Analysis Date: 2015-11-26 07:29:19
MD5: b09d21b7e6781581a35f81530d7b0d6c
SHA1: 71ba60fcee8739c3ae8f0e4f7bde4e31af4ce5e3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 693ab9a484e4565a904695beab45138b sha1: 9f53ace928f0bc2300935df5469b02ad632e51d9 size: 1090048
Section .rdata: md5: c4a7c5dcb90f340baba878fa3023c411 sha1: 8f32d048a297a585adad7a81c2b878774aac5454 size: 317952
Section .data: md5: eb2588ee41ebb29435f0855e1c4accd7 sha1: ac448b9d7caf57809a42ffb890ab4c89882e5f45 size: 11264
Section .reloc: md5: e1f8bf12af6a6ff9a748929cd9fca5da sha1: 9c2e44f57a0dfee049d2f872ebf836f70b53fd44 size: 72192
Timestamp: 2015-04-30 20:34:18
Packer: Microsoft Visual C++ 8
PEhash: aa6b5e8c2ee6f0e721855f392f713f7bdd2a754c
IMPhash: fb0186f0b8f12208beb5668a3d957a68
AV F-Secure: Gen:Variant.Strobosc.1
AV Twister: no_virus
AV MalwareBytes: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV Emsisoft: Gen:Variant.Strobosc.1
AV Ad-Aware: Gen:Variant.Strobosc.1
AV Eset (nod32): Win32/Bayrob.R
AV MicroWorld (escan): Gen:Variant.Kazy.606112
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV Padvish: no_virus
AV Zillya!: Backdoor.SoxGrave.Win32.150
AV K7: Trojan ( 004c77f41 )
AV Grisoft (avg): Generic36.CLXX
AV Avira (antivir): TR/Boryab.aiez
AV Alwil (avast): Dropper-OJG [Drp]
AV Fortinet: W32/Bayrob.R!tr
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV Ikarus: Trojan.Win32.Bayrob
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Gen:Variant.Strobosc.1
AV CA (E-Trust Ino): no_virus
AV BullGuard: Gen:Variant.Strobosc.1
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Frisk (f-prot): no_virus
AV Authentium: W32/Downloader.NGVX-4231
AV BitDefender: Gen:Variant.Strobosc.1
AV Symantec: Downloader.Upatre!g15
AV Rising: no_virus
AV McAfee: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\yz87gvt1libgujthhblurat.exe
Creates File: C:\WINDOWS\system32\coaxcjiqg\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\yz87gvt1libgujthhblurat.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\yz87gvt1libgujthhblurat.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\PC Procedure Store CNG Upgrade Web ➝ C:\WINDOWS\system32\ynvzgnrw.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\coaxcjiqg\etc
Creates File: C:\WINDOWS\system32\coaxcjiqg\lck
Creates File: C:\WINDOWS\system32\coaxcjiqg\tst
Creates File: C:\WINDOWS\system32\ynvzgnrw.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\ynvzgnrw.exe
Creates Service: Interactive Control Firewall - C:\WINDOWS\system32\ynvzgnrw.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1856

Process
↳ Pid 1124

Process
↳ C:\WINDOWS\system32\ynvzgnrw.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\coaxcjiqg\lck
Creates File: C:\WINDOWS\system32\coaxcjiqg\tst
Creates File: C:\WINDOWS\TEMP\yz87gvt1stcgujt.exe
Creates File: C:\WINDOWS\system32\coaxcjiqg\rng
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\coaxcjiqg\run
Creates File: C:\WINDOWS\system32\ndwuijagdg.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\coaxcjiqg\cfg
Creates Process: WATCHDOGPROC "c:\windows\system32\ynvzgnrw.exe"
Creates Process: C:\WINDOWS\TEMP\yz87gvt1stcgujt.exe -r 45472 tcp

Process
↳ C:\WINDOWS\system32\ynvzgnrw.exe

Creates File: C:\WINDOWS\system32\coaxcjiqg\tst

Process
↳ c:\windows\system32\ynvzgnrw.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\coaxcjiqg\rng
Creates File: C:\WINDOWS\system32\coaxcjiqg\lck
Creates File: C:\WINDOWS\system32\coaxcjiqg\run
Creates File: C:\WINDOWS\system32\ndwuijagdg.exe
Creates File: C:\WINDOWS\system32\coaxcjiqg\tst
Creates File: C:\WINDOWS\TEMP\yz87gvt2er9gujt.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\coaxcjiqg\cfg
Creates Process: WATCHDOGPROC "c:\windows\system32\ynvzgnrw.exe"
Creates Process: C:\WINDOWS\TEMP\yz87gvt2er9gujt.exe -r 32283 tcp

Process
↳ WATCHDOGPROC "c:\windows\system32\ynvzgnrw.exe"

Creates File: C:\WINDOWS\system32\coaxcjiqg\tst
Creates Process: c:\windows\system32\ynvzgnrw.exe

Process
↳ C:\WINDOWS\TEMP\yz87gvt1stcgujt.exe -r 45472 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Process
↳ WATCHDOGPROC "c:\windows\system32\ynvzgnrw.exe"

Creates File: C:\WINDOWS\system32\coaxcjiqg\tst

Process
↳ C:\WINDOWS\TEMP\yz87gvt2er9gujt.exe -r 32283 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: ableread.net
Type: A
208.91.197.241
DNS: maybellinecherokee.net
Type: A
DNS: alexandrinacalleigh.net
Type: A
DNS: recordtrust.net
Type: A
DNS: electricseparate.net
Type: A
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=049&sox=47f8a802&lenhdr
User-Agent:
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=049&sox=47f8a802&lenhdr
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1038 ➝ 208.91.197.241:80
