Analysis Date | 2016-01-28 21:01:24 |
---|---|
MD5 | 7172e81792fb94c6fd799f182608c5a0 |
SHA1 | 47e93ee44bb20c2d70f1a4175983d35c180d055d |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
---|---|
Section | .text md5: 0596932cd84370669d09bcfaf74a80a2 sha1: 97895e873b3697267f3295eaecf4dc335a37037a size: 261120 |
Section | .rdata md5: a8f366ef1392189a70f53bd0647802af sha1: afd4d44033fd0124b0ba938c0c57b40644392a3a size: 41472 |
Section | .data md5: 2411a97645dd11a72e5d58a8576e351e sha1: 15b55994da8521bd73e9296f3404e367a33f8101 size: 1536 |
Section | .reloc md5: 60efecc06f5b0efbc44a6ee893212054 sha1: 15b5be605987d76ceb0b83f669395fe44ed3bd2e size: 50688 |
Timestamp | 2015-12-23 04:53:26 |
PEhash | b26cdbeb4abe189125e17eb4d849ea5afe0e4c3c |
IMPhash | bf69f8b184fa719294015eed3ecfb423 |
AV | Rising | No Virus |
AV | Mcafee | Trojan-FHPD!7172E81792FB |
AV | Avira (antivir) | TR/Spy.Agent.355840.13 |
AV | Twister | No Virus |
AV | Ad-Aware | Gen:Variant.Kazy.784853 |
AV | Alwil (avast) | Win32:Malware-gen |
AV | Eset (nod32) | Win32/Bayrob.AQ |
AV | Grisoft (avg) | Win32/Heur |
AV | Symantec | Trojan.Bayrob!gen6 |
AV | Fortinet | W32/Bayrob.AQ!tr |
AV | BitDefender | Gen:Variant.Kazy.784853 |
AV | K7 | Trojan ( 004da1e61 ) |
AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort!rfn |
AV | MicroWorld (escan) | Gen:Variant.Kazy.784853 |
AV | MalwareBytes | No Virus |
AV | Authentium | W32/Nivdort.F.gen!Eldorado |
AV | Emsisoft | Gen:Variant.Kazy.784853 |
AV | Frisk (f-prot) | W32/Nivdort.F.gen!Eldorado |
AV | Ikarus | Trojan.Win32.Bayrob |
AV | Zillya! | Downloader.Somoto.Win32.1971 |
AV | Kaspersky | Trojan.Win32.Agent.netpca |
AV | Trend Micro | No Virus |
AV | VirusBlokAda (vba32) | BScope.Malware-Cryptor.Msgfake |
AV | CAT (quickheal) | No Virus |
AV | BullGuard | Gen:Variant.Kazy.784853 |
AV | Arcabit (arcavir) | Gen:Variant.Kazy.784853 |
AV | ClamAV | No Virus |
AV | Dr. Web | Trojan.DownLoader18.57548 |
AV | F-Secure | Gen:Variant.Kazy.784853 |
AV | CA (E-Trust Ino) | No Virus |
Runtime Details:
Process
↳ C:\malware.exe
Creates File | C:\jxosifzzdtn\muby7wi |
---|---|
Creates File | C:\jxosifzzdtn\sclih1kedxbufulipxjrgd.exe |
Creates File | C:\WINDOWS\jxosifzzdtn\muby7wi |
Deletes File | C:\WINDOWS\jxosifzzdtn\muby7wi |
Creates Process | C:\jxosifzzdtn\sclih1kedxbufulipxjrgd.exe |
Process
↳ C:\jxosifzzdtn\sclih1kedxbufulipxjrgd.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Link Superfetch Net.Tcp Update ➝ C:\jxosifzzdtn\hipfwyxiirc.exe |
---|---|
Creates File | C:\jxosifzzdtn\muby7wi |
Creates File | C:\jxosifzzdtn\hipfwyxiirc.exe |
Creates File | PIPE\lsarpc |
Creates File | C:\WINDOWS\jxosifzzdtn\muby7wi |
Creates File | C:\jxosifzzdtn\apuwthiey |
Deletes File | C:\WINDOWS\jxosifzzdtn\muby7wi |
Creates Process | C:\jxosifzzdtn\hipfwyxiirc.exe |
Creates Service | Link-Layer DNS Time ActiveX Bus - C:\jxosifzzdtn\hipfwyxiirc.exe |
Process
↳ Pid 808
Process
↳ Pid 856
Process
↳ C:\WINDOWS\System32\svchost.exe
Creates File | pipe\PCHFaultRepExecPipe |
---|---|
Process
↳ Pid 1136
Process
↳ Pid 1212
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Process
↳ Pid 1864
Process
↳ Pid 1164
Process
↳ C:\jxosifzzdtn\hipfwyxiirc.exe
Creates File | C:\jxosifzzdtn\gnuusqhxojp.exe |
---|---|
Creates File | C:\jxosifzzdtn\muby7wi |
Creates File | pipe\net\NtControlPipe10 |
Creates File | C:\jxosifzzdtn\roquzyo |
Creates File | C:\WINDOWS\jxosifzzdtn\muby7wi |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\jxosifzzdtn\apuwthiey |
Deletes File | C:\WINDOWS\jxosifzzdtn\muby7wi |
Creates Process | jkwmroahlqvv "c:\jxosifzzdtn\hipfwyxiirc.exe" |
Process
↳ C:\jxosifzzdtn\hipfwyxiirc.exe
Creates File | C:\jxosifzzdtn\muby7wi |
---|---|
Creates File | C:\WINDOWS\jxosifzzdtn\muby7wi |
Deletes File | C:\WINDOWS\jxosifzzdtn\muby7wi |
Process
↳ jkwmroahlqvv "c:\jxosifzzdtn\hipfwyxiirc.exe"
Creates File | C:\jxosifzzdtn\muby7wi |
---|---|
Creates File | C:\WINDOWS\jxosifzzdtn\muby7wi |
Deletes File | C:\WINDOWS\jxosifzzdtn\muby7wi |
Network Details:
Raw Pcap
```
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206d : close..Host: m
0x00000040 (00064) 69676874 706c6561 73652e6e 65740d0a ightplease.net..
0x00000050 (00080) 0d0a                                ..

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2070 : close..Host: p
0x00000040 (00064) 72657474 79736f6c 64696572 2e6e6574 rettysoldier.net
0x00000050 (00080) 0d0a0d0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2070 : close..Host: p
0x00000040 (00064) 72657474 79706c65 6173652e 6e65740d rettyplease.net.
0x00000050 (00080) 0a0d0a0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2062 : close..Host: b
0x00000040 (00064) 726f6b65 6e6e6174 696f6e2e 6e65740d rokennation.net.
0x00000050 (00080) 0a0d0a0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2072 : close..Host: r
0x00000040 (00064) 6573756c 746e6174 696f6e2e 6e65740d esultnation.net.
0x00000050 (00080) 0a0d0a0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2062 : close..Host: b
0x00000040 (00064) 726f6b65 6e736f6c 64696572 2e6e6574 rokensoldier.net
0x00000050 (00080) 0d0a0d0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2062 : close..Host: b
0x00000040 (00064) 75696c64 696e6770 6f776572 2e6e6574 uildingpower.net
0x00000050 (00080) 0d0a0d0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2070 : close..Host: p
0x00000040 (00064) 72657474 79706f77 65722e6e 65740d0a rettypower.net..
0x00000050 (00080) 0d0a0d0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2064 : close..Host: d
0x00000040 (00064) 6f75626c 6566616d 6f75732e 6e65740d oublefamous.net.
0x00000050 (00080) 0a0d0a0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2066 : close..Host: f
0x00000040 (00064) 656c6c6f 77706f77 65722e6e 65740d0a ellowpower.net..
0x00000050 (00080) 0d0a0a0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2062 : close..Host: b
0x00000040 (00064) 726f6b65 6e66616d 6f75732e 6e65740d rokenfamous.net.
0x00000050 (00080) 0a0d0a0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2062 : close..Host: b
0x00000040 (00064) 726f6b65 6e706f77 65722e6e 65740d0a rokenpower.net..
0x00000050 (00080) 0d0a0a0a                            ....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2073 : close..Host: s
0x00000040 (00064) 74696c6c 706f7765 722e6e65 740d0a0d tillpower.net...
0x00000050 (00080) 0a                                  .

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2064 : close..Host: d
0x00000040 (00064) 6f63746f 726c6574 7465722e 6e65740d octorletter.net.
0x00000050 (00080) 0a0d0a                              ...

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2064 : close..Host: d
0x00000040 (00064) 6f63746f 72646966 66657265 6e742e6e octordifferent.n
0x00000050 (00080) 65740d0a 0d0a                       et....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2070 : close..Host: p
0x00000040 (00064) 72657474 79646966 66657265 6e742e6e rettydifferent.n
0x00000050 (00080) 65740d0a 0d0a                       et....

0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H
0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept:
0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection
0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2073 : close..Host: s
0x00000040 (00064) 74696c6c 73757270 72697365 2e6e6574 tillsurprise.net
0x00000050 (00080) 0d0a0d0a 0d0a                       ......
```
Strings