Analysis Date: 2015-07-24 09:06:12
MD5: 13acf76bb8996b7bf70d0f4d37b28162
SHA1: 1e3a2c935b2411eeb2c5c0d8e71c9db362bb9b06

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: ab7704257be7f6a84da3c45c04a24ace sha1: 7215ae2b477619b24a81499c7a09cf2059add0ab size: 324608
Section .rdata md5: 524a252cba00d7802cc134d8d4a2cc24 sha1: a76242d681be3d90de264a77bf6a8ebea22d8dcb size: 60416
Section .data  md5: e119f336c187efd784bfaeaf675547d4 sha1: 330596bf97660382266458732172d91672f53a74 size: 7680
Section .reloc md5: 15fcfdeb3990871ed9f8b9dc5b9ddb7c sha1: 9aaa4f0934d2b60fd97442f37d24dc54ae5a867b size: 27136
Timestamp (PE header): 2015-05-11 06:51:08
Packer: Microsoft Visual C++ 8 (compiler signature, not a packer)
PEhash: 9b665f8de04273f0785925e21a87ca422a3f6613
IMPhash: c1d806b69fb8edae866407d13953eef9
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AL
AV Mcafee: PWS-FCCE!13ACF76BB899
AV Ad-Aware: Gen:Variant.Kazy.611009
AV K7: Trojan ( 004c3a4d1 )
AV Frisk (f-prot): no_virus
AV Fortinet: W32/Bayrob.T!tr
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV Dr. Web: Trojan.Bayrob.1
AV CA (E-Trust Ino): no_virus
AV Symantec: Downloader.Upatre!g15
AV VirusBlokAda (vba32): no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Ikarus: Trojan.Win32.Bayrob
AV MicroWorld (escan): Gen:Variant.Kazy.611009
AV BitDefender: Gen:Variant.Kazy.611009
AV Eset (nod32): Win32/Bayrob.V.gen
AV Twister: Trojan.Scar.jhtp.aceu
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.611009
AV Rising: Trojan.Win32.Bayrod.b
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Grisoft (avg): Win32/Cryptor
AV BullGuard: Gen:Variant.Kazy.611009
AV Padvish: no_virus
AV Trend Micro: TROJ_BAYROB.SM0
AV Zillya!: Trojan.Scar.Win32.92017
AV Emsisoft: Gen:Variant.Kazy.611009
AV F-Secure: Gen:Variant.Kazy.611009
AV MalwareBytes: Trojan.Agent.KVTGen

Verdict summary: 26 of 31 engines detect the sample. The engines that name a family agree on Bayrob / Nivdort (Microsoft, Fortinet, Dr. Web, Ikarus, Eset, Trend Micro, Authentium, CAT, and Rising's "Bayrod"); seven products share the generic Gen:Variant.Kazy.611009 signature; Symantec (Upatre) and Avira (ZBot) are outliers against that consensus.

Runtime Details:

Screenshot: (image not reproduced in this extract)

Process
↳ C:\malware.exe

Creates File: C:\yihhfguel\fxx3votra
Creates File: C:\WINDOWS\yihhfguel\fxx3votra
Creates File: C:\yihhfguel\skibd1k02tacem5smaxx.exe
Deletes File: C:\WINDOWS\yihhfguel\fxx3votra
Creates Process: C:\yihhfguel\skibd1k02tacem5smaxx.exe

Process
↳ C:\yihhfguel\skibd1k02tacem5smaxx.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Adaptive Locator Color File Upgrade ➝ C:\yihhfguel\ozkzbak.exe
Creates File: C:\yihhfguel\ozkzbak.exe
Creates File: PIPE\lsarpc
Creates File: C:\yihhfguel\fxx3votra
Creates File: C:\WINDOWS\yihhfguel\fxx3votra
Creates File: C:\yihhfguel\qiyydyo
Deletes File: C:\WINDOWS\yihhfguel\fxx3votra
Creates Process: C:\yihhfguel\ozkzbak.exe
Creates Service: UPnP Config Experience Microsoft ➝ C:\yihhfguel\ozkzbak.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1852

Process
↳ Pid 1128

Process
↳ C:\yihhfguel\ozkzbak.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\yihhfguel\wvmdmhixxb
Creates File: C:\yihhfguel\whirmqmovnu.exe
Creates File: C:\yihhfguel\fxx3votra
Creates File: C:\WINDOWS\yihhfguel\fxx3votra
Creates File: \Device\Afd\Endpoint
Creates File: C:\yihhfguel\qiyydyo
Deletes File: C:\WINDOWS\yihhfguel\fxx3votra
Creates Process: tdvrhecdbpb3 "c:\yihhfguel\ozkzbak.exe"

Process
↳ C:\yihhfguel\ozkzbak.exe

Creates File: C:\yihhfguel\fxx3votra
Creates File: C:\WINDOWS\yihhfguel\fxx3votra
Deletes File: C:\WINDOWS\yihhfguel\fxx3votra

Process
↳ tdvrhecdbpb3 "c:\yihhfguel\ozkzbak.exe"

Creates File: C:\yihhfguel\fxx3votra
Creates File: C:\WINDOWS\yihhfguel\fxx3votra
Deletes File: C:\WINDOWS\yihhfguel\fxx3votra
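The process tree above shows the classic two-handed persistence of this family: the dropper runs from a freshly created directory directly under the drive root, writes a Run value and registers a service, and both point at the same binary in that directory. The script below is an added example, not the sandbox's own code; EVENTS is a hand-built replay of the Runtime Details section, and the field names "proc", "op", "target" and "value" are this example's own. It correlates the events per process and emits a finding only when a non-system-directory process both writes a Run key and creates a service whose binaries live in its own directory.

```python
"""Correlate the report's behaviour events into one persistence finding.

Added example, not the sandbox's own code. EVENTS replays the Runtime
Details section with this example's own field names.
"""
import re
from collections import defaultdict

# Constructed from the Runtime Details section above.
EVENTS = [
    {"proc": r"C:\malware.exe", "op": "create_file",
     "target": r"C:\yihhfguel\skibd1k02tacem5smaxx.exe"},
    {"proc": r"C:\malware.exe", "op": "create_process",
     "target": r"C:\yihhfguel\skibd1k02tacem5smaxx.exe"},
    {"proc": r"C:\yihhfguel\skibd1k02tacem5smaxx.exe", "op": "registry_set",
     "target": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
               r"\Run\Adaptive Locator Color File Upgrade",
     "value": r"C:\yihhfguel\ozkzbak.exe"},
    {"proc": r"C:\yihhfguel\skibd1k02tacem5smaxx.exe", "op": "create_file",
     "target": r"C:\yihhfguel\ozkzbak.exe"},
    {"proc": r"C:\yihhfguel\skibd1k02tacem5smaxx.exe", "op": "create_service",
     "target": "UPnP Config Experience Microsoft",
     "value": r"C:\yihhfguel\ozkzbak.exe"},
    {"proc": r"C:\yihhfguel\skibd1k02tacem5smaxx.exe", "op": "create_process",
     "target": r"C:\yihhfguel\ozkzbak.exe"},
    # Benign activity from the same run, so the rule has something to ignore.
    {"proc": r"C:\WINDOWS\System32\svchost.exe", "op": "create_file",
     "target": r"C:\WINDOWS\system32\WBEM\Logs\wbemess.log"},
]

# Run value name is the last path component of the registry target.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
# A directory directly under the drive root, e.g. C:\yihhfguel\
ROOT_DIR_RE = re.compile(r"^([a-z]:\\[^\\]+\\)", re.IGNORECASE)
# Top-level directories where legitimate software normally lives.
SYSTEM_DIRS = {"c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
               "c:\\users\\", "c:\\documents and settings\\", "c:\\programdata\\"}


def root_dir(path):
    """Top-level directory of a path (lower-cased), or None for a file in the root."""
    m = ROOT_DIR_RE.match(path.strip('"'))
    return m.group(1).lower() if m else None


def suspicious_dir(path):
    """The process's top-level directory if it is not a standard location."""
    d = root_dir(path)
    return d if d and d not in SYSTEM_DIRS else None


def find_persistence(events):
    """Return [(process, directory, run_value_name, service_name)] findings."""
    by_proc = defaultdict(lambda: {"run": [], "svc": []})
    for ev in events:
        if ev["op"] == "registry_set":
            m = RUN_KEY_RE.search(ev["target"])
            if m:
                by_proc[ev["proc"]]["run"].append((m.group(1), ev["value"]))
        elif ev["op"] == "create_service":
            by_proc[ev["proc"]]["svc"].append((ev["target"], ev["value"]))
    findings = []
    for proc, hits in by_proc.items():
        d = suspicious_dir(proc)
        if d is None:
            continue
        # Both persistence mechanisms must point back into the process's own directory.
        for run_name, run_path in hits["run"]:
            for svc_name, svc_path in hits["svc"]:
                if root_dir(run_path) == d and root_dir(svc_path) == d:
                    findings.append((proc, d, run_name, svc_name))
    return findings


if __name__ == "__main__":
    for f in find_persistence(EVENTS):
        print("persistence: %s in %s, Run value %r, service %r" % f)
```

The directory check matters as much as the Run key itself: a Run value or service alone is common in legitimate software, but one whose binary sits in a random-named directory under C:\ and was installed by a sibling from that same directory is rarely benign.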

Network Details:

DNS crowdfriend.net (A) ➝ 50.63.202.48
DNS waterfriend.net (A) ➝ 69.64.147.242
DNS womanfriend.net (A) ➝ 218.30.21.59
DNS partyfriend.net (A) ➝ 89.31.143.7
DNS experiencesafety.net (A) ➝ 72.21.91.60
DNS freshfuture.net (A) ➝ 66.39.68.24
DNS beginearly.net (A) ➝ 95.211.230.75
DNS knownfuture.net (A) ➝ 94.127.112.92, 94.127.112.93
DNS crowdfuture.net (A) ➝ 5.9.118.41
DNS watersafety.net (A) ➝ 217.160.52.166
DNS waterfuture.net (A) ➝ 184.168.221.9
DNS knownconsider.net (A) ➝ no address recorded
DNS beginfriend.net (A) ➝ no address recorded
DNS knownfriend.net (A) ➝ no address recorded
DNS summerlaughter.net (A) ➝ no address recorded
DNS crowdlaughter.net (A) ➝ no address recorded
DNS summerfancy.net (A) ➝ no address recorded
DNS crowdfancy.net (A) ➝ no address recorded
DNS summerconsider.net (A) ➝ no address recorded
DNS crowdconsider.net (A) ➝ no address recorded
DNS summerfriend.net (A) ➝ no address recorded
DNS thoughtlaughter.net (A) ➝ no address recorded
DNS waterlaughter.net (A) ➝ no address recorded
DNS thoughtfancy.net (A) ➝ no address recorded
DNS waterfancy.net (A) ➝ no address recorded
DNS thoughtconsider.net (A) ➝ no address recorded
DNS waterconsider.net (A) ➝ no address recorded
DNS thoughtfriend.net (A) ➝ no address recorded
DNS womanlaughter.net (A) ➝ no address recorded
DNS smokelaughter.net (A) ➝ no address recorded
DNS womanfancy.net (A) ➝ no address recorded
DNS smokefancy.net (A) ➝ no address recorded
DNS womanconsider.net (A) ➝ no address recorded
DNS smokeconsider.net (A) ➝ no address recorded
DNS smokefriend.net (A) ➝ no address recorded
DNS partylaughter.net (A) ➝ no address recorded
DNS fightlaughter.net (A) ➝ no address recorded
DNS partyfancy.net (A) ➝ no address recorded
DNS fightfancy.net (A) ➝ no address recorded
DNS partyconsider.net (A) ➝ no address recorded
DNS fightconsider.net (A) ➝ no address recorded
DNS fightfriend.net (A) ➝ no address recorded
DNS freshsmell.net (A) ➝ no address recorded
DNS experiencesmell.net (A) ➝ no address recorded
DNS freshearly.net (A) ➝ no address recorded
DNS experienceearly.net (A) ➝ no address recorded
DNS freshsafety.net (A) ➝ no address recorded
DNS experiencefuture.net (A) ➝ no address recorded
DNS gentlemansmell.net (A) ➝ no address recorded
DNS alreadysmell.net (A) ➝ no address recorded
DNS gentlemanearly.net (A) ➝ no address recorded
DNS alreadyearly.net (A) ➝ no address recorded
DNS gentlemansafety.net (A) ➝ no address recorded
DNS alreadysafety.net (A) ➝ no address recorded
DNS gentlemanfuture.net (A) ➝ no address recorded
DNS alreadyfuture.net (A) ➝ no address recorded
DNS followsmell.net (A) ➝ no address recorded
DNS membersmell.net (A) ➝ no address recorded
DNS followearly.net (A) ➝ no address recorded
DNS memberearly.net (A) ➝ no address recorded
DNS followsafety.net (A) ➝ no address recorded
DNS membersafety.net (A) ➝ no address recorded
DNS followfuture.net (A) ➝ no address recorded
DNS memberfuture.net (A) ➝ no address recorded
DNS beginsmell.net (A) ➝ no address recorded
DNS knownsmell.net (A) ➝ no address recorded
DNS knownearly.net (A) ➝ no address recorded
DNS beginsafety.net (A) ➝ no address recorded
DNS knownsafety.net (A) ➝ no address recorded
DNS beginfuture.net (A) ➝ no address recorded
DNS summersmell.net (A) ➝ no address recorded
DNS crowdsmell.net (A) ➝ no address recorded
DNS summerearly.net (A) ➝ no address recorded
DNS crowdearly.net (A) ➝ no address recorded
DNS summersafety.net (A) ➝ no address recorded
DNS crowdsafety.net (A) ➝ no address recorded
DNS summerfuture.net (A) ➝ no address recorded
DNS thoughtsmell.net (A) ➝ no address recorded
DNS watersmell.net (A) ➝ no address recorded
DNS thoughtearly.net (A) ➝ no address recorded
DNS waterearly.net (A) ➝ no address recorded
DNS thoughtsafety.net (A) ➝ no address recorded
DNS thoughtfuture.net (A) ➝ no address recorded
DNS womansmell.net (A) ➝ no address recorded
DNS smokesmell.net (A) ➝ no address recorded
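Every one of the 85 distinct names queried above is two dictionary words concatenated under .net (crowd+friend, experience+safety, gentleman+smell), a word-pair generation scheme consistent with the Bayrob / Nivdort labels in the AV verdicts. The script below is an added example, not part of the sandbox report: QUERIED is the de-duplicated host list from this section, and the splitting heuristic is this example's own; it assumes nothing about the malware's actual word lists, which are not on the page. For each label it chooses the cut whose left and right halves are each shared with other labels, recovers the prefix and suffix vocabularies, and reports how much of the prefix x suffix grid the sample walked through.

```python
"""Infer the two-word grid behind the domains this sample queried.

Added example, not part of the sandbox report. QUERIED is copied from the
Network Details section; the heuristic and all function names are this
example's own.
"""
from collections import Counter

# Constructed from the DNS queries above (one entry per distinct name).
QUERIED = """
crowdfriend waterfriend womanfriend partyfriend experiencesafety freshfuture
beginearly knownfuture crowdfuture watersafety waterfuture knownconsider
beginfriend knownfriend summerlaughter crowdlaughter summerfancy crowdfancy
summerconsider crowdconsider summerfriend thoughtlaughter waterlaughter
thoughtfancy waterfancy thoughtconsider waterconsider thoughtfriend
womanlaughter smokelaughter womanfancy smokefancy womanconsider smokeconsider
smokefriend partylaughter fightlaughter partyfancy fightfancy partyconsider
fightconsider fightfriend freshsmell experiencesmell freshearly experienceearly
freshsafety experiencefuture gentlemansmell alreadysmell gentlemanearly
alreadyearly gentlemansafety alreadysafety gentlemanfuture alreadyfuture
followsmell membersmell followearly memberearly followsafety membersafety
followfuture memberfuture beginsmell knownsmell knownearly beginsafety
knownsafety beginfuture summersmell crowdsmell summerearly crowdearly
summersafety crowdsafety summerfuture thoughtsmell watersmell thoughtearly
waterearly thoughtsafety thoughtfuture womansmell smokesmell
""".split()

MIN_PART = 3  # shortest word accepted on either side of a cut


def candidate_splits(label):
    """All (prefix, suffix) cuts of a label with both parts >= MIN_PART long."""
    return [(label[:i], label[i:]) for i in range(MIN_PART, len(label) - MIN_PART + 1)]


def part_counts(labels):
    """Number of labels in which each candidate prefix / suffix occurs."""
    pre, suf = Counter(), Counter()
    for lab in labels:
        for p, s in candidate_splits(lab):
            pre[p] += 1
            suf[s] += 1
    return pre, suf


def best_split(label, pre, suf):
    """Cut where both halves are shared by other labels, maximising that sharing."""
    shared = [(pre[p] + suf[s], p, s) for p, s in candidate_splits(label)
              if pre[p] >= 2 and suf[s] >= 2]
    if not shared:
        return None
    _, p, s = max(shared)
    return p, s


def infer_wordlists(labels):
    """Return (prefixes, suffixes, unsplit) for a set of DGA-looking labels."""
    labels = sorted(set(labels))
    pre, suf = part_counts(labels)
    prefixes, suffixes, unsplit = set(), set(), []
    for lab in labels:
        cut = best_split(lab, pre, suf)
        if cut is None:
            unsplit.append(lab)  # no shared cut: not part of the grid
        else:
            prefixes.add(cut[0])
            suffixes.add(cut[1])
    return prefixes, suffixes, unsplit


def grid_coverage(labels):
    """(distinct labels seen, size of the inferred prefix*suffix grid, unsplit labels)."""
    prefixes, suffixes, unsplit = infer_wordlists(labels)
    return len(set(labels)), len(prefixes) * len(suffixes), unsplit


if __name__ == "__main__":
    p, s, u = infer_wordlists(QUERIED)
    print("prefixes:", " ".join(sorted(p)))
    print("suffixes:", " ".join(sorted(s)))
    seen, cells, _ = grid_coverage(QUERIED)
    print("seen %d of %d grid cells, %d label(s) unsplit" % (seen, cells, len(u)))
```

Run against this report the heuristic recovers 16 prefixes and 8 suffixes, so the 85 names cover 85 of 128 grid cells. For hunting, the useful signal is the structure rather than the words: a host that resolves dozens of names sharing a small prefix and suffix vocabulary inside one minute, most of them unanswered, is walking a generated list, and the vocabulary recovered here can be fed straight into a DNS log search for other hosts querying the same grid.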
HTTP GET http://crowdfriend.net/index.php (no User-Agent header)
HTTP GET http://waterfriend.net/index.php (no User-Agent header)
HTTP GET http://womanfriend.net/index.php (no User-Agent header)
HTTP GET http://partyfriend.net/index.php (no User-Agent header)
HTTP GET http://experiencesafety.net/index.php (no User-Agent header)
HTTP GET http://freshfuture.net/index.php (no User-Agent header)
HTTP GET http://beginearly.net/index.php (no User-Agent header)
HTTP GET http://knownfuture.net/index.php (no User-Agent header)
HTTP GET http://crowdfuture.net/index.php (no User-Agent header)
HTTP GET http://watersafety.net/index.php (no User-Agent header)
HTTP GET http://waterfuture.net/index.php (no User-Agent header)
Flows TCP 192.168.1.1:1031 ➝ 50.63.202.48:80
Flows TCP 192.168.1.1:1032 ➝ 69.64.147.242:80
Flows TCP 192.168.1.1:1033 ➝ 218.30.21.59:80
Flows TCP 192.168.1.1:1034 ➝ 89.31.143.7:80
Flows TCP 192.168.1.1:1035 ➝ 72.21.91.60:80
Flows TCP 192.168.1.1:1036 ➝ 66.39.68.24:80
Flows TCP 192.168.1.1:1037 ➝ 95.211.230.75:80
Flows TCP 192.168.1.1:1038 ➝ 94.127.112.92:80
Flows TCP 192.168.1.1:1039 ➝ 5.9.118.41:80
Flows TCP 192.168.1.1:1040 ➝ 217.160.52.166:80
Flows TCP 192.168.1.1:1041 ➝ 184.168.221.9:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   726f7764 66726965 6e642e6e 65740d0a   rowdfriend.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746572 66726965 6e642e6e 65740d0a   aterfriend.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   6f6d616e 66726965 6e642e6e 65740d0a   omanfriend.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   61727479 66726965 6e642e6e 65740d0a   artyfriend.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   78706572 69656e63 65736166 6574792e   xperiencesafety.
0x00000050 (00080)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   72657368 66757475 72652e6e 65740d0a   reshfuture.net..
0x00000050 (00080)   0d0a740d 0a0d0a                       ..t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   6567696e 6561726c 792e6e65 740d0a0d   eginearly.net...
0x00000050 (00080)   0a0a740d 0a0d0a                       ..t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206b   : close..Host: k
0x00000040 (00064)   6e6f776e 66757475 72652e6e 65740d0a   nownfuture.net..
0x00000050 (00080)   0d0a740d 0a0d0a                       ..t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   726f7764 66757475 72652e6e 65740d0a   rowdfuture.net..
0x00000050 (00080)   0d0a740d 0a0d0a                       ..t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746572 73616665 74792e6e 65740d0a   atersafety.net..
0x00000050 (00080)   0d0a740d 0a0d0a                       ..t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746572 66757475 72652e6e 65740d0a   aterfuture.net..
0x00000050 (00080)   0d0a                                  ..
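The raw requests are identical apart from the Host header: GET /index.php over HTTP/1.0, Accept: */*, Connection: close, and no User-Agent header at all, which is why the HTTP GET list above shows an empty User-Agent. Several of the dumps also carry a few stray bytes after the CRLFCRLF header terminator. The script below is an added example, not part of the sandbox report: SAMPLE_DUMPS are two of the dump blocks copied from this page (the second one keeps its trailing bytes), decode_dump() parses the offset / hex / ASCII-gutter layout back into bytes, parse_request() splits the HTTP request and keeps anything after the header terminator separate, and looks_like_beacon() is this example's own reading of what every captured request has in common, not a vendor rule.

```python
"""Decode the Raw Pcap hex dumps above and fingerprint the beacon request.

Added example, not part of the sandbox report. SAMPLE_DUMPS are copied
from the page; the parsing and the beacon signature are this example's own.
"""
import re

SAMPLE_DUMPS = [
"""0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   726f7764 66726965 6e642e6e 65740d0a   rowdfriend.net..
0x00000050 (00080)   0d0a                                  ..""",
"""0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   72657368 66757475 72652e6e 65740d0a   reshfuture.net..
0x00000050 (00080)   0d0a740d 0a0d0a                       ..t....""",
]

# hex offset, "(decimal offset)", space-separated hex groups, then two or
# more spaces before the ASCII gutter (or end of line when the gutter is empty)
HEX_LINE = re.compile(r"^0x[0-9a-fA-F]{8} \(\d+\)\s+((?:[0-9a-fA-F]{2,8} ?)+?)(?: {2,}|$)")


def decode_dump(dump):
    """Turn one hex-dump block back into the raw bytes it displays."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.rstrip())
        if not m:
            raise ValueError("not a hex-dump line: %r" % line)
        out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_request(raw):
    """Split a raw HTTP request into (method, path, version, headers, trailing).

    Only the bytes up to the first CRLFCRLF belong to the request; anything
    after it (the stray bytes seen in some dumps above) is returned separately
    so it can be examined rather than silently treated as a body.
    """
    head, sep, trailing = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header terminator")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers, trailing


def looks_like_beacon(req):
    """Match the request shape shared by every capture in this report."""
    method, path, version, headers, _ = req
    return (method == "GET" and path == "/index.php" and version == "HTTP/1.0"
            and headers.get("accept") == "*/*"
            and headers.get("connection") == "close"
            and "host" in headers
            and "user-agent" not in headers)


def fingerprint(dumps):
    """Return [(host, is_beacon, trailing_byte_count)] for each dump block."""
    results = []
    for d in dumps:
        req = parse_request(decode_dump(d))
        results.append((req[3].get("host"), looks_like_beacon(req), len(req[4])))
    return results


if __name__ == "__main__":
    for host, beacon, extra in fingerprint(SAMPLE_DUMPS):
        print("%-20s beacon=%s trailing_bytes=%d" % (host, beacon, extra))
```

The absence of a User-Agent header is the cheapest network-side discriminator here: browsers and almost every legitimate Windows HTTP client send one, so "HTTP/1.0 GET with Host but no User-Agent" is a low-noise filter to pair with the domain grid from the DNS section when searching proxy logs.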


Strings