Analysis Date: 2016-02-12 16:25:08
MD5: cc07b1df10c98d5962c5753e6badbaa8
SHA1: 13354970db9652714c1d34a145024185f3bf626d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 62327f6caebc8dc581073ce5a5ebcfc7 sha1: 8db4cedf33af7d8cbd3052bf5033263ed450d5f3 size: 1111040
Section .rdata md5: a26bf5e24cc13d35b73e02c3a555ee5c sha1: 4f103f1dc1cd7e4321932bbef406058572c0d73d size: 269312
Section .data md5: 801b31328a7cfd79a6358316f3850fdc sha1: d0280d1a0809ed0dd0a6e2632d49a4f5b8cbf211 size: 3072
Section .reloc md5: 1d6f8e67839a706806edccc09e0511c9 sha1: 717f18e824f554f510efcf4215cfe38a2b80bc6b size: 140288
Timestamp: 2015-11-19 11:13:13
Packer: Microsoft Visual C++ ?.?
PEhash: a3e36ccdf5d21826429e1158e5d61597abefb952
IMPhash: 5592fecc2971ab82c4ab08b8d9cfc532
AV CA (E-Trust Ino): Gen:Variant.Razy.16325
AV Rising: No Virus
AV Mcafee: Trojan-FHSX!CC07B1DF10C9
AV Avira (antivir): TR/Taranis.2091
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.16325
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.BK
AV Grisoft (avg): Generic37.AHDP
AV Symantec: Trojan.Gen
AV Fortinet: W32/Bayrob.AQ!tr
AV BitDefender: Gen:Variant.Razy.16325
AV K7: Trojan ( 004da8bd1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV MicroWorld (escan): Gen:Variant.Razy.16325
AV MalwareBytes: No Virus
AV Authentium: W32/Trojan.SSYR-1839
AV Emsisoft: Gen:Variant.Razy.16325
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Gen:Variant.Razy.16325
AV Arcabit (arcavir): Gen:Variant.Razy.16325
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Razy.16325

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\pyfnkyjln\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ywkkyv36gj2houdiundpgf.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\ywkkyv36gj2houdiundpgf.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\ywkkyv36gj2houdiundpgf.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Offline Windows Bluetooth Detection UserMode ➝ C:\WINDOWS\system32\qyxiexrefk.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\pyfnkyjln\lck
Creates File: C:\WINDOWS\system32\pyfnkyjln\tst
Creates File: C:\WINDOWS\system32\qyxiexrefk.exe
Creates Process: C:\WINDOWS\system32\qyxiexrefk.exe
Creates Service: Process Software Connections Security - C:\WINDOWS\system32\qyxiexrefk.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1868

Process
↳ Pid 1152

Process
↳ C:\WINDOWS\system32\qyxiexrefk.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\pyfnkyjln\cfg
Creates File: C:\WINDOWS\system32\pyfnkyjln\rng
Creates File: C:\WINDOWS\system32\hflihuvtns.exe
Creates File: C:\WINDOWS\system32\pyfnkyjln\lck
Creates File: C:\WINDOWS\system32\pyfnkyjln\tst
Creates File: C:\WINDOWS\system32\pyfnkyjln\run
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\TEMP\ywkkyv5xvmxmou.exe
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\TEMP\ywkkyv5xvmxmou.exe -r 27786 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\qyxiexrefk.exe"

Process
↳ C:\WINDOWS\system32\qyxiexrefk.exe

Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\pyfnkyjln\tst

Process
↳ c:\windows\system32\qyxiexrefk.exe

Creates File: C:\WINDOWS\system32\pyfnkyjln\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\qyxiexrefk.exe"

Creates File: C:\WINDOWS\system32\pyfnkyjln\tst
Creates Process: c:\windows\system32\qyxiexrefk.exe

Process
↳ C:\WINDOWS\TEMP\ywkkyv5xvmxmou.exe -r 27786 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: riddenstorm.net
Type: A
66.147.240.171
DNS: afterjune.net
Type: A
195.154.108.241
DNS: drivewild.net
Type: A
72.52.4.90
DNS: nailwild.net
Type: A
208.100.26.234
DNS: bothboat.net
Type: A
195.22.28.196
DNS: bothboat.net
Type: A
195.22.28.197
DNS: bothboat.net
Type: A
195.22.28.198
DNS: bothboat.net
Type: A
195.22.28.199
DNS: melbourneit.hotkeysparking.com
Type: A
8.5.1.16
DNS: facepress.net
Type: A
50.63.33.1
DNS: doubleobject.net
Type: A
DNS: brokenthird.net
Type: A
DNS: mightspecial.net
Type: A
DNS: dulcibellamartinson.net
Type: A
DNS: mariabellabotwright.net
Type: A
DNS: simonettesherisse.net
Type: A
DNS: decidebetween.net
Type: A
DNS: aloneneighbor.net
Type: A
DNS: gentleangry.net
Type: A
DNS: gwendolynhuddleston.net
Type: A
DNS: simonettedwerryhouse.net
Type: A
DNS: seasonstrong.net
Type: A
DNS: oftensurprise.net
Type: A
DNS: chiefanother.net
Type: A
DNS: morningduring.net
Type: A
DNS: wifeabout.net
Type: A
DNS: casestep.net
Type: A
DNS: weakbegan.net
Type: A
DNS: storykind.net
Type: A
DNS: weakkind.net
Type: A
DNS: afterwild.net
Type: A
DNS: forcewild.net
Type: A
DNS: forcejune.net
Type: A
DNS: afterbegan.net
Type: A
DNS: forcebegan.net
Type: A
DNS: afterkind.net
Type: A
DNS: forcekind.net
Type: A
DNS: sellwild.net
Type: A
DNS: wednesdaywild.net
Type: A
DNS: selljune.net
Type: A
DNS: wednesdayjune.net
Type: A
DNS: sellbegan.net
Type: A
DNS: wednesdaybegan.net
Type: A
DNS: sellkind.net
Type: A
DNS: wednesdaykind.net
Type: A
DNS: drivejune.net
Type: A
DNS: nailjune.net
Type: A
DNS: drivebegan.net
Type: A
DNS: nailbegan.net
Type: A
DNS: drivekind.net
Type: A
DNS: nailkind.net
Type: A
DNS: fieldboat.net
Type: A
DNS: queenboat.net
Type: A
DNS: fieldpress.net
Type: A
DNS: queenpress.net
Type: A
DNS: fieldrest.net
Type: A
DNS: queenrest.net
Type: A
DNS: fieldopen.net
Type: A
DNS: queenopen.net
Type: A
DNS: gainboat.net
Type: A
DNS: bothpress.net
Type: A
DNS: gainpress.net
Type: A
DNS: bothrest.net
Type: A
DNS: gainrest.net
Type: A
DNS: bothopen.net
Type: A
DNS: gainopen.net
Type: A
DNS: leastboat.net
Type: A
DNS: faceboat.net
Type: A
DNS: leastpress.net
Type: A
DNS: leastrest.net
Type: A
DNS: facerest.net
Type: A
DNS: leastopen.net
Type: A
DNS: faceopen.net
Type: A
DNS: monthboat.net
Type: A
DNS: walkboat.net
Type: A
DNS: monthpress.net
Type: A
DNS: walkpress.net
Type: A
DNS: monthrest.net
Type: A
DNS: walkrest.net
Type: A
DNS: monthopen.net
Type: A
DNS: walkopen.net
Type: A
DNS: storyboat.net
Type: A
HTTP GET: http://riddenstorm.net/index.php
User-Agent:
HTTP GET: http://afterjune.net/index.php
User-Agent:
HTTP GET: http://drivewild.net/index.php
User-Agent:
HTTP GET: http://nailwild.net/index.php
User-Agent:
HTTP GET: http://bothboat.net/index.php
User-Agent:
HTTP GET: http://faceboat.net/index.php
User-Agent:
HTTP GET: http://facepress.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1038 ➝ 195.154.108.241:80
Flows TCP: 192.168.1.1:1039 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1040 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1041 ➝ 195.22.28.196:80
Flows TCP: 192.168.1.1:1042 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1043 ➝ 50.63.33.1:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69646465 6e73746f 726d2e6e 65740d0a   iddenstorm.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2061   : close..Host: a
0x00000040 (00064)   66746572 6a756e65 2e6e6574 0d0a0d0a   fterjune.net....
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   72697665 77696c64 2e6e6574 0d0a0d0a   rivewild.net....
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206e   : close..Host: n
0x00000040 (00064)   61696c77 696c642e 6e65740d 0a0d0a0a   ailwild.net.....
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   6f746862 6f61742e 6e65740d 0a0d0a0a   othboat.net.....
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   61636562 6f61742e 6e65740d 0a0d0a0a   aceboat.net.....
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   61636570 72657373 2e6e6574 0d0a0d0a   acepress.net....
0x00000050 (00080)   0d0a                                  ..


Strings