Analysis Date: 2015-12-09 06:20:43
MD5: 49147f79a9c61109060cb2c14efdb4a9
SHA1: 1a143219dedf77f2feaeff5b9d159ac1422e03e1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 28e9b40f208faa9e436f53561235a86f sha1: f4f7e50a5c9c29f5ec139acaa3cec1ba2572b64a size: 325120
Section .rdata: md5: ca3e9e45f2a72a3297b03ae73502bfb1 sha1: 0d13a22f56290a707a74019844baa7d2867e24ca size: 54272
Section .data: md5: cd6bd0d6111835af1802db6c7637fd41 sha1: 0b39c5c1606b67f624aa1575845a0f63d0367344 size: 7680
Section .reloc: md5: 2ec66c16997f468353c4ffbf654edf95 sha1: 574f46fb350db80fb284caf48fdfed0f4d82282c size: 22528
Timestamp: 2015-11-11 23:28:13
Packer: Microsoft Visual C++ 8
PEhash: b088ba1792cfbb1f2a9da6e4eae2274a7cc59565
IMPhash: 0766f11ac9fb2b35dec02aa0639d9b13
AV MalwareBytes: no_virus
AV Rising: Trojan.Win32.Bayrod.b
AV Ikarus: Trojan.Win32.Bayrob
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.CD
AV MicroWorld (escan): Gen:Variant.Kazy.766982
AV Fortinet: W32/Bayrob.AA!tr
AV Grisoft (avg): Win32/Cryptor
AV K7: Trojan ( 004d698a1 )
AV Kaspersky: Trojan.Win32.Tinba.wlt
AV Mcafee: Generic-FAWY!49147F79A9C6
AV F-Secure: Gen:Variant.Kazy.766982
AV Eset (nod32): Win32/Bayrob.AA
AV Frisk (f-prot): W32/Upatre.GJ.gen!Eldorado
AV Ad-Aware: Gen:Variant.Kazy.766982
AV BullGuard: Gen:Variant.Kazy.766982
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Authentium: W32/Upatre.GJ.gen!Eldorado
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV Avira (antivir): TR/AD.Nivdort.Y.821
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader17.56062
AV Arcabit (arcavir): Gen:Variant.Kazy.766982
AV BitDefender: Gen:Variant.Kazy.766982
AV Emsisoft: Gen:Variant.Kazy.766982

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\jixzisgefbs\nq1kg4vtuujvhie.exe
Creates File: C:\WINDOWS\jixzisgefbs\vdmnwy5ms1d
Creates File: C:\jixzisgefbs\vdmnwy5ms1d
Deletes File: C:\WINDOWS\jixzisgefbs\vdmnwy5ms1d
Creates Process: C:\jixzisgefbs\nq1kg4vtuujvhie.exe

Process
↳ C:\jixzisgefbs\nq1kg4vtuujvhie.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Remote Assistant Cryptographic Client ➝ C:\jixzisgefbs\ucsvuqj.exe
Creates File: C:\jixzisgefbs\ucsvuqj.exe
Creates File: C:\WINDOWS\jixzisgefbs\vdmnwy5ms1d
Creates File: PIPE\lsarpc
Creates File: C:\jixzisgefbs\puc3dvvqf
Creates File: C:\jixzisgefbs\vdmnwy5ms1d
Deletes File: C:\WINDOWS\jixzisgefbs\vdmnwy5ms1d
Creates Process: C:\jixzisgefbs\ucsvuqj.exe
Creates Service: Card Video Protocol Foundation - C:\jixzisgefbs\ucsvuqj.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1884

Process
↳ Pid 1188

Process
↳ C:\jixzisgefbs\ucsvuqj.exe

Creates File: C:\jixzisgefbs\irtzcbus4
Creates File: C:\jixzisgefbs\rofutrnjvy.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\jixzisgefbs\vdmnwy5ms1d
Creates File: C:\jixzisgefbs\puc3dvvqf
Creates File: \Device\Afd\Endpoint
Creates File: C:\jixzisgefbs\vdmnwy5ms1d
Deletes File: C:\WINDOWS\jixzisgefbs\vdmnwy5ms1d
Creates Process: dpnpnypwkuho "c:\jixzisgefbs\ucsvuqj.exe"

Process
↳ C:\jixzisgefbs\ucsvuqj.exe

Creates File: C:\WINDOWS\jixzisgefbs\vdmnwy5ms1d
Creates File: C:\jixzisgefbs\vdmnwy5ms1d
Deletes File: C:\WINDOWS\jixzisgefbs\vdmnwy5ms1d

Process
↳ dpnpnypwkuho "c:\jixzisgefbs\ucsvuqj.exe"

Creates File: C:\WINDOWS\jixzisgefbs\vdmnwy5ms1d
Creates File: C:\jixzisgefbs\vdmnwy5ms1d
Deletes File: C:\WINDOWS\jixzisgefbs\vdmnwy5ms1d

Network Details:

HTTP GET: http://littlebroad.net/index.php
User-Agent:
HTTP GET: http://destroybehind.net/index.php
User-Agent:
HTTP GET: http://belongbehind.net/index.php
User-Agent:
HTTP GET: http://thosebutter.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.28.197:80
Flows TCP: 192.168.1.1:1033 ➝ 72.52.4.91:80
Flows TCP: 192.168.1.1:1034 ➝ 98.139.135.129:80
