Analysis Date: 2016-03-18 06:55:25
MD5: 679a5655dc9e6f5776809ef0609f3ffe
SHA1: 11217057c352ccedcff1cac4e2daf0c9c5690263

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: ae4dc9bee05847f6aaac77cc29854768 sha1: 6f8c937db4b90a50a6b936f28d585510a81d86bf size: 654848
Section .rdata md5: 2121f3bc27b00c12331e99367d5bab13 sha1: 28813540ed655ab01c65009b2f802bbc83a871f6 size: 305664
Section .data md5: db3a3a69bc4ab0825989c7c1042c7913 sha1: f718b3676cd1a5fff8aac5a0d3a717263e50e4f5 size: 5120
Section .reloc md5: 3a10f0b634db2b24e05ed993c155a2a5 sha1: 7a198e82a6b0e6a8a8a0361cf5bf65ab3ddcb0fe size: 89088
Timestamp: 2013-10-26 10:06:14
Packer: Microsoft Visual C++ ?.?
PEhash: 0b97c4cf4b92e19aada57eb939aad916cd462fb1
IMPhash: 5c1fc28927a418a4ac31f86725ad212b
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV Rising: 0x59c70164
AV Mcafee: Trojan-FHSY!679A5655DC9E
AV MicroWorld (escan): Gen:Variant.Razy.13381
AV MalwareBytes: No Virus
AV Avira (antivir): TR/Nivdort.A.31439
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): No Virus
AV Authentium: W32/Trojan.WQJC-7410
AV Emsisoft: Gen:Variant.Razy.13381
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.13381
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Swizzor.e
AV Trend Micro: No Virus
AV Alwil (avast): Malware-gen
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.BK
AV Grisoft (avg): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV Symantec: No Virus
AV BullGuard: Gen:Variant.Razy.13381
AV Arcabit (arcavir): Gen:Variant.Razy.13381
AV Fortinet: W32/Bayrob.AQ!tr
AV ClamAV: No Virus
AV BitDefender: Gen:Variant.Razy.13381
AV Dr. Web: Trojan.DownLoader19.38854
AV K7: Trojan ( 004da8bd1 )
AV F-Secure: Gen:Variant.Razy.13381
AV CA (E-Trust Ino): Gen:Variant.Razy.13381

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\ujssxswexym\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\hjslfzvu7c7attj1irch1plm.exe
Creates File: PIPE\lsarpc
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\hjslfzvu7c7attj1irch1plm.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\hjslfzvu7c7attj1irch1plm.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Copy DLL Upgrade Browser IPsec IP Sharing ➝ C:\WINDOWS\system32\xnnksqbcey.exe
Creates File: C:\WINDOWS\system32\ujssxswexym\tst
Creates File: C:\WINDOWS\system32\ujssxswexym\lck
Creates File: C:\WINDOWS\system32\xnnksqbcey.exe
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\xnnksqbcey.exe
Creates Service: DCOM Superfetch Server - C:\WINDOWS\system32\xnnksqbcey.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\EXVWFVAN.EXE-246633B0.pf
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\XNNKSQBCEY.EXE-082E7500.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\11217057C352CCEDCFF1CAC4E2DAF-2939225E.pf
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Prefetch\HJSLFZVU7C7ATTJ1IRCH1PLM.EXE-1816BF99.pf
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\HJSLFZVUMUFGWTJ1.EXE-035B83D8.pf
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1204

Process
↳ Pid 1332

Process
↳ Pid 1864

Process
↳ Pid 1572

Process
↳ C:\WINDOWS\system32\xnnksqbcey.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\ujssxswexym\run
Creates File: C:\WINDOWS\system32\ujssxswexym\tst
Creates File: C:\WINDOWS\system32\ujssxswexym\lck
Creates File: C:\WINDOWS\system32\ujssxswexym\cfg
Creates File: C:\WINDOWS\system32\exvwfvan.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\ujssxswexym\rng
Creates File: C:\WINDOWS\TEMP\hjslfzvumufgwtj1.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\TEMP\hjslfzvumufgwtj1.exe
Creates Process: C:\WINDOWS\TEMP\hjslfzvumufgwtj1.exe -r 44393 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\xnnksqbcey.exe"

Process
↳ C:\WINDOWS\system32\xnnksqbcey.exe

Creates File: C:\WINDOWS\system32\ujssxswexym\tst
Creates File: PIPE\lsarpc

Process
↳ WATCHDOGPROC "c:\windows\system32\xnnksqbcey.exe"

Creates File: C:\WINDOWS\system32\ujssxswexym\tst

Process
↳ C:\WINDOWS\TEMP\hjslfzvumufgwtj1.exe -r 44393 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: riddenstorm.net
Type: A
66.147.240.171
DNS: doubleobject.net
Type: A
DNS: brokenthird.net
Type: A
DNS: mightspecial.net
Type: A
DNS: dulcibellamartinson.net
Type: A
DNS: mariabellabotwright.net
Type: A
DNS: simonettesherisse.net
Type: A
DNS: decidebetween.net
Type: A
DNS: aloneneighbor.net
Type: A
DNS: gentleangry.net
Type: A
DNS: gwendolynhuddleston.net
Type: A
DNS: simonettedwerryhouse.net
Type: A
HTTP GET: http://riddenstorm.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1037 ➝ 66.147.240.171:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69646465 6e73746f 726d2e6e 65740d0a   iddenstorm.net..
0x00000050 (00080)   0d0a                                  ..


Strings