Analysis Date: 2015-09-19 08:36:35
MD5: 104a75e7248251f70d99749f0532d0cb
SHA1: 561b4f3e66915be053d583c0820b03d07418bee4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5ae55b7a6ce48fb4cf284ee33dd8e7ad sha1: 8a02b5992948879df2067efb766510af1a7cf109 size: 1225216
Section .rdata: md5: f7f4a5446e1753aae3c0b9a75f01ae47 sha1: ead20cbe96f489e19da130cc27da59951f9aab38 size: 302080
Section .data: md5: b239638829e1e995e00a236ef896dd76 sha1: c54d39418e23095394f15cca730fd7186a021355 size: 8192
Section .reloc: md5: b8f15c68eec351193b8b99081ac25272 sha1: 6b18d078d6b8e67b2d62aa5c6b8a262f75cfb905 size: 158720
Timestamp: 2015-05-11 04:37:33
Packer: VC8 -> Microsoft Corporation
PEhash: cec24189e2cca164966d3ea0c541e4be69328a65
IMPhash: 4884d12db1cb865cb724b05c1ea90cf6
AV Dr. Web: Trojan.Bayrob.5
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV Emsisoft: Gen:Variant.Diley.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BN
AV Symantec: Downloader.Upatre!g15
AV Eset (nod32): Win32/Bayrob.Z
AV Padvish: no_virus
AV CA (E-Trust Ino): no_virus
AV Fortinet: W32/Bayrob.X!tr
AV Avira (antivir): TR/Crypt.Xpack.259020
AV Trend Micro: no_virus
AV Frisk (f-prot): no_virus
AV Alwil (avast): Dropper-OJQ [Drp]
AV ClamAV: no_virus
AV F-Secure: Gen:Variant.Diley.1
AV Mcafee: Trojan-FGIJ!104A75E72482
AV Twister: no_virus
AV Grisoft (avg): Win32/Cryptor
AV BitDefender: Gen:Variant.Diley.1
AV Rising: no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Ad-Aware: Gen:Variant.Diley.1
AV CAT (quickheal): no_virus
AV K7: Trojan ( 004c77f41 )
AV VirusBlokAda (vba32): no_virus
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Kaspersky: Backdoor.Win32.SoxGrave.bsg
AV BullGuard: Gen:Variant.Diley.1
AV MalwareBytes: no_virus
AV Zillya!: Backdoor.SoxGrave.Win32.724

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nmtbcoiu1kiqmgvkfgikt06.exe
Creates File: C:\WINDOWS\system32\ejusfuqxvr\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\nmtbcoiu1kiqmgvkfgikt06.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\nmtbcoiu1kiqmgvkfgikt06.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Control Enumerator Window Agent ➝ C:\WINDOWS\system32\odlcfdhwercj.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\ejusfuqxvr\lck
Creates File: C:\WINDOWS\system32\ejusfuqxvr\tst
Creates File: C:\WINDOWS\system32\ejusfuqxvr\etc
Creates File: C:\WINDOWS\system32\odlcfdhwercj.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\odlcfdhwercj.exe
Creates Service: DLL Acquisition Defender Server Transaction - C:\WINDOWS\system32\odlcfdhwercj.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1856

Process
↳ Pid 1148

Process
↳ C:\WINDOWS\system32\odlcfdhwercj.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\ejusfuqxvr\lck
Creates File: C:\WINDOWS\system32\ejusfuqxvr\tst
Creates File: C:\WINDOWS\system32\owrmzwhme.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\ejusfuqxvr\rng
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\nmtbcoiu1rb2mgvk.exe
Creates File: C:\WINDOWS\system32\ejusfuqxvr\run
Creates File: C:\WINDOWS\system32\ejusfuqxvr\cfg
Creates Process: WATCHDOGPROC "c:\windows\system32\odlcfdhwercj.exe"
Creates Process: C:\WINDOWS\TEMP\nmtbcoiu1rb2mgvk.exe -r 34229 tcp

Process
↳ C:\WINDOWS\system32\odlcfdhwercj.exe

Creates File: C:\WINDOWS\system32\ejusfuqxvr\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\odlcfdhwercj.exe"

Creates File: C:\WINDOWS\system32\ejusfuqxvr\tst

Process
↳ C:\WINDOWS\TEMP\nmtbcoiu1rb2mgvk.exe -r 34229 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:
