Analysis Date: 2015-10-07 20:02:55
MD5: 6e974876d7288037e02c617f26f14111
SHA1: 457c6ed55c7ff059bb5d0dcbd601d57321ce52a4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: f94eceeed610da44c9dfa03ae5d1204b sha1: bfe614b6bbeba75e99b7169457b5f99b73757d69 size: 1315328
Section .rdata: md5: 544c82c75bacb7b876d034175dee3f1a sha1: 5957a787e7c6c0a4560a67e8684aeb21e804dc54 size: 342016
Section .data: md5: 7a28f3810369b417c34f32a2f5b9107b sha1: 0ccca3cec94ce9dfb12d3ec1b746029de6caa830 size: 8192
Section .reloc: md5: 2b874afa84bf908d7003725369a0b2d1 sha1: fed45ec708ebc39b9c8d26aea6f3128e6186ebc4 size: 182784
Timestamp: 2015-05-11 04:37:24
Packer: VC8 -> Microsoft Corporation
PEhash: f02d636a6e5bbd33d3422ab79b6db20dfa056420
IMPhash: 93c38a286654404a41a03af8a0bbe9ed
AV Emsisoft: Gen:Variant.Kazy.611782
AV MicroWorld (escan): Gen:Variant.Kazy.611782
AV Avira (antivir): TR/Crypt.Xpack.280182
AV Ikarus: Trojan.Win32.Bayrob
AV F-Secure: Gen:Variant.Kazy.611782
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV BitDefender: Gen:Variant.Kazy.611782
AV Twister: no_virus
AV Mcafee: Trojan-FGIJ!6E974876D728
AV Rising: no_virus
AV VirusBlokAda (vba32): no_virus
AV Dr. Web: Trojan.Bayrob.5
AV Alwil (avast): Dropper-OJQ [Drp]
AV Fortinet: W32/Bayrob.X!tr
AV MalwareBytes: no_virus
AV K7: Trojan ( 004c77f41 )
AV Grisoft (avg): Win32/Cryptor
AV Ad-Aware: Gen:Variant.Kazy.611782
AV Kaspersky: Backdoor.Win32.SoxGrave.ahi
AV ClamAV: no_virus
AV Trend Micro: no_virus
AV Frisk (f-prot): no_virus
AV CAT (quickheal): no_virus
AV BullGuard: Gen:Variant.Kazy.611782
AV Padvish: no_virus
AV Arcabit (arcavir): Error Scanning File
AV CA (E-Trust Ino): no_virus
AV Eset (nod32): Win32/Bayrob.Y
AV Symantec: Downloader.Upatre!g15
AV Zillya!: Backdoor.SoxGrave.Win32.257
AV Authentium: W32/SoxGrave.A.gen!Eldorado

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\our7cyuc1lz8okvqwzygu.exe
Creates File: C:\WINDOWS\system32\mlmhvthz\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\our7cyuc1lz8okvqwzygu.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\our7cyuc1lz8okvqwzygu.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\PC Player Detection User-mode Parental ➝ C:\WINDOWS\system32\yhjqhphyvx.exe
Creates File: C:\WINDOWS\system32\yhjqhphyvx.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\mlmhvthz\etc
Creates File: C:\WINDOWS\system32\mlmhvthz\tst
Creates File: C:\WINDOWS\system32\mlmhvthz\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\yhjqhphyvx.exe
Creates Service: Class Protected Debugger HomeGroup - C:\WINDOWS\system32\yhjqhphyvx.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1852

Process
↳ Pid 1132

Process
↳ C:\WINDOWS\system32\yhjqhphyvx.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\mlmhvthz\cfg
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\mlmhvthz\tst
Creates File: C:\WINDOWS\system32\elimvbuxzgvr.exe
Creates File: C:\WINDOWS\system32\mlmhvthz\lck
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\mlmhvthz\run
Creates File: C:\WINDOWS\system32\mlmhvthz\rng
Creates File: C:\WINDOWS\TEMP\our7cyuc1tfwok.exe
Creates Process: WATCHDOGPROC "c:\windows\system32\yhjqhphyvx.exe"
Creates Process: C:\WINDOWS\TEMP\our7cyuc1tfwok.exe -r 48426 tcp

Process
↳ C:\WINDOWS\system32\yhjqhphyvx.exe

Creates File: C:\WINDOWS\system32\mlmhvthz\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\yhjqhphyvx.exe"

Creates File: C:\WINDOWS\system32\mlmhvthz\tst

Process
↳ C:\WINDOWS\TEMP\our7cyuc1tfwok.exe -r 48426 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

