Analysis Date: 2015-10-20 10:15:23
MD5: f221d901ae95098d8b7e9b846b346c9a
SHA1: 3f1a9ebe62e7d794e2e116c89ff3e10716431d04

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 97fc30519cece0c7f730008412a2c054  sha1: 9c935437b804e5036a1b493ecf94d0041bca28fb  size: 196096
Section .rdata  md5: 180d676b533f3459a4f5710633a415b4  sha1: f890d0dccb19a11bd8d20eda44768fe66d5a6591  size: 54272
Section .data   md5: 37d9d68ad57bc4895199e43dceda6c5e  sha1: 1bee4d25cb14aecf7f58da41c96a502f3f022aa3  size: 7168
Section .reloc  md5: 6f0e44ce461087a0164fc5045fc1a290  sha1: ebaf61aa54edf1dda2215b8a831e6bac05142f2d  size: 14336
Timestamp: 2015-04-29 19:09:14
Packer: Microsoft Visual C++ 8 (PEiD-style signature match; this identifies the compiler, not a packer)
PEhash: bed7c7ddc78f010f23b6cc781bde00689188945c
IMPhash: 486506ad463d1e9ab0f828e28d403733
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.604861
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.604861
AV BullGuard: Gen:Variant.Kazy.604861
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.604861
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.R.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AY
AV K7: Trojan ( 004c12491 )
AV BitDefender: Gen:Variant.Kazy.604861
AV Fortinet: W32/Generic.AC.215362
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Q
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Kazy.604861
AV Twister: Trojan.0000E9000000006A1.mg
AV Avira (antivir): TR/Kryptik.qgmpd
AV Mcafee: Trojan-FGIJ!F221D901AE95
AV Rising: Trojan.Win32.Bayrod.a

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\gkxwmtuwcawixz\v4fmapkvmv
Creates File: C:\gkxwmtuwcawixz\xi1mmohtbivmxhdbi.exe
Creates File: C:\WINDOWS\gkxwmtuwcawixz\v4fmapkvmv
Deletes File: C:\WINDOWS\gkxwmtuwcawixz\v4fmapkvmv
Creates Process: C:\gkxwmtuwcawixz\xi1mmohtbivmxhdbi.exe

Process
↳ C:\gkxwmtuwcawixz\xi1mmohtbivmxhdbi.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IPsec Instrumentation TPM ➝ C:\gkxwmtuwcawixz\fzgxdthe.exe
Creates File: C:\gkxwmtuwcawixz\v4fmapkvmv
Creates File: PIPE\lsarpc
Creates File: C:\gkxwmtuwcawixz\o3fxe4
Creates File: C:\gkxwmtuwcawixz\fzgxdthe.exe
Creates File: C:\WINDOWS\gkxwmtuwcawixz\v4fmapkvmv
Deletes File: C:\WINDOWS\gkxwmtuwcawixz\v4fmapkvmv
Creates Process: C:\gkxwmtuwcawixz\fzgxdthe.exe
Creates Service: Superfetch Source Virtual Bus - C:\gkxwmtuwcawixz\fzgxdthe.exe

Process
↳ Pid 812

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1132

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1196

Process
↳ C:\gkxwmtuwcawixz\fzgxdthe.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\gkxwmtuwcawixz\blf5jdbx
Creates File: C:\gkxwmtuwcawixz\zpporhqjuqyo.exe
Creates File: C:\gkxwmtuwcawixz\v4fmapkvmv
Creates File: C:\gkxwmtuwcawixz\o3fxe4
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\gkxwmtuwcawixz\v4fmapkvmv
Deletes File: C:\WINDOWS\gkxwmtuwcawixz\v4fmapkvmv
Creates Process: qnr0bec2ypix "c:\gkxwmtuwcawixz\fzgxdthe.exe"

Process
↳ C:\gkxwmtuwcawixz\fzgxdthe.exe

Creates File: C:\gkxwmtuwcawixz\v4fmapkvmv
Creates File: C:\WINDOWS\gkxwmtuwcawixz\v4fmapkvmv
Deletes File: C:\WINDOWS\gkxwmtuwcawixz\v4fmapkvmv

Process
↳ qnr0bec2ypix "c:\gkxwmtuwcawixz\fzgxdthe.exe"

Creates File: C:\gkxwmtuwcawixz\v4fmapkvmv
Creates File: C:\WINDOWS\gkxwmtuwcawixz\v4fmapkvmv
Deletes File: C:\WINDOWS\gkxwmtuwcawixz\v4fmapkvmv
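The process tree above is a three-stage drop: C:\malware.exe writes and launches xi1mmohtbivmxhdbi.exe, which writes fzgxdthe.exe into the same directory, registers it both under the Run key (value name "IPsec Instrumentation TPM") and as a service ("Superfetch Source Virtual Bus"), then launches it; fzgxdthe.exe in turn re-launches itself with a random-looking first argument. The Python below is an added example and not part of the sandbox output: it reconstructs that chain from a constructed event list transcribed from the report, flags executables that were written and then executed, ties the two autostart entries back to those drops, and walks the launch lineage while guarding against the self-spawn loop. The event tuple layout and the function names are my own.

```python
"""Reconstruct the drop/persist chain from the runtime events above (added example)."""
import ntpath
import re

# Constructed event list transcribed from the report: (acting process, kind, target).
# Registry and service events carry a (name, image path) pair as their target.
EVENTS = [
    (r"C:\malware.exe", "create_file", r"C:\gkxwmtuwcawixz\xi1mmohtbivmxhdbi.exe"),
    (r"C:\malware.exe", "create_process", r"C:\gkxwmtuwcawixz\xi1mmohtbivmxhdbi.exe"),
    (r"C:\gkxwmtuwcawixz\xi1mmohtbivmxhdbi.exe", "registry_run",
     ("IPsec Instrumentation TPM", r"C:\gkxwmtuwcawixz\fzgxdthe.exe")),
    (r"C:\gkxwmtuwcawixz\xi1mmohtbivmxhdbi.exe", "create_file", r"C:\gkxwmtuwcawixz\fzgxdthe.exe"),
    (r"C:\gkxwmtuwcawixz\xi1mmohtbivmxhdbi.exe", "create_process", r"C:\gkxwmtuwcawixz\fzgxdthe.exe"),
    (r"C:\gkxwmtuwcawixz\xi1mmohtbivmxhdbi.exe", "create_service",
     ("Superfetch Source Virtual Bus", r"C:\gkxwmtuwcawixz\fzgxdthe.exe")),
    (r"C:\gkxwmtuwcawixz\fzgxdthe.exe", "create_file", r"C:\gkxwmtuwcawixz\zpporhqjuqyo.exe"),
    (r"C:\gkxwmtuwcawixz\fzgxdthe.exe", "create_process", r'qnr0bec2ypix "c:\gkxwmtuwcawixz\fzgxdthe.exe"'),
]


def norm(path):
    """Case-fold for comparison; NTFS paths are case-insensitive."""
    return path.lower()


def image_from_cmdline(cmd):
    """Executable behind a command line: the first quoted *.exe wins (the report
    shows fzgxdthe.exe relaunching itself as a random token plus its own quoted
    path); otherwise the first token."""
    m = re.search(r'"([^"]+\.exe)"', cmd, re.IGNORECASE)
    return norm(m.group(1) if m else cmd.split()[0])


def write_then_execute(events):
    """Paths that some process wrote and that were launched afterwards: dropped payloads."""
    first_write, first_launch = {}, {}
    for i, (_proc, kind, target) in enumerate(events):
        if kind == "create_file":
            first_write.setdefault(norm(target), i)
        elif kind == "create_process":
            first_launch.setdefault(image_from_cmdline(target), i)
    return {p for p, i in first_write.items() if i < first_launch.get(p, -1)}


def persistence_entries(events, dropped):
    """Autostart entries whose image is a dropped payload: (mechanism, name, image)."""
    mechanisms = {"registry_run": "Run key", "create_service": "service"}
    found = []
    for _proc, kind, target in events:
        if kind in mechanisms:
            name, image = target
            if norm(image) in dropped:
                found.append((mechanisms[kind], name, norm(image)))
    return found


def process_chain(events, root):
    """Follow create_process edges from root, stopping at the first repeat so the
    self-relaunch of fzgxdthe.exe does not loop forever."""
    children = {}
    for proc, kind, target in events:
        if kind == "create_process":
            children.setdefault(norm(proc), []).append(image_from_cmdline(target))
    chain, current = [], norm(root)
    while current not in chain:
        chain.append(current)
        nxt = children.get(current)
        if not nxt:
            break
        current = nxt[0]
    return chain


def staging_dir(dropped):
    """The single directory all dropped payloads live in, or None if they differ."""
    dirs = {ntpath.dirname(p) for p in dropped}
    return dirs.pop() if len(dirs) == 1 else None


def summarise(events, root):
    dropped = write_then_execute(events)
    return {"chain": process_chain(events, root),
            "dropped": sorted(dropped),
            "persistence": persistence_entries(events, dropped),
            "staging_dir": staging_dir(dropped)}


if __name__ == "__main__":
    for key, value in summarise(EVENTS, r"C:\malware.exe").items():
        print(f"{key}: {value}")
```

The write-then-execute test is the load-bearing one: zpporhqjuqyo.exe is written by fzgxdthe.exe but never launched during the run, so it is not reported as a payload even though it sits in the same staging directory, while both autostart entries point at a file that was written and executed in the same run.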

Network Details:

DNS forwardfuture.net (A) ➝ 72.52.4.120
DNS glassfuture.net (A) ➝ 64.62.224.253
DNS ordersafety.net (A) ➝ 50.63.202.49
DNS leaderearly.net (A) ➝ 208.100.26.234
DNS gentlefancy.net (A)
DNS heavyconsider.net (A)
DNS gentleconsider.net (A)
DNS heavyfriend.net (A)
DNS gentlefriend.net (A)
DNS variouslaughter.net (A)
DNS returnlaughter.net (A)
DNS variousfancy.net (A)
DNS returnfancy.net (A)
DNS variousconsider.net (A)
DNS returnconsider.net (A)
DNS variousfriend.net (A)
DNS returnfriend.net (A)
DNS degreesmell.net (A)
DNS forwardsmell.net (A)
DNS degreeearly.net (A)
DNS forwardearly.net (A)
DNS degreesafety.net (A)
DNS forwardsafety.net (A)
DNS degreefuture.net (A)
DNS answersmell.net (A)
DNS glasssmell.net (A)
DNS answerearly.net (A)
DNS glassearly.net (A)
DNS answersafety.net (A)
DNS glasssafety.net (A)
DNS answerfuture.net (A)
DNS difficultsmell.net (A)
DNS heardsmell.net (A)
DNS difficultearly.net (A)
DNS heardearly.net (A)
DNS difficultsafety.net (A)
DNS heardsafety.net (A)
DNS difficultfuture.net (A)
DNS heardfuture.net (A)
DNS pleasantsmell.net (A)
DNS necessarysmell.net (A)
DNS pleasantearly.net (A)
DNS necessaryearly.net (A)
DNS pleasantsafety.net (A)
DNS necessarysafety.net (A)
DNS pleasantfuture.net (A)
DNS necessaryfuture.net (A)
DNS ordersmell.net (A)
DNS requiresmell.net (A)
DNS orderearly.net (A)
DNS requireearly.net (A)
DNS requiresafety.net (A)
DNS orderfuture.net (A)
DNS requirefuture.net (A)
DNS leadersmell.net (A)
DNS heavensmell.net (A)
DNS heavenearly.net (A)
DNS leadersafety.net (A)
DNS heavensafety.net (A)
DNS leaderfuture.net (A)
DNS heavenfuture.net (A)
DNS heavysmell.net (A)
DNS gentlesmell.net (A)
DNS heavyearly.net (A)
DNS gentleearly.net (A)
DNS heavysafety.net (A)
DNS gentlesafety.net (A)
DNS heavyfuture.net (A)
DNS gentlefuture.net (A)
DNS varioussmell.net (A)
DNS returnsmell.net (A)
DNS variousearly.net (A)
DNS returnearly.net (A)
DNS varioussafety.net (A)
DNS returnsafety.net (A)
DNS variousfuture.net (A)
DNS returnfuture.net (A)
DNS degreeseparate.net (A)
DNS forwardseparate.net (A)
DNS degreehealth.net (A)
DNS forwardhealth.net (A)
DNS degreeclothes.net (A)
DNS forwardclothes.net (A)
DNS degreedistant.net (A)
DNS forwarddistant.net (A)
HTTP GET http://forwardfuture.net/index.php
User-Agent: (none sent)
HTTP GET http://glassfuture.net/index.php
User-Agent: (none sent)
HTTP GET http://ordersafety.net/index.php
User-Agent: (none sent)
HTTP GET http://leaderearly.net/index.php
User-Agent: (none sent)
Flows TCP 192.168.1.1:1031 ➝ 72.52.4.120:80
Flows TCP 192.168.1.1:1032 ➝ 64.62.224.253:80
Flows TCP 192.168.1.1:1033 ➝ 50.63.202.49:80
Flows TCP 192.168.1.1:1034 ➝ 208.100.26.234:80
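Every name queried above is two concatenated English words plus .net, drawn from a small vocabulary (16 first words, 12 second words), and only 4 of the 85 lookups returned an address before the sample moved on to HTTP. That shape is characteristic of a dictionary-based DGA. The Python below is an added example, not part of the report: it takes the query list transcribed from above, decomposes each label against the second-word vocabulary read off that list (an assumption about the pattern, not the malware's actual generator, which is not on this page), and applies thresholds I chose for illustration. The benign baseline at the bottom is constructed for contrast.

```python
"""Word-pair DGA heuristic over the DNS queries in the report above (added example)."""
from collections import Counter

# A-record lookups transcribed from the report. The four that resolved map to
# their answers; the rest map to None because no answer is recorded.
QUERIES = {
    "forwardfuture.net": "72.52.4.120",
    "glassfuture.net": "64.62.224.253",
    "ordersafety.net": "50.63.202.49",
    "leaderearly.net": "208.100.26.234",
}
for _name in """gentlefancy heavyconsider gentleconsider heavyfriend gentlefriend
variouslaughter returnlaughter variousfancy returnfancy variousconsider
returnconsider variousfriend returnfriend degreesmell forwardsmell degreeearly
forwardearly degreesafety forwardsafety degreefuture answersmell glasssmell
answerearly glassearly answersafety glasssafety answerfuture difficultsmell
heardsmell difficultearly heardearly difficultsafety heardsafety difficultfuture
heardfuture pleasantsmell necessarysmell pleasantearly necessaryearly
pleasantsafety necessarysafety pleasantfuture necessaryfuture ordersmell
requiresmell orderearly requireearly requiresafety orderfuture requirefuture
leadersmell heavensmell heavenearly leadersafety heavensafety leaderfuture
heavenfuture heavysmell gentlesmell heavyearly gentleearly heavysafety
gentlesafety heavyfuture gentlefuture varioussmell returnsmell variousearly
returnearly varioussafety returnsafety variousfuture returnfuture degreeseparate
forwardseparate degreehealth forwardhealth degreeclothes forwardclothes
degreedistant forwarddistant""".split():
    QUERIES[_name + ".net"] = None

# Second-word vocabulary read off the list above. Assumption: the generator
# concatenates one word from each of two short lists; its real algorithm is not
# on this page, so this is a heuristic decomposition, not a reimplementation.
SUFFIXES = sorted(["future", "safety", "early", "fancy", "consider", "friend",
                   "laughter", "smell", "separate", "health", "clothes",
                   "distant"], key=len, reverse=True)


def split_pair(label):
    """Split 'forwardfuture' into ('forward', 'future'); None if no suffix fits."""
    for suffix in SUFFIXES:
        if label.endswith(suffix) and len(label) > len(suffix):
            return label[:-len(suffix)], suffix
    return None


def dga_stats(queries):
    """Summarise how dictionary-like a set of {domain: answer} lookups is."""
    pairs = {}
    for domain in queries:
        label, _, _tld = domain.rpartition(".")
        parts = split_pair(label)
        if parts:
            pairs[domain] = parts
    return {
        "total": len(queries),
        "decomposed": len(pairs),
        "first_words": len(Counter(p[0] for p in pairs.values())),
        "second_words": len(Counter(p[1] for p in pairs.values())),
        "resolved": sum(1 for answer in queries.values() if answer),
        "tlds": Counter(d.rpartition(".")[2] for d in queries),
    }


def looks_like_dictionary_dga(queries, min_decomposed=0.9, max_resolved=0.2):
    """Illustrative thresholds, not a vendor signature: nearly every name
    decomposes, the vocabulary is far smaller than the number of names, a
    single TLD is used, and most lookups go unanswered."""
    s = dga_stats(queries)
    if s["total"] < 10:
        return False
    vocabulary = s["first_words"] + s["second_words"]
    return (s["decomposed"] / s["total"] >= min_decomposed
            and vocabulary < s["total"]
            and len(s["tlds"]) == 1
            and s["resolved"] / s["total"] <= max_resolved)


# Constructed benign baseline (RFC 5737 documentation addresses) for contrast.
BENIGN = {f"{h}.example.{t}": f"192.0.2.{i}" for i, (h, t) in enumerate(
    [("www", "com"), ("mail", "com"), ("cdn", "net"), ("api", "org"),
     ("login", "com"), ("static", "net"), ("img", "org"), ("time", "com"),
     ("ntp", "net"), ("updates", "org")], start=1)}

if __name__ == "__main__":
    print(dga_stats(QUERIES))
    print("report queries look like a dictionary DGA:", looks_like_dictionary_dga(QUERIES))
    print("benign baseline:", looks_like_dictionary_dga(BENIGN))
```

On a live network the same check is better run per source host over a short window, since the signal is the burst of unanswered, structurally similar names from one client rather than any single domain; individual names here are ordinary-looking words and would not trip a reputation feed on their own.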

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   6f727761 72646675 74757265 2e6e6574   orwardfuture.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2067   : close..Host: g
0x00000040 (00064)   6c617373 66757475 72652e6e 65740d0a   lassfuture.net..
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206f   : close..Host: o
0x00000040 (00064)   72646572 73616665 74792e6e 65740d0a   rdersafety.net..
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   65616465 72656172 6c792e6e 65740d0a   eaderearly.net..
0x00000050 (00080)   0d0a0d0a                              ....
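The four captured requests are identical apart from the Host header: GET /index.php over HTTP/1.0 carrying only Accept, Connection and Host, with no User-Agent at all. The Python below is an added example and not sandbox output: it decodes the report's own hex-dump layout back to bytes, splits consecutive requests on the offset reset to 0x00000000, parses the request line and headers, and scores the beacon traits just listed. The indicator names and the threshold in is_beacon_like are my own choices; the two embedded dumps are transcribed from the report and the browser-style request at the bottom is constructed for contrast.

```python
"""Decode the report's hex dumps and score the HTTP beacon (added example)."""
import re

HEX_GROUP = re.compile(r"^[0-9a-fA-F]{2,8}$")

# First two request dumps transcribed from the report's "Raw Pcap" section.
DUMPS = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   6f727761 72646675 74757265 2e6e6574   orwardfuture.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2067   : close..Host: g
0x00000040 (00064)   6c617373 66757475 72652e6e 65740d0a   lassfuture.net..
0x00000050 (00080)   0d0a0d0a                              ....
"""


def parse_hexdumps(text):
    """Return one bytes object per dump; a new dump starts at offset 0x00000000.
    Assumes the sandbox layout '<offset> (<decimal>) <up to four hex groups> <ascii>'.
    Hex groups are consumed until the first token that is not pure hex, so an
    ASCII column that itself looks like hex on a short final line would be misread."""
    records, current = [], bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not tokens[0].startswith("0x"):
            continue
        if tokens[0].lower() == "0x00000000" and current:
            records.append(bytes(current))
            current = bytearray()
        for tok in tokens[2:6]:
            if not HEX_GROUP.match(tok) or len(tok) % 2:
                break
            current += bytes.fromhex(tok)
    if current:
        records.append(bytes(current))
    return records


def parse_request(raw):
    """Minimal HTTP/1.x request parser: request line plus a lowercase header map."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def beacon_indicators(req):
    """Traits of the report's check-in that a browser request would not share.
    Indicator names are my own; none is a vendor signature."""
    h = req["headers"]
    found = set()
    if req["version"] == "HTTP/1.0":
        found.add("http_1_0")
    if "user-agent" not in h:
        found.add("no_user_agent")
    if h.get("accept") == "*/*":
        found.add("accept_any")
    if h.get("connection", "").lower() == "close":
        found.add("connection_close")
    if req["method"] == "GET" and req["path"] == "/index.php":
        found.add("bare_index_php")
    if len(h) <= 3:
        found.add("minimal_headers")
    return found


def is_beacon_like(req, threshold=4):
    """Illustrative threshold: four or more of the six traits together."""
    return len(beacon_indicators(req)) >= threshold


# Constructed browser-style request for contrast (not from the report).
BROWSER_REQUEST = (b"GET /index.php?q=1 HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n"
                   b"Accept-Language: en\r\nConnection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    for raw in parse_hexdumps(DUMPS):
        req = parse_request(raw)
        print(req["headers"]["host"], sorted(beacon_indicators(req)), is_beacon_like(req))
    print("browser baseline:", is_beacon_like(parse_request(BROWSER_REQUEST)))
```

Note that the second dump ends with an extra CRLF after the blank line (the body comes back as b"\r\n"); the parser tolerates it by splitting on the first empty line only. The absent User-Agent is the strongest single trait here, since it is what the proxy or IDS will see regardless of which of the rotating hosts the sample chose.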


Strings