Analysis Date: 2015-08-19 05:12:29
MD5: 84f9472726b1d46e0077dc2ff34ad579
SHA1: 3dfdf4eb83341eafa72b22e89237c61263cde759

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 555bd471dfc129c83d1bdf461b96c5f9  sha1: 6d6ee28a8c938762f8c312dbe7498ac9d30ed725  size: 274944
Section .rdata  md5: c7c6e15986cf970ec67ac58a9deed777  sha1: 43333c2e7401a49a14ee495e6b3653f0947570ed  size: 44032
Section .data   md5: 69848f0a7ea8d0475509b75744695793  sha1: cf570ea0b3df1e5f9e64a5ac05fd2cd08a184d77  size: 7168
Section .reloc  md5: 3ff23c13a59d8ebe6f74c8de0a7f23c1  sha1: 9de4e6bfca88f0661ecbfe9876cd36bd9b54e185  size: 20992
Timestamp: 2015-05-21 04:46:13
Packer: Microsoft Visual C++ ?.?
PEhash: bbef5878ee3588a2a6818c99c20c74b472ea81d0
IMPhash: 314662b3b4ca4355314cf270f222c9eb
AV  MicroWorld (escan): Gen:Variant.Diley.1
AV  Authentium: W32/Scar.V.gen!Eldorado
AV  Fortinet: no_virus
AV  Grisoft (avg): Win32/Cryptor
AV  ClamAV: no_virus
AV  Padvish: no_virus
AV  CA (E-Trust Ino): no_virus
AV  Symantec: Downloader.Upatre!g15
AV  Trend Micro: TROJ_BAYROB.SM0
AV  Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV  MalwareBytes: no_virus
AV  Zillya!: no_virus
AV  Emsisoft: Gen:Variant.Diley.1
AV  Ikarus: Trojan.Win32.Bayrob
AV  VirusBlokAda (vba32): no_virus
AV  F-Secure: Gen:Variant.Diley.1
AV  Dr. Web: Trojan.DownLoader15.36971
AV  Kaspersky: Trojan.Win32.Scar.jwpt
AV  Arcabit (arcavir): Gen:Variant.Diley.1
AV  BitDefender: Gen:Variant.Diley.1
AV  K7: Trojan ( 004c77f41 )
AV  BullGuard: Gen:Variant.Diley.1
AV  CAT (quickheal): TrojanSpy.Nivdort.J4
AV  Eset (nod32): Win32/Bayrob.Y
AV  Alwil (avast): Malware-gen:Win32:Malware-gen
AV  Ad-Aware: Gen:Variant.Diley.1
AV  Twister: W32.Bayrob.Y.riod
AV  Avira (antivir): TR/AD.Nivdort.M.13
AV  Mcafee: Trojan-FGIJ!84F9472726B1
AV  Rising: no_virus
AV  Frisk (f-prot): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\gtofefngco\kpkjl1jz6gsyugqs7yvmb.exe
Creates File: C:\gtofefngco\jp7ewfi4
Creates File: C:\WINDOWS\gtofefngco\jp7ewfi4
Deletes File: C:\WINDOWS\gtofefngco\jp7ewfi4
Creates Process: C:\gtofefngco\kpkjl1jz6gsyugqs7yvmb.exe

Process
↳ C:\gtofefngco\kpkjl1jz6gsyugqs7yvmb.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Now Peer Acquisition WebClient BranchCache Group ➝ C:\gtofefngco\satmweno.exe
Creates File: C:\gtofefngco\satmweno.exe
Creates File: C:\gtofefngco\rolln6xrv
Creates File: C:\gtofefngco\jp7ewfi4
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\gtofefngco\jp7ewfi4
Deletes File: C:\WINDOWS\gtofefngco\jp7ewfi4
Creates Process: C:\gtofefngco\satmweno.exe
Creates Service: Superfetch Window Secure - C:\gtofefngco\satmweno.exe

Process
↳ Pid 816

Process
↳ Pid 864

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1124

Process
↳ Pid 1220

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1872

Process
↳ Pid 1180

Process
↳ C:\gtofefngco\satmweno.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\gtofefngco\rolln6xrv
Creates File: C:\gtofefngco\jp7ewfi4
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\gtofefngco\jp7ewfi4
Creates File: C:\gtofefngco\ke13eld2ct
Creates File: C:\gtofefngco\uqsfojg.exe
Deletes File: C:\WINDOWS\gtofefngco\jp7ewfi4
Creates Process: kufkqsfabgbl "c:\gtofefngco\satmweno.exe"

Process
↳ C:\gtofefngco\satmweno.exe

Creates File: C:\gtofefngco\jp7ewfi4
Creates File: C:\WINDOWS\gtofefngco\jp7ewfi4
Deletes File: C:\WINDOWS\gtofefngco\jp7ewfi4

Process
↳ kufkqsfabgbl "c:\gtofefngco\satmweno.exe"

Creates File: C:\gtofefngco\jp7ewfi4
Creates File: C:\WINDOWS\gtofefngco\jp7ewfi4
Deletes File: C:\WINDOWS\gtofefngco\jp7ewfi4

Network Details:

DNS: melbourneit.hotkeysparking.com  Type: A  ➝ 8.5.1.16
DNS: probablyshort.net  Type: A  ➝ 208.91.197.241
DNS: sweetpromise.net  Type: A  ➝ 69.64.147.249
DNS: materialopinion.net  Type: A  ➝ 195.22.26.254, 195.22.26.231, 195.22.26.252, 195.22.26.253
DNS: simpleoffice.net  Type: A  ➝ 50.63.202.104
DNS: mountainsupply.net  Type: A  ➝ 67.18.199.2
DNS: windowsupply.net  Type: A  ➝ 173.236.172.44
DNS: sweetoffice.net  Type: A  ➝ 162.213.251.173
DNS: materialsupply.net  Type: A  ➝ 184.168.221.36
DNS: laughstrong.net  Type: A  ➝ 50.21.189.209
DNS: probablyshould.net  Type: A
DNS: sweetshort.net  Type: A
DNS: sweetopinion.net  Type: A
DNS: probablyopinion.net  Type: A
DNS: probablypromise.net  Type: A
DNS: severalshould.net  Type: A
DNS: materialshould.net  Type: A
DNS: severalshort.net  Type: A
DNS: materialshort.net  Type: A
DNS: severalopinion.net  Type: A
DNS: severalpromise.net  Type: A
DNS: materialpromise.net  Type: A
DNS: severasupply.net  Type: A
DNS: laughsupply.net  Type: A
DNS: severadistance.net  Type: A
DNS: laughdistance.net  Type: A
DNS: severaoffice.net  Type: A
DNS: laughoffice.net  Type: A
DNS: severaarrive.net  Type: A
DNS: laugharrive.net  Type: A
DNS: simplesupply.net  Type: A
DNS: mothersupply.net  Type: A
DNS: simpledistance.net  Type: A
DNS: motherdistance.net  Type: A
DNS: motheroffice.net  Type: A
DNS: simplearrive.net  Type: A
DNS: motherarrive.net  Type: A
DNS: possiblesupply.net  Type: A
DNS: mountaindistance.net  Type: A
DNS: possibledistance.net  Type: A
DNS: mountainoffice.net  Type: A
DNS: possibleoffice.net  Type: A
DNS: mountainarrive.net  Type: A
DNS: possiblearrive.net  Type: A
DNS: perhapssupply.net  Type: A
DNS: perhapsdistance.net  Type: A
DNS: windowdistance.net  Type: A
DNS: perhapsoffice.net  Type: A
DNS: windowoffice.net  Type: A
DNS: perhapsarrive.net  Type: A
DNS: windowarrive.net  Type: A
DNS: wintersupply.net  Type: A
DNS: subjectsupply.net  Type: A
DNS: winterdistance.net  Type: A
DNS: subjectdistance.net  Type: A
DNS: winteroffice.net  Type: A
DNS: subjectoffice.net  Type: A
DNS: winterarrive.net  Type: A
DNS: subjectarrive.net  Type: A
DNS: finishsupply.net  Type: A
DNS: leavesupply.net  Type: A
DNS: finishdistance.net  Type: A
DNS: leavedistance.net  Type: A
DNS: finishoffice.net  Type: A
DNS: leaveoffice.net  Type: A
DNS: finisharrive.net  Type: A
DNS: leavearrive.net  Type: A
DNS: sweetsupply.net  Type: A
DNS: probablysupply.net  Type: A
DNS: sweetdistance.net  Type: A
DNS: probablydistance.net  Type: A
DNS: probablyoffice.net  Type: A
DNS: sweetarrive.net  Type: A
DNS: probablyarrive.net  Type: A
DNS: severalsupply.net  Type: A
DNS: severaldistance.net  Type: A
DNS: materialdistance.net  Type: A
DNS: severaloffice.net  Type: A
DNS: materialoffice.net  Type: A
DNS: severalarrive.net  Type: A
DNS: materialarrive.net  Type: A
DNS: severastrong.net  Type: A
DNS: severatrouble.net  Type: A
DNS: laughtrouble.net  Type: A
DNS: severapresident.net  Type: A
DNS: laughpresident.net  Type: A
HTTP GET: http://sweetshort.net/index.php  User-Agent: (absent)
HTTP GET: http://probablyshort.net/index.php  User-Agent: (absent)
HTTP GET: http://sweetpromise.net/index.php  User-Agent: (absent)
HTTP GET: http://materialopinion.net/index.php  User-Agent: (absent)
HTTP GET: http://simpleoffice.net/index.php  User-Agent: (absent)
HTTP GET: http://mountainsupply.net/index.php  User-Agent: (absent)
HTTP GET: http://windowsupply.net/index.php  User-Agent: (absent)
HTTP GET: http://sweetoffice.net/index.php  User-Agent: (absent)
HTTP GET: http://materialsupply.net/index.php  User-Agent: (absent)
HTTP GET: http://laughstrong.net/index.php  User-Agent: (absent)
Flows TCP: 192.168.1.1:1031 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1032 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1033 ➝ 69.64.147.249:80
Flows TCP: 192.168.1.1:1034 ➝ 195.22.26.254:80
Flows TCP: 192.168.1.1:1035 ➝ 50.63.202.104:80
Flows TCP: 192.168.1.1:1036 ➝ 67.18.199.2:80
Flows TCP: 192.168.1.1:1037 ➝ 173.236.172.44:80
Flows TCP: 192.168.1.1:1038 ➝ 162.213.251.173:80
Flows TCP: 192.168.1.1:1039 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1040 ➝ 50.21.189.209:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   77656574 73686f72 742e6e65 740d0a0d   weetshort.net...
0x00000050 (00080)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   726f6261 626c7973 686f7274 2e6e6574   robablyshort.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   77656574 70726f6d 6973652e 6e65740d   weetpromise.net.
0x00000050 (00080)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   61746572 69616c6f 70696e69 6f6e2e6e   aterialopinion.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   696d706c 656f6666 6963652e 6e65740d   impleoffice.net.
0x00000050 (00080)   0a0d0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f756e74 61696e73 7570706c 792e6e65   ountainsupply.ne
0x00000050 (00080)   740d0a0d 0a0a                         t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   696e646f 77737570 706c792e 6e65740d   indowsupply.net.
0x00000050 (00080)   0a0d0a0d 0a0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   77656574 6f666669 63652e6e 65740d0a   weetoffice.net..
0x00000050 (00080)   0d0a0a0d 0a0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   61746572 69616c73 7570706c 792e6e65   aterialsupply.ne
0x00000050 (00080)   740d0a0d 0a0a                         t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   61756768 7374726f 6e672e6e 65740d0a   aughstrong.net..
0x00000050 (00080)   0d0a0a0d 0a0a                         ......
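
The hex dumps above are the sandbox's record of each beacon. The following Python is an added example, not part of the sandbox report: it rebuilds the request bytes from that dump layout and checks them for the client traits the dumps show (GET /index.php over HTTP/1.0, Accept: */*, Connection: close, and no User-Agent header at all). The sample dump is the first block above copied verbatim; the function and class names are my own.

```python
"""
Rebuild the HTTP request recorded in a sandbox "Raw Pcap" hex dump and flag
the client traits visible in it. Added example; the names here are mine and
are not part of the sandbox report.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the first "Raw Pcap" block of the report, copied verbatim.
SAMPLE_DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   77656574 73686f72 742e6e65 740d0a0d   weetshort.net...
0x00000050 (00080)   0a                                    .
"""

# One dump row: hex offset, decimal offset, one to four hex words (4 bytes each,
# the last one possibly shorter), then two or more spaces before the ASCII column.
# The lazy {1,4}? plus the mandatory padding keeps hex-looking ASCII text
# (e.g. the printable bytes "ab") from being read as an extra word.
_ROW = re.compile(
    r"^0x([0-9a-fA-F]{8})\s+\((\d+)\)\s+"
    r"((?:[0-9a-fA-F]{2,8} ?){1,4}?)"
    r"(?:\s{2,}|\s*$)"
)


def parse_hexdump(dump: str) -> bytes:
    """Turn a sandbox hex dump back into the raw bytes it shows."""
    buf = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        m = _ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised dump row: {line!r}")
        offset = int(m.group(2))
        if offset != len(buf):  # rows must be contiguous; a missing row is an error
            raise ValueError(f"row offset {offset} but {len(buf)} bytes parsed so far")
        hexstr = "".join(m.group(3).split())
        if len(hexstr) % 2:
            raise ValueError(f"odd number of hex digits in row: {line!r}")
        buf += bytes.fromhex(hexstr)
    return bytes(buf)


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict[str, str] = field(default_factory=dict)  # header names lower-cased
    body: bytes = b""  # anything after the blank line (stray trailing bytes included)


def parse_http_request(raw: bytes) -> HttpRequest:
    """Split a raw request into request line, headers and whatever follows the blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, version, headers, body)


def flag_request(req: HttpRequest) -> list[str]:
    """Return the beacon traits seen in this report, usable as a detection checklist."""
    flags = []
    if "user-agent" not in req.headers:
        flags.append("no User-Agent header")
    if req.version == "HTTP/1.0":
        flags.append("HTTP/1.0 request line")
    if req.method == "GET" and req.target == "/index.php":
        flags.append("GET /index.php with no query string")
    if req.headers.get("accept") == "*/*" and req.headers.get("connection", "").lower() == "close":
        flags.append("Accept: */* plus Connection: close")
    return flags


if __name__ == "__main__":
    request = parse_http_request(parse_hexdump(SAMPLE_DUMP))
    print(request.method, request.target, request.version, "Host:", request.headers.get("host"))
    for flag in flag_request(request):
        print(" -", flag)
```

Run it against any of the other blocks above by pasting them into SAMPLE_DUMP; several of them carry a few stray bytes after the terminating blank line (for example the `0a0d0a0a` tail of the sweetpromise.net request), which end up in `body` rather than being silently dropped.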


Strings