Analysis Date: 2015-11-14 06:58:59
MD5: 9b85b05219dd320c6f803f0abd0b15bc
SHA1: 2cce4f33779cab0c47319a8f665cec6cbe7d50b1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: eb8579d2c45415b664955f5aaa34ddda sha1: 2c53826f7453e633006399026e458030530e377e size: 1377280
Section .rdata md5: 5852ab442cb73ad1db73bfd7943db8bd sha1: 99fb1b11fa28110baf88c3ae118323829e28f802 size: 353280
Section .data md5: 896c9a4a511b07386eeab83be423e63a sha1: 3802fd882ba49a7fea8f52503de160104cbae559 size: 8192
Section .reloc md5: 73fa7df470923d0587e218a7f3074256 sha1: 2ca412b6db34c67ebf00d23e322126efe33c8ddd size: 192512
Timestamp: 2015-05-11 04:49:31
Packer: VC8 -> Microsoft Corporation
PEhash: ec8592a9bafca47161509314aae3282f186248a3
IMPhash: 1ba206b635d9d206146e8b46be926a5a
AV Rising: no_virus
AV Mcafee: Trojan-FGIJ!9B85B05219DD
AV Avira (antivir): no_virus
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Zusy.141331
AV Alwil (avast): Dropper-OJQ [Drp]
AV Eset (nod32): Win32/Bayrob.Y
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Bayrob.X!tr
AV BitDefender: Gen:Variant.Zusy.141331
AV K7: Trojan ( 004c77f41 )
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Diley.1
AV MalwareBytes: no_virus
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Diley.1
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Zusy.141331
AV Arcabit (arcavir): Gen:Variant.Zusy.141331
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.5
AV F-Secure: Gen:Variant.Zusy.141331
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\b5yiz1102xpmtljfujjpj.exe
Creates File: C:\WINDOWS\system32\scztxupbixeg\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\b5yiz1102xpmtljfujjpj.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\b5yiz1102xpmtljfujjpj.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Awareness Name Initiator Detection ➝ C:\WINDOWS\system32\dyajvlae.exe
Creates File: C:\WINDOWS\system32\scztxupbixeg\etc
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\scztxupbixeg\tst
Creates File: C:\WINDOWS\system32\dyajvlae.exe
Creates File: C:\WINDOWS\system32\scztxupbixeg\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\dyajvlae.exe
Creates Service: Group Adaptive WLAN Interactive WWAN iSCSI SPP - C:\WINDOWS\system32\dyajvlae.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-1BC69D2D.pf
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\2CCE4F33779CAB0C47319A8F665CE-1CBEA4D7.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\B5YIZ110DFBMTL.EXE-15EC5B12.pf
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\Prefetch\XUEYMKONKHO.EXE-1FCA6086.pf
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\B5YIZ1102XPMTLJFUJJPJ.EXE-257FE6B3.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\DYAJVLAE.EXE-0290AA96.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1204

Process
↳ Pid 1292

Process
↳ Pid 1860

Process
↳ Pid 976

Process
↳ C:\WINDOWS\system32\dyajvlae.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\scztxupbixeg\cfg
Creates File: C:\WINDOWS\system32\scztxupbixeg\tst
Creates File: C:\WINDOWS\TEMP\b5yiz110dfbmtl.exe
Creates File: C:\WINDOWS\system32\scztxupbixeg\lck
Creates File: C:\WINDOWS\system32\xueymkonkho.exe
Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\scztxupbixeg\rng
Creates File: C:\WINDOWS\system32\scztxupbixeg\run
Deletes File: C:\WINDOWS\TEMP\b5yiz110dfbmtl.exe
Creates Process: WATCHDOGPROC "c:\windows\system32\dyajvlae.exe"
Creates Process: C:\WINDOWS\TEMP\b5yiz110dfbmtl.exe -r 52543 tcp

Process
↳ C:\WINDOWS\system32\dyajvlae.exe

Creates File: C:\WINDOWS\system32\scztxupbixeg\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\dyajvlae.exe"

Creates File: C:\WINDOWS\system32\scztxupbixeg\tst

Process
↳ C:\WINDOWS\TEMP\b5yiz110dfbmtl.exe -r 52543 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: recordsoldier.net (Type: A) ➝ 208.91.197.241
DNS: fliersurprise.net (Type: A) ➝ 208.91.197.241
DNS: historybright.net (Type: A) ➝ 208.91.197.241
DNS: chiefsoldier.net (Type: A) ➝ 208.91.197.241
DNS: classsurprise.net (Type: A) ➝ 208.91.197.241
DNS: thosecontinue.net (Type: A) ➝ 208.91.197.241
DNS: throughcontain.net (Type: A) ➝ 208.91.197.241
DNS: belongguard.net (Type: A) ➝ 208.91.197.241
DNS: maybellinethaddeus.net (Type: A) ➝ 208.91.197.241
DNS: kimberleyshavonne.net (Type: A) ➝ 208.91.197.241
DNS: naildeep.com (Type: A) ➝ 74.220.215.218
DNS: riddenstorm.net (Type: A) ➝ 66.147.240.171
DNS: destroystorm.net (Type: A) ➝ 216.239.138.86
DNS: signvoice.net (Type: A) ➝ 208.100.26.234
DNS: roomfive.net (Type: A) ➝ 217.160.193.90
DNS: roomeight.net (Type: A) ➝ 220.124.143.32
DNS: jumpfive.net (Type: A) ➝ 82.165.21.75
DNS: threefive.net (Type: A) ➝ 184.168.221.54
DNS: husbandfound.net (Type: A)
DNS: leadershort.net (Type: A)
DNS: eggbraker.com (Type: A)
DNS: ithouneed.com (Type: A)
DNS: songthey.net (Type: A)
DNS: roomvoice.net (Type: A)
DNS: signfive.net (Type: A)
DNS: signeight.net (Type: A)
DNS: roomthey.net (Type: A)
DNS: signthey.net (Type: A)
DNS: movevoice.net (Type: A)
DNS: jumpvoice.net (Type: A)
DNS: movefive.net (Type: A)
DNS: moveeight.net (Type: A)
DNS: jumpeight.net (Type: A)
DNS: movethey.net (Type: A)
DNS: jumpthey.net (Type: A)
DNS: hillvoice.net (Type: A)
DNS: whomvoice.net (Type: A)
DNS: hillfive.net (Type: A)
DNS: whomfive.net (Type: A)
DNS: hilleight.net (Type: A)
DNS: whomeight.net (Type: A)
DNS: hillthey.net (Type: A)
DNS: whomthey.net (Type: A)
DNS: feltvoice.net (Type: A)
DNS: lookvoice.net (Type: A)
DNS: feltfive.net (Type: A)
DNS: lookfive.net (Type: A)
DNS: felteight.net (Type: A)
DNS: lookeight.net (Type: A)
DNS: feltthey.net (Type: A)
DNS: lookthey.net (Type: A)
DNS: threevoice.net (Type: A)
DNS: lordvoice.net (Type: A)
DNS: lordfive.net (Type: A)
DNS: threeeight.net (Type: A)
DNS: lordeight.net (Type: A)
DNS: threethey.net (Type: A)
DNS: lordthey.net (Type: A)
DNS: drinkvoice.net (Type: A)
DNS: wifevoice.net (Type: A)
DNS: drinkfive.net (Type: A)
DNS: wifefive.net (Type: A)
DNS: drinkeight.net (Type: A)
DNS: wifeeight.net (Type: A)
DNS: drinkthey.net (Type: A)
DNS: wifethey.net (Type: A)
DNS: knowaunt.net (Type: A)
DNS: ableaunt.net (Type: A)
DNS: knowscene.net (Type: A)
DNS: ablescene.net (Type: A)
DNS: knowgreat.net (Type: A)
DNS: ablegreat.net (Type: A)
DNS: knowdont.net (Type: A)
DNS: abledont.net (Type: A)
DNS: pickaunt.net (Type: A)
DNS: songaunt.net (Type: A)
DNS: pickscene.net (Type: A)
DNS: songscene.net (Type: A)
DNS: pickgreat.net (Type: A)
DNS: songgreat.net (Type: A)
DNS: pickdont.net (Type: A)
DNS: songdont.net (Type: A)
DNS: roomaunt.net (Type: A)
DNS: signaunt.net (Type: A)
DNS: roomscene.net (Type: A)
DNS: signscene.net (Type: A)
DNS: roomgreat.net (Type: A)
DNS: signgreat.net (Type: A)
DNS: roomdont.net (Type: A)
DNS: signdont.net (Type: A)
DNS: moveaunt.net (Type: A)
DNS: jumpaunt.net (Type: A)
DNS: movescene.net (Type: A)
DNS: jumpscene.net (Type: A)
DNS: movegreat.net (Type: A)
DNS: jumpgreat.net (Type: A)
DNS: movedont.net (Type: A)
DNS: jumpdont.net (Type: A)
DNS: hillaunt.net (Type: A)
DNS: whomaunt.net (Type: A)
DNS: hillscene.net (Type: A)
DNS: whomscene.net (Type: A)
HTTP GET: http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://signvoice.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://roomfive.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://roomeight.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://jumpfive.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://threefive.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://signvoice.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://roomfive.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://roomeight.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://jumpfive.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
HTTP GET: http://threefive.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr
User-Agent:
Flows TCP: 192.168.1.1:1032 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1033 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1034 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1035 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1045 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1046 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1047 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1048 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1049 ➝ 216.239.138.86:80
Flows TCP: 192.168.1.1:1050 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1051 ➝ 217.160.193.90:80
Flows TCP: 192.168.1.1:1052 ➝ 220.124.143.32:80
Flows TCP: 192.168.1.1:1053 ➝ 82.165.21.75:80
Flows TCP: 192.168.1.1:1054 ➝ 184.168.221.54:80
Flows TCP: 192.168.1.1:1055 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1056 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1057 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1058 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1059 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1060 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1061 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1062 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1063 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1064 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1065 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1066 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1067 ➝ 216.239.138.86:80
Flows TCP: 192.168.1.1:1068 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1069 ➝ 217.160.193.90:80
Flows TCP: 192.168.1.1:1070 ➝ 220.124.143.32:80
Flows TCP: 192.168.1.1:1071 ➝ 82.165.21.75:80
Flows TCP: 192.168.1.1:1072 ➝ 184.168.221.54:80