Analysis Date: 2015-07-27 17:05:30
MD5: 0bc67e1f89c1193adffe10184bd100bf
SHA1: 1f7b7b96e6416b4d30c34dd8dc93b973aebb89b3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 1c2199861ba5f1c43ab0cf080bf05a17   sha1: b33c97a2ad698ccbcec1852a7507d6401fdebd4d   size: 257536
Section .rdata  md5: d3379235979116d87d1aa6bd7e85fdbd   sha1: 0479d8396c89ca86875ecb0195ea1eaf62150eaa   size: 42496
Section .data   md5: 910e4ec5567044931395b2ccb8de76e0   sha1: 494079d1b962300070c03efa4b0946d53a3ad378   size: 6656
Section .reloc  md5: efc9e729eef07bc1f7b964f2b555382b   sha1: f5402880004a9548c43520ceca4b0c9634e8d048   size: 17408
Timestamp: 2015-05-21 04:46:19
Packer: Microsoft Visual C++ ?.?
PEhash: 8924160cfa49901b41c580cbfef3b3feb665df06
IMPhash: 37b9b976e208acffe954067373b7dd31
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Emsisoft: Gen:Variant.Diley.1
AV Dr. Web: no_virus
AV MalwareBytes: Trojan.Agent.KVTGen
AV Rising: 0x58e47949
AV Zillya!: no_virus
AV Trend Micro: TROJ_BAYROB.SM0
AV ClamAV: no_virus
AV CA (E-Trust Ino): no_virus
AV BitDefender: Gen:Variant.Diley.1
AV Grisoft (avg): Win32/Cryptor
AV Mcafee: Trojan-FGIJ!0BC67E1F89C1
AV BullGuard: Gen:Variant.Diley.1
AV Ikarus: Trojan.Win32.Bayrob
AV Kaspersky: no_virus
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV F-Secure: Gen:Variant.Diley.1
AV Avira (antivir): TR/Crypt.ZPACK.84262
AV Eset (nod32): Win32/Bayrob.Y
AV Fortinet: W32/Babrob.Y!tr
AV Authentium: W32/Scar.V.gen!Eldorado
AV Symantec: Downloader.Upatre!g15
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Diley.1
AV K7: Trojan ( 004c77f41 )
AV Twister: Trojan.Generic.legc
AV Padvish: no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.r4
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV Frisk (f-prot): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\cwzmhugrotz\f1h21kgzqhdyqk7xvbia.exe
Creates File: C:\WINDOWS\cwzmhugrotz\x8wvni
Creates File: C:\cwzmhugrotz\x8wvni
Deletes File: C:\WINDOWS\cwzmhugrotz\x8wvni
Creates Process: C:\cwzmhugrotz\f1h21kgzqhdyqk7xvbia.exe

Process
↳ C:\cwzmhugrotz\f1h21kgzqhdyqk7xvbia.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Debugger Background Spooler Enumerator Fax KtmRm ➝ C:\cwzmhugrotz\zbrtjoos.exe
Creates File: C:\WINDOWS\cwzmhugrotz\x8wvni
Creates File: C:\cwzmhugrotz\zj9emjsiilyz
Creates File: PIPE\lsarpc
Creates File: C:\cwzmhugrotz\zbrtjoos.exe
Creates File: C:\cwzmhugrotz\x8wvni
Deletes File: C:\WINDOWS\cwzmhugrotz\x8wvni
Creates Process: C:\cwzmhugrotz\zbrtjoos.exe
Creates Service: Logs KtmRm Parental Presentation Problem - C:\cwzmhugrotz\zbrtjoos.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1164

Process
↳ C:\cwzmhugrotz\zbrtjoos.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\cwzmhugrotz\vfizsxqx.exe
Creates File: C:\WINDOWS\cwzmhugrotz\x8wvni
Creates File: C:\cwzmhugrotz\zj9emjsiilyz
Creates File: \Device\Afd\Endpoint
Creates File: C:\cwzmhugrotz\nzywvf9nghu
Creates File: C:\cwzmhugrotz\x8wvni
Deletes File: C:\WINDOWS\cwzmhugrotz\x8wvni
Creates Process: yvz2ernpkqfv "c:\cwzmhugrotz\zbrtjoos.exe"

Process
↳ C:\cwzmhugrotz\zbrtjoos.exe

Creates File: C:\WINDOWS\cwzmhugrotz\x8wvni
Creates File: C:\cwzmhugrotz\x8wvni
Deletes File: C:\WINDOWS\cwzmhugrotz\x8wvni

Process
↳ yvz2ernpkqfv "c:\cwzmhugrotz\zbrtjoos.exe"

Creates File: C:\WINDOWS\cwzmhugrotz\x8wvni
Creates File: C:\cwzmhugrotz\x8wvni
Deletes File: C:\WINDOWS\cwzmhugrotz\x8wvni
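The runtime records above show the host-side pattern worth hunting for: a binary dropped into a root-level directory with a random name, registered both as a Run value and as a service under names stitched together from Windows service vocabulary ("Debugger Background Spooler Enumerator Fax KtmRm", "Logs KtmRm Parental Presentation Problem"), and a final launch where a random token precedes the quoted image path. The following triage script is an added example written for this page; it is not part of the sandbox, the sample, or any vendor tool. The events are transcribed from the report, the benign entry is constructed for contrast, and the three checks (image outside trusted roots, random-looking path components, multi-word service-style names, plus the non-path launcher token) are heuristics whose thresholds are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Events transcribed from the "Runtime Details" section of this report. The
# tuples below are the only inputs; a real deployment would read them from
# the sandbox's JSON or from Sysmon/EDR telemetry instead.
AUTOSTART_EVENTS = [
    ("Run value", "Debugger Background Spooler Enumerator Fax KtmRm",
     r"C:\cwzmhugrotz\zbrtjoos.exe"),
    ("Service", "Logs KtmRm Parental Presentation Problem",
     r"C:\cwzmhugrotz\zbrtjoos.exe"),
]
PROCESS_EVENTS = [
    r"C:\cwzmhugrotz\f1h21kgzqhdyqk7xvbia.exe",
    r"C:\cwzmhugrotz\zbrtjoos.exe",
    r'yvz2ernpkqfv "c:\cwzmhugrotz\zbrtjoos.exe"',
]
# Constructed benign entry for contrast; not from the report.
BENIGN_AUTOSTART = ("Run value", "ExampleUpdater",
                    r"C:\Program Files\ExampleVendor\updater.exe")

TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
VOWELS = set("aeiou")
# A bare token (no backslash, no dot) followed by a quoted .exe path, the shape
# of the sandbox's last "Creates Process" line.
LAUNCH_RE = re.compile(r'^([^\s\\.]+)\s+"([^"]+\.exe)"\s*$', re.IGNORECASE)


def under_trusted_root(path: str) -> bool:
    # Case-insensitive prefix test against the roots a legitimate installer uses.
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(root.lower() + "\\") for root in TRUSTED_ROOTS)


def longest_consonant_run(token: str) -> int:
    """Length of the longest run of non-vowel letters/digits in the token."""
    run = best = 0
    for ch in token.lower():
        if ch.isalnum() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(token: str) -> bool:
    # Heuristic only: pronounceable names rarely stack 4+ consonants or digits;
    # acronyms will trip it, so treat a hit as evidence, not a verdict.
    return longest_consonant_run(token) >= 4


def random_components(path: str) -> list:
    """Directory names and the file stem of `path` that look machine-generated."""
    p = PureWindowsPath(path)
    return [c for c in list(p.parts[1:-1]) + [p.stem] if looks_random(c)]


def service_style_name(name: str) -> bool:
    # Heuristic: the sample stitches 4+ capitalised words lifted from Windows
    # service display names; legitimate Run values are usually one product token.
    words = name.split()
    return len(words) >= 4 and all(w[:1].isupper() for w in words)


def spoofed_launcher(cmdline: str):
    """Return (token, image) when a non-path token fronts a quoted .exe path, else None."""
    m = LAUNCH_RE.match(cmdline)
    return m.groups() if m else None


def triage_autostart(name: str, image: str) -> list:
    reasons = []
    if not under_trusted_root(image):
        reasons.append("image outside trusted roots")
    rc = random_components(image)
    if rc:
        reasons.append("random-looking path components: " + ", ".join(rc))
    if service_style_name(name):
        reasons.append("multi-word service-style name")
    return reasons


def triage_process(cmdline: str) -> list:
    reasons = []
    sp = spoofed_launcher(cmdline)
    image = sp[1] if sp else cmdline.strip('"')
    if sp:
        reasons.append("non-path launcher token %r in front of quoted image" % sp[0])
    reasons += triage_autostart("", image)
    return reasons


def triage_report() -> dict:
    """Run the checks over the page's events; keys are the event strings."""
    out = {}
    for kind, name, image in AUTOSTART_EVENTS:
        out["%s %s" % (kind, name)] = triage_autostart(name, image)
    for cmd in PROCESS_EVENTS:
        out[cmd] = triage_process(cmd)
    return out


if __name__ == "__main__":
    for event, reasons in triage_report().items():
        print(event, "->", reasons or "clean")
    print(BENIGN_AUTOSTART[1], "->", triage_autostart(*BENIGN_AUTOSTART[1:]) or "clean")
```

Note that the trusted-root check alone would pass the copies the sample writes under C:\WINDOWS\cwzmhugrotz\; the random-component check is what still fires on that directory, which is why the two are scored together rather than either one being treated as a verdict.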

Network Details:

DNS: windowsafety.net  Type: A  ➝ 184.168.221.55
DNS: sweetsmell.net  Type: A  ➝ 46.137.81.225
DNS: sweetsmell.net  Type: A  ➝ 54.75.225.111
DNS: sweetsmell.net  Type: A  ➝ 54.246.118.68
DNS: sweetsmell.net  Type: A  ➝ 54.246.123.138
DNS: sweetsmell.net  Type: A  ➝ 79.125.109.53
DNS: sweetsmell.net  Type: A  ➝ 176.34.234.43
DNS: simplehealth.net  Type: A  ➝ 98.124.198.1
DNS: possibleseparate.net  Type: A  ➝ 208.91.197.241
DNS: mountainhealth.net  Type: A  ➝ 69.64.147.249
DNS: winterclothes.net  Type: A  ➝ 66.151.181.49
DNS: leaveseparate.net  Type: A  ➝ 95.211.230.75
DNS: perhapsearly.net  Type: A
DNS: windowearly.net  Type: A
DNS: perhapssafety.net  Type: A
DNS: perhapsfuture.net  Type: A
DNS: windowfuture.net  Type: A
DNS: wintersmell.net  Type: A
DNS: subjectsmell.net  Type: A
DNS: winterearly.net  Type: A
DNS: subjectearly.net  Type: A
DNS: wintersafety.net  Type: A
DNS: subjectsafety.net  Type: A
DNS: winterfuture.net  Type: A
DNS: subjectfuture.net  Type: A
DNS: finishsmell.net  Type: A
DNS: leavesmell.net  Type: A
DNS: finishearly.net  Type: A
DNS: leaveearly.net  Type: A
DNS: finishsafety.net  Type: A
DNS: leavesafety.net  Type: A
DNS: finishfuture.net  Type: A
DNS: leavefuture.net  Type: A
DNS: probablysmell.net  Type: A
DNS: sweetearly.net  Type: A
DNS: probablyearly.net  Type: A
DNS: sweetsafety.net  Type: A
DNS: probablysafety.net  Type: A
DNS: sweetfuture.net  Type: A
DNS: probablyfuture.net  Type: A
DNS: severalsmell.net  Type: A
DNS: materialsmell.net  Type: A
DNS: severalearly.net  Type: A
DNS: materialearly.net  Type: A
DNS: severalsafety.net  Type: A
DNS: materialsafety.net  Type: A
DNS: severalfuture.net  Type: A
DNS: materialfuture.net  Type: A
DNS: severaseparate.net  Type: A
DNS: laughseparate.net  Type: A
DNS: severahealth.net  Type: A
DNS: laughhealth.net  Type: A
DNS: severaclothes.net  Type: A
DNS: laughclothes.net  Type: A
DNS: severadistant.net  Type: A
DNS: laughdistant.net  Type: A
DNS: simpleseparate.net  Type: A
DNS: motherseparate.net  Type: A
DNS: motherhealth.net  Type: A
DNS: simpleclothes.net  Type: A
DNS: motherclothes.net  Type: A
DNS: simpledistant.net  Type: A
DNS: motherdistant.net  Type: A
DNS: mountainseparate.net  Type: A
DNS: possiblehealth.net  Type: A
DNS: mountainclothes.net  Type: A
DNS: possibleclothes.net  Type: A
DNS: mountaindistant.net  Type: A
DNS: possibledistant.net  Type: A
DNS: perhapsseparate.net  Type: A
DNS: windowseparate.net  Type: A
DNS: perhapshealth.net  Type: A
DNS: windowhealth.net  Type: A
DNS: perhapsclothes.net  Type: A
DNS: windowclothes.net  Type: A
DNS: perhapsdistant.net  Type: A
DNS: windowdistant.net  Type: A
DNS: winterseparate.net  Type: A
DNS: subjectseparate.net  Type: A
DNS: winterhealth.net  Type: A
DNS: subjecthealth.net  Type: A
DNS: subjectclothes.net  Type: A
DNS: winterdistant.net  Type: A
DNS: subjectdistant.net  Type: A
DNS: finishseparate.net  Type: A
DNS: finishhealth.net  Type: A
DNS: leavehealth.net  Type: A
DNS: finishclothes.net  Type: A
DNS: leaveclothes.net  Type: A
DNS: finishdistant.net  Type: A
HTTP GET: http://windowsafety.net/index.php  User-Agent: (empty)
HTTP GET: http://sweetsmell.net/index.php  User-Agent: (empty)
HTTP GET: http://simplehealth.net/index.php  User-Agent: (empty)
HTTP GET: http://possibleseparate.net/index.php  User-Agent: (empty)
HTTP GET: http://mountainhealth.net/index.php  User-Agent: (empty)
HTTP GET: http://winterclothes.net/index.php  User-Agent: (empty)
HTTP GET: http://leaveseparate.net/index.php  User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 184.168.221.55:80
Flows TCP: 192.168.1.1:1032 ➝ 46.137.81.225:80
Flows TCP: 192.168.1.1:1033 ➝ 98.124.198.1:80
Flows TCP: 192.168.1.1:1034 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1035 ➝ 69.64.147.249:80
Flows TCP: 192.168.1.1:1036 ➝ 66.151.181.49:80
Flows TCP: 192.168.1.1:1037 ➝ 95.211.230.75:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   696e646f 77736166 6574792e 6e65740d   indowsafety.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   77656574 736d656c 6c2e6e65 740d0a0d   weetsmell.net...
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   696d706c 65686561 6c74682e 6e65740d   implehealth.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   6f737369 626c6573 65706172 6174652e   ossibleseparate.
0x00000050 (00080)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f756e74 61696e68 65616c74 682e6e65   ountainhealth.ne
0x00000050 (00080)   740d0a0d 0a0d0a                       t......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   696e7465 72636c6f 74686573 2e6e6574   interclothes.net
0x00000050 (00080)   0d0a0d0a 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   65617665 73657061 72617465 2e6e6574   eaveseparate.net
0x00000050 (00080)   0d0a0d0a 0a0d0a                       .......
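Every capture above is the same beacon: `GET /index.php HTTP/1.0`, `Accept: */*`, `Connection: close`, a `Host` made of two lowercase dictionary words under .net, and no User-Agent header at all (the empty "User-Agent:" in the summary reflects its absence in the raw request). Together with the Bayrob/Nivdort labels in the AV table, the long list of unresolved two-word .net names in the DNS section is what a dictionary-based DGA looks like from the wire. The script below is an added example written for this page, not code from the sandbox or from the sample: it rebuilds the payload from the report's own hex-dump text, parses the request, and scores it against that profile. The word lists are only the halves of the hostnames that appear on this page (the family's real list is larger), the benign request is constructed for contrast, and the four-indicator threshold is an assumption.

```python
import re

# Hex dump copied from the "Raw Pcap" section of this report (first beacon,
# to windowsafety.net). Format: hex offset, decimal offset, a 35-character hex
# column (four groups of 8 hex digits), then the ASCII rendering.
SAMPLE_DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   696e646f 77736166 6574792e 6e65740d   indowsafety.net.
0x00000050 (00080)   0a0d0a                                ...
"""

# Constructed benign request for contrast; not taken from the report.
BENIGN_REQUEST = (b"GET /index.php HTTP/1.1\r\nHost: example.com\r\n"
                  b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n")

# Word lists are exactly the first and second halves of the .net hostnames in
# this report's DNS section; the real DGA wordlist is larger. "severa" is
# included because the page shows severaseparate.net etc. spelled that way.
FIRST_WORDS = {"window", "sweet", "simple", "possible", "mountain", "winter",
               "leave", "perhaps", "subject", "finish", "probably", "several",
               "severa", "material", "laugh", "mother"}
SECOND_WORDS = {"safety", "smell", "health", "separate", "clothes", "early",
                "future", "distant"}

# Assumption about the dump layout: the hex column is at most 35 characters
# wide, so everything past it (the ASCII rendering) is ignored.
DUMP_LINE = re.compile(r"^0x[0-9a-fA-F]{8} \(\d+\)\s+(.{1,35})")


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the captured payload from the sandbox's hex-dump text."""
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line plus headers (names lower-cased)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, sep, value = h.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def split_dictionary_host(host: str):
    """Return (first, second) when host is <first><second>.net from the page's word lists."""
    label, dot, tld = host.lower().rpartition(".")
    if not dot or tld != "net":
        return None
    for first in FIRST_WORDS:
        if label.startswith(first) and label[len(first):] in SECOND_WORDS:
            return first, label[len(first):]
    return None


def beacon_indicators(req: dict) -> list:
    """Traits of the beacon visible in this report's pcap; each hit is one piece of evidence."""
    hdr = req["headers"]
    hits = []
    if req["method"] == "GET" and req["path"] == "/index.php":
        hits.append("GET /index.php")
    if req["version"] == "HTTP/1.0":
        hits.append("HTTP/1.0")
    if "user-agent" not in hdr:
        hits.append("no User-Agent header")
    if hdr.get("connection", "").lower() == "close":
        hits.append("Connection: close")
    words = split_dictionary_host(hdr.get("host", ""))
    if words:
        hits.append("dictionary host %s+%s" % words)
    return hits


def is_beacon(req: dict, threshold: int = 4) -> bool:
    # Threshold is an assumption: any single trait above is common in benign traffic.
    return len(beacon_indicators(req)) >= threshold


def analyze_dump(dump: str) -> dict:
    req = parse_request(dump_to_bytes(dump))
    hits = beacon_indicators(req)
    return {"host": req["headers"].get("host"), "indicators": hits, "beacon": len(hits) >= 4}


if __name__ == "__main__":
    print(analyze_dump(SAMPLE_DUMP))
    print(beacon_indicators(parse_request(BENIGN_REQUEST)))
```

Run against the other six dumps above, the only thing that changes is the `Host` value, which is why the host-splitting check carries more weight than the fixed headers: the fixed headers identify the client, the word-pair host identifies the DGA.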


Strings