Analysis Date: 2015-08-14 10:00:50
MD5: d308a11ee74eacc6a3802846dc8f6a0f
SHA1: 5fd1c2026c0c2cf08e1979bfd72fd238dc9139d4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: d39cfafc4eee2cd72e2a8f045162fa84 sha1: 485920667ef277a540174248cdfe25218e9265ff size: 197632
Section .rdata: md5: 8c50ebd1e59f30d1be555f3a9baf34c2 sha1: 7e3888354febfbaee4a8b8c2f4e2c59b1d6a488c size: 53760
Section .data: md5: f47c6a40c1c1249d0716ce8acf5771a0 sha1: e383d5d9770a065fcf4480f76fcf4eb94f032d8b size: 7168
Section .reloc: md5: c51a267da7a97547092eced7e7159788 sha1: 4bc7dadfd41364280697548bf075586a9c78458b size: 14336
Timestamp: 2015-04-29 19:22:04
Packer: Microsoft Visual C++ 8
PEhash: ab491d2ccafdf83678cf7a6537956f4ed028416b
IMPhash: 9c5e6cd735944ac00313550d5b307b18
AV Fortinet: W32/Generic.AC.215362
AV BitDefender: Gen:Variant.Kazy.604861
AV Emsisoft: Gen:Variant.Kazy.604861
AV Padvish: no_virus
AV Authentium: W32/Scar.R.gen!Eldorado
AV Rising: Trojan.Win32.Bayrod.a
AV Twister: Trojan.0000E9000000006A1.mg
AV Ad-Aware: Gen:Variant.Kazy.604861
AV Zillya!: no_virus
AV Frisk (f-prot): no_virus
AV Trend Micro: TROJ_BAYROB.SM0
AV F-Secure: Gen:Variant.Kazy.604861
AV K7: Trojan ( 004c12491 )
AV MalwareBytes: Trojan.Agent.KVTGen
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Alwil (avast): VB-AJEW [Trj]
AV Kaspersky: Trojan.Win32.Scar.jckp
AV Mcafee: Trojan-FGIJ!D308A11EE74E
AV Microsoft Security Essentials: no_virus
AV Avira (antivir): TR/Crypt.Xpack.196027
AV BullGuard: Gen:Variant.Kazy.604861
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV Grisoft (avg): PSW.Generic12.BSCD
AV ClamAV: no_virus
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Arcabit (arcavir): Gen:Variant.Kazy.604861
AV Dr. Web: Trojan.Bayrob.1
AV CA (E-Trust Ino): no_virus
AV Symantec: Downloader.Upatre!g15
AV Eset (nod32): Win32/Bayrob.Q

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\kdkpthbhwx\wkqhrba3
Creates File: C:\kdkpthbhwx\wkqhrba3
Creates File: C:\kdkpthbhwx\cmxty1iqhrtzof2jv.exe
Deletes File: C:\WINDOWS\kdkpthbhwx\wkqhrba3
Creates Process: C:\kdkpthbhwx\cmxty1iqhrtzof2jv.exe

Process
↳ C:\kdkpthbhwx\cmxty1iqhrtzof2jv.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Ordering NetBIOS HomeGroup ➝ C:\kdkpthbhwx\mopvqdaosjya.exe
Creates File: C:\kdkpthbhwx\mopvqdaosjya.exe
Creates File: C:\WINDOWS\kdkpthbhwx\wkqhrba3
Creates File: C:\kdkpthbhwx\wkqhrba3
Creates File: PIPE\lsarpc
Creates File: C:\kdkpthbhwx\borvqj
Deletes File: C:\WINDOWS\kdkpthbhwx\wkqhrba3
Creates Process: C:\kdkpthbhwx\mopvqdaosjya.exe
Creates Service: Themes Resource Center Group WMI PNRP - C:\kdkpthbhwx\mopvqdaosjya.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1852

Process
↳ Pid 1092

Process
↳ C:\kdkpthbhwx\mopvqdaosjya.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\kdkpthbhwx\wkqhrba3
Creates File: C:\kdkpthbhwx\wkqhrba3
Creates File: \Device\Afd\Endpoint
Creates File: C:\kdkpthbhwx\rnernapuwhr
Creates File: C:\kdkpthbhwx\dzatqidmkkz.exe
Creates File: C:\kdkpthbhwx\borvqj
Deletes File: C:\WINDOWS\kdkpthbhwx\wkqhrba3
Creates Process: chyqxzminrmc "c:\kdkpthbhwx\mopvqdaosjya.exe"

Process
↳ C:\kdkpthbhwx\mopvqdaosjya.exe

Creates File: C:\WINDOWS\kdkpthbhwx\wkqhrba3
Creates File: C:\kdkpthbhwx\wkqhrba3
Deletes File: C:\WINDOWS\kdkpthbhwx\wkqhrba3

Process
↳ chyqxzminrmc "c:\kdkpthbhwx\mopvqdaosjya.exe"

Creates File: C:\WINDOWS\kdkpthbhwx\wkqhrba3
Creates File: C:\kdkpthbhwx\wkqhrba3
Deletes File: C:\WINDOWS\kdkpthbhwx\wkqhrba3

Network Details:

DNS: personschool.net (Type: A) ➝ 165.160.15.20
DNS: personschool.net (Type: A) ➝ 165.160.13.20
DNS: foreignquestion.net (Type: A) ➝ 195.22.26.254
DNS: foreignquestion.net (Type: A) ➝ 195.22.26.231
DNS: foreignquestion.net (Type: A) ➝ 195.22.26.252
DNS: foreignquestion.net (Type: A) ➝ 195.22.26.253
DNS: rightschool.net (Type: A) ➝ 82.144.197.54
DNS: rightquestion.net (Type: A) ➝ 208.91.197.27
DNS: familyschool.net (Type: A) ➝ 50.63.202.104
DNS: childrenwhile.net (Type: A) ➝ 95.211.230.75
DNS: englishschool.net (Type: A) ➝ 72.52.4.119
DNS: englishquestion.net (Type: A) ➝ 85.25.201.249
DNS: suddenstorm.net (Type: A) ➝ 199.116.78.152
DNS: righttraining.net (Type: A) ➝ 50.63.202.68
DNS: machineschool.net (Type: A)
DNS: personwhile.net (Type: A)
DNS: machinewhile.net (Type: A)
DNS: personquestion.net (Type: A)
DNS: machinequestion.net (Type: A)
DNS: persontherefore.net (Type: A)
DNS: machinetherefore.net (Type: A)
DNS: suddenschool.net (Type: A)
DNS: foreignschool.net (Type: A)
DNS: suddenwhile.net (Type: A)
DNS: foreignwhile.net (Type: A)
DNS: suddenquestion.net (Type: A)
DNS: suddentherefore.net (Type: A)
DNS: foreigntherefore.net (Type: A)
DNS: whetherschool.net (Type: A)
DNS: whetherwhile.net (Type: A)
DNS: rightwhile.net (Type: A)
DNS: whetherquestion.net (Type: A)
DNS: whethertherefore.net (Type: A)
DNS: righttherefore.net (Type: A)
DNS: figureschool.net (Type: A)
DNS: thoughschool.net (Type: A)
DNS: figurewhile.net (Type: A)
DNS: thoughwhile.net (Type: A)
DNS: figurequestion.net (Type: A)
DNS: thoughquestion.net (Type: A)
DNS: figuretherefore.net (Type: A)
DNS: thoughtherefore.net (Type: A)
DNS: pictureschool.net (Type: A)
DNS: cigaretteschool.net (Type: A)
DNS: picturewhile.net (Type: A)
DNS: cigarettewhile.net (Type: A)
DNS: picturequestion.net (Type: A)
DNS: cigarettequestion.net (Type: A)
DNS: picturetherefore.net (Type: A)
DNS: cigarettetherefore.net (Type: A)
DNS: childrenschool.net (Type: A)
DNS: familywhile.net (Type: A)
DNS: childrenquestion.net (Type: A)
DNS: familyquestion.net (Type: A)
DNS: childrentherefore.net (Type: A)
DNS: familytherefore.net (Type: A)
DNS: eitherschool.net (Type: A)
DNS: eitherwhile.net (Type: A)
DNS: englishwhile.net (Type: A)
DNS: eitherquestion.net (Type: A)
DNS: eithertherefore.net (Type: A)
DNS: englishtherefore.net (Type: A)
DNS: expecthunger.net (Type: A)
DNS: becausehunger.net (Type: A)
DNS: expecttraining.net (Type: A)
DNS: becausetraining.net (Type: A)
DNS: expectstorm.net (Type: A)
DNS: becausestorm.net (Type: A)
DNS: expectthrown.net (Type: A)
DNS: becausethrown.net (Type: A)
DNS: personhunger.net (Type: A)
DNS: machinehunger.net (Type: A)
DNS: persontraining.net (Type: A)
DNS: machinetraining.net (Type: A)
DNS: personstorm.net (Type: A)
DNS: machinestorm.net (Type: A)
DNS: personthrown.net (Type: A)
DNS: machinethrown.net (Type: A)
DNS: suddenhunger.net (Type: A)
DNS: foreignhunger.net (Type: A)
DNS: suddentraining.net (Type: A)
DNS: foreigntraining.net (Type: A)
DNS: foreignstorm.net (Type: A)
DNS: suddenthrown.net (Type: A)
DNS: foreignthrown.net (Type: A)
DNS: whetherhunger.net (Type: A)
DNS: righthunger.net (Type: A)
DNS: whethertraining.net (Type: A)
DNS: whetherstorm.net (Type: A)
HTTP GET: http://personschool.net/index.php
User-Agent:
HTTP GET: http://foreignquestion.net/index.php
User-Agent:
HTTP GET: http://rightschool.net/index.php
User-Agent:
HTTP GET: http://rightquestion.net/index.php
User-Agent:
HTTP GET: http://familyschool.net/index.php
User-Agent:
HTTP GET: http://childrenwhile.net/index.php
User-Agent:
HTTP GET: http://englishschool.net/index.php
User-Agent:
HTTP GET: http://englishquestion.net/index.php
User-Agent:
HTTP GET: http://suddenstorm.net/index.php
User-Agent:
HTTP GET: http://righttraining.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 165.160.15.20:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.26.254:80
Flows TCP: 192.168.1.1:1033 ➝ 82.144.197.54:80
Flows TCP: 192.168.1.1:1034 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1035 ➝ 50.63.202.104:80
Flows TCP: 192.168.1.1:1036 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1037 ➝ 72.52.4.119:80
Flows TCP: 192.168.1.1:1038 ➝ 85.25.201.249:80
Flows TCP: 192.168.1.1:1039 ➝ 199.116.78.152:80
Flows TCP: 192.168.1.1:1040 ➝ 50.63.202.68:80
