Field | Value |
---|---|
Analysis Date | 2015-08-19 05:12:29 |
MD5 | 84f9472726b1d46e0077dc2ff34ad579 |
SHA1 | 3dfdf4eb83341eafa72b22e89237c61263cde759 |
Static Details:
Field | Value |
---|---|
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
Timestamp | 2015-05-21 04:46:13 |
Packer | Microsoft Visual C++ ?.? |
PEhash | bbef5878ee3588a2a6818c99c20c74b472ea81d0 |
IMPhash | 314662b3b4ca4355314cf270f222c9eb |

Section | MD5 | SHA1 | Size (bytes) |
---|---|---|---|
.text | 555bd471dfc129c83d1bdf461b96c5f9 | 6d6ee28a8c938762f8c312dbe7498ac9d30ed725 | 274944 |
.rdata | c7c6e15986cf970ec67ac58a9deed777 | 43333c2e7401a49a14ee495e6b3653f0947570ed | 44032 |
.data | 69848f0a7ea8d0475509b75744695793 | cf570ea0b3df1e5f9e64a5ac05fd2cd08a184d77 | 7168 |
.reloc | 3ff23c13a59d8ebe6f74c8de0a7f23c1 | 9de4e6bfca88f0661ecbfe9876cd36bd9b54e185 | 20992 |
AV vendor | Detection |
---|---|
MicroWorld (escan) | Gen:Variant.Diley.1 |
Authentium | W32/Scar.V.gen!Eldorado |
Fortinet | no_virus |
Grisoft (avg) | Win32/Cryptor |
ClamAV | no_virus |
Padvish | no_virus |
CA (E-Trust Ino) | no_virus |
Symantec | Downloader.Upatre!g15 |
Trend Micro | TROJ_BAYROB.SM0 |
Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.Y |
MalwareBytes | no_virus |
Zillya! | no_virus |
Emsisoft | Gen:Variant.Diley.1 |
Ikarus | Trojan.Win32.Bayrob |
VirusBlokAda (vba32) | no_virus |
F-Secure | Gen:Variant.Diley.1 |
Dr. Web | Trojan.DownLoader15.36971 |
Kaspersky | Trojan.Win32.Scar.jwpt |
Arcabit (arcavir) | Gen:Variant.Diley.1 |
BitDefender | Gen:Variant.Diley.1 |
K7 | Trojan ( 004c77f41 ) |
BullGuard | Gen:Variant.Diley.1 |
CAT (quickheal) | TrojanSpy.Nivdort.J4 |
Eset (nod32) | Win32/Bayrob.Y |
Alwil (avast) | Malware-gen:Win32:Malware-gen |
Ad-Aware | Gen:Variant.Diley.1 |
Twister | W32.Bayrob.Y.riod |
Avira (antivir) | TR/AD.Nivdort.M.13 |
Mcafee | Trojan-FGIJ!84F9472726B1 |
Rising | no_virus |
Frisk (f-prot) | no_virus |
Runtime Details:
Process
↳ C:\malware.exe
Operation | Target |
---|---|
Creates File | C:\gtofefngco\kpkjl1jz6gsyugqs7yvmb.exe |
Creates File | C:\gtofefngco\jp7ewfi4 |
Creates File | C:\WINDOWS\gtofefngco\jp7ewfi4 |
Deletes File | C:\WINDOWS\gtofefngco\jp7ewfi4 |
Creates Process | C:\gtofefngco\kpkjl1jz6gsyugqs7yvmb.exe |
Process
↳ C:\gtofefngco\kpkjl1jz6gsyugqs7yvmb.exe
Operation | Target |
---|---|
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Now Peer Acquisition WebClient BranchCache Group ➝ C:\gtofefngco\satmweno.exe |
Creates File | C:\gtofefngco\satmweno.exe |
Creates File | C:\gtofefngco\rolln6xrv |
Creates File | C:\gtofefngco\jp7ewfi4 |
Creates File | PIPE\lsarpc |
Creates File | C:\WINDOWS\gtofefngco\jp7ewfi4 |
Deletes File | C:\WINDOWS\gtofefngco\jp7ewfi4 |
Creates Process | C:\gtofefngco\satmweno.exe |
Creates Service | Superfetch Window Secure - C:\gtofefngco\satmweno.exe |
Process
↳ Pid 816
Process
↳ Pid 864
Process
↳ C:\WINDOWS\System32\svchost.exe
Operation | Target |
---|---|
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
Process
↳ Pid 1124
Process
↳ Pid 1220
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Process
↳ Pid 1872
Process
↳ Pid 1180
Process
↳ C:\gtofefngco\satmweno.exe
Operation | Target |
---|---|
Creates File | pipe\net\NtControlPipe10 |
Creates File | C:\gtofefngco\rolln6xrv |
Creates File | C:\gtofefngco\jp7ewfi4 |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\WINDOWS\gtofefngco\jp7ewfi4 |
Creates File | C:\gtofefngco\ke13eld2ct |
Creates File | C:\gtofefngco\uqsfojg.exe |
Deletes File | C:\WINDOWS\gtofefngco\jp7ewfi4 |
Creates Process | kufkqsfabgbl "c:\gtofefngco\satmweno.exe" |
Process
↳ C:\gtofefngco\satmweno.exe
Operation | Target |
---|---|
Creates File | C:\gtofefngco\jp7ewfi4 |
Creates File | C:\WINDOWS\gtofefngco\jp7ewfi4 |
Deletes File | C:\WINDOWS\gtofefngco\jp7ewfi4 |
Process
↳ kufkqsfabgbl "c:\gtofefngco\satmweno.exe"
Operation | Target |
---|---|
Creates File | C:\gtofefngco\jp7ewfi4 |
Creates File | C:\WINDOWS\gtofefngco\jp7ewfi4 |
Deletes File | C:\WINDOWS\gtofefngco\jp7ewfi4 |
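The process tree above records the sample's install chain: the original binary drops a second-stage executable into a freshly created folder at the drive root (C:\gtofefngco\), that stage writes a Run value and registers a service, both pointing at a third copy (satmweno.exe), and satmweno.exe then relaunches itself with a random word as the first token of its command line instead of the image path. Both persistence names ("Now Peer Acquisition WebClient BranchCache Group", "Superfetch Window Secure") are built from words taken from real Windows component names. The Python below is an added triage example, not part of this report or of any sandbox's own code: it replays the rows above as constructed (process, action, target) events through a small hypothetical rule set (one-level directory at the drive root used for drops and execution, Run value or service binary outside the Windows and Program Files trees, command line whose first token is a bare word followed by a quoted executable) and returns what each rule matched. The rule names, the list of known root folders and the event encoding are assumptions made for the example.

```python
import re
from collections import defaultdict

# Rows transcribed from the Runtime Details table above, as (process, action, target).
# Constructed input for this example; "➝" is the report's own separator for
# registry value ➝ data and " - " its separator for service name - binary.
EVENTS = [
    (r"C:\malware.exe", "Creates File", r"C:\gtofefngco\kpkjl1jz6gsyugqs7yvmb.exe"),
    (r"C:\malware.exe", "Creates File", r"C:\WINDOWS\gtofefngco\jp7ewfi4"),
    (r"C:\malware.exe", "Deletes File", r"C:\WINDOWS\gtofefngco\jp7ewfi4"),
    (r"C:\malware.exe", "Creates Process", r"C:\gtofefngco\kpkjl1jz6gsyugqs7yvmb.exe"),
    (r"C:\gtofefngco\kpkjl1jz6gsyugqs7yvmb.exe", "Registry",
     r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Now Peer Acquisition WebClient BranchCache Group"
     r" ➝ C:\gtofefngco\satmweno.exe"),
    (r"C:\gtofefngco\kpkjl1jz6gsyugqs7yvmb.exe", "Creates File", r"C:\gtofefngco\satmweno.exe"),
    (r"C:\gtofefngco\kpkjl1jz6gsyugqs7yvmb.exe", "Creates Service",
     r"Superfetch Window Secure - C:\gtofefngco\satmweno.exe"),
    (r"C:\gtofefngco\kpkjl1jz6gsyugqs7yvmb.exe", "Creates Process", r"C:\gtofefngco\satmweno.exe"),
    (r"C:\gtofefngco\satmweno.exe", "Creates File", r"C:\gtofefngco\uqsfojg.exe"),
    (r"C:\gtofefngco\satmweno.exe", "Creates Process", r'kufkqsfabgbl "c:\gtofefngco\satmweno.exe"'),
    (r"C:\WINDOWS\System32\svchost.exe", "Creates File", r"C:\WINDOWS\system32\WBEM\Logs\wbemess.log"),
]

# Folders that legitimately sit directly under the drive root (assumed list); any other
# one-level folder used to drop or run executables is treated as a staging directory.
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "users",
                   "documents and settings", "programdata", "temp", "tmp"}


def staging_dir(path):
    """Return the root-level folder name if PATH is <drive>:\\<folder>\\<file> with a non-standard folder."""
    m = re.match(r"^[a-z]:\\([^\\]+)\\[^\\]+$", path, re.I)
    if m and m.group(1).lower() not in KNOWN_ROOT_DIRS:
        return m.group(1).lower()
    return None


def in_trusted_location(path):
    """True for binaries under the Windows or Program Files trees."""
    return re.match(r"^[a-z]:\\(windows|program files( \(x86\))?)\\", path, re.I) is not None


def triage(events):
    """Run the hypothetical rules over (process, action, target) rows; return findings keyed by rule."""
    f = defaultdict(list)
    for _proc, action, target in events:
        if action == "Registry" and "\\currentversion\\run\\" in target.lower():
            key, _, data = target.partition(" ➝ ")
            if not in_trusted_location(data):
                f["run_key_persistence"].append((key.rsplit("\\", 1)[-1], data))
        elif action == "Creates Service":
            name, _, binary = target.partition(" - ")
            if not in_trusted_location(binary):
                f["service_persistence"].append((name, binary))
        elif action == "Creates Process":
            # Command line whose first token is a bare word rather than an image path,
            # followed by the quoted executable, e.g. kufkqsfabgbl "c:\gtofefngco\satmweno.exe"
            m = re.match(r'^([^\s"\\]+)\s+"([^"]+\.exe)"$', target, re.I)
            if m and not m.group(1).lower().endswith(".exe"):
                f["odd_cmdline"].append((m.group(1), m.group(2)))
            elif staging_dir(target):
                f["exec_from_staging_dir"].append(target)
        elif action == "Creates File":
            d = staging_dir(target)
            if d:
                f["staging_dirs"].append(d)
                if target.lower().endswith(".exe"):
                    f["dropped_executables"].append(target)
    f["staging_dirs"] = sorted(set(f["staging_dirs"]))
    return dict(f)


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

The path rules deliberately ignore file names, since every name in this chain (the folder, the dropped executables, the command-line token) is random; what stays constant is the shape of the chain: a one-level folder at the drive root, persistence data pointing into it, and a self-relaunch whose command line does not start with the image path.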
Network Details:
Raw Pcap
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2073 : close..Host: s
0x00000040 (00064) 77656574 73686f72 742e6e65 740d0a0d weetshort.net...
0x00000050 (00080) 0a .

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2070 : close..Host: p
0x00000040 (00064) 726f6261 626c7973 686f7274 2e6e6574 robablyshort.net
0x00000050 (00080) 0d0a0d0a ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2073 : close..Host: s
0x00000040 (00064) 77656574 70726f6d 6973652e 6e65740d weetpromise.net.
0x00000050 (00080) 0a0d0a0a ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206d : close..Host: m
0x00000040 (00064) 61746572 69616c6f 70696e69 6f6e2e6e aterialopinion.n
0x00000050 (00080) 65740d0a 0d0a et....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2073 : close..Host: s
0x00000040 (00064) 696d706c 656f6666 6963652e 6e65740d impleoffice.net.
0x00000050 (00080) 0a0d0a0a 0d0a ......

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206d : close..Host: m
0x00000040 (00064) 6f756e74 61696e73 7570706c 792e6e65 ountainsupply.ne
0x00000050 (00080) 740d0a0d 0a0a t.....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2077 : close..Host: w
0x00000040 (00064) 696e646f 77737570 706c792e 6e65740d indowsupply.net.
0x00000050 (00080) 0a0d0a0d 0a0a ......

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2073 : close..Host: s
0x00000040 (00064) 77656574 6f666669 63652e6e 65740d0a weetoffice.net..
0x00000050 (00080) 0d0a0a0d 0a0a ......

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206d : close..Host: m
0x00000040 (00064) 61746572 69616c73 7570706c 792e6e65 aterialsupply.ne
0x00000050 (00080) 740d0a0d 0a0a t.....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206c : close..Host: l
0x00000040 (00064) 61756768 7374726f 6e672e6e 65740d0a aughstrong.net..
0x00000050 (00080) 0d0a0a0d 0a0a ......
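Every request in the dump above is the same GET /index.php HTTP/1.0 carrying only Accept: */*, Connection: close and Host headers (no User-Agent), and only the Host value changes across the ten requests; each hostname is two dictionary words under .net. The Python below is an added example, not part of this report or of any sandbox's code: it decodes the sandbox's hexdump format back into bytes, splits the stream into requests where the offset column resets to zero, parses each as an HTTP request and collects the Host values plus the distinct request lines and header names, which is the material a network signature or blocklist would be built from. The embedded input is the first three requests transcribed from the dump above (constructed sample input for the example); feeding it the whole section yields all ten hosts.

```python
import re

# First three requests of the Raw Pcap section above, transcribed verbatim as the parser's
# input (constructed sample; the full section carries ten requests in the same format).
RAW_PCAP = """\
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2073 : close..Host: s
0x00000040 (00064) 77656574 73686f72 742e6e65 740d0a0d weetshort.net...
0x00000050 (00080) 0a .
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2070 : close..Host: p
0x00000040 (00064) 726f6261 626c7973 686f7274 2e6e6574 robablyshort.net
0x00000050 (00080) 0d0a0d0a ....
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2073 : close..Host: s
0x00000040 (00064) 77656574 70726f6d 6973652e 6e65740d weetpromise.net.
0x00000050 (00080) 0a0d0a0a ....
"""

# One dump row: 0x<hex offset> (<decimal offset>) <up to four 4-byte hex words> <ascii column>
HEX_ROW = re.compile(r"^0x([0-9a-fA-F]{8}) \(\d+\) (.*)$")
HEX_WORD = re.compile(r"[0-9a-fA-F]{2,8}")


def parse_hexdump(text):
    """Turn the sandbox hexdump into a list of per-request byte strings.

    A row whose offset is 0 starts a new request.  Hex words are consumed until 16 bytes
    have been read or a token that is not a hex word (the start of the ASCII column) is hit.
    """
    requests, current = [], bytearray()
    for line in text.splitlines():
        m = HEX_ROW.match(line.strip())
        if not m:
            continue
        if int(m.group(1), 16) == 0 and current:
            requests.append(bytes(current))
            current = bytearray()
        row = bytearray()
        for tok in m.group(2).split():
            if len(row) >= 16 or len(tok) % 2 or not HEX_WORD.fullmatch(tok):
                break
            row += bytes.fromhex(tok)
        current += row
    if current:
        requests.append(bytes(current))
    return requests


def parse_http_request(raw):
    """Split one captured request into request line, headers and any bytes after the blank line."""
    head, _, trailing = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "host": headers.get("host"), "trailing": trailing}


def beacon_hosts(text):
    """Host header of every request in the dump, in capture order."""
    return [parse_http_request(r)["host"] for r in parse_hexdump(text)]


def summarize(text):
    """Hosts plus the distinct request lines and header names seen across the dump."""
    parsed = [parse_http_request(r) for r in parse_hexdump(text)]
    return {
        "hosts": [p["host"] for p in parsed],
        "request_lines": sorted({f'{p["method"]} {p["target"]} {p["version"]}' for p in parsed}),
        "header_names": sorted({n for p in parsed for n in p["headers"]}),
    }


if __name__ == "__main__":
    for key, value in summarize(RAW_PCAP).items():
        print(key, value)
```

The "trailing" field keeps whatever bytes follow the terminating blank line; several requests in the dump end with one or two extra newline bytes after the CRLF CRLF, which a strict HTTP parser would discard but which are part of what the wire actually carried.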
Strings