Analysis Date: 2015-10-28 11:00:23
MD5: b41ae763c832f569f9e20d07a8138dec
SHA1: 24ad56801f1c776b4acf2e8a61bec6f648b6c9af

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 2b6e2f8e60be0bfe356516c2bf8dc11a sha1: e3a4c3458b32786c9ae122641749eab58949ff9a size: 1225728
Section .rdata: md5: 02524dd353dd94922aaed3fad1f7581c sha1: 8beeea1ce14a95c491256ea5d19122bf71f19a8f size: 316928
Section .data: md5: 829506c15b6d0308020b0f8a558a1fdd sha1: 98c5d0f4df6fb0e7782b1d91700e4112b0576c71 size: 7680
Section .reloc: md5: 51347a72f4b5fbf0741bd211ffe747ff sha1: 2f2ca397f5c02092404e5c7af215e3a7e8b9c3c4 size: 156672
Timestamp: 2015-05-11 04:51:57
Packer: VC8 -> Microsoft Corporation
PEhash: 0187c86953529d9f691291c0c05ec51aff8b844b
IMPhash: 24ed3a755562648aaa83330f791a4786
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.611782
AV Dr. Web: Trojan.Bayrob.5
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.611782
AV BullGuard: Gen:Variant.Kazy.611782
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Backdoor.Win32.SoxGrave.bot
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.611782
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.611782
AV Microsoft Security Essentials: no_virus
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Kazy.611782
AV Fortinet: W32/Bayrob.X!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Y
AV Alwil (avast): Dropper-OJQ [Drp]
AV Ad-Aware: Gen:Variant.Kazy.611782
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.Xpack.306584
AV Mcafee: Trojan-FGIJ!B41AE763C832

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\rqmyuq251hhbeznwdghus.exe
Creates File: C:\WINDOWS\system32\ouceochqhyii\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\rqmyuq251hhbeznwdghus.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\rqmyuq251hhbeznwdghus.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Logs Workstation Smart Location Intelligent ➝ C:\WINDOWS\system32\aiwtpapsd.exe
Creates File: C:\WINDOWS\system32\aiwtpapsd.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\ouceochqhyii\etc
Creates File: C:\WINDOWS\system32\ouceochqhyii\lck
Creates File: C:\WINDOWS\system32\ouceochqhyii\tst
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\aiwtpapsd.exe

Process
↳ C:\WINDOWS\system32\aiwtpapsd.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\rqmyuq25bqebez.exe
Creates File: C:\WINDOWS\system32\ouceochqhyii\run
Creates File: C:\WINDOWS\system32\saqnajmfkz.exe
Creates File: C:\WINDOWS\system32\ouceochqhyii\rng
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\ouceochqhyii\cfg
Creates File: C:\WINDOWS\system32\ouceochqhyii\lck
Creates File: C:\WINDOWS\system32\ouceochqhyii\tst
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\rqmyuq25bqebez.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\rqmyuq251hhbeznwdghus.exe
Creates Process: WATCHDOGPROC "c:\windows\system32\aiwtpapsd.exe"
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\rqmyuq25bqebez.exe -r 41186 tcp

Process
↳ WATCHDOGPROC "c:\windows\system32\aiwtpapsd.exe"

Creates File: C:\WINDOWS\system32\ouceochqhyii\tst

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\rqmyuq25bqebez.exe -r 41186 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS recordsoldier.net (A) ➝ 208.91.197.241
DNS fliersurprise.net (A) ➝ 208.91.197.241
DNS historybright.net (A) ➝ 208.91.197.241
DNS chiefsoldier.net (A) ➝ 208.91.197.241
DNS classsurprise.net (A) ➝ 208.91.197.241
DNS thosecontinue.net (A) ➝ 208.91.197.241
DNS throughcontain.net (A) ➝ 208.91.197.241
DNS belongguard.net (A) ➝ 208.91.197.241
DNS maybellinethaddeus.net (A) ➝ 208.91.197.241
DNS kimberleyshavonne.net (A) ➝ 208.91.197.241
DNS naildeep.com (A) ➝ 74.220.215.218
DNS riddenstorm.net (A) ➝ 66.147.240.171
DNS destroystorm.net (A) ➝ 216.239.138.86
DNS watchneck.net (A) ➝ 208.100.26.234
DNS watchfood.net (A) ➝ 95.130.17.36
DNS fairfood.net (A) ➝ 69.172.201.208
DNS dreamfood.net (A) ➝ 222.234.2.109
DNS thisfood.net (A) ➝ 50.63.202.42
DNS southtoday.net (A) ➝ 5.246.175.169
DNS recordsoldier.net (A) ➝ 208.91.197.241
DNS fliersurprise.net (A) ➝ 208.91.197.241
DNS historybright.net (A) ➝ 208.91.197.241
DNS chiefsoldier.net (A) ➝ 208.91.197.241
DNS classsurprise.net (A) ➝ 208.91.197.241
DNS thosecontinue.net (A) ➝ 208.91.197.241
DNS throughcontain.net (A) ➝ 208.91.197.241
DNS belongguard.net (A) ➝ 208.91.197.241
DNS maybellinethaddeus.net (A) ➝ 208.91.197.241
DNS kimberleyshavonne.net (A) ➝ 208.91.197.241
DNS naildeep.com (A) ➝ 74.220.215.218
DNS riddenstorm.net (A) ➝ 66.147.240.171
DNS destroystorm.net (A) ➝ 216.239.138.86
DNS gladfood.net (A) ➝ 166.62.5.1
DNS groupmeet.net (A) ➝ 185.53.177.7
DNS watchneck.net (A) ➝ 208.100.26.234
DNS watchfood.net (A) ➝ 95.130.17.36
DNS fairfood.net (A) ➝ 69.172.201.208
DNS dreamfood.net (A) ➝ 222.234.2.109
DNS thisfood.net (A) ➝ 50.63.202.42
DNS southtoday.net (A) ➝ 5.246.175.169
DNS husbandfound.net (A) ➝ (no answer recorded)
DNS leadershort.net (A) ➝ (no answer recorded)
DNS eggbraker.com (A) ➝ (no answer recorded)
DNS ithouneed.com (A) ➝ (no answer recorded)
DNS thisreach.net (A) ➝ (no answer recorded)
DNS ariveneck.net (A) ➝ (no answer recorded)
DNS southneck.net (A) ➝ (no answer recorded)
DNS ariveshown.net (A) ➝ (no answer recorded)
DNS southshown.net (A) ➝ (no answer recorded)
DNS arivefood.net (A) ➝ (no answer recorded)
DNS southfood.net (A) ➝ (no answer recorded)
DNS arivemeet.net (A) ➝ (no answer recorded)
DNS southmeet.net (A) ➝ (no answer recorded)
DNS uponneck.net (A) ➝ (no answer recorded)
DNS whichneck.net (A) ➝ (no answer recorded)
DNS uponshown.net (A) ➝ (no answer recorded)
DNS whichshown.net (A) ➝ (no answer recorded)
DNS uponfood.net (A) ➝ (no answer recorded)
DNS whichfood.net (A) ➝ (no answer recorded)
DNS uponmeet.net (A) ➝ (no answer recorded)
DNS whichmeet.net (A) ➝ (no answer recorded)
DNS spotneck.net (A) ➝ (no answer recorded)
DNS visitmeet.net (A) ➝ (no answer recorded)
DNS fairneck.net (A) ➝ (no answer recorded)
DNS watchshown.net (A) ➝ (no answer recorded)
DNS fairshown.net (A) ➝ (no answer recorded)
DNS watchmeet.net (A) ➝ (no answer recorded)
DNS fairmeet.net (A) ➝ (no answer recorded)
DNS dreamneck.net (A) ➝ (no answer recorded)
DNS thisneck.net (A) ➝ (no answer recorded)
DNS dreamshown.net (A) ➝ (no answer recorded)
DNS thisshown.net (A) ➝ (no answer recorded)
DNS dreammeet.net (A) ➝ (no answer recorded)
DNS thismeet.net (A) ➝ (no answer recorded)
DNS arivesome.net (A) ➝ (no answer recorded)
DNS southsome.net (A) ➝ (no answer recorded)
DNS ariveseven.net (A) ➝ (no answer recorded)
DNS southseven.net (A) ➝ (no answer recorded)
DNS arivetoday.net (A) ➝ (no answer recorded)
DNS arivesuch.net (A) ➝ (no answer recorded)
DNS southsuch.net (A) ➝ (no answer recorded)
DNS uponsome.net (A) ➝ (no answer recorded)
DNS whichsome.net (A) ➝ (no answer recorded)
DNS uponseven.net (A) ➝ (no answer recorded)
DNS whichseven.net (A) ➝ (no answer recorded)
DNS upontoday.net (A) ➝ (no answer recorded)
DNS whichtoday.net (A) ➝ (no answer recorded)
DNS uponsuch.net (A) ➝ (no answer recorded)
DNS whichsuch.net (A) ➝ (no answer recorded)
DNS spotsome.net (A) ➝ (no answer recorded)
DNS saltsome.net (A) ➝ (no answer recorded)
DNS spotseven.net (A) ➝ (no answer recorded)
DNS saltseven.net (A) ➝ (no answer recorded)
DNS saltneck.net (A) ➝ (no answer recorded)
DNS spotshown.net (A) ➝ (no answer recorded)
DNS saltshown.net (A) ➝ (no answer recorded)
DNS spotfood.net (A) ➝ (no answer recorded)
DNS saltfood.net (A) ➝ (no answer recorded)
DNS spotmeet.net (A) ➝ (no answer recorded)
DNS saltmeet.net (A) ➝ (no answer recorded)
DNS gladneck.net (A) ➝ (no answer recorded)
DNS takenneck.net (A) ➝ (no answer recorded)
DNS gladshown.net (A) ➝ (no answer recorded)
DNS takenshown.net (A) ➝ (no answer recorded)
DNS takenfood.net (A) ➝ (no answer recorded)
DNS gladmeet.net (A) ➝ (no answer recorded)
DNS takenmeet.net (A) ➝ (no answer recorded)
DNS equalneck.net (A) ➝ (no answer recorded)
DNS groupneck.net (A) ➝ (no answer recorded)
DNS equalshown.net (A) ➝ (no answer recorded)
DNS groupshown.net (A) ➝ (no answer recorded)
DNS equalfood.net (A) ➝ (no answer recorded)
DNS groupfood.net (A) ➝ (no answer recorded)
DNS equalmeet.net (A) ➝ (no answer recorded)
DNS spokeneck.net (A) ➝ (no answer recorded)
DNS visitneck.net (A) ➝ (no answer recorded)
DNS spokeshown.net (A) ➝ (no answer recorded)
DNS visitshown.net (A) ➝ (no answer recorded)
DNS spokefood.net (A) ➝ (no answer recorded)
DNS visitfood.net (A) ➝ (no answer recorded)
DNS spokemeet.net (A) ➝ (no answer recorded)
HTTP GET http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://watchneck.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://watchfood.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://fairfood.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://dreamfood.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://thisfood.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://southtoday.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://gladfood.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://groupmeet.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://watchneck.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://watchfood.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://fairfood.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://dreamfood.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://thisfood.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
HTTP GET http://southtoday.net/index.php?method=validate&mode=sox&v=050&sox=4e9eda01&lenhdr
User-Agent:
Flows TCP 192.168.1.1:1032 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1033 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1034 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1043 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1046 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1047 ➝ 74.220.215.218:80
Flows TCP 192.168.1.1:1048 ➝ 66.147.240.171:80
Flows TCP 192.168.1.1:1049 ➝ 216.239.138.86:80
Flows TCP 192.168.1.1:1056 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1062 ➝ 95.130.17.36:80
Flows TCP 192.168.1.1:1063 ➝ 69.172.201.208:80
Flows TCP 192.168.1.1:1064 ➝ 222.234.2.109:80
Flows TCP 192.168.1.1:1065 ➝ 50.63.202.42:80
Flows TCP 192.168.1.1:1066 ➝ 5.246.175.169:80
Flows TCP 192.168.1.1:1067 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1068 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1069 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1070 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1071 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1072 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1073 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1074 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1075 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1076 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1077 ➝ 74.220.215.218:80
Flows TCP 192.168.1.1:1078 ➝ 66.147.240.171:80
Flows TCP 192.168.1.1:1079 ➝ 216.239.138.86:80
Flows TCP 192.168.1.1:1080 ➝ 166.62.5.1:80
Flows TCP 192.168.1.1:1081 ➝ 185.53.177.7:80
Flows TCP 192.168.1.1:1082 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1083 ➝ 95.130.17.36:80
Flows TCP 192.168.1.1:1084 ➝ 69.172.201.208:80
Flows TCP 192.168.1.1:1085 ➝ 222.234.2.109:80
Flows TCP 192.168.1.1:1086 ➝ 50.63.202.42:80
Flows TCP 192.168.1.1:1087 ➝ 5.246.175.169:80