Analysis Date: 2015-07-30 23:34:00
MD5: 9df1d369fe00aab966d2d939eb45f856
SHA1: 5cd9a556a8e08b7db7a03130a2346cb71d415bc0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 8ef38effd1f619e86de473d5e787e13c  sha1: 8d091e7e27a5f26fd9bd11c37469baab5dc69910  size: 291328
Section .rdata  md5: 29aa94d01a6b8a2c4bf3c397c33466d3  sha1: f724faa689178f51acc7b9797a37773a6fb9a604  size: 58368
Section .data   md5: 770d837b1d1012ac7b17d4dc52f8aac0  sha1: 61e320c0bebcb19cb7b26dfff02ec556c927ca92  size: 7680
Section .reloc  md5: d7b55bb256b56da1bc90ddee32564e30  sha1: 8341fb58ab13c8f61fd02c4272c29955ebc483f3  size: 20992
Timestamp: 2015-05-11 06:11:17
Packer: Microsoft Visual C++ 8
PEhash: ff8ab3585f8abdbcaa1ef1e60ad53b65656faabd
IMPhash: 4be295b59fee0b0b327467315d5c15bd
AV Eset (nod32): Win32/Bayrob.V.gen
AV MalwareBytes: Trojan.Agent.KVTGen
AV Rising: Trojan.Win32.Bayrod.b
AV VirusBlokAda (vba32): no_virus
AV Twister: Trojan.Generic.jvve
AV Fortinet: W32/Bayrob.T!tr
AV Avira (antivir): TR/Crypt.ZPACK.8143
AV BullGuard: Gen:Variant.Diley.1
AV Authentium: W32/Downloader.ZODL-5479
AV Mcafee: PWS-FCCE!9DF1D369FE00
AV Dr. Web: Trojan.DownLoader13.15078
AV K7: Trojan ( 004c3a4d1 )
AV Frisk (f-prot): no_virus
AV Trend Micro: TROJ_BAYROB.SM0
AV Padvish: no_virus
AV Emsisoft: Gen:Variant.Diley.1
AV F-Secure: Gen:Variant.Diley.1
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV Ikarus: Trojan.Win32.Bayrob
AV Grisoft (avg): Win32/Cryptor
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Symantec: Downloader.Upatre!g15
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Zillya!: Trojan.Bayrob.Win32.442
AV CA (E-Trust Ino): no_virus
AV Kaspersky: Trojan.Win32.Generic
AV ClamAV: no_virus
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Ad-Aware: Gen:Variant.Diley.1
AV BitDefender: Gen:Variant.Diley.1

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\uhkwilrwf\wxnhhs5gj2r
Creates File: C:\WINDOWS\uhkwilrwf\wxnhhs5gj2r
Creates File: C:\uhkwilrwf\ehwq1m0zezceaooplyo.exe
Deletes File: C:\WINDOWS\uhkwilrwf\wxnhhs5gj2r
Creates Process: C:\uhkwilrwf\ehwq1m0zezceaooplyo.exe

Process
↳ C:\uhkwilrwf\ehwq1m0zezceaooplyo.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Credential TP Management Disk ➝ C:\uhkwilrwf\uimlfgbxmp.exe
Creates File: C:\uhkwilrwf\uimlfgbxmp.exe
Creates File: C:\uhkwilrwf\wxnhhs5gj2r
Creates File: C:\uhkwilrwf\ivh19fe
Creates File: C:\WINDOWS\uhkwilrwf\wxnhhs5gj2r
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\uhkwilrwf\wxnhhs5gj2r
Creates Process: C:\uhkwilrwf\uimlfgbxmp.exe
Creates Service: Debugger Telephony TP Bluetooth User - C:\uhkwilrwf\uimlfgbxmp.exe

Process
↳ Pid 820

Process
↳ Pid 864

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1124

Process
↳ Pid 1220

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1856

Process
↳ Pid 1164

Process
↳ C:\uhkwilrwf\uimlfgbxmp.exe

Creates File: C:\uhkwilrwf\zfcxbss7ifzu
Creates File: C:\uhkwilrwf\wxnhhs5gj2r
Creates File: pipe\net\NtControlPipe10
Creates File: C:\uhkwilrwf\ivh19fe
Creates File: C:\WINDOWS\uhkwilrwf\wxnhhs5gj2r
Creates File: \Device\Afd\Endpoint
Creates File: C:\uhkwilrwf\yritnbkdfii.exe
Deletes File: C:\WINDOWS\uhkwilrwf\wxnhhs5gj2r
Creates Process: nwixeteovovv "c:\uhkwilrwf\uimlfgbxmp.exe"

Process
↳ C:\uhkwilrwf\uimlfgbxmp.exe

Creates File: C:\uhkwilrwf\wxnhhs5gj2r
Creates File: C:\WINDOWS\uhkwilrwf\wxnhhs5gj2r
Deletes File: C:\WINDOWS\uhkwilrwf\wxnhhs5gj2r

Process
↳ nwixeteovovv "c:\uhkwilrwf\uimlfgbxmp.exe"

Creates File: C:\uhkwilrwf\wxnhhs5gj2r
Creates File: C:\WINDOWS\uhkwilrwf\wxnhhs5gj2r
Deletes File: C:\WINDOWS\uhkwilrwf\wxnhhs5gj2r

Network Details:

DNS: freshpower.net, Type: A ➝ 195.149.84.100
DNS: freshpower.net, Type: A ➝ 195.149.84.101
DNS: crowdfamous.net, Type: A ➝ 95.211.230.75
DNS: crowdpower.net, Type: A ➝ 162.244.253.60
DNS: thoughtpower.net, Type: A ➝ 23.229.204.192
DNS: waterpower.net, Type: A ➝ 72.52.4.120
DNS: womanpower.net, Type: A ➝ 72.52.4.120
DNS: partypower.net, Type: A ➝ 66.151.181.49
DNS: fightpower.net, Type: A ➝ 64.99.80.30
DNS: melbourneit.hotkeysparking.com, Type: A ➝ 8.5.1.16
DNS: fightcountry.net, Type: A ➝ 184.168.221.55
DNS: fightcondition.net, Type: A
DNS: freshcentury.net, Type: A
DNS: experiencecentury.net, Type: A
DNS: freshfamous.net, Type: A
DNS: experiencefamous.net, Type: A
DNS: experiencepower.net, Type: A
DNS: freshcountry.net, Type: A
DNS: experiencecountry.net, Type: A
DNS: gentlemancentury.net, Type: A
DNS: alreadycentury.net, Type: A
DNS: gentlemanfamous.net, Type: A
DNS: alreadyfamous.net, Type: A
DNS: gentlemanpower.net, Type: A
DNS: alreadypower.net, Type: A
DNS: gentlemancountry.net, Type: A
DNS: alreadycountry.net, Type: A
DNS: followcentury.net, Type: A
DNS: membercentury.net, Type: A
DNS: followfamous.net, Type: A
DNS: memberfamous.net, Type: A
DNS: followpower.net, Type: A
DNS: memberpower.net, Type: A
DNS: followcountry.net, Type: A
DNS: membercountry.net, Type: A
DNS: begincentury.net, Type: A
DNS: knowncentury.net, Type: A
DNS: beginfamous.net, Type: A
DNS: knownfamous.net, Type: A
DNS: beginpower.net, Type: A
DNS: knownpower.net, Type: A
DNS: begincountry.net, Type: A
DNS: knowncountry.net, Type: A
DNS: summercentury.net, Type: A
DNS: crowdcentury.net, Type: A
DNS: summerfamous.net, Type: A
DNS: summerpower.net, Type: A
DNS: summercountry.net, Type: A
DNS: crowdcountry.net, Type: A
DNS: thoughtcentury.net, Type: A
DNS: watercentury.net, Type: A
DNS: thoughtfamous.net, Type: A
DNS: waterfamous.net, Type: A
DNS: thoughtcountry.net, Type: A
DNS: watercountry.net, Type: A
DNS: womancentury.net, Type: A
DNS: smokecentury.net, Type: A
DNS: womanfamous.net, Type: A
DNS: smokefamous.net, Type: A
DNS: smokepower.net, Type: A
DNS: womancountry.net, Type: A
DNS: smokecountry.net, Type: A
DNS: partycentury.net, Type: A
DNS: fightcentury.net, Type: A
DNS: partyfamous.net, Type: A
DNS: fightfamous.net, Type: A
DNS: partycountry.net, Type: A
DNS: freshsurprise.net, Type: A
DNS: experiencesurprise.net, Type: A
DNS: freshbeside.net, Type: A
DNS: experiencebeside.net, Type: A
DNS: freshletter.net, Type: A
DNS: experienceletter.net, Type: A
DNS: freshdifferent.net, Type: A
DNS: experiencedifferent.net, Type: A
DNS: gentlemansurprise.net, Type: A
DNS: alreadysurprise.net, Type: A
DNS: gentlemanbeside.net, Type: A
DNS: alreadybeside.net, Type: A
DNS: gentlemanletter.net, Type: A
DNS: alreadyletter.net, Type: A
DNS: gentlemandifferent.net, Type: A
DNS: alreadydifferent.net, Type: A
DNS: followsurprise.net, Type: A
DNS: membersurprise.net, Type: A
DNS: followbeside.net, Type: A
DNS: memberbeside.net, Type: A
HTTP GET: http://freshpower.net/index.php
User-Agent:
HTTP GET: http://crowdfamous.net/index.php
User-Agent:
HTTP GET: http://crowdpower.net/index.php
User-Agent:
HTTP GET: http://thoughtpower.net/index.php
User-Agent:
HTTP GET: http://waterpower.net/index.php
User-Agent:
HTTP GET: http://womanpower.net/index.php
User-Agent:
HTTP GET: http://partypower.net/index.php
User-Agent:
HTTP GET: http://fightpower.net/index.php
User-Agent:
HTTP GET: http://partycountry.net/index.php
User-Agent:
HTTP GET: http://fightcountry.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 195.149.84.100:80
Flows TCP: 192.168.1.1:1032 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1033 ➝ 162.244.253.60:80
Flows TCP: 192.168.1.1:1034 ➝ 23.229.204.192:80
Flows TCP: 192.168.1.1:1035 ➝ 72.52.4.120:80
Flows TCP: 192.168.1.1:1036 ➝ 72.52.4.120:80
Flows TCP: 192.168.1.1:1037 ➝ 66.151.181.49:80
Flows TCP: 192.168.1.1:1038 ➝ 64.99.80.30:80
Flows TCP: 192.168.1.1:1039 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1040 ➝ 184.168.221.55:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   72657368 706f7765 722e6e65 740d0a0d   reshpower.net...
0x00000050 (00080)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   726f7764 66616d6f 75732e6e 65740d0a   rowdfamous.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   726f7764 706f7765 722e6e65 740d0a0d   rowdpower.net...
0x00000050 (00080)   0a0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2074   : close..Host: t
0x00000040 (00064)   686f7567 6874706f 7765722e 6e65740d   houghtpower.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746572 706f7765 722e6e65 740d0a0d   aterpower.net...
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   6f6d616e 706f7765 722e6e65 740d0a0d   omanpower.net...
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   61727479 706f7765 722e6e65 740d0a0d   artypower.net...
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   69676874 706f7765 722e6e65 740d0a0d   ightpower.net...
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   61727479 636f756e 7472792e 6e65740d   artycountry.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   69676874 636f756e 7472792e 6e65740d   ightcountry.net.
0x00000050 (00080)   0a0d0a                                ...
Strings