Analysis Date: 2016-02-09 06:57:29
MD5: a86af226921fdddabfb3fe302524a29a
SHA1: 11e7f50b3d524fce6ff694a4a14dab9571af22e9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 29f31fafdfb3ff203abba371b3d08a64 sha1: 21b189a66db2e02fd218e636725b6fa0878dbb2b size: 904192
Section .rdata: md5: 33a73cea08c300ae349f59e2f8f6cf89 sha1: fa9c4dd66f9b40b851580a8045f411cbba4a12ea size: 353280
Section .data: md5: 3e8af1015916d2218d5a9b2b0498de0d sha1: b0c7863887597391d0f883c3df8e2f09169803df size: 6656
Section .reloc: md5: ae04600d2d4ecb9d43fb43fbd41f04b0 sha1: 55cfb27ce460dd6c3941e3646eca1f440a064b6f size: 121856
Timestamp: 2015-12-15 16:16:03
Packer: VC8 -> Microsoft Corporation
PEhash: e43ae896e834335a3ce634a1474a350bb92e64b9
IMPhash: 8629056a5281b70d77e8aec3567f2929
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): TR/Crypt.Xpack.442598
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Kazy.788788
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): Win32/Bayrob.AG
AV Grisoft (avg): Generic37.AJLC
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.AQ!tr
AV BitDefender: Gen:Variant.Kazy.788788
AV K7: Trojan ( 004da8bd1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV MicroWorld (escan): Gen:Variant.Kazy.788788
AV MalwareBytes: No Virus
AV Authentium: No Virus
AV Emsisoft: Gen:Variant.Kazy.788788
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Gen:Variant.Kazy.788788
AV Arcabit (arcavir): Gen:Variant.Kazy.788788
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.17310
AV F-Secure: Gen:Variant.Kazy.788788

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\oofsuer\tst
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\odvjrbzflkjp4buqe8sdg3bi44.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\odvjrbzflkjp4buqe8sdg3bi44.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\odvjrbzflkjp4buqe8sdg3bi44.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Application Device Hardware Resolution ➝ C:\WINDOWS\system32\tigrzdgua.exe
Creates File: C:\WINDOWS\system32\tigrzdgua.exe
Creates File: C:\WINDOWS\system32\oofsuer\lck
Creates File: C:\WINDOWS\system32\oofsuer\tst
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\tigrzdgua.exe
Creates Service: Access Color System Auto Compatibility - C:\WINDOWS\system32\tigrzdgua.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1880

Process
↳ Pid 1160

Process
↳ C:\WINDOWS\system32\tigrzdgua.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\odvjrbzf774qbruqe8s.exe
Creates File: C:\WINDOWS\system32\oofsuer\rng
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\oofsuer\tst
Creates File: C:\WINDOWS\system32\oofsuer\lck
Creates File: C:\WINDOWS\system32\oofsuer\run
Creates File: C:\WINDOWS\system32\jgmknks.exe
Creates File: C:\WINDOWS\system32\oofsuer\cfg
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "c:\windows\system32\tigrzdgua.exe"
Creates Process: C:\WINDOWS\TEMP\odvjrbzf774qbruqe8s.exe -r 27687 tcp

Process
↳ C:\WINDOWS\system32\tigrzdgua.exe

Creates File: C:\WINDOWS\system32\oofsuer\tst
Creates File: PIPE\lsarpc

Process
↳ WATCHDOGPROC "c:\windows\system32\tigrzdgua.exe"

Creates File: C:\WINDOWS\system32\oofsuer\tst

Process
↳ C:\WINDOWS\TEMP\odvjrbzf774qbruqe8s.exe -r 27687 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

HTTP GET: http://journeymeasure.net/index.php
User-Agent:
HTTP GET: http://riddenstorm.net/index.php
User-Agent:
HTTP GET: http://effortbuilt.net/index.php
User-Agent:
HTTP GET: http://thosewhile.net/index.php
User-Agent:
HTTP GET: http://stickwild.net/index.php
User-Agent:
HTTP GET: http://balljune.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 50.87.249.65:80
Flows TCP: 192.168.1.1:1038 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1039 ➝ 198.27.70.45:80
Flows TCP: 192.168.1.1:1040 ➝ 198.27.70.45:80
Flows TCP: 192.168.1.1:1032 ➝ 75.98.233.9:443
Flows TCP: 192.168.1.1:1041 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1042 ➝ 195.22.28.199:80
