Analysis Date | 2016-02-13 10:48:41 |
---|---|
MD5 | a504039250466a10a1a5010508d12348 |
SHA1 | 594a7625cd0ce63315206e40b004ed120c096b5e |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: cda55539cbe4ad19f20b738ac9add36e sha1: d661ce8758d4b7e8cc2fc6e311bb89a56e4343c7 size: 1116672 | |
Section | .rdata md5: ce964d554a205b8479853dd3a6cb7855 sha1: a5325219afe4835004e949130bb11771507b8dab size: 276480 | |
Section | .data md5: e2d1fa3951041d4b5ba01832220a9089 sha1: 3bbd8343f36fe43b577534e0599a5993a4880720 size: 3072 | |
Section | .reloc md5: d65658a97f3c2c11e02459ba16a767fa sha1: 430b7421f1da9e35132026139609c0bc2631c7c8 size: 141312 | |
Timestamp | 2015-06-06 22:24:13 | |
Packer | Microsoft Visual C++ ?.? | |
PEhash | 57baac8c4cf2ddf1b8bc3449fa36deb685ff5052 | |
IMPhash | bac688424740259a01371f18e458ddf7 | |
AV | CA (E-Trust Ino) | Gen:Variant.Kazy.794416 |
AV | Rising | No Virus |
AV | Mcafee | Trojan-FHSX!A50403925046 |
AV | Avira (antivir) | TR/Taranis.2092 |
AV | Twister | No Virus |
AV | Ad-Aware | Gen:Variant.Kazy.794416 |
AV | Alwil (avast) | No Virus |
AV | Eset (nod32) | Win32/Bayrob.BK |
AV | Grisoft (avg) | No Virus |
AV | Symantec | No Virus |
AV | Fortinet | W32/Bayrob.AQ!tr |
AV | BitDefender | Gen:Variant.Kazy.794416 |
AV | K7 | Trojan ( 004da8bd1 ) |
AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.DG |
AV | MicroWorld (escan) | Gen:Variant.Kazy.794416 |
AV | MalwareBytes | No Virus |
AV | Authentium | No Virus |
AV | Emsisoft | Gen:Variant.Kazy.794416 |
AV | Frisk (f-prot) | No Virus |
AV | Ikarus | No Virus |
AV | Zillya! | No Virus |
AV | Kaspersky | Trojan.Win32.Generic |
AV | Trend Micro | No Virus |
AV | VirusBlokAda (vba32) | No Virus |
AV | CAT (quickheal) | TrojanSpy.Nivdort.g4 |
AV | BullGuard | Gen:Variant.Kazy.794416 |
AV | Arcabit (arcavir) | Gen:Variant.Kazy.794416 |
AV | ClamAV | No Virus |
AV | Dr. Web | No Virus |
AV | F-Secure | Gen:Variant.Kazy.794416 |
Runtime Details:
Screenshot | ![]() |
---|
Process
↳ C:\malware.exe
Creates File | PIPE\lsarpc |
---|---|
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\yyemslfcfju6rit7jojgmgd.exe |
Creates File | C:\WINDOWS\system32\acufymmijwmy\tst |
Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\yyemslfcfju6rit7jojgmgd.exe |
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\yyemslfcfju6rit7jojgmgd.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Health WLAN VC Machine Media Diagnostic ➝ C:\WINDOWS\system32\jbmzeog.exe |
---|---|
Creates File | C:\WINDOWS\system32\jbmzeog.exe |
Creates File | C:\WINDOWS\system32\acufymmijwmy\lck |
Creates File | PIPE\lsarpc |
Creates File | C:\WINDOWS\system32\acufymmijwmy\tst |
Creates Process | C:\WINDOWS\system32\jbmzeog.exe |
Creates Service | CardSpace Storage Cryptographic Quality - C:\WINDOWS\system32\jbmzeog.exe |
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 812
Process
↳ Pid 860
Process
↳ C:\WINDOWS\System32\svchost.exe
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
---|
Process
↳ Pid 1216
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Process
↳ Pid 1188
Process
↳ C:\WINDOWS\system32\jbmzeog.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1 |
---|---|
Creates File | C:\WINDOWS\system32\acufymmijwmy\lck |
Creates File | C:\WINDOWS\system32\acufymmijwmy\run |
Creates File | C:\WINDOWS\system32\acufymmijwmy\cfg |
Creates File | C:\WINDOWS\system32\acufymmijwmy\rng |
Creates File | pipe\net\NtControlPipe10 |
Creates File | C:\WINDOWS\system32\inqstfcmvi.exe |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\WINDOWS\TEMP\yyemsl3qe4ttrit7.exe |
Creates File | C:\WINDOWS\system32\acufymmijwmy\tst |
Creates Process | WATCHDOGPROC "c:\windows\system32\jbmzeog.exe" |
Creates Process | C:\WINDOWS\TEMP\yyemsl3qe4ttrit7.exe -r 52075 tcp |
Process
↳ C:\WINDOWS\system32\jbmzeog.exe
Creates File | PIPE\lsarpc |
---|---|
Creates File | C:\WINDOWS\system32\acufymmijwmy\tst |
Process
↳ c:\windows\system32\jbmzeog.exe
Creates File | C:\WINDOWS\system32\acufymmijwmy\tst |
---|
Process
↳ WATCHDOGPROC "c:\windows\system32\jbmzeog.exe"
Creates File | C:\WINDOWS\system32\acufymmijwmy\tst |
---|---|
Creates Process | c:\windows\system32\jbmzeog.exe |
Process
↳ C:\WINDOWS\TEMP\yyemsl3qe4ttrit7.exe -r 52075 tcp
Creates File | \Device\Afd\Endpoint |
---|---|
Winsock DNS | 239.255.255.250 |
Network Details:
Raw Pcap
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2072 : close..Host: r 0x00000040 (00064) 69646465 6e73746f 726d2e6e 65740d0a iddenstorm.net.. 0x00000050 (00080) 0d0a .. 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2064 : close..Host: d 0x00000040 (00064) 72697665 66696e64 2e6e6574 0d0a0d0a rivefind.net.... 0x00000050 (00080) 0d0a .. 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2064 : close..Host: d 0x00000040 (00064) 72697665 77656172 2e6e6574 0d0a0d0a rivewear.net.... 0x00000050 (00080) 0d0a .. 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206e : close..Host: n 0x00000040 (00064) 61696c77 6561722e 6e65740d 0a0d0a0a ailwear.net..... 0x00000050 (00080) 0d0a .. 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2067 : close..Host: g 0x00000040 (00064) 61696e68 656c702e 6e65740d 0a0d0a0a ainhelp.net..... 0x00000050 (00080) 0d0a .. 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2066 : close..Host: f 0x00000040 (00064) 61636568 656c702e 6e65740d 0a0d0a0a acehelp.net..... 0x00000050 (00080) 0d0a .. 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2077 : close..Host: w 0x00000040 (00064) 616c6b68 656c702e 6e65740d 0a0d0a0a alkhelp.net..... 0x00000050 (00080) 0d0a .. 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2077 : close..Host: w 0x00000040 (00064) 65616b73 6c6f772e 6e65740d 0a0d0a0a eakslow.net..... 0x00000050 (00080) 0d0a ..
Strings