Analysis Date: 2016-01-28 06:33:04
MD5: 1efee4ecc891212f3f51f2b78086924d
SHA1: 1db70b408ecf810a10a1c2f6878112e63bfed6d0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 01e6489f3cba82be67129a816729fa65 sha1: a113b90bbf4ab51b77293b79486a461ff2a21c79 size: 1112576
Section .rdata md5: 8601f5df5c917810c7a4e669a220222c sha1: 1fe4c01dbb6605cf5e754373bebe54bebcbf3b7d size: 287232
Section .data  md5: 617dbac9afc9f97fe80efa77cb51ed29 sha1: 3d618fcd857785ddcfec9430d4351bae40c2e14c size: 3072
Section .reloc md5: 2585c5547a687bd83f49dda840de49c9 sha1: 87875eae67790f2da7c32073092e8b037b206200 size: 140800
Timestamp: 2015-04-23 14:41:46
Packer: Microsoft Visual C++ ?.?
PEhash: a5fbeebe86a0e28cb4245cc0dd1cdf8b19b41795
IMPhash: 13daed0503342331ebf7859389b4ac79
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): TR/Nivdort.A.31466
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Kazy.794416
AV Alwil (avast): No Virus
AV Eset (nod32): Win32/Bayrob.BK
AV Grisoft (avg): Generic37.ADSK
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.AT!tr
AV BitDefender: Gen:Variant.Kazy.794416
AV K7: Trojan ( 004da8bd1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DF
AV MicroWorld (escan): No Virus
AV MalwareBytes: No Virus
AV Authentium: No Virus
AV Frisk (f-prot): No Virus
AV Ikarus: No Virus
AV Emsisoft: Gen:Variant.Kazy.794416
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Gen:Variant.Kazy.794416
AV Arcabit (arcavir): Gen:Variant.Kazy.794416
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Kazy.794416
AV CA (E-Trust Ino): No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\jvcthdt4j6zzq3jazfmo7sj.exe
Creates File: C:\WINDOWS\system32\kypjazhytlfls\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\jvcthdt4j6zzq3jazfmo7sj.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\jvcthdt4j6zzq3jazfmo7sj.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Builder RPC Studio Sharing Host Acquisition ➝ C:\WINDOWS\system32\wilpsvlymvxp.exe
Creates File: C:\WINDOWS\system32\wilpsvlymvxp.exe
Creates File: C:\WINDOWS\system32\kypjazhytlfls\lck
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\kypjazhytlfls\tst
Creates Process: C:\WINDOWS\system32\wilpsvlymvxp.exe
Creates Service: Spooler Update Offline - C:\WINDOWS\system32\wilpsvlymvxp.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1168

Process
↳ C:\WINDOWS\system32\wilpsvlymvxp.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\kypjazhytlfls\rng
Creates File: C:\WINDOWS\system32\kypjazhytlfls\lck
Creates File: C:\WINDOWS\system32\kypjazhytlfls\tst
Creates File: C:\WINDOWS\system32\kypjazhytlfls\cfg
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\TEMP\jvcthdt459401ojaz.exe
Creates File: C:\WINDOWS\system32\grhdlno.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\kypjazhytlfls\run
Creates Process: C:\WINDOWS\TEMP\jvcthdt459401ojaz.exe -r 43470 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\wilpsvlymvxp.exe"

Process
↳ c:\windows\system32\wilpsvlymvxp.exe

Creates File: C:\WINDOWS\system32\kypjazhytlfls\tst

Process
↳ C:\WINDOWS\system32\wilpsvlymvxp.exe

Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\kypjazhytlfls\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\wilpsvlymvxp.exe"

Creates File: C:\WINDOWS\system32\kypjazhytlfls\tst
Creates Process: c:\windows\system32\wilpsvlymvxp.exe

Process
↳ C:\WINDOWS\TEMP\jvcthdt459401ojaz.exe -r 43470 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: doubleobject.net (Type: A) ➝ 69.195.124.153
DNS: brokenthird.net (Type: A) ➝ 74.220.215.249
DNS: riddenstorm.net (Type: A) ➝ 66.147.240.171
DNS: gentleangry.net (Type: A) ➝ 98.139.135.129
DNS: simonettedwerryhouse.net (Type: A) ➝ 98.139.135.129
DNS: morningduring.net (Type: A) ➝ 98.139.135.129
DNS: wifeabout.net (Type: A) ➝ 98.139.135.129
DNS: casestep.net (Type: A) ➝ 98.139.135.129
DNS: favorhope.net (Type: A) ➝ 195.22.26.248
DNS: favorleft.net (Type: A) ➝ 195.22.26.248
DNS: favorhurry.net (Type: A) ➝ 195.22.28.199, 195.22.28.196, 195.22.28.197, 195.22.28.198
DNS: fiftywild.net (Type: A) ➝ 208.100.26.234
DNS: theirkind.net (Type: A) ➝ 81.21.76.62
DNS: mightspecial.net (Type: A) - no answer recorded
DNS: dulcibellamartinson.net (Type: A) - no answer recorded
DNS: mariabellabotwright.net (Type: A) - no answer recorded
DNS: simonettesherisse.net (Type: A) - no answer recorded
DNS: decidebetween.net (Type: A) - no answer recorded
DNS: aloneneighbor.net (Type: A) - no answer recorded
DNS: gwendolynhuddleston.net (Type: A) - no answer recorded
DNS: seasonstrong.net (Type: A) - no answer recorded
DNS: oftensurprise.net (Type: A) - no answer recorded
DNS: chiefanother.net (Type: A) - no answer recorded
DNS: nosethirteen.net (Type: A) - no answer recorded
DNS: wellhurry.net (Type: A) - no answer recorded
DNS: nosehurry.net (Type: A) - no answer recorded
DNS: ringhope.net (Type: A) - no answer recorded
DNS: ringleft.net (Type: A) - no answer recorded
DNS: ringthirteen.net (Type: A) - no answer recorded
DNS: favorthirteen.net (Type: A) - no answer recorded
DNS: ringhurry.net (Type: A) - no answer recorded
DNS: sorrywild.net (Type: A) - no answer recorded
DNS: sorryjune.net (Type: A) - no answer recorded
DNS: fiftyjune.net (Type: A) - no answer recorded
DNS: sorrybegan.net (Type: A) - no answer recorded
DNS: fiftybegan.net (Type: A) - no answer recorded
DNS: sorrykind.net (Type: A) - no answer recorded
DNS: fiftykind.net (Type: A) - no answer recorded
DNS: theirwild.net (Type: A) - no answer recorded
DNS: likrwild.net (Type: A) - no answer recorded
DNS: theirjune.net (Type: A) - no answer recorded
DNS: likrjune.net (Type: A) - no answer recorded
DNS: theirbegan.net (Type: A) - no answer recorded
DNS: likrbegan.net (Type: A) - no answer recorded
DNS: likrkind.net (Type: A) - no answer recorded
DNS: fearwild.net (Type: A) - no answer recorded
DNS: westwild.net (Type: A) - no answer recorded
HTTP GET: http://doubleobject.net/index.php (User-Agent: empty)
HTTP GET: http://brokenthird.net/index.php (User-Agent: empty)
HTTP GET: http://riddenstorm.net/index.php (User-Agent: empty)
HTTP GET: http://gentleangry.net/index.php (User-Agent: empty)
HTTP GET: http://simonettedwerryhouse.net/index.php (User-Agent: empty)
HTTP GET: http://morningduring.net/index.php (User-Agent: empty)
HTTP GET: http://wifeabout.net/index.php (User-Agent: empty)
HTTP GET: http://casestep.net/index.php (User-Agent: empty)
HTTP GET: http://favorhope.net/index.php (User-Agent: empty)
HTTP GET: http://favorleft.net/index.php (User-Agent: empty)
HTTP GET: http://favorhurry.net/index.php (User-Agent: empty)
HTTP GET: http://fiftywild.net/index.php (User-Agent: empty)
HTTP GET: http://theirkind.net/index.php (User-Agent: empty)
Flows TCP: 192.168.1.1:1036 ➝ 69.195.124.153:80
Flows TCP: 192.168.1.1:1037 ➝ 74.220.215.249:80
Flows TCP: 192.168.1.1:1038 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1040 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1041 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1042 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1043 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1044 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1045 ➝ 195.22.26.248:80
Flows TCP: 192.168.1.1:1046 ➝ 195.22.26.248:80
Flows TCP: 192.168.1.1:1047 ➝ 195.22.28.199:80
Flows TCP: 192.168.1.1:1048 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1049 ➝ 81.21.76.62:80
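The runtime and network sections above give a compact set of observables to hunt on: the first stage drops a second executable in the user's Temp directory, which installs wilpsvlymvxp.exe into system32, persists it both as a Run-key value ("Builder RPC Studio Sharing Host Acquisition") and as a service ("Spooler Update Offline"), keeps it alive through a WATCHDOGPROC copy of itself, sets FirewallDisableNotify to 1, and then resolves a long run of .net domains built from two concatenated words, fetching /index.php from each resolved host with an empty User-Agent. The following script, added here as an example and not part of the original report, turns those observables into a small matcher and runs it over constructed log lines. The indicator values are copied from the report; the log-line formats, the sample lines and the word list are assumptions made for illustration (a real deployment would use a full English word list for the two-word check).

```python
"""Host and network matcher built from the observables in the sandbox report above.

Added example, not part of the original report: the indicator values are copied
from the report; the log-line formats, the sample log lines and the word list are
constructed for illustration.
"""
import re

# Persistence observables (from the Runtime Details section).
RUN_KEY_VALUE = "Builder RPC Studio Sharing Host Acquisition"
SERVICE_NAME = "Spooler Update Offline"
DROPPED_FILES = {
    r"c:\windows\system32\wilpsvlymvxp.exe",
    r"c:\windows\system32\grhdlno.exe",
    r"c:\windows\system32\kypjazhytlfls\cfg",
    r"c:\windows\system32\kypjazhytlfls\run",
}

# Network observables (from the Network Details section): resolved domains and IPs.
C2_DOMAINS = {"doubleobject.net", "brokenthird.net", "riddenstorm.net",
              "gentleangry.net", "favorhope.net", "favorleft.net",
              "favorhurry.net", "fiftywild.net", "theirkind.net"}
C2_IPS = {"69.195.124.153", "74.220.215.249", "66.147.240.171",
          "98.139.135.129", "195.22.26.248", "195.22.28.199",
          "208.100.26.234", "81.21.76.62"}

# Constructed vocabulary: the words that make up the two-word .net domains queried
# in the report. A real deployment would use a full English word list (assumption).
VOCAB = {"double", "object", "broken", "third", "ridden", "storm", "gentle", "angry",
         "morning", "during", "wife", "about", "case", "step", "favor", "hope",
         "left", "hurry", "fifty", "wild", "their", "kind", "might", "special",
         "decide", "between", "alone", "neighbor", "season", "strong", "often",
         "surprise", "chief", "another", "nose", "thirteen", "well", "ring",
         "sorry", "june", "began", "fear", "west"}


def split_two_words(label, vocab=VOCAB):
    """Return (first, second) if the DNS label is exactly two vocabulary words, else None."""
    for i in range(1, len(label)):
        if label[:i] in vocab and label[i:] in vocab:
            return label[:i], label[i:]
    return None


DOMAIN_RE = re.compile(r"\b([a-z]+)\.net\b")


def match_line(line):
    """Return the indicator names hit by one log line.

    Recognised (constructed) formats: Sysmon-style key="value" registry/file events,
    a service-install event, a DNS query line, and a proxy line with ua="..." and dst=.
    """
    hits = []
    low = line.lower()
    if RUN_KEY_VALUE.lower() in low and "currentversion\\run" in low:
        hits.append("run_key")
    if SERVICE_NAME.lower() in low:
        hits.append("service")
    if any(path in low for path in DROPPED_FILES):
        hits.append("dropped_file")
    if any(ip in line for ip in C2_IPS):
        hits.append("c2_ip")
    m = DOMAIN_RE.search(low)
    if m:
        if m.group(0) in C2_DOMAINS:
            hits.append("c2_domain")
        elif split_two_words(m.group(1)):
            hits.append("two_word_net_domain")  # same naming scheme, not on the list yet
    if 'ua=""' in low and "/index.php" in low:
        hits.append("empty_ua_index_php")
    return hits


def triage(lines):
    """Map each matching line to its hits; lines with no hits are dropped."""
    return {line: hits for line in lines if (hits := match_line(line))}


# Constructed sample log lines (not from the report) in the formats described above.
SAMPLE_LOGS = [
    'sysmon id=13 target="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\'
    'Builder RPC Studio Sharing Host Acquisition" details="C:\\WINDOWS\\system32\\wilpsvlymvxp.exe"',
    'sysmon id=11 image="C:\\malware.exe" target="C:\\WINDOWS\\system32\\grhdlno.exe"',
    'system id=7045 service="Spooler Update Offline" path="C:\\WINDOWS\\system32\\wilpsvlymvxp.exe"',
    'dns query=favorbegan.net type=A',
    'proxy GET http://favorhurry.net/index.php ua="" dst=195.22.28.199',
    'proxy GET http://example.com/ ua="Mozilla/5.0" dst=93.184.216.34',
]

if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOGS).items():
        print(", ".join(hits), "<-", line)
```

The two-word check is deliberately separate from the exact-match lists: every resolved domain on this page is two dictionary words under .net, so a sibling such as favorbegan.net is flagged even though it is not in the report's resolved set, while the exact lists stay authoritative for the hosts that actually answered. The empty User-Agent on a GET to /index.php is a second, list-independent signal taken straight from the HTTP rows above.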
