Analysis Date: 2015-12-24 15:04:33
MD5: 697963ae58d79b9adaeb672b11c3478b
SHA1: 57f55a2e07857fe6883e970b88a645e0647bd15e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 56314c6c7e4c51a8e5a7adf6f49b50a9 sha1: befc22bb08c4c3aa6a0ededf01cef2d71941efa3 size: 1055744
Section .rdata: md5: adf25917a9c3c7f9830902f6243adf3d sha1: 0b5a1d829ec5a6892c840bd9f19853cf362d1496 size: 331264
Section .data: md5: 05306cbb959cd4f814c48560e95108d6 sha1: 456fef03b0419a925dca374238dafde64a095061 size: 11264
Section .reloc: md5: da5dccafbe76e2731895031e8d0d03b1 sha1: b8e9402922586ab800c644818de74243b9ffa87e size: 67584
Timestamp: 2015-04-30 21:47:10
Packer: Microsoft Visual C++ 8
PEhash: e2e358c21c6e09b134a00f9bb32183b254ef0b17
IMPhash: 48128ec9beaa7e86894821d9624ac75d
AV Ad-Aware: Gen:Variant.Kazy.606112
AV Dr. Web: Trojan.Bayrob.1
AV Kaspersky: Trojan.Win32.Generic
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV Emsisoft: Gen:Variant.Kazy.606112
AV K7: Trojan ( 004c77f41 )
AV Trend Micro: no_virus
AV Eset (nod32): Win32/Bayrob.R
AV Ikarus: Trojan.Win32.Bayrob
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Fortinet: W32/Kryptic.WU!tr
AV Grisoft (avg): Win32/Cryptor
AV Avira (antivir): TR/Boryab.aiez
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.606112
AV Symantec: Downloader.Upatre!g15
AV VirusBlokAda (vba32): no_virus
AV BitDefender: Gen:Variant.Kazy.606112
AV Zillya!: Trojan.Bayrob.Win32.1967
AV BullGuard: Gen:Variant.Kazy.606112
AV Rising: 0x592fb7ce
AV MicroWorld (escan): Gen:Variant.Kazy.606112
AV CA (E-Trust Ino): no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.CH
AV Arcabit (arcavir): Gen:Variant.Kazy.606112
AV CAT (quickheal): no_virus
AV Mcafee: Trojan-FHOH!697963AE58D7
AV Twister: W32.Bayrob.R.ccba
AV ClamAV: no_virus
AV MalwareBytes: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\mybmlxyhxjxf\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\cvxbpck1leewmrvgbzw4i.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\cvxbpck1leewmrvgbzw4i.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\cvxbpck1leewmrvgbzw4i.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Agent Computer Defender Secure PNRP Solutions ➝
C:\WINDOWS\system32\sjrrttyd.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\mybmlxyhxjxf\tst
Creates File: C:\WINDOWS\system32\mybmlxyhxjxf\etc
Creates File: C:\WINDOWS\system32\mybmlxyhxjxf\lck
Creates File: C:\WINDOWS\system32\sjrrttyd.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\sjrrttyd.exe
Creates Service: KtmRm Font Human Multimedia COM Routing SNMP - C:\WINDOWS\system32\sjrrttyd.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERe51c.dir00\svchost.exe.mdmp
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1880

Process
↳ Pid 1176

Process
↳ C:\WINDOWS\system32\sjrrttyd.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝
1
Creates File: C:\WINDOWS\TEMP\cvxbpck1sx8wm.exe
Creates File: C:\WINDOWS\system32\mybmlxyhxjxf\lck
Creates File: C:\WINDOWS\system32\mybmlxyhxjxf\run
Creates File: C:\WINDOWS\system32\hqclstwyvq.exe
Creates File: C:\WINDOWS\system32\mybmlxyhxjxf\tst
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\mybmlxyhxjxf\cfg
Creates File: C:\WINDOWS\system32\mybmlxyhxjxf\rng
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\TEMP\cvxbpck1sx8wm.exe -r 25233 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\sjrrttyd.exe"

Process
↳ C:\WINDOWS\system32\sjrrttyd.exe

Creates File: C:\WINDOWS\system32\mybmlxyhxjxf\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\sjrrttyd.exe"

Creates File: C:\WINDOWS\system32\mybmlxyhxjxf\tst

Process
↳ C:\WINDOWS\TEMP\cvxbpck1sx8wm.exe -r 25233 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: ableread.net (Type: A)
DNS: maybellinecherokee.net (Type: A)
DNS: alexandrinacalleigh.net (Type: A)
DNS: recordtrust.net (Type: A)
DNS: electricseparate.net (Type: A)
DNS: flierdress.net (Type: A)
DNS: oftenbranch.net (Type: A)
DNS: thicklaughter.net (Type: A)
DNS: rathersystem.net (Type: A)
DNS: strangedistant.net (Type: A)
DNS: doubtpaint.net (Type: A)
DNS: recorddivide.net (Type: A)
DNS: withmarry.net (Type: A)
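Analyst note and added example (not part of the sandbox output): the runtime section records two persistence mechanisms installed by the dropped cvxbpck1leewmrvgbzw4i.exe, an HKLM Run value named "Agent Computer Defender Secure PNRP Solutions" and a service named "KtmRm Font Human Multimedia COM Routing SNMP", both pointing at the randomly named C:\WINDOWS\system32\sjrrttyd.exe. The same process creates and then deletes the hosts file. sjrrttyd.exe then sets Security Center's FirewallDisableNotify to 1, which suppresses the firewall-off warning, drops a second executable and runs it with "-r 25233 tcp", and respawns itself through a WATCHDOGPROC command line; the only address that second process touches is 239.255.255.250, the SSDP multicast group. The thirteen A lookups are all two concatenated English words under .net, the shape a dictionary-word DGA produces, so none of the individual domains is a durable indicator. The Python below is written for this page, not taken from the sandbox; it parses a constructed excerpt of the report (the lines above with a ": " separator after each label) into per-process events and applies those checks. The DGA test is a heuristic of this example, not something the report states.

```python
import re

# Constructed excerpt of this report's runtime and network sections, with a
# ": " separator after each label (the page itself fuses label and value).
REPORT = r"""
Process
↳ C:\malware.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\cvxbpck1leewmrvgbzw4i.exe
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\cvxbpck1leewmrvgbzw4i.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Agent Computer Defender Secure PNRP Solutions ➝
C:\WINDOWS\system32\sjrrttyd.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\sjrrttyd.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Service: KtmRm Font Human Multimedia COM Routing SNMP - C:\WINDOWS\system32\sjrrttyd.exe
Process
↳ C:\WINDOWS\system32\sjrrttyd.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝
1
Creates File: C:\WINDOWS\TEMP\cvxbpck1sx8wm.exe
Creates File: C:\WINDOWS\system32\hqclstwyvq.exe
Creates Process: C:\WINDOWS\TEMP\cvxbpck1sx8wm.exe -r 25233 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\sjrrttyd.exe"
DNS: ableread.net (Type: A)
DNS: maybellinecherokee.net (Type: A)
DNS: alexandrinacalleigh.net (Type: A)
DNS: recordtrust.net (Type: A)
DNS: electricseparate.net (Type: A)
DNS: flierdress.net (Type: A)
DNS: oftenbranch.net (Type: A)
DNS: thicklaughter.net (Type: A)
DNS: rathersystem.net (Type: A)
DNS: strangedistant.net (Type: A)
DNS: doubtpaint.net (Type: A)
DNS: recorddivide.net (Type: A)
DNS: withmarry.net (Type: A)
"""

def parse_report(text):
    """Return (events, dns_domains); each event records the process that did it."""
    events, dns, process = [], [], None
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("↳ "):
            process = line[2:]
        elif line.startswith("DNS: "):
            dns.append(line[5:].split(" ")[0])
        elif ": " in line:
            action, value = line.split(": ", 1)
            event = {"process": process, "action": action}
            if action == "Registry" and value.endswith("➝") and i < len(lines):
                event["key"], event["data"] = value[:-1].strip(), lines[i].strip()
                i += 1  # the registry data sits on the following line
            else:
                event["value"] = value
            events.append(event)
    return events, dns

def norm_path(path):
    # Collapse doubled separators such as the "system32\\drivers" the log recorded.
    return re.sub(r"\\+", r"\\", path).lower()

def looks_like_wordlist_dga(domains, min_count=8):
    """Heuristic assumed by this example: many purely alphabetic 8+ letter names under one TLD."""
    tlds = {d.rsplit(".", 1)[-1] for d in domains}
    alpha = [d for d in domains if re.fullmatch(r"[a-z]{8,}\.[a-z]+", d)]
    return len(domains) >= min_count and len(alpha) == len(domains) and len(tlds) == 1

def analyze(text):
    events, dns = parse_report(text)
    f = {"run_keys": [], "services": [], "hosts_file": [], "security_center": [],
         "dropped_executables": [], "watchdog": [], "dns_domains": dns}
    for ev in events:
        act = ev["action"]
        if act == "Registry":
            key, name = ev["key"].lower(), ev["key"].rsplit("\\", 1)[-1]
            if "\\currentversion\\run\\" in key:  # autostart value
                f["run_keys"].append((name, ev["data"]))
            if "\\security center\\" in key and key.endswith("disablenotify") and ev["data"] == "1":
                f["security_center"].append(name)  # user warning suppressed
        elif act == "Creates Service":
            name, _, binary = ev["value"].rpartition(" - ")
            f["services"].append((name, binary))
        elif act in ("Creates File", "Deletes File"):
            p = norm_path(ev["value"])
            if p.endswith("\\drivers\\etc\\hosts"):
                f["hosts_file"].append((act, ev["process"]))
            elif p.endswith(".exe"):
                f["dropped_executables"].append((ev["value"], ev["process"]))
        elif act == "Creates Process" and ev["value"].startswith("WATCHDOGPROC "):
            f["watchdog"].append(ev["value"])  # self-respawn / watchdog
    f["dga_suspect"] = looks_like_wordlist_dga(dns)
    return f

if __name__ == "__main__":
    print(analyze(REPORT))
```

Each dropped executable is reported together with the process that wrote it, which is what makes the chain malware.exe → cvxbpck1leewmrvgbzw4i.exe → sjrrttyd.exe visible; the Run value and service binary should be hashed and compared with the sample's MD5 above before concluding they are the same file.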
