Analysis Date: 2016-05-09 22:42:39
MD5: da78ed8d83c1af9fd676a5e6fa423d0d
SHA1: 1eb37dcb5ffa74aa993449fb14efdcc8997c9146

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 48debe6ff0c5e8d9408bf692bd448ecf sha1: 0fd5477417b7a257863c9ca5d6a1259d6e736458 size: 1060352
Section .rdata md5: dc52435554c144f437cbb36c6d67dec2 sha1: dcb61e807d2529127d8a630064e5483443922832 size: 423936
Section .data md5: 3b713735bf0d5c4a9a5109e661bf322c sha1: f75b2bfe58d5b8a70e2099b387516564d97eecb4 size: 7168
Timestamp: 2015-12-04 10:00:42
Packer: VC8 -> Microsoft Corporation
PEhash: 3cb7294f45163a64c217a31667d4cfc36b527af1
IMPhash: 34c4c501692501a1df37c8322368833c
AV Rising: No Virus
AV CA (E-Trust Ino): Gen:Variant.Razy.42300
AV F-Secure: Gen:Variant.Razy.42300
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Razy.42300
AV BullGuard: Gen:Variant.Razy.42300
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: No Virus
AV Emsisoft: Gen:Variant.Razy.42300
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): No Virus
AV Authentium: No Virus
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Razy.42300
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DU
AV K7: Trojan ( 004d7cd41 )
AV BitDefender: Gen:Variant.Razy.42300
AV Fortinet: W32/Bayrob.AQ!tr
AV Symantec: No Virus
AV Grisoft (avg): No Virus
AV Eset (nod32): Win32/Bayrob.AF
AV Alwil (avast): Evo-gen [Susp]
AV Ad-Aware: Gen:Variant.Razy.42300
AV Twister: No Virus
AV Avira (antivir): TR/Crypt.Xpack.nxlh
AV Mcafee: Nivdort!DA78ED8D83C1

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\f3ugzcoj1m8sihhsfnzmm4i.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\pufnnkhokbqrk\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\f3ugzcoj1m8sihhsfnzmm4i.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\f3ugzcoj1m8sihhsfnzmm4i.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Netlogon Firewall Builder ➝ C:\WINDOWS\system32\slkoutjvevm.exe
Creates File: C:\WINDOWS\system32\pufnnkhokbqrk\etc
Creates File: C:\WINDOWS\system32\pufnnkhokbqrk\lck
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\pufnnkhokbqrk\tst
Creates File: C:\WINDOWS\system32\slkoutjvevm.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\slkoutjvevm.exe
Creates Service: Spooler Input Key Extender Initiator - C:\WINDOWS\system32\slkoutjvevm.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1872

Process
↳ Pid 1160

Process
↳ C:\WINDOWS\system32\slkoutjvevm.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\pufnnkhokbqrk\run
Creates File: C:\WINDOWS\system32\pufnnkhokbqrk\lck
Creates File: C:\WINDOWS\system32\pufnnkhokbqrk\cfg
Creates File: C:\WINDOWS\system32\pufnnkhokbqrk\rng
Creates File: C:\WINDOWS\system32\aaucgiweqgx.exe
Creates File: C:\WINDOWS\system32\pufnnkhokbqrk\tst
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\TEMP\f3ugzcoj1t1kihhsf.exe
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\TEMP\f3ugzcoj1t1kihhsf.exe -r 46079 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\slkoutjvevm.exe"

Process
↳ C:\WINDOWS\system32\slkoutjvevm.exe

Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\pufnnkhokbqrk\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\slkoutjvevm.exe"

Creates File: C:\WINDOWS\system32\pufnnkhokbqrk\tst

Process
↳ C:\WINDOWS\TEMP\f3ugzcoj1t1kihhsf.exe -r 46079 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: journeymeasure.net (Type: A) ➝ 50.87.249.65
DNS: riddenstorm.net (Type: A) ➝ 66.147.240.171
DNS: thosewhile.net (Type: A) ➝ 198.27.70.45
DNS: watchneck.net (Type: A) ➝ 208.100.26.234
DNS: watchfood.net (Type: A) ➝ 95.130.17.36
DNS: dreamneck.net (Type: A) ➝ 195.22.26.248
DNS: dreamshown.net (Type: A) ➝ 195.22.26.248
DNS: dreamfood.net (Type: A) ➝ 222.234.2.109
DNS: dreammeet.net (Type: A) ➝ 195.22.28.199
DNS: dreammeet.net (Type: A) ➝ 195.22.28.196
DNS: dreammeet.net (Type: A) ➝ 195.22.28.197
DNS: dreammeet.net (Type: A) ➝ 195.22.28.198
DNS: southtoday.net (Type: A) ➝ 46.153.196.198
DNS: groupsome.net (Type: A) ➝ 130.185.109.77
DNS: equalsuch.net (Type: A) ➝ 208.100.26.234
DNS: fairseven.net (Type: A) ➝ 134.119.244.71
DNS: watchtoday.net (Type: A) ➝ 50.63.202.61
DNS: dreamtoday.net (Type: A) ➝ 81.169.145.86
DNS: orderthrown.net (Type: A)
DNS: decidepromise.net (Type: A)
DNS: seasonstrong.net (Type: A)
DNS: simonettedwerryhouse.net (Type: A)
DNS: morningduring.net (Type: A)
DNS: chiefanother.net (Type: A)
DNS: gwendolynhuddleston.net (Type: A)
DNS: oftensurprise.net (Type: A)
DNS: effortbuilt.net (Type: A)
DNS: spokefood.net (Type: A)
DNS: visitfood.net (Type: A)
DNS: spokemeet.net (Type: A)
DNS: visitmeet.net (Type: A)
DNS: fairneck.net (Type: A)
DNS: watchshown.net (Type: A)
DNS: fairshown.net (Type: A)
DNS: fairfood.net (Type: A)
DNS: watchmeet.net (Type: A)
DNS: fairmeet.net (Type: A)
DNS: thisneck.net (Type: A)
DNS: thisshown.net (Type: A)
DNS: thisfood.net (Type: A)
DNS: thismeet.net (Type: A)
DNS: arivesome.net (Type: A)
DNS: southsome.net (Type: A)
DNS: ariveseven.net (Type: A)
DNS: southseven.net (Type: A)
DNS: arivetoday.net (Type: A)
DNS: arivesuch.net (Type: A)
DNS: southsuch.net (Type: A)
DNS: uponsome.net (Type: A)
DNS: whichsome.net (Type: A)
DNS: uponseven.net (Type: A)
DNS: whichseven.net (Type: A)
DNS: upontoday.net (Type: A)
DNS: whichtoday.net (Type: A)
DNS: uponsuch.net (Type: A)
DNS: whichsuch.net (Type: A)
DNS: spotsome.net (Type: A)
DNS: saltsome.net (Type: A)
DNS: spotseven.net (Type: A)
DNS: saltseven.net (Type: A)
DNS: spottoday.net (Type: A)
DNS: salttoday.net (Type: A)
DNS: spotsuch.net (Type: A)
DNS: saltsuch.net (Type: A)
DNS: gladsome.net (Type: A)
DNS: takensome.net (Type: A)
DNS: gladseven.net (Type: A)
DNS: takenseven.net (Type: A)
DNS: gladtoday.net (Type: A)
DNS: takentoday.net (Type: A)
DNS: gladsuch.net (Type: A)
DNS: takensuch.net (Type: A)
DNS: equalsome.net (Type: A)
DNS: equalseven.net (Type: A)
DNS: groupseven.net (Type: A)
DNS: equaltoday.net (Type: A)
DNS: grouptoday.net (Type: A)
DNS: groupsuch.net (Type: A)
DNS: spokesome.net (Type: A)
DNS: visitsome.net (Type: A)
DNS: spokeseven.net (Type: A)
DNS: visitseven.net (Type: A)
DNS: spoketoday.net (Type: A)
DNS: visittoday.net (Type: A)
DNS: spokesuch.net (Type: A)
DNS: visitsuch.net (Type: A)
DNS: watchsome.net (Type: A)
DNS: fairsome.net (Type: A)
DNS: watchseven.net (Type: A)
DNS: fairtoday.net (Type: A)
DNS: watchsuch.net (Type: A)
DNS: fairsuch.net (Type: A)
DNS: dreamsome.net (Type: A)
DNS: thissome.net (Type: A)
DNS: dreamseven.net (Type: A)
DNS: thisseven.net (Type: A)
DNS: thistoday.net (Type: A)
DNS: dreamsuch.net (Type: A)
DNS: thissuch.net (Type: A)
DNS: arivedare.net (Type: A)
HTTP GET: http://journeymeasure.net/index.php
User-Agent:
HTTP GET: http://riddenstorm.net/index.php
User-Agent:
HTTP GET: http://thosewhile.net/index.php
User-Agent:
HTTP GET: http://watchneck.net/index.php
User-Agent:
HTTP GET: http://watchfood.net/index.php
User-Agent:
HTTP GET: http://dreamneck.net/index.php
User-Agent:
HTTP GET: http://dreamshown.net/index.php
User-Agent:
HTTP GET: http://dreamfood.net/index.php
User-Agent:
HTTP GET: http://dreammeet.net/index.php
User-Agent:
HTTP GET: http://southtoday.net/index.php
User-Agent:
HTTP GET: http://groupsome.net/index.php
User-Agent:
HTTP GET: http://equalsuch.net/index.php
User-Agent:
HTTP GET: http://fairseven.net/index.php
User-Agent:
HTTP GET: http://watchtoday.net/index.php
User-Agent:
HTTP GET: http://dreamtoday.net/index.php
User-Agent:
HTTP GET: http://journeymeasure.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 50.87.249.65:80
Flows TCP: 192.168.1.1:1038 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1039 ➝ 198.27.70.45:80
Flows TCP: 192.168.1.1:1040 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1041 ➝ 95.130.17.36:80
Flows TCP: 192.168.1.1:1042 ➝ 195.22.26.248:80
Flows TCP: 192.168.1.1:1043 ➝ 195.22.26.248:80
Flows TCP: 192.168.1.1:1044 ➝ 222.234.2.109:80
Flows TCP: 192.168.1.1:1045 ➝ 195.22.28.199:80
Flows TCP: 192.168.1.1:1046 ➝ 46.153.196.198:80
Flows TCP: 192.168.1.1:1047 ➝ 130.185.109.77:80
Flows TCP: 192.168.1.1:1042 ➝ 85.64.86.41:51481
Flows TCP: 192.168.1.1:1048 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1049 ➝ 134.119.244.71:80
Flows TCP: 192.168.1.1:1050 ➝ 50.63.202.61:80
Flows TCP: 192.168.1.1:1051 ➝ 81.169.145.86:80
Flows TCP: 192.168.1.1:1052 ➝ 50.87.249.65:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206a   : close..Host: j
0x00000040 (00064)   6f75726e 65796d65 61737572 652e6e65   ourneymeasure.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69646465 6e73746f 726d2e6e 65740d0a   iddenstorm.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2074   : close..Host: t
0x00000040 (00064)   686f7365 7768696c 652e6e65 740d0a0d   hosewhile.net...
0x00000050 (00080)   0a0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746368 6e65636b 2e6e6574 0d0a0d0a   atchneck.net....
0x00000050 (00080)   0a0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746368 666f6f64 2e6e6574 0d0a0d0a   atchfood.net....
0x00000050 (00080)   0a0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   7265616d 6e65636b 2e6e6574 0d0a0d0a   reamneck.net....
0x00000050 (00080)   0a0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   7265616d 73686f77 6e2e6e65 740d0a0d   reamshown.net...
0x00000050 (00080)   0a0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   7265616d 666f6f64 2e6e6574 0d0a0d0a   reamfood.net....
0x00000050 (00080)   0a0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   7265616d 6d656574 2e6e6574 0d0a0d0a   reammeet.net....
0x00000050 (00080)   0a0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   6f757468 746f6461 792e6e65 740d0a0d   outhtoday.net...
0x00000050 (00080)   0a0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2067   : close..Host: g
0x00000040 (00064)   726f7570 736f6d65 2e6e6574 0d0a0d0a   roupsome.net....
0x00000050 (00080)   0a0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   7175616c 73756368 2e6e6574 0d0a0d0a   qualsuch.net....
0x00000050 (00080)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   61697273 6576656e 2e6e6574 0d0a0d0a   airseven.net....
0x00000050 (00080)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746368 746f6461 792e6e65 740d0a0d   atchtoday.net...
0x00000050 (00080)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   7265616d 746f6461 792e6e65 740d0a0d   reamtoday.net...
0x00000050 (00080)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206a   : close..Host: j
0x00000040 (00064)   6f75726e 65796d65 61737572 652e6e65   ourneymeasure.ne
0x00000050 (00080)   740d0a0d 0a                           t....
Strings