Analysis Date: 2016-02-03 06:30:32
MD5: a749c3fc32abae52f5c397485b673f56
SHA1: 1521f352dd916501faef2eb2f0a472a9c27f981c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 a2675bc12eb43192612074f4e1a91f29, sha1 da5e0cc818c5a2bf22c1fad37232c44a5de5d729, size 183296
Section .rdata: md5 f8fe40ff545e98d7f54ec15a1ad14d1e, sha1 258d7beed461cc93506ec4a9a0313f5eba221cec, size 2560
Section .data: md5 b21c7c0b205272badda0ba9f0e23e3ae, sha1 d1b5b2ec40476cce2782e336647694ac2c069b68, size 15360
Section .reloc: md5 136762baf35231de923a991a63ea9add, sha1 38f027469a0bd6ae895fafe40f3792a87b7dee40, size 30208
Timestamp: 2014-09-10 22:10:59
PEhash: e02820a9069823db221a97e514bee71bfa476431
IMPhash: 986f8ccf0000d342f4fdacb47f8d0f1f
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: Trojan-FHQT!A749C3FC32AB
AV Avira (antivir): TR/Nivdort.A.22269
AV Twister: No Virus
AV Ad-Aware: Trojan.Generic.15789896
AV Alwil (avast): Vupa [Cryp]
AV Eset (nod32): Win32/Bayrob.BA
AV Grisoft (avg): Generic37.WIM
AV Symantec: Trojan.Bayrob!gen6
AV Fortinet: W32/Bayrob.AQ!tr
AV BitDefender: Trojan.Generic.15789896
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV MicroWorld (escan): Gen:Variant.Kazy.788903
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.G.gen!Eldorado
AV Emsisoft: Trojan.Generic.15789896
AV Frisk (f-prot): W32/Nivdort.G.gen!Eldorado
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV BullGuard: Trojan.Generic.15789896
AV Arcabit (arcavir): Trojan.Generic.15789896
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.6065
AV F-Secure: Trojan.Generic.15789896

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\jhielseic\iy7fqhct
Creates File: C:\jhielseic\gbu41l1tchppua2llg.exe
Creates File: C:\WINDOWS\jhielseic\iy7fqhct
Deletes File: C:\WINDOWS\jhielseic\iy7fqhct
Creates Process: C:\jhielseic\gbu41l1tchppua2llg.exe

Process
↳ C:\jhielseic\gbu41l1tchppua2llg.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Machine Group Connect Drive Event ➝ C:\jhielseic\ticvooyyw.exe
Creates File: C:\jhielseic\iy7fqhct
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\jhielseic\iy7fqhct
Creates File: C:\jhielseic\ticvooyyw.exe
Creates File: C:\jhielseic\xvuk2dgc
Deletes File: C:\WINDOWS\jhielseic\iy7fqhct
Creates Process: C:\jhielseic\ticvooyyw.exe
Creates Service: Studio Routing Multimedia Brightness - C:\jhielseic\ticvooyyw.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1124

Process
↳ C:\jhielseic\ticvooyyw.exe

Creates File: C:\jhielseic\iy7fqhct
Creates File: pipe\net\NtControlPipe10
Creates File: C:\jhielseic\dcnhrhylwmt
Creates File: C:\jhielseic\mytobhbsldt.exe
Creates File: C:\WINDOWS\jhielseic\iy7fqhct
Creates File: \Device\Afd\Endpoint
Creates File: C:\jhielseic\xvuk2dgc
Deletes File: C:\WINDOWS\jhielseic\iy7fqhct
Creates Process: ezl9byg3ubqp "c:\jhielseic\ticvooyyw.exe"

Process
↳ C:\jhielseic\ticvooyyw.exe

Creates File: C:\jhielseic\iy7fqhct
Creates File: C:\WINDOWS\jhielseic\iy7fqhct
Deletes File: C:\WINDOWS\jhielseic\iy7fqhct

Process
↳ ezl9byg3ubqp "c:\jhielseic\ticvooyyw.exe"

Creates File: C:\jhielseic\iy7fqhct
Creates File: C:\WINDOWS\jhielseic\iy7fqhct
Deletes File: C:\WINDOWS\jhielseic\iy7fqhct

Network Details:

DNS: watertrust.net (Type: A) ➝ 208.91.197.27
DNS: smokesystem.net (Type: A) ➝ 208.100.26.234
DNS: smoketrust.net (Type: A) ➝ 98.139.135.129
DNS: partysystem.net (Type: A) ➝ 82.165.73.79
DNS: crowdfriend.net (Type: A) ➝ 50.63.202.48
DNS: waterfriend.net (Type: A) ➝ 69.64.147.242
DNS: partyfriend.net (Type: A) ➝ 89.31.143.16
DNS: freshfuture.net (Type: A) ➝ 66.39.68.24
DNS: gentlemanearly.net (Type: A) ➝ 208.100.26.234
DNS: womanhonor.net (Type: A)
DNS: smokehonor.net (Type: A)
DNS: womanneither.net (Type: A)
DNS: smokeneither.net (Type: A)
DNS: womansystem.net (Type: A)
DNS: womantrust.net (Type: A)
DNS: partyhonor.net (Type: A)
DNS: fighthonor.net (Type: A)
DNS: partyneither.net (Type: A)
DNS: fightneither.net (Type: A)
DNS: fightsystem.net (Type: A)
DNS: partytrust.net (Type: A)
DNS: fighttrust.net (Type: A)
DNS: freshlaughter.net (Type: A)
DNS: experiencelaughter.net (Type: A)
DNS: freshfancy.net (Type: A)
DNS: experiencefancy.net (Type: A)
DNS: freshconsider.net (Type: A)
DNS: experienceconsider.net (Type: A)
DNS: freshfriend.net (Type: A)
DNS: experiencefriend.net (Type: A)
DNS: gentlemanlaughter.net (Type: A)
DNS: alreadylaughter.net (Type: A)
DNS: gentlemanfancy.net (Type: A)
DNS: alreadyfancy.net (Type: A)
DNS: gentlemanconsider.net (Type: A)
DNS: alreadyconsider.net (Type: A)
DNS: gentlemanfriend.net (Type: A)
DNS: alreadyfriend.net (Type: A)
DNS: followlaughter.net (Type: A)
DNS: memberlaughter.net (Type: A)
DNS: followfancy.net (Type: A)
DNS: memberfancy.net (Type: A)
DNS: followconsider.net (Type: A)
DNS: memberconsider.net (Type: A)
DNS: followfriend.net (Type: A)
DNS: memberfriend.net (Type: A)
DNS: beginlaughter.net (Type: A)
DNS: knownlaughter.net (Type: A)
DNS: beginfancy.net (Type: A)
DNS: knownfancy.net (Type: A)
DNS: beginconsider.net (Type: A)
DNS: knownconsider.net (Type: A)
DNS: beginfriend.net (Type: A)
DNS: knownfriend.net (Type: A)
DNS: summerlaughter.net (Type: A)
DNS: crowdlaughter.net (Type: A)
DNS: summerfancy.net (Type: A)
DNS: crowdfancy.net (Type: A)
DNS: summerconsider.net (Type: A)
DNS: crowdconsider.net (Type: A)
DNS: summerfriend.net (Type: A)
DNS: thoughtlaughter.net (Type: A)
DNS: waterlaughter.net (Type: A)
DNS: thoughtfancy.net (Type: A)
DNS: waterfancy.net (Type: A)
DNS: thoughtconsider.net (Type: A)
DNS: waterconsider.net (Type: A)
DNS: thoughtfriend.net (Type: A)
DNS: womanlaughter.net (Type: A)
DNS: smokelaughter.net (Type: A)
DNS: womanfancy.net (Type: A)
DNS: smokefancy.net (Type: A)
DNS: womanconsider.net (Type: A)
DNS: smokeconsider.net (Type: A)
DNS: womanfriend.net (Type: A)
DNS: smokefriend.net (Type: A)
DNS: partylaughter.net (Type: A)
DNS: fightlaughter.net (Type: A)
DNS: partyfancy.net (Type: A)
DNS: fightfancy.net (Type: A)
DNS: partyconsider.net (Type: A)
DNS: fightconsider.net (Type: A)
DNS: fightfriend.net (Type: A)
DNS: freshsmell.net (Type: A)
DNS: experiencesmell.net (Type: A)
DNS: freshearly.net (Type: A)
DNS: experienceearly.net (Type: A)
DNS: freshsafety.net (Type: A)
DNS: experiencesafety.net (Type: A)
DNS: experiencefuture.net (Type: A)
DNS: gentlemansmell.net (Type: A)
DNS: alreadysmell.net (Type: A)
DNS: alreadyearly.net (Type: A)
DNS: gentlemansafety.net (Type: A)
DNS: alreadysafety.net (Type: A)
DNS: gentlemanfuture.net (Type: A)
DNS: alreadyfuture.net (Type: A)
DNS: followsmell.net (Type: A)
DNS: membersmell.net (Type: A)
DNS: followearly.net (Type: A)
DNS: memberearly.net (Type: A)
DNS: followsafety.net (Type: A)
DNS: membersafety.net (Type: A)
DNS: followfuture.net (Type: A)
DNS: memberfuture.net (Type: A)
DNS: beginsmell.net (Type: A)
DNS: knownsmell.net (Type: A)
DNS: beginearly.net (Type: A)
HTTP GET: http://watertrust.net/index.php (User-Agent: empty)
HTTP GET: http://smokesystem.net/index.php (User-Agent: empty)
HTTP GET: http://smoketrust.net/index.php (User-Agent: empty)
HTTP GET: http://partysystem.net/index.php (User-Agent: empty)
HTTP GET: http://crowdfriend.net/index.php (User-Agent: empty)
HTTP GET: http://waterfriend.net/index.php (User-Agent: empty)
HTTP GET: http://partyfriend.net/index.php (User-Agent: empty)
HTTP GET: http://freshfuture.net/index.php (User-Agent: empty)
HTTP GET: http://gentlemanearly.net/index.php (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1032 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1033 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1034 ➝ 82.165.73.79:80
Flows TCP: 192.168.1.1:1035 ➝ 50.63.202.48:80
Flows TCP: 192.168.1.1:1036 ➝ 69.64.147.242:80
Flows TCP: 192.168.1.1:1037 ➝ 89.31.143.16:80
Flows TCP: 192.168.1.1:1038 ➝ 66.39.68.24:80
Flows TCP: 192.168.1.1:1039 ➝ 208.100.26.234:80