Analysis Date: 2016-01-27 22:56:09
MD5: 51762be554c00f6d1442cfb44616500d
SHA1: 3ec14c850973e3ef2a45a58bf019e59d9489f064

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: e862b2494d2469c8543baada6020fa87 sha1: 05217d30288b082fec81150aac988a16a3785903 size: 1105920
Section .rdata md5: 0733062b8850079f503dd080342f23bb sha1: 2da71aba8ecc2afb6b797269d87922691952c714 size: 303104
Section .data md5: 71852f141468b479eba851eb6c66c210 sha1: 5206c46387e69b283d25ebfe79bf8b98384b78af size: 3072
Section .reloc md5: 1b4abf827aac50dfe8da036e13a2f150 sha1: c8ca1bade552ae750a2a2edc54b3f33e1092ee40 size: 139264
Timestamp: 2016-01-02 13:18:35
Packer: Microsoft Visual C++ ?.?
PEhash: a52dea11ed7d94f8ccf2943b760d51b919c0874c
IMPhash: 49cf81fe03cbfa2c778050ddf6b13d6e
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): TR/Taranis.2086
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Kazy.794416
AV Alwil (avast): No Virus
AV Eset (nod32): Win32/Bayrob.BK
AV Grisoft (avg): Generic37.ABEV
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.AT!tr
AV BitDefender: Gen:Variant.Kazy.794416
AV K7: Trojan ( 004da8bd1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DG
AV MicroWorld (escan): No Virus
AV MalwareBytes: No Virus
AV Authentium: No Virus
AV Frisk (f-prot): No Virus
AV Ikarus: No Virus
AV Emsisoft: Gen:Variant.Kazy.794416
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Agent.netwrn
AV Trend Micro: No Virus
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Gen:Variant.Kazy.794416
AV Arcabit (arcavir): Gen:Variant.Kazy.794416
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.5683
AV F-Secure: Gen:Variant.Kazy.794416

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\sifgyeshooaaoao\tst
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\zwsmpkdw9nvytxhedhedkycfk.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\zwsmpkdw9nvytxhedhedkycfk.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\zwsmpkdw9nvytxhedhedkycfk.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Layer Driver Base RPC Offline ➝ C:\WINDOWS\system32\ortenythlysu.exe
Creates File: C:\WINDOWS\system32\sifgyeshooaaoao\lck
Creates File: C:\WINDOWS\system32\sifgyeshooaaoao\tst
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\ortenythlysu.exe
Creates Process: C:\WINDOWS\system32\ortenythlysu.exe
Creates Service: Credential PNRP Helper Sharing Audio Search - C:\WINDOWS\system32\ortenythlysu.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: WMIDataDevice

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\ZWSMPKDAMY383XHEDH.EXE-2FD4FCFF.pf
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\JVSLAANPE.EXE-2EAE01F1.pf
Creates File: C:\WINDOWS\Prefetch\ZWSMPKDW9NVYTXHEDHEDKYCFK.EXE-23406D3B.pf
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\Prefetch\3EC14C850973E3EF2A45A58BF019E-3217ACF2.pf
Creates File: C:\WINDOWS\Prefetch\ORTENYTHLYSU.EXE-068D457A.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1204

Process
↳ Pid 1300

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ Pid 912

Process
↳ C:\WINDOWS\system32\ortenythlysu.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\zwsmpkdamy383xhedh.exe
Creates File: C:\WINDOWS\system32\sifgyeshooaaoao\cfg
Creates File: C:\WINDOWS\system32\sifgyeshooaaoao\run
Creates File: C:\WINDOWS\system32\sifgyeshooaaoao\lck
Creates File: C:\WINDOWS\system32\jvslaanpe.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\sifgyeshooaaoao\rng
Creates File: C:\WINDOWS\system32\sifgyeshooaaoao\tst
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\TEMP\zwsmpkdamy383xhedh.exe
Creates Process: C:\WINDOWS\TEMP\zwsmpkdamy383xhedh.exe -r 35998 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\ortenythlysu.exe"

Process
↳ C:\WINDOWS\system32\ortenythlysu.exe

Creates File: C:\WINDOWS\system32\sifgyeshooaaoao\tst
Creates File: PIPE\lsarpc

Process
↳ c:\windows\system32\ortenythlysu.exe

Creates File: C:\WINDOWS\system32\sifgyeshooaaoao\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\ortenythlysu.exe"

Creates File: C:\WINDOWS\system32\sifgyeshooaaoao\tst
Creates Process: c:\windows\system32\ortenythlysu.exe

Process
↳ C:\WINDOWS\TEMP\zwsmpkdamy383xhedh.exe -r 35998 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: doubleobject.net (Type: A) ➝ 69.195.124.153
DNS: brokenthird.net (Type: A) ➝ 74.220.215.249
DNS: riddenstorm.net (Type: A) ➝ 66.147.240.171
DNS: gentleangry.net (Type: A) ➝ 98.139.135.129
DNS: simonettedwerryhouse.net (Type: A) ➝ 98.139.135.129
DNS: morningduring.net (Type: A) ➝ 98.139.135.129
DNS: wifeabout.net (Type: A) ➝ 98.139.135.129
DNS: casestep.net (Type: A) ➝ 98.139.135.129
DNS: favorcount.net (Type: A) ➝ 69.16.192.64
DNS: theirhope.net (Type: A) ➝ 173.236.174.11
DNS: pointhope.net (Type: A) ➝ 82.165.74.254
DNS: callhope.net (Type: A) ➝ 195.22.26.248
DNS: callleft.net (Type: A) ➝ 195.22.26.248
DNS: callthirteen.net (Type: A) ➝ 195.22.26.248
DNS: callhurry.net (Type: A) ➝ 195.22.26.248
DNS: liarhope.net (Type: A) ➝ 195.22.26.248
DNS: fiftywild.net (Type: A) ➝ 208.100.26.234
DNS: theirkind.net (Type: A) ➝ 81.21.76.62
DNS: mightspecial.net (Type: A)
DNS: dulcibellamartinson.net (Type: A)
DNS: mariabellabotwright.net (Type: A)
DNS: simonettesherisse.net (Type: A)
DNS: decidebetween.net (Type: A)
DNS: aloneneighbor.net (Type: A)
DNS: gwendolynhuddleston.net (Type: A)
DNS: seasonstrong.net (Type: A)
DNS: oftensurprise.net (Type: A)
DNS: chiefanother.net (Type: A)
DNS: ringcount.net (Type: A)
DNS: sorryhope.net (Type: A)
DNS: fiftyhope.net (Type: A)
DNS: sorryleft.net (Type: A)
DNS: fiftyleft.net (Type: A)
DNS: sorrythirteen.net (Type: A)
DNS: fiftythirteen.net (Type: A)
DNS: sorryhurry.net (Type: A)
DNS: fiftyhurry.net (Type: A)
DNS: likrhope.net (Type: A)
DNS: theirleft.net (Type: A)
DNS: likrleft.net (Type: A)
DNS: theirthirteen.net (Type: A)
DNS: likrthirteen.net (Type: A)
DNS: theirhurry.net (Type: A)
DNS: likrhurry.net (Type: A)
DNS: fearhope.net (Type: A)
DNS: westhope.net (Type: A)
DNS: fearleft.net (Type: A)
DNS: westleft.net (Type: A)
DNS: fearthirteen.net (Type: A)
DNS: westthirteen.net (Type: A)
DNS: fearhurry.net (Type: A)
DNS: westhurry.net (Type: A)
DNS: tablehope.net (Type: A)
DNS: leadhope.net (Type: A)
DNS: tableleft.net (Type: A)
DNS: leadleft.net (Type: A)
DNS: tablethirteen.net (Type: A)
DNS: leadthirteen.net (Type: A)
DNS: tablehurry.net (Type: A)
DNS: leadhurry.net (Type: A)
DNS: pointleft.net (Type: A)
DNS: pointthirteen.net (Type: A)
DNS: pointhurry.net (Type: A)
DNS: nonehope.net (Type: A)
DNS: noneleft.net (Type: A)
DNS: liarleft.net (Type: A)
DNS: nonethirteen.net (Type: A)
DNS: liarthirteen.net (Type: A)
DNS: nonehurry.net (Type: A)
DNS: liarhurry.net (Type: A)
DNS: wellhope.net (Type: A)
DNS: nosehope.net (Type: A)
DNS: wellleft.net (Type: A)
DNS: noseleft.net (Type: A)
DNS: wellthirteen.net (Type: A)
DNS: nosethirteen.net (Type: A)
DNS: wellhurry.net (Type: A)
DNS: nosehurry.net (Type: A)
DNS: ringhope.net (Type: A)
DNS: favorhope.net (Type: A)
DNS: ringleft.net (Type: A)
DNS: favorleft.net (Type: A)
DNS: ringthirteen.net (Type: A)
DNS: favorthirteen.net (Type: A)
DNS: ringhurry.net (Type: A)
DNS: favorhurry.net (Type: A)
DNS: sorrywild.net (Type: A)
DNS: sorryjune.net (Type: A)
DNS: fiftyjune.net (Type: A)
DNS: sorrybegan.net (Type: A)
DNS: fiftybegan.net (Type: A)
DNS: sorrykind.net (Type: A)
DNS: fiftykind.net (Type: A)
DNS: theirwild.net (Type: A)
DNS: likrwild.net (Type: A)
DNS: theirjune.net (Type: A)
DNS: likrjune.net (Type: A)
DNS: theirbegan.net (Type: A)
DNS: likrbegan.net (Type: A)
DNS: likrkind.net (Type: A)
DNS: fearwild.net (Type: A)
DNS: westwild.net (Type: A)
DNS: fearjune.net (Type: A)
HTTP GET: http://doubleobject.net/index.php
  User-Agent:
HTTP GET: http://brokenthird.net/index.php
  User-Agent:
HTTP GET: http://riddenstorm.net/index.php
  User-Agent:
HTTP GET: http://gentleangry.net/index.php
  User-Agent:
HTTP GET: http://simonettedwerryhouse.net/index.php
  User-Agent:
HTTP GET: http://morningduring.net/index.php
  User-Agent:
HTTP GET: http://wifeabout.net/index.php
  User-Agent:
HTTP GET: http://casestep.net/index.php
  User-Agent:
HTTP GET: http://favorcount.net/index.php
  User-Agent:
HTTP GET: http://theirhope.net/index.php
  User-Agent:
HTTP GET: http://pointhope.net/index.php
  User-Agent:
HTTP GET: http://callhope.net/index.php
  User-Agent:
HTTP GET: http://callleft.net/index.php
  User-Agent:
HTTP GET: http://callthirteen.net/index.php
  User-Agent:
HTTP GET: http://callhurry.net/index.php
  User-Agent:
HTTP GET: http://liarhope.net/index.php
  User-Agent:
HTTP GET: http://fiftywild.net/index.php
  User-Agent:
HTTP GET: http://theirkind.net/index.php
  User-Agent:
HTTP GET: http://doubleobject.net/index.php
  User-Agent:
HTTP GET: http://brokenthird.net/index.php
  User-Agent:
HTTP GET: http://riddenstorm.net/index.php
  User-Agent:
Flows TCP: 192.168.1.1:1032 ➝ 69.195.124.153:80
Flows TCP: 192.168.1.1:1033 ➝ 74.220.215.249:80
Flows TCP: 192.168.1.1:1034 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1040 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1041 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1042 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1043 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1044 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1045 ➝ 69.16.192.64:80
Flows TCP: 192.168.1.1:1046 ➝ 173.236.174.11:80
Flows TCP: 192.168.1.1:1047 ➝ 82.165.74.254:80
Flows TCP: 192.168.1.1:1048 ➝ 195.22.26.248:80
Flows TCP: 192.168.1.1:1049 ➝ 195.22.26.248:80
Flows TCP: 192.168.1.1:1050 ➝ 195.22.26.248:80
Flows TCP: 192.168.1.1:1051 ➝ 195.22.26.248:80
Flows TCP: 192.168.1.1:1052 ➝ 195.22.26.248:80
Flows TCP: 192.168.1.1:1053 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1054 ➝ 81.21.76.62:80
Flows TCP: 192.168.1.1:1055 ➝ 69.195.124.153:80
Flows TCP: 192.168.1.1:1056 ➝ 74.220.215.249:80
Flows TCP: 192.168.1.1:1057 ➝ 66.147.240.171:80
