Analysis | #totalhash

Analysis Date	2015-07-30 22:52:22
MD5	210fa4c6b75a0be1f24cb92242d6b6fb
SHA1	1774ff5c043c12ece476645a4948925f2798ae26

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 97baad19a62d6a2b65988fd3020d899a sha1: 63cfba323c117276aea39a5552667ac0bc158b73 size: 255488
Section	.rdata md5: 1e7c9ed9c72f8aed3420d5c5251f1eff sha1: 9f2124f8df4ffdd30c26b768f578167ead7770bd size: 40960
Section	.data md5: 6399d9227af1d79ae7273a1cf126eed4 sha1: 5ac19cc29c6a227c738c9411b3d8b55d0cb1f6d7 size: 6656
Section	.reloc md5: b4483380a13c4590187758459df74a31 sha1: 51864bbb95f9c61191046cf8d75ec40cda40f2cc size: 16896
Timestamp	2015-05-21 04:29:29
Packer	Microsoft Visual C++ ?.?
PEhash	8864c318665c7cc000c9f08650813597f0169a41
IMPhash	ec4ac29130c57be1c6c4f340a5b9ef87
AV	Frisk (f-prot)	no_virus
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort
AV	Ad-Aware	Gen:Variant.Diley.1
AV	Symantec	Downloader.Upatre!g15
AV	Grisoft (avg)	Win32/Cryptor
AV	Trend Micro	TROJ_BAYROB.SM0
AV	K7	Trojan ( 004c2d921 )
AV	Kaspersky	Trojan.Win32.Scar.jvjw
AV	Emsisoft	Gen:Variant.Diley.1
AV	Ikarus	Trojan.Win32.Bayrob
AV	MicroWorld (escan)	Gen:Variant.Diley.1
AV	Mcafee	RDN/Generic.dx!dtc
AV	F-Secure	Gen:Variant.Diley.1
AV	Arcabit (arcavir)	Gen:Variant.Diley.1
AV	Dr. Web	no_virus
AV	Avira (antivir)	TR/Crypt.ZPACK.7951
AV	Padvish	no_virus
AV	BullGuard	Gen:Variant.Diley.1
AV	CA (E-Trust Ino)	no_virus
AV	Authentium	W32/Scar.V.gen!Eldorado
AV	BitDefender	Gen:Variant.Diley.1
AV	CAT (quickheal)	Trojan.Scar.r4
AV	ClamAV	no_virus
AV	Twister	no_virus
AV	Rising	no_virus
AV	Zillya!	Trojan.Scar.Win32.92132
AV	Eset (nod32)	Win32/Bayrob.Y
AV	VirusBlokAda (vba32)	Trojan.Scar
AV	Fortinet	W32/Scar.A!tr
AV	Alwil (avast)	Malware-gen:Win32:Malware-gen
AV	MalwareBytes	Trojan.Agent.KVTGen

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\WINDOWS\zkursiymyleah\oltlsnnv0tu
Creates File	C:\zkursiymyleah\sczt1khuxmrahpviev.exe
Creates File	C:\zkursiymyleah\oltlsnnv0tu
Deletes File	C:\WINDOWS\zkursiymyleah\oltlsnnv0tu
Creates Process	C:\zkursiymyleah\sczt1khuxmrahpviev.exe

Process
↳ C:\zkursiymyleah\sczt1khuxmrahpviev.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Instrumentation Files Encrypting ➝ C:\zkursiymyleah\ylilfkpm.exe
Creates File	C:\zkursiymyleah\ewavpsa
Creates File	C:\WINDOWS\zkursiymyleah\oltlsnnv0tu
Creates File	C:\zkursiymyleah\ylilfkpm.exe
Creates File	C:\zkursiymyleah\oltlsnnv0tu
Creates File	PIPE\lsarpc
Deletes File	C:\WINDOWS\zkursiymyleah\oltlsnnv0tu
Creates Process	C:\zkursiymyleah\ylilfkpm.exe
Creates Service	Acquisition Interactive Access Visual - C:\zkursiymyleah\ylilfkpm.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1156

Process
↳ C:\zkursiymyleah\ylilfkpm.exe

Creates File	C:\zkursiymyleah\ewavpsa
Creates File	pipe\net\NtControlPipe10
Creates File	C:\WINDOWS\zkursiymyleah\oltlsnnv0tu
Creates File	C:\zkursiymyleah\ekppzrt.exe
Creates File	C:\zkursiymyleah\oltlsnnv0tu
Creates File	\Device\Afd\Endpoint
Creates File	C:\zkursiymyleah\uodleri
Deletes File	C:\WINDOWS\zkursiymyleah\oltlsnnv0tu
Creates Process	t3jiwvvhioqf "c:\zkursiymyleah\ylilfkpm.exe"

Process
↳ C:\zkursiymyleah\ylilfkpm.exe

Creates File	C:\WINDOWS\zkursiymyleah\oltlsnnv0tu
Creates File	C:\zkursiymyleah\oltlsnnv0tu
Deletes File	C:\WINDOWS\zkursiymyleah\oltlsnnv0tu

Process
↳ t3jiwvvhioqf "c:\zkursiymyleah\ylilfkpm.exe"

Creates File	C:\WINDOWS\zkursiymyleah\oltlsnnv0tu
Creates File	C:\zkursiymyleah\oltlsnnv0tu
Deletes File	C:\WINDOWS\zkursiymyleah\oltlsnnv0tu

Network Details:

DNS	smokecondition.net Type: A 208.91.197.241
DNS	partynation.net Type: A 72.52.4.91
DNS	partyplease.net Type: A 209.157.71.176
DNS	freshpower.net Type: A 195.149.84.100
DNS	freshpower.net Type: A 195.149.84.101
DNS	crowdfamous.net Type: A 95.211.230.75
DNS	crowdpower.net Type: A 162.244.253.60
DNS	thoughtpower.net Type: A 23.229.204.192
DNS	waterpower.net Type: A 72.52.4.120
DNS	womanpower.net Type: A 72.52.4.120
DNS	partypower.net Type: A 66.151.181.49
DNS	fightpower.net Type: A 64.99.80.30
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	fightcountry.net Type: A 184.168.221.55
DNS	fightnation.net Type: A
DNS	partysoldier.net Type: A
DNS	fightsoldier.net Type: A
DNS	fightplease.net Type: A
DNS	partycondition.net Type: A
DNS	fightcondition.net Type: A
DNS	freshcentury.net Type: A
DNS	experiencecentury.net Type: A
DNS	freshfamous.net Type: A
DNS	experiencefamous.net Type: A
DNS	experiencepower.net Type: A
DNS	freshcountry.net Type: A
DNS	experiencecountry.net Type: A
DNS	gentlemancentury.net Type: A
DNS	alreadycentury.net Type: A
DNS	gentlemanfamous.net Type: A
DNS	alreadyfamous.net Type: A
DNS	gentlemanpower.net Type: A
DNS	alreadypower.net Type: A
DNS	gentlemancountry.net Type: A
DNS	alreadycountry.net Type: A
DNS	followcentury.net Type: A
DNS	membercentury.net Type: A
DNS	followfamous.net Type: A
DNS	memberfamous.net Type: A
DNS	followpower.net Type: A
DNS	memberpower.net Type: A
DNS	followcountry.net Type: A
DNS	membercountry.net Type: A
DNS	begincentury.net Type: A
DNS	knowncentury.net Type: A
DNS	beginfamous.net Type: A
DNS	knownfamous.net Type: A
DNS	beginpower.net Type: A
DNS	knownpower.net Type: A
DNS	begincountry.net Type: A
DNS	knowncountry.net Type: A
DNS	summercentury.net Type: A
DNS	crowdcentury.net Type: A
DNS	summerfamous.net Type: A
DNS	summerpower.net Type: A
DNS	summercountry.net Type: A
DNS	crowdcountry.net Type: A
DNS	thoughtcentury.net Type: A
DNS	watercentury.net Type: A
DNS	thoughtfamous.net Type: A
DNS	waterfamous.net Type: A
DNS	thoughtcountry.net Type: A
DNS	watercountry.net Type: A
DNS	womancentury.net Type: A
DNS	smokecentury.net Type: A
DNS	womanfamous.net Type: A
DNS	smokefamous.net Type: A
DNS	smokepower.net Type: A
DNS	womancountry.net Type: A
DNS	smokecountry.net Type: A
DNS	partycentury.net Type: A
DNS	fightcentury.net Type: A
DNS	partyfamous.net Type: A
DNS	fightfamous.net Type: A
DNS	partycountry.net Type: A
DNS	freshsurprise.net Type: A
DNS	experiencesurprise.net Type: A
DNS	freshbeside.net Type: A
DNS	experiencebeside.net Type: A
DNS	freshletter.net Type: A
DNS	experienceletter.net Type: A
DNS	freshdifferent.net Type: A
DNS	experiencedifferent.net Type: A
DNS	gentlemansurprise.net Type: A
DNS	alreadysurprise.net Type: A
DNS	gentlemanbeside.net Type: A
DNS	alreadybeside.net Type: A
HTTP GET	http://smokecondition.net/index.php User-Agent:
HTTP GET	http://partynation.net/index.php User-Agent:
HTTP GET	http://partyplease.net/index.php User-Agent:
HTTP GET	http://freshpower.net/index.php User-Agent:
HTTP GET	http://crowdfamous.net/index.php User-Agent:
HTTP GET	http://crowdpower.net/index.php User-Agent:
HTTP GET	http://thoughtpower.net/index.php User-Agent:
HTTP GET	http://waterpower.net/index.php User-Agent:
HTTP GET	http://womanpower.net/index.php User-Agent:
HTTP GET	http://partypower.net/index.php User-Agent:
HTTP GET	http://fightpower.net/index.php User-Agent:
HTTP GET	http://partycountry.net/index.php User-Agent:
HTTP GET	http://fightcountry.net/index.php User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1032 ➝ 72.52.4.91:80
Flows TCP	192.168.1.1:1033 ➝ 209.157.71.176:80
Flows TCP	192.168.1.1:1034 ➝ 195.149.84.100:80
Flows TCP	192.168.1.1:1035 ➝ 95.211.230.75:80
Flows TCP	192.168.1.1:1036 ➝ 162.244.253.60:80
Flows TCP	192.168.1.1:1037 ➝ 23.229.204.192:80
Flows TCP	192.168.1.1:1038 ➝ 72.52.4.120:80
Flows TCP	192.168.1.1:1039 ➝ 72.52.4.120:80
Flows TCP	192.168.1.1:1040 ➝ 66.151.181.49:80
Flows TCP	192.168.1.1:1041 ➝ 64.99.80.30:80
Flows TCP	192.168.1.1:1042 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1043 ➝ 184.168.221.55:80

Raw Pcap

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   6d6f6b65 636f6e64 6974696f 6e2e6e65   mokecondition.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   61727479 6e617469 6f6e2e6e 65740d0a   artynation.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   61727479 706c6561 73652e6e 65740d0a   artyplease.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   72657368 706f7765 722e6e65 740d0a0d   reshpower.net...
0x00000050 (00080)   0a0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   726f7764 66616d6f 75732e6e 65740d0a   rowdfamous.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   726f7764 706f7765 722e6e65 740d0a0d   rowdpower.net...
0x00000050 (00080)   0a0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2074   : close..Host: t
0x00000040 (00064)   686f7567 6874706f 7765722e 6e65740d   houghtpower.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746572 706f7765 722e6e65 740d0a0d   aterpower.net...
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   6f6d616e 706f7765 722e6e65 740d0a0d   omanpower.net...
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   61727479 706f7765 722e6e65 740d0a0d   artypower.net...
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   69676874 706f7765 722e6e65 740d0a0d   ightpower.net...
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   61727479 636f756e 7472792e 6e65740d   artycountry.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   69676874 636f756e 7472792e 6e65740d   ightcountry.net.
0x00000050 (00080)   0a0d0a                                ...

Strings