Analysis Date: 2016-02-13 10:48:41
MD5: a504039250466a10a1a5010508d12348
SHA1: 594a7625cd0ce63315206e40b004ed120c096b5e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text (md5: cda55539cbe4ad19f20b738ac9add36e, sha1: d661ce8758d4b7e8cc2fc6e311bb89a56e4343c7, size: 1116672)
Section: .rdata (md5: ce964d554a205b8479853dd3a6cb7855, sha1: a5325219afe4835004e949130bb11771507b8dab, size: 276480)
Section: .data (md5: e2d1fa3951041d4b5ba01832220a9089, sha1: 3bbd8343f36fe43b577534e0599a5993a4880720, size: 3072)
Section: .reloc (md5: d65658a97f3c2c11e02459ba16a767fa, sha1: 430b7421f1da9e35132026139609c0bc2631c7c8, size: 141312)
Timestamp: 2015-06-06 22:24:13
Packer: Microsoft Visual C++ ?.?
PEhash: 57baac8c4cf2ddf1b8bc3449fa36deb685ff5052
IMPhash: bac688424740259a01371f18e458ddf7
AV CA (E-Trust Ino): Gen:Variant.Kazy.794416
AV Rising: No Virus
AV Mcafee: Trojan-FHSX!A50403925046
AV Avira (antivir): TR/Taranis.2092
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Kazy.794416
AV Alwil (avast): No Virus
AV Eset (nod32): Win32/Bayrob.BK
AV Grisoft (avg): No Virus
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.AQ!tr
AV BitDefender: Gen:Variant.Kazy.794416
AV K7: Trojan ( 004da8bd1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DG
AV MicroWorld (escan): Gen:Variant.Kazy.794416
AV MalwareBytes: No Virus
AV Authentium: No Virus
AV Emsisoft: Gen:Variant.Kazy.794416
AV Frisk (f-prot): No Virus
AV Ikarus: No Virus
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.g4
AV BullGuard: Gen:Variant.Kazy.794416
AV Arcabit (arcavir): Gen:Variant.Kazy.794416
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Kazy.794416

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\yyemslfcfju6rit7jojgmgd.exe
Creates File: C:\WINDOWS\system32\acufymmijwmy\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\yyemslfcfju6rit7jojgmgd.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\yyemslfcfju6rit7jojgmgd.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Health WLAN VC Machine Media Diagnostic ➝ C:\WINDOWS\system32\jbmzeog.exe
Creates File: C:\WINDOWS\system32\jbmzeog.exe
Creates File: C:\WINDOWS\system32\acufymmijwmy\lck
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\acufymmijwmy\tst
Creates Process: C:\WINDOWS\system32\jbmzeog.exe
Creates Service: CardSpace Storage Cryptographic Quality - C:\WINDOWS\system32\jbmzeog.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1188

Process
↳ C:\WINDOWS\system32\jbmzeog.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\acufymmijwmy\lck
Creates File: C:\WINDOWS\system32\acufymmijwmy\run
Creates File: C:\WINDOWS\system32\acufymmijwmy\cfg
Creates File: C:\WINDOWS\system32\acufymmijwmy\rng
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\inqstfcmvi.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\yyemsl3qe4ttrit7.exe
Creates File: C:\WINDOWS\system32\acufymmijwmy\tst
Creates Process: WATCHDOGPROC "c:\windows\system32\jbmzeog.exe"
Creates Process: C:\WINDOWS\TEMP\yyemsl3qe4ttrit7.exe -r 52075 tcp

Process
↳ C:\WINDOWS\system32\jbmzeog.exe

Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\acufymmijwmy\tst

Process
↳ c:\windows\system32\jbmzeog.exe

Creates File: C:\WINDOWS\system32\acufymmijwmy\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\jbmzeog.exe"

Creates File: C:\WINDOWS\system32\acufymmijwmy\tst
Creates Process: c:\windows\system32\jbmzeog.exe

Process
↳ C:\WINDOWS\TEMP\yyemsl3qe4ttrit7.exe -r 52075 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: riddenstorm.net Type: A ➝ 66.147.240.171
DNS: drivefind.net Type: A ➝ 69.64.147.249
DNS: drivewear.net Type: A ➝ 141.8.225.31
DNS: nailwear.net Type: A ➝ 14.63.216.242
DNS: gainhelp.net Type: A ➝ 89.248.171.88
DNS: facehelp.net Type: A ➝ 217.160.213.41
DNS: walkhelp.net Type: A ➝ 162.255.119.249
DNS: weakslow.net Type: A ➝ 208.100.26.234
DNS: doubleobject.net Type: A
DNS: brokenthird.net Type: A
DNS: mightspecial.net Type: A
DNS: dulcibellamartinson.net Type: A
DNS: mariabellabotwright.net Type: A
DNS: simonettesherisse.net Type: A
DNS: decidebetween.net Type: A
DNS: aloneneighbor.net Type: A
DNS: gentleangry.net Type: A
DNS: gwendolynhuddleston.net Type: A
DNS: simonettedwerryhouse.net Type: A
DNS: seasonstrong.net Type: A
DNS: oftensurprise.net Type: A
DNS: chiefanother.net Type: A
DNS: morningduring.net Type: A
DNS: wifeabout.net Type: A
DNS: casestep.net Type: A
DNS: afterhurt.net Type: A
DNS: forcehurt.net Type: A
DNS: selltold.net Type: A
DNS: wednesdaytold.net Type: A
DNS: sellfind.net Type: A
DNS: wednesdayfind.net Type: A
DNS: sellwear.net Type: A
DNS: wednesdaywear.net Type: A
DNS: sellhurt.net Type: A
DNS: wednesdayhurt.net Type: A
DNS: drivetold.net Type: A
DNS: nailtold.net Type: A
DNS: nailfind.net Type: A
DNS: drivehurt.net Type: A
DNS: nailhurt.net Type: A
DNS: fieldslow.net Type: A
DNS: queenslow.net Type: A
DNS: fieldfebruary.net Type: A
DNS: queenfebruary.net Type: A
DNS: fieldhelp.net Type: A
DNS: queenhelp.net Type: A
DNS: fieldnovember.net Type: A
DNS: queennovember.net Type: A
DNS: bothslow.net Type: A
DNS: gainslow.net Type: A
DNS: bothfebruary.net Type: A
DNS: gainfebruary.net Type: A
DNS: bothhelp.net Type: A
DNS: bothnovember.net Type: A
DNS: gainnovember.net Type: A
DNS: leastslow.net Type: A
DNS: faceslow.net Type: A
DNS: leastfebruary.net Type: A
DNS: facefebruary.net Type: A
DNS: leasthelp.net Type: A
DNS: leastnovember.net Type: A
DNS: facenovember.net Type: A
DNS: monthslow.net Type: A
DNS: walkslow.net Type: A
DNS: monthfebruary.net Type: A
DNS: walkfebruary.net Type: A
DNS: monthhelp.net Type: A
DNS: monthnovember.net Type: A
DNS: walknovember.net Type: A
DNS: storyslow.net Type: A
DNS: storyfebruary.net Type: A
DNS: weakfebruary.net Type: A
DNS: storyhelp.net Type: A
DNS: weakhelp.net Type: A
DNS: storynovember.net Type: A
DNS: weaknovember.net Type: A
DNS: afterslow.net Type: A
DNS: forceslow.net Type: A
DNS: afterfebruary.net Type: A
DNS: forcefebruary.net Type: A
DNS: afterhelp.net Type: A
DNS: forcehelp.net Type: A
DNS: afternovember.net Type: A
DNS: forcenovember.net Type: A
DNS: sellslow.net Type: A
DNS: wednesdayslow.net Type: A
DNS: sellfebruary.net Type: A
HTTP GET: http://riddenstorm.net/index.php (User-Agent: none)
HTTP GET: http://drivefind.net/index.php (User-Agent: none)
HTTP GET: http://drivewear.net/index.php (User-Agent: none)
HTTP GET: http://nailwear.net/index.php (User-Agent: none)
HTTP GET: http://gainhelp.net/index.php (User-Agent: none)
HTTP GET: http://facehelp.net/index.php (User-Agent: none)
HTTP GET: http://walkhelp.net/index.php (User-Agent: none)
HTTP GET: http://weakslow.net/index.php (User-Agent: none)
Flows TCP: 192.168.1.1:1036 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1038 ➝ 69.64.147.249:80
Flows TCP: 192.168.1.1:1039 ➝ 141.8.225.31:80
Flows TCP: 192.168.1.1:1040 ➝ 14.63.216.242:80
Flows TCP: 192.168.1.1:1041 ➝ 89.248.171.88:80
Flows TCP: 192.168.1.1:1042 ➝ 217.160.213.41:80
Flows TCP: 192.168.1.1:1043 ➝ 162.255.119.249:80
Flows TCP: 192.168.1.1:1044 ➝ 208.100.26.234:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69646465 6e73746f 726d2e6e 65740d0a   iddenstorm.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   72697665 66696e64 2e6e6574 0d0a0d0a   rivefind.net....
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   72697665 77656172 2e6e6574 0d0a0d0a   rivewear.net....
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206e   : close..Host: n
0x00000040 (00064)   61696c77 6561722e 6e65740d 0a0d0a0a   ailwear.net.....
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2067   : close..Host: g
0x00000040 (00064)   61696e68 656c702e 6e65740d 0a0d0a0a   ainhelp.net.....
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   61636568 656c702e 6e65740d 0a0d0a0a   acehelp.net.....
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   616c6b68 656c702e 6e65740d 0a0d0a0a   alkhelp.net.....
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   65616b73 6c6f772e 6e65740d 0a0d0a0a   eakslow.net.....
0x00000050 (00080)   0d0a                                  ..
Strings