Analysis Date: 2015-10-23 01:52:34
MD5: 17ddd43d673288df9762fec9e1f4fc9b
SHA1: 172c1cd5ddfb3d6b48687156a6c1b7baa3c3e7e2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: ddf149fa53ce17501e0d94b95dacf8dd sha1: 18afa71871a0518d668337185d8d518a26fea9c8 size: 196096
Section .rdata: md5: 81b0e055dfd4af3b41a3f43d62241f40 sha1: 8387a55b65c4eb513c7a4b56c4f52b79d152c48e size: 52224
Section .data: md5: 0068c24e1b815298abef2ffa5c95e73f sha1: fcfaa5d4ad146422c81bd0de1aed737e75e99668 size: 7168
Section .reloc: md5: b1fa2258382740c34b463cc0a49336b7 sha1: 8453266f6db2af1d1b85b2d082d233f8761fceb3 size: 14336
Timestamp: 2015-04-29 19:12:48
Packer: Microsoft Visual C++ 8
PEhash: e4226c7edea1f10edb5742c3a5108e887499d15e
IMPhash: 3c13252edbb1ef4fb64abe1a11f78a97
AV Rising: Trojan.Win32.Bayrod.a
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.604861
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.604861
AV BullGuard: Gen:Variant.Kazy.604861
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.604861
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.R.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AY
AV K7: Trojan ( 004c12491 )
AV BitDefender: Gen:Variant.Kazy.604861
AV Fortinet: W32/Generic.AC.215362
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Q
AV Alwil (avast): VB-AJEW [Trj]
AV Ad-Aware: Gen:Variant.Kazy.604861
AV Twister: Trojan.0000E9000000006A1.mg
AV Avira (antivir): TR/Kryptik.qgmpd
AV Mcafee: Trojan-FGIJ!17DDD43D6732

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\yrpnlxwgu\uyltm4ws
Creates File: C:\yrpnlxwgu\uddse1jeszkuexpbyhx.exe
Creates File: C:\yrpnlxwgu\uyltm4ws
Deletes File: C:\WINDOWS\yrpnlxwgu\uyltm4ws
Creates Process: C:\yrpnlxwgu\uddse1jeszkuexpbyhx.exe

Process
↳ C:\yrpnlxwgu\uddse1jeszkuexpbyhx.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\iSCSI Error RPC Host Cache ➝ C:\yrpnlxwgu\ujdbdntdna.exe
Creates File: C:\yrpnlxwgu\ujdbdntdna.exe
Creates File: C:\WINDOWS\yrpnlxwgu\uyltm4ws
Creates File: C:\yrpnlxwgu\ef6srq
Creates File: PIPE\lsarpc
Creates File: C:\yrpnlxwgu\uyltm4ws
Deletes File: C:\WINDOWS\yrpnlxwgu\uyltm4ws
Creates Process: C:\yrpnlxwgu\ujdbdntdna.exe
Creates Service: Presentation Profile DCOM Center User - C:\yrpnlxwgu\ujdbdntdna.exe

Process
↳ Pid 812

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1120

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1144

Process
↳ C:\yrpnlxwgu\ujdbdntdna.exe

Creates File: C:\WINDOWS\yrpnlxwgu\uyltm4ws
Creates File: pipe\net\NtControlPipe10
Creates File: C:\yrpnlxwgu\ef6srq
Creates File: \Device\Afd\Endpoint
Creates File: C:\yrpnlxwgu\uyltm4ws
Creates File: C:\yrpnlxwgu\gaxoxi2
Creates File: C:\yrpnlxwgu\erekowhwb.exe
Deletes File: C:\WINDOWS\yrpnlxwgu\uyltm4ws
Creates Process: wghpr2uf5mve "c:\yrpnlxwgu\ujdbdntdna.exe"

Process
↳ C:\yrpnlxwgu\ujdbdntdna.exe

Creates File: C:\WINDOWS\yrpnlxwgu\uyltm4ws
Creates File: C:\yrpnlxwgu\uyltm4ws
Deletes File: C:\WINDOWS\yrpnlxwgu\uyltm4ws

Process
↳ wghpr2uf5mve "c:\yrpnlxwgu\ujdbdntdna.exe"

Creates File: C:\WINDOWS\yrpnlxwgu\uyltm4ws
Creates File: C:\yrpnlxwgu\uyltm4ws
Deletes File: C:\WINDOWS\yrpnlxwgu\uyltm4ws

Network Details:

DNS: journeybright.net (Type: A) ➝ 50.63.202.63
DNS: forgetinstead.net (Type: A) ➝ 54.186.220.79
DNS: journeybrown.net (Type: A) ➝ 50.63.202.33
DNS: destroybrown.net (Type: A) ➝ 195.22.26.253
DNS: destroybrown.net (Type: A) ➝ 195.22.26.254
DNS: destroybrown.net (Type: A) ➝ 195.22.26.231
DNS: destroybrown.net (Type: A) ➝ 195.22.26.252
DNS: littlebrown.net (Type: A) ➝ 62.149.128.72
DNS: littlebrown.net (Type: A) ➝ 62.149.128.74
DNS: littlebrown.net (Type: A) ➝ 62.149.128.151
DNS: littlebrown.net (Type: A) ➝ 62.149.128.154
DNS: littlebrown.net (Type: A) ➝ 62.149.128.157
DNS: littlebrown.net (Type: A) ➝ 62.149.128.160
DNS: littlebrown.net (Type: A) ➝ 62.149.128.163
DNS: littlebrown.net (Type: A) ➝ 62.149.128.166
DNS: littlepeople.net (Type: A) ➝ 69.46.38.42
DNS: riddenready.net (Type: A) ➝ 208.100.26.234
DNS: journeyinstead.net (Type: A) ➝ (no answer recorded)
DNS: husbandinstead.net (Type: A) ➝ (no answer recorded)
DNS: journeyexplain.net (Type: A) ➝ (no answer recorded)
DNS: husbandexplain.net (Type: A) ➝ (no answer recorded)
DNS: husbandbright.net (Type: A) ➝ (no answer recorded)
DNS: journeyinside.net (Type: A) ➝ (no answer recorded)
DNS: husbandinside.net (Type: A) ➝ (no answer recorded)
DNS: destroyinstead.net (Type: A) ➝ (no answer recorded)
DNS: littleinstead.net (Type: A) ➝ (no answer recorded)
DNS: destroyexplain.net (Type: A) ➝ (no answer recorded)
DNS: littleexplain.net (Type: A) ➝ (no answer recorded)
DNS: destroybright.net (Type: A) ➝ (no answer recorded)
DNS: littlebright.net (Type: A) ➝ (no answer recorded)
DNS: destroyinside.net (Type: A) ➝ (no answer recorded)
DNS: littleinside.net (Type: A) ➝ (no answer recorded)
DNS: riddeninstead.net (Type: A) ➝ (no answer recorded)
DNS: belonginstead.net (Type: A) ➝ (no answer recorded)
DNS: riddenexplain.net (Type: A) ➝ (no answer recorded)
DNS: belongexplain.net (Type: A) ➝ (no answer recorded)
DNS: riddenbright.net (Type: A) ➝ (no answer recorded)
DNS: belongbright.net (Type: A) ➝ (no answer recorded)
DNS: riddeninside.net (Type: A) ➝ (no answer recorded)
DNS: belonginside.net (Type: A) ➝ (no answer recorded)
DNS: chairinstead.net (Type: A) ➝ (no answer recorded)
DNS: thoseinstead.net (Type: A) ➝ (no answer recorded)
DNS: chairexplain.net (Type: A) ➝ (no answer recorded)
DNS: thoseexplain.net (Type: A) ➝ (no answer recorded)
DNS: chairbright.net (Type: A) ➝ (no answer recorded)
DNS: thosebright.net (Type: A) ➝ (no answer recorded)
DNS: chairinside.net (Type: A) ➝ (no answer recorded)
DNS: thoseinside.net (Type: A) ➝ (no answer recorded)
DNS: withininstead.net (Type: A) ➝ (no answer recorded)
DNS: sufferinstead.net (Type: A) ➝ (no answer recorded)
DNS: withinexplain.net (Type: A) ➝ (no answer recorded)
DNS: sufferexplain.net (Type: A) ➝ (no answer recorded)
DNS: withinbright.net (Type: A) ➝ (no answer recorded)
DNS: sufferbright.net (Type: A) ➝ (no answer recorded)
DNS: withininside.net (Type: A) ➝ (no answer recorded)
DNS: sufferinside.net (Type: A) ➝ (no answer recorded)
DNS: effortinstead.net (Type: A) ➝ (no answer recorded)
DNS: throughinstead.net (Type: A) ➝ (no answer recorded)
DNS: effortexplain.net (Type: A) ➝ (no answer recorded)
DNS: throughexplain.net (Type: A) ➝ (no answer recorded)
DNS: effortbright.net (Type: A) ➝ (no answer recorded)
DNS: throughbright.net (Type: A) ➝ (no answer recorded)
DNS: effortinside.net (Type: A) ➝ (no answer recorded)
DNS: throughinside.net (Type: A) ➝ (no answer recorded)
DNS: increaseinstead.net (Type: A) ➝ (no answer recorded)
DNS: forgetexplain.net (Type: A) ➝ (no answer recorded)
DNS: increaseexplain.net (Type: A) ➝ (no answer recorded)
DNS: forgetbright.net (Type: A) ➝ (no answer recorded)
DNS: increasebright.net (Type: A) ➝ (no answer recorded)
DNS: forgetinside.net (Type: A) ➝ (no answer recorded)
DNS: increaseinside.net (Type: A) ➝ (no answer recorded)
DNS: wouldinstead.net (Type: A) ➝ (no answer recorded)
DNS: rememberinstead.net (Type: A) ➝ (no answer recorded)
DNS: wouldexplain.net (Type: A) ➝ (no answer recorded)
DNS: rememberexplain.net (Type: A) ➝ (no answer recorded)
DNS: wouldbright.net (Type: A) ➝ (no answer recorded)
DNS: rememberbright.net (Type: A) ➝ (no answer recorded)
DNS: wouldinside.net (Type: A) ➝ (no answer recorded)
DNS: rememberinside.net (Type: A) ➝ (no answer recorded)
DNS: journeyready.net (Type: A) ➝ (no answer recorded)
DNS: husbandready.net (Type: A) ➝ (no answer recorded)
DNS: husbandbrown.net (Type: A) ➝ (no answer recorded)
DNS: journeypeople.net (Type: A) ➝ (no answer recorded)
DNS: husbandpeople.net (Type: A) ➝ (no answer recorded)
DNS: journeydaughter.net (Type: A) ➝ (no answer recorded)
DNS: husbanddaughter.net (Type: A) ➝ (no answer recorded)
DNS: destroyready.net (Type: A) ➝ (no answer recorded)
DNS: littleready.net (Type: A) ➝ (no answer recorded)
DNS: destroypeople.net (Type: A) ➝ (no answer recorded)
DNS: destroydaughter.net (Type: A) ➝ (no answer recorded)
DNS: littledaughter.net (Type: A) ➝ (no answer recorded)
DNS: belongready.net (Type: A) ➝ (no answer recorded)
DNS: riddenbrown.net (Type: A) ➝ (no answer recorded)
DNS: belongbrown.net (Type: A) ➝ (no answer recorded)
DNS: riddenpeople.net (Type: A) ➝ (no answer recorded)
HTTP GET: http://journeybright.net/index.php (User-Agent: empty)
HTTP GET: http://forgetinstead.net/index.php (User-Agent: empty)
HTTP GET: http://journeybrown.net/index.php (User-Agent: empty)
HTTP GET: http://destroybrown.net/index.php (User-Agent: empty)
HTTP GET: http://littlebrown.net/index.php (User-Agent: empty)
HTTP GET: http://littlepeople.net/index.php (User-Agent: empty)
HTTP GET: http://riddenready.net/index.php (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 50.63.202.63:80
Flows TCP: 192.168.1.1:1032 ➝ 54.186.220.79:80
Flows TCP: 192.168.1.1:1033 ➝ 50.63.202.33:80
Flows TCP: 192.168.1.1:1034 ➝ 195.22.26.253:80
Flows TCP: 192.168.1.1:1035 ➝ 62.149.128.72:80
Flows TCP: 192.168.1.1:1036 ➝ 69.46.38.42:80
Flows TCP: 192.168.1.1:1037 ➝ 208.100.26.234:80

Raw Pcap

Strings