Analysis Date: 2015-07-23 20:35:43
MD5: 1365e87a0fb1693d071835bcacaab0cf
SHA1: 77066a47763f3f18dc59845c98072b26d027e6e6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 0feaf8e0826b3f51b2b71f5c32bee7cf sha1: b81857f34270eb176b89ffa38ab9dbc39b1f12d8 size: 198144
Section .rdata: md5: a3a34be1bf5d4df2eae5659c3f4ab5b5 sha1: 84643a9767b5c28b68ee2a46269b25f33b845267 size: 52224
Section .data: md5: 312d0954718d4a1f08d7284e107694a3 sha1: 73017701674dc7e37cf0ea95a05489b7b92165e8 size: 7680
Section .reloc: md5: 983e70069a6bef097de499f251df640f sha1: 2588390a794c280696bdabb1ba61755413e99298 size: 14848
Timestamp: 2015-04-29 19:11:20
Packer: Microsoft Visual C++ 8 (a compiler signature, not a packer: the scanner found no packer signature)
PEhash: 517673ab21571391a9eee49b72dc9b969b4828ba
IMPhash: ae7e8ebe6780888dbbb010f907380304
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.604861
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.604861
AV BullGuard: Gen:Variant.Kazy.604861
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: TROJ_BAYROB.KSK
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.604861
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.R.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AY
AV K7: Trojan ( 004c12491 )
AV BitDefender: Gen:Variant.Kazy.604861
AV Fortinet: W32/Generic.AC.215362
AV Symantec: Downloader.Upatre
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Q
AV Alwil (avast): VB-AJEW [Trj]
AV Ad-Aware: Gen:Variant.Kazy.604861
AV Twister: Trojan.0000E9000000006A1.mg
AV Avira (antivir): TR/Kryptik.qgmpd
AV Mcafee: Trojan-FGIJ!1365E87A0FB1
AV Rising: Trojan.Win32.Bayrod.a

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\jvmcwwmjefswlr\ww1lj6pfljmvbhyx.exe
Creates File: C:\jvmcwwmjefswlr\kgvvxjc8jmn
Creates File: C:\WINDOWS\jvmcwwmjefswlr\kgvvxjc8jmn
Deletes File: C:\WINDOWS\jvmcwwmjefswlr\kgvvxjc8jmn
Creates Process: C:\jvmcwwmjefswlr\ww1lj6pfljmvbhyx.exe

Process
↳ C:\jvmcwwmjefswlr\ww1lj6pfljmvbhyx.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Extensible IPsec Window Coordinator SSDP ➝ C:\jvmcwwmjefswlr\jrgypyfnuyj.exe
Creates File: C:\jvmcwwmjefswlr\jrgypyfnuyj.exe
Creates File: C:\jvmcwwmjefswlr\kgvvxjc8jmn
Creates File: C:\WINDOWS\jvmcwwmjefswlr\kgvvxjc8jmn
Creates File: PIPE\lsarpc
Creates File: C:\jvmcwwmjefswlr\iadpgwnu7
Deletes File: C:\WINDOWS\jvmcwwmjefswlr\kgvvxjc8jmn
Creates Process: C:\jvmcwwmjefswlr\jrgypyfnuyj.exe
Creates Service: Parental Device Propagation Fax - C:\jvmcwwmjefswlr\jrgypyfnuyj.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
(These are the print spooler's own configuration reads at start-up; nothing on this page ties them to the sample.)

Process
↳ Pid 1844

Process
↳ Pid 1132

Process
↳ C:\jvmcwwmjefswlr\jrgypyfnuyj.exe

Creates File: pipe\net\NtControlPipe10 (the service control pipe: this instance is the copy started by the Service Control Manager)
Creates File: C:\jvmcwwmjefswlr\kgvvxjc8jmn
Creates File: C:\WINDOWS\jvmcwwmjefswlr\kgvvxjc8jmn
Creates File: C:\jvmcwwmjefswlr\irdcemxc.exe
Creates File: \Device\Afd\Endpoint (a Winsock socket was opened; the network activity below originates here)
Creates File: C:\jvmcwwmjefswlr\fqlhplji6b
Creates File: C:\jvmcwwmjefswlr\iadpgwnu7
Deletes File: C:\WINDOWS\jvmcwwmjefswlr\kgvvxjc8jmn
Creates Process: tnskojpyrigy "c:\jvmcwwmjefswlr\jrgypyfnuyj.exe"

Process
↳ C:\jvmcwwmjefswlr\jrgypyfnuyj.exe

Creates File: C:\jvmcwwmjefswlr\kgvvxjc8jmn
Creates File: C:\WINDOWS\jvmcwwmjefswlr\kgvvxjc8jmn
Deletes File: C:\WINDOWS\jvmcwwmjefswlr\kgvvxjc8jmn

Process
↳ tnskojpyrigy "c:\jvmcwwmjefswlr\jrgypyfnuyj.exe"

Creates File: C:\jvmcwwmjefswlr\kgvvxjc8jmn
Creates File: C:\WINDOWS\jvmcwwmjefswlr\kgvvxjc8jmn
Deletes File: C:\WINDOWS\jvmcwwmjefswlr\kgvvxjc8jmn
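
The Run value and the service recorded above both point at the same binary, C:\jvmcwwmjefswlr\jrgypyfnuyj.exe, living in a freshly created directory directly under the drive root with a random-looking name. The Python below is an added example by the editor, not sandbox output, showing how to turn that into a triage heuristic over autorun entries: it flags image paths whose top-level directory is not one of the standard roots, and directory or file names with almost no vowels or long consonant runs. The sample entries are constructed from the two persistence entries on this page plus two benign controls; KNOWN_ROOTS and the randomness thresholds are the editor's assumptions, meant to rank entries for a human, not to convict on their own.

```python
"""Autorun triage heuristics (added example, not part of the sandbox report).

The sample entries are constructed from the Run key and service recorded
above, plus two benign controls.  KNOWN_ROOTS and the randomness
thresholds are the editor's assumptions, tuned to rank, not to convict.
"""
import re
from typing import NamedTuple


class AutorunEntry(NamedTuple):
    source: str    # "run" (HKLM\...\Run value) or "service"
    name: str      # value name or service name
    command: str   # image path or command line


# Top-level directories an autorun image is normally found under (assumption).
KNOWN_ROOTS = {
    "program files", "program files (x86)", "programdata",
    "windows", "users", "documents and settings",
}
VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]{5,}")


def looks_random(name: str) -> bool:
    """Lexical check for machine-generated names such as 'jvmcwwmjefswlr':
    eight or more letters with almost no vowels, or a run of five or more
    consonants.  Product names such as 'Microsoft OneDrive' pass as benign."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return vowel_ratio < 0.25 or CONSONANT_RUN.search(name.lower()) is not None


def image_path(command: str) -> str:
    """Return the executable part of a command line, quoted or bare."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def triage(entry: AutorunEntry) -> list:
    """Return the reasons an entry is suspicious (empty list if none)."""
    parts = image_path(entry.command).replace("/", "\\").split("\\")
    reasons = []
    # Expect ['C:', '<top-level dir>', ..., 'file.exe'].
    if len(parts) >= 3 and re.fullmatch(r"[A-Za-z]:", parts[0]):
        top = parts[1]
        if top.lower() not in KNOWN_ROOTS:
            reasons.append(f"image under non-standard root {parts[0]}\\{top}")
        if looks_random(top):
            reasons.append(f"random-looking directory name {top!r}")
    stem = parts[-1].rsplit(".", 1)[0]
    if looks_random(stem):
        reasons.append(f"random-looking file name {parts[-1]!r}")
    return reasons


def suspicious_entries(entries) -> dict:
    """Map entry name -> reasons for every entry that triggers a heuristic."""
    return {e.name: r for e in entries if (r := triage(e))}


# Constructed sample: the two persistence entries from the report plus two
# benign controls (the benign paths are illustrative, not from the report).
SAMPLE_ENTRIES = [
    AutorunEntry("run", "Extensible IPsec Window Coordinator SSDP",
                 r"C:\jvmcwwmjefswlr\jrgypyfnuyj.exe"),
    AutorunEntry("service", "Parental Device Propagation Fax",
                 r"C:\jvmcwwmjefswlr\jrgypyfnuyj.exe"),
    AutorunEntry("run", "OneDrive",
                 r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    AutorunEntry("service", "Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
]

if __name__ == "__main__":
    for name, reasons in suspicious_entries(SAMPLE_ENTRIES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run against a real host, the entries would come from the HKLM and HKCU Run keys and from the ImagePath of every service; the two entries from this report trip all three heuristics, the two controls trip none. The name fields themselves ("Extensible IPsec Window Coordinator SSDP", "Parental Device Propagation Fax") are plausible-sounding word strings and are deliberately not scored here.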

Network Details:

DNS: membersystem.net (A) ➝ 85.13.128.193
DNS: followtrust.net (A) ➝ 68.178.232.100
DNS: thoughtsystem.net (A) ➝ 213.171.195.105
DNS: watersystem.net (A) ➝ 199.59.243.120
DNS: watertrust.net (A) ➝ 208.91.197.27
DNS: partysystem.net (A) ➝ 82.165.73.79
DNS: freshfriend.net (A) ➝ 95.211.230.75
The following A queries have no answer recorded in the report:
DNS: gentlemanneither.net (A)
DNS: alreadyneither.net (A)
DNS: gentlemansystem.net (A)
DNS: alreadysystem.net (A)
DNS: gentlemantrust.net (A)
DNS: alreadytrust.net (A)
DNS: followhonor.net (A)
DNS: memberhonor.net (A)
DNS: followneither.net (A)
DNS: memberneither.net (A)
DNS: followsystem.net (A)
DNS: membertrust.net (A)
DNS: beginhonor.net (A)
DNS: knownhonor.net (A)
DNS: beginneither.net (A)
DNS: knownneither.net (A)
DNS: beginsystem.net (A)
DNS: knownsystem.net (A)
DNS: begintrust.net (A)
DNS: knowntrust.net (A)
DNS: summerhonor.net (A)
DNS: crowdhonor.net (A)
DNS: summerneither.net (A)
DNS: crowdneither.net (A)
DNS: summersystem.net (A)
DNS: crowdsystem.net (A)
DNS: summertrust.net (A)
DNS: crowdtrust.net (A)
DNS: thoughthonor.net (A)
DNS: waterhonor.net (A)
DNS: thoughtneither.net (A)
DNS: waterneither.net (A)
DNS: thoughttrust.net (A)
DNS: womanhonor.net (A)
DNS: smokehonor.net (A)
DNS: womanneither.net (A)
DNS: smokeneither.net (A)
DNS: womansystem.net (A)
DNS: smokesystem.net (A)
DNS: womantrust.net (A)
DNS: smoketrust.net (A)
DNS: partyhonor.net (A)
DNS: fighthonor.net (A)
DNS: partyneither.net (A)
DNS: fightneither.net (A)
DNS: fightsystem.net (A)
DNS: partytrust.net (A)
DNS: fighttrust.net (A)
DNS: freshlaughter.net (A)
DNS: experiencelaughter.net (A)
DNS: freshfancy.net (A)
DNS: experiencefancy.net (A)
DNS: freshconsider.net (A)
DNS: experienceconsider.net (A)
DNS: experiencefriend.net (A)
DNS: gentlemanlaughter.net (A)
DNS: alreadylaughter.net (A)
DNS: gentlemanfancy.net (A)
DNS: alreadyfancy.net (A)
DNS: gentlemanconsider.net (A)
DNS: alreadyconsider.net (A)
DNS: gentlemanfriend.net (A)
DNS: alreadyfriend.net (A)
DNS: followlaughter.net (A)
DNS: memberlaughter.net (A)
DNS: followfancy.net (A)
DNS: memberfancy.net (A)
DNS: followconsider.net (A)
DNS: memberconsider.net (A)
DNS: followfriend.net (A)
DNS: memberfriend.net (A)
DNS: beginlaughter.net (A)
DNS: knownlaughter.net (A)
DNS: beginfancy.net (A)
DNS: knownfancy.net (A)
DNS: beginconsider.net (A)
DNS: knownconsider.net (A)
DNS: beginfriend.net (A)
HTTP GET: http://membersystem.net/index.php (User-Agent: none)
HTTP GET: http://followtrust.net/index.php (User-Agent: none)
HTTP GET: http://thoughtsystem.net/index.php (User-Agent: none)
HTTP GET: http://watersystem.net/index.php (User-Agent: none)
HTTP GET: http://watertrust.net/index.php (User-Agent: none)
HTTP GET: http://partysystem.net/index.php (User-Agent: none)
HTTP GET: http://freshfriend.net/index.php (User-Agent: none)
Flows TCP: 192.168.1.1:1031 ➝ 85.13.128.193:80
Flows TCP: 192.168.1.1:1032 ➝ 68.178.232.100:80
Flows TCP: 192.168.1.1:1033 ➝ 213.171.195.105:80
Flows TCP: 192.168.1.1:1034 ➝ 199.59.243.120:80
Flows TCP: 192.168.1.1:1035 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1036 ➝ 82.165.73.79:80
Flows TCP: 192.168.1.1:1037 ➝ 95.211.230.75:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   656d6265 72737973 74656d2e 6e65740d   embersystem.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   6f6c6c6f 77747275 73742e6e 65740d0a   ollowtrust.net..
0x00000050 (00080)   0d0a0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2074   : close..Host: t
0x00000040 (00064)   686f7567 68747379 7374656d 2e6e6574   houghtsystem.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746572 73797374 656d2e6e 65740d0a   atersystem.net..
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   61746572 74727573 742e6e65 740d0a0d   atertrust.net...
0x00000050 (00080)   0a0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   61727479 73797374 656d2e6e 65740d0a   artysystem.net..
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   72657368 66726965 6e642e6e 65740d0a   reshfriend.net..
0x00000050 (00080)   0d0a0d0a                              ....
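
Two things in the network section above are worth turning into detection logic. Every queried hostname is two English words concatenated under .net (member+system, follow+trust, experience+friend, and so on), the dictionary word-pair pattern behind the Bayrob/Nivdort names in the AV results, and the raw pcap dumps show each request as a bare HTTP/1.0 GET /index.php carrying only Accept, Connection and Host, with no User-Agent at all. The Python below is an added example by the editor, not sandbox output, that checks DNS log lines for the word-pair pattern and scores raw HTTP requests for the check-in shape. The word lists contain only the words that occur on this page; the malware's real dictionaries are assumed to be larger, so this is a sample-specific rule rather than a general Nivdort DGA model. The DNS log lines are constructed; SAMPLE_REQUEST reproduces the bytes of the first raw pcap dump.

```python
"""Detection logic for the C2 pattern in this report (added example, not
part of the sandbox output).

FIRST_WORDS / SECOND_WORDS hold only the words that appear in the DNS
section of this report; the malware's real dictionaries are assumed to be
larger.  SAMPLE_DNS_LOG is constructed.  SAMPLE_REQUEST reproduces the
bytes of the first raw pcap dump.
"""
import re

FIRST_WORDS = {
    "member", "follow", "thought", "water", "party", "fresh", "gentleman",
    "already", "begin", "known", "summer", "crowd", "woman", "smoke",
    "fight", "experience",
}
SECOND_WORDS = {
    "system", "trust", "honor", "neither", "friend", "laughter", "fancy",
    "consider",
}


def split_wordpair(host: str):
    """Return (first, second) when host is <first><second>.net with both
    words drawn from the lists, otherwise None."""
    m = re.fullmatch(r"([a-z]+)\.net\.?", host.lower())
    if not m:
        return None
    label = m.group(1)
    for first in FIRST_WORDS:
        if label.startswith(first) and label[len(first):] in SECOND_WORDS:
            return first, label[len(first):]
    return None


DNS_LINE = re.compile(r"query\s+A\s+(\S+)")


def dga_hits(log_lines):
    """Hostnames in A-query log lines that match the word-pair pattern,
    whether or not the query got an answer (the unanswered ones matter
    just as much: they are the sample walking its candidate list)."""
    hits = []
    for line in log_lines:
        m = DNS_LINE.search(line)
        if m and split_wordpair(m.group(1)):
            hits.append(m.group(1))
    return hits


def parse_http_request(raw: bytes):
    """Split a raw request into (method, path, version, {header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, path, version, headers


def beacon_reasons(raw: bytes):
    """Reasons a request looks like this sample's check-in: HTTP/1.0,
    no User-Agent, bare GET /index.php, and a word-pair Host."""
    method, path, version, headers = parse_http_request(raw)
    reasons = []
    if version == "HTTP/1.0":
        reasons.append("HTTP/1.0 request line")
    if "user-agent" not in headers:
        reasons.append("no User-Agent header")
    if method == "GET" and path == "/index.php":
        reasons.append("GET /index.php with no query string")
    host = headers.get("host", "")
    pair = split_wordpair(host)
    if pair:
        reasons.append(f"word-pair host {host} ({pair[0]}+{pair[1]})")
    return reasons


# Constructed log lines in a generic "client query TYPE name -> answer" shape.
SAMPLE_DNS_LOG = [
    "192.168.1.1 query A membersystem.net -> 85.13.128.193",
    "192.168.1.1 query A gentlemanneither.net -> (no answer)",
    "192.168.1.1 query A www.example.com -> 203.0.113.10",
    "192.168.1.1 query A microsoft.net -> (no answer)",
]

# Bytes of the first raw pcap dump above (GET to membersystem.net).
SAMPLE_REQUEST = (
    b"GET /index.php HTTP/1.0\r\nAccept: */*\r\nConnection: close\r\n"
    b"Host: membersystem.net\r\n\r\n"
)

if __name__ == "__main__":
    print("DGA queries:", dga_hits(SAMPLE_DNS_LOG))
    for reason in beacon_reasons(SAMPLE_REQUEST):
        print("beacon indicator:", reason)
```

Any one of the four request indicators is weak on its own (plenty of old tooling still sends HTTP/1.0 without a User-Agent); all four together on a host that is also bursting word-pair A queries, most of them unanswered, is the pattern this report shows. A proxy or IDS rule should therefore key on the combination and on the query volume, not on the seven domains that happened to resolve on 2015-07-23.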


Strings