Analysis Date: 2015-10-03 10:01:32
MD5: 7648ee3b2c542cf73bbf115548ca715f
SHA1: 6403bbfe24933a5468e649c2e2901203d8471681

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 30c7d622e7ebbb69bc83406fb91a07ea sha1: d3f31e80f470c789ae3bef93dd4790e1c5009a8e size: 1410048
Section .rdata: md5: b3ec308d4b3f6cd7a3f60a0e30440057 sha1: ba26e427dd6e2b502169b1e179a070ff6e37acf6 size: 343552
Section .data: md5: 570b048fdee9e3da35a170f8236d08e3 sha1: 6b01bd1433d7a43b800c5485119bbc3a0905ce05 size: 8704
Section .reloc: md5: 6fe6a7a0cfe8c9c3bd6fef326e68d606 sha1: bc59f556ece4e223078f2ef8f8eff0f3fd966f65 size: 199680
Timestamp: 2015-05-11 04:26:51
Packer: VC8 -> Microsoft Corporation
PEhash: 323df74e78b4eb759b3858398c931a677189e460
IMPhash: ceb4fbe4d4f5d95770303b3750018bc6
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: Trojan-FGIJ!7648EE3B2C54
AV Avira (antivir): TR/Crypt.Xpack.280396
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Diley.1
AV Alwil (avast): Dropper-OJQ [Drp]
AV Eset (nod32): Win32/Bayrob.Z
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Bayrob.X!tr
AV BitDefender: Gen:Variant.Diley.1
AV K7: Trojan ( 004c77f41 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BN
AV MicroWorld (escan): Gen:Variant.Diley.1
AV MalwareBytes: no_virus
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Diley.1
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Diley.1
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.5
AV F-Secure: Gen:Variant.Diley.1

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\tuvodxh\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\chjykhlg1mm8zwidwiggvv.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\chjykhlg1mm8zwidwiggvv.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\chjykhlg1mm8zwidwiggvv.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Call Redirector WMI Secondary Connect ➝ C:\WINDOWS\system32\hjyfaecgppc.exe
Creates File: C:\WINDOWS\system32\hjyfaecgppc.exe
Creates File: C:\WINDOWS\system32\tuvodxh\lck
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\tuvodxh\tst
Creates File: C:\WINDOWS\system32\tuvodxh\etc
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\hjyfaecgppc.exe
Creates Service: Adaptive Resolution Endpoint Net.Tcp - C:\WINDOWS\system32\hjyfaecgppc.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ Pid 1016

Process
↳ Pid 1204

Process
↳ Pid 1292

Process
↳ Pid 1856

Process
↳ Pid 1152

Process
↳ C:\WINDOWS\system32\hjyfaecgppc.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\tuvodxh\lck
Creates File: C:\WINDOWS\system32\tuvodxh\tst
Creates File: C:\WINDOWS\system32\jtjvdcxpvap.exe
Creates File: C:\WINDOWS\system32\tuvodxh\cfg
Creates File: C:\WINDOWS\system32\tuvodxh\rng
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\tuvodxh\run
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\chjykhlg1twtzw.exe
Deletes File: C:\WINDOWS\TEMP\chjykhlg1twtzw.exe
Creates Process: C:\WINDOWS\TEMP\chjykhlg1twtzw.exe -r 33831 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\hjyfaecgppc.exe"

Process
↳ C:\WINDOWS\system32\hjyfaecgppc.exe

Process
↳ WATCHDOGPROC "c:\windows\system32\hjyfaecgppc.exe"

Creates File: C:\WINDOWS\system32\tuvodxh\tst

Process
↳ C:\WINDOWS\TEMP\chjykhlg1twtzw.exe -r 33831 tcp

Network Details:

