Analysis Date: 2016-02-11 04:32:56
MD5: 7483b9f4d36a7d064257ad2166fee5b3
SHA1: 18477f7d1660f18800c4eb7429e396c446912d41

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 34426c827eec7ee855701b64c3324a6a sha1: 57f22f32d452ebc0cc74bdf632bb6cbe72d2b27e size: 1112576
Section .rdata: md5: 4ab0d31e749a7d1f19883d62daff717c sha1: c5f73072b1c27e73eeedfedecb35c5b7c599191e size: 247296
Section .data: md5: e48099818b442ef22932dfbc907022ae sha1: 3268f8aff4fb6ecd759dcd2fe81c71a759669765 size: 3072
Section .reloc: md5: d88b5ae8ab13f402f190961935c603cc sha1: aa4c55ea1ccb466c07abc176a3406d7bb729cbb7 size: 140800
Timestamp: 2015-11-05 23:27:47
Packer: Microsoft Visual C++ ?.?
PEhash: 9bce3d99d4fa5918984f9e04ae49b4d78f7a1a1a
IMPhash: 2b7d3c3efee215df24a9a6094b4f78ee
AV CA (E-Trust Ino): Gen:Variant.Kazy.794416
AV F-Secure: Gen:Variant.Kazy.794416
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Kazy.794416
AV BullGuard: Gen:Variant.Kazy.794416
AV CAT (quickheal): TrojanSpy.Nivdort.g4
AV VirusBlokAda (vba32): No Virus
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): No Virus
AV Emsisoft: Gen:Variant.Kazy.794416
AV Authentium: No Virus
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Kazy.794416
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DF
AV K7: Trojan ( 004da8bd1 )
AV BitDefender: Gen:Variant.Kazy.794416
AV Fortinet: W32/Bayrob.AQ!tr
AV Symantec: No Virus
AV Grisoft (avg): Generic37.AEOE
AV Eset (nod32): Win32/Bayrob.BK
AV Alwil (avast): No Virus
AV Rising: No Virus
AV Ad-Aware: Gen:Variant.Kazy.794416
AV Twister: No Virus
AV Avira (antivir): TR/Nivdort.A.35052
AV Mcafee: Trojan-FHSX!7483B9F4D36A

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\lzeffnxar03kzcrqaskgw1up.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\rgjdkbkcujfaqcb\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\lzeffnxar03kzcrqaskgw1up.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\lzeffnxar03kzcrqaskgw1up.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Background Extender Encrypting Layer Error ➝ C:\WINDOWS\system32\aiivsynhz.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\aiivsynhz.exe
Creates File: C:\WINDOWS\system32\rgjdkbkcujfaqcb\lck
Creates File: C:\WINDOWS\system32\rgjdkbkcujfaqcb\tst
Creates Process: C:\WINDOWS\system32\aiivsynhz.exe
Creates Service: Experience DHCP Trap Desktop Store COM Program - C:\WINDOWS\system32\aiivsynhz.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1124

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ Pid 1188

Process
↳ C:\WINDOWS\system32\aiivsynhz.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\lzeffn4qokuzzcrqa.exe
Creates File: C:\WINDOWS\system32\rgjdkbkcujfaqcb\lck
Creates File: C:\WINDOWS\system32\rgjdkbkcujfaqcb\tst
Creates File: C:\WINDOWS\system32\rgjdkbkcujfaqcb\rng
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\gwapjjqe.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\rgjdkbkcujfaqcb\run
Creates File: C:\WINDOWS\system32\rgjdkbkcujfaqcb\cfg
Creates Process: C:\WINDOWS\TEMP\lzeffn4qokuzzcrqa.exe -r 38613 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\aiivsynhz.exe"

Process
↳ C:\WINDOWS\system32\aiivsynhz.exe

Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\rgjdkbkcujfaqcb\tst

Process
↳ c:\windows\system32\aiivsynhz.exe

Creates File: C:\WINDOWS\system32\rgjdkbkcujfaqcb\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\aiivsynhz.exe"

Creates File: C:\WINDOWS\system32\rgjdkbkcujfaqcb\tst
Creates Process: c:\windows\system32\aiivsynhz.exe

Process
↳ C:\WINDOWS\TEMP\lzeffn4qokuzzcrqa.exe -r 38613 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS (A): riddenstorm.net ➝ 66.147.240.171
DNS (A): gwendolynhuddleston.net ➝ 98.139.135.129
DNS (A): forcecity.net ➝ 209.99.40.222
DNS (A): nailtear.net ➝ 208.100.26.234
DNS (A): drivecity.net ➝ 213.186.33.17
DNS (A): nailcity.net ➝ 207.148.248.143
DNS (A): nailpure.net ➝ 50.63.202.51
DNS (A): doubleobject.net
DNS (A): brokenthird.net
DNS (A): mightspecial.net
DNS (A): dulcibellamartinson.net
DNS (A): mariabellabotwright.net
DNS (A): simonettesherisse.net
DNS (A): decidebetween.net
DNS (A): aloneneighbor.net
DNS (A): gentleangry.net
DNS (A): simonettedwerryhouse.net
DNS (A): seasonstrong.net
DNS (A): oftensurprise.net
DNS (A): chiefanother.net
DNS (A): morningduring.net
DNS (A): wifeabout.net
DNS (A): casestep.net
DNS (A): forcethank.net
DNS (A): aftercity.net
DNS (A): sellgrow.net
DNS (A): wednesdaygrow.net
DNS (A): selltear.net
DNS (A): wednesdaytear.net
DNS (A): sellthank.net
DNS (A): wednesdaythank.net
DNS (A): sellcity.net
DNS (A): wednesdaycity.net
DNS (A): drivegrow.net
DNS (A): nailgrow.net
DNS (A): drivetear.net
DNS (A): drivethank.net
DNS (A): nailthank.net
DNS (A): fieldpure.net
DNS (A): queenpure.net
DNS (A): fieldmarch.net
DNS (A): queenmarch.net
DNS (A): fielddish.net
DNS (A): queendish.net
DNS (A): fieldjuly.net
DNS (A): queenjuly.net
DNS (A): bothpure.net
DNS (A): gainpure.net
DNS (A): bothmarch.net
DNS (A): gainmarch.net
DNS (A): bothdish.net
DNS (A): gaindish.net
DNS (A): bothjuly.net
DNS (A): gainjuly.net
DNS (A): leastpure.net
DNS (A): facepure.net
DNS (A): leastmarch.net
DNS (A): facemarch.net
DNS (A): leastdish.net
DNS (A): facedish.net
DNS (A): leastjuly.net
DNS (A): facejuly.net
DNS (A): monthpure.net
DNS (A): walkpure.net
DNS (A): monthmarch.net
DNS (A): walkmarch.net
DNS (A): monthdish.net
DNS (A): walkdish.net
DNS (A): monthjuly.net
DNS (A): walkjuly.net
DNS (A): storypure.net
DNS (A): weakpure.net
DNS (A): storymarch.net
DNS (A): weakmarch.net
DNS (A): storydish.net
DNS (A): weakdish.net
DNS (A): storyjuly.net
DNS (A): weakjuly.net
DNS (A): afterpure.net
DNS (A): forcepure.net
DNS (A): aftermarch.net
DNS (A): forcemarch.net
DNS (A): afterdish.net
DNS (A): forcedish.net
DNS (A): afterjuly.net
DNS (A): forcejuly.net
DNS (A): sellpure.net
DNS (A): wednesdaypure.net
DNS (A): sellmarch.net
DNS (A): wednesdaymarch.net
DNS (A): selldish.net
DNS (A): wednesdaydish.net
DNS (A): selljuly.net
DNS (A): wednesdayjuly.net
DNS (A): drivepure.net
DNS (A): drivemarch.net
DNS (A): nailmarch.net
DNS (A): drivedish.net
DNS (A): naildish.net
DNS (A): drivejuly.net
DNS (A): nailjuly.net
DNS (A): fieldcompe.net
DNS (A): queencompe.net
HTTP GET: http://riddenstorm.net/index.php
  User-Agent:
HTTP GET: http://gwendolynhuddleston.net/index.php
  User-Agent:
HTTP GET: http://forcecity.net/index.php
  User-Agent:
HTTP GET: http://nailtear.net/index.php
  User-Agent:
HTTP GET: http://drivecity.net/index.php
  User-Agent:
HTTP GET: http://nailcity.net/index.php
  User-Agent:
HTTP GET: http://nailpure.net/index.php
  User-Agent:
HTTP GET: http://riddenstorm.net/index.php
  User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1037 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1039 ➝ 209.99.40.222:80
Flows TCP: 192.168.1.1:1040 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1041 ➝ 213.186.33.17:80
Flows TCP: 192.168.1.1:1042 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1043 ➝ 50.63.202.51:80
Flows TCP: 192.168.1.1:1044 ➝ 66.147.240.171:80
