Analysis Date: 2016-02-13 07:48:12
MD5: 9387f13d19cffd706728ead1fc4788a8
SHA1: 63b584985d647a48bd4d3e1e506b337ac44b1f62

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: e102a46465d4d2b7cca2cd5200b0e833 sha1: 1a2974002ddebe071893502c8e6b91b5b2d8ec32 size: 303616
Section .rdata md5: faa720c9404c85fd6beda5cda544c7fe sha1: 03ba4c7437ebd5ec3b6b81512d540ffb045d39aa size: 26112
Section .data md5: 54e23902c7082801e2897590e39f464f sha1: 37139cddeffde1989cf5f5d5321d97e81148afb7 size: 20480
Section .reloc md5: 63fd085fe82d44d91d4f81c452af00b9 sha1: b8690b772d95456c27b049bc9d29723822c68cee size: 32768
Timestamp: 2014-03-18 11:36:56
Packer: Microsoft Visual C++ 8
PEhash: 0eb5473fc5e66fbef3b4082c7c1825a0e0bbda88
IMPhash: 04579775308e3393a2a94398058c3b62
AV CA (E-Trust Ino) ➝ Gen:Variant.Zusy.141475
AV Rising ➝ No Virus
AV Mcafee ➝ Trojan-FHRY!9387F13D19CF
AV Avira (antivir) ➝ TR/Taranis.2014
AV Twister ➝ No Virus
AV Ad-Aware ➝ Gen:Variant.Zusy.141475
AV Alwil (avast) ➝ No Virus
AV Eset (nod32) ➝ Win32/Bayrob.BJ
AV Grisoft (avg) ➝ No Virus
AV Symantec ➝ No Virus
AV Fortinet ➝ W32/Bayrob.AQ!tr
AV BitDefender ➝ Gen:Variant.Zusy.141475
AV K7 ➝ Trojan ( 004dc2a31 )
AV Microsoft Security Essentials ➝ TrojanSpy:Win32/Nivdort.DI
AV MicroWorld (escan) ➝ Gen:Variant.Zusy.141475
AV MalwareBytes ➝ No Virus
AV Authentium ➝ W32/Nivdort.I.gen!Eldorado
AV Emsisoft ➝ Gen:Variant.Zusy.141475
AV Frisk (f-prot) ➝ W32/Nivdort.I.gen!Eldorado
AV Ikarus ➝ Trojan.Win32.Bayrob
AV Zillya! ➝ No Virus
AV Kaspersky ➝ Trojan.Win32.Swizzor.e
AV Trend Micro ➝ No Virus
AV VirusBlokAda (vba32) ➝ No Virus
AV CAT (quickheal) ➝ TrojanSpy.Nivdort.WR4
AV BullGuard ➝ Gen:Variant.Zusy.141475
AV Arcabit (arcavir) ➝ Gen:Variant.Zusy.141475
AV ClamAV ➝ No Virus
AV Dr. Web ➝ No Virus
AV F-Secure ➝ Gen:Variant.Zusy.141475

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\gpelpyn\bernbfnsjnxr
Creates File: C:\gpelpyn\xssv1libbcxgmwvi6um.exe
Creates File: C:\WINDOWS\gpelpyn\bernbfnsjnxr
Deletes File: C:\WINDOWS\gpelpyn\bernbfnsjnxr
Creates Process: C:\gpelpyn\xssv1libbcxgmwvi6um.exe

Process
↳ C:\gpelpyn\xssv1libbcxgmwvi6um.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Access Audio DNS Driver ➝ C:\gpelpyn\mtarwkgkx.exe
Creates File: C:\gpelpyn\bernbfnsjnxr
Creates File: C:\gpelpyn\oh0xi2jw
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\gpelpyn\bernbfnsjnxr
Creates File: C:\gpelpyn\mtarwkgkx.exe
Deletes File: C:\WINDOWS\gpelpyn\bernbfnsjnxr
Creates Process: C:\gpelpyn\mtarwkgkx.exe
Creates Service: System Interactive Information - C:\gpelpyn\mtarwkgkx.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1148

Process
↳ C:\gpelpyn\mtarwkgkx.exe

Creates File: C:\gpelpyn\bernbfnsjnxr
Creates File: pipe\net\NtControlPipe10
Creates File: C:\gpelpyn\oh0xi2jw
Creates File: C:\gpelpyn\yhtfayphb
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\gpelpyn\bernbfnsjnxr
Creates File: C:\gpelpyn\aqhuhwpzuixr.exe
Deletes File: C:\WINDOWS\gpelpyn\bernbfnsjnxr
Creates Process: dczshzwdvedh "c:\gpelpyn\mtarwkgkx.exe"

Process
↳ C:\gpelpyn\mtarwkgkx.exe

Creates File: C:\gpelpyn\bernbfnsjnxr
Creates File: C:\WINDOWS\gpelpyn\bernbfnsjnxr
Deletes File: C:\WINDOWS\gpelpyn\bernbfnsjnxr

Process
↳ dczshzwdvedh "c:\gpelpyn\mtarwkgkx.exe"

Creates File: C:\gpelpyn\bernbfnsjnxr
Creates File: C:\WINDOWS\gpelpyn\bernbfnsjnxr
Deletes File: C:\WINDOWS\gpelpyn\bernbfnsjnxr

Network Details:

HTTP GET: http://mountainpower.net/index.php (User-Agent: empty)
HTTP GET: http://mountaincountry.net/index.php (User-Agent: empty)
HTTP GET: http://laughletter.net/index.php (User-Agent: empty)
HTTP GET: http://perhapsdifferent.net/index.php (User-Agent: empty)
HTTP GET: http://subjectsurprise.net/index.php (User-Agent: empty)
HTTP GET: http://sweetsurprise.net/index.php (User-Agent: empty)
HTTP GET: http://doctoropinion.net/index.php (User-Agent: empty)
HTTP GET: http://brokenpromise.net/index.php (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 52.0.96.24:80
Flows TCP: 192.168.1.1:1032 ➝ 75.119.220.11:80
Flows TCP: 192.168.1.1:1033 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1034 ➝ 195.22.28.197:80
Flows TCP: 192.168.1.1:1035 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.124:80
Flows TCP: 192.168.1.1:1037 ➝ 103.48.83.103:80
Flows TCP: 192.168.1.1:1038 ➝ 69.172.201.208:80

Raw Pcap
Strings