Analysis Date | 2015-11-14 06:58:59 |
---|---|
MD5 | 9b85b05219dd320c6f803f0abd0b15bc |
SHA1 | 2cce4f33779cab0c47319a8f665cec6cbe7d50b1 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: eb8579d2c45415b664955f5aaa34ddda sha1: 2c53826f7453e633006399026e458030530e377e size: 1377280 | |
Section | .rdata md5: 5852ab442cb73ad1db73bfd7943db8bd sha1: 99fb1b11fa28110baf88c3ae118323829e28f802 size: 353280 | |
Section | .data md5: 896c9a4a511b07386eeab83be423e63a sha1: 3802fd882ba49a7fea8f52503de160104cbae559 size: 8192 | |
Section | .reloc md5: 73fa7df470923d0587e218a7f3074256 sha1: 2ca412b6db34c67ebf00d23e322126efe33c8ddd size: 192512 | |
Timestamp | 2015-05-11 04:49:31 | |
Packer | VC8 -> Microsoft Corporation | |
PEhash | ec8592a9bafca47161509314aae3282f186248a3 | |
IMPhash | 1ba206b635d9d206146e8b46be926a5a | |
AV | Rising | no_virus |
AV | Mcafee | Trojan-FGIJ!9B85B05219DD |
AV | Avira (antivir) | no_virus |
AV | Twister | no_virus |
AV | Ad-Aware | Gen:Variant.Zusy.141331 |
AV | Alwil (avast) | Dropper-OJQ [Drp] |
AV | Eset (nod32) | Win32/Bayrob.Y |
AV | Grisoft (avg) | Win32/Cryptor |
AV | Symantec | Downloader.Upatre!g15 |
AV | Fortinet | W32/Bayrob.X!tr |
AV | BitDefender | Gen:Variant.Zusy.141331 |
AV | K7 | Trojan ( 004c77f41 ) |
AV | Microsoft Security Essentials | no_virus |
AV | MicroWorld (escan) | Gen:Variant.Diley.1 |
AV | MalwareBytes | no_virus |
AV | Authentium | W32/SoxGrave.A.gen!Eldorado |
AV | Frisk (f-prot) | no_virus |
AV | Ikarus | Trojan.Win32.Crypt |
AV | Emsisoft | Gen:Variant.Diley.1 |
AV | Zillya! | no_virus |
AV | Kaspersky | Trojan.Win32.Generic |
AV | Trend Micro | no_virus |
AV | CAT (quickheal) | no_virus |
AV | VirusBlokAda (vba32) | no_virus |
AV | Padvish | no_virus |
AV | BullGuard | Gen:Variant.Zusy.141331 |
AV | Arcabit (arcavir) | Gen:Variant.Zusy.141331 |
AV | ClamAV | no_virus |
AV | Dr. Web | Trojan.Bayrob.5 |
AV | F-Secure | Gen:Variant.Zusy.141331 |
AV | CA (E-Trust Ino) | no_virus |
Runtime Details:
Process
↳ C:\malware.exe
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\b5yiz1102xpmtljfujjpj.exe |
---|---|
Creates File | C:\WINDOWS\system32\scztxupbixeg\tst |
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\b5yiz1102xpmtljfujjpj.exe |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\b5yiz1102xpmtljfujjpj.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Awareness Name Initiator Detection ➝ C:\WINDOWS\system32\dyajvlae.exe |
---|---|
Creates File | C:\WINDOWS\system32\scztxupbixeg\etc |
Creates File | C:\WINDOWS\system32\drivers\etc\hosts |
Creates File | C:\WINDOWS\system32\scztxupbixeg\tst |
Creates File | C:\WINDOWS\system32\dyajvlae.exe |
Creates File | C:\WINDOWS\system32\scztxupbixeg\lck |
Deletes File | C:\WINDOWS\system32\\drivers\etc\hosts |
Creates Process | C:\WINDOWS\system32\dyajvlae.exe |
Creates Service | Group Adaptive WLAN Interactive WWAN iSCSI SPP - C:\WINDOWS\system32\dyajvlae.exe |
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 800
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe
Creates File | C:\WINDOWS\Prefetch\RUNDLL32.EXE-1BC69D2D.pf |
---|---|
Creates File | C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf |
Creates File | C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf |
Creates File | C:\WINDOWS\Prefetch\2CCE4F33779CAB0C47319A8F665CE-1CBEA4D7.pf |
Creates File | C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf |
Creates File | C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf |
Creates File | C:\WINDOWS\Prefetch\B5YIZ110DFBMTL.EXE-15EC5B12.pf |
Creates File | PIPE\lsarpc |
Creates File | C:\WINDOWS\Prefetch\XUEYMKONKHO.EXE-1FCA6086.pf |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf |
Creates File | C:\WINDOWS\Prefetch\B5YIZ1102XPMTLJFUJJPJ.EXE-257FE6B3.pf |
Creates File | C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf |
Creates File | C:\WINDOWS\Prefetch\DYAJVLAE.EXE-0290AA96.pf |
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
Creates File | C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf |
Process
↳ Pid 1204
Process
↳ Pid 1292
Process
↳ Pid 1860
Process
↳ Pid 976
Process
↳ C:\WINDOWS\system32\dyajvlae.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1 |
---|---|
Creates File | C:\WINDOWS\system32\scztxupbixeg\cfg |
Creates File | C:\WINDOWS\system32\scztxupbixeg\tst |
Creates File | C:\WINDOWS\TEMP\b5yiz110dfbmtl.exe |
Creates File | C:\WINDOWS\system32\scztxupbixeg\lck |
Creates File | C:\WINDOWS\system32\xueymkonkho.exe |
Creates File | pipe\net\NtControlPipe10 |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\WINDOWS\system32\scztxupbixeg\rng |
Creates File | C:\WINDOWS\system32\scztxupbixeg\run |
Deletes File | C:\WINDOWS\TEMP\b5yiz110dfbmtl.exe |
Creates Process | WATCHDOGPROC "c:\windows\system32\dyajvlae.exe" |
Creates Process | C:\WINDOWS\TEMP\b5yiz110dfbmtl.exe -r 52543 tcp |
Process
↳ C:\WINDOWS\system32\dyajvlae.exe
Creates File | C:\WINDOWS\system32\scztxupbixeg\tst |
---|---|
Process
↳ WATCHDOGPROC "c:\windows\system32\dyajvlae.exe"
Creates File | C:\WINDOWS\system32\scztxupbixeg\tst |
---|---|
Process
↳ C:\WINDOWS\TEMP\b5yiz110dfbmtl.exe -r 52543 tcp
Creates File | \Device\Afd\Endpoint |
---|---|
Winsock DNS | 239.255.255.250 |
Network Details:
DNS | recordsoldier.net Type: A 208.91.197.241 |
---|---|
DNS | fliersurprise.net Type: A 208.91.197.241 |
DNS | historybright.net Type: A 208.91.197.241 |
DNS | chiefsoldier.net Type: A 208.91.197.241 |
DNS | classsurprise.net Type: A 208.91.197.241 |
DNS | thosecontinue.net Type: A 208.91.197.241 |
DNS | throughcontain.net Type: A 208.91.197.241 |
DNS | belongguard.net Type: A 208.91.197.241 |
DNS | maybellinethaddeus.net Type: A 208.91.197.241 |
DNS | kimberleyshavonne.net Type: A 208.91.197.241 |
DNS | naildeep.com Type: A 74.220.215.218 |
DNS | riddenstorm.net Type: A 66.147.240.171 |
DNS | destroystorm.net Type: A 216.239.138.86 |
DNS | signvoice.net Type: A 208.100.26.234 |
DNS | roomfive.net Type: A 217.160.193.90 |
DNS | roomeight.net Type: A 220.124.143.32 |
DNS | jumpfive.net Type: A 82.165.21.75 |
DNS | threefive.net Type: A 184.168.221.54 |
DNS | husbandfound.net Type: A |
DNS | leadershort.net Type: A |
DNS | eggbraker.com Type: A |
DNS | ithouneed.com Type: A |
DNS | songthey.net Type: A |
DNS | roomvoice.net Type: A |
DNS | signfive.net Type: A |
DNS | signeight.net Type: A |
DNS | roomthey.net Type: A |
DNS | signthey.net Type: A |
DNS | movevoice.net Type: A |
DNS | jumpvoice.net Type: A |
DNS | movefive.net Type: A |
DNS | moveeight.net Type: A |
DNS | jumpeight.net Type: A |
DNS | movethey.net Type: A |
DNS | jumpthey.net Type: A |
DNS | hillvoice.net Type: A |
DNS | whomvoice.net Type: A |
DNS | hillfive.net Type: A |
DNS | whomfive.net Type: A |
DNS | hilleight.net Type: A |
DNS | whomeight.net Type: A |
DNS | hillthey.net Type: A |
DNS | whomthey.net Type: A |
DNS | feltvoice.net Type: A |
DNS | lookvoice.net Type: A |
DNS | feltfive.net Type: A |
DNS | lookfive.net Type: A |
DNS | felteight.net Type: A |
DNS | lookeight.net Type: A |
DNS | feltthey.net Type: A |
DNS | lookthey.net Type: A |
DNS | threevoice.net Type: A |
DNS | lordvoice.net Type: A |
DNS | lordfive.net Type: A |
DNS | threeeight.net Type: A |
DNS | lordeight.net Type: A |
DNS | threethey.net Type: A |
DNS | lordthey.net Type: A |
DNS | drinkvoice.net Type: A |
DNS | wifevoice.net Type: A |
DNS | drinkfive.net Type: A |
DNS | wifefive.net Type: A |
DNS | drinkeight.net Type: A |
DNS | wifeeight.net Type: A |
DNS | drinkthey.net Type: A |
DNS | wifethey.net Type: A |
DNS | knowaunt.net Type: A |
DNS | ableaunt.net Type: A |
DNS | knowscene.net Type: A |
DNS | ablescene.net Type: A |
DNS | knowgreat.net Type: A |
DNS | ablegreat.net Type: A |
DNS | knowdont.net Type: A |
DNS | abledont.net Type: A |
DNS | pickaunt.net Type: A |
DNS | songaunt.net Type: A |
DNS | pickscene.net Type: A |
DNS | songscene.net Type: A |
DNS | pickgreat.net Type: A |
DNS | songgreat.net Type: A |
DNS | pickdont.net Type: A |
DNS | songdont.net Type: A |
DNS | roomaunt.net Type: A |
DNS | signaunt.net Type: A |
DNS | roomscene.net Type: A |
DNS | signscene.net Type: A |
DNS | roomgreat.net Type: A |
DNS | signgreat.net Type: A |
DNS | roomdont.net Type: A |
DNS | signdont.net Type: A |
DNS | moveaunt.net Type: A |
DNS | jumpaunt.net Type: A |
DNS | movescene.net Type: A |
DNS | jumpscene.net Type: A |
DNS | movegreat.net Type: A |
DNS | jumpgreat.net Type: A |
DNS | movedont.net Type: A |
DNS | jumpdont.net Type: A |
DNS | hillaunt.net Type: A |
DNS | whomaunt.net Type: A |
DNS | hillscene.net Type: A |
DNS | whomscene.net Type: A |
HTTP GET | http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://signvoice.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://roomfive.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://roomeight.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://jumpfive.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://threefive.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://signvoice.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://roomfive.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://roomeight.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://jumpfive.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
HTTP GET | http://threefive.net/index.php?method=validate&mode=sox&v=050&sox=4f239805&lenhdr User-Agent: |
Flows TCP | 192.168.1.1:1032 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1033 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1034 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1035 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1036 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1038 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1039 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1044 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1045 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1046 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1047 ➝ 74.220.215.218:80 |
Flows TCP | 192.168.1.1:1048 ➝ 66.147.240.171:80 |
Flows TCP | 192.168.1.1:1049 ➝ 216.239.138.86:80 |
Flows TCP | 192.168.1.1:1050 ➝ 208.100.26.234:80 |
Flows TCP | 192.168.1.1:1051 ➝ 217.160.193.90:80 |
Flows TCP | 192.168.1.1:1052 ➝ 220.124.143.32:80 |
Flows TCP | 192.168.1.1:1053 ➝ 82.165.21.75:80 |
Flows TCP | 192.168.1.1:1054 ➝ 184.168.221.54:80 |
Flows TCP | 192.168.1.1:1055 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1056 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1057 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1058 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1059 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1060 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1061 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1062 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1063 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1064 ➝ 208.91.197.241:80 |
Flows TCP | 192.168.1.1:1065 ➝ 74.220.215.218:80 |
Flows TCP | 192.168.1.1:1066 ➝ 66.147.240.171:80 |
Flows TCP | 192.168.1.1:1067 ➝ 216.239.138.86:80 |
Flows TCP | 192.168.1.1:1068 ➝ 208.100.26.234:80 |
Flows TCP | 192.168.1.1:1069 ➝ 217.160.193.90:80 |
Flows TCP | 192.168.1.1:1070 ➝ 220.124.143.32:80 |
Flows TCP | 192.168.1.1:1071 ➝ 82.165.21.75:80 |
Flows TCP | 192.168.1.1:1072 ➝ 184.168.221.54:80 |