Analysis Date: 2015-09-28 12:02:42
MD5: a16ababcd718e0f358385afc67668e3b
SHA1: 5e0a6798ed6ad9d6c53270f472467c30928a595b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: c813dc5357acd387e9826847034f3fb7, sha1: ed1a99f08635069cca334bb99ff935e67f938c29, size: 195584
Section .rdata: md5: cc237c3915108b0af537d65775330190, sha1: 2f4e0ccd31c03c6b74dccc3bb8ad702e6486fd4a, size: 51712
Section .data: md5: f8a97bec7e3f10dabe9a050b709d5431, sha1: 07561a642eda5d215805b0fabf75c23ddf8aef9a, size: 7680
Section .reloc: md5: a3c6f310c8492fa199d3899fff206d09, sha1: 2cb0ce73976ccb1a4221633a9de9aaff4e9cfba3, size: 14336
Timestamp: 2015-04-29 19:03:34
Packer: Microsoft Visual C++ 8
PEhash: 4e5724e768d28d9630737d422cf50ad5e085ba86
IMPhash: 3003fb6e7e9d60a46bb105117065d7d6
AV CA (E-Trust Ino): no_virus
AV Rising: Trojan.Win32.Bayrod.a
AV Mcafee: Trojan-FGIJ!A16ABABCD718
AV Avira (antivir): TR/Kryptik.qgmpd
AV Twister: Trojan.0000E9000000006A1.mg
AV Ad-Aware: Gen:Variant.Kazy.604861
AV Alwil (avast): VB-AJEW [Trj]
AV Eset (nod32): Win32/Bayrob.Q
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Generic.AC.215362
AV BitDefender: Gen:Variant.Kazy.604861
AV K7: Trojan ( 004c12491 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AL
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV MalwareBytes: Trojan.Agent.KVTGen
AV Authentium: W32/Scar.R.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Kazy.604861
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.604861
AV Arcabit (arcavir): Gen:Variant.Kazy.604861
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV F-Secure: Gen:Variant.Kazy.604861

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\ymdghyjuew\ibrpxwko
Creates File: C:\ymdghyjuew\twx1kxhwctnccux.exe
Creates File: C:\WINDOWS\ymdghyjuew\ibrpxwko
Deletes File: C:\WINDOWS\ymdghyjuew\ibrpxwko
Creates Process: C:\ymdghyjuew\twx1kxhwctnccux.exe

Process
↳ C:\ymdghyjuew\twx1kxhwctnccux.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Performance NetBIOS Propagation ➝ C:\ymdghyjuew\mrdjdwew.exe
Creates File: C:\ymdghyjuew\ibrpxwko
Creates File: C:\WINDOWS\ymdghyjuew\ibrpxwko
Creates File: C:\ymdghyjuew\mrdjdwew.exe
Creates File: C:\ymdghyjuew\dgns1vp
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\ymdghyjuew\ibrpxwko
Creates Process: C:\ymdghyjuew\mrdjdwew.exe
Creates Service: Visual RPC Coordinator Class Application COM - C:\ymdghyjuew\mrdjdwew.exe

Process
↳ Pid 820

Process
↳ Pid 864

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1124

Process
↳ Pid 1220

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1852

Process
↳ Pid 1180

Process
↳ C:\ymdghyjuew\mrdjdwew.exe

Creates File: C:\ymdghyjuew\ibrpxwko
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\ymdghyjuew\ibrpxwko
Creates File: C:\ymdghyjuew\dgns1vp
Creates File: \Device\Afd\Endpoint
Creates File: C:\ymdghyjuew\omhnpljqhcyr.exe
Creates File: C:\ymdghyjuew\njycsgu3u
Deletes File: C:\WINDOWS\ymdghyjuew\ibrpxwko
Creates Process: hm3kmjzacctg "c:\ymdghyjuew\mrdjdwew.exe"

Process
↳ C:\ymdghyjuew\mrdjdwew.exe

Creates File: C:\ymdghyjuew\ibrpxwko
Creates File: C:\WINDOWS\ymdghyjuew\ibrpxwko
Deletes File: C:\WINDOWS\ymdghyjuew\ibrpxwko

Process
↳ hm3kmjzacctg "c:\ymdghyjuew\mrdjdwew.exe"

Creates File: C:\ymdghyjuew\ibrpxwko
Creates File: C:\WINDOWS\ymdghyjuew\ibrpxwko
Deletes File: C:\WINDOWS\ymdghyjuew\ibrpxwko

Network Details:

DNS: effortadvance.net
Type: A
95.211.230.75
DNS: chairproblem.net
Type: A
95.211.230.75
HTTP GET: http://effortadvance.net/index.php
User-Agent:
HTTP GET: http://chairproblem.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1032 ➝ 95.211.230.75:80
