Analysis Date: 2015-10-23 18:32:24
MD5: 2f4c88b7880d049268023563ae463fd8
SHA1: 70dada963d00ddd9ecd84bf48d8bec68f351130e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: cf00711b75f7445859e04a108303d781 sha1: 267e9d851d09cb423bf8d5f7431884194225cee1 size: 196608
Section.rdata md5: 3983c6ebd98e725e5e1243a98007a0f4 sha1: 8ce420f9f021b6f60853fce357d6d2df2240c6f9 size: 51712
Section.data md5: 7a2357ccae91e11bf49253c0e6dbca4d sha1: b941d0a84a3258fad23b1747c286d7b7201f6549 size: 7680
Section.reloc md5: f225a6d78d9385a5650734ab35480406 sha1: b8bbbb8a2efdb2a0fe5f3e454be5ca6a118e9969 size: 14336
Timestamp: 2015-04-29 19:03:46
Packer: Microsoft Visual C++ 8
PEhash: b81a811bd49b836264f6daaf6833c53d434b398b
IMPhash: 2b5abd2a6acd9898e7cdd86b7197ea88
AV Rising: Trojan.Win32.Bayrod.a
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.604861
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.604861
AV BullGuard: Gen:Variant.Kazy.604861
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.604861
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.R.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BG
AV K7: Trojan ( 004c12491 )
AV BitDefender: Gen:Variant.Kazy.604861
AV Fortinet: W32/Generic.AC.215362
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Q
AV Alwil (avast): VB-AJEW [Trj]
AV Ad-Aware: Gen:Variant.Kazy.604861
AV Twister: Trojan.0000E9000000006A1.mg
AV Avira (antivir): TR/Kryptik.qgmpd
AV Mcafee: Trojan-FGIJ!2F4C88B7880D

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\dopwzlstcr\yvgxtvnpg
Creates File: C:\dopwzlstcr\m6u1lnilfvtwszakinbr.exe
Creates File: C:\dopwzlstcr\yvgxtvnpg
Deletes File: C:\WINDOWS\dopwzlstcr\yvgxtvnpg
Creates Process: C:\dopwzlstcr\m6u1lnilfvtwszakinbr.exe

Process
↳ C:\dopwzlstcr\m6u1lnilfvtwszakinbr.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Workstation Proxy Credential DCOM ➝ C:\dopwzlstcr\zxrchyimmlfi.exe
Creates File: C:\WINDOWS\dopwzlstcr\yvgxtvnpg
Creates File: PIPE\lsarpc
Creates File: C:\dopwzlstcr\fdljsquypu
Creates File: C:\dopwzlstcr\yvgxtvnpg
Creates File: C:\dopwzlstcr\zxrchyimmlfi.exe
Deletes File: C:\WINDOWS\dopwzlstcr\yvgxtvnpg
Creates Process: C:\dopwzlstcr\zxrchyimmlfi.exe
Creates Service: ActiveX Defragmenter User-mode - C:\dopwzlstcr\zxrchyimmlfi.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1880

Process
↳ Pid 1184

Process
↳ C:\dopwzlstcr\zxrchyimmlfi.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\dopwzlstcr\yvgxtvnpg
Creates File: C:\dopwzlstcr\fdljsquypu
Creates File: C:\dopwzlstcr\yvgxtvnpg
Creates File: \Device\Afd\Endpoint
Creates File: C:\dopwzlstcr\ojvlkljgvgmu
Creates File: C:\dopwzlstcr\auvqjvt.exe
Deletes File: C:\WINDOWS\dopwzlstcr\yvgxtvnpg
Creates Process: kbuvwjqnyqtm "c:\dopwzlstcr\zxrchyimmlfi.exe"

Process
↳ C:\dopwzlstcr\zxrchyimmlfi.exe

Creates File: C:\WINDOWS\dopwzlstcr\yvgxtvnpg
Creates File: C:\dopwzlstcr\yvgxtvnpg
Deletes File: C:\WINDOWS\dopwzlstcr\yvgxtvnpg

Process
↳ kbuvwjqnyqtm "c:\dopwzlstcr\zxrchyimmlfi.exe"

Creates File: C:\WINDOWS\dopwzlstcr\yvgxtvnpg
Creates File: C:\dopwzlstcr\yvgxtvnpg
Deletes File: C:\WINDOWS\dopwzlstcr\yvgxtvnpg
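The process listing above shows the install chain in three hops: C:\malware.exe drops and launches m6u1lnilfvtwszakinbr.exe, which drops zxrchyimmlfi.exe into the same fresh top-level directory and registers that one binary twice, as a Run-key value named "Workstation Proxy Credential DCOM" and as a service named "ActiveX Defragmenter User-mode"; the service copy then relaunches itself with a random argument. The Python below is an added example, not output of the sandbox, that correlates those rows into a finding the way a triage script over a sandbox export would. The EVENTS rows are transcribed by hand from the report; the list of "trusted" directory prefixes is this example's assumption.

```python
"""Persistence triage over sandbox events (added example, not sandbox code).

EVENTS is transcribed by hand from the Runtime Details above as
(process, action, target) rows; a real export has many more rows, but
these are the ones that carry the install chain."""
import re

EVENTS = [
    (r"C:\malware.exe", "Creates File", r"C:\dopwzlstcr\m6u1lnilfvtwszakinbr.exe"),
    (r"C:\malware.exe", "Creates Process", r"C:\dopwzlstcr\m6u1lnilfvtwszakinbr.exe"),
    (r"C:\dopwzlstcr\m6u1lnilfvtwszakinbr.exe", "Registry",
     r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
     r"\Workstation Proxy Credential DCOM -> C:\dopwzlstcr\zxrchyimmlfi.exe"),
    (r"C:\dopwzlstcr\m6u1lnilfvtwszakinbr.exe", "Creates File", r"C:\dopwzlstcr\zxrchyimmlfi.exe"),
    (r"C:\dopwzlstcr\m6u1lnilfvtwszakinbr.exe", "Creates Process", r"C:\dopwzlstcr\zxrchyimmlfi.exe"),
    (r"C:\dopwzlstcr\m6u1lnilfvtwszakinbr.exe", "Creates Service",
     r"ActiveX Defragmenter User-mode - C:\dopwzlstcr\zxrchyimmlfi.exe"),
    (r"C:\dopwzlstcr\zxrchyimmlfi.exe", "Creates File", r"C:\dopwzlstcr\auvqjvt.exe"),
    (r"C:\dopwzlstcr\zxrchyimmlfi.exe", "Creates Process",
     r'kbuvwjqnyqtm "c:\dopwzlstcr\zxrchyimmlfi.exe"'),
]

# Matches a Windows path ending in .exe inside 'Run\Name -> path',
# 'Service name - path' and 'argv0 "path"' shaped targets.
EXE_RE = re.compile(r'[A-Za-z]:\\[^"\s]+?\.exe', re.IGNORECASE)
RUN_KEY = "\\currentversion\\run\\"
# Assumption of this example: binaries under these trees are "expected".
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def exe_path(text):
    """Return the last .exe path embedded in an event target (lowercased), or None."""
    found = EXE_RE.findall(text)
    return found[-1].lower() if found else None


def is_user_writable(path):
    """Crude location check: anything outside the trusted trees is suspicious."""
    return not path.lower().startswith(TRUSTED_PREFIXES)


def persistence_hits(events):
    """Pair every Run-key value or service install with the process that
    wrote the referenced executable. 'Write an .exe, then point a Run key
    or a service at it' is the self-install pattern to alert on."""
    dropped_by = {}
    for proc, action, target in events:
        if action == "Creates File" and target.lower().endswith(".exe"):
            dropped_by[target.lower()] = proc
    hits = []
    for proc, action, target in events:
        if action == "Registry" and RUN_KEY in target.lower():
            kind = "run_key"
        elif action == "Creates Service":
            kind = "service"
        else:
            continue
        path = exe_path(target)
        hits.append({
            "kind": kind,
            "installed_by": proc,
            "path": path,
            "dropped_by": dropped_by.get(path),
            "user_writable": bool(path) and is_user_writable(path),
        })
    return hits


def process_chain(events, root):
    """Follow 'Creates Process' edges from root and return the launch chain.
    A visited set stops the self-relaunch at the end of the chain from looping."""
    children = {}
    for proc, action, target in events:
        if action == "Creates Process":
            children.setdefault(proc, []).append(target)
    chain, seen, cur = [root], {root}, root
    while children.get(cur):
        nxt = children[cur][0]
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
        cur = nxt
    return chain


if __name__ == "__main__":
    for hit in persistence_hits(EVENTS):
        print(hit)
    print(" -> ".join(process_chain(EVENTS, r"C:\malware.exe")))
```

Both hits resolve to the same binary, dropped by the same parent, in a directory that did not exist before the run; that combination, rather than the cosmetic service and value names, is what a detection rule should key on, since the names change between samples.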

Network Details:

DNS: littlepower.net (Type: A) ➝ 58.64.204.42
DNS: littlecountry.net (Type: A) ➝ 84.16.80.74
DNS: increasefamous.net (Type: A) ➝ 209.99.40.223
DNS: forgetcountry.net (Type: A) ➝ 209.99.40.222
DNS: withincondition.net (Type: A)
DNS: suffercondition.net (Type: A)
DNS: effortnation.net (Type: A)
DNS: throughnation.net (Type: A)
DNS: effortsoldier.net (Type: A)
DNS: throughsoldier.net (Type: A)
DNS: effortplease.net (Type: A)
DNS: throughplease.net (Type: A)
DNS: effortcondition.net (Type: A)
DNS: throughcondition.net (Type: A)
DNS: forgetnation.net (Type: A)
DNS: increasenation.net (Type: A)
DNS: forgetsoldier.net (Type: A)
DNS: increasesoldier.net (Type: A)
DNS: forgetplease.net (Type: A)
DNS: increaseplease.net (Type: A)
DNS: forgetcondition.net (Type: A)
DNS: increasecondition.net (Type: A)
DNS: wouldnation.net (Type: A)
DNS: remembernation.net (Type: A)
DNS: wouldsoldier.net (Type: A)
DNS: remembersoldier.net (Type: A)
DNS: wouldplease.net (Type: A)
DNS: rememberplease.net (Type: A)
DNS: wouldcondition.net (Type: A)
DNS: remembercondition.net (Type: A)
DNS: journeycentury.net (Type: A)
DNS: husbandcentury.net (Type: A)
DNS: journeyfamous.net (Type: A)
DNS: husbandfamous.net (Type: A)
DNS: journeypower.net (Type: A)
DNS: husbandpower.net (Type: A)
DNS: journeycountry.net (Type: A)
DNS: husbandcountry.net (Type: A)
DNS: destroycentury.net (Type: A)
DNS: littlecentury.net (Type: A)
DNS: destroyfamous.net (Type: A)
DNS: littlefamous.net (Type: A)
DNS: destroypower.net (Type: A)
DNS: destroycountry.net (Type: A)
DNS: riddencentury.net (Type: A)
DNS: belongcentury.net (Type: A)
DNS: riddenfamous.net (Type: A)
DNS: belongfamous.net (Type: A)
DNS: riddenpower.net (Type: A)
DNS: belongpower.net (Type: A)
DNS: riddencountry.net (Type: A)
DNS: belongcountry.net (Type: A)
DNS: chaircentury.net (Type: A)
DNS: thosecentury.net (Type: A)
DNS: chairfamous.net (Type: A)
DNS: thosefamous.net (Type: A)
DNS: chairpower.net (Type: A)
DNS: thosepower.net (Type: A)
DNS: chaircountry.net (Type: A)
DNS: thosecountry.net (Type: A)
DNS: withincentury.net (Type: A)
DNS: suffercentury.net (Type: A)
DNS: withinfamous.net (Type: A)
DNS: sufferfamous.net (Type: A)
DNS: withinpower.net (Type: A)
DNS: sufferpower.net (Type: A)
DNS: withincountry.net (Type: A)
DNS: suffercountry.net (Type: A)
DNS: effortcentury.net (Type: A)
DNS: throughcentury.net (Type: A)
DNS: effortfamous.net (Type: A)
DNS: throughfamous.net (Type: A)
DNS: effortpower.net (Type: A)
DNS: throughpower.net (Type: A)
DNS: effortcountry.net (Type: A)
DNS: throughcountry.net (Type: A)
DNS: forgetcentury.net (Type: A)
DNS: increasecentury.net (Type: A)
DNS: forgetfamous.net (Type: A)
DNS: forgetpower.net (Type: A)
DNS: increasepower.net (Type: A)
DNS: increasecountry.net (Type: A)
DNS: wouldcentury.net (Type: A)
DNS: remembercentury.net (Type: A)
DNS: wouldfamous.net (Type: A)
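Every one of the 85 names queried above is two English words glued together under .net, and the report shows an address for only four of them. That shape (a burst of unique dictionary-word domains, nearly all of them unanswered) is what an analyst would hunt for in resolver logs, independent of the specific words, which rotate between samples. The Python below is an added example, not part of the sandbox report, that applies that heuristic to the queries transcribed from this page. The VOCAB word list was recovered by hand from the names above and is an approximation seeded from this one sample, not the malware's real dictionary; the thresholds are assumptions.

```python
"""Heuristic DGA triage over the DNS activity above (added example, not
sandbox output). Flags a host whose queries are mostly unresolved and
mostly segmentable into two dictionary words."""

# Transcribed from Network Details. Only these four carry an answer.
RESOLVED = {
    "littlepower.net": "58.64.204.42",
    "littlecountry.net": "84.16.80.74",
    "increasefamous.net": "209.99.40.223",
    "forgetcountry.net": "209.99.40.222",
}
# Names for which the report lists no address (constructed from the page).
UNRESOLVED = """
withincondition suffercondition effortnation throughnation effortsoldier throughsoldier
effortplease throughplease effortcondition throughcondition forgetnation increasenation
forgetsoldier increasesoldier forgetplease increaseplease forgetcondition increasecondition
wouldnation remembernation wouldsoldier remembersoldier wouldplease rememberplease
wouldcondition remembercondition journeycentury husbandcentury journeyfamous husbandfamous
journeypower husbandpower journeycountry husbandcountry destroycentury littlecentury
destroyfamous littlefamous destroypower destroycountry riddencentury belongcentury
riddenfamous belongfamous riddenpower belongpower riddencountry belongcountry
chaircentury thosecentury chairfamous thosefamous chairpower thosepower
chaircountry thosecountry withincentury suffercentury withinfamous sufferfamous
withinpower sufferpower withincountry suffercountry effortcentury throughcentury
effortfamous throughfamous effortpower throughpower effortcountry throughcountry
forgetcentury increasecentury forgetfamous forgetpower increasepower increasecountry
wouldcentury remembercentury wouldfamous
""".split()

QUERIES = dict(RESOLVED)
QUERIES.update({name + ".net": None for name in UNRESOLVED})

# Word list recovered by hand from the names above. An analyst's
# approximation seeded from one sample, not the malware's dictionary.
VOCAB = frozenset("""
little increase forget within suffer effort through would remember journey
husband destroy ridden belong chair those
power country famous condition nation soldier please century
""".split())


def segment(label, vocab=VOCAB):
    """Split a second-level label into two vocabulary words, or return None."""
    for i in range(2, len(label) - 1):
        head, tail = label[:i], label[i:]
        if head in vocab and tail in vocab:
            return head, tail
    return None


def dga_triage(queries, vocab=VOCAB, min_names=20, nx_ratio=0.8, seg_ratio=0.9):
    """Score a {fqdn: answer_or_None} map for one host and time window.
    Returns (flagged, stats). Thresholds are this example's assumptions."""
    labels = [q.split(".")[0] for q in queries if q.endswith(".net")]
    n = len(queries)
    unresolved = sum(1 for ip in queries.values() if ip is None)
    two_word = sum(1 for label in labels if segment(label, vocab))
    stats = {
        "unique_names": n,
        "unresolved": unresolved,
        "two_word": two_word,
        "live_c2": sorted(q for q, ip in queries.items() if ip),
    }
    flagged = (n >= min_names and unresolved / n >= nx_ratio
               and two_word / n >= seg_ratio)
    return flagged, stats


def word_frequency(queries, vocab=VOCAB):
    """Count each vocabulary word by position; useful for growing the word
    list from new samples and for writing a resolver-log rule."""
    first, second = {}, {}
    for q in queries:
        parts = segment(q.split(".")[0], vocab)
        if parts:
            first[parts[0]] = first.get(parts[0], 0) + 1
            second[parts[1]] = second.get(parts[1], 0) + 1
    return first, second


if __name__ == "__main__":
    print(dga_triage(QUERIES))
    print(word_frequency(QUERIES))
```

The four names that did resolve are the ones worth blocking immediately; the rest of the list is still useful as a vocabulary, because a future sample from the same family will generate names from overlapping words even though the exact domains differ.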
HTTP GET: http://littlepower.net/index.php
User-Agent: (no User-Agent header sent; see Raw Pcap)
HTTP GET: http://increasefamous.net/index.php
User-Agent: (no User-Agent header sent; see Raw Pcap)
HTTP GET: http://forgetcountry.net/index.php
User-Agent: (no User-Agent header sent; see Raw Pcap)
Flows TCP: 192.168.1.1:1031 ➝ 58.64.204.42:80
Flows TCP: 192.168.1.1:1032 ➝ 84.16.80.74:80
Flows TCP: 192.168.1.1:1033 ➝ 209.99.40.223:80
Flows TCP: 192.168.1.1:1034 ➝ 209.99.40.222:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   6974746c 65706f77 65722e6e 65740d0a   ittlepower.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2069   : close..Host: i
0x00000040 (00064)   6e637265 61736566 616d6f75 732e6e65   ncreasefamous.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   6f726765 74636f75 6e747279 2e6e6574   orgetcountry.net
0x00000050 (00080)   0d0a0d0a 0a                           .....
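The three dumps above decode to the same request: GET /index.php over HTTP/1.0 with Accept: */*, Connection: close and a Host header, and nothing else. The blank "User-Agent:" in the HTTP GET summary therefore means the header is absent, not empty, which is the detail a network signature should key on. The third dump also carries one stray 0x0a after the terminating CRLFCRLF. The Python below is an added example, not part of the sandbox report: it rebuilds the hexdump format used on this page into bytes, parses the request, and checks the fingerprint. The two dump strings are pasted from the page as constructed test input; the fingerprint rule is this example's own.

```python
"""Rebuild the 'Raw Pcap' hexdumps above into bytes and fingerprint the
check-in request (added example, not part of the sandbox report)."""
import re

# Two of the three dumps above, pasted verbatim (constructed test input).
DUMP_LITTLEPOWER = """
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   6974746c 65706f77 65722e6e 65740d0a   ittlepower.net..
0x00000050 (00080)   0d0a                                  ..
"""
DUMP_FORGETCOUNTRY = """
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   6f726765 74636f75 6e747279 2e6e6574   orgetcountry.net
0x00000050 (00080)   0d0a0d0a 0a                           .....
"""

LINE_RE = re.compile(r"0x([0-9a-fA-F]+)\s+\((\d+)\)\s+(.*)")


def hexdump_to_bytes(dump):
    """Turn one sandbox hexdump block back into bytes.

    Each line is '0xOFFSET (DECIMAL)   hexgroups   ascii'. The hex groups are
    separated by single spaces and the ASCII column by three or more, so the
    first run of 3+ spaces ends the hex part. Offsets are checked so a
    dropped or duplicated line is caught instead of silently shifting data."""
    out = bytearray()
    for line in dump.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("not a hexdump line: %r" % line)
        if int(m.group(2)) != len(out):
            raise ValueError("offset gap at %s" % m.group(2))
        hexpart = re.split(r"\s{3,}", m.group(3), maxsplit=1)[0]
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)


def parse_http_request(raw):
    """Minimal HTTP/1.x request parser. Returns (method, target, version,
    headers with lowercased names, bytes left over after the blank line)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for hdr in lines[1:]:
        name, _, value = hdr.decode("ascii").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def beacon_fingerprint(raw):
    """Traits of this sample's check-in that a network rule can key on:
    HTTP/1.0, GET /index.php, Accept */*, Connection close, and no
    User-Agent header at all. 'trailing_bytes' exposes the stray 0x0a."""
    method, target, version, headers, body = parse_http_request(raw)
    return {
        "host": headers.get("host"),
        "matches": (method == "GET" and target == "/index.php"
                    and version == "HTTP/1.0"
                    and headers.get("accept") == "*/*"
                    and headers.get("connection", "").lower() == "close"
                    and "user-agent" not in headers),
        "trailing_bytes": body,
    }


if __name__ == "__main__":
    for dump in (DUMP_LITTLEPOWER, DUMP_FORGETCOUNTRY):
        print(beacon_fingerprint(hexdump_to_bytes(dump)))
```

Rebuilding the bytes rather than trusting the summary fields is the point: the summary shows an empty User-Agent, the bytes show no header at all, and the stray trailing 0x0a in the third request would be invisible in any summary.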


Strings