Analysis | #totalhash

Analysis Date	2015-11-14 06:58:59
MD5	9b85b05219dd320c6f803f0abd0b15bc
SHA1	2cce4f33779cab0c47319a8f665cec6cbe7d50b1

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: eb8579d2c45415b664955f5aaa34ddda sha1: 2c53826f7453e633006399026e458030530e377e size: 1377280
Section	.rdata md5: 5852ab442cb73ad1db73bfd7943db8bd sha1: 99fb1b11fa28110baf88c3ae118323829e28f802 size: 353280
Section	.data md5: 896c9a4a511b07386eeab83be423e63a sha1: 3802fd882ba49a7fea8f52503de160104cbae559 size: 8192
Section	.reloc md5: 73fa7df470923d0587e218a7f3074256 sha1: 2ca412b6db34c67ebf00d23e322126efe33c8ddd size: 192512
Timestamp	2015-05-11 04:49:31
Packer	VC8 -> Microsoft Corporation
PEhash	ec8592a9bafca47161509314aae3282f186248a3
IMPhash	1ba206b635d9d206146e8b46be926a5a
AV	Rising	no_virus
AV	Mcafee	Trojan-FGIJ!9B85B05219DD
AV	Avira (antivir)	no_virus
AV	Twister	no_virus
AV	Ad-Aware	Gen:Variant.Zusy.141331
AV	Alwil (avast)	Dropper-OJQ [Drp]
AV	Eset (nod32)	Win32/Bayrob.Y
AV	Grisoft (avg)	Win32/Cryptor
AV	Symantec	Downloader.Upatre!g15
AV	Fortinet	W32/Bayrob.X!tr
AV	BitDefender	Gen:Variant.Zusy.141331
AV	K7	Trojan ( 004c77f41 )
AV	Microsoft Security Essentials	no_virus
AV	MicroWorld (escan)	Gen:Variant.Diley.1
AV	MalwareBytes	no_virus
AV	Authentium	W32/SoxGrave.A.gen!Eldorado
AV	Frisk (f-prot)	no_virus
AV	Ikarus	Trojan.Win32.Crypt
AV	Emsisoft	Gen:Variant.Diley.1
AV	Zillya!	no_virus
AV	Kaspersky	Trojan.Win32.Generic
AV	Trend Micro	no_virus
AV	CAT (quickheal)	no_virus
AV	VirusBlokAda (vba32)	no_virus
AV	Padvish	no_virus
AV	BullGuard	Gen:Variant.Zusy.141331
AV	Arcabit (arcavir)	Gen:Variant.Zusy.141331
AV	ClamAV	no_virus
AV	Dr. Web	Trojan.Bayrob.5
AV	F-Secure	Gen:Variant.Zusy.141331
AV	CA (E-Trust Ino)	no_virus
AV	Rising	no_virus
AV	Mcafee	Trojan-FGIJ!9B85B05219DD
AV	Avira (antivir)	no_virus
AV	Twister	no_virus
AV	Ad-Aware	Gen:Variant.Zusy.141331
AV	Alwil (avast)	Dropper-OJQ [Drp]
AV	Eset (nod32)	Win32/Bayrob.Y
AV	Grisoft (avg)	Win32/Cryptor
AV	Symantec	Downloader.Upatre!g15
AV	Fortinet	W32/Bayrob.X!tr
AV	BitDefender	Gen:Variant.Zusy.141331
AV	K7	Trojan ( 004c77f41 )
AV	Microsoft Security Essentials	no_virus
AV	MicroWorld (escan)	Gen:Variant.Diley.1
AV	MalwareBytes	no_virus
AV	Authentium	W32/SoxGrave.A.gen!Eldorado
AV	Frisk (f-prot)	no_virus
AV	Ikarus	Trojan.Win32.Crypt

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\b5yiz1102xpmtljfujjpj.exe
Creates File	C:\WINDOWS\system32\scztxupbixeg\tst
Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\b5yiz1102xpmtljfujjpj.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\b5yiz1102xpmtljfujjpj.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Awareness Name Initiator Detection ➝ C:\WINDOWS\system32\dyajvlae.exe
Creates File	C:\WINDOWS\system32\scztxupbixeg\etc
Creates File	C:\WINDOWS\system32\drivers\etc\hosts
Creates File	C:\WINDOWS\system32\scztxupbixeg\tst
Creates File	C:\WINDOWS\system32\dyajvlae.exe
Creates File	C:\WINDOWS\system32\scztxupbixeg\lck
Deletes File	C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process	C:\WINDOWS\system32\dyajvlae.exe
Creates Service	Group Adaptive WLAN Interactive WWAN iSCSI SPP - C:\WINDOWS\system32\dyajvlae.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	C:\WINDOWS\Prefetch\RUNDLL32.EXE-1BC69D2D.pf
Creates File	C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File	C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File	C:\WINDOWS\Prefetch\2CCE4F33779CAB0C47319A8F665CE-1CBEA4D7.pf
Creates File	C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File	C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File	C:\WINDOWS\Prefetch\B5YIZ110DFBMTL.EXE-15EC5B12.pf
Creates File	PIPE\lsarpc
Creates File	C:\WINDOWS\Prefetch\XUEYMKONKHO.EXE-1FCA6086.pf
Creates File	\Device\Afd\Endpoint
Creates File	C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File	C:\WINDOWS\Prefetch\B5YIZ1102XPMTLJFUJJPJ.EXE-257FE6B3.pf
Creates File	C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File	C:\WINDOWS\Prefetch\DYAJVLAE.EXE-0290AA96.pf
Creates File	C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File	C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1204

Process
↳ Pid 1292

Process
↳ Pid 1860

Process
↳ Pid 976

Process
↳ C:\WINDOWS\system32\dyajvlae.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File	C:\WINDOWS\system32\scztxupbixeg\cfg
Creates File	C:\WINDOWS\system32\scztxupbixeg\tst
Creates File	C:\WINDOWS\TEMP\b5yiz110dfbmtl.exe
Creates File	C:\WINDOWS\system32\scztxupbixeg\lck
Creates File	C:\WINDOWS\system32\xueymkonkho.exe
Creates File	pipe\net\NtControlPipe10
Creates File	\Device\Afd\Endpoint
Creates File	C:\WINDOWS\system32\scztxupbixeg\rng
Creates File	C:\WINDOWS\system32\scztxupbixeg\run
Deletes File	C:\WINDOWS\TEMP\b5yiz110dfbmtl.exe
Creates Process	WATCHDOGPROC "c:\windows\system32\dyajvlae.exe"
Creates Process	C:\WINDOWS\TEMP\b5yiz110dfbmtl.exe -r 52543 tcp

Process
↳ C:\WINDOWS\system32\dyajvlae.exe

Creates File	C:\WINDOWS\system32\scztxupbixeg\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\dyajvlae.exe"

Creates File	C:\WINDOWS\system32\scztxupbixeg\tst

Process
↳ C:\WINDOWS\TEMP\b5yiz110dfbmtl.exe -r 52543 tcp

Creates File	\Device\Afd\Endpoint
Winsock DNS	239.255.255.250

Network Details:

DNS	recordsoldier.net Type: A 208.91.197.241
DNS	fliersurprise.net Type: A 208.91.197.241
DNS	historybright.net Type: A 208.91.197.241
DNS	chiefsoldier.net Type: A 208.91.197.241
DNS	classsurprise.net Type: A 208.91.197.241
DNS	thosecontinue.net Type: A 208.91.197.241
DNS	throughcontain.net Type: A 208.91.197.241
DNS	belongguard.net Type: A 208.91.197.241
DNS	maybellinethaddeus.net Type: A 208.91.197.241
DNS	kimberleyshavonne.net Type: A 208.91.197.241
DNS	naildeep.com Type: A 74.220.215.218
DNS	riddenstorm.net Type: A 66.147.240.171
DNS	destroystorm.net Type: A 216.239.138.86
DNS	signvoice.net Type: A 208.100.26.234
DNS	roomfive.net Type: A 217.160.193.90
DNS	roomeight.net Type: A 220.124.143.32
DNS	jumpfive.net Type: A 82.165.21.75
DNS	threefive.net Type: A 184.168.221.54
DNS	husbandfound.net Type: A
DNS	leadershort.net Type: A
DNS	eggbraker.com Type: A
DNS	ithouneed.com Type: A
DNS	songthey.net Type: A
DNS	roomvoice.net Type: A
DNS	signfive.net Type: A
DNS	signeight.net Type: A
DNS	roomthey.net Type: A
DNS	signthey.net Type: A
DNS	movevoice.net Type: A
DNS	jumpvoice.net Type: A
DNS	movefive.net Type: A
DNS	moveeight.net Type: A
DNS	jumpeight.net Type: A
DNS	movethey.net Type: A
DNS	jumpthey.net Type: A
DNS	hillvoice.net Type: A
DNS	whomvoice.net Type: A
DNS	hillfive.net Type: A
DNS	whomfive.net Type: A
DNS	hilleight.net Type: A
DNS	whomeight.net Type: A
DNS	hillthey.net Type: A
DNS	whomthey.net Type: A
DNS	feltvoice.net Type: A
DNS	lookvoice.net Type: A
DNS	feltfive.net Type: A
DNS	lookfive.net Type: A
DNS	felteight.net Type: A
DNS	lookeight.net Type: A
DNS	feltthey.net Type: A
DNS	lookthey.net Type: A
DNS	threevoice.net Type: A
DNS	lordvoice.net Type: A
DNS	lordfive.net Type: A
DNS	threeeight.net Type: A
DNS	lordeight.net Type: A
DNS	threethey.net Type: A
DNS	lordthey.net Type: A
DNS	drinkvoice.net Type: A
DNS	wifevoice.net Type: A
DNS	drinkfive.net Type: A
DNS	wifefive.net Type: A
DNS	drinkeight.net Type: A
DNS	wifeeight.net Type: A
DNS	drinkthey.net Type: A
DNS	wifethey.net Type: A
DNS	knowaunt.net Type: A
DNS	ableaunt.net Type: A
DNS	knowscene.net Type: A
DNS	ablescene.net Type: A
DNS	knowgreat.net Type: A
DNS	ablegreat.net Type: A
DNS	knowdont.net Type: A
DNS	abledont.net Type: A
DNS	pickaunt.net Type: A
DNS	songaunt.net Type: A
DNS	pickscene.net Type: A
DNS	songscene.net Type: A
DNS	pickgreat.net Type: A
DNS	songgreat.net Type: A
DNS	pickdont.net Type: A
DNS	songdont.net Type: A
DNS	roomaunt.net Type: A
DNS	signaunt.net Type: A
DNS	roomscene.net Type: A
DNS	signscene.net Type: A
DNS	roomgreat.net Type: A
DNS	signgreat.net Type: A
DNS	roomdont.net Type: A
DNS	signdont.net Type: A
DNS	moveaunt.net Type: A
DNS	jumpaunt.net Type: A
DNS	movescene.net Type: A
DNS	jumpscene.net Type: A
DNS	movegreat.net Type: A
DNS	jumpgreat.net Type: A
DNS	movedont.net Type: A
DNS	jumpdont.net Type: A
DNS	hillaunt.net Type: A
DNS	whomaunt.net Type: A
DNS	hillscene.net Type: A
DNS	whomscene.net Type: A
HTTP GET	http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://signvoice.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://roomfive.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://roomeight.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://jumpfive.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://threefive.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://signvoice.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://roomfive.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://roomeight.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://jumpfive.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
HTTP GET	http://threefive.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent:
Flows TCP	192.168.1.1:1032 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1033 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1034 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1035 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1045 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1046 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1047 ➝ 74.220.215.218:80
Flows TCP	192.168.1.1:1048 ➝ 66.147.240.171:80
Flows TCP	192.168.1.1:1049 ➝ 216.239.138.86:80
Flows TCP	192.168.1.1:1050 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1051 ➝ 217.160.193.90:80
Flows TCP	192.168.1.1:1052 ➝ 220.124.143.32:80
Flows TCP	192.168.1.1:1053 ➝ 82.165.21.75:80
Flows TCP	192.168.1.1:1054 ➝ 184.168.221.54:80
Flows TCP	192.168.1.1:1055 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1056 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1057 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1058 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1059 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1060 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1061 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1062 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1063 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1064 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1065 ➝ 74.220.215.218:80
Flows TCP	192.168.1.1:1066 ➝ 66.147.240.171:80
Flows TCP	192.168.1.1:1067 ➝ 216.239.138.86:80
Flows TCP	192.168.1.1:1068 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1069 ➝ 217.160.193.90:80
Flows TCP	192.168.1.1:1070 ➝ 220.124.143.32:80
Flows TCP	192.168.1.1:1071 ➝ 82.165.21.75:80
Flows TCP	192.168.1.1:1072 ➝ 184.168.221.54:80

Raw Pcap

Strings