Analysis Date: 2016-02-13 12:09:17
MD5: ceea7905a9512cb7c79a876eef3011fa
SHA1: 3d8c56cfde0aeddd032dce942f9dce32b6afc4a0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 031cc13a6f032b62578fc66d9912ca2d sha1: 9e567d6e845fc3928ada96a3b3034ab90118d1b9 size: 182784
Section .rdata: md5: 109271a4b105199b190bdf5b53f89670 sha1: 2d40fcbb4b23ba8c9bf9d25d13250c2702c73c8f size: 2560
Section .data: md5: d5606b1fb04729a49db17859ca7e0e48 sha1: 55e8264ffa98e9a4f5724b1a40d2136d3a895002 size: 15872
Section .reloc: md5: 3e12a63b20a6ebd29a343a69ccf88087 sha1: 9d7aa684f60474a5d97254c18747b811739ffd7d size: 30208
Timestamp: 2014-04-13 12:57:02
PEhash: 2d148c2bdc722fcb286322b0160a014e6830da63
IMPhash: ce99c1d1ccd62edbbdcd338a6ee7f8c9
AV CA (E-Trust Ino): Gen:Variant.Kazy.788903
AV F-Secure: Gen:Variant.Kazy.788903
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Kazy.788903
AV BullGuard: Gen:Variant.Kazy.788903
AV CAT (quickheal): TrojanSpy.Nivdort.r4
AV VirusBlokAda (vba32): No Virus
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): W32/Nivdort.G.gen!Eldorado
AV Emsisoft: Gen:Variant.Kazy.788903
AV Authentium: W32/Nivdort.G.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Kazy.788903
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DG
AV K7: Trojan ( 004dc2a31 )
AV BitDefender: Gen:Variant.Kazy.788903
AV Fortinet: W32/Bayrob.AQ!tr
AV Symantec: Trojan.Bayrob!gen6
AV Grisoft (avg): No Virus
AV Eset (nod32): Win32/Bayrob.BA
AV Alwil (avast): Vupa [Cryp]
AV Ad-Aware: Gen:Variant.Kazy.788903
AV Twister: No Virus
AV Avira (antivir): TR/Nivdort.A.29013
AV Mcafee: Trojan-FHQT!CEEA7905A951
AV Rising: No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\ccrdmoz\svqxykvc
Creates File: C:\ccrdmoz\fa1kvqd9o3pekuqavk.exe
Creates File: C:\ccrdmoz\svqxykvc
Deletes File: C:\WINDOWS\ccrdmoz\svqxykvc
Creates Process: C:\ccrdmoz\fa1kvqd9o3pekuqavk.exe

Process
↳ C:\ccrdmoz\fa1kvqd9o3pekuqavk.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Image Process Logon SNMP ➝ C:\ccrdmoz\jdrhjmb.exe
Creates File: C:\ccrdmoz\jdrhjmb.exe
Creates File: C:\ccrdmoz\ysfbfb4sfv
Creates File: C:\WINDOWS\ccrdmoz\svqxykvc
Creates File: PIPE\lsarpc
Creates File: C:\ccrdmoz\svqxykvc
Deletes File: C:\WINDOWS\ccrdmoz\svqxykvc
Creates Process: C:\ccrdmoz\jdrhjmb.exe
Creates Service: Panel Wired Interactive Audio WinHTTP - C:\ccrdmoz\jdrhjmb.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1884

Process
↳ Pid 1140

Process
↳ C:\ccrdmoz\jdrhjmb.exe

Creates File: C:\ccrdmoz\ysfbfb4sfv
Creates File: C:\WINDOWS\ccrdmoz\svqxykvc
Creates File: pipe\net\NtControlPipe10
Creates File: C:\ccrdmoz\ylznwmxiuy.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\ccrdmoz\vv1rstha
Creates File: C:\ccrdmoz\svqxykvc
Deletes File: C:\WINDOWS\ccrdmoz\svqxykvc
Creates Process: vyjs9fhesqr7 "c:\ccrdmoz\jdrhjmb.exe"

Process
↳ C:\ccrdmoz\jdrhjmb.exe

Creates File: C:\WINDOWS\ccrdmoz\svqxykvc
Creates File: C:\ccrdmoz\svqxykvc
Deletes File: C:\WINDOWS\ccrdmoz\svqxykvc

Process
↳ vyjs9fhesqr7 "c:\ccrdmoz\jdrhjmb.exe"

Creates File: C:\WINDOWS\ccrdmoz\svqxykvc
Creates File: C:\ccrdmoz\svqxykvc
Deletes File: C:\WINDOWS\ccrdmoz\svqxykvc

Network Details:


Raw Pcap
Strings