Analysis Date: 2015-11-25 12:00:35
MD5: 8254390e4b9b8ed61f61b10687d2ce3b
SHA1: 4b15b86dd71ab0a68fa1755028d101933f651050

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: a65bfde28cc96cd5aa309dd3601692e5 sha1: 150a04a56a2100badedc9f277efaab54d581e661 size: 1293824
Section .rdata md5: e2bbeb4b7fc7e101b0279a46de4e1df9 sha1: b101a433e4dd64d05a8cd28fac3075cd50bde868 size: 323584
Section .data md5: d6e24e899cc03a1bdffd082b737c2faa sha1: 026b2be152c4f3c50ea4a580ded064ec8d392bf4 size: 8192
Section .reloc md5: a54a1f26ae8626e8f788d28e2a029744 sha1: dcbe14276961cc52510e179a921b4c9662b4d2d8 size: 176128
Timestamp: 2015-05-11 03:53:51
Packer: VC8 -> Microsoft Corporation
PEhash: 8ee2bf3df6d68d6770ff397bc2c2b9a32f957f06
IMPhash: 4fcd43ea366e6a7b4de670f54ad7f661
AV F-Secure: Gen:Variant.Kazy.611782
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV MalwareBytes: no_virus
AV Dr. Web: Trojan.Bayrob.5
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Y
AV MicroWorld (escan): Gen:Trojan.Heur.TP.UrW@by8Owzc
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV Ad-Aware: Gen:Variant.Kazy.611782
AV BitDefender: Gen:Variant.Kazy.611782
AV Avira (antivir): TR/Crypt.Xpack.316558
AV Alwil (avast): Dropper-OJQ [Drp]
AV Fortinet: W32/Kryptik.EETB!tr
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BN
AV Ikarus: Trojan.Win32.Bayrob
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.611782
AV Mcafee: Trojan-FGIJ!8254390E4B9B
AV Twister: no_virus
AV Symantec: Downloader.Upatre!g15
AV K7: Trojan ( 004c77f41 )
AV Rising: 0x594153ee
AV Frisk (f-prot): no_virus
AV Emsisoft: Gen:Variant.Kazy.611782
AV Zillya!: no_virus
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.611782
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\mnhgyzo1j8pqkagxldum.exe
Creates File: C:\WINDOWS\system32\coaxcjiqg\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\mnhgyzo1j8pqkagxldum.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\mnhgyzo1j8pqkagxldum.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\PC Procedure Store CNG Upgrade Web ➝ C:\WINDOWS\system32\ynvzgnrw.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\coaxcjiqg\etc
Creates File: C:\WINDOWS\system32\coaxcjiqg\lck
Creates File: C:\WINDOWS\system32\coaxcjiqg\tst
Creates File: C:\WINDOWS\system32\ynvzgnrw.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\ynvzgnrw.exe
Creates Service: Interactive Control Firewall - C:\WINDOWS\system32\ynvzgnrw.exe

Process
↳ Pid 800

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1120

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1140

Process
↳ C:\WINDOWS\system32\ynvzgnrw.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\coaxcjiqg\lck
Creates File: C:\WINDOWS\TEMP\mnhgyzo1q12qk.exe
Creates File: C:\WINDOWS\system32\coaxcjiqg\tst
Creates File: C:\WINDOWS\system32\coaxcjiqg\rng
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\coaxcjiqg\run
Creates File: C:\WINDOWS\system32\ndwuijagdg.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\coaxcjiqg\cfg
Creates Process: WATCHDOGPROC "c:\windows\system32\ynvzgnrw.exe"
Creates Process: C:\WINDOWS\TEMP\mnhgyzo1q12qk.exe -r 21636 tcp

Process
↳ c:\windows\system32\ynvzgnrw.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\coaxcjiqg\rng
Creates File: C:\WINDOWS\system32\coaxcjiqg\lck
Creates File: C:\WINDOWS\system32\coaxcjiqg\run
Creates File: C:\WINDOWS\system32\ndwuijagdg.exe
Creates File: C:\WINDOWS\system32\coaxcjiqg\tst
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\mnhgyzo2cemqk.exe
Creates File: C:\WINDOWS\system32\coaxcjiqg\cfg
Creates Process: WATCHDOGPROC "c:\windows\system32\ynvzgnrw.exe"
Creates Process: C:\WINDOWS\TEMP\mnhgyzo2cemqk.exe -r 43079 tcp

Process
↳ C:\WINDOWS\system32\ynvzgnrw.exe

Creates File: C:\WINDOWS\system32\coaxcjiqg\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\ynvzgnrw.exe"

Creates File: C:\WINDOWS\system32\coaxcjiqg\tst
Creates Process: c:\windows\system32\ynvzgnrw.exe

Process
↳ C:\WINDOWS\TEMP\mnhgyzo1q12qk.exe -r 21636 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Process
↳ WATCHDOGPROC "c:\windows\system32\ynvzgnrw.exe"

Creates File: C:\WINDOWS\system32\coaxcjiqg\tst

Process
↳ C:\WINDOWS\TEMP\mnhgyzo2cemqk.exe -r 43079 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

