Analysis Date: 2015-11-12 14:12:06
MD5: 9277dbe3498c3cb5a2bb8d484059d82d
SHA1: 4ca6123048eda55eea1c350142ce77d842351111

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 f4c53c35e62e812b23fe61461b0abc97, sha1 bba9e89e32ebde3dce2f95cd419954ec9f05b52f, size 1093632
Section .rdata: md5 1ce62c07ccb6cdf4ebfc4a6849be2863, sha1 702ae0ade54857d9d2d9d1796f8ab79aaecd4fc2, size 331264
Section .data: md5 e3736d6070f9a664a38b1a9bad81c253, sha1 4fa29483608933427291de9f7f724d6fb892f472, size 10752
Section .reloc: md5 761bb526eff6771f7ddcd267aacac3fd, sha1 be49774992f97d706e0fe716e9e2756614c7aff8, size 74752
Timestamp: 2015-04-30 20:12:28 (PE header compile time; it is attacker-controlled and should not be trusted as a build date)
Packer: Microsoft Visual C++ 8 (a compiler signature match, not evidence of a runtime packer)
PEhash: 797412a560d0f56d9c23bdc5324dd11c1e749456
IMPhash: 39341f50dac1a219b240cf452d50bcc4
AV F-Secure: Gen:Variant.Zusy.140251
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV MalwareBytes: No Virus
AV Dr. Web: Trojan.Bayrob.1
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.R
AV MicroWorld (escan): Gen:Variant.Zusy.140251
AV Trend Micro: No Virus
AV ClamAV: No Virus
AV Ad-Aware: Gen:Variant.Zusy.140251
AV BitDefender: Gen:Variant.Zusy.140251
AV Avira (antivir): TR/Boryab.aiez
AV Alwil (avast): Dropper-OJG [Drp]
AV Fortinet: W32/Kryptic.WU!tr
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV Ikarus: Trojan.Win32.Bayrob
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): No Virus
AV Arcabit (arcavir): Gen:Variant.Zusy.140251
AV Mcafee: No Virus
AV Twister: No Virus
AV Symantec: Downloader.Upatre!g15
AV K7: Trojan ( 004c77f41 )
AV Rising: No Virus
AV Frisk (f-prot): No Virus
AV Emsisoft: Gen:Variant.Zusy.140251
AV Zillya!: No Virus
AV CAT (quickheal): Backdoor.SoxGrave.013162
AV Padvish: No Virus
AV BullGuard: Gen:Variant.Zusy.140251
AV CA (E-Trust Ino): No Virus

Detection summary: 20 of the 31 engines listed flag the sample. The engines that assign a family agree on Nivdort/Bayrob (Authentium, Dr. Web, ESET, Microsoft, Ikarus); the Zusy.140251 name is the generic BitDefender-engine signature shared by F-Secure, eScan, Ad-Aware, Arcabit, Emsisoft and BullGuard, so it should not be counted as independent confirmation. Symantec's Downloader.Upatre!g15 is the outlier, while QuickHeal's Backdoor.SoxGrave name lines up with the sox= parameter in the HTTP check-in recorded under Network Details.

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\sqhrfur\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\muduogsx1l8blvxdchedr.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\muduogsx1l8blvxdchedr.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\muduogsx1l8blvxdchedr.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Secure Parental Publication Networking ➝ C:\WINDOWS\system32\kggnzamqa.exe
Creates File: C:\WINDOWS\system32\sqhrfur\lck
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\sqhrfur\etc
Creates File: C:\WINDOWS\system32\sqhrfur\tst
Creates File: C:\WINDOWS\system32\kggnzamqa.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\kggnzamqa.exe
Creates Service: TPM Print Hardware Tracking Desktop - C:\WINDOWS\system32\kggnzamqa.exe

This stage installs the same binary (kggnzamqa.exe) twice for persistence: once as a Run-key value and once as a service, both under generated multi-word names. It also touches the hosts file (a create and a delete are both logged), so during triage the hosts file should be compared against a known-good copy rather than assumed intact.

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe (the PCHealth fault-reporting pipe; its creation indicates that Windows error reporting ran, i.e. some process faulted during the capture)

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
(These are the print spooler's own configuration reads; nothing in the log ties spoolsv.exe to the sample, so treat them as sandbox background activity.)

Process
↳ Pid 1860

Process
↳ Pid 1132

Process
↳ C:\WINDOWS\system32\kggnzamqa.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1 (suppresses the Security Center notification that the firewall is off)
Creates File: C:\WINDOWS\system32\sqhrfur\lck
Creates File: C:\WINDOWS\system32\sqhrfur\cfg
Creates File: pipe\net\NtControlPipe10 (the service control pipe; consistent with this instance having been started by the service control manager as the service registered above)
Creates File: C:\WINDOWS\system32\sqhrfur\rng
Creates File: C:\WINDOWS\system32\jxtlvoqmkcyt.exe (written to disk but never launched within the capture)
Creates File: C:\WINDOWS\system32\sqhrfur\tst
Creates File: \Device\Afd\Endpoint (a socket being opened)
Creates File: C:\WINDOWS\TEMP\muduogsx1smtlv.exe
Creates File: C:\WINDOWS\system32\sqhrfur\run
Creates Process: WATCHDOGPROC "c:\windows\system32\kggnzamqa.exe" (a second copy of itself with a watchdog marker on the command line; the name suggests a process that restarts the main instance, but the capture only shows the launch)
Creates Process: C:\WINDOWS\TEMP\muduogsx1smtlv.exe -r 36049 tcp

Process
↳ C:\WINDOWS\system32\kggnzamqa.exe

Creates File: C:\WINDOWS\system32\sqhrfur\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\kggnzamqa.exe"

Creates File: C:\WINDOWS\system32\sqhrfur\tst

Process
↳ C:\WINDOWS\TEMP\muduogsx1smtlv.exe -r 36049 tcp

Creates File: \Device\Afd\Endpoint (a socket being opened)
Winsock DNS: 239.255.255.250 (logged by the sandbox as a name lookup, but this is the SSDP multicast address used for UPnP discovery; together with the "-r 36049 tcp" argument it looks like an attempt to locate a UPnP gateway, though no SSDP exchange or port mapping is recorded in the capture)
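The process log above is the material a responder turns into host indicators. The script below is an added example, not part of the original sandbox report: it parses the page's own Runtime Details layout ("Process", "↳ <image or pid>", then "<Action><value>" lines, with a Registry value continued on the line after "➝", with or without a ": " separator after the action) into per-process events, then pulls out the persistence and tamper indicators a practitioner would hunt for: Run-key values, services, hosts-file writes, Security Center changes, self-respawn, and dropped executables that were never launched. The input is a constructed excerpt copied from the log above; the assumption that the layout holds for the whole report is mine.

```python
"""Parse the Runtime Details layout used on this page into an IOC summary.

Added example, not part of the original sandbox report. SAMPLE_LOG is a
constructed excerpt of the page's own process log; the record layout is
assumed to hold for the whole report.
"""
import re
from collections import defaultdict

ACTIONS = ("Creates File", "Creates Process", "Deletes File",
           "Creates Service", "Registry", "Winsock DNS")
# Accept both the raw page layout ("Creates FileC:\...") and a ": " separator.
ACTION_RE = re.compile(r"^(%s):?\s*(.*)$" % "|".join(ACTIONS))

# Constructed input: lines taken from the report above, raw page layout.
SAMPLE_LOG = r"""Process
↳ C:\malware.exe

Creates FileC:\WINDOWS\system32\sqhrfur\tst
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\muduogsx1l8blvxdchedr.exe
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\muduogsx1l8blvxdchedr.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\muduogsx1l8blvxdchedr.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Secure Parental Publication Networking ➝
C:\WINDOWS\system32\kggnzamqa.exe
Creates FileC:\WINDOWS\system32\drivers\etc\hosts
Creates FileC:\WINDOWS\system32\kggnzamqa.exe
Deletes FileC:\WINDOWS\system32\\drivers\etc\hosts
Creates ProcessC:\WINDOWS\system32\kggnzamqa.exe
Creates ServiceTPM Print Hardware Tracking Desktop - C:\WINDOWS\system32\kggnzamqa.exe

Process
↳ C:\WINDOWS\system32\kggnzamqa.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝
1
Creates FileC:\WINDOWS\system32\jxtlvoqmkcyt.exe
Creates FileC:\WINDOWS\TEMP\muduogsx1smtlv.exe
Creates ProcessWATCHDOGPROC "c:\windows\system32\kggnzamqa.exe"
Creates ProcessC:\WINDOWS\TEMP\muduogsx1smtlv.exe -r 36049 tcp
"""


def parse_log(text):
    """Return {process image or pid: [(action, value), ...]} in log order."""
    events = defaultdict(list)
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line == "Process":
            continue
        if line.startswith("↳"):          # start of a new process block
            current = line[1:].strip()
            continue
        m = ACTION_RE.match(line)
        if not m or current is None:
            continue
        action, value = m.group(1), m.group(2).strip()
        # Registry records carry the data on the following line after "➝".
        if value.endswith("➝") and i < len(lines):
            value = value[:-1].strip() + " ➝ " + lines[i].strip()
            i += 1
        events[current].append((action, value))
    return dict(events)


def _command_image(cmdline):
    """Image path from a logged command line: the quoted token if any,
    otherwise everything before the first ' -' argument."""
    if '"' in cmdline:
        return cmdline.split('"')[1]
    return cmdline.split(" -")[0]


def persistence_findings(events):
    """Autostart, tamper and self-respawn indicators across all processes."""
    f = {"run_keys": [], "services": [], "hosts_file": [],
         "security_center": [], "dropped_executables": [], "self_respawn": []}
    for image, evts in events.items():
        for action, value in evts:
            low = value.lower()
            if action == "Registry" and "\\currentversion\\run\\" in low:
                f["run_keys"].append(value)
            elif action == "Registry" and "\\security center\\" in low:
                f["security_center"].append(value)
            elif action == "Creates Service":
                name, _, path = value.partition(" - ")
                f["services"].append((name, path))
            elif action in ("Creates File", "Deletes File") and low.endswith("\\etc\\hosts"):
                f["hosts_file"].append((action, image))
            elif action == "Creates File" and low.endswith(".exe"):
                f["dropped_executables"].append(value)
            elif action == "Creates Process" and _command_image(value).lower() == image.lower():
                f["self_respawn"].append(value)   # a process launching its own image
    return f


def dropped_not_executed(events):
    """Executables written to disk that no logged process launch refers to."""
    created, launched = set(), set()
    for evts in events.values():
        for action, value in evts:
            if action == "Creates File" and value.lower().endswith(".exe"):
                created.add(value.lower())
            elif action == "Creates Process":
                launched.add(_command_image(value).lower())
    return sorted(created - launched)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for key, items in persistence_findings(ev).items():
        print(key, items)
    print("dropped but not launched:", dropped_not_executed(ev))
```

Files under sqhrfur\ (lck, cfg, rng, run, tst, etc) are deliberately not classified: they are working files of the sample, useful as host indicators by path but not as behaviour categories.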

Network Details:

DNS: ableread.net (A) ➝ 208.91.197.241
DNS: maybellinecherokee.net (A) ➝ no answer recorded
DNS: alexandrinacalleigh.net (A) ➝ no answer recorded
DNS: recordtrust.net (A) ➝ no answer recorded
DNS: electricseparate.net (A) ➝ no answer recorded
DNS: flierdress.net (A) ➝ no answer recorded
DNS: oftenbranch.net (A) ➝ no answer recorded
DNS: thicklaughter.net (A) ➝ no answer recorded
DNS: rathersystem.net (A) ➝ no answer recorded
DNS: strangedistant.net (A) ➝ no answer recorded
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=049&sox=4f3ba001&lenhdr
User-Agent: (empty)
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.241:80

Only the first of the ten lookups resolved; all ten names are two dictionary words joined under .net, and the single HTTP check-in goes to the one that answered, with no User-Agent header value. That combination (a burst of similar .net names from one host, almost all unanswered, followed by an index.php request with method=validate&mode=sox and an empty User-Agent) is the pattern to hunt for in DNS and proxy logs. The IP 208.91.197.241 should be treated as a point-in-time indicator only; the page does not record whether it is attacker-controlled or a sinkhole.
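The two network behaviours recorded above, a burst of mostly unanswered .net lookups and a single index.php check-in with an empty User-Agent, can be turned into log-hunting rules. The script below is an added example, not part of the original report or of any vendor tooling. It assumes a minimal DNS query log (epoch, client, qname, qtype, answer or "-") and a proxy access log (epoch, client, method, URL, user agent or "-"), both layouts chosen here for illustration; the records are constructed to mirror what the capture shows, with a second client added as benign background. The beacon rule is derived from this single capture (the 8-hex-digit sox value in particular), so treat its thresholds as a starting point to tune, not a signature.

```python
"""Hunting rules for the network indicators recorded above.

Added example, not from the original report. Both log layouts and all
records below are constructed; the timestamps match the analysis date.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed DNS log: epoch, client, qname, qtype, answer ("-" = none returned)
DNS_LOG = """\
1447337526 192.168.1.1 ableread.net A 208.91.197.241
1447337526 192.168.1.1 maybellinecherokee.net A -
1447337527 192.168.1.1 alexandrinacalleigh.net A -
1447337527 192.168.1.1 recordtrust.net A -
1447337528 192.168.1.1 electricseparate.net A -
1447337528 192.168.1.1 flierdress.net A -
1447337529 192.168.1.1 oftenbranch.net A -
1447337529 192.168.1.1 thicklaughter.net A -
1447337530 192.168.1.1 rathersystem.net A -
1447337530 192.168.1.1 strangedistant.net A -
1447337540 192.168.1.7 www.example.com A 192.0.2.10
1447337541 192.168.1.7 update.example.net A 192.0.2.11
"""

# Constructed proxy log: epoch, client, method, url, user-agent ("-" = empty)
PROXY_LOG = """\
1447337531 192.168.1.1 GET http://ableread.net/index.php?method=validate&mode=sox&v=049&sox=4f3ba001&lenhdr -
1447337545 192.168.1.7 GET http://www.example.com/index.php?method=validate Mozilla/5.0
"""


def beacon_params(url):
    """Query parameters of a URL; bare keys such as 'lenhdr' map to ''."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def is_sox_beacon(url, user_agent):
    """Match the check-in shape from the capture: /index.php with
    method=validate&mode=sox, an 8-hex-digit 'sox' id, and no User-Agent."""
    p = beacon_params(url)
    return (urlsplit(url).path.endswith("/index.php")
            and p.get("method") == "validate"
            and p.get("mode") == "sox"
            and re.fullmatch(r"[0-9a-f]{8}", p.get("sox", "")) is not None
            and user_agent in ("", "-"))


def flag_beacons(proxy_log):
    """(client, url) for every proxy record that matches the beacon rule."""
    hits = []
    for line in proxy_log.splitlines():
        _ts, client, _method, url, ua = line.split(" ", 4)
        if is_sox_beacon(url, ua):
            hits.append((client, url))
    return hits


def lookup_bursts(dns_log, window=30, min_names=8, tld=".net"):
    """Clients that query at least `min_names` distinct names under `tld`
    within `window` seconds with at most one of them answered. Returns
    (client, distinct names in the burst, answered count)."""
    per_client = defaultdict(list)
    for line in dns_log.splitlines():
        ts, client, qname, qtype, answer = line.split()
        if qtype == "A" and qname.endswith(tld):
            per_client[client].append((int(ts), qname, answer != "-"))
    bursts = []
    for client, queries in per_client.items():
        queries.sort()
        for i, (start, _, _) in enumerate(queries):
            span = [q for q in queries[i:] if q[0] - start <= window]
            names = {q[1] for q in span}
            answered = sum(1 for q in span if q[2])
            if len(names) >= min_names and answered <= 1:
                bursts.append((client, len(names), answered))
                break               # one finding per client is enough
    return bursts


if __name__ == "__main__":
    print("beacons:", flag_beacons(PROXY_LOG))
    print("lookup bursts:", lookup_bursts(DNS_LOG))
```

The two rules are independent on purpose: the DNS burst fires before any HTTP traffic and does not depend on the C2 resolving, while the beacon rule catches the check-in even when the lookups were answered from cache. Correlating them on the client address is what turns either into a high-confidence alert.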
