Analysis Date: 2015-07-30 20:49:57
MD5: cdbccdd6dff3387e767bf0b7051e85c3
SHA1: 567348c7286e5ece7e31fce8abb7c798a8fdfa64

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: b1587ee7e1329654781638f05b9c479a sha1: 876cafde71cf347ea1132bb79c0d083843f30d97 size: 196608
Section .rdata: md5: ae9c9d0b3680bd10bb226c4932469c15 sha1: 7992872ae04ec35afaf1d9ce77583f24d105c073 size: 51200
Section .data: md5: bc49ac279e87fa32e3ebc80e2845d5bb sha1: 0b8f2aa20e967383f83097719ed846d730c4d61e size: 7680
Section .reloc: md5: 9b464c1cd86b517119c26f19e012769d sha1: e1011ba976506f0afdbe9fbe85c6c133bf7c05f0 size: 14336
Timestamp: 2015-04-29 18:40:14
Packer: Microsoft Visual C++ 8
PEhash: 1e9c8c1e57a93170bfaf685097d5981d5ad412f5
IMPhash: 7e02cc6bbc342177b63f2f86b79c400e
AV BitDefender: Gen:Variant.Kazy.604861
AV ClamAV: no_virus
AV Ad-Aware: Gen:Variant.Kazy.604861
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Avira (antivir): TR/Crypt.Xpack.198972
AV Dr. Web: Trojan.Bayrob.1
AV Kaspersky: Trojan.Win32.Generic
AV Arcabit (arcavir): Gen:Variant.Kazy.604861
AV Trend Micro: TROJ_BAYROB.SM0
AV Grisoft (avg): PSW.Generic12.BRRL
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV F-Secure: Gen:Variant.Kazy.604861
AV MalwareBytes: Trojan.Agent.KVTGen
AV Mcafee: Trojan-FGIJ!CDBCCDD6DFF3
AV Symantec: Downloader.Upatre!g15
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BG
AV Twister: Trojan.0000E9000000006A1.mg
AV Frisk (f-prot): no_virus
AV Fortinet: W32/Generic.AC.215362
AV Zillya!: Trojan.Scar.Win32.89745
AV VirusBlokAda (vba32): no_virus
AV Alwil (avast): VB-AJEW [Trj]
AV CA (E-Trust Ino): no_virus
AV Padvish: no_virus
AV Authentium: W32/Scar.R.gen!Eldorado
AV Rising: Trojan.Win32.Bayrod.a
AV K7: Trojan ( 004c12491 )
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Eset (nod32): Win32/Bayrob.Q
AV BullGuard: Gen:Variant.Kazy.604861
AV Emsisoft: Gen:Variant.Kazy.604861

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\nhvvyfrzjzttxo\cgslnrs
Creates File: C:\nhvvyfrzjzttxo\pzrn1jn1vhuxreknt5w.exe
Creates File: C:\WINDOWS\nhvvyfrzjzttxo\cgslnrs
Deletes File: C:\WINDOWS\nhvvyfrzjzttxo\cgslnrs
Creates Process: C:\nhvvyfrzjzttxo\pzrn1jn1vhuxreknt5w.exe

Process
↳ C:\nhvvyfrzjzttxo\pzrn1jn1vhuxreknt5w.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Profile Discovery Update Routing ➝ C:\nhvvyfrzjzttxo\bdiukxvbnikm.exe
Creates File: C:\nhvvyfrzjzttxo\cgslnrs
Creates File: PIPE\lsarpc
Creates File: C:\nhvvyfrzjzttxo\ufo0voe
Creates File: C:\WINDOWS\nhvvyfrzjzttxo\cgslnrs
Creates File: C:\nhvvyfrzjzttxo\bdiukxvbnikm.exe
Deletes File: C:\WINDOWS\nhvvyfrzjzttxo\cgslnrs
Creates Process: C:\nhvvyfrzjzttxo\bdiukxvbnikm.exe
Creates Service: Adapter Profile Routing Panel - C:\nhvvyfrzjzttxo\bdiukxvbnikm.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1848

Process
↳ Pid 1128

Process
↳ C:\nhvvyfrzjzttxo\bdiukxvbnikm.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\nhvvyfrzjzttxo\cgslnrs
Creates File: C:\nhvvyfrzjzttxo\bnbfs5hlyb
Creates File: C:\nhvvyfrzjzttxo\ufo0voe
Creates File: C:\WINDOWS\nhvvyfrzjzttxo\cgslnrs
Creates File: \Device\Afd\Endpoint
Creates File: C:\nhvvyfrzjzttxo\bmvuklfgph.exe
Deletes File: C:\WINDOWS\nhvvyfrzjzttxo\cgslnrs
Creates Process: brf82t6soww7 "c:\nhvvyfrzjzttxo\bdiukxvbnikm.exe"

Process
↳ C:\nhvvyfrzjzttxo\bdiukxvbnikm.exe

Creates File: C:\nhvvyfrzjzttxo\cgslnrs
Creates File: C:\WINDOWS\nhvvyfrzjzttxo\cgslnrs
Deletes File: C:\WINDOWS\nhvvyfrzjzttxo\cgslnrs

Process
↳ brf82t6soww7 "c:\nhvvyfrzjzttxo\bdiukxvbnikm.exe"

Creates File: C:\nhvvyfrzjzttxo\cgslnrs
Creates File: C:\WINDOWS\nhvvyfrzjzttxo\cgslnrs
Deletes File: C:\WINDOWS\nhvvyfrzjzttxo\cgslnrs

Network Details:

DNS waterplease.net, Type: A, 182.162.94.49
DNS watercondition.net, Type: A, 204.11.56.25
DNS womannation.net, Type: A, 50.63.202.46
DNS smokecondition.net, Type: A, 208.91.197.241
DNS partynation.net, Type: A, 72.52.4.91
DNS partyplease.net, Type: A, 209.157.71.176
DNS freshpower.net, Type: A, 195.149.84.101
DNS freshpower.net, Type: A, 195.149.84.100
DNS crowdfamous.net, Type: A, 95.211.230.75
DNS crowdpower.net, Type: A, 162.244.253.60
DNS thoughtpower.net, Type: A, 23.229.204.192
DNS waterpower.net, Type: A, 72.52.4.120
DNS womanpower.net, Type: A, 72.52.4.120
HTTP GET http://waterplease.net/index.php, User-Agent:
HTTP GET http://watercondition.net/index.php, User-Agent:
HTTP GET http://womannation.net/index.php, User-Agent:
HTTP GET http://smokecondition.net/index.php, User-Agent:
HTTP GET http://partynation.net/index.php, User-Agent:
HTTP GET http://partyplease.net/index.php, User-Agent:
HTTP GET http://freshpower.net/index.php, User-Agent:
HTTP GET http://crowdfamous.net/index.php, User-Agent:
HTTP GET http://crowdpower.net/index.php, User-Agent:
HTTP GET http://thoughtpower.net/index.php, User-Agent:
HTTP GET http://waterpower.net/index.php, User-Agent:
HTTP GET http://womanpower.net/index.php, User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 182.162.94.49:80
Flows TCP: 192.168.1.1:1032 ➝ 204.11.56.25:80
Flows TCP: 192.168.1.1:1033 ➝ 50.63.202.46:80
Flows TCP: 192.168.1.1:1034 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1035 ➝ 72.52.4.91:80
Flows TCP: 192.168.1.1:1036 ➝ 209.157.71.176:80
Flows TCP: 192.168.1.1:1037 ➝ 195.149.84.101:80
Flows TCP: 192.168.1.1:1038 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1039 ➝ 162.244.253.60:80
Flows TCP: 192.168.1.1:1040 ➝ 23.229.204.192:80
Flows TCP: 192.168.1.1:1041 ➝ 72.52.4.120:80
Flows TCP: 192.168.1.1:1042 ➝ 72.52.4.120:80

Raw Pcap

Strings