Analysis Date: 2015-08-27 08:59:52
MD5: 543e4f4a3e37fbb99cca476313b1a32e
SHA1: 593e06b48102745bccd5068aa2e178dda1cf7c3e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: e299cedc11c9a7bff3e3fe3f236d1f88 sha1: acd756f29a3be5b76314e8694c29d112ada6dbbc size: 784896
Section .rdata: md5: 0e101fd9c2df9ddfaf0e8154a0bf8847 sha1: dcbc5ce303119583e44ce44fbf4e1f6ffa4b1adc size: 99840
Section .data: md5: 95dfcd39e8cd20d554b6541b8e9a8e99 sha1: f66e78c67b49e87d9f37de82b46d55a0176b3955 size: 7168
Section .reloc: md5: f07648bac8dbda0ee50f30704221e060 sha1: 25ab0ce3a34c7ed3cfcb5b1aab506dd5df821b72 size: 83968
Timestamp: 2015-05-08 07:34:15
Packer: Microsoft Visual C++ 8
PEhash: 82a8005b44177f0e9008154a314b7ccc20f09363
IMPhash: cf8248ecfb5510efe3cc6fc515d47d0a
AV Rising: Trojan.Win32.Bayrod.a
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.609540
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.609540
AV BullGuard: Gen:Variant.Kazy.609540
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Scar.jkkf
AV Zillya!: Trojan.Scar.Win32.92329
AV Emsisoft: Gen:Variant.Kazy.609540
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.R.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.609540
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BG
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Kazy.609540
AV Fortinet: W32/Bayrob.T!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.T
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Kazy.609540
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.Xpack.263980
AV Mcafee: RDN/Generic PWS.y

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\usxmptzfpmled\ev1lnyrlx7rga6qi.exe
Creates File: C:\WINDOWS\usxmptzfpmled\gr8ezmbzim
Creates File: C:\usxmptzfpmled\gr8ezmbzim
Deletes File: C:\WINDOWS\usxmptzfpmled\gr8ezmbzim
Creates Process: C:\usxmptzfpmled\ev1lnyrlx7rga6qi.exe

Process
↳ C:\usxmptzfpmled\ev1lnyrlx7rga6qi.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Host Task Resolution Enumerator VC Log ➝ C:\usxmptzfpmled\mqwmgoqrmsq.exe
Creates File: C:\usxmptzfpmled\mqwmgoqrmsq.exe
Creates File: PIPE\lsarpc
Creates File: C:\usxmptzfpmled\yyzhrsrc
Creates File: C:\WINDOWS\usxmptzfpmled\gr8ezmbzim
Creates File: C:\usxmptzfpmled\gr8ezmbzim
Deletes File: C:\WINDOWS\usxmptzfpmled\gr8ezmbzim
Creates Process: C:\usxmptzfpmled\mqwmgoqrmsq.exe
Creates Service: Presentation Audio Machine Encryption - C:\usxmptzfpmled\mqwmgoqrmsq.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1876

Process
↳ Pid 1140

Process
↳ C:\usxmptzfpmled\mqwmgoqrmsq.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\usxmptzfpmled\boxwroujguxj.exe
Creates File: C:\usxmptzfpmled\yyzhrsrc
Creates File: C:\WINDOWS\usxmptzfpmled\gr8ezmbzim
Creates File: \Device\Afd\Endpoint
Creates File: C:\usxmptzfpmled\jwhgule
Creates File: C:\usxmptzfpmled\gr8ezmbzim
Deletes File: C:\WINDOWS\usxmptzfpmled\gr8ezmbzim
Creates Process: dinppxlzkvd1 "c:\usxmptzfpmled\mqwmgoqrmsq.exe"

Process
↳ C:\usxmptzfpmled\mqwmgoqrmsq.exe

Creates File: C:\WINDOWS\usxmptzfpmled\gr8ezmbzim
Creates File: C:\usxmptzfpmled\gr8ezmbzim
Deletes File: C:\WINDOWS\usxmptzfpmled\gr8ezmbzim

Process
↳ dinppxlzkvd1 "c:\usxmptzfpmled\mqwmgoqrmsq.exe"

Creates File: C:\WINDOWS\usxmptzfpmled\gr8ezmbzim
Creates File: C:\usxmptzfpmled\gr8ezmbzim
Deletes File: C:\WINDOWS\usxmptzfpmled\gr8ezmbzim

Network Details:

HTTP GET: http://possibleperiod.net/index.php
User-Agent:
HTTP GET: http://finishperiod.net/index.php
User-Agent:
HTTP GET: http://severadifference.net/index.php
User-Agent:
HTTP GET: http://simpledifference.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 192.64.119.216:80
Flows TCP: 192.168.1.1:1032 ➝ 50.63.202.32:80
Flows TCP: 192.168.1.1:1033 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1034 ➝ 31.22.4.18:80

Raw Pcap


Strings