Analysis Date: 2016-02-13 05:29:27
MD5: e56f63e7ba3fa57a38afb770ffd30ebc
SHA1: 346003a1fff9bc1e45c9ba561f44da17e02b7eaa

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: adf3996505bdf3e197d64d5f63f297e2 sha1: 75a864e7ccf115a23330dcb33408baaca718fd96 size: 533504
Section .rdata: md5: f1704c30688a25d13888fcbdb56c4ab7 sha1: 9f77d3064a91e25af5f9b7864843bd35be0a0f2c size: 25600
Section .data: md5: fa5a31199bd47081ddbe35f92c108ba0 sha1: 39c345b2914e5d0a2b5d57b79d8c45d56c29fafc size: 19968
Section .reloc: md5: 31bed35bac70a14aae07cc1e28b2c229 sha1: e0039276ec29618360d363f2ab3f78d539659e83 size: 39936
Timestamp: 2014-05-11 05:30:44
Packer: Microsoft Visual C++ 8
PEhash: 45da6df9529e9ad1be0e66e903f4d853aad78534
IMPhash: a95c009cf1b65403c836c2dfdaaaf00d
AV CA (E-Trust Ino): Gen:Variant.Razy.13928
AV F-Secure: Gen:Variant.Razy.13928
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Razy.13928
AV BullGuard: Gen:Variant.Razy.13928
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.SwizzorGen.Win32.1
AV Ikarus: Trojan.Bayrob
AV Frisk (f-prot): W32/Nivdort.E.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.13928
AV Authentium: W32/Nivdort.E.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Razy.13928
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV K7: Trojan ( 004dc2a31 )
AV BitDefender: Gen:Variant.Razy.13928
AV Fortinet: W32/Bayrob.BM!tr
AV Symantec: No Virus
AV Grisoft (avg): Generic37.AMGU
AV Eset (nod32): Win32/Bayrob.BM
AV Alwil (avast): Win32:Malware-gen
AV Rising: No Virus
AV Ad-Aware: Gen:Variant.Razy.13928
AV Twister: W32.Toolbar.CrossRider.AE.lfcr.mg
AV Avira (antivir): TR/Taranis.2165
AV Mcafee: Trojan-FHSQ!E56F63E7BA3F

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\tkencelyh\ywmwomx
Creates File: C:\WINDOWS\tkencelyh\ywmwomx
Creates File: C:\tkencelyh\rf1kianxqjuuqc.exe
Deletes File: C:\WINDOWS\tkencelyh\ywmwomx
Creates Process: C:\tkencelyh\rf1kianxqjuuqc.exe

Process
↳ C:\tkencelyh\rf1kianxqjuuqc.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Link Wired Server Logs Collector Adaptive ➝ C:\tkencelyh\yxrucuaqbx.exe
Creates File: C:\tkencelyh\ywmwomx
Creates File: C:\tkencelyh\yxrucuaqbx.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\tkencelyh\ywmwomx
Creates File: C:\tkencelyh\bniqopyfri
Deletes File: C:\WINDOWS\tkencelyh\ywmwomx
Creates Process: C:\tkencelyh\yxrucuaqbx.exe
Creates Service: UPnP Profile Desktop DLL Base Tunneling Group - C:\tkencelyh\yxrucuaqbx.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1848

Process
↳ Pid 1164

Process
↳ C:\tkencelyh\yxrucuaqbx.exe

Creates File: C:\tkencelyh\ywmwomx
Creates File: pipe\net\NtControlPipe10
Creates File: C:\tkencelyh\qlektxc
Creates File: C:\tkencelyh\yizdlrthrdt.exe
Creates File: C:\WINDOWS\tkencelyh\ywmwomx
Creates File: \Device\Afd\Endpoint
Creates File: C:\tkencelyh\bniqopyfri
Deletes File: C:\WINDOWS\tkencelyh\ywmwomx
Creates Process: vfdugktmbnuy "c:\tkencelyh\yxrucuaqbx.exe"

Process
↳ C:\tkencelyh\yxrucuaqbx.exe

Creates File: C:\tkencelyh\ywmwomx
Creates File: C:\WINDOWS\tkencelyh\ywmwomx
Deletes File: C:\WINDOWS\tkencelyh\ywmwomx

Process
↳ vfdugktmbnuy "c:\tkencelyh\yxrucuaqbx.exe"

Creates File: C:\tkencelyh\ywmwomx
Creates File: C:\WINDOWS\tkencelyh\ywmwomx
Deletes File: C:\WINDOWS\tkencelyh\ywmwomx

Network Details:

HTTP GET: http://laughcountry.net/index.php
User-Agent:
HTTP GET: http://simplepower.net/index.php
User-Agent:
HTTP GET: http://motherpower.net/index.php
User-Agent:
HTTP GET: http://mothercountry.net/index.php
User-Agent:
HTTP GET: http://mountaincentury.net/index.php
User-Agent:
HTTP GET: http://mountainpower.net/index.php
User-Agent:
HTTP GET: http://mountaincountry.net/index.php
User-Agent:
HTTP GET: http://laughletter.net/index.php
User-Agent:
HTTP GET: http://perhapsdifferent.net/index.php
User-Agent:
HTTP GET: http://subjectsurprise.net/index.php
User-Agent:
HTTP GET: http://sweetsurprise.net/index.php
User-Agent:
HTTP GET: http://doctoropinion.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 195.22.28.199:80
Flows TCP: 192.168.1.1:1032 ➝ 50.63.202.27:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.226.14:80
Flows TCP: 192.168.1.1:1034 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1035 ➝ 195.22.28.196:80
Flows TCP: 192.168.1.1:1036 ➝ 52.0.96.24:80
Flows TCP: 192.168.1.1:1037 ➝ 75.119.220.11:80
Flows TCP: 192.168.1.1:1038 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1039 ➝ 195.22.28.197:80
Flows TCP: 192.168.1.1:1040 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1041 ➝ 141.8.225.124:80
Flows TCP: 192.168.1.1:1042 ➝ 103.48.83.103:80

Raw Pcap

Strings