Analysis Date: 2016-02-20 08:05:10
MD5: 70cc32a2f22a4c44ecb4d7b8c9aac5c6
SHA1: 40d821a0dc16081cd1f87b53705e2c1cf21ab8f6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 9a14884f7aa3125ffa04c020a3d40e8a  sha1: 952c063da9dc78a4b46a09494590459301e6ced2  size: 527872
Section .rdata  md5: 3cab4a380a889d8b8bd84ccd755a53fd  sha1: 5946b0580b063fe0ec27e17d84c06d434b5fc9d9  size: 26112
Section .data   md5: 6e15d34202bedded843118c3e7a4a900  sha1: 0788e985650655cacb8015aa037f1d7515ba657a  size: 20480
Section .reloc  md5: 916baa5e1818d3e32fff7c9277c5f035  sha1: f5cf8b490e27664efd470da01657bb4e497888c0  size: 39424
Timestamp: 2014-06-16 16:49:26
Packer signature: Microsoft Visual C++ 8 (a compiler signature, not a packer)
PEhash: c6f3c86599cb321189aa0efeff6481ac181d81e3
IMPhash: 112e935508c24d95a1821cb7a505aa58
AV CA (E-Trust Ino): Gen:Variant.Razy.13928
AV Rising: No Virus
AV Mcafee: Trojan-FHSQ!70CC32A2F22A
AV Avira (antivir): TR/Taranis.2117
AV Twister: W32.Toolbar.CrossRider.AE.lfcr.mg
AV Ad-Aware: Gen:Variant.Razy.13928
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.BM
AV Grisoft (avg): Generic37.AHQJ
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.BM!tr
AV BitDefender: Gen:Variant.Razy.13928
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV MicroWorld (escan): Gen:Variant.Razy.13928
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.E.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.13928
AV Frisk (f-prot): W32/Nivdort.E.gen!Eldorado
AV Ikarus: Trojan.Bayrob
AV Zillya!: Trojan.SwizzorGen.Win32.1
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Gen:Variant.Razy.13928
AV Arcabit (arcavir): Gen:Variant.Razy.13928
AV ClamAV: Win.Trojan.Agent-971815
AV Dr. Web: Trojan.DownLoader19.14007
AV F-Secure: Gen:Variant.Razy.13928

Of the 30 engines listed, 25 flag the sample. Seven name the family (Bayrob/Nivdort: Eset, Fortinet, Microsoft, Authentium, Frisk, Ikarus, CAT), eight return the identical generic name Gen:Variant.Razy.13928, and five (Rising, Symantec, MalwareBytes, Trend Micro, VirusBlokAda) report nothing.

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\zhhmyrxmxk\aouus7l
Creates File: C:\zhhmyrxmxk\aouus7l
Creates File: C:\zhhmyrxmxk\rnd1laifkvic9ajdvfc.exe
Deletes File: C:\WINDOWS\zhhmyrxmxk\aouus7l
Creates Process: C:\zhhmyrxmxk\rnd1laifkvic9ajdvfc.exe

Process
↳ C:\zhhmyrxmxk\rnd1laifkvic9ajdvfc.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Intelligent DHCP Function Software Log ➝ C:\zhhmyrxmxk\gfpvlebhgaoa.exe
Creates File: C:\zhhmyrxmxk\gfpvlebhgaoa.exe
Creates File: C:\WINDOWS\zhhmyrxmxk\aouus7l
Creates File: C:\zhhmyrxmxk\gfhzsx
Creates File: PIPE\lsarpc
Creates File: C:\zhhmyrxmxk\aouus7l
Deletes File: C:\WINDOWS\zhhmyrxmxk\aouus7l
Creates Process: C:\zhhmyrxmxk\gfpvlebhgaoa.exe
Creates Service: Spooler Font Grouping Distributed - C:\zhhmyrxmxk\gfpvlebhgaoa.exe

Process
↳ Pid 808

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1132

Process
↳ Pid 1220

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1856

Process
↳ Pid 1148

Process
↳ C:\zhhmyrxmxk\gfpvlebhgaoa.exe

Creates File: C:\zhhmyrxmxk\a4s6tot
Creates File: C:\WINDOWS\zhhmyrxmxk\aouus7l
Creates File: pipe\net\NtControlPipe10
Creates File: C:\zhhmyrxmxk\qjncigxp.exe
Creates File: C:\zhhmyrxmxk\gfhzsx
Creates File: C:\zhhmyrxmxk\aouus7l
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\zhhmyrxmxk\aouus7l
Creates Process: tcr1o3tudabj "c:\zhhmyrxmxk\gfpvlebhgaoa.exe"

Process
↳ C:\zhhmyrxmxk\gfpvlebhgaoa.exe

Creates File: C:\WINDOWS\zhhmyrxmxk\aouus7l
Creates File: C:\zhhmyrxmxk\aouus7l
Deletes File: C:\WINDOWS\zhhmyrxmxk\aouus7l

Process
↳ tcr1o3tudabj "c:\zhhmyrxmxk\gfpvlebhgaoa.exe"

Creates File: C:\WINDOWS\zhhmyrxmxk\aouus7l
Creates File: C:\zhhmyrxmxk\aouus7l
Deletes File: C:\WINDOWS\zhhmyrxmxk\aouus7l
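The runtime records above show the persistence set this sample leaves behind: a directory with a generated name directly under C:\ (and a twin under C:\WINDOWS), a Run key value named to look like a Windows component, and a service whose display name borrows from the Print Spooler, all pointing at the same dropped executable. The Python below is an added example and not part of the sandbox output: it triages autostart entries for that pattern. The record layout, the trusted-directory list and the randomness thresholds are assumptions made for the example, and the two benign entries are constructed controls.

```python
import re
from typing import Dict, List

# Constructed sample autostart records. The two malicious entries reproduce
# the Run key value and the service from the runtime section; the two benign
# entries are invented controls. The dict layout is an assumption for this
# example, not the schema of any particular sandbox or EDR.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"kind": "run_key", "name": "Intelligent DHCP Function Software Log",
     "path": r"C:\zhhmyrxmxk\gfpvlebhgaoa.exe"},
    {"kind": "service", "name": "Spooler Font Grouping Distributed",
     "path": r"C:\zhhmyrxmxk\gfpvlebhgaoa.exe"},
    {"kind": "run_key", "name": "OneDrive",
     "path": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"kind": "service", "name": "Spooler",
     "path": r"C:\WINDOWS\system32\spoolsv.exe"},
]

# Directories from which autostart binaries are normally expected to run.
# Anything else is worth a look; the list is deliberately short (assumption).
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

VOWELS = set("aeiou")


def max_consonant_run(name: str) -> int:
    """Length of the longest run of consonants in a lowercase name."""
    longest = run = 0
    for ch in name:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated names such as 'zhhmyrxmxk'.

    Requires 8+ lowercase letters and either almost no vowels or a consonant
    cluster longer than English normally produces. The thresholds are
    assumptions tuned to the names in this report, not a calibrated model.
    """
    if not re.fullmatch(r"[a-z]{8,}", name):
        return False
    vowel_ratio = sum(ch in VOWELS for ch in name) / len(name)
    return vowel_ratio < 0.2 or max_consonant_run(name) >= 5


def triage(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the records that warrant analyst attention, with reasons."""
    findings: List[Dict[str, object]] = []
    for rec in records:
        path = rec["path"]
        reasons = []
        if not path.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("autostart outside trusted directories")
        parts = path.split("\\")                 # ['C:', 'zhhmyrxmxk', 'x.exe']
        stem = parts[-1].rsplit(".", 1)[0]       # executable name without extension
        odd = [p for p in parts[1:-1] + [stem] if looks_random(p)]
        if odd:
            reasons.append("random-looking name(s): " + ", ".join(odd))
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['kind']:8} {f['name']!r} -> {f['path']}")
        for reason in f["reasons"]:
            print("    -", reason)
```

Both malicious entries are returned with two reasons each (untrusted location plus the generated directory and file names), while the two controls pass. The service name check is intentionally absent: "Spooler Font Grouping Distributed" only looks wrong next to the real Spooler, and a name-similarity rule would need a reference list this example does not carry.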

Network Details:

DNS queries, all type A; "-" marks a query for which the report records no address.

DNS brokentogether.net (A) ➝ 50.63.202.19
DNS brokencontrol.net (A) ➝ 195.22.26.248
DNS desirematter.net (A) ➝ 195.22.28.197
DNS desirematter.net (A) ➝ 195.22.28.198
DNS desirematter.net (A) ➝ 195.22.28.199
DNS desirematter.net (A) ➝ 195.22.28.196
DNS preparecontrol.net (A) ➝ 141.8.224.239
DNS strengthtogether.net (A) ➝ 50.63.202.54
DNS movementapple.net (A) ➝ 195.22.28.198
DNS movementapple.net (A) ➝ 195.22.28.199
DNS movementapple.net (A) ➝ 195.22.28.196
DNS movementapple.net (A) ➝ 195.22.28.197
DNS buildingfather.net (A) ➝ 195.22.26.248
DNS doctorapple.net (A) ➝ 46.30.212.13
DNS doubleapple.net (A) ➝ 75.126.211.188
DNS brokenapple.net (A) ➝ 192.210.199.209
DNS melbourneit.hotkeysparking.com (A) ➝ 8.5.1.16
DNS strengthbuilt.net (A) ➝ 184.168.47.225
DNS stillcarry.net (A) ➝ 208.100.26.234
DNS buildingafraid.net (A) ➝ 195.22.28.198
DNS buildingafraid.net (A) ➝ 195.22.28.199
DNS buildingafraid.net (A) ➝ 195.22.28.196
DNS buildingafraid.net (A) ➝ 195.22.28.197
DNS brokencircle.net (A) ➝ 184.168.221.41
DNS resulttogether.net (A) ➝ -
DNS resultcontrol.net (A) ➝ -
DNS preparematter.net (A) ➝ -
DNS preparespent.net (A) ➝ -
DNS desirespent.net (A) ➝ -
DNS preparetogether.net (A) ➝ -
DNS desiretogether.net (A) ➝ -
DNS desirecontrol.net (A) ➝ -
DNS strengthmatter.net (A) ➝ -
DNS stillmatter.net (A) ➝ -
DNS strengthspent.net (A) ➝ -
DNS stillspent.net (A) ➝ -
DNS stilltogether.net (A) ➝ -
DNS strengthcontrol.net (A) ➝ -
DNS stillcontrol.net (A) ➝ -
DNS movementfather.net (A) ➝ -
DNS outsidefather.net (A) ➝ -
DNS outsideapple.net (A) ➝ -
DNS movementbuilt.net (A) ➝ -
DNS outsidebuilt.net (A) ➝ -
DNS movementcarry.net (A) ➝ -
DNS outsidecarry.net (A) ➝ -
DNS eveningfather.net (A) ➝ -
DNS buildingapple.net (A) ➝ -
DNS eveningapple.net (A) ➝ -
DNS buildingbuilt.net (A) ➝ -
DNS eveningbuilt.net (A) ➝ -
DNS buildingcarry.net (A) ➝ -
DNS eveningcarry.net (A) ➝ -
DNS storefather.net (A) ➝ -
DNS mightfather.net (A) ➝ -
DNS storeapple.net (A) ➝ -
DNS mightapple.net (A) ➝ -
DNS storebuilt.net (A) ➝ -
DNS mightbuilt.net (A) ➝ -
DNS storecarry.net (A) ➝ -
DNS mightcarry.net (A) ➝ -
DNS doctorfather.net (A) ➝ -
DNS prettyfather.net (A) ➝ -
DNS prettyapple.net (A) ➝ -
DNS doctorbuilt.net (A) ➝ -
DNS prettybuilt.net (A) ➝ -
DNS doctorcarry.net (A) ➝ -
DNS prettycarry.net (A) ➝ -
DNS fellowfather.net (A) ➝ -
DNS doublefather.net (A) ➝ -
DNS fellowapple.net (A) ➝ -
DNS fellowbuilt.net (A) ➝ -
DNS doublebuilt.net (A) ➝ -
DNS fellowcarry.net (A) ➝ -
DNS doublecarry.net (A) ➝ -
DNS brokenfather.net (A) ➝ -
DNS resultfather.net (A) ➝ -
DNS resultapple.net (A) ➝ -
DNS brokenbuilt.net (A) ➝ -
DNS resultbuilt.net (A) ➝ -
DNS brokencarry.net (A) ➝ -
DNS resultcarry.net (A) ➝ -
DNS preparefather.net (A) ➝ -
DNS desirefather.net (A) ➝ -
DNS prepareapple.net (A) ➝ -
DNS desireapple.net (A) ➝ -
DNS preparebuilt.net (A) ➝ -
DNS desirebuilt.net (A) ➝ -
DNS preparecarry.net (A) ➝ -
DNS desirecarry.net (A) ➝ -
DNS strengthfather.net (A) ➝ -
DNS stillfather.net (A) ➝ -
DNS strengthapple.net (A) ➝ -
DNS stillapple.net (A) ➝ -
DNS stillbuilt.net (A) ➝ -
DNS strengthcarry.net (A) ➝ -
DNS movementmeasure.net (A) ➝ -
DNS outsidemeasure.net (A) ➝ -
DNS movementdinner.net (A) ➝ -
DNS outsidedinner.net (A) ➝ -
DNS movementafraid.net (A) ➝ -
DNS outsideafraid.net (A) ➝ -
DNS movementcircle.net (A) ➝ -
DNS outsidecircle.net (A) ➝ -
DNS buildingmeasure.net (A) ➝ -
DNS eveningmeasure.net (A) ➝ -
DNS buildingdinner.net (A) ➝ -
DNS eveningdinner.net (A) ➝ -
DNS eveningafraid.net (A) ➝ -
DNS buildingcircle.net (A) ➝ -
DNS eveningcircle.net (A) ➝ -
DNS storemeasure.net (A) ➝ -
DNS mightmeasure.net (A) ➝ -
DNS storedinner.net (A) ➝ -
DNS mightdinner.net (A) ➝ -
DNS storeafraid.net (A) ➝ -
DNS mightafraid.net (A) ➝ -
DNS storecircle.net (A) ➝ -
DNS mightcircle.net (A) ➝ -
DNS doctormeasure.net (A) ➝ -
DNS prettymeasure.net (A) ➝ -
DNS doctordinner.net (A) ➝ -
DNS prettydinner.net (A) ➝ -
DNS doctorafraid.net (A) ➝ -
DNS prettyafraid.net (A) ➝ -
DNS doctorcircle.net (A) ➝ -
DNS prettycircle.net (A) ➝ -
DNS fellowmeasure.net (A) ➝ -
DNS doublemeasure.net (A) ➝ -
DNS fellowdinner.net (A) ➝ -
DNS doubledinner.net (A) ➝ -
DNS fellowafraid.net (A) ➝ -
DNS doubleafraid.net (A) ➝ -
DNS fellowcircle.net (A) ➝ -
DNS doublecircle.net (A) ➝ -
DNS brokenmeasure.net (A) ➝ -
DNS resultmeasure.net (A) ➝ -
DNS brokendinner.net (A) ➝ -
DNS resultdinner.net (A) ➝ -
DNS brokenafraid.net (A) ➝ -
DNS resultafraid.net (A) ➝ -
DNS resultcircle.net (A) ➝ -
DNS preparemeasure.net (A) ➝ -
DNS desiremeasure.net (A) ➝ -
DNS preparedinner.net (A) ➝ -
DNS desiredinner.net (A) ➝ -
DNS prepareafraid.net (A) ➝ -
DNS desireafraid.net (A) ➝ -
DNS preparecircle.net (A) ➝ -
DNS desirecircle.net (A) ➝ -
DNS strengthmeasure.net (A) ➝ -
DNS stillmeasure.net (A) ➝ -
DNS strengthdinner.net (A) ➝ -
DNS stilldinner.net (A) ➝ -
DNS strengthafraid.net (A) ➝ -
DNS stillafraid.net (A) ➝ -
DNS strengthcircle.net (A) ➝ -
DNS stillcircle.net (A) ➝ -
DNS movementwheat.net (A) ➝ -
DNS outsidewheat.net (A) ➝ -
DNS movementanger.net (A) ➝ -
DNS outsideanger.net (A) ➝ -
DNS movementalways.net (A) ➝ -
DNS outsidealways.net (A) ➝ -
DNS movementforest.net (A) ➝ -
DNS outsideforest.net (A) ➝ -
DNS buildingwheat.net (A) ➝ -
DNS eveningwheat.net (A) ➝ -
DNS buildinganger.net (A) ➝ -
DNS eveninganger.net (A) ➝ -
DNS buildingalways.net (A) ➝ -
DNS eveningalways.net (A) ➝ -
DNS buildingforest.net (A) ➝ -
DNS eveningforest.net (A) ➝ -
DNS storewheat.net (A) ➝ -
DNS mightwheat.net (A) ➝ -
DNS storeanger.net (A) ➝ -
DNS mightanger.net (A) ➝ -
DNS storealways.net (A) ➝ -
DNS mightalways.net (A) ➝ -
HTTP requests; no User-Agent header is sent in any of them (see Raw Pcap below).

HTTP GET http://brokentogether.net/index.php (User-Agent: none)
HTTP GET http://brokencontrol.net/index.php (User-Agent: none)
HTTP GET http://desirematter.net/index.php (User-Agent: none)
HTTP GET http://preparecontrol.net/index.php (User-Agent: none)
HTTP GET http://strengthtogether.net/index.php (User-Agent: none)
HTTP GET http://movementapple.net/index.php (User-Agent: none)
HTTP GET http://buildingfather.net/index.php (User-Agent: none)
HTTP GET http://doctorapple.net/index.php (User-Agent: none)
HTTP GET http://doubleapple.net/index.php (User-Agent: none)
HTTP GET http://brokenapple.net/index.php (User-Agent: none)
HTTP GET http://brokencarry.net/index.php (User-Agent: none)
HTTP GET http://strengthbuilt.net/index.php (User-Agent: none)
HTTP GET http://stillcarry.net/index.php (User-Agent: none)
HTTP GET http://buildingafraid.net/index.php (User-Agent: none)
HTTP GET http://brokencircle.net/index.php (User-Agent: none)
Flows TCP: 192.168.1.1:1031 ➝ 50.63.202.19:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.26.248:80
Flows TCP: 192.168.1.1:1033 ➝ 195.22.28.197:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.224.239:80
Flows TCP: 192.168.1.1:1035 ➝ 50.63.202.54:80
Flows TCP: 192.168.1.1:1036 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1037 ➝ 195.22.26.248:80
Flows TCP: 192.168.1.1:1038 ➝ 46.30.212.13:80
Flows TCP: 192.168.1.1:1039 ➝ 75.126.211.188:80
Flows TCP: 192.168.1.1:1040 ➝ 192.210.199.209:80
Flows TCP: 192.168.1.1:1041 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1042 ➝ 184.168.47.225:80
Flows TCP: 192.168.1.1:1043 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1044 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1045 ➝ 184.168.221.41:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   726f6b65 6e746f67 65746865 722e6e65   rokentogether.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   726f6b65 6e636f6e 74726f6c 2e6e6574   rokencontrol.net
0x00000050 (00080)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   65736972 656d6174 7465722e 6e65740d   esirematter.net.
0x00000050 (00080)   0a0d0a0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   72657061 7265636f 6e74726f 6c2e6e65   reparecontrol.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   7472656e 67746874 6f676574 6865722e   trengthtogether.
0x00000050 (00080)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f76656d 656e7461 70706c65 2e6e6574   ovementapple.net
0x00000050 (00080)   0d0a0d0a 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e6766 61746865 722e6e65   uildingfather.ne
0x00000050 (00080)   740d0a0d 0a0d0a                       t......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 72617070 6c652e6e 65740d0a   octorapple.net..
0x00000050 (00080)   0d0a0a0d 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f75626c 65617070 6c652e6e 65740d0a   oubleapple.net..
0x00000050 (00080)   0d0a0a0d 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   726f6b65 6e617070 6c652e6e 65740d0a   rokenapple.net..
0x00000050 (00080)   0d0a0a0d 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   726f6b65 6e636172 72792e6e 65740d0a   rokencarry.net..
0x00000050 (00080)   0d0a0a0d 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   7472656e 67746862 75696c74 2e6e6574   trengthbuilt.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   74696c6c 63617272 792e6e65 740d0a0d   tillcarry.net...
0x00000050 (00080)   0a0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e6761 66726169 642e6e65   uildingafraid.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   726f6b65 6e636972 636c652e 6e65740d   rokencircle.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....
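Every request in the dump above is the same beacon with only the Host changing: GET /index.php over HTTP/1.0, Accept and Connection headers but no User-Agent, and a host formed from two English words under .net. The Python below is an added example, not tooling from the sandbox or the report: it parses the sandbox's hexdump layout back into bytes, reconstructs each request, and scores it against those four traits. The wordlist is the subset visible in the DNS list above (the generator's real dictionary is larger), the control request is constructed, and the three-of-four threshold is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# First request from the "Raw Pcap" section, verbatim, in the sandbox's
# hexdump layout: hex offset, decimal offset, up to four 32-bit hex words,
# then an ASCII rendering with non-printables shown as dots.
PAGE_DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   726f6b65 6e746f67 65746865 722e6e65   rokentogether.ne
0x00000050 (00080)   740d0a0d 0a                           t....
"""

# Constructed control case (not from the page): an ordinary browser-style request.
BENIGN_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (constructed)\r\nAccept: */*\r\n"
    b"Connection: close\r\n\r\n"
)

# Vocabulary recovered from the DNS list on this page. The real generator's
# dictionary is larger; treating this subset as complete is an assumption.
WORDS = {
    "broken", "together", "control", "desire", "matter", "prepare", "spent",
    "strength", "still", "movement", "outside", "apple", "father", "built",
    "carry", "building", "evening", "store", "might", "doctor", "pretty",
    "fellow", "double", "result", "measure", "dinner", "afraid", "circle",
    "wheat", "anger", "always", "forest",
}

# One dump line: offset, "(decimal)", then the hex words up to the 2+ space gap.
DUMP_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+\(\d+\)\s+((?:[0-9a-fA-F]{2,8} ?)+)")


def parse_dump(text: str) -> List[bytes]:
    """Rebuild the raw byte streams; records are separated by blank lines."""
    records, current = [], bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if m:
            current += bytes.fromhex(m.group(1).replace(" ", ""))
        elif not line.strip() and current:
            records.append(bytes(current))
            current = bytearray()
    if current:
        records.append(bytes(current))
    return records


def to_hexdump(data: bytes) -> str:
    """Render bytes in the same layout, so parse_dump(to_hexdump(x)) == [x]."""
    out = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        words = " ".join(chunk[i:i + 4].hex() for i in range(0, len(chunk), 4))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        out.append("0x%08x (%05d)   %-35s   %s" % (off, off, words, text))
    return "\n".join(out) + "\n"


def parse_request(raw: bytes) -> Dict[str, object]:
    """Minimal HTTP request parser: request line plus lower-cased header map."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = (lines[0].split(" ") + ["", "", ""])[:3]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def two_word_split(host: str) -> Optional[Tuple[str, str]]:
    """Split the first DNS label into two vocabulary words, if possible."""
    label = host.lower().split(".")[0]
    for i in range(1, len(label)):
        if label[:i] in WORDS and label[i:] in WORDS:
            return label[:i], label[i:]
    return None


def score_request(req: Dict[str, object]) -> List[str]:
    """Traits of the beacon seen in this report; each one alone is weak."""
    headers = req["headers"]
    reasons = []
    if req["version"] == "HTTP/1.0":
        reasons.append("HTTP/1.0 request line")
    if req["method"] == "GET" and req["path"] == "/index.php":
        reasons.append("bare GET /index.php")
    if "user-agent" not in headers:
        reasons.append("no User-Agent header")
    host = headers.get("host", "")
    split = two_word_split(host)
    if host.endswith(".net") and split:
        reasons.append("two-word .net host: %s + %s" % split)
    return reasons


def is_beacon(raw: bytes) -> bool:
    """Flag a request that shows at least three of the four traits (assumed threshold)."""
    return len(score_request(parse_request(raw))) >= 3
```

Feeding the whole Raw Pcap section to parse_dump yields one byte string per request; the page record scores on all four traits and the constructed control on none. The three-of-four threshold keeps a single HTTP/1.0 client or a single two-word domain from firing on its own; the word split is the part to tune, because a short vocabulary misses domains and a long one (for example "still" + "built") starts matching legitimate names.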


Strings