Analysis Date: 2016-03-20 07:39:43
MD5: 630c5983c587a167fadc52f6bd895326
SHA1: 5de5b17e929abfa981137524354d45e410164abc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: ae88fd6635fc0e87c1c558f771502daf sha1: 01480525aa1c225c5aa41752b1fc57322eaa33bf size: 184320
Section .rdata: md5: eadca4d2aa811e930df8fccd8aee2a41 sha1: 3303427e54812a23383569a0d6d6c16e3c6ee44c size: 2560
Section .data: md5: 1e353c9455380cc5d4eec08a7a15162c sha1: 4a3cc7c4888c6697e1441e3aea03b11c56f6a303 size: 15872
Section .reloc: md5: 587c72c01462c36ce1c92e3af016a144 sha1: 1de68be3a99ee219d6fdd42189cfbf18084b3f63 size: 30720
Timestamp: 2014-06-04 14:13:24
PEhash: af69b4bcd68dcce332bf31773a4866676df0f6d0
IMPhash: cd2acfb10847251865b499606ce28b9b
AV CA (E-Trust Ino): Gen:Variant.Razy.18137
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DE
AV Rising: No Virus
AV Mcafee: Trojan-FHQT!630C5983C587
AV MicroWorld (escan): Gen:Variant.Razy.18137
AV MalwareBytes: No Virus
AV Avira (antivir): TR/Nivdort.A.38419
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): W32/Nivdort.G.gen!Eldorado
AV Authentium: W32/Nivdort.G.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.18137
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.18137
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV Alwil (avast): Vupa [Cryp]
AV Eset (nod32): Win32/Bayrob.BA
AV Grisoft (avg): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV Symantec: Trojan.Bayrob!gen6
AV BullGuard: Gen:Variant.Razy.18137
AV Arcabit (arcavir): Gen:Variant.Razy.18137
AV Fortinet: W32/Bayrob.AQ!tr
AV ClamAV: No Virus
AV BitDefender: Gen:Variant.Razy.18137
AV Dr. Web: No Virus
AV K7: Trojan ( 004dc2a31 )
AV F-Secure: Gen:Variant.Razy.18137

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\yfzeewksdhc\y7q1lqzp7pbxgql0gjr.exe
Creates File: C:\WINDOWS\yfzeewksdhc\ardaxua
Creates File: C:\yfzeewksdhc\ardaxua
Deletes File: C:\WINDOWS\yfzeewksdhc\ardaxua
Creates Process: C:\yfzeewksdhc\y7q1lqzp7pbxgql0gjr.exe

Process
↳ C:\yfzeewksdhc\y7q1lqzp7pbxgql0gjr.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Cryptographic Error Security Fax Microsoft ➝ C:\yfzeewksdhc\ukabbusz.exe
Creates File: C:\yfzeewksdhc\ukabbusz.exe
Creates File: PIPE\lsarpc
Creates File: C:\yfzeewksdhc\nxabds
Creates File: C:\WINDOWS\yfzeewksdhc\ardaxua
Creates File: C:\yfzeewksdhc\ardaxua
Deletes File: C:\WINDOWS\yfzeewksdhc\ardaxua
Creates Process: C:\yfzeewksdhc\ukabbusz.exe
Creates Service: Image CNG Profile Tunneling Function Parental - C:\yfzeewksdhc\ukabbusz.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1848

Process
↳ Pid 1132

Process
↳ C:\yfzeewksdhc\ukabbusz.exe

Creates File: C:\yfzeewksdhc\iskyanhpd.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\yfzeewksdhc\nxabds
Creates File: \Device\Afd\Endpoint
Creates File: C:\yfzeewksdhc\kfny0vzet
Creates File: C:\WINDOWS\yfzeewksdhc\ardaxua
Creates File: C:\yfzeewksdhc\ardaxua
Deletes File: C:\WINDOWS\yfzeewksdhc\ardaxua
Creates Process: ampqxsnsogpu "c:\yfzeewksdhc\ukabbusz.exe"

Process
↳ C:\yfzeewksdhc\ukabbusz.exe

Creates File: C:\WINDOWS\yfzeewksdhc\ardaxua
Creates File: C:\yfzeewksdhc\ardaxua
Deletes File: C:\WINDOWS\yfzeewksdhc\ardaxua

Process
↳ ampqxsnsogpu "c:\yfzeewksdhc\ukabbusz.exe"

Creates File: C:\WINDOWS\yfzeewksdhc\ardaxua
Creates File: C:\yfzeewksdhc\ardaxua
Deletes File: C:\WINDOWS\yfzeewksdhc\ardaxua

Network Details:

