Analysis Date: 2016-01-28 12:38:39
MD5: 2c5364bb5e8328ff90e045e384817551
SHA1: 5462a8088d57aa14764751116b4a8a54ec0b12f1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: d2085b947c166d2e09f28f420271f253 sha1: 7bf3645cecb681b221e5d737ca56f4e7096142ea size: 546304
Section .rdata: md5: 45f75c91e83cda9e5f9420e11e3f0f7c sha1: 00e90b44a07f2500f63a0a7f167183c466cbc0f3 size: 265216
Section .data: md5: 07b5472d347d42780469fb2654b7fc54 sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d size: 512
Section .reloc: md5: 32e6a84f85e6e84ab0f1a304eb3f4fcd sha1: 3a9c301129552a7449559abe580a922cee593e7c size: 87040
Timestamp: 2015-12-29 20:34:45
PEhash: 653310d5185caaa8bd9663ab3cb5303382234396
IMPhash: 1d9ec139740b59d7e932dcf601823e63
AV Rising: No Virus
AV Mcafee: Trojan-FHOH!2C5364BB5E83
AV Avira (antivir): TR/Nivdort.A.27654
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Kazy.791077
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): Win32/Bayrob.AS
AV Grisoft (avg): Win32/Heur
AV Symantec: No Virus
AV Fortinet: No Virus
AV BitDefender: Gen:Variant.Kazy.791077
AV K7: Trojan ( 004db0c61 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DG
AV MicroWorld (escan): Gen:Variant.Kazy.791077
AV MalwareBytes: No Virus
AV Authentium: W32/Trojan.CPLL-7670
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Kazy.791077
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Bayrob.bwia
AV Trend Micro: No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Gen:Variant.Kazy.791077
AV Arcabit (arcavir): Gen:Variant.Kazy.791077
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.3746
AV F-Secure: Gen:Variant.Kazy.791077
AV CA (E-Trust Ino): No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\hhukckheruxk\tst
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\idpw2ro1n85h3g8ortblpzft.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\idpw2ro1n85h3g8ortblpzft.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\idpw2ro1n85h3g8ortblpzft.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SSDP Topology Now Ordering HomeGroup ➝ C:\WINDOWS\system32\llsxjdtzqnnn.exe
Creates File: C:\WINDOWS\system32\hhukckheruxk\tst
Creates File: C:\WINDOWS\system32\hhukckheruxk\lck
Creates File: C:\WINDOWS\system32\llsxjdtzqnnn.exe
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\llsxjdtzqnnn.exe
Creates Service: Engine Upgrade Ordering Search Keying Agent - C:\WINDOWS\system32\llsxjdtzqnnn.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1852

Process
↳ Pid 1136

Process
↳ C:\WINDOWS\system32\llsxjdtzqnnn.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\hhukckheruxk\rng
Creates File: C:\WINDOWS\system32\hhukckheruxk\run
Creates File: C:\WINDOWS\system32\hhukckheruxk\cfg
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\WINDOWS\system32\hhukckheruxk\tst
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\hhukckheruxk\lck
Creates File: C:\WINDOWS\TEMP\idpw2ronw4i0qg8or.exe
Creates File: C:\WINDOWS\system32\nstezdrl.exe
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\TEMP\idpw2ronw4i0qg8or.exe -r 43840 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\llsxjdtzqnnn.exe"

Process
↳ C:\WINDOWS\system32\llsxjdtzqnnn.exe

Creates File: C:\WINDOWS\system32\hhukckheruxk\tst
Creates File: PIPE\lsarpc

Process
↳ WATCHDOGPROC "c:\windows\system32\llsxjdtzqnnn.exe"

Creates File: C:\WINDOWS\system32\hhukckheruxk\tst

Process
↳ C:\WINDOWS\TEMP\idpw2ronw4i0qg8or.exe -r 43840 tcp

Winsock DNS: 239.255.255.250

Network Details:

DNS: journeymeasure.net (Type: A) ➝ 50.87.249.65
DNS: simonettedwerryhouse.net (Type: A) ➝ 98.139.135.129
DNS: morningduring.net (Type: A) ➝ 98.139.135.129
DNS: riddenstorm.net (Type: A) ➝ 66.147.240.171
DNS: effortbuilt.net (Type: A) ➝ 198.27.70.45
DNS: thosewhile.net (Type: A) ➝ 198.27.70.45
DNS: fearboat.net (Type: A) ➝ 195.22.28.199
DNS: fearboat.net (Type: A) ➝ 195.22.28.196
DNS: fearboat.net (Type: A) ➝ 195.22.28.197
DNS: fearboat.net (Type: A) ➝ 195.22.28.198
DNS: westboat.net (Type: A) ➝ 213.186.33.104
DNS: westrest.net (Type: A) ➝ 208.100.26.234
DNS: leadpress.net (Type: A) ➝ 98.124.199.4
DNS: orderthrown.net (Type: A)
DNS: decidepromise.net (Type: A)
DNS: seasonstrong.net (Type: A)
DNS: chiefanother.net (Type: A)
DNS: gwendolynhuddleston.net (Type: A)
DNS: oftensurprise.net (Type: A)
DNS: pointkind.net (Type: A)
DNS: callkind.net (Type: A)
DNS: nonewild.net (Type: A)
DNS: liarwild.net (Type: A)
DNS: nonejune.net (Type: A)
DNS: liarjune.net (Type: A)
DNS: nonebegan.net (Type: A)
DNS: liarbegan.net (Type: A)
DNS: nonekind.net (Type: A)
DNS: liarkind.net (Type: A)
DNS: wellwild.net (Type: A)
DNS: nosewild.net (Type: A)
DNS: welljune.net (Type: A)
DNS: nosejune.net (Type: A)
DNS: wellbegan.net (Type: A)
DNS: nosebegan.net (Type: A)
DNS: wellkind.net (Type: A)
DNS: nosekind.net (Type: A)
DNS: ringwild.net (Type: A)
DNS: favorwild.net (Type: A)
DNS: ringjune.net (Type: A)
DNS: favorjune.net (Type: A)
DNS: ringbegan.net (Type: A)
DNS: favorbegan.net (Type: A)
DNS: ringkind.net (Type: A)
DNS: favorkind.net (Type: A)
DNS: sorryboat.net (Type: A)
DNS: fiftyboat.net (Type: A)
DNS: sorrypress.net (Type: A)
DNS: fiftypress.net (Type: A)
DNS: sorryrest.net (Type: A)
DNS: fiftyrest.net (Type: A)
DNS: sorryopen.net (Type: A)
DNS: fiftyopen.net (Type: A)
DNS: theirboat.net (Type: A)
DNS: likrboat.net (Type: A)
DNS: theirpress.net (Type: A)
DNS: likrpress.net (Type: A)
DNS: theirrest.net (Type: A)
DNS: likrrest.net (Type: A)
DNS: theiropen.net (Type: A)
DNS: likropen.net (Type: A)
DNS: fearpress.net (Type: A)
DNS: westpress.net (Type: A)
DNS: fearrest.net (Type: A)
DNS: fearopen.net (Type: A)
DNS: westopen.net (Type: A)
DNS: tableboat.net (Type: A)
DNS: leadboat.net (Type: A)
DNS: tablepress.net (Type: A)
DNS: tablerest.net (Type: A)
DNS: leadrest.net (Type: A)
DNS: tableopen.net (Type: A)
DNS: leadopen.net (Type: A)
DNS: pointboat.net (Type: A)
DNS: callboat.net (Type: A)
DNS: pointpress.net (Type: A)
HTTP GET: http://journeymeasure.net/index.php
User-Agent:
HTTP GET: http://simonettedwerryhouse.net/index.php
User-Agent:
HTTP GET: http://morningduring.net/index.php
User-Agent:
HTTP GET: http://riddenstorm.net/index.php
User-Agent:
HTTP GET: http://effortbuilt.net/index.php
User-Agent:
HTTP GET: http://thosewhile.net/index.php
User-Agent:
HTTP GET: http://fearboat.net/index.php
User-Agent:
HTTP GET: http://westboat.net/index.php
User-Agent:
HTTP GET: http://westrest.net/index.php
User-Agent:
HTTP GET: http://leadpress.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1038 ➝ 50.87.249.65:80
Flows TCP: 192.168.1.1:1039 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1040 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1041 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1042 ➝ 198.27.70.45:80
Flows TCP: 192.168.1.1:1043 ➝ 198.27.70.45:80
Flows TCP: 192.168.1.1:1044 ➝ 195.22.28.199:80
Flows TCP: 192.168.1.1:1045 ➝ 213.186.33.104:80
Flows TCP: 192.168.1.1:1046 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1047 ➝ 98.124.199.4:80
