Analysis Date | 2015-07-30 22:52:22 |
---|---|
MD5 | 210fa4c6b75a0be1f24cb92242d6b6fb |
SHA1 | 1774ff5c043c12ece476645a4948925f2798ae26 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
---|---|
Section | .text md5: 97baad19a62d6a2b65988fd3020d899a sha1: 63cfba323c117276aea39a5552667ac0bc158b73 size: 255488 |
Section | .rdata md5: 1e7c9ed9c72f8aed3420d5c5251f1eff sha1: 9f2124f8df4ffdd30c26b768f578167ead7770bd size: 40960 |
Section | .data md5: 6399d9227af1d79ae7273a1cf126eed4 sha1: 5ac19cc29c6a227c738c9411b3d8b55d0cb1f6d7 size: 6656 |
Section | .reloc md5: b4483380a13c4590187758459df74a31 sha1: 51864bbb95f9c61191046cf8d75ec40cda40f2cc size: 16896 |
Timestamp | 2015-05-21 04:29:29 |
Packer | Microsoft Visual C++ ?.? |
PEhash | 8864c318665c7cc000c9f08650813597f0169a41 |
IMPhash | ec4ac29130c57be1c6c4f340a5b9ef87 |
AV | Frisk (f-prot) | no_virus |
AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort |
AV | Ad-Aware | Gen:Variant.Diley.1 |
AV | Symantec | Downloader.Upatre!g15 |
AV | Grisoft (avg) | Win32/Cryptor |
AV | Trend Micro | TROJ_BAYROB.SM0 |
AV | K7 | Trojan ( 004c2d921 ) |
AV | Kaspersky | Trojan.Win32.Scar.jvjw |
AV | Emsisoft | Gen:Variant.Diley.1 |
AV | Ikarus | Trojan.Win32.Bayrob |
AV | MicroWorld (escan) | Gen:Variant.Diley.1 |
AV | Mcafee | RDN/Generic.dx!dtc |
AV | F-Secure | Gen:Variant.Diley.1 |
AV | Arcabit (arcavir) | Gen:Variant.Diley.1 |
AV | Dr. Web | no_virus |
AV | Avira (antivir) | TR/Crypt.ZPACK.7951 |
AV | Padvish | no_virus |
AV | BullGuard | Gen:Variant.Diley.1 |
AV | CA (E-Trust Ino) | no_virus |
AV | Authentium | W32/Scar.V.gen!Eldorado |
AV | BitDefender | Gen:Variant.Diley.1 |
AV | CAT (quickheal) | Trojan.Scar.r4 |
AV | ClamAV | no_virus |
AV | Twister | no_virus |
AV | Rising | no_virus |
AV | Zillya! | Trojan.Scar.Win32.92132 |
AV | Eset (nod32) | Win32/Bayrob.Y |
AV | VirusBlokAda (vba32) | Trojan.Scar |
AV | Fortinet | W32/Scar.A!tr |
AV | Alwil (avast) | Malware-gen:Win32:Malware-gen |
AV | MalwareBytes | Trojan.Agent.KVTGen |
Runtime Details:
Process
↳ C:\malware.exe
Creates File | C:\WINDOWS\zkursiymyleah\oltlsnnv0tu |
---|---|
Creates File | C:\zkursiymyleah\sczt1khuxmrahpviev.exe |
Creates File | C:\zkursiymyleah\oltlsnnv0tu |
Deletes File | C:\WINDOWS\zkursiymyleah\oltlsnnv0tu |
Creates Process | C:\zkursiymyleah\sczt1khuxmrahpviev.exe |
Process
↳ C:\zkursiymyleah\sczt1khuxmrahpviev.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Instrumentation Files Encrypting ➝ C:\zkursiymyleah\ylilfkpm.exe |
---|---|
Creates File | C:\zkursiymyleah\ewavpsa |
Creates File | C:\WINDOWS\zkursiymyleah\oltlsnnv0tu |
Creates File | C:\zkursiymyleah\ylilfkpm.exe |
Creates File | C:\zkursiymyleah\oltlsnnv0tu |
Creates File | PIPE\lsarpc |
Deletes File | C:\WINDOWS\zkursiymyleah\oltlsnnv0tu |
Creates Process | C:\zkursiymyleah\ylilfkpm.exe |
Creates Service | Acquisition Interactive Access Visual - C:\zkursiymyleah\ylilfkpm.exe |
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 804
Process
↳ Pid 852
Process
↳ C:\WINDOWS\System32\svchost.exe
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
---|---|
Process
↳ Pid 1208
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
---|---|
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Process
↳ Pid 1868
Process
↳ Pid 1156
Process
↳ C:\zkursiymyleah\ylilfkpm.exe
Creates File | C:\zkursiymyleah\ewavpsa |
---|---|
Creates File | pipe\net\NtControlPipe10 |
Creates File | C:\WINDOWS\zkursiymyleah\oltlsnnv0tu |
Creates File | C:\zkursiymyleah\ekppzrt.exe |
Creates File | C:\zkursiymyleah\oltlsnnv0tu |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\zkursiymyleah\uodleri |
Deletes File | C:\WINDOWS\zkursiymyleah\oltlsnnv0tu |
Creates Process | t3jiwvvhioqf "c:\zkursiymyleah\ylilfkpm.exe" |
Process
↳ C:\zkursiymyleah\ylilfkpm.exe
Creates File | C:\WINDOWS\zkursiymyleah\oltlsnnv0tu |
---|---|
Creates File | C:\zkursiymyleah\oltlsnnv0tu |
Deletes File | C:\WINDOWS\zkursiymyleah\oltlsnnv0tu |
Process
↳ t3jiwvvhioqf "c:\zkursiymyleah\ylilfkpm.exe"
Creates File | C:\WINDOWS\zkursiymyleah\oltlsnnv0tu |
---|---|
Creates File | C:\zkursiymyleah\oltlsnnv0tu |
Deletes File | C:\WINDOWS\zkursiymyleah\oltlsnnv0tu |
Network Details:
HTTP GET | http://smokecondition.net/index.php User-Agent: |
HTTP GET | http://partynation.net/index.php User-Agent: |
HTTP GET | http://partyplease.net/index.php User-Agent: |
HTTP GET | http://freshpower.net/index.php User-Agent: |
HTTP GET | http://crowdfamous.net/index.php User-Agent: |
HTTP GET | http://crowdpower.net/index.php User-Agent: |
HTTP GET | http://thoughtpower.net/index.php User-Agent: |
HTTP GET | http://waterpower.net/index.php User-Agent: |
HTTP GET | http://womanpower.net/index.php User-Agent: |
HTTP GET | http://partypower.net/index.php User-Agent: |
HTTP GET | http://fightpower.net/index.php User-Agent: |
HTTP GET | http://partycountry.net/index.php User-Agent: |
HTTP GET | http://fightcountry.net/index.php User-Agent: |
Flows TCP | 192.168.1.1:1031 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1032 ➝ 72.52.4.91:80 |
Flows TCP | 192.168.1.1:1033 ➝ 209.157.71.176:80 |
Flows TCP | 192.168.1.1:1034 ➝ 195.149.84.100:80 |
Flows TCP | 192.168.1.1:1035 ➝ 95.211.230.75:80 |
Flows TCP | 192.168.1.1:1036 ➝ 162.244.253.60:80 |
Flows TCP | 192.168.1.1:1037 ➝ 23.229.204.192:80 |
Flows TCP | 192.168.1.1:1038 ➝ 72.52.4.120:80 |
Flows TCP | 192.168.1.1:1039 ➝ 72.52.4.120:80 |
Flows TCP | 192.168.1.1:1040 ➝ 66.151.181.49:80 |
Flows TCP | 192.168.1.1:1041 ➝ 64.99.80.30:80 |
Flows TCP | 192.168.1.1:1042 ➝ 8.5.1.16:80 |
Flows TCP | 192.168.1.1:1043 ➝ 184.168.221.55:80 |
Raw Pcap
Strings