Analysis Date: 2015-12-02 06:28:44
MD5: 3239e609ee5a53996b73688f2edd0f5d
SHA1: 67d56898f5152a12542c9e145b19267206788d60

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 1579c03a268235988b9167b1837ee0d2 sha1: 87dc46346894bcd9b95171b7903ca90147680833 size: 1248256
Section .rdata: md5: 55d4e25d59bd4ad5a3a1b197b9ec6d6d sha1: 0582c8bba87c41981f48f83cf66a71dbd76c66c6 size: 318464
Section .data: md5: 29b5c6b0fb8cf7328fdaff70c616ddb2 sha1: 72f08dc587d9efb7d5d0b4728fce009e1e704298 size: 7680
Section .reloc: md5: 7e0d458fac9b035100e7093c2a12b00c sha1: c1fea4d1cd152d6b2128aa7109fb2580d0b6aeab size: 164864
Timestamp: 2015-05-11 04:26:28
Packer: VC8 -> Microsoft Corporation
PEhash: 2e89ba8df129863ab45348e5128e1b3cb18d376e
IMPhash: e35c0fb8ff558af119739969260bca89
AV Kaspersky: Trojan.Win32.Generic
AV Padvish: no_virus
AV F-Secure: Trojan.GenericKD.2881644
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BN
AV MicroWorld (escan): Trojan.GenericKD.2881644
AV Fortinet: W32/Kryptik.EETB!tr
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV K7: Trojan ( 004c77f41 )
AV Mcafee: Trojan-FGIJ!3239E609EE5A
AV Eset (nod32): Win32/Bayrob.Y
AV Grisoft (avg): Win32/Cryptor
AV MalwareBytes: no_virus
AV Ad-Aware: Trojan.GenericKD.2881644
AV BullGuard: Trojan.GenericKD.2881644
AV Alwil (avast): Dropper-OJQ [Drp]
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV Avira (antivir): TR/AD.Nivdort.M.75
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.5
AV Arcabit (arcavir): Trojan.GenericKD.2881644
AV BitDefender: Trojan.GenericKD.2881644
AV Emsisoft: Trojan.GenericKD.2881644

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\egoghiekupsis\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\uepghw1l3zbqcqqm2m3lus.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\uepghw1l3zbqcqqm2m3lus.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\uepghw1l3zbqcqqm2m3lus.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Topology Reports File Logon Controls ➝ C:\WINDOWS\system32\kkjaxnr.exe
Creates File: C:\WINDOWS\system32\egoghiekupsis\etc
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\egoghiekupsis\tst
Creates File: C:\WINDOWS\system32\kkjaxnr.exe
Creates File: C:\WINDOWS\system32\egoghiekupsis\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\kkjaxnr.exe
Creates Service: Tracking Layer Logs UPnP Access - C:\WINDOWS\system32\kkjaxnr.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1076

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1172

Process
↳ C:\WINDOWS\system32\kkjaxnr.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\dgtqfktoju.exe
Creates File: C:\WINDOWS\system32\egoghiekupsis\tst
Creates File: C:\WINDOWS\system32\egoghiekupsis\lck
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\TEMP\uepghw1rigbqcq.exe
Creates File: C:\WINDOWS\system32\egoghiekupsis\run
Creates File: C:\WINDOWS\system32\egoghiekupsis\cfg
Creates File: C:\WINDOWS\system32\egoghiekupsis\rng
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\TEMP\uepghw1rigbqcq.exe -r 39316 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\kkjaxnr.exe"

Process
↳ C:\WINDOWS\system32\kkjaxnr.exe

Creates File: C:\WINDOWS\system32\egoghiekupsis\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\kkjaxnr.exe"

Creates File: C:\WINDOWS\system32\egoghiekupsis\tst

Process
↳ C:\WINDOWS\TEMP\uepghw1rigbqcq.exe -r 39316 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

