Analysis Date: 2015-10-23 18:19:02
MD5: 2ba6db4664dc839cfda11854a296fe52
SHA1: 7629a2e2cc38a700170a3412b4e4d83317d28fc5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: d0cba01bbae472c282f0ad9bc13132df sha1: 5977698375efb22e0deeb965ab07ebccafd1c4f1 size: 292352
Section .rdata: md5: 6842dab2cfedc25fdec36c800691840a sha1: 7ee7964c294de5f798cad0b912bcc181c77514df size: 58880
Section .data: md5: c16b6a9ed36b69435a549ec75e92f5e7 sha1: 83220be644b7b0df8eca291ea90394ca71d1fc29 size: 7168
Section .reloc: md5: 909f4b05ec7ee19c86c7327751158df0 sha1: 9b0ee476712c8d818cf3b1e39d658ffa47f38815 size: 20992
Timestamp: 2015-05-11 06:51:46
Packer: Microsoft Visual C++ 8
PEhash: 9034fb9d1dbbf3564be14c2cf77e9b9f724c0550
IMPhash: 6ce919fe117e9a5cea6747dc964fa0b7
AV Rising: Trojan.Win32.Bayrod.b
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.611009
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.611009
AV BullGuard: Gen:Variant.Kazy.611009
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.611009
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.611009
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AL
AV K7: Trojan ( 004c3a4d1 )
AV BitDefender: Gen:Variant.Kazy.611009
AV Fortinet: W32/Bayrob.T!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.W
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Kazy.611009
AV Twister: no_virus
AV Avira (antivir): TR/AD.Nivdort.M.43
AV Mcafee: PWS-FCCE!2BA6DB4664DC

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\hzkcahadgxxwupx\rx1llswyvwhsfhry.exe
Creates File: C:\WINDOWS\hzkcahadgxxwupx\nyivzm
Creates File: C:\hzkcahadgxxwupx\nyivzm
Deletes File: C:\WINDOWS\hzkcahadgxxwupx\nyivzm
Creates Process: C:\hzkcahadgxxwupx\rx1llswyvwhsfhry.exe

Process
↳ C:\hzkcahadgxxwupx\rx1llswyvwhsfhry.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Modules Removal Client ➝ C:\hzkcahadgxxwupx\xtqwrardsscu.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\hzkcahadgxxwupx\nyivzm
Creates File: C:\hzkcahadgxxwupx\acgq4kovbw
Creates File: C:\hzkcahadgxxwupx\nyivzm
Creates File: C:\hzkcahadgxxwupx\xtqwrardsscu.exe
Deletes File: C:\WINDOWS\hzkcahadgxxwupx\nyivzm
Creates Process: C:\hzkcahadgxxwupx\xtqwrardsscu.exe
Creates Service: Port Counter Configuration Publication - C:\hzkcahadgxxwupx\xtqwrardsscu.exe

Process
↳ Pid 804

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1132

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1880

Process
↳ Pid 1180

Process
↳ C:\hzkcahadgxxwupx\xtqwrardsscu.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\hzkcahadgxxwupx\nxkbtlhf.exe
Creates File: C:\WINDOWS\hzkcahadgxxwupx\nyivzm
Creates File: \Device\Afd\Endpoint
Creates File: C:\hzkcahadgxxwupx\acgq4kovbw
Creates File: C:\hzkcahadgxxwupx\nyivzm
Creates File: C:\hzkcahadgxxwupx\tjkijtljdlqy
Deletes File: C:\WINDOWS\hzkcahadgxxwupx\nyivzm
Creates Process: zapdo2qmqmdi "c:\hzkcahadgxxwupx\xtqwrardsscu.exe"

Process
↳ C:\hzkcahadgxxwupx\xtqwrardsscu.exe

Creates File: C:\WINDOWS\hzkcahadgxxwupx\nyivzm
Creates File: C:\hzkcahadgxxwupx\nyivzm
Deletes File: C:\WINDOWS\hzkcahadgxxwupx\nyivzm

Process
↳ zapdo2qmqmdi "c:\hzkcahadgxxwupx\xtqwrardsscu.exe"

Creates File: C:\WINDOWS\hzkcahadgxxwupx\nyivzm
Creates File: C:\hzkcahadgxxwupx\nyivzm
Deletes File: C:\WINDOWS\hzkcahadgxxwupx\nyivzm

Network Details:

HTTP GET: http://littlepower.net/index.php
User-Agent:
HTTP GET: http://increasefamous.net/index.php
User-Agent:
HTTP GET: http://forgetcountry.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 58.64.204.42:80
Flows TCP: 192.168.1.1:1032 ➝ 84.16.80.74:80
Flows TCP: 192.168.1.1:1033 ➝ 209.99.40.223:80
Flows TCP: 192.168.1.1:1034 ➝ 209.99.40.223:80

Raw Pcap

Strings