Analysis Date: 2016-02-11 04:28:46
MD5: 8ea84db07289467791b4b5cd2ef1f67c
SHA1: 191a079b733b55f2af4d69b7fa3f4c8b19ef0927

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 02ef356a98cc28ae1369011a58111eeb sha1: ccc67dbe8aa1f1f8cf7a53622d28f5bff5475d2c size: 545792
Section .rdata md5: 26e5f7387a5ed84f494af5de471a71f2 sha1: a23f965f63bfeb45abcaf09a6c238a8a41bc7429 size: 260096
Section .data md5: 07b5472d347d42780469fb2654b7fc54 sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d size: 512
Section .reloc md5: 595785ecfa23ab4bcb3aa81adac36ce1 sha1: 5b4413b2925825f746cf88cfc8f0e77d04c90594 size: 87040
Timestamp: 2015-12-29 20:04:32
PEhash: b40892555629a41921df8ad25bd83d3ff21a403b
IMPhash: cce853bb421b3f9693e0a81f4cd28a82
AV CA (E-Trust Ino): Gen:Variant.Razy.14896
AV Rising: No Virus
AV Mcafee: Trojan-FHOH!8EA84DB07289
AV Avira (antivir): TR/Crypt.Xpack.446578
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.14896
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): Win32/Bayrob.AS
AV Grisoft (avg): Generic37.AMHW
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.AS!tr
AV BitDefender: Gen:Variant.Razy.14896
AV K7: Trojan ( 004db0c61 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DG
AV MicroWorld (escan): Gen:Variant.Zusy.179160
AV MalwareBytes: No Virus
AV Authentium: No Virus
AV Emsisoft: Gen:Variant.Razy.14896
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Bayrob.dvhb
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.r4
AV BullGuard: Gen:Variant.Zusy.179160
AV Arcabit (arcavir): Gen:Variant.Razy.14896
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Razy.14896

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\todolndtjevqmw\tst
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\opm3bebu4dqumziojtta0v.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\opm3bebu4dqumziojtta0v.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\opm3bebu4dqumziojtta0v.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\COM Event Tunneling Foundation ➝ C:\WINDOWS\system32\xkcoorbr.exe
Creates File: C:\WINDOWS\system32\todolndtjevqmw\tst
Creates File: C:\WINDOWS\system32\todolndtjevqmw\lck
Creates File: C:\WINDOWS\system32\xkcoorbr.exe
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\xkcoorbr.exe
Creates Service: DCOM Notification HomeGroup - C:\WINDOWS\system32\xkcoorbr.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1844

Process
↳ Pid 1144

Process
↳ C:\WINDOWS\system32\xkcoorbr.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\todolndtjevqmw\run
Creates File: C:\WINDOWS\system32\todolndtjevqmw\lck
Creates File: C:\WINDOWS\system32\abhiatbbkevi.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\WINDOWS\system32\todolndtjevqmw\tst
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\TEMP\opm3bebnfo5qmzi.exe
Creates File: C:\WINDOWS\system32\todolndtjevqmw\cfg
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\todolndtjevqmw\rng
Creates Process: WATCHDOGPROC "c:\windows\system32\xkcoorbr.exe"
Creates Process: C:\WINDOWS\TEMP\opm3bebnfo5qmzi.exe -r 41720 tcp

Process
↳ C:\WINDOWS\system32\xkcoorbr.exe

Creates File: C:\WINDOWS\system32\todolndtjevqmw\tst
Creates File: PIPE\lsarpc

Process
↳ WATCHDOGPROC "c:\windows\system32\xkcoorbr.exe"

Creates File: C:\WINDOWS\system32\todolndtjevqmw\tst

Process
↳ C:\WINDOWS\TEMP\opm3bebnfo5qmzi.exe -r 41720 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: journeymeasure.net (Type: A) ➝ 50.87.249.65
DNS: orderthrown.net (Type: A)
DNS: decidepromise.net (Type: A)
DNS: seasonstrong.net (Type: A)
DNS: simonettedwerryhouse.net (Type: A)
DNS: morningduring.net (Type: A)
DNS: chiefanother.net (Type: A)
HTTP GET: http://journeymeasure.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1038 ➝ 50.87.249.65:80

Strings