Analysis Date: 2016-02-21 04:55:43
MD5: 0187f53ba3efeee4109ae95e37025b26
SHA1: 52205e421b607d904cd1f9bfa7caf50d5fa39c93

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: e6c49bb7747bfc81ea69407e0c942459 sha1: 714d058e05d3a2f63b97412ca0fee2b85da3cb55 size: 529408
Section .rdata md5: fab45d906ef568a0b4efedc28c0400c5 sha1: 2723d2e16f90bd4a12abbeb7ad3afc86b96f69ac size: 26112
Section .data  md5: a9bedd97fbe0710227e0326bfac0c2ec sha1: 67d916e21ef4a3ccaf8546f916ef079aa2b185a7 size: 20480
Section .reloc md5: bc474b769542f4bc07505c5ef79f5a0f sha1: cefe34ecb08c8b843e7dfababc1cff686a57bdc8 size: 39424
Timestamp: 2014-11-28 23:40:35
Packer: Microsoft Visual C++ 8
PEhash: 721e100cca9d9cd56bfc557d612701f322bd92a8
IMPhash: 3fe92ebab6524f56a38b7d8e6073ade6
AV: CA (E-Trust Ino) ➝ Gen:Variant.Razy.13928
AV: Rising ➝ No Virus
AV: Mcafee ➝ Trojan-FHSQ!0187F53BA3EF
AV: Avira (antivir) ➝ TR/Taranis.2147
AV: Twister ➝ W32.Toolbar.CrossRider.AE.lfcr.mg
AV: Ad-Aware ➝ Gen:Variant.Razy.13928
AV: Alwil (avast) ➝ Win32:Malware-gen
AV: Eset (nod32) ➝ Win32/Bayrob.BM
AV: Grisoft (avg) ➝ Generic37.AFDK
AV: Symantec ➝ No Virus
AV: Fortinet ➝ W32/Bayrob.BM!tr
AV: BitDefender ➝ Gen:Variant.Razy.13928
AV: K7 ➝ Trojan ( 004dc2a31 )
AV: Microsoft Security Essentials ➝ TrojanSpy:Win32/Nivdort.DI
AV: MicroWorld (escan) ➝ Gen:Variant.Razy.13928
AV: MalwareBytes ➝ No Virus
AV: Authentium ➝ W32/Nivdort.E.gen!Eldorado
AV: Emsisoft ➝ Gen:Variant.Razy.13928
AV: Frisk (f-prot) ➝ W32/Nivdort.E.gen!Eldorado
AV: Ikarus ➝ Trojan.Bayrob
AV: Zillya! ➝ Trojan.SwizzorGen.Win32.1
AV: Kaspersky ➝ Trojan.Win32.Generic
AV: Trend Micro ➝ No Virus
AV: VirusBlokAda (vba32) ➝ No Virus
AV: CAT (quickheal) ➝ TrojanSpy.Nivdort.WR4
AV: BullGuard ➝ Gen:Variant.Razy.13928
AV: Arcabit (arcavir) ➝ Gen:Variant.Razy.13928
AV: ClamAV ➝ No Virus
AV: Dr. Web ➝ No Virus
AV: F-Secure ➝ Gen:Variant.Razy.13928

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\ssylhhehfgsxgqu\kc6qvzozx
Creates File: C:\ssylhhehfgsxgqu\gcqh1kvbsq3b4gaofbe.exe
Creates File: C:\WINDOWS\ssylhhehfgsxgqu\kc6qvzozx
Deletes File: C:\WINDOWS\ssylhhehfgsxgqu\kc6qvzozx
Creates Process: C:\ssylhhehfgsxgqu\gcqh1kvbsq3b4gaofbe.exe

Process
↳ C:\ssylhhehfgsxgqu\gcqh1kvbsq3b4gaofbe.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Auto-Discovery Firewall Call Class KtmRm ➝ C:\ssylhhehfgsxgqu\wyhxxjpr.exe
Creates File: C:\ssylhhehfgsxgqu\kc6qvzozx
Creates File: C:\ssylhhehfgsxgqu\wyhxxjpr.exe
Creates File: C:\ssylhhehfgsxgqu\qjtkfjpra
Creates File: C:\WINDOWS\ssylhhehfgsxgqu\kc6qvzozx
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\ssylhhehfgsxgqu\kc6qvzozx
Creates Process: C:\ssylhhehfgsxgqu\wyhxxjpr.exe
Creates Service: Services AutoConfig Office Power Procedure - C:\ssylhhehfgsxgqu\wyhxxjpr.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1856

Process
↳ Pid 1116

Process
↳ C:\ssylhhehfgsxgqu\wyhxxjpr.exe

Creates File: C:\ssylhhehfgsxgqu\etynumriek.exe
Creates File: C:\ssylhhehfgsxgqu\kc6qvzozx
Creates File: pipe\net\NtControlPipe10
Creates File: C:\ssylhhehfgsxgqu\xhuadl
Creates File: C:\ssylhhehfgsxgqu\qjtkfjpra
Creates File: C:\WINDOWS\ssylhhehfgsxgqu\kc6qvzozx
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\ssylhhehfgsxgqu\kc6qvzozx
Creates Process: yijgpntscwnz "c:\ssylhhehfgsxgqu\wyhxxjpr.exe"

Process
↳ C:\ssylhhehfgsxgqu\wyhxxjpr.exe

Creates File: C:\ssylhhehfgsxgqu\kc6qvzozx
Creates File: C:\WINDOWS\ssylhhehfgsxgqu\kc6qvzozx
Deletes File: C:\WINDOWS\ssylhhehfgsxgqu\kc6qvzozx

Process
↳ yijgpntscwnz "c:\ssylhhehfgsxgqu\wyhxxjpr.exe"

Creates File: C:\ssylhhehfgsxgqu\kc6qvzozx
Creates File: C:\WINDOWS\ssylhhehfgsxgqu\kc6qvzozx
Deletes File: C:\WINDOWS\ssylhhehfgsxgqu\kc6qvzozx

Network Details:

DNS: mightanger.net Type: A ➝ 208.100.26.234
DNS: doctoralways.net Type: A ➝ 195.22.28.196, 195.22.28.197, 195.22.28.198, 195.22.28.199
DNS: fw.ename.net Type: A ➝ 198.148.92.57, 198.148.92.58, 198.148.92.56
DNS: buildingschool.net Type: A ➝ 72.167.232.36
DNS: eveningschool.net Type: A ➝ 50.63.202.50
DNS: melbourneit.hotkeysparking.com Type: A ➝ 8.5.1.16
DNS: doubletherefore.net Type: A ➝ 208.100.26.234
DNS: brokenquestion.net Type: A ➝ 195.22.28.196, 195.22.28.197, 195.22.28.198, 195.22.28.199
DNS: strengthschool.net Type: A ➝ 50.63.202.38
DNS: movementtraining.net Type: A ➝ 108.163.251.66
DNS: buildingstorm.net Type: A ➝ 184.168.221.53
DNS: doctortraining.net Type: A ➝ 184.168.221.96
DNS: doctorstorm.net Type: A ➝ 72.21.91.60
DNS: movementanger.net Type: A ➝ (no answer recorded)
DNS: outsideanger.net Type: A ➝ (no answer recorded)
DNS: movementalways.net Type: A ➝ (no answer recorded)
DNS: outsidealways.net Type: A ➝ (no answer recorded)
DNS: movementforest.net Type: A ➝ (no answer recorded)
DNS: outsideforest.net Type: A ➝ (no answer recorded)
DNS: buildingwheat.net Type: A ➝ (no answer recorded)
DNS: eveningwheat.net Type: A ➝ (no answer recorded)
DNS: buildinganger.net Type: A ➝ (no answer recorded)
DNS: eveninganger.net Type: A ➝ (no answer recorded)
DNS: buildingalways.net Type: A ➝ (no answer recorded)
DNS: eveningalways.net Type: A ➝ (no answer recorded)
DNS: buildingforest.net Type: A ➝ (no answer recorded)
DNS: eveningforest.net Type: A ➝ (no answer recorded)
DNS: storewheat.net Type: A ➝ (no answer recorded)
DNS: mightwheat.net Type: A ➝ (no answer recorded)
DNS: storeanger.net Type: A ➝ (no answer recorded)
DNS: storealways.net Type: A ➝ (no answer recorded)
DNS: mightalways.net Type: A ➝ (no answer recorded)
DNS: storeforest.net Type: A ➝ (no answer recorded)
DNS: mightforest.net Type: A ➝ (no answer recorded)
DNS: doctorwheat.net Type: A ➝ (no answer recorded)
DNS: prettywheat.net Type: A ➝ (no answer recorded)
DNS: doctoranger.net Type: A ➝ (no answer recorded)
DNS: prettyanger.net Type: A ➝ (no answer recorded)
DNS: prettyalways.net Type: A ➝ (no answer recorded)
DNS: doctorforest.net Type: A ➝ (no answer recorded)
DNS: prettyforest.net Type: A ➝ (no answer recorded)
DNS: fellowwheat.net Type: A ➝ (no answer recorded)
DNS: doublewheat.net Type: A ➝ (no answer recorded)
DNS: fellowanger.net Type: A ➝ (no answer recorded)
DNS: doubleanger.net Type: A ➝ (no answer recorded)
DNS: fellowalways.net Type: A ➝ (no answer recorded)
DNS: doublealways.net Type: A ➝ (no answer recorded)
DNS: fellowforest.net Type: A ➝ (no answer recorded)
DNS: doubleforest.net Type: A ➝ (no answer recorded)
DNS: brokenwheat.net Type: A ➝ (no answer recorded)
DNS: resultwheat.net Type: A ➝ (no answer recorded)
DNS: brokenanger.net Type: A ➝ (no answer recorded)
DNS: resultanger.net Type: A ➝ (no answer recorded)
DNS: brokenalways.net Type: A ➝ (no answer recorded)
DNS: resultalways.net Type: A ➝ (no answer recorded)
DNS: brokenforest.net Type: A ➝ (no answer recorded)
DNS: resultforest.net Type: A ➝ (no answer recorded)
DNS: preparewheat.net Type: A ➝ (no answer recorded)
DNS: desirewheat.net Type: A ➝ (no answer recorded)
DNS: prepareanger.net Type: A ➝ (no answer recorded)
DNS: desireanger.net Type: A ➝ (no answer recorded)
DNS: preparealways.net Type: A ➝ (no answer recorded)
DNS: desirealways.net Type: A ➝ (no answer recorded)
DNS: prepareforest.net Type: A ➝ (no answer recorded)
DNS: desireforest.net Type: A ➝ (no answer recorded)
DNS: strengthwheat.net Type: A ➝ (no answer recorded)
DNS: stillwheat.net Type: A ➝ (no answer recorded)
DNS: strengthanger.net Type: A ➝ (no answer recorded)
DNS: stillanger.net Type: A ➝ (no answer recorded)
DNS: strengthalways.net Type: A ➝ (no answer recorded)
DNS: stillalways.net Type: A ➝ (no answer recorded)
DNS: strengthforest.net Type: A ➝ (no answer recorded)
DNS: stillforest.net Type: A ➝ (no answer recorded)
DNS: movementschool.net Type: A ➝ (no answer recorded)
DNS: outsideschool.net Type: A ➝ (no answer recorded)
DNS: movementwhile.net Type: A ➝ (no answer recorded)
DNS: outsidewhile.net Type: A ➝ (no answer recorded)
DNS: movementquestion.net Type: A ➝ (no answer recorded)
DNS: outsidequestion.net Type: A ➝ (no answer recorded)
DNS: movementtherefore.net Type: A ➝ (no answer recorded)
DNS: outsidetherefore.net Type: A ➝ (no answer recorded)
DNS: buildingwhile.net Type: A ➝ (no answer recorded)
DNS: eveningwhile.net Type: A ➝ (no answer recorded)
DNS: buildingquestion.net Type: A ➝ (no answer recorded)
DNS: eveningquestion.net Type: A ➝ (no answer recorded)
DNS: buildingtherefore.net Type: A ➝ (no answer recorded)
DNS: eveningtherefore.net Type: A ➝ (no answer recorded)
DNS: storeschool.net Type: A ➝ (no answer recorded)
DNS: mightschool.net Type: A ➝ (no answer recorded)
DNS: storewhile.net Type: A ➝ (no answer recorded)
DNS: mightwhile.net Type: A ➝ (no answer recorded)
DNS: storequestion.net Type: A ➝ (no answer recorded)
DNS: mightquestion.net Type: A ➝ (no answer recorded)
DNS: storetherefore.net Type: A ➝ (no answer recorded)
DNS: mighttherefore.net Type: A ➝ (no answer recorded)
DNS: doctorschool.net Type: A ➝ (no answer recorded)
DNS: prettyschool.net Type: A ➝ (no answer recorded)
DNS: doctorwhile.net Type: A ➝ (no answer recorded)
DNS: prettywhile.net Type: A ➝ (no answer recorded)
DNS: doctorquestion.net Type: A ➝ (no answer recorded)
DNS: prettyquestion.net Type: A ➝ (no answer recorded)
DNS: doctortherefore.net Type: A ➝ (no answer recorded)
DNS: prettytherefore.net Type: A ➝ (no answer recorded)
DNS: fellowschool.net Type: A ➝ (no answer recorded)
DNS: doubleschool.net Type: A ➝ (no answer recorded)
DNS: fellowwhile.net Type: A ➝ (no answer recorded)
DNS: doublewhile.net Type: A ➝ (no answer recorded)
DNS: fellowquestion.net Type: A ➝ (no answer recorded)
DNS: doublequestion.net Type: A ➝ (no answer recorded)
DNS: fellowtherefore.net Type: A ➝ (no answer recorded)
DNS: brokenschool.net Type: A ➝ (no answer recorded)
DNS: resultschool.net Type: A ➝ (no answer recorded)
DNS: brokenwhile.net Type: A ➝ (no answer recorded)
DNS: resultwhile.net Type: A ➝ (no answer recorded)
DNS: resultquestion.net Type: A ➝ (no answer recorded)
DNS: brokentherefore.net Type: A ➝ (no answer recorded)
DNS: resulttherefore.net Type: A ➝ (no answer recorded)
DNS: prepareschool.net Type: A ➝ (no answer recorded)
DNS: desireschool.net Type: A ➝ (no answer recorded)
DNS: preparewhile.net Type: A ➝ (no answer recorded)
DNS: desirewhile.net Type: A ➝ (no answer recorded)
DNS: preparequestion.net Type: A ➝ (no answer recorded)
DNS: desirequestion.net Type: A ➝ (no answer recorded)
DNS: preparetherefore.net Type: A ➝ (no answer recorded)
DNS: desiretherefore.net Type: A ➝ (no answer recorded)
DNS: stillschool.net Type: A ➝ (no answer recorded)
DNS: strengthwhile.net Type: A ➝ (no answer recorded)
DNS: stillwhile.net Type: A ➝ (no answer recorded)
DNS: strengthquestion.net Type: A ➝ (no answer recorded)
DNS: stillquestion.net Type: A ➝ (no answer recorded)
DNS: strengththerefore.net Type: A ➝ (no answer recorded)
DNS: stilltherefore.net Type: A ➝ (no answer recorded)
DNS: movementhunger.net Type: A ➝ (no answer recorded)
DNS: outsidehunger.net Type: A ➝ (no answer recorded)
DNS: outsidetraining.net Type: A ➝ (no answer recorded)
DNS: movementstorm.net Type: A ➝ (no answer recorded)
DNS: outsidestorm.net Type: A ➝ (no answer recorded)
DNS: movementthrown.net Type: A ➝ (no answer recorded)
DNS: outsidethrown.net Type: A ➝ (no answer recorded)
DNS: buildinghunger.net Type: A ➝ (no answer recorded)
DNS: eveninghunger.net Type: A ➝ (no answer recorded)
DNS: buildingtraining.net Type: A ➝ (no answer recorded)
DNS: eveningtraining.net Type: A ➝ (no answer recorded)
DNS: eveningstorm.net Type: A ➝ (no answer recorded)
DNS: buildingthrown.net Type: A ➝ (no answer recorded)
DNS: eveningthrown.net Type: A ➝ (no answer recorded)
DNS: storehunger.net Type: A ➝ (no answer recorded)
DNS: mighthunger.net Type: A ➝ (no answer recorded)
DNS: storetraining.net Type: A ➝ (no answer recorded)
DNS: mighttraining.net Type: A ➝ (no answer recorded)
DNS: storestorm.net Type: A ➝ (no answer recorded)
DNS: mightstorm.net Type: A ➝ (no answer recorded)
DNS: storethrown.net Type: A ➝ (no answer recorded)
DNS: mightthrown.net Type: A ➝ (no answer recorded)
DNS: doctorhunger.net Type: A ➝ (no answer recorded)
DNS: prettyhunger.net Type: A ➝ (no answer recorded)
DNS: prettytraining.net Type: A ➝ (no answer recorded)
DNS: prettystorm.net Type: A ➝ (no answer recorded)
DNS: doctorthrown.net Type: A ➝ (no answer recorded)
DNS: prettythrown.net Type: A ➝ (no answer recorded)
DNS: fellowhunger.net Type: A ➝ (no answer recorded)
DNS: doublehunger.net Type: A ➝ (no answer recorded)
DNS: fellowtraining.net Type: A ➝ (no answer recorded)
DNS: doubletraining.net Type: A ➝ (no answer recorded)
DNS: fellowstorm.net Type: A ➝ (no answer recorded)
DNS: doublestorm.net Type: A ➝ (no answer recorded)
DNS: fellowthrown.net Type: A ➝ (no answer recorded)
DNS: doublethrown.net Type: A ➝ (no answer recorded)
DNS: brokenhunger.net Type: A ➝ (no answer recorded)
DNS: resulthunger.net Type: A ➝ (no answer recorded)
DNS: brokentraining.net Type: A ➝ (no answer recorded)
DNS: resulttraining.net Type: A ➝ (no answer recorded)
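Every queried name above is two dictionary words glued together (building + school, movement + training, prepare + therefore) and most lookups came back with nothing, which is how a word-list DGA looks from the DNS side; the Nivdort/Bayrob labels the AV engines report are consistent with that. The Python below is an added triage example by the editor, not part of the sandbox report or the sample's own code: it takes an excerpt of the lookups transcribed from the list above (embedded inline as constructed input), recovers the two word lists by finding, for each label, the split point at which both halves are reused by the most other labels, and reports how many names fail to factor and how many lookups were answered. The reuse heuristic and the thresholds are the editor's choice, not the malware's actual generator.

```python
from collections import Counter

# Constructed excerpt of the A-record lookups in the report above: "name=ip" where
# the sandbox recorded an answer, a bare name where it recorded none.
REPORT_DNS = """
mightanger.net=208.100.26.234 doctoralways.net=195.22.28.196 buildingschool.net=72.167.232.36 eveningschool.net=50.63.202.50 doubletherefore.net=208.100.26.234 brokenquestion.net=195.22.28.196 strengthschool.net=50.63.202.38 movementtraining.net=108.163.251.66
buildingstorm.net=184.168.221.53 doctortraining.net=184.168.221.96 doctorstorm.net=72.21.91.60 fw.ename.net=198.148.92.57 melbourneit.hotkeysparking.com=8.5.1.16 movementanger.net outsideanger.net movementalways.net
outsidealways.net movementforest.net outsideforest.net buildingwheat.net eveningwheat.net buildinganger.net eveninganger.net buildingalways.net
eveningalways.net buildingforest.net eveningforest.net storewheat.net mightwheat.net storeanger.net storealways.net mightalways.net
storeforest.net mightforest.net doctorwheat.net prettywheat.net doctoranger.net prettyanger.net prettyalways.net doctorforest.net
prettyforest.net fellowwheat.net doublewheat.net fellowanger.net doubleanger.net fellowalways.net doublealways.net fellowforest.net
doubleforest.net brokenwheat.net resultwheat.net brokenanger.net resultanger.net brokenalways.net resultalways.net brokenforest.net
resultforest.net preparewheat.net desirewheat.net prepareanger.net desireanger.net preparealways.net desirealways.net prepareforest.net
desireforest.net strengthwheat.net stillwheat.net strengthanger.net stillanger.net strengthalways.net stillalways.net strengthforest.net
stillforest.net movementschool.net outsideschool.net movementwhile.net outsidewhile.net movementquestion.net outsidequestion.net movementtherefore.net
outsidetherefore.net buildingwhile.net eveningwhile.net buildingquestion.net eveningquestion.net buildingtherefore.net eveningtherefore.net storeschool.net
mightschool.net storewhile.net mightwhile.net storequestion.net mightquestion.net storetherefore.net mighttherefore.net doctorschool.net
storestorm.net mightstorm.net storetraining.net mighttraining.net prettytraining.net prettystorm.net fellowstorm.net doublestorm.net
movementhunger.net outsidehunger.net buildinghunger.net eveninghunger.net movementthrown.net outsidethrown.net buildingthrown.net eveningthrown.net
"""


def parse_records(text):
    """Return [(hostname, ip_or_None), ...] from the whitespace-separated excerpt."""
    records = []
    for token in text.split():
        name, _, ip = token.partition("=")
        records.append((name.lower(), ip or None))
    return records


def sld(hostname):
    """Label the DGA actually chooses: 'fw.ename.net' -> 'ename'."""
    parts = hostname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def best_split(label, prefix_count, suffix_count):
    """Split `label` into (prefix, suffix, reuse); reuse is the number of labels
    sharing the less-shared half. Ties go to the split with more reuse overall."""
    best = None
    for i in range(1, len(label)):
        pre, suf = label[:i], label[i:]
        score = (min(prefix_count[pre], suffix_count[suf]),
                 prefix_count[pre] + suffix_count[suf])
        if best is None or score > best[0]:
            best = (score, pre, suf)
    if best is None:                      # one-character label: nothing to split
        return label, "", 0
    return best[1], best[2], best[0][0]


def factor_labels(labels):
    """Count how many labels start/end with every substring, then pick the best
    two-word split for each label."""
    prefix_count, suffix_count = Counter(), Counter()
    for label in labels:
        for i in range(1, len(label)):
            prefix_count[label[:i]] += 1
            suffix_count[label[i:]] += 1
    return {label: best_split(label, prefix_count, suffix_count) for label in labels}


def dga_report(records, min_reuse=3, min_factor_rate=0.9, max_vocab_ratio=0.5):
    """Recovered word lists, labels that do not factor, answered-lookup count and
    a verdict. Thresholds are heuristic (editor's choice)."""
    labels = sorted({sld(host) for host, _ in records})
    splits = factor_labels(labels)
    factored = {lab: (p, s) for lab, (p, s, reuse) in splits.items() if reuse >= min_reuse}
    prefixes = sorted({p for p, _ in factored.values()})
    suffixes = sorted({s for _, s in factored.values()})
    factor_rate = len(factored) / len(labels)
    vocab_ratio = (len(prefixes) + len(suffixes)) / len(labels)
    return {
        "labels": len(labels),
        "factored": len(factored),
        "prefixes": prefixes,
        "suffixes": suffixes,
        "unfactored": sorted(set(labels) - set(factored)),
        "resolved": sum(1 for _, ip in records if ip),
        "lookups": len(records),
        "dictionary_dga": factor_rate >= min_factor_rate and vocab_ratio <= max_vocab_ratio,
    }


if __name__ == "__main__":
    for key, value in dga_report(parse_records(REPORT_DNS)).items():
        print(f"{key}: {value}")
```

On this excerpt the two parking hostnames (fw.ename.net, melbourneit.hotkeysparking.com) are the only labels that do not factor, and the recovered vocabulary is 16 first words by 12 second words, far smaller than the number of distinct names queried. Two caveats for anyone reusing this: the split heuristic needs enough sibling names per word to beat accidental shared substrings (a single host's short capture may not give that), and the answered lookups here land on parking and sinkhole-looking addresses, so resolution alone does not identify the live C2.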
HTTP GET: http://mightanger.net/index.php  User-Agent: (none)
HTTP GET: http://doctoralways.net/index.php  User-Agent: (none)
HTTP GET: http://outsideschool.net/index.php  User-Agent: (none)
HTTP GET: http://buildingschool.net/index.php  User-Agent: (none)
HTTP GET: http://eveningschool.net/index.php  User-Agent: (none)
HTTP GET: http://doctorschool.net/index.php  User-Agent: (none)
HTTP GET: http://doubletherefore.net/index.php  User-Agent: (none)
HTTP GET: http://brokenquestion.net/index.php  User-Agent: (none)
HTTP GET: http://strengthschool.net/index.php  User-Agent: (none)
HTTP GET: http://movementtraining.net/index.php  User-Agent: (none)
HTTP GET: http://buildingstorm.net/index.php  User-Agent: (none)
HTTP GET: http://doctortraining.net/index.php  User-Agent: (none)
HTTP GET: http://doctorstorm.net/index.php  User-Agent: (none)
Flow TCP: 192.168.1.1:1031 ➝ 208.100.26.234:80
Flow TCP: 192.168.1.1:1032 ➝ 195.22.28.196:80
Flow TCP: 192.168.1.1:1033 ➝ 198.148.92.57:80
Flow TCP: 192.168.1.1:1034 ➝ 72.167.232.36:80
Flow TCP: 192.168.1.1:1035 ➝ 50.63.202.50:80
Flow TCP: 192.168.1.1:1036 ➝ 8.5.1.16:80
Flow TCP: 192.168.1.1:1037 ➝ 208.100.26.234:80
Flow TCP: 192.168.1.1:1038 ➝ 195.22.28.196:80
Flow TCP: 192.168.1.1:1039 ➝ 50.63.202.38:80
Flow TCP: 192.168.1.1:1040 ➝ 108.163.251.66:80
Flow TCP: 192.168.1.1:1041 ➝ 184.168.221.53:80
Flow TCP: 192.168.1.1:1042 ➝ 184.168.221.96:80
Flow TCP: 192.168.1.1:1043 ➝ 72.21.91.60:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   69676874 616e6765 722e6e65 740d0a0d   ightanger.net...
0x00000050 (00080)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 72616c77 6179732e 6e65740d   octoralways.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206f   : close..Host: o
0x00000040 (00064)   75747369 64657363 686f6f6c 2e6e6574   utsideschool.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e6773 63686f6f 6c2e6e65   uildingschool.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   76656e69 6e677363 686f6f6c 2e6e6574   veningschool.net
0x00000050 (00080)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 72736368 6f6f6c2e 6e65740d   octorschool.net.
0x00000050 (00080)   0a0d0a0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f75626c 65746865 7265666f 72652e6e   oubletherefore.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   726f6b65 6e717565 7374696f 6e2e6e65   rokenquestion.ne
0x00000050 (00080)   740d0a0d 0a0a                         t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   7472656e 67746873 63686f6f 6c2e6e65   trengthschool.ne
0x00000050 (00080)   740d0a0d 0a0a                         t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f76656d 656e7474 7261696e 696e672e   ovementtraining.
0x00000050 (00080)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e6773 746f726d 2e6e6574   uildingstorm.net
0x00000050 (00080)   0d0a0d0a 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 72747261 696e696e 672e6e65   octortraining.ne
0x00000050 (00080)   740d0a0d 0a0d0a                       t......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 7273746f 726d2e6e 65740d0a   octorstorm.net..
0x00000050 (00080)   0d0a                                  ..
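Decoded, every dump above is the same request: `GET /index.php HTTP/1.0` with exactly three headers (Accept: */*, Connection: close, Host) in that order and no User-Agent, which is a stable fingerprint no matter which generated hostname the day's word list produces. The Python below is an added example by the editor, not code from the report or the sample: it turns the sandbox's hex-dump format back into bytes (checking each row's offset against the bytes decoded so far), parses the request, and matches that header profile. Two dumps are copied verbatim from the block above; the ordinary browser-style request used as a negative control is constructed for the example.

```python
import re

# Two of the request dumps from the "Raw Pcap" block above, copied verbatim
# (hex offset, decimal offset, up to four 32-bit hex groups, ASCII rendering).
RAW_PCAP = """
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   69676874 616e6765 722e6e65 740d0a0d   ightanger.net...
0x00000050 (00080)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   76656e69 6e677363 686f6f6c 2e6e6574   veningschool.net
0x00000050 (00080)   0d0a0d0a 0a                           .....
"""

# Constructed negative control: a request with a User-Agent and browser-style
# header order, not taken from the capture.
NORMAL_REQUEST = (b"GET /index.php HTTP/1.1\r\nHost: example.net\r\n"
                  b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\nConnection: close\r\n\r\n")

DUMP_LINE = re.compile(r"^0x([0-9a-fA-F]+)\s+\(\d+\)\s+(.*)$")
HEX_GROUP = re.compile(r"^(?:[0-9a-fA-F]{2}){1,4}$")


def split_dumps(text):
    """One dump per blank-line-separated block."""
    return [blk for blk in re.split(r"\n\s*\n", text.strip()) if blk.strip()]


def hexdump_to_bytes(dump):
    """Rebuild the captured bytes from one dump; a row whose offset does not
    match the byte count so far means a row was lost or duplicated."""
    buf = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue
        offset, rest = int(m.group(1), 16), m.group(2)
        if offset != len(buf):
            raise ValueError(f"row offset 0x{offset:x} but {len(buf)} bytes decoded")
        for token in rest.split()[:4]:      # at most four groups per row
            if not HEX_GROUP.match(token):  # first non-hex token is the ASCII column
                break
            buf += bytes.fromhex(token)
    return bytes(buf)


def parse_http_request(raw):
    """Minimal HTTP/1.x request parser: request line, headers (order kept, names
    lower-cased) and whatever bytes follow the blank line."""
    head, sep, trailing = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in request")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "trailing": trailing}


def matches_beacon_profile(req):
    """The profile every request in the capture shares: HTTP/1.0 GET /index.php
    carrying exactly Accept, Connection and Host, in that order, no User-Agent."""
    h = req["headers"]
    return (req["method"] == "GET" and req["target"] == "/index.php"
            and req["version"] == "HTTP/1.0"
            and list(h) == ["accept", "connection", "host"]
            and h["accept"] == "*/*" and h["connection"] == "close")


def beacon_hosts(text):
    """Host header of every dump in `text` whose request matches the profile."""
    hosts = []
    for dump in split_dumps(text):
        req = parse_http_request(hexdump_to_bytes(dump))
        if matches_beacon_profile(req):
            hosts.append(req["headers"]["host"])
    return hosts


if __name__ == "__main__":
    print(beacon_hosts(RAW_PCAP))
    print(matches_beacon_profile(parse_http_request(NORMAL_REQUEST)))
```

The second dump carries a stray 0x0a after the header terminator; the parser keeps it as `trailing` rather than failing, since the header block is what the profile is built on. In a proxy or Zeek http.log, the same profile reduces to "method GET, uri /index.php, version 1.0, user_agent empty" and needs no knowledge of the hostnames.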


Strings