Analysis Date: 2015-09-17 11:54:58
MD5: 3a6eb3382c377464a613ef0dc8f7513d
SHA1: 72328a98cedfd0d8968dc7ba596fb87ea368a618

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 4e60a7219150dd57cda4119b5eeb43ed sha1: b677ff37db8215e2d859cadd840336d078401c55 size: 304128
Section .rdata md5: b3f3400347db035896ff750ab97dbb15 sha1: a3643da71898e1bb9234e367d95c8ad0d3069d61 size: 59904
Section .data md5: 258a1efdfa609cc634526e5a70e48c22 sha1: c72fffbf1115e4f2f362be5828dc58c21b369b5e size: 7680
Section .reloc md5: 5293d844a6895265b80d02bf89f34d45 sha1: 8b8ca32c36907acfc59686a9cffab6afe306d0b3 size: 23552
Timestamp: 2015-05-11 06:09:02
Packer: Microsoft Visual C++ 8
PEhash: be27cf5787a6d263eaf231f2d3fcf7997b6b242c
IMPhash: cc8477ee8998d9d0bd8cb24710f0493c
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: PWS-FCCE!3A6EB3382C37
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV Twister: Trojan.Scar.jkcf.evbe
AV Ad-Aware: Gen:Variant.Diley.1
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.V.gen
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Bayrob.A!tr
AV BitDefender: Gen:Variant.Diley.1
AV K7: Trojan ( 004c3a4d1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AY
AV MicroWorld (escan): Gen:Variant.Diley.1
AV MalwareBytes: Trojan.Agent.KVTGen
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Diley.1
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Scar.jkcf
AV Trend Micro: no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Diley.1
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.2
AV F-Secure: Gen:Variant.Diley.1

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\cvgcguhdabnhrkg\tij3mbhxdlt
Creates File: C:\cvgcguhdabnhrkg\iub1mefpzvwypvxzz.exe
Creates File: C:\cvgcguhdabnhrkg\tij3mbhxdlt
Deletes File: C:\WINDOWS\cvgcguhdabnhrkg\tij3mbhxdlt
Creates Process: C:\cvgcguhdabnhrkg\iub1mefpzvwypvxzz.exe

Process
↳ C:\cvgcguhdabnhrkg\iub1mefpzvwypvxzz.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Detection Accounts Visual Font ➝ C:\cvgcguhdabnhrkg\hpwyifjol.exe
Creates File: C:\cvgcguhdabnhrkg\hpwyifjol.exe
Creates File: C:\WINDOWS\cvgcguhdabnhrkg\tij3mbhxdlt
Creates File: C:\cvgcguhdabnhrkg\tij3mbhxdlt
Creates File: PIPE\lsarpc
Creates File: C:\cvgcguhdabnhrkg\fvf4rw
Deletes File: C:\WINDOWS\cvgcguhdabnhrkg\tij3mbhxdlt
Creates Process: C:\cvgcguhdabnhrkg\hpwyifjol.exe
Creates Service: Link Support Workstation Internet Netlogon - C:\cvgcguhdabnhrkg\hpwyifjol.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1852

Process
↳ Pid 1160

Process
↳ C:\cvgcguhdabnhrkg\hpwyifjol.exe

Creates File: C:\WINDOWS\cvgcguhdabnhrkg\tij3mbhxdlt
Creates File: pipe\net\NtControlPipe10
Creates File: C:\cvgcguhdabnhrkg\tij3mbhxdlt
Creates File: \Device\Afd\Endpoint
Creates File: C:\cvgcguhdabnhrkg\tragqturh.exe
Creates File: C:\cvgcguhdabnhrkg\fvf4rw
Creates File: C:\cvgcguhdabnhrkg\eixmdwvq8ua
Deletes File: C:\WINDOWS\cvgcguhdabnhrkg\tij3mbhxdlt
Creates Process: ptwlop5yhzvg "c:\cvgcguhdabnhrkg\hpwyifjol.exe"

Process
↳ C:\cvgcguhdabnhrkg\hpwyifjol.exe

Creates File: C:\WINDOWS\cvgcguhdabnhrkg\tij3mbhxdlt
Creates File: C:\cvgcguhdabnhrkg\tij3mbhxdlt
Deletes File: C:\WINDOWS\cvgcguhdabnhrkg\tij3mbhxdlt

Process
↳ ptwlop5yhzvg "c:\cvgcguhdabnhrkg\hpwyifjol.exe"

Creates File: C:\WINDOWS\cvgcguhdabnhrkg\tij3mbhxdlt
Creates File: C:\cvgcguhdabnhrkg\tij3mbhxdlt
Deletes File: C:\WINDOWS\cvgcguhdabnhrkg\tij3mbhxdlt

Network Details:

DNS: freshmethod.net (Type: A) ➝ 113.20.9.169
DNS: freshaction.net (Type: A) ➝ 72.52.4.120
DNS: freshdirect.net (Type: A) ➝ 208.48.81.134
DNS: freshdirect.net (Type: A) ➝ 64.15.205.100
DNS: freshdirect.net (Type: A) ➝ 64.15.205.101
DNS: freshdirect.net (Type: A) ➝ 208.48.81.133
DNS: experiencedirect.net (Type: A) ➝ 50.63.202.32
DNS: alreadyaction.net (Type: A) ➝ 195.22.26.253
DNS: alreadyaction.net (Type: A) ➝ 195.22.26.254
DNS: alreadyaction.net (Type: A) ➝ 195.22.26.231
DNS: alreadyaction.net (Type: A) ➝ 195.22.26.252
DNS: memberaction.net (Type: A) ➝ 184.168.221.51
DNS: memberdirect.net (Type: A) ➝ 209.53.114.33
DNS: knownaction.net (Type: A) ➝ 95.211.230.75
DNS: crowdmethod.net (Type: A) ➝ 50.63.202.63
DNS: summeraction.net (Type: A) ➝ 184.168.221.36
DNS: crowdaction.net (Type: A) ➝ 97.74.42.79
DNS: crowddirect.net (Type: A) ➝ 69.64.147.242
DNS: thoughtaction.net (Type: A) ➝ 74.220.199.8
DNS: wateraction.net (Type: A) ➝ 50.63.202.22
DNS: waterdirect.net (Type: A) ➝ 66.96.161.145
DNS: fightmethod.net (Type: A) ➝ 184.168.167.179
DNS: partylikely.net (Type: A)
DNS: fightlikely.net (Type: A)
DNS: partyworth.net (Type: A)
DNS: fightworth.net (Type: A)
DNS: experiencemethod.net (Type: A)
DNS: experienceaction.net (Type: A)
DNS: freshbrought.net (Type: A)
DNS: experiencebrought.net (Type: A)
DNS: gentlemanmethod.net (Type: A)
DNS: alreadymethod.net (Type: A)
DNS: gentlemanaction.net (Type: A)
DNS: gentlemandirect.net (Type: A)
DNS: alreadydirect.net (Type: A)
DNS: gentlemanbrought.net (Type: A)
DNS: alreadybrought.net (Type: A)
DNS: followmethod.net (Type: A)
DNS: membermethod.net (Type: A)
DNS: followaction.net (Type: A)
DNS: followdirect.net (Type: A)
DNS: followbrought.net (Type: A)
DNS: memberbrought.net (Type: A)
DNS: beginmethod.net (Type: A)
DNS: knownmethod.net (Type: A)
DNS: beginaction.net (Type: A)
DNS: begindirect.net (Type: A)
DNS: knowndirect.net (Type: A)
DNS: beginbrought.net (Type: A)
DNS: knownbrought.net (Type: A)
DNS: summermethod.net (Type: A)
DNS: summerdirect.net (Type: A)
DNS: summerbrought.net (Type: A)
DNS: crowdbrought.net (Type: A)
DNS: thoughtmethod.net (Type: A)
DNS: watermethod.net (Type: A)
DNS: thoughtdirect.net (Type: A)
DNS: thoughtbrought.net (Type: A)
DNS: waterbrought.net (Type: A)
DNS: womanmethod.net (Type: A)
DNS: smokemethod.net (Type: A)
DNS: womanaction.net (Type: A)
DNS: smokeaction.net (Type: A)
DNS: womandirect.net (Type: A)
DNS: smokedirect.net (Type: A)
DNS: womanbrought.net (Type: A)
DNS: smokebrought.net (Type: A)
DNS: partymethod.net (Type: A)
DNS: partyaction.net (Type: A)
DNS: fightaction.net (Type: A)
DNS: partydirect.net (Type: A)
DNS: fightdirect.net (Type: A)
DNS: partybrought.net (Type: A)
DNS: fightbrought.net (Type: A)
DNS: freshspeak.net (Type: A)
DNS: experiencespeak.net (Type: A)
DNS: freshniece.net (Type: A)
DNS: experienceniece.net (Type: A)
DNS: freshwrite.net (Type: A)
DNS: experiencewrite.net (Type: A)
DNS: freshoclock.net (Type: A)
DNS: experienceoclock.net (Type: A)
DNS: gentlemanspeak.net (Type: A)
DNS: alreadyspeak.net (Type: A)
DNS: gentlemanniece.net (Type: A)
DNS: alreadyniece.net (Type: A)
DNS: gentlemanwrite.net (Type: A)
DNS: alreadywrite.net (Type: A)
DNS: gentlemanoclock.net (Type: A)
DNS: alreadyoclock.net (Type: A)
DNS: followspeak.net (Type: A)
HTTP GET: http://freshmethod.net/index.php
User-Agent:
HTTP GET: http://freshaction.net/index.php
User-Agent:
HTTP GET: http://freshdirect.net/index.php
User-Agent:
HTTP GET: http://experiencedirect.net/index.php
User-Agent:
HTTP GET: http://alreadyaction.net/index.php
User-Agent:
HTTP GET: http://memberaction.net/index.php
User-Agent:
HTTP GET: http://memberdirect.net/index.php
User-Agent:
HTTP GET: http://knownaction.net/index.php
User-Agent:
HTTP GET: http://crowdmethod.net/index.php
User-Agent:
HTTP GET: http://summeraction.net/index.php
User-Agent:
HTTP GET: http://crowdaction.net/index.php
User-Agent:
HTTP GET: http://crowddirect.net/index.php
User-Agent:
HTTP GET: http://thoughtaction.net/index.php
User-Agent:
HTTP GET: http://wateraction.net/index.php
User-Agent:
HTTP GET: http://waterdirect.net/index.php
User-Agent:
HTTP GET: http://fightmethod.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 113.20.9.169:80
Flows TCP: 192.168.1.1:1032 ➝ 72.52.4.120:80
Flows TCP: 192.168.1.1:1033 ➝ 208.48.81.134:80
Flows TCP: 192.168.1.1:1034 ➝ 50.63.202.32:80
Flows TCP: 192.168.1.1:1035 ➝ 195.22.26.253:80
Flows TCP: 192.168.1.1:1036 ➝ 184.168.221.51:80
Flows TCP: 192.168.1.1:1037 ➝ 209.53.114.33:80
Flows TCP: 192.168.1.1:1038 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1039 ➝ 50.63.202.63:80
Flows TCP: 192.168.1.1:1040 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1041 ➝ 97.74.42.79:80
Flows TCP: 192.168.1.1:1042 ➝ 69.64.147.242:80
Flows TCP: 192.168.1.1:1043 ➝ 74.220.199.8:80
Flows TCP: 192.168.1.1:1044 ➝ 50.63.202.22:80
Flows TCP: 192.168.1.1:1045 ➝ 66.96.161.145:80
Flows TCP: 192.168.1.1:1046 ➝ 184.168.167.179:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   72657368 6d657468 6f642e6e 65740d0a   reshmethod.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   72657368 61637469 6f6e2e6e 65740d0a   reshaction.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   72657368 64697265 63742e6e 65740d0a   reshdirect.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   78706572 69656e63 65646972 6563742e   xperiencedirect.
0x00000050 (00080)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2061   : close..Host: a
0x00000040 (00064)   6c726561 64796163 74696f6e 2e6e6574   lreadyaction.net
0x00000050 (00080)   0d0a0d0a 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   656d6265 72616374 696f6e2e 6e65740d   emberaction.net.
0x00000050 (00080)   0a0d0a0a 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   656d6265 72646972 6563742e 6e65740d   emberdirect.net.
0x00000050 (00080)   0a0d0a0a 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206b   : close..Host: k
0x00000040 (00064)   6e6f776e 61637469 6f6e2e6e 65740d0a   nownaction.net..
0x00000050 (00080)   0d0a0a0a 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   726f7764 6d657468 6f642e6e 65740d0a   rowdmethod.net..
0x00000050 (00080)   0d0a0a0a 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   756d6d65 72616374 696f6e2e 6e65740d   ummeraction.net.
0x00000050 (00080)   0a0d0a0a 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   726f7764 61637469 6f6e2e6e 65740d0a   rowdaction.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   726f7764 64697265 63742e6e 65740d0a   rowddirect.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2074   : close..Host: t
0x00000040 (00064)   686f7567 68746163 74696f6e 2e6e6574   houghtaction.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746572 61637469 6f6e2e6e 65740d0a   ateraction.net..
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746572 64697265 63742e6e 65740d0a   aterdirect.net..
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   69676874 6d657468 6f642e6e 65740d0a   ightmethod.net..
0x00000050 (00080)   0d0a0d0a                              ....


Strings