Analysis Date: 2016-02-05 11:20:11
MD5: f0f1711df0da9aca60e132a2a75208fb
SHA1: 102f4bbeebb965249dd1b8800958e7295ae7c58d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 30ea09501a8e4117c58bb0fa50d84ea3 sha1: 048abb821094974790e5f3af717f295d442c8b5c size: 904192
Section .rdata: md5: 0d848436562d773a11727291aed8dc77 sha1: 67d837f4a5f732216205d5bd7288c20479c1d8d8 size: 364544
Section .data: md5: b6e9df5568b65321453ee5eddc0444d0 sha1: aa6270e6c8d43233dd9a04994b22d4403d2b3136 size: 6656
Section .reloc: md5: 379f5af234169b388288d13b48539293 sha1: 2bec98ff803a0a501f245ec6b7f06ff1c4336b7f size: 122368
Timestamp: 2015-12-15 16:34:11
Packer: VC8 -> Microsoft Corporation
PEhash: 648939d89633c5ec30d0b0a8311227ed6f82de9f
IMPhash: 2d143aeb53b96189dd983dc4b2c884ce
AV F-Secure: Gen:Variant.Kazy.788788
AV Ad-Aware: Gen:Variant.Kazy.788788
AV Grisoft (avg): Generic37.HMH
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV Ikarus: Trojan.Win32.Bayrob
AV Avira (antivir): TR/Crypt.Xpack.430092
AV K7: Trojan ( 004da8bd1 )
AV ClamAV: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Arcabit (arcavir): Gen:Variant.Kazy.788788
AV MalwareBytes: No Virus
AV Dr. Web: Trojan.DownLoader18.28435
AV Mcafee: Trojan-FHOH!F0F1711DF0DA
AV BitDefender: Gen:Variant.Kazy.788788
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV Emsisoft: Gen:Variant.Kazy.788788
AV MicroWorld (escan): Gen:Variant.Kazy.788788
AV Alwil (avast): Win32:Malware-gen
AV Rising: No Virus
AV Eset (nod32): Win32/Bayrob.AG
AV BullGuard: Gen:Variant.Kazy.788788
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.AQ!tr
AV Trend Micro: No Virus
AV Authentium: No Virus
AV Twister: No Virus
AV Frisk (f-prot): No Virus
AV VirusBlokAda (vba32): No Virus
AV CA (E-Trust Ino): No Virus
AV Zillya!: Trojan.Black.Win32.45439

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\uvytoveezc\tst
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\gngpbcdtcvt5gzbngds3cf.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\gngpbcdtcvt5gzbngds3cf.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\gngpbcdtcvt5gzbngds3cf.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Secure Key Assistant Trap Support Now ➝ C:\WINDOWS\system32\njsecuq.exe
Creates File: C:\WINDOWS\system32\uvytoveezc\tst
Creates File: C:\WINDOWS\system32\uvytoveezc\lck
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\njsecuq.exe
Creates Process: C:\WINDOWS\system32\njsecuq.exe
Creates Service: Services WMI Problem Receiver - C:\WINDOWS\system32\njsecuq.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1128

Process
↳ C:\WINDOWS\system32\njsecuq.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\uvytoveezc\run
Creates File: C:\WINDOWS\system32\qjxspkqsufgc.exe
Creates File: C:\WINDOWS\system32\uvytoveezc\cfg
Creates File: C:\WINDOWS\system32\uvytoveezc\rng
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\uvytoveezc\tst
Creates File: C:\WINDOWS\TEMP\gngpbcdeylimwzb.exe
Creates File: C:\WINDOWS\system32\uvytoveezc\lck
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "c:\windows\system32\njsecuq.exe"
Creates Process: C:\WINDOWS\TEMP\gngpbcdeylimwzb.exe -r 21980 tcp

Process
↳ C:\WINDOWS\system32\njsecuq.exe

Creates File: C:\WINDOWS\system32\uvytoveezc\tst
Creates File: PIPE\lsarpc

Process
↳ WATCHDOGPROC "c:\windows\system32\njsecuq.exe"

Creates File: C:\WINDOWS\system32\uvytoveezc\tst

Process
↳ C:\WINDOWS\TEMP\gngpbcdeylimwzb.exe -r 21980 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: journeymeasure.net (Type: A) ➝ 50.87.249.65
DNS: riddenstorm.net (Type: A) ➝ 66.147.240.171
DNS: effortbuilt.net (Type: A) ➝ 198.27.70.45
DNS: thosewhile.net (Type: A) ➝ 198.27.70.45
DNS: afterprice.net (Type: A) ➝ 217.31.58.24
DNS: sellprice.net (Type: A) ➝ 79.99.134.187
DNS: drivecroud.net (Type: A) ➝ 195.22.28.196
DNS: drivecroud.net (Type: A) ➝ 195.22.28.197
DNS: drivecroud.net (Type: A) ➝ 195.22.28.198
DNS: drivecroud.net (Type: A) ➝ 195.22.28.199
DNS: queenfood.net (Type: A) ➝ 103.3.245.71
DNS: facefood.net (Type: A) ➝ 69.9.179.166
DNS: facemeet.net (Type: A) ➝ 66.96.147.111
DNS: walkshown.net (Type: A) ➝ 208.100.26.234
DNS: walkfood.net (Type: A) ➝ 127.0.0.1
DNS: storyfood.net (Type: A) ➝ 198.185.159.145
DNS: orderthrown.net (Type: A)
DNS: decidepromise.net (Type: A)
DNS: seasonstrong.net (Type: A)
DNS: simonettedwerryhouse.net (Type: A)
DNS: morningduring.net (Type: A)
DNS: chiefanother.net (Type: A)
DNS: gwendolynhuddleston.net (Type: A)
DNS: oftensurprise.net (Type: A)
DNS: monthraise.net (Type: A)
DNS: walkraise.net (Type: A)
DNS: monthreach.net (Type: A)
DNS: walkreach.net (Type: A)
DNS: storyprice.net (Type: A)
DNS: weakprice.net (Type: A)
DNS: storycroud.net (Type: A)
DNS: weakcroud.net (Type: A)
DNS: storyraise.net (Type: A)
DNS: weakraise.net (Type: A)
DNS: storyreach.net (Type: A)
DNS: weakreach.net (Type: A)
DNS: forceprice.net (Type: A)
DNS: aftercroud.net (Type: A)
DNS: forcecroud.net (Type: A)
DNS: afterraise.net (Type: A)
DNS: forceraise.net (Type: A)
DNS: afterreach.net (Type: A)
DNS: forcereach.net (Type: A)
DNS: wednesdayprice.net (Type: A)
DNS: sellcroud.net (Type: A)
DNS: wednesdaycroud.net (Type: A)
DNS: sellraise.net (Type: A)
DNS: wednesdayraise.net (Type: A)
DNS: sellreach.net (Type: A)
DNS: wednesdayreach.net (Type: A)
DNS: driveprice.net (Type: A)
DNS: nailprice.net (Type: A)
DNS: nailcroud.net (Type: A)
DNS: driveraise.net (Type: A)
DNS: nailraise.net (Type: A)
DNS: drivereach.net (Type: A)
DNS: nailreach.net (Type: A)
DNS: fieldneck.net (Type: A)
DNS: queenneck.net (Type: A)
DNS: fieldshown.net (Type: A)
DNS: queenshown.net (Type: A)
DNS: fieldfood.net (Type: A)
DNS: fieldmeet.net (Type: A)
DNS: queenmeet.net (Type: A)
DNS: bothneck.net (Type: A)
DNS: gainneck.net (Type: A)
DNS: bothshown.net (Type: A)
DNS: gainshown.net (Type: A)
DNS: bothfood.net (Type: A)
DNS: gainfood.net (Type: A)
DNS: bothmeet.net (Type: A)
DNS: gainmeet.net (Type: A)
DNS: leastneck.net (Type: A)
DNS: faceneck.net (Type: A)
DNS: leastshown.net (Type: A)
DNS: faceshown.net (Type: A)
DNS: leastfood.net (Type: A)
DNS: leastmeet.net (Type: A)
DNS: monthneck.net (Type: A)
DNS: walkneck.net (Type: A)
DNS: monthshown.net (Type: A)
DNS: monthfood.net (Type: A)
DNS: monthmeet.net (Type: A)
DNS: walkmeet.net (Type: A)
DNS: storyneck.net (Type: A)
DNS: weakneck.net (Type: A)
DNS: storyshown.net (Type: A)
DNS: weakshown.net (Type: A)
DNS: weakfood.net (Type: A)
DNS: storymeet.net (Type: A)
DNS: weakmeet.net (Type: A)
DNS: afterneck.net (Type: A)
DNS: forceneck.net (Type: A)
DNS: aftershown.net (Type: A)
DNS: forceshown.net (Type: A)
DNS: afterfood.net (Type: A)
DNS: forcefood.net (Type: A)
DNS: aftermeet.net (Type: A)
DNS: forcemeet.net (Type: A)
DNS: sellneck.net (Type: A)
HTTP GET: http://journeymeasure.net/index.php
User-Agent:
HTTP GET: http://riddenstorm.net/index.php
User-Agent:
HTTP GET: http://effortbuilt.net/index.php
User-Agent:
HTTP GET: http://thosewhile.net/index.php
User-Agent:
HTTP GET: http://afterprice.net/index.php
User-Agent:
HTTP GET: http://sellprice.net/index.php
User-Agent:
HTTP GET: http://drivecroud.net/index.php
User-Agent:
HTTP GET: http://queenfood.net/index.php
User-Agent:
HTTP GET: http://facefood.net/index.php
User-Agent:
HTTP GET: http://facemeet.net/index.php
User-Agent:
HTTP GET: http://walkshown.net/index.php
User-Agent:
HTTP GET: http://storyfood.net/index.php
User-Agent:
HTTP GET: http://journeymeasure.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 50.87.249.65:80
Flows TCP: 192.168.1.1:1038 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1039 ➝ 198.27.70.45:80
Flows TCP: 192.168.1.1:1040 ➝ 198.27.70.45:80
Flows TCP: 192.168.1.1:1041 ➝ 217.31.58.24:80
Flows TCP: 192.168.1.1:1042 ➝ 79.99.134.187:80
Flows TCP: 192.168.1.1:1043 ➝ 195.22.28.196:80
Flows TCP: 192.168.1.1:1044 ➝ 103.3.245.71:80
Flows TCP: 192.168.1.1:1045 ➝ 69.9.179.166:80
Flows TCP: 192.168.1.1:1046 ➝ 66.96.147.111:80
Flows TCP: 192.168.1.1:1047 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1049 ➝ 198.185.159.145:80
Flows TCP: 192.168.1.1:1050 ➝ 50.87.249.65:80