Analysis Date: 2016-01-28 10:45:53
MD5: d917068c697e11cfbbe2212dd9b76f58
SHA1: 35c255dcf01d4861775a9233c9d2b4700d9f2881

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: e85c08dea1d93e24dcea4e9a13c9e231 sha1: 1ededf8210b6524da51e3cd6054609427d43c119 size: 1108480
Section .rdata: md5: 2abbd1ec358b6b9bff278b75fc152a48 sha1: a113c7f250d4e11e436333567d5c29f5cddd09a6 size: 304640
Section .data: md5: 825b5f2258d83db28d042d6f12414c6e sha1: b88564d607c53bcc2dcb84d1518b549b67b8d58b size: 3072
Section .reloc: md5: 870b8f358fa3bf134c418d3ab87a43ea sha1: 26c1805afe656ea0926d7e553b723434f1227c9b size: 140288
Timestamp: 2015-08-30 16:20:58
Packer: Microsoft Visual C++ ?.?
PEhash: 916c92a01da1f948a9e03b01af36f1db796f0e77
IMPhash: 86231a6755c3f39cbf5b71f7158b78e0
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): TR/Nivdort.A.31697
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Kazy.794416
AV Alwil (avast): No Virus
AV Eset (nod32): Win32/Bayrob.BK
AV Grisoft (avg): Generic37.AEDB
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.AT!tr
AV BitDefender: Gen:Variant.Kazy.794416
AV K7: Trojan ( 004da8bd1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DF
AV MicroWorld (escan): No Virus
AV MalwareBytes: No Virus
AV Authentium: No Virus
AV Frisk (f-prot): No Virus
AV Ikarus: No Virus
AV Emsisoft: Gen:Variant.Kazy.794416
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Gen:Variant.Kazy.794416
AV Arcabit (arcavir): Gen:Variant.Kazy.794416
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Kazy.794416
AV CA (E-Trust Ino): No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\igaoudyxt\tst
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\wijnqmiqwwcgjxx1duibtsos.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\wijnqmiqwwcgjxx1duibtsos.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\wijnqmiqwwcgjxx1duibtsos.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Tracking Problem Identity Defender Offline Player ➝ C:\WINDOWS\system32\nvjjvrhycr.exe
Creates File: C:\WINDOWS\system32\nvjjvrhycr.exe
Creates File: C:\WINDOWS\system32\igaoudyxt\tst
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\igaoudyxt\lck
Creates Process: C:\WINDOWS\system32\nvjjvrhycr.exe
Creates Service: Bluetooth Acquisition Firewall Telephony Socket - C:\WINDOWS\system32\nvjjvrhycr.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1860

Process
↳ Pid 1188

Process
↳ C:\WINDOWS\system32\nvjjvrhycr.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\igaoudyxt\rng
Creates File: C:\WINDOWS\system32\igaoudyxt\cfg
Creates File: C:\WINDOWS\system32\igaoudyxt\run
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\igaoudyxt\tst
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\wijnqmiq5iqhpkx1du.exe
Creates File: C:\WINDOWS\system32\igaoudyxt\lck
Creates File: C:\WINDOWS\system32\cbmcpvtfrl.exe
Creates Process: C:\WINDOWS\TEMP\wijnqmiq5iqhpkx1du.exe -r 42150 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\nvjjvrhycr.exe"

Process
↳ C:\WINDOWS\system32\nvjjvrhycr.exe

Creates File: C:\WINDOWS\system32\igaoudyxt\tst
Creates File: PIPE\lsarpc

Process
↳ c:\windows\system32\nvjjvrhycr.exe

Creates File: C:\WINDOWS\system32\igaoudyxt\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\nvjjvrhycr.exe"

Creates File: C:\WINDOWS\system32\igaoudyxt\tst
Creates Process: c:\windows\system32\nvjjvrhycr.exe

Process
↳ C:\WINDOWS\TEMP\wijnqmiq5iqhpkx1du.exe -r 42150 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: doubleobject.net (A) ➝ 69.195.124.153
DNS: brokenthird.net (A) ➝ 74.220.215.249
DNS: riddenstorm.net (A) ➝ 66.147.240.171
DNS: gentleangry.net (A) ➝ 98.139.135.129
DNS: simonettedwerryhouse.net (A) ➝ 98.139.135.129
DNS: morningduring.net (A) ➝ 98.139.135.129
DNS: wifeabout.net (A) ➝ 98.139.135.129
DNS: casestep.net (A) ➝ 98.139.135.129
DNS: westboat.net (A) ➝ 213.186.33.104
DNS: westrest.net (A) ➝ 208.100.26.234
DNS: leadpress.net (A) ➝ 98.124.199.4
DNS: mightspecial.net (A)
DNS: dulcibellamartinson.net (A)
DNS: mariabellabotwright.net (A)
DNS: simonettesherisse.net (A)
DNS: decidebetween.net (A)
DNS: aloneneighbor.net (A)
DNS: gwendolynhuddleston.net (A)
DNS: seasonstrong.net (A)
DNS: oftensurprise.net (A)
DNS: chiefanother.net (A)
DNS: westkind.net (A)
DNS: tablewild.net (A)
DNS: leadwild.net (A)
DNS: tablejune.net (A)
DNS: leadjune.net (A)
DNS: tablebegan.net (A)
DNS: leadbegan.net (A)
DNS: tablekind.net (A)
DNS: leadkind.net (A)
DNS: pointwild.net (A)
DNS: callwild.net (A)
DNS: pointjune.net (A)
DNS: calljune.net (A)
DNS: pointbegan.net (A)
DNS: callbegan.net (A)
DNS: pointkind.net (A)
DNS: callkind.net (A)
DNS: nonewild.net (A)
DNS: liarwild.net (A)
DNS: nonejune.net (A)
DNS: liarjune.net (A)
DNS: nonebegan.net (A)
DNS: liarbegan.net (A)
DNS: nonekind.net (A)
DNS: liarkind.net (A)
DNS: wellwild.net (A)
DNS: nosewild.net (A)
DNS: welljune.net (A)
DNS: nosejune.net (A)
DNS: wellbegan.net (A)
DNS: nosebegan.net (A)
DNS: wellkind.net (A)
DNS: nosekind.net (A)
DNS: ringwild.net (A)
DNS: favorwild.net (A)
DNS: ringjune.net (A)
DNS: favorjune.net (A)
DNS: ringbegan.net (A)
DNS: favorbegan.net (A)
DNS: ringkind.net (A)
DNS: favorkind.net (A)
DNS: sorryboat.net (A)
DNS: fiftyboat.net (A)
DNS: sorrypress.net (A)
DNS: fiftypress.net (A)
DNS: sorryrest.net (A)
DNS: fiftyrest.net (A)
DNS: sorryopen.net (A)
DNS: fiftyopen.net (A)
DNS: theirboat.net (A)
DNS: likrboat.net (A)
DNS: theirpress.net (A)
DNS: likrpress.net (A)
DNS: theirrest.net (A)
DNS: likrrest.net (A)
DNS: theiropen.net (A)
DNS: likropen.net (A)
DNS: fearboat.net (A)
DNS: fearpress.net (A)
DNS: westpress.net (A)
DNS: fearrest.net (A)
DNS: fearopen.net (A)
DNS: westopen.net (A)
DNS: tableboat.net (A)
DNS: leadboat.net (A)
DNS: tablepress.net (A)
DNS: tablerest.net (A)
DNS: leadrest.net (A)
DNS: tableopen.net (A)
DNS: leadopen.net (A)
DNS: pointboat.net (A)
DNS: callboat.net (A)
DNS: pointpress.net (A)
HTTP GET: http://doubleobject.net/index.php
User-Agent:
HTTP GET: http://brokenthird.net/index.php
User-Agent:
HTTP GET: http://riddenstorm.net/index.php
User-Agent:
HTTP GET: http://gentleangry.net/index.php
User-Agent:
HTTP GET: http://simonettedwerryhouse.net/index.php
User-Agent:
HTTP GET: http://morningduring.net/index.php
User-Agent:
HTTP GET: http://wifeabout.net/index.php
User-Agent:
HTTP GET: http://casestep.net/index.php
User-Agent:
HTTP GET: http://westboat.net/index.php
User-Agent:
HTTP GET: http://westrest.net/index.php
User-Agent:
HTTP GET: http://leadpress.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 69.195.124.153:80
Flows TCP: 192.168.1.1:1037 ➝ 74.220.215.249:80
Flows TCP: 192.168.1.1:1038 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1040 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1041 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1042 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1043 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1044 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1045 ➝ 213.186.33.104:80
Flows TCP: 192.168.1.1:1046 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1047 ➝ 98.124.199.4:80