Analysis | #totalhash

Analysis Date	2015-08-13 04:06:11
MD5	e20282620b6697a1306eddeb329b1b5c
SHA1	3a890e2d6e92e19464a8fb3018ca93ff6bc83c13

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 9b0c279618144bc6d0d0c149b9dc087b sha1: 79015e3a5fc19cd5c56dbfff0667968b39c9383f size: 314880
Section	.rdata md5: e4ba21880eb05288536ffb19d5533fab sha1: 3e63ad6487f1ba2c2cd310dbf2c047e7be3e89f4 size: 59392
Section	.data md5: 0dc39820e00a58425adb9e032ab7c796 sha1: 8ee9e4098f8f2b1105cb752c1ab26df4cd610ed9 size: 7680
Section	.reloc md5: d8531df5f1e3b5e66a5c98e5418ceffc sha1: 2de07e9f9523df9b667452d0163f30b33818a208 size: 25600
Timestamp	2015-05-11 07:02:07
Packer	Microsoft Visual C++ 8
PEhash	88685983267e864d3c6c6e17a2c77e7d2d9ca21d
IMPhash	2af1e62de3632aa0eb070ae38a3599e0
AV	Rising	Trojan.Win32.Bayrod.b
AV	CA (E-Trust Ino)	no_virus
AV	F-Secure	Gen:Variant.Kazy.611009
AV	Dr. Web	Trojan.Bayrob.1
AV	ClamAV	no_virus
AV	Arcabit (arcavir)	Gen:Variant.Kazy.611009
AV	BullGuard	Gen:Variant.Kazy.611009
AV	Padvish	no_virus
AV	VirusBlokAda (vba32)	no_virus
AV	CAT (quickheal)	TrojanSpy.Nivdort.OD4
AV	Trend Micro	TROJ_BAYROB.SM0
AV	Kaspersky	Trojan.Win32.Generic
AV	Zillya!	no_virus
AV	Emsisoft	Gen:Variant.Kazy.611009
AV	Ikarus	Trojan.Win32.Bayrob
AV	Frisk (f-prot)	no_virus
AV	Authentium	W32/Nivdort.B.gen!Eldorado
AV	MalwareBytes	Trojan.Agent.KVTGen
AV	MicroWorld (escan)	Gen:Variant.Kazy.611009
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.AL
AV	K7	Trojan ( 004c3a4d1 )
AV	BitDefender	Gen:Variant.Kazy.611009
AV	Fortinet	W32/Bayrob.T!tr
AV	Symantec	Downloader.Upatre!g15
AV	Grisoft (avg)	Win32/Cryptor
AV	Eset (nod32)	Win32/Bayrob.W
AV	Alwil (avast)	Malware-gen:Win32:Malware-gen
AV	Ad-Aware	Gen:Variant.Kazy.611009
AV	Twister	no_virus
AV	Avira (antivir)	TR/Spy.ZBot.xbbeomq
AV	Mcafee	PWS-FCCE!E20282620B66

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\WINDOWS\nppogskm\cpjrozygvsl
Creates File	C:\nppogskm\te1ks9xdeewqkvbavf.exe
Creates File	C:\nppogskm\cpjrozygvsl
Deletes File	C:\WINDOWS\nppogskm\cpjrozygvsl
Creates Process	C:\nppogskm\te1ks9xdeewqkvbavf.exe

Process
↳ C:\nppogskm\te1ks9xdeewqkvbavf.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Support Compatibility Portable Connections ➝ C:\nppogskm\zonqbtkbhvcm.exe
Creates File	C:\WINDOWS\nppogskm\cpjrozygvsl
Creates File	C:\nppogskm\zonqbtkbhvcm.exe
Creates File	PIPE\lsarpc
Creates File	C:\nppogskm\dszytvuhuto
Creates File	C:\nppogskm\cpjrozygvsl
Deletes File	C:\WINDOWS\nppogskm\cpjrozygvsl
Creates Process	C:\nppogskm\zonqbtkbhvcm.exe
Creates Service	Registry Framework DLL Auto Tablet Alerts - C:\nppogskm\zonqbtkbhvcm.exe

Process
↳ Pid 804

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1116

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1868

Process
↳ Pid 1148

Process
↳ C:\nppogskm\zonqbtkbhvcm.exe

Creates File	C:\WINDOWS\nppogskm\cpjrozygvsl
Creates File	pipe\net\NtControlPipe10
Creates File	C:\nppogskm\dqrsxax.exe
Creates File	C:\nppogskm\ut2inul
Creates File	\Device\Afd\Endpoint
Creates File	C:\nppogskm\dszytvuhuto
Creates File	C:\nppogskm\cpjrozygvsl
Deletes File	C:\WINDOWS\nppogskm\cpjrozygvsl
Creates Process	qmsqao3mkn43 "c:\nppogskm\zonqbtkbhvcm.exe"

Process
↳ C:\nppogskm\zonqbtkbhvcm.exe

Creates File	C:\WINDOWS\nppogskm\cpjrozygvsl
Creates File	C:\nppogskm\cpjrozygvsl
Deletes File	C:\WINDOWS\nppogskm\cpjrozygvsl

Process
↳ qmsqao3mkn43 "c:\nppogskm\zonqbtkbhvcm.exe"

Creates File	C:\WINDOWS\nppogskm\cpjrozygvsl
Creates File	C:\nppogskm\cpjrozygvsl
Deletes File	C:\WINDOWS\nppogskm\cpjrozygvsl

Network Details:

DNS	familytogether.net Type: A 104.219.41.65
DNS	childrencontrol.net Type: A 95.211.230.75
DNS	personmeasure.net Type: A 184.168.221.35
DNS	childrentogether.net Type: A
DNS	familycontrol.net Type: A
DNS	eithermatter.net Type: A
DNS	englishmatter.net Type: A
DNS	eitherspent.net Type: A
DNS	englishspent.net Type: A
DNS	eithertogether.net Type: A
DNS	englishtogether.net Type: A
DNS	eithercontrol.net Type: A
DNS	englishcontrol.net Type: A
DNS	expectfather.net Type: A
DNS	becausefather.net Type: A
DNS	expectapple.net Type: A
DNS	becauseapple.net Type: A
DNS	expectbuilt.net Type: A
DNS	becausebuilt.net Type: A
DNS	expectcarry.net Type: A
DNS	becausecarry.net Type: A
DNS	personfather.net Type: A
DNS	machinefather.net Type: A
DNS	personapple.net Type: A
DNS	machineapple.net Type: A
DNS	personbuilt.net Type: A
DNS	machinebuilt.net Type: A
DNS	personcarry.net Type: A
DNS	machinecarry.net Type: A
DNS	suddenfather.net Type: A
DNS	foreignfather.net Type: A
DNS	suddenapple.net Type: A
DNS	foreignapple.net Type: A
DNS	suddenbuilt.net Type: A
DNS	foreignbuilt.net Type: A
DNS	suddencarry.net Type: A
DNS	foreigncarry.net Type: A
DNS	whetherfather.net Type: A
DNS	rightfather.net Type: A
DNS	whetherapple.net Type: A
DNS	rightapple.net Type: A
DNS	whetherbuilt.net Type: A
DNS	rightbuilt.net Type: A
DNS	whethercarry.net Type: A
DNS	rightcarry.net Type: A
DNS	figurefather.net Type: A
DNS	thoughfather.net Type: A
DNS	figureapple.net Type: A
DNS	thoughapple.net Type: A
DNS	figurebuilt.net Type: A
DNS	thoughbuilt.net Type: A
DNS	figurecarry.net Type: A
DNS	thoughcarry.net Type: A
DNS	picturefather.net Type: A
DNS	cigarettefather.net Type: A
DNS	pictureapple.net Type: A
DNS	cigaretteapple.net Type: A
DNS	picturebuilt.net Type: A
DNS	cigarettebuilt.net Type: A
DNS	picturecarry.net Type: A
DNS	cigarettecarry.net Type: A
DNS	childrenfather.net Type: A
DNS	familyfather.net Type: A
DNS	childrenapple.net Type: A
DNS	familyapple.net Type: A
DNS	childrenbuilt.net Type: A
DNS	familybuilt.net Type: A
DNS	childrencarry.net Type: A
DNS	familycarry.net Type: A
DNS	eitherfather.net Type: A
DNS	englishfather.net Type: A
DNS	eitherapple.net Type: A
DNS	englishapple.net Type: A
DNS	eitherbuilt.net Type: A
DNS	englishbuilt.net Type: A
DNS	eithercarry.net Type: A
DNS	englishcarry.net Type: A
DNS	expectmeasure.net Type: A
DNS	becausemeasure.net Type: A
DNS	expectdinner.net Type: A
DNS	becausedinner.net Type: A
DNS	expectafraid.net Type: A
DNS	becauseafraid.net Type: A
DNS	expectcircle.net Type: A
DNS	becausecircle.net Type: A
HTTP GET	http://familytogether.net/index.php User-Agent:
HTTP GET	http://childrencontrol.net/index.php User-Agent:
HTTP GET	http://personmeasure.net/index.php User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 104.219.41.65:80
Flows TCP	192.168.1.1:1032 ➝ 95.211.230.75:80
Flows TCP	192.168.1.1:1033 ➝ 184.168.221.35:80

Raw Pcap

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   616d696c 79746f67 65746865 722e6e65   amilytogether.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   68696c64 72656e63 6f6e7472 6f6c2e6e   hildrencontrol.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   6572736f 6e6d6561 73757265 2e6e6574   ersonmeasure.net
0x00000050 (00080)   0d0a0d0a 0d0a                         ......

Strings