Analysis Date | 2015-11-10 19:19:36 |
---|---|
MD5 | 46d62bbec8720ac0e80c8779245942d2 |
SHA1 | 281040d009b26b14968d7fb5adc9c1c0c9da071a |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: 3f41aa5bfe463f1e0d63883232ecc949 sha1: b442b1bbd0a4e43f5059bc4e11bffe1f4b0e861a size: 1167872 | |
Section | .rdata md5: d622d16f879a358c7273577a490160ea sha1: 1bea0bd8371b1316ea7f7bea9d1d1653c96ef22a size: 291328 | |
Section | .data md5: 7bf1e97b96ca43823e84a75de24213ce sha1: a56a5da8d893baf434a308dae000a1811273570f size: 8192 | |
Section | .reloc md5: 090ef579b8604865edea86c8c5bce090 sha1: 3f19c403c146c1e562bc000a115a197ce1c3480b size: 145408 | |
Timestamp | 2015-05-11 04:49:17 | |
Packer | VC8 -> Microsoft Corporation | |
PEhash | 1d931c9e90e8f614c3dbbcba2fa191e2c737a0d0 | |
IMPhash | b72df0fa0e8d9de268597f0c29fdf11d | |
AV | CA (E-Trust Ino) | No Virus |
AV | Rising | No Virus |
AV | Mcafee | Trojan-FGIJ!46D62BBEC872 |
AV | Avira (antivir) | TR/Crypt.Xpack.310763 |
AV | Twister | No Virus |
AV | Ad-Aware | Gen:Variant.Kazy.611782 |
AV | Alwil (avast) | Dropper-OJQ [Drp] |
AV | Eset (nod32) | Win32/Bayrob.Y |
AV | Grisoft (avg) | Win32/Cryptor |
AV | Symantec | Downloader.Upatre!g15 |
AV | Fortinet | W32/Bayrob.X!tr |
AV | BitDefender | Gen:Variant.Kazy.611782 |
AV | K7 | Trojan ( 004c77f41 ) |
AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.BN |
AV | MicroWorld (escan) | Gen:Variant.Kazy.611782 |
AV | MalwareBytes | No Virus |
AV | Authentium | W32/SoxGrave.A.gen!Eldorado |
AV | Frisk (f-prot) | No Virus |
AV | Ikarus | Trojan.Win32.Bayrob |
AV | Emsisoft | Gen:Variant.Kazy.611782 |
AV | Zillya! | No Virus |
AV | Kaspersky | Trojan.Win32.Generic |
AV | Trend Micro | No Virus |
AV | CAT (quickheal) | No Virus |
AV | VirusBlokAda (vba32) | No Virus |
AV | Padvish | No Virus |
AV | BullGuard | Gen:Variant.Kazy.611782 |
AV | Arcabit (arcavir) | Gen:Variant.Kazy.611782 |
AV | ClamAV | No Virus |
AV | Dr. Web | Trojan.Bayrob.5 |
AV | F-Secure | Gen:Variant.Kazy.611782 |
Runtime Details:
Process
↳ C:\malware.exe
Creates File | C:\WINDOWS\system32\pswaiiaiufr\tst |
---|---|
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\aw1lwsk1lj6toijezhe3n.exe |
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\aw1lwsk1lj6toijezhe3n.exe |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\aw1lwsk1lj6toijezhe3n.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ActiveX Awareness Locator Spooler Media ➝ C:\WINDOWS\system32\nmhkkfg.exe |
---|---|
Creates File | C:\WINDOWS\system32\pswaiiaiufr\tst |
Creates File | C:\WINDOWS\system32\drivers\etc\hosts |
Creates File | C:\WINDOWS\system32\nmhkkfg.exe |
Creates File | C:\WINDOWS\system32\pswaiiaiufr\etc |
Creates File | C:\WINDOWS\system32\pswaiiaiufr\lck |
Deletes File | C:\WINDOWS\system32\\drivers\etc\hosts |
Creates Process | C:\WINDOWS\system32\nmhkkfg.exe |
Creates Service | Config Biometric DCOM Transfer - C:\WINDOWS\system32\nmhkkfg.exe |
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 804
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe
Creates File | pipe\PCHFaultRepExecPipe |
---|
Process
↳ Pid 1204
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
---|---|
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Creates File | WMIDataDevice |
Process
↳ Pid 1864
Process
↳ Pid 1172
Process
↳ C:\WINDOWS\system32\nmhkkfg.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1 |
---|---|
Creates File | C:\WINDOWS\system32\pswaiiaiufr\run |
Creates File | C:\WINDOWS\system32\pswaiiaiufr\tst |
Creates File | C:\WINDOWS\system32\pswaiiaiufr\cfg |
Creates File | pipe\net\NtControlPipe10 |
Creates File | C:\WINDOWS\system32\pswaiiaiufr\rng |
Creates File | C:\WINDOWS\TEMP\aw1lwsk1ssgtoij.exe |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\WINDOWS\system32\qoknxdhqk.exe |
Creates File | C:\WINDOWS\system32\pswaiiaiufr\lck |
Creates Process | WATCHDOGPROC "c:\windows\system32\nmhkkfg.exe" |
Creates Process | C:\WINDOWS\TEMP\aw1lwsk1ssgtoij.exe -r 27798 tcp |
Process
↳ C:\WINDOWS\system32\nmhkkfg.exe
Creates File | C:\WINDOWS\system32\pswaiiaiufr\tst |
---|
Process
↳ WATCHDOGPROC "c:\windows\system32\nmhkkfg.exe"
Creates File | C:\WINDOWS\system32\pswaiiaiufr\tst |
---|
Process
↳ C:\WINDOWS\TEMP\aw1lwsk1ssgtoij.exe -r 27798 tcp
Creates File | \Device\Afd\Endpoint |
---|---|
Winsock DNS | 239.255.255.250 |
Network Details:
HTTP GET | http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://hairhour.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://musichour.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://frontcompe.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://frontfell.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://frontcount.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://offercount.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://hanghour.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://rockfell.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |
HTTP GET | http://musicleft.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent: |