-29 19:18:36
Packer: Microsoft Visual C++ 8
PEhash: cf0945e21ea3d897a3f74fd2efdf937c4e20ef51
IMPhash: ea09f92ea0ffb532009bb7e6d8478105
AV VirusBlokAda (vba32): Trojan.Scar
AV F-Secure: Gen:Variant.Kazy.604861
AV Padvish: no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AY
AV Twister: Trojan.0000E9000000006A1.mg
AV Alwil (avast): VB-AJEW [Trj]
AV MalwareBytes: Trojan.Agent.KVTGen
AV Ad-Aware: Gen:Variant.Kazy.604861
AV Symantec: Downloader.Upatre!g15
AV BitDefender: Gen:Variant.Kazy.604861
AV Trend Micro: TROJ_BAYROB.SM0
AV Arcabit (arcavir): Gen:Variant.Kazy.604861
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV Eset (nod32): Win32/Bayrob.Q
AV BullGuard: Gen:Variant.Kazy.604861
AV Kaspersky: Trojan.Win32.Generic
AV Fortinet: W32/Generic.AC.215362
AV Emsisoft: Gen:Variant.Kazy.604861
AV Avira (antivir): TR/Crypt.Xpack.196519
AV Zillya!: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Rising: Trojan.Win32.Bayrod.a
AV Authentium: W32/Scar.R.gen!Eldorado
AV ClamAV: no_virus
AV Grisoft (avg): Win32/Cryptor
AV K7: Trojan ( 004c12491 )
AV Mcafee: Trojan-FGIJ!3C1285288E88
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\fcgkhcqxnuydy\myu4mchc5g
Creates File: C:\fcgkhcqxnuydy\yoarzgtpuhzlopgvlw.exe
Creates File: C:\fcgkhcqxnuydy\myu4mchc5g
Deletes File: C:\WINDOWS\fcgkhcqxnuydy\myu4mchc5g
Creates Process: C:\fcgkhcqxnuydy\yoarzgtpuhzlopgvlw.exe

Process
↳ C:\fcgkhcqxnuydy\yoarzgtpuhzlopgvlw.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Interface Volume iSCSI Player ➝ C:\fcgkhcqxnuydy\kebqdyagnk.exe
Creates File: C:\fcgkhcqxnuydy\kebqdyagnk.exe
Creates File: C:\WINDOWS\fcgkhcqxnuydy\myu4mchc5g
Creates File: PIPE\lsarpc
Creates File: C:\fcgkhcqxnuydy\myu4mchc5g
Creates File: C:\fcgkhcqxnuydy\lpaxzogzrz
Deletes File: C:\WINDOWS\fcgkhcqxnuydy\myu4mchc5g
Creates Process: C:\fcgkhcqxnuydy\kebqdyagnk.exe
Creates Service: Cache Power WebClient Process - C:\fcgkhcqxnuydy\kebqdyagnk.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-1BC69D2D.pf
Creates File: C:\WINDOWS\Prefetch\0E69D7B347227B7EF920316F25228-0EDEC0E5.pf
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\DJKZWTPWUFO.EXE-07EF2A4C.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\KEBQDYAGNK.EXE-32688784.pf
Creates File: C:\WINDOWS\Prefetch\YOARZGTPUHZLOPGVLW.EXE-0628AFAF.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1212

Process
↳ Pid 1328

Process
↳ Pid 1864

Process
↳ Pid 1696

Process
↳ C:\fcgkhcqxnuydy\kebqdyagnk.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\fcgkhcqxnuydy\myu4mchc5g
Creates File: C:\fcgkhcqxnuydy\djkzwtpwufo.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\fcgkhcqxnuydy\wnfmup
Creates File: C:\fcgkhcqxnuydy\myu4mchc5g
Creates File: C:\fcgkhcqxnuydy\lpaxzogzrz
Deletes File: C:\WINDOWS\fcgkhcqxnuydy\myu4mchc5g
Creates Process: wm8gnsthaxvw "c:\fcgkhcqxnuydy\kebqdyagnk.exe"

Process
↳ C:\fcgkhcqxnuydy\kebqdyagnk.exe

Creates File: C:\WINDOWS\fcgkhcqxnuydy\myu4mchc5g
Creates File: C:\fcgkhcqxnuydy\myu4mchc5g
Deletes File: C:\WINDOWS\fcgkhcqxnuydy\myu4mchc5g

Process
↳ wm8gnsthaxvw "c:\fcgkhcqxnuydy\kebqdyagnk.exe"

Creates File: C:\WINDOWS\fcgkhcqxnuydy\myu4mchc5g
Creates File: C:\fcgkhcqxnuydy\myu4mchc5g
Deletes File: C:\WINDOWS\fcgkhcqxnuydy\myu4mchc5g

Network Details:

HTTP GET: http://personschool.net/index.php
User-Agent:
HTTP GET: http://foreignquestion.net/index.php
User-Agent:
HTTP GET: http://rightschool.net/index.php
User-Agent:
HTTP GET: http://rightquestion.net/index.php
User-Agent:
HTTP GET: http://familyschool.net/index.php
User-Agent:
HTTP GET: http://childrenwhile.net/index.php
User-Agent:
HTTP GET: http://englishschool.net/index.php
User-Agent:
HTTP GET: http://englishquestion.net/index.php
User-Agent:
HTTP GET: http://suddenstorm.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 165.160.15.20:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.26.254:80
Flows TCP: 192.168.1.1:1033 ➝ 82.144.197.54:80
Flows TCP: 192.168.1.1:1034 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1035 ➝ 50.63.202.104:80
Flows TCP: 192.168.1.1:1036 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1037 ➝ 72.52.4.119:80
Flows TCP: 192.168.1.1:1038 ➝ 85.25.201.249:80
Flows TCP: 192.168.1.1:1039 ➝ 199.116.78.152:80
