Analysis Date: 2016-02-23 21:30:00
MD5: e9dad40b0f83089628eabcd2d9cde25f
SHA1: 329cca1f1ac772c842480c914131893fce511268

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: d1decdc72b74f295444b8c7dc20c4d41 sha1: ea024b2a512511395d42bf4251cb39ce70423069 size: 1722880
Section .rdata: md5: b39b78e6a7f241f437e7211fd6ac52b3 sha1: 5a86fbbc8d1916a41a09316b64c4f241d9edd4e7 size: 491008
Section .data: md5: 9b02028aa8809aa8515a9389a91e05ed sha1: 6fc252a83b7582dfb0f7b2bb6eda5214681b5601 size: 11264
Section .reloc: md5: 1feed9879ae4d1c4f42cfae181684021 sha1: 452511a2718f41730f8bd673ebc0e0b931e23b01 size: 217088
Timestamp: 2015-07-21 04:45:27
Packer: Microsoft Visual C++ 8
PEhash: d1333ef0ffd7678f56d6e7817a11a6d19a21baa8
IMPhash: f0865712a8c9f82f378cfd5fd667c344
AV CA (E-Trust Ino): Gen:Variant.Kazy.687527
AV Rising: No Virus
AV McAfee: Trojan-FHOH!E9DAD40B0F83
AV Avira (antivir): TR/Nivdort.A.35892
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Kazy.687527
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): Win32/Bayrob.R
AV Grisoft (avg): Win32/Cryptor
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.BM!tr
AV BitDefender: Gen:Variant.Kazy.687527
AV K7: Trojan ( 004da8bd1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.CD
AV MicroWorld (escan): Gen:Variant.Kazy.687527
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.J.gen!Eldorado
AV Emsisoft: Gen:Variant.Kazy.687527
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Gen:Variant.Kazy.687527
AV Arcabit (arcavir): Gen:Variant.Kazy.687527
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Kazy.687527

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\tb91ohh1mppjxoxsidtwc.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\tb91ohh1mppjxoxsidtwc.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\tb91ohh1mppjxoxsidtwc.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\UPnP Grouping HomeGroup Group Scheduler ➝ C:\WINDOWS\system32\phxpatgggm.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\etc
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\tst
Creates File: C:\WINDOWS\system32\phxpatgggm.exe
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\phxpatgggm.exe
Creates Service: Configuration Host Authentication - C:\WINDOWS\system32\phxpatgggm.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1116

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1868

Process
↳ Pid 1144

Process
↳ C:\WINDOWS\system32\phxpatgggm.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\bzpyrhklbv.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\tst
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\run
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\lck
Creates File: C:\WINDOWS\TEMP\tb91ohh1ue6jxo.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\cfg
Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\rng
Creates Process: WATCHDOGPROC "c:\windows\system32\phxpatgggm.exe"
Creates Process: C:\WINDOWS\TEMP\tb91ohh1ue6jxo.exe -r 46261 tcp

Process
↳ C:\WINDOWS\system32\phxpatgggm.exe

Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\phxpatgggm.exe"

Creates File: C:\WINDOWS\system32\ayqxfvkzalgrdk\tst

Process
↳ C:\WINDOWS\TEMP\tb91ohh1ue6jxo.exe -r 46261 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: takegrow.net (Type: A) ➝ 208.91.197.241
DNS: riddenstorm.net (Type: A) ➝ 66.147.240.171
DNS: destroystorm.net (Type: A) ➝ 216.239.138.86
DNS: naildeep.com (Type: A) ➝ 74.220.215.218
DNS: learnteach.net (Type: A) ➝ 216.239.34.21
DNS: learnteach.net (Type: A) ➝ 216.239.32.21
DNS: learnteach.net (Type: A) ➝ 216.239.38.21
DNS: learnteach.net (Type: A) ➝ 216.239.36.21
DNS: yourmark.net (Type: A) ➝ 162.242.249.192
DNS: yournews.net (Type: A) ➝ 31.193.140.221
DNS: lrstnstate.net (Type: A) ➝ 195.22.28.197
DNS: lrstnstate.net (Type: A) ➝ 195.22.28.196
DNS: lrstnstate.net (Type: A) ➝ 195.22.28.199
DNS: lrstnstate.net (Type: A) ➝ 195.22.28.198
DNS: viewstate.net (Type: A) ➝ 141.8.224.239
DNS: viewmark.net (Type: A) ➝ 203.189.109.246
DNS: lrstnnews.net (Type: A) ➝ 208.100.26.234
DNS: viewnews.net (Type: A) ➝ 188.165.91.212
DNS: plantnews.net (Type: A) ➝ 184.168.47.225
DNS: maryvonneoliverson.net (Type: A)
DNS: rooseveltalexander.net (Type: A)
DNS: yourteach.net (Type: A)
DNS: triesgrave.net (Type: A)
DNS: yourgrave.net (Type: A)
DNS: lrstnusual.net (Type: A)
DNS: viewusual.net (Type: A)
DNS: lrstncould.net (Type: A)
DNS: viewcould.net (Type: A)
DNS: lrstnteach.net (Type: A)
DNS: viewteach.net (Type: A)
DNS: lrstngrave.net (Type: A)
DNS: viewgrave.net (Type: A)
DNS: plantusual.net (Type: A)
DNS: fillusual.net (Type: A)
DNS: plantcould.net (Type: A)
DNS: fillcould.net (Type: A)
DNS: plantteach.net (Type: A)
DNS: fillteach.net (Type: A)
DNS: plantgrave.net (Type: A)
DNS: fillgrave.net (Type: A)
DNS: senseusual.net (Type: A)
DNS: learnusual.net (Type: A)
DNS: sensecould.net (Type: A)
DNS: learncould.net (Type: A)
DNS: senseteach.net (Type: A)
DNS: sensegrave.net (Type: A)
DNS: learngrave.net (Type: A)
DNS: toreusual.net (Type: A)
DNS: fallusual.net (Type: A)
DNS: torecould.net (Type: A)
DNS: fallcould.net (Type: A)
DNS: toreteach.net (Type: A)
DNS: fallteach.net (Type: A)
DNS: toregrave.net (Type: A)
DNS: fallgrave.net (Type: A)
DNS: weekusual.net (Type: A)
DNS: veryusual.net (Type: A)
DNS: weekcould.net (Type: A)
DNS: verycould.net (Type: A)
DNS: weekteach.net (Type: A)
DNS: veryteach.net (Type: A)
DNS: weekgrave.net (Type: A)
DNS: verygrave.net (Type: A)
DNS: pieceusual.net (Type: A)
DNS: muchusual.net (Type: A)
DNS: piececould.net (Type: A)
DNS: muchcould.net (Type: A)
DNS: pieceteach.net (Type: A)
DNS: muchteach.net (Type: A)
DNS: piecegrave.net (Type: A)
DNS: muchgrave.net (Type: A)
DNS: waitusual.net (Type: A)
DNS: takeusual.net (Type: A)
DNS: waitcould.net (Type: A)
DNS: takecould.net (Type: A)
DNS: waitteach.net (Type: A)
DNS: taketeach.net (Type: A)
DNS: waitgrave.net (Type: A)
DNS: takegrave.net (Type: A)
DNS: triesstate.net (Type: A)
DNS: yourstate.net (Type: A)
DNS: triesbroke.net (Type: A)
DNS: yourbroke.net (Type: A)
DNS: triesmark.net (Type: A)
DNS: triesnews.net (Type: A)
DNS: lrstnbroke.net (Type: A)
DNS: viewbroke.net (Type: A)
DNS: lrstnmark.net (Type: A)
DNS: plantstate.net (Type: A)
DNS: fillstate.net (Type: A)
DNS: plantbroke.net (Type: A)
DNS: fillbroke.net (Type: A)
DNS: plantmark.net (Type: A)
DNS: fillmark.net (Type: A)
DNS: fillnews.net (Type: A)
DNS: sensestate.net (Type: A)
DNS: learnstate.net (Type: A)
HTTP GET: http://takegrow.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://riddenstorm.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://destroystorm.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://learnteach.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://yourmark.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://yournews.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://lrstnstate.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://viewstate.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://viewmark.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://lrstnnews.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://viewnews.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://plantnews.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://takegrow.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://riddenstorm.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://destroystorm.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://learnteach.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://yourmark.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://yournews.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://lrstnstate.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://viewstate.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://viewmark.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://lrstnnews.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://viewnews.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
HTTP GET: http://plantnews.net/index.php?method=validate&mode=sox&v=051&sox=3b5d7801&lenhdr
  User-Agent:
Flows TCP: 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1038 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1039 ➝ 216.239.138.86:80
Flows TCP: 192.168.1.1:1040 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1041 ➝ 216.239.34.21:80
Flows TCP: 192.168.1.1:1042 ➝ 162.242.249.192:80
Flows TCP: 192.168.1.1:1043 ➝ 31.193.140.221:80
Flows TCP: 192.168.1.1:1044 ➝ 195.22.28.197:80
Flows TCP: 192.168.1.1:1045 ➝ 141.8.224.239:80
Flows TCP: 192.168.1.1:1046 ➝ 203.189.109.246:80
Flows TCP: 192.168.1.1:1047 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1048 ➝ 188.165.91.212:80
Flows TCP: 192.168.1.1:1049 ➝ 184.168.47.225:80
Flows TCP: 192.168.1.1:1050 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1051 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1052 ➝ 216.239.138.86:80
Flows TCP: 192.168.1.1:1053 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1054 ➝ 216.239.34.21:80
Flows TCP: 192.168.1.1:1055 ➝ 162.242.249.192:80
Flows TCP: 192.168.1.1:1056 ➝ 31.193.140.221:80
Flows TCP: 192.168.1.1:1057 ➝ 195.22.28.197:80
Flows TCP: 192.168.1.1:1058 ➝ 141.8.224.239:80
Flows TCP: 192.168.1.1:1059 ➝ 203.189.109.246:80
Flows TCP: 192.168.1.1:1060 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1061 ➝ 188.165.91.212:80
Flows TCP: 192.168.1.1:1062 ➝ 184.168.47.225:80