Analysis Date: 2016-01-29 20:30:12
MD5: 035d1fc15eb46b81abe04833b52521a7
SHA1: 473a3aacb4649c1f372d75e70dd579af20406e36

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 57927de30b8061dbc89f3cdd647960f2  sha1: b307708c8c9e3d787d6ecf5a1a2ea091b85c5417  size: 189952
Section .rdata  md5: fb092f3b906a4ff792ebc55664a3146e  sha1: 12eb5491718bb6b1a244a2ebca41eb98faa4afd3  size: 19456
Section .data   md5: 07b5472d347d42780469fb2654b7fc54  sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d  size: 512
Section .reloc  md5: 199a3ca34b95475f9c6d4d090b9d75c5  sha1: 2ac4d3f3b7a890e891768a8ec1f94e51e7fbef9e  size: 30720
Timestamp: 2016-01-06 16:48:47
PEhash: aa62f6feefc94072999fb431e0ec4826c5275a71
IMPhash: a0e4bb2a23e127e17c7978d6a9cbb8e8
AV results (19 of 30 engines detect; the named detections are Bayrob, the family Microsoft calls Nivdort):
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: Trojan-FHPX!035D1FC15EB4
AV Avira (antivir): No Virus
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Kazy.788903
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Grisoft (avg): Win32/Heur
AV Symantec: Trojan.Bayrob!gen6
AV Fortinet: W32/Bayrob.AT!tr
AV BitDefender: Gen:Variant.Kazy.788903
AV K7: Trojan ( 004dafce1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.CZ
AV MicroWorld (escan): Gen:Variant.Kazy.788903
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.G.gen!Eldorado
AV Emsisoft: Gen:Variant.Kazy.788903
AV Frisk (f-prot): W32/Nivdort.G.gen!Eldorado
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Bayrob.mjm
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV BullGuard: Gen:Variant.Kazy.788903
AV Arcabit (arcavir): Gen:Variant.Kazy.788903
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Kazy.788903
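The per-section hashes listed under Static Details are digests of each section's raw bytes, which is what makes them useful for matching repacked variants whose file-level MD5/SHA1 differ while, say, .text is untouched. The following is an added example, not code from this report or from the tool that produced it: a dependency-free PE section walker that reproduces that computation (hashing SizeOfRawData bytes starting at PointerToRawData, assumed here to be the convention the report used), exercised against a tiny constructed PE32 image so it runs offline. The fixture's section contents are constructed, not taken from the sample; only its TimeDateStamp value is chosen to match the report's header timestamp, on the assumption that the report printed UTC.

```python
import hashlib
import struct

FILE_ALIGN = 0x200            # file alignment used when laying out the sample image
OPT_HEADER_SIZE = 0xE0        # size of a PE32 optional header
COFF_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER (20 bytes)
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER (40 bytes)


def digest(data):
    """MD5 and SHA1 of a byte string, the two hashes the report lists per section."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def pad(data, align=FILE_ALIGN):
    """Zero-pad to the next multiple of the file alignment (what SizeOfRawData reflects)."""
    return data + b"\0" * (-len(data) % align)


def section_hashes(pe):
    """Walk the section table of a PE file and hash each section's raw bytes.
    Hashes cover SizeOfRawData bytes from PointerToRawData; this is the usual
    convention and is assumed to be what produced the report's values."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsect, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(COFF_FMT, pe, e_lfanew + 4)
    table = e_lfanew + 4 + struct.calcsize(COFF_FMT) + opt_size
    out = {}
    for i in range(nsect):
        raw_name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, pe, table + 40 * i)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        data = pe[raw_ptr:raw_ptr + raw_size]
        if len(data) != raw_size:  # truncated file or deliberately malformed header
            raise ValueError(f"section {name!r} claims {raw_size} bytes past end of file")
        out[name] = {"size": raw_size, **digest(data)}
    return out


def build_sample_pe(sections):
    """Assemble a minimal PE32 image from [(name, payload)] pairs. Only the fields a
    section walk reads are populated; this is a constructed fixture, not a runnable
    program and not the sample from the report."""
    table = 64 + 4 + struct.calcsize(COFF_FMT) + OPT_HEADER_SIZE
    headers = bytearray(pad(b"\0" * (table + 40 * len(sections))))
    headers[0:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, 64)  # e_lfanew
    headers[64:68] = b"PE\0\0"
    # TimeDateStamp 1452098927 = 2016-01-06 16:48:47 UTC, the report's header timestamp if UTC.
    struct.pack_into(COFF_FMT, headers, 68, 0x14C, len(sections), 0x568D456F, 0, 0, OPT_HEADER_SIZE, 0x0102)
    struct.pack_into("<H", headers, 88, 0x10B)  # PE32 magic at the start of the optional header
    body, raw_ptr, va = b"", len(headers), 0x1000
    for i, (name, payload) in enumerate(sections):
        raw = pad(payload)
        struct.pack_into(SECTION_FMT, headers, table + 40 * i, name.encode().ljust(8, b"\0"),
                         len(payload), va, len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
        va += (len(raw) + 0xFFF) & ~0xFFF
    return bytes(headers) + body


# Constructed section contents; any bytes would do, these merely make the sections distinct.
TEXT_PAYLOAD = bytes(range(256)) * 3  # 768 bytes, so SizeOfRawData becomes 1024
RDATA_PAYLOAD = b"constructed read-only data\0" * 4
SAMPLE_PE = build_sample_pe([(".text", TEXT_PAYLOAD), (".rdata", RDATA_PAYLOAD)])

if __name__ == "__main__":
    for name, h in section_hashes(SAMPLE_PE).items():
        print(f"Section {name:<7} md5: {h['md5']}  sha1: {h['sha1']}  size: {h['size']}")
```

Pointed at a real file instead of SAMPLE_PE, the walker yields the same four rows the report shows; a section whose PointerToRawData plus SizeOfRawData runs past the end of the file is rejected rather than silently hashed short, which is the case packers and corrupted headers most often trip.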

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\oczhynfr\jy6iji
Creates File: C:\WINDOWS\oczhynfr\jy6iji
Creates File: C:\oczhynfr\oql1sy3iiooztqelo.exe
Deletes File: C:\WINDOWS\oczhynfr\jy6iji
Creates Process: C:\oczhynfr\oql1sy3iiooztqelo.exe

Process
↳ C:\oczhynfr\oql1sy3iiooztqelo.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\DLL Player Link Distributed ➝ C:\oczhynfr\sjxtprx.exe
Creates File: C:\oczhynfr\jy6iji
Creates File: C:\WINDOWS\oczhynfr\jy6iji
Creates File: PIPE\lsarpc
Creates File: C:\oczhynfr\o6fgtsav
Creates File: C:\oczhynfr\sjxtprx.exe
Deletes File: C:\WINDOWS\oczhynfr\jy6iji
Creates Process: C:\oczhynfr\sjxtprx.exe
Creates Service: Themes Logs Location SPP Update Collector Resource - C:\oczhynfr\sjxtprx.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1868

Process
↳ Pid 1204

Process
↳ C:\oczhynfr\sjxtprx.exe

Creates File: C:\oczhynfr\hvtzrmf.exe
Creates File: C:\oczhynfr\jy6iji
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\oczhynfr\jy6iji
Creates File: C:\oczhynfr\fzuxgx
Creates File: \Device\Afd\Endpoint
Creates File: C:\oczhynfr\o6fgtsav
Deletes File: C:\WINDOWS\oczhynfr\jy6iji
Creates Process: qwhxvkchebmi "c:\oczhynfr\sjxtprx.exe"

Process
↳ C:\oczhynfr\sjxtprx.exe

Creates File: C:\oczhynfr\jy6iji
Creates File: C:\WINDOWS\oczhynfr\jy6iji
Deletes File: C:\WINDOWS\oczhynfr\jy6iji

Process
↳ qwhxvkchebmi "c:\oczhynfr\sjxtprx.exe"

Creates File: C:\oczhynfr\jy6iji
Creates File: C:\WINDOWS\oczhynfr\jy6iji
Deletes File: C:\WINDOWS\oczhynfr\jy6iji
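The process tree above is consistent with the Bayrob/Nivdort detections in the AV table: a dropper with a generated name in C:\oczhynfr, a payload sjxtprx.exe registered twice (as the HKLM Run value "DLL Player Link Distributed" and as the service "Themes Logs Location SPP Update Collector Resource"), and that payload relaunching itself with a randomly named first token on its command line. The word-salad names change per build, so host detection should key on the shape of the persistence rather than on these strings. The Python below is an added example, not part of the report: it scores constructed autostart events for an image path outside Windows/Program Files, a random-looking directory directly under the drive root, and one binary holding both a Run entry and a service. The event fields, the vowel-ratio threshold and the benign control entry are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Autostart entries are normally expected to point under these roots (assumption for this check).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# C:\<short lowercase dir>\<short lowercase name>.exe, the shape of every dropped path in this report.
ROOT_DIR_EXE = re.compile(r"^[a-z]:\\([a-z0-9]{5,14})\\[a-z0-9]{5,24}\.exe$", re.IGNORECASE)


@dataclass
class Event:
    kind: str    # "registry_run" (HKLM\...\Run value written) or "service_create"
    name: str    # Run value name or service display name
    image: str   # raw value: a path, possibly quoted and followed by arguments


def normalize_image(value):
    """Extract the executable path from a Run value or service ImagePath, lower-cased,
    with surrounding quotes and trailing arguments removed."""
    v = value.strip()
    if v.startswith('"') and v.find('"', 1) > 0:
        return v[1:v.find('"', 1)].lower()
    m = re.match(r"^(.*?\.exe)(?:\s|$)", v, re.IGNORECASE)
    return (m.group(1) if m else v).lower()


def vowel_ratio(label):
    """Fraction of vowels in a name; generated names such as 'oczhynfr' score far below
    English words. A crude signal, used only in combination with the others."""
    return sum(ch in "aeiou" for ch in label.lower()) / max(len(label), 1)


def score_event(ev):
    """Per-event signals; returns the normalised image path and the reasons it stands out."""
    img = normalize_image(ev.image)
    reasons = []
    if not img.startswith(TRUSTED_ROOTS):
        reasons.append("image outside Windows/Program Files")
    m = ROOT_DIR_EXE.match(img)
    if m and vowel_ratio(m.group(1)) < 0.25:
        reasons.append("random-looking directory directly under drive root")
    return img, reasons


def triage(events):
    """Return {image_path: [reasons]} for autostart entries worth a closer look, adding the
    cross-event signal of a single binary holding two persistence mechanisms."""
    findings, kinds_by_image = {}, {}
    for ev in events:
        img, reasons = score_event(ev)
        kinds_by_image.setdefault(img, set()).add(ev.kind)
        if reasons:
            findings.setdefault(img, set()).update(reasons)
    for img, kinds in kinds_by_image.items():
        if {"registry_run", "service_create"} <= kinds:
            findings.setdefault(img, set()).add("same binary registered as both Run entry and service")
    return {img: sorted(r) for img, r in findings.items()}


# Constructed events: the first two mirror the report's persistence, the third is a benign control.
SAMPLE_EVENTS = [
    Event("registry_run", "DLL Player Link Distributed", r"C:\oczhynfr\sjxtprx.exe"),
    Event("service_create", "Themes Logs Location SPP Update Collector Resource", r"C:\oczhynfr\sjxtprx.exe"),
    Event("registry_run", "Example Updater", '"C:\\Program Files\\Example\\updater.exe" /background'),
]

if __name__ == "__main__":
    for img, reasons in triage(SAMPLE_EVENTS).items():
        print(img)
        for r in reasons:
            print("   -", r)
```

Fed from Sysmon registry (EventID 13 on the Run key) and service-installation (System 7045) events, the same three checks surface this sample's persistence without knowing any of its names; the vowel-ratio heuristic alone would also flag legitimate short names such as svchost, which is why it only fires on a directory sitting directly under the drive root.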

Network Details:

DNS strengthdifferent.net  A  208.100.26.234
DNS machineclean.net  A  208.109.181.40
DNS rightclean.net  A  66.175.213.119
DNS rightcourse.net  A  72.167.191.69
DNS familyclean.net  A  54.75.224.248, 54.228.214.122, 54.247.165.51, 176.34.121.15, 176.34.232.209, 46.137.98.88
DNS englishpaint.net  A  82.165.249.114
DNS englishcourse.net  A  50.63.202.2
DNS englishwomen.net  A  207.148.248.143
DNS suddennothing.net  A  208.100.26.234
DNS resultletter.net  A  no answer
DNS brokendifferent.net  A  no answer
DNS resultdifferent.net  A  no answer
DNS preparesurprise.net  A  no answer
DNS desiresurprise.net  A  no answer
DNS preparebeside.net  A  no answer
DNS desirebeside.net  A  no answer
DNS prepareletter.net  A  no answer
DNS desireletter.net  A  no answer
DNS preparedifferent.net  A  no answer
DNS desiredifferent.net  A  no answer
DNS strengthsurprise.net  A  no answer
DNS stillsurprise.net  A  no answer
DNS strengthbeside.net  A  no answer
DNS stillbeside.net  A  no answer
DNS strengthletter.net  A  no answer
DNS stillletter.net  A  no answer
DNS stilldifferent.net  A  no answer
DNS expectclean.net  A  no answer
DNS becauseclean.net  A  no answer
DNS expectpaint.net  A  no answer
DNS becausepaint.net  A  no answer
DNS expectcourse.net  A  no answer
DNS becausecourse.net  A  no answer
DNS expectwomen.net  A  no answer
DNS becausewomen.net  A  no answer
DNS personclean.net  A  no answer
DNS personpaint.net  A  no answer
DNS machinepaint.net  A  no answer
DNS personcourse.net  A  no answer
DNS machinecourse.net  A  no answer
DNS personwomen.net  A  no answer
DNS machinewomen.net  A  no answer
DNS suddenclean.net  A  no answer
DNS foreignclean.net  A  no answer
DNS suddenpaint.net  A  no answer
DNS foreignpaint.net  A  no answer
DNS suddencourse.net  A  no answer
DNS foreigncourse.net  A  no answer
DNS suddenwomen.net  A  no answer
DNS foreignwomen.net  A  no answer
DNS whetherclean.net  A  no answer
DNS whetherpaint.net  A  no answer
DNS rightpaint.net  A  no answer
DNS whethercourse.net  A  no answer
DNS whetherwomen.net  A  no answer
DNS rightwomen.net  A  no answer
DNS figureclean.net  A  no answer
DNS thoughclean.net  A  no answer
DNS figurepaint.net  A  no answer
DNS thoughpaint.net  A  no answer
DNS figurecourse.net  A  no answer
DNS thoughcourse.net  A  no answer
DNS figurewomen.net  A  no answer
DNS thoughwomen.net  A  no answer
DNS pictureclean.net  A  no answer
DNS cigaretteclean.net  A  no answer
DNS picturepaint.net  A  no answer
DNS cigarettepaint.net  A  no answer
DNS picturecourse.net  A  no answer
DNS cigarettecourse.net  A  no answer
DNS picturewomen.net  A  no answer
DNS cigarettewomen.net  A  no answer
DNS childrenclean.net  A  no answer
DNS childrenpaint.net  A  no answer
DNS familypaint.net  A  no answer
DNS childrencourse.net  A  no answer
DNS familycourse.net  A  no answer
DNS childrenwomen.net  A  no answer
DNS familywomen.net  A  no answer
DNS eitherclean.net  A  no answer
DNS englishclean.net  A  no answer
DNS eitherpaint.net  A  no answer
DNS eithercourse.net  A  no answer
DNS eitherwomen.net  A  no answer
DNS expectstream.net  A  no answer
DNS becausestream.net  A  no answer
DNS expectnothing.net  A  no answer
DNS becausenothing.net  A  no answer
DNS expectbottle.net  A  no answer
DNS becausebottle.net  A  no answer
DNS expectdivide.net  A  no answer
DNS becausedivide.net  A  no answer
DNS personstream.net  A  no answer
DNS machinestream.net  A  no answer
DNS personnothing.net  A  no answer
DNS machinenothing.net  A  no answer
DNS personbottle.net  A  no answer
DNS machinebottle.net  A  no answer
DNS persondivide.net  A  no answer
DNS machinedivide.net  A  no answer
DNS suddenstream.net  A  no answer
DNS foreignstream.net  A  no answer
DNS foreignnothing.net  A  no answer
DNS suddenbottle.net  A  no answer
DNS foreignbottle.net  A  no answer
DNS suddendivide.net  A  no answer
DNS foreigndivide.net  A  no answer
DNS whetherstream.net  A  no answer
DNS rightstream.net  A  no answer
HTTP GET http://strengthdifferent.net/index.php  User-Agent: (empty)
HTTP GET http://machineclean.net/index.php  User-Agent: (empty)
HTTP GET http://rightclean.net/index.php  User-Agent: (empty)
HTTP GET http://rightcourse.net/index.php  User-Agent: (empty)
HTTP GET http://familyclean.net/index.php  User-Agent: (empty)
HTTP GET http://englishpaint.net/index.php  User-Agent: (empty)
HTTP GET http://englishcourse.net/index.php  User-Agent: (empty)
HTTP GET http://englishwomen.net/index.php  User-Agent: (empty)
HTTP GET http://suddennothing.net/index.php  User-Agent: (empty)
Flows TCP 192.168.1.1:1031 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1032 ➝ 208.109.181.40:80
Flows TCP 192.168.1.1:1033 ➝ 66.175.213.119:80
Flows TCP 192.168.1.1:1034 ➝ 72.167.191.69:80
Flows TCP 192.168.1.1:1035 ➝ 54.75.224.248:80
Flows TCP 192.168.1.1:1036 ➝ 82.165.249.114:80
Flows TCP 192.168.1.1:1037 ➝ 50.63.202.2:80
Flows TCP 192.168.1.1:1038 ➝ 207.148.248.143:80
Flows TCP 192.168.1.1:1039 ➝ 208.100.26.234:80
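Every hostname queried above is two English words run together under .net (strength+different, family+clean, cigarette+women); most queries return no address, and each of the few that resolve receives a GET /index.php with an empty User-Agent. That word-pair shape is the trait to hunt for in DNS logs, since the individual domains rotate. The Python below is an added example, not code from the report: it splits each queried label against a dictionary assembled from the domains on this page (an assumption; the real dictionary is larger), flags clients that query several such names, counts the unanswered ones, and ties the empty-UA index.php requests back to them. The log format and the sample lines are constructed for the example; addresses for the report's domains are copied from it and the remaining ones are RFC 5737 test addresses.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Every word below appears in a hostname in this report; the generator's real dictionary is
# larger, so treat this list as a seed to extend from your own DNS telemetry (assumption).
WORDS = frozenset("""
strength different machine clean right course family english paint women sudden nothing
result letter broken prepare surprise desire beside still expect because person foreign
whether figure though picture cigarette children either stream bottle divide
""".split())


def split_word_pair(label):
    """Return (first, second) if the label is exactly two dictionary words run together."""
    for i in range(1, len(label)):
        if label[:i] in WORDS and label[i:] in WORDS:
            return label[:i], label[i:]
    return None


def is_word_pair_domain(fqdn):
    """Single-label <word><word>.net names only; subdomains and other TLDs are ignored."""
    host, _, tld = fqdn.lower().rstrip(".").rpartition(".")
    return tld == "net" and "." not in host and split_word_pair(host) is not None


def analyze(log_text, min_domains=4):
    """Scan constructed-format log lines:
         <ts> dns  <client> <qname> <qtype> <answer or ->
         <ts> http <client> <method> <url> ua=<user-agent, possibly empty>
    and summarise per client: word-pair .net lookups, how many went unanswered, and the
    GET /index.php requests sent with an empty User-Agent to such hosts. Clients with at
    least min_domains distinct word-pair names are returned as alerts."""
    stats = defaultdict(lambda: {"dga_domains": set(), "unresolved": 0, "beacons": []})
    for line in log_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        kind, client = fields[1], fields[2]
        if kind == "dns":
            qname, answer = fields[3], fields[5]
            if is_word_pair_domain(qname):
                stats[client]["dga_domains"].add(qname.lower())
                if answer == "-":
                    stats[client]["unresolved"] += 1
        elif kind == "http":
            method, url, ua = fields[3], fields[4], fields[5][len("ua="):]
            parts = urlsplit(url)
            if (method == "GET" and parts.path == "/index.php" and ua == ""
                    and is_word_pair_domain(parts.hostname or "")):
                stats[client]["beacons"].append(url)
    summary = {c: {**s, "dga_domains": sorted(s["dga_domains"])} for c, s in stats.items()}
    alerts = sorted(c for c, s in summary.items() if len(s["dga_domains"]) >= min_domains)
    return summary, alerts


# Constructed log: 192.168.1.1 replays part of the report's traffic, 192.168.1.2 is a control
# host with a single word-pair lookup that should stay below the alert threshold.
SAMPLE_LOG = """\
2016-01-29T20:30:15 dns  192.168.1.1 strengthdifferent.net A 208.100.26.234
2016-01-29T20:30:15 http 192.168.1.1 GET http://strengthdifferent.net/index.php ua=
2016-01-29T20:30:16 dns  192.168.1.1 machineclean.net A 208.109.181.40
2016-01-29T20:30:16 http 192.168.1.1 GET http://machineclean.net/index.php ua=
2016-01-29T20:30:17 dns  192.168.1.1 familyclean.net A 54.75.224.248
2016-01-29T20:30:17 http 192.168.1.1 GET http://familyclean.net/index.php ua=
2016-01-29T20:30:18 dns  192.168.1.1 preparesurprise.net A -
2016-01-29T20:30:18 dns  192.168.1.1 desirebeside.net A -
2016-01-29T20:30:19 dns  192.168.1.1 stillletter.net A -
2016-01-29T20:30:19 dns  192.168.1.1 cigarettewomen.net A -
2016-01-29T20:30:20 dns  192.168.1.1 www.example.com A 203.0.113.10
2016-01-29T20:30:21 http 192.168.1.1 GET http://www.example.com/index.php ua=Mozilla/5.0
2016-01-29T20:30:22 dns  192.168.1.2 intranet.example.net A 198.51.100.7
2016-01-29T20:30:23 dns  192.168.1.2 rightcourse.net A 72.167.191.69
"""

if __name__ == "__main__":
    summary, alerts = analyze(SAMPLE_LOG)
    for client in alerts:
        s = summary[client]
        print(f"{client}: {len(s['dga_domains'])} word-pair domains, "
              f"{s['unresolved']} unanswered, {len(s['beacons'])} empty-UA beacons")
```

The high ratio of unanswered queries is itself a useful signal: a generator walks its candidate list until one name resolves, so a host that asks for dozens of unregistered two-word .net names in a minute is behaving unlike any browser or updater, regardless of which words the current build uses.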
