Analysis Date: 2015-07-27 10:22:52
MD5: 32ca5aaee6ced092d1254d539acd3915
SHA1: 320f8a859ffecd222307a9ea9dc395225cadecc1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: cd9c07dca29740e23d81d3786e3f1ee0 sha1: 4d0de2b4e175b3d7257a031d3966f72d4d998a87 size: 346624
Section .rdata: md5: 460b2e38f1ff8be865f334ee6103c3ba sha1: 8f38bf855c01a7e5f63aa3836f8611713f31a3d4 size: 67072
Section .data: md5: 7a118a50329b45fe537d803d4f7b3897 sha1: c334b08f0fb2dc2be5bfa9edd28b191c269819eb size: 7168
Section .reloc: md5: a7e7470ec628fd6045ce1ab94198f615 sha1: 617af87b4b285fb1ed43f731e45b672d37783785 size: 31232
Timestamp: 2015-05-08 07:32:33
Packer: Microsoft Visual C++ 8
PEhash: 51384e8499f4b92d9d16ce3d7aa5433aeba1a106
IMPhash: 683c826c3052b9100b5f247ba83c2138
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.609631
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: Win.Trojan.Kazy-1800
AV Arcabit (arcavir): Gen:Variant.Kazy.609631
AV BullGuard: Gen:Variant.Kazy.609631
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: TROJ_BAYROB.SM0
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.609631
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.R2.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.609631
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AF
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Kazy.609631
AV Fortinet: W32/Bayrob.T!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.V.gen
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Kazy.609631
AV Rising: Trojan.Win32.Bayrod.a
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.Xpack.265428
AV Mcafee: Trojan-FGIJ!32CA5AAEE6CE

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\jwkdyjk\cjdsogvvr
Creates File: C:\jwkdyjk\zck1l9mgclaeozleha.exe
Creates File: C:\WINDOWS\jwkdyjk\cjdsogvvr
Deletes File: C:\WINDOWS\jwkdyjk\cjdsogvvr
Creates Process: C:\jwkdyjk\zck1l9mgclaeozleha.exe

Process
↳ C:\jwkdyjk\zck1l9mgclaeozleha.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Files Secondary Program Health Bus ➝ C:\jwkdyjk\rjlzotylvgg.exe
Creates File: C:\jwkdyjk\rjlzotylvgg.exe
Creates File: C:\jwkdyjk\cjdsogvvr
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\jwkdyjk\cjdsogvvr
Creates File: C:\jwkdyjk\hmlh5esmf
Deletes File: C:\WINDOWS\jwkdyjk\cjdsogvvr
Creates Process: C:\jwkdyjk\rjlzotylvgg.exe
Creates Service: Block Function Solutions Player - C:\jwkdyjk\rjlzotylvgg.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1104

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1148

Process
↳ C:\jwkdyjk\rjlzotylvgg.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\jwkdyjk\edvuevgayni
Creates File: C:\jwkdyjk\cjdsogvvr
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\jwkdyjk\cjdsogvvr
Creates File: C:\jwkdyjk\jerdyhzhe.exe
Creates File: C:\jwkdyjk\hmlh5esmf
Deletes File: C:\WINDOWS\jwkdyjk\cjdsogvvr
Creates Process: zgflkyvwmild "c:\jwkdyjk\rjlzotylvgg.exe"

Process
↳ C:\jwkdyjk\rjlzotylvgg.exe

Creates File: C:\jwkdyjk\cjdsogvvr
Creates File: C:\WINDOWS\jwkdyjk\cjdsogvvr
Deletes File: C:\WINDOWS\jwkdyjk\cjdsogvvr

Process
↳ zgflkyvwmild "c:\jwkdyjk\rjlzotylvgg.exe"

Creates File: C:\jwkdyjk\cjdsogvvr
Creates File: C:\WINDOWS\jwkdyjk\cjdsogvvr
Deletes File: C:\WINDOWS\jwkdyjk\cjdsogvvr

Network Details:

DNS: sweetfancy.net (Type: A) ➝ 184.168.221.40
DNS: sweetfriend.net (Type: A) ➝ 66.96.147.156
DNS: materialconsider.net (Type: A) ➝ 208.91.197.241
DNS: simplesafety.net (Type: A) ➝ 199.59.82.80
DNS: mountainsafety.net (Type: A) ➝ 184.168.221.12
DNS: possiblesafety.net (Type: A) ➝ 95.211.230.75
DNS: windowsafety.net (Type: A) ➝ 184.168.221.55
DNS: sweetsmell.net (Type: A) ➝ 176.34.234.43, 46.137.81.225, 54.75.225.111, 54.246.118.68, 54.246.123.138, 79.125.109.53
DNS: subjectfancy.net (Type: A)
DNS: winterconsider.net (Type: A)
DNS: subjectconsider.net (Type: A)
DNS: winterfriend.net (Type: A)
DNS: subjectfriend.net (Type: A)
DNS: finishlaughter.net (Type: A)
DNS: leavelaughter.net (Type: A)
DNS: finishfancy.net (Type: A)
DNS: leavefancy.net (Type: A)
DNS: finishconsider.net (Type: A)
DNS: leaveconsider.net (Type: A)
DNS: finishfriend.net (Type: A)
DNS: leavefriend.net (Type: A)
DNS: sweetlaughter.net (Type: A)
DNS: probablylaughter.net (Type: A)
DNS: probablyfancy.net (Type: A)
DNS: sweetconsider.net (Type: A)
DNS: probablyconsider.net (Type: A)
DNS: probablyfriend.net (Type: A)
DNS: severallaughter.net (Type: A)
DNS: materiallaughter.net (Type: A)
DNS: severalfancy.net (Type: A)
DNS: materialfancy.net (Type: A)
DNS: severalconsider.net (Type: A)
DNS: severalfriend.net (Type: A)
DNS: materialfriend.net (Type: A)
DNS: severasmell.net (Type: A)
DNS: laughsmell.net (Type: A)
DNS: severaearly.net (Type: A)
DNS: laughearly.net (Type: A)
DNS: severasafety.net (Type: A)
DNS: laughsafety.net (Type: A)
DNS: severafuture.net (Type: A)
DNS: laughfuture.net (Type: A)
DNS: simplesmell.net (Type: A)
DNS: mothersmell.net (Type: A)
DNS: simpleearly.net (Type: A)
DNS: motherearly.net (Type: A)
DNS: mothersafety.net (Type: A)
DNS: simplefuture.net (Type: A)
DNS: motherfuture.net (Type: A)
DNS: mountainsmell.net (Type: A)
DNS: possiblesmell.net (Type: A)
DNS: mountainearly.net (Type: A)
DNS: possibleearly.net (Type: A)
DNS: mountainfuture.net (Type: A)
DNS: possiblefuture.net (Type: A)
DNS: perhapssmell.net (Type: A)
DNS: windowsmell.net (Type: A)
DNS: perhapsearly.net (Type: A)
DNS: windowearly.net (Type: A)
DNS: perhapssafety.net (Type: A)
DNS: perhapsfuture.net (Type: A)
DNS: windowfuture.net (Type: A)
DNS: wintersmell.net (Type: A)
DNS: subjectsmell.net (Type: A)
DNS: winterearly.net (Type: A)
DNS: subjectearly.net (Type: A)
DNS: wintersafety.net (Type: A)
DNS: subjectsafety.net (Type: A)
DNS: winterfuture.net (Type: A)
DNS: subjectfuture.net (Type: A)
DNS: finishsmell.net (Type: A)
DNS: leavesmell.net (Type: A)
DNS: finishearly.net (Type: A)
DNS: leaveearly.net (Type: A)
DNS: finishsafety.net (Type: A)
DNS: leavesafety.net (Type: A)
DNS: finishfuture.net (Type: A)
DNS: leavefuture.net (Type: A)
DNS: probablysmell.net (Type: A)
DNS: sweetearly.net (Type: A)
DNS: probablyearly.net (Type: A)
DNS: sweetsafety.net (Type: A)
DNS: probablysafety.net (Type: A)
DNS: sweetfuture.net (Type: A)
DNS: probablyfuture.net (Type: A)
HTTP GET: http://sweetfancy.net/index.php (User-Agent: empty)
HTTP GET: http://sweetfriend.net/index.php (User-Agent: empty)
HTTP GET: http://materialconsider.net/index.php (User-Agent: empty)
HTTP GET: http://simplesafety.net/index.php (User-Agent: empty)
HTTP GET: http://mountainsafety.net/index.php (User-Agent: empty)
HTTP GET: http://possiblesafety.net/index.php (User-Agent: empty)
HTTP GET: http://windowsafety.net/index.php (User-Agent: empty)
HTTP GET: http://sweetsmell.net/index.php (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 184.168.221.40:80
Flows TCP: 192.168.1.1:1032 ➝ 66.96.147.156:80
Flows TCP: 192.168.1.1:1033 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1034 ➝ 199.59.82.80:80
Flows TCP: 192.168.1.1:1035 ➝ 184.168.221.12:80
Flows TCP: 192.168.1.1:1036 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1037 ➝ 184.168.221.55:80
Flows TCP: 192.168.1.1:1038 ➝ 176.34.234.43:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   77656574 66616e63 792e6e65 740d0a0d   weetfancy.net...
0x00000050 (00080)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   77656574 66726965 6e642e6e 65740d0a   weetfriend.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   61746572 69616c63 6f6e7369 6465722e   aterialconsider.
0x00000050 (00080)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   696d706c 65736166 6574792e 6e65740d   implesafety.net.
0x00000050 (00080)   0a0d0a0d 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f756e74 61696e73 61666574 792e6e65   ountainsafety.ne
0x00000050 (00080)   740d0a0d 0a0d0a                       t......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   6f737369 626c6573 61666574 792e6e65   ossiblesafety.ne
0x00000050 (00080)   740d0a0d 0a0d0a                       t......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   696e646f 77736166 6574792e 6e65740d   indowsafety.net.
0x00000050 (00080)   0a0d0a0d 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   77656574 736d656c 6c2e6e65 740d0a0d   weetsmell.net...
0x00000050 (00080)   0a0d0a0d 0a0d0a                       .......

Strings