Analysis Date: 2015-08-14 10:26:50
MD5: 4fcdb4ba349c43fc9a78318a2ed6d25a
SHA1: 66572b2caa828e9b2dcfb193c03118f7dd652e15

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 6c43b6d03dfd15007dd400c7431175f4  sha1: f1e211abe7e6d418976b477fcf09bf96a620af44  size: 198144
Section .rdata  md5: c264d6cbd6d9dc329b08f2591b6aa35f  sha1: 57d4a7fe1dd86e64e3e728fdcd6adeaef53481ff  size: 52224
Section .data   md5: 326af5b6732c32aa1eff6e4d8cfe355c  sha1: b8dcb5a03595b4e2e73dce72936d3b9b3d1c3cd0  size: 7168
Section .reloc  md5: 800b82a8fb27b747b7303fa139ec4a6c  sha1: a881d248b1695bf79064b36d2944603cba3d68db  size: 14336
Timestamp: 2015-04-29 18:43:35
Packer: Microsoft Visual C++ 8 (a compiler/linker signature, not a packer)
PEhash: 33a5d8c4028eefb6b0d3261c7aea999d15ded970
IMPhash: e0d20e1a19ad33f7b750e5670243de67

AV vendor                         Detection (no_virus = not detected)
BullGuard                         Gen:Variant.Kazy.604861
Alwil (avast)                     VB-AJEW [Trj]
Microsoft Security Essentials     no_virus
ClamAV                            no_virus
Fortinet                          W32/Generic.AC.215362
Trend Micro                       TROJ_BAYROB.SM0
MalwareBytes                      Trojan.Agent.KVTGen
Padvish                           no_virus
CA (E-Trust Ino)                  no_virus
Kaspersky                         Trojan.Win32.Generic
Mcafee                            Trojan-FGIJ!4FCDB4BA349C
F-Secure                          Gen:Variant.Kazy.604861
CAT (quickheal)                   TrojanSpy.Nivdort.OD4
K7                                Trojan ( 004c12491 )
Authentium                        W32/Scar.R.gen!Eldorado
MicroWorld (escan)                Gen:Variant.Kazy.604861
VirusBlokAda (vba32)              Trojan.Scar
Zillya!                           no_virus
Frisk (f-prot)                    no_virus
Ad-Aware                          Gen:Variant.Kazy.604861
Rising                            Trojan.Win32.Bayrod.a
Twister                           Trojan.0000E9000000006A1.mg
BitDefender                       Gen:Variant.Kazy.604861
Dr. Web                           Trojan.DownLoader13.14450
Emsisoft                          Gen:Variant.Kazy.604861
Eset (nod32)                      Win32/Bayrob.Q
Symantec                          Downloader.Upatre!g15
Ikarus                            Trojan.Win32.Bayrob
Grisoft (avg)                     Win32/Cryptor
Avira (antivir)                   TR/Crypt.Xpack.196181
Arcabit (arcavir)                 Gen:Variant.Kazy.604861

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\icmpamb\hxpx61m5ruhfocrzx.exe
Creates File: C:\icmpamb\vmzcgc
Creates File: C:\WINDOWS\icmpamb\vmzcgc
Deletes File: C:\WINDOWS\icmpamb\vmzcgc
Creates Process: C:\icmpamb\hxpx61m5ruhfocrzx.exe

Process
↳ C:\icmpamb\hxpx61m5ruhfocrzx.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\PNRP Layer Agent List Secondary Telephony Log ➝ C:\icmpamb\azazokid.exe
Creates File: C:\icmpamb\dicacgrogop
Creates File: PIPE\lsarpc
Creates File: C:\icmpamb\vmzcgc
Creates File: C:\WINDOWS\icmpamb\vmzcgc
Creates File: C:\icmpamb\azazokid.exe
Deletes File: C:\WINDOWS\icmpamb\vmzcgc
Creates Process: C:\icmpamb\azazokid.exe
Creates Service: Net.Tcp Connect Secondary Detection - C:\icmpamb\azazokid.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 792

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1140

Process
↳ C:\icmpamb\azazokid.exe

Creates File: C:\icmpamb\obkwiijwkc
Creates File: pipe\net\NtControlPipe10
Creates File: C:\icmpamb\dicacgrogop
Creates File: C:\icmpamb\tiiciwe.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\icmpamb\vmzcgc
Creates File: C:\WINDOWS\icmpamb\vmzcgc
Deletes File: C:\WINDOWS\icmpamb\vmzcgc
Creates Process: mbbs4okjzis1 "c:\icmpamb\azazokid.exe"

Process
↳ C:\icmpamb\azazokid.exe

Creates File: C:\icmpamb\vmzcgc
Creates File: C:\WINDOWS\icmpamb\vmzcgc
Deletes File: C:\WINDOWS\icmpamb\vmzcgc

Process
↳ mbbs4okjzis1 "c:\icmpamb\azazokid.exe"

Creates File: C:\icmpamb\vmzcgc
Creates File: C:\WINDOWS\icmpamb\vmzcgc
Deletes File: C:\WINDOWS\icmpamb\vmzcgc

Network Details:

DNS A englishforest.net ➝ 59.188.232.88
DNS A personschool.net ➝ 165.160.15.20
DNS A personschool.net ➝ 165.160.13.20
DNS A foreignquestion.net ➝ 195.22.26.254
DNS A foreignquestion.net ➝ 195.22.26.253
DNS A foreignquestion.net ➝ 195.22.26.252
DNS A foreignquestion.net ➝ 195.22.26.231
DNS A rightschool.net ➝ 82.144.197.54
DNS A rightquestion.net ➝ 208.91.197.27
DNS A familyschool.net ➝ 50.63.202.104
DNS A childrenwhile.net ➝ 95.211.230.75
DNS A englishschool.net ➝ 72.52.4.119
DNS A englishquestion.net ➝ 85.25.201.249
DNS A cigaretteforest.net ➝ (no answer recorded)
DNS A childrenwheat.net ➝ (no answer recorded)
DNS A familywheat.net ➝ (no answer recorded)
DNS A childrenanger.net ➝ (no answer recorded)
DNS A familyanger.net ➝ (no answer recorded)
DNS A childrenalways.net ➝ (no answer recorded)
DNS A familyalways.net ➝ (no answer recorded)
DNS A childrenforest.net ➝ (no answer recorded)
DNS A familyforest.net ➝ (no answer recorded)
DNS A eitherwheat.net ➝ (no answer recorded)
DNS A englishwheat.net ➝ (no answer recorded)
DNS A eitheranger.net ➝ (no answer recorded)
DNS A englishanger.net ➝ (no answer recorded)
DNS A eitheralways.net ➝ (no answer recorded)
DNS A englishalways.net ➝ (no answer recorded)
DNS A eitherforest.net ➝ (no answer recorded)
DNS A expectschool.net ➝ (no answer recorded)
DNS A becauseschool.net ➝ (no answer recorded)
DNS A expectwhile.net ➝ (no answer recorded)
DNS A becausewhile.net ➝ (no answer recorded)
DNS A expectquestion.net ➝ (no answer recorded)
DNS A becausequestion.net ➝ (no answer recorded)
DNS A expecttherefore.net ➝ (no answer recorded)
DNS A becausetherefore.net ➝ (no answer recorded)
DNS A machineschool.net ➝ (no answer recorded)
DNS A personwhile.net ➝ (no answer recorded)
DNS A machinewhile.net ➝ (no answer recorded)
DNS A personquestion.net ➝ (no answer recorded)
DNS A machinequestion.net ➝ (no answer recorded)
DNS A persontherefore.net ➝ (no answer recorded)
DNS A machinetherefore.net ➝ (no answer recorded)
DNS A suddenschool.net ➝ (no answer recorded)
DNS A foreignschool.net ➝ (no answer recorded)
DNS A suddenwhile.net ➝ (no answer recorded)
DNS A foreignwhile.net ➝ (no answer recorded)
DNS A suddenquestion.net ➝ (no answer recorded)
DNS A suddentherefore.net ➝ (no answer recorded)
DNS A foreigntherefore.net ➝ (no answer recorded)
DNS A whetherschool.net ➝ (no answer recorded)
DNS A whetherwhile.net ➝ (no answer recorded)
DNS A rightwhile.net ➝ (no answer recorded)
DNS A whetherquestion.net ➝ (no answer recorded)
DNS A whethertherefore.net ➝ (no answer recorded)
DNS A righttherefore.net ➝ (no answer recorded)
DNS A figureschool.net ➝ (no answer recorded)
DNS A thoughschool.net ➝ (no answer recorded)
DNS A figurewhile.net ➝ (no answer recorded)
DNS A thoughwhile.net ➝ (no answer recorded)
DNS A figurequestion.net ➝ (no answer recorded)
DNS A thoughquestion.net ➝ (no answer recorded)
DNS A figuretherefore.net ➝ (no answer recorded)
DNS A thoughtherefore.net ➝ (no answer recorded)
DNS A pictureschool.net ➝ (no answer recorded)
DNS A cigaretteschool.net ➝ (no answer recorded)
DNS A picturewhile.net ➝ (no answer recorded)
DNS A cigarettewhile.net ➝ (no answer recorded)
DNS A picturequestion.net ➝ (no answer recorded)
DNS A cigarettequestion.net ➝ (no answer recorded)
DNS A picturetherefore.net ➝ (no answer recorded)
DNS A cigarettetherefore.net ➝ (no answer recorded)
DNS A childrenschool.net ➝ (no answer recorded)
DNS A familywhile.net ➝ (no answer recorded)
DNS A childrenquestion.net ➝ (no answer recorded)
DNS A familyquestion.net ➝ (no answer recorded)
DNS A childrentherefore.net ➝ (no answer recorded)
DNS A familytherefore.net ➝ (no answer recorded)
DNS A eitherschool.net ➝ (no answer recorded)
DNS A eitherwhile.net ➝ (no answer recorded)
DNS A englishwhile.net ➝ (no answer recorded)
DNS A eitherquestion.net ➝ (no answer recorded)
DNS A eithertherefore.net ➝ (no answer recorded)
DNS A englishtherefore.net ➝ (no answer recorded)
DNS A expecthunger.net ➝ (no answer recorded)
DNS A becausehunger.net ➝ (no answer recorded)
DNS A expecttraining.net ➝ (no answer recorded)
DNS A becausetraining.net ➝ (no answer recorded)
HTTP GET http://englishforest.net/index.php  User-Agent: (blank)
HTTP GET http://personschool.net/index.php  User-Agent: (blank)
HTTP GET http://foreignquestion.net/index.php  User-Agent: (blank)
HTTP GET http://rightschool.net/index.php  User-Agent: (blank)
HTTP GET http://rightquestion.net/index.php  User-Agent: (blank)
HTTP GET http://familyschool.net/index.php  User-Agent: (blank)
HTTP GET http://childrenwhile.net/index.php  User-Agent: (blank)
HTTP GET http://englishschool.net/index.php  User-Agent: (blank)
HTTP GET http://englishquestion.net/index.php  User-Agent: (blank)
Flows TCP: 192.168.1.1:1031 ➝ 59.188.232.88:80
Flows TCP: 192.168.1.1:1032 ➝ 165.160.15.20:80
Flows TCP: 192.168.1.1:1033 ➝ 195.22.26.254:80
Flows TCP: 192.168.1.1:1034 ➝ 82.144.197.54:80
Flows TCP: 192.168.1.1:1035 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1036 ➝ 50.63.202.104:80
Flows TCP: 192.168.1.1:1037 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1038 ➝ 72.52.4.119:80
Flows TCP: 192.168.1.1:1039 ➝ 85.25.201.249:80
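Added triage helper for the Runtime Details and Network Details above; it is an example written for this page, not part of the sandbox report or of any vendor tool. It reads the tool's raw flattened layout, in which each label is fused to its value (`Creates FileC:\...`, `DNS<name>` followed by `Type: A` and any answer on its own line, a `Registry` key with its value on the next line), extracts the two persistence points (the Run value and the service, both pointing at C:\icmpamb\azazokid.exe) and the HTTP GETs sent with a blank User-Agent, and then tests the DNS set for the pattern the report shows: 85 distinct .net names were queried, every one a concatenation of two English words, only 9 resolved, and those 9 are exactly the hosts the /index.php requests went to. The word-pair check needs no dictionary; it infers the split point of each label from how many other labels share the same prefix and the same suffix, which is the footprint such a generator leaves in a DNS log. The sample input is constructed from a subset of the report's own lines plus one benign control name (time.windows.com with a documentation-range address) added here; nothing about the generator itself is claimed beyond what the query list shows.

```python
"""Triage helper for the flattened "LabelValue" sandbox report above (added
example, not part of the report or of any vendor tool). It parses the Runtime and
Network Details lines into IOCs, then checks persistence (Run key and service),
HTTP requests with an empty User-Agent, and word-pair (dictionary) DGA names."""
import re

LABELS = ("Creates File", "Deletes File", "Creates Process", "Creates Service",
          "Registry", "HTTP GET", "User-Agent:", "Flows TCP", "DNS", "Type:")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
sld = lambda domain: domain.split(".")[-2] if "." in domain else domain  # second-level label

def split_label(line):
    """'Creates FileC:\\x' -> ('Creates File', 'C:\\x'); unknown line -> (None, line)."""
    for lab in LABELS:
        if line.startswith(lab):
            return lab, line[len(lab):].strip().lstrip(": ")
    return None, line

def parse_report(text):
    ioc = {"persistence": [], "dns": {}, "http": []}
    pending_key = domain = last_get = None  # multi-line records in progress
    for line in filter(None, map(str.strip, text.splitlines())):
        label, value = split_label(line)
        if pending_key and label is None:  # a registry value sits on its own line
            if "\\currentversion\\run\\" in pending_key.lower():
                ioc["persistence"].append(("run_key", pending_key, value))
            pending_key = None
            continue
        pending_key = None
        if label == "Registry":
            pending_key = value.rstrip("➝ ")
        elif label == "Creates Service":
            name, _, path = value.rpartition(" - ")
            ioc["persistence"].append(("service", name, path))
        elif label == "DNS":
            domain = value.lower()
            ioc["dns"].setdefault(domain, [])
        elif label is None and domain and IPV4.match(line):  # an A-record answer
            ioc["dns"][domain].append(line)
        elif label == "HTTP GET":
            last_get = {"url": value, "user_agent": None}
            ioc["http"].append(last_get)
        elif label == "User-Agent:" and last_get:
            last_get["user_agent"] = value  # "" when the header was sent empty
    return ioc

def infer_word_pairs(labels, min_support=2, min_part=3):
    """Split labels into (word1, word2) with no wordlist: p+s is accepted when at least
    min_support OTHER labels start with p and as many end with s (best-supported split
    wins); leftovers are retried against the confirmed words, so 'cigarette' is caught."""
    labels = sorted(set(labels))
    splits = {}
    for lab in labels:
        others = [o for o in labels if o != lab]
        best, best_score = None, 0
        for i in range(min_part, len(lab) - min_part + 1):
            p, s = lab[:i], lab[i:]
            ps, ss = sum(o.startswith(p) for o in others), sum(o.endswith(s) for o in others)
            if min(ps, ss) >= min_support and ps + ss > best_score:
                best, best_score = (p, s), ps + ss
        if best:
            splits[lab] = best
    prefixes, suffixes = {p for p, _ in splits.values()}, {s for _, s in splits.values()}
    for lab in [x for x in labels if x not in splits]:
        s = next((s for s in sorted(suffixes, key=len, reverse=True)
                  if lab.endswith(s) and len(lab) - len(s) >= min_part), None)
        p = next((p for p in sorted(prefixes, key=len, reverse=True)
                  if lab.startswith(p) and len(lab) - len(p) >= min_part), None)
        if s or p:
            splits[lab] = (lab[:-len(s)], s) if s else (p, lab[len(p):])
    return splits, sorted(prefixes | suffixes)

def assess(ioc):
    pairs, vocab = infer_word_pairs([sld(d) for d in ioc["dns"]])
    return {"persistence": ioc["persistence"], "queried": len(ioc["dns"]),
            "unresolved": sorted(d for d, ips in ioc["dns"].items() if not ips),
            "dga_domains": sorted(d for d in ioc["dns"] if sld(d) in pairs),
            "vocabulary": vocab,
            "empty_user_agent": [h["url"] for h in ioc["http"] if not h["user_agent"]]}

# Constructed sample in the tool's raw layout: report names/addresses plus time.windows.com
# (203.0.113.10, documentation range) added as a benign control.
_RESOLVED = [("englishforest.net", "59.188.232.88"), ("englishschool.net", "72.52.4.119"),
             ("englishquestion.net", "85.25.201.249"), ("personschool.net", "165.160.15.20"),
             ("foreignquestion.net", "195.22.26.254"), ("familyschool.net", "50.63.202.104"),
             ("childrenwhile.net", "95.211.230.75"), ("time.windows.com", "203.0.113.10")]
_UNRESOLVED = ("personwhile personquestion foreignschool foreignwhile familyforest familywhile "
               "familyquestion childrenforest childrenschool childrenquestion cigaretteforest")
SAMPLE = "\n".join(
    [r"RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\PNRP Layer Agent List Secondary Telephony Log ➝",
     r"C:\icmpamb\azazokid.exe",
     r"RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝", "NULL",
     r"Creates ServiceNet.Tcp Connect Secondary Detection - C:\icmpamb\azazokid.exe"]
    + [ln for d, ip in _RESOLVED for ln in ("DNS" + d, "Type: A", ip)]
    + [ln for d in _UNRESOLVED.split() for ln in ("DNS" + d + ".net", "Type: A")]
    + ["HTTP GEThttp://englishforest.net/index.php", "User-Agent:"])

if __name__ == "__main__":
    print(assess(parse_report(SAMPLE)))
```

Run as a script it prints the assessment for the sample; pass the full raw report text to `parse_report` to get the complete picture. Two caveats a responder should keep in mind: the prefix/suffix inference only confirms a word when at least two other names share it, so on a very small query set it stays silent and the unresolved count is the better first signal; and a blank User-Agent is anomalous for a browser but not proof of malice on its own, which is why it is reported as a field rather than as a verdict.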
