Analysis Date: 2015-10-15 03:40:32
MD5: 08ea39d7e6e42370ddb1d3c60d810fba
SHA1: 1deb3d7e6476c8d9668978b11d747f2f89144152

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5338d054f11a5ebb7881db54cce48e33 sha1: ebc43a025a36eb55476f1d0bc8326cd9b4b106b5 size: 203264
Section .rdata: md5: 41b1671245050a59ba90690e726854ad sha1: 4abdbbf5ca23a379106037e2259e6ee73670cb22 size: 53760
Section .data: md5: dd9607887b2d2b158d3a6f5118386a85 sha1: d96885ed8524932e10f91a7e08124ccb31e5fb27 size: 7680
Section .reloc: md5: fb6526bce1721e7e80e0d7ee7615d408 sha1: ed5a9fe26f6d20ce50e104a786f53c8b4f366a45 size: 14848
Timestamp: 2015-04-29 18:46:31
Packer: Microsoft Visual C++ 8
PEhash: 5511eec9c60e54c9deaccebe1fbbc296bb83dc79
IMPhash: 52a2eeb736085b1ca57b29f9e7c1a5ac
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.604861
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.604861
AV BullGuard: Gen:Variant.Kazy.604861
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.604861
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.R.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AY
AV K7: Trojan ( 004c12491 )
AV BitDefender: Gen:Variant.Kazy.604861
AV Fortinet: W32/Generic.AC.215362
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Q
AV Alwil (avast): VB-AJEW [Trj]
AV Ad-Aware: Gen:Variant.Kazy.604861
AV Twister: Trojan.0000E9000000006A1.mg
AV Avira (antivir): TR/Crypt.Xpack.202670
AV Mcafee: Trojan-FGIJ!08EA39D7E6E4
AV Rising: Trojan.Win32.Bayrod.a

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\bpynwttrjvuw\quhpo1kjlownfducbca.exe
Creates File: C:\bpynwttrjvuw\ppwjtpan6kh
Creates File: C:\WINDOWS\bpynwttrjvuw\ppwjtpan6kh
Deletes File: C:\WINDOWS\bpynwttrjvuw\ppwjtpan6kh
Creates Process: C:\bpynwttrjvuw\quhpo1kjlownfducbca.exe

Process
↳ C:\bpynwttrjvuw\quhpo1kjlownfducbca.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Remote Class Framework Bus Layer iSCSI ➝ C:\bpynwttrjvuw\qbcmpzijkbq.exe
Creates File: C:\bpynwttrjvuw\alnuhtwag
Creates File: PIPE\lsarpc
Creates File: C:\bpynwttrjvuw\ppwjtpan6kh
Creates File: C:\bpynwttrjvuw\qbcmpzijkbq.exe
Creates File: C:\WINDOWS\bpynwttrjvuw\ppwjtpan6kh
Deletes File: C:\WINDOWS\bpynwttrjvuw\ppwjtpan6kh
Creates Process: C:\bpynwttrjvuw\qbcmpzijkbq.exe
Creates Service: Cryptographic Acquisition Now Background Firewall - C:\bpynwttrjvuw\qbcmpzijkbq.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1852

Process
↳ Pid 1136

Process
↳ C:\bpynwttrjvuw\qbcmpzijkbq.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\bpynwttrjvuw\alnuhtwag
Creates File: C:\bpynwttrjvuw\gdtbntre
Creates File: C:\bpynwttrjvuw\iovstzmtic.exe
Creates File: C:\bpynwttrjvuw\ppwjtpan6kh
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\bpynwttrjvuw\ppwjtpan6kh
Deletes File: C:\WINDOWS\bpynwttrjvuw\ppwjtpan6kh
Creates Process: lhlob8zy0jwl "c:\bpynwttrjvuw\qbcmpzijkbq.exe"

Process
↳ C:\bpynwttrjvuw\qbcmpzijkbq.exe

Creates File: C:\bpynwttrjvuw\ppwjtpan6kh
Creates File: C:\WINDOWS\bpynwttrjvuw\ppwjtpan6kh
Deletes File: C:\WINDOWS\bpynwttrjvuw\ppwjtpan6kh

Process
↳ lhlob8zy0jwl "c:\bpynwttrjvuw\qbcmpzijkbq.exe"

Creates File: C:\bpynwttrjvuw\ppwjtpan6kh
Creates File: C:\WINDOWS\bpynwttrjvuw\ppwjtpan6kh
Deletes File: C:\WINDOWS\bpynwttrjvuw\ppwjtpan6kh

Network Details:


Strings