Analysis Date2015-08-13 04:06:11
MD5e20282620b6697a1306eddeb329b1b5c
SHA13a890e2d6e92e19464a8fb3018ca93ff6bc83c13

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 9b0c279618144bc6d0d0c149b9dc087b sha1: 79015e3a5fc19cd5c56dbfff0667968b39c9383f size: 314880
Section.rdata md5: e4ba21880eb05288536ffb19d5533fab sha1: 3e63ad6487f1ba2c2cd310dbf2c047e7be3e89f4 size: 59392
Section.data md5: 0dc39820e00a58425adb9e032ab7c796 sha1: 8ee9e4098f8f2b1105cb752c1ab26df4cd610ed9 size: 7680
Section.reloc md5: d8531df5f1e3b5e66a5c98e5418ceffc sha1: 2de07e9f9523df9b667452d0163f30b33818a208 size: 25600
Timestamp2015-05-11 07:02:07
PackerMicrosoft Visual C++ 8
PEhash88685983267e864d3c6c6e17a2c77e7d2d9ca21d
IMPhash2af1e62de3632aa0eb070ae38a3599e0
AVRisingTrojan.Win32.Bayrod.b
AVCA (E-Trust Ino)no_virus
AVF-SecureGen:Variant.Kazy.611009
AVDr. WebTrojan.Bayrob.1
AVClamAVno_virus
AVArcabit (arcavir)Gen:Variant.Kazy.611009
AVBullGuardGen:Variant.Kazy.611009
AVPadvishno_virus
AVVirusBlokAda (vba32)no_virus
AVCAT (quickheal)TrojanSpy.Nivdort.OD4
AVTrend MicroTROJ_BAYROB.SM0
AVKasperskyTrojan.Win32.Generic
AVZillya!no_virus
AVEmsisoftGen:Variant.Kazy.611009
AVIkarusTrojan.Win32.Bayrob
AVFrisk (f-prot)no_virus
AVAuthentiumW32/Nivdort.B.gen!Eldorado
AVMalwareBytesTrojan.Agent.KVTGen
AVMicroWorld (escan)Gen:Variant.Kazy.611009
AVMicrosoft Security EssentialsTrojanSpy:Win32/Nivdort.AL
AVK7Trojan ( 004c3a4d1 )
AVBitDefenderGen:Variant.Kazy.611009
AVFortinetW32/Bayrob.T!tr
AVSymantecDownloader.Upatre!g15
AVGrisoft (avg)Win32/Cryptor
AVEset (nod32)Win32/Bayrob.W
AVAlwil (avast)Malware-gen:Win32:Malware-gen
AVAd-AwareGen:Variant.Kazy.611009
AVTwisterno_virus
AVAvira (antivir)TR/Spy.ZBot.xbbeomq
AVMcafeePWS-FCCE!E20282620B66

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\WINDOWS\nppogskm\cpjrozygvsl
Creates FileC:\nppogskm\te1ks9xdeewqkvbavf.exe
Creates FileC:\nppogskm\cpjrozygvsl
Deletes FileC:\WINDOWS\nppogskm\cpjrozygvsl
Creates ProcessC:\nppogskm\te1ks9xdeewqkvbavf.exe

Process
↳ C:\nppogskm\te1ks9xdeewqkvbavf.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Support Compatibility Portable Connections ➝
C:\nppogskm\zonqbtkbhvcm.exe
Creates FileC:\WINDOWS\nppogskm\cpjrozygvsl
Creates FileC:\nppogskm\zonqbtkbhvcm.exe
Creates FilePIPE\lsarpc
Creates FileC:\nppogskm\dszytvuhuto
Creates FileC:\nppogskm\cpjrozygvsl
Deletes FileC:\WINDOWS\nppogskm\cpjrozygvsl
Creates ProcessC:\nppogskm\zonqbtkbhvcm.exe
Creates ServiceRegistry Framework DLL Auto Tablet Alerts - C:\nppogskm\zonqbtkbhvcm.exe

Process
↳ Pid 804

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates FileC:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1116

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1868

Process
↳ Pid 1148

Process
↳ C:\nppogskm\zonqbtkbhvcm.exe

Creates FileC:\WINDOWS\nppogskm\cpjrozygvsl
Creates Filepipe\net\NtControlPipe10
Creates FileC:\nppogskm\dqrsxax.exe
Creates FileC:\nppogskm\ut2inul
Creates File\Device\Afd\Endpoint
Creates FileC:\nppogskm\dszytvuhuto
Creates FileC:\nppogskm\cpjrozygvsl
Deletes FileC:\WINDOWS\nppogskm\cpjrozygvsl
Creates Processqmsqao3mkn43 "c:\nppogskm\zonqbtkbhvcm.exe"

Process
↳ C:\nppogskm\zonqbtkbhvcm.exe

Creates FileC:\WINDOWS\nppogskm\cpjrozygvsl
Creates FileC:\nppogskm\cpjrozygvsl
Deletes FileC:\WINDOWS\nppogskm\cpjrozygvsl

Process
↳ qmsqao3mkn43 "c:\nppogskm\zonqbtkbhvcm.exe"

Creates FileC:\WINDOWS\nppogskm\cpjrozygvsl
Creates FileC:\nppogskm\cpjrozygvsl
Deletes FileC:\WINDOWS\nppogskm\cpjrozygvsl

Network Details:

DNSfamilytogether.net
Type: A
104.219.41.65
DNSchildrencontrol.net
Type: A
95.211.230.75
DNSpersonmeasure.net
Type: A
184.168.221.35
DNSchildrentogether.net
Type: A
DNSfamilycontrol.net
Type: A
DNSeithermatter.net
Type: A
DNSenglishmatter.net
Type: A
DNSeitherspent.net
Type: A
DNSenglishspent.net
Type: A
DNSeithertogether.net
Type: A
DNSenglishtogether.net
Type: A
DNSeithercontrol.net
Type: A
DNSenglishcontrol.net
Type: A
DNSexpectfather.net
Type: A
DNSbecausefather.net
Type: A
DNSexpectapple.net
Type: A
DNSbecauseapple.net
Type: A
DNSexpectbuilt.net
Type: A
DNSbecausebuilt.net
Type: A
DNSexpectcarry.net
Type: A
DNSbecausecarry.net
Type: A
DNSpersonfather.net
Type: A
DNSmachinefather.net
Type: A
DNSpersonapple.net
Type: A
DNSmachineapple.net
Type: A
DNSpersonbuilt.net
Type: A
DNSmachinebuilt.net
Type: A
DNSpersoncarry.net
Type: A
DNSmachinecarry.net
Type: A
DNSsuddenfather.net
Type: A
DNSforeignfather.net
Type: A
DNSsuddenapple.net
Type: A
DNSforeignapple.net
Type: A
DNSsuddenbuilt.net
Type: A
DNSforeignbuilt.net
Type: A
DNSsuddencarry.net
Type: A
DNSforeigncarry.net
Type: A
DNSwhetherfather.net
Type: A
DNSrightfather.net
Type: A
DNSwhetherapple.net
Type: A
DNSrightapple.net
Type: A
DNSwhetherbuilt.net
Type: A
DNSrightbuilt.net
Type: A
DNSwhethercarry.net
Type: A
DNSrightcarry.net
Type: A
DNSfigurefather.net
Type: A
DNSthoughfather.net
Type: A
DNSfigureapple.net
Type: A
DNSthoughapple.net
Type: A
DNSfigurebuilt.net
Type: A
DNSthoughbuilt.net
Type: A
DNSfigurecarry.net
Type: A
DNSthoughcarry.net
Type: A
DNSpicturefather.net
Type: A
DNScigarettefather.net
Type: A
DNSpictureapple.net
Type: A
DNScigaretteapple.net
Type: A
DNSpicturebuilt.net
Type: A
DNScigarettebuilt.net
Type: A
DNSpicturecarry.net
Type: A
DNScigarettecarry.net
Type: A
DNSchildrenfather.net
Type: A
DNSfamilyfather.net
Type: A
DNSchildrenapple.net
Type: A
DNSfamilyapple.net
Type: A
DNSchildrenbuilt.net
Type: A
DNSfamilybuilt.net
Type: A
DNSchildrencarry.net
Type: A
DNSfamilycarry.net
Type: A
DNSeitherfather.net
Type: A
DNSenglishfather.net
Type: A
DNSeitherapple.net
Type: A
DNSenglishapple.net
Type: A
DNSeitherbuilt.net
Type: A
DNSenglishbuilt.net
Type: A
DNSeithercarry.net
Type: A
DNSenglishcarry.net
Type: A
DNSexpectmeasure.net
Type: A
DNSbecausemeasure.net
Type: A
DNSexpectdinner.net
Type: A
DNSbecausedinner.net
Type: A
DNSexpectafraid.net
Type: A
DNSbecauseafraid.net
Type: A
DNSexpectcircle.net
Type: A
DNSbecausecircle.net
Type: A
HTTP GEThttp://familytogether.net/index.php
User-Agent:
HTTP GEThttp://childrencontrol.net/index.php
User-Agent:
HTTP GEThttp://personmeasure.net/index.php
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 104.219.41.65:80
Flows TCP192.168.1.1:1032 ➝ 95.211.230.75:80
Flows TCP192.168.1.1:1033 ➝ 184.168.221.35:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   616d696c 79746f67 65746865 722e6e65   amilytogether.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   68696c64 72656e63 6f6e7472 6f6c2e6e   hildrencontrol.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   6572736f 6e6d6561 73757265 2e6e6574   ersonmeasure.net
0x00000050 (00080)   0d0a0d0a 0d0a                         ......


Strings