Analysis Date: 2015-08-01 21:45:22
MD5: 3423b8326010c0858d46a908ea06237d
SHA1: 7757f12c77c00e0e65d4a93bc3263642f814baba

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 610f54dd79f817299912e8ee73243303 sha1: 115b80ac00c34233d96a14841d1b2b3d4dadd060 size: 326656
Section .rdata md5: 2fb5b0ed7e81230d2d727d8ea21d83f0 sha1: df965f8aeec70057af0bad8436bbeafaf5122ff9 size: 61440
Section .data  md5: 36dd33fc6d2a2e3aa3dc221be464e39b sha1: ae1db73f78f6cc524d7fc0ab1e809d692f9b910e size: 7168
Section .reloc md5: 0f630c5f8734f843a3121932f962c8c9 sha1: 1c82bf542d0730c1d73425348d4d59cf0027f36f size: 27648
Timestamp: 2015-05-11 06:59:51
Packer: Microsoft Visual C++ 8
PEhash: 8ef89e7ffa6a9caa2429c5694ce998ad6620fce7
IMPhash: 4d7ee060e0e323157da24be1e4ada246
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AL
AV Dr. Web: Trojan.Bayrob.1
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV CA (E-Trust Ino): no_virus
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV Ad-Aware: Gen:Variant.Kazy.611009
AV BullGuard: Gen:Variant.Kazy.611009
AV ClamAV: no_virus
AV Rising: Trojan.Win32.Bayrod.b
AV MicroWorld (escan): Gen:Variant.Kazy.611009
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV VirusBlokAda (vba32): no_virus
AV Eset (nod32): Win32/Bayrob.W
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Fortinet: W32/Bayrob.T!tr
AV Zillya!: no_virus
AV Padvish: no_virus
AV Emsisoft: Gen:Variant.Kazy.611009
AV BitDefender: Gen:Variant.Kazy.611009
AV Twister: Trojan.Scar.jhrq.ebec
AV Kaspersky: Trojan.Win32.Generic
AV Arcabit (arcavir): Gen:Variant.Kazy.611009
AV Mcafee: PWS-FCCE!3423B8326010
AV Frisk (f-prot): no_virus
AV MalwareBytes: Trojan.Agent.KVTGen
AV Trend Micro: TROJ_BAYROB.SM0
AV F-Secure: Gen:Variant.Kazy.611009
AV Ikarus: Trojan.Win32.Bayrob
AV K7: Trojan ( 004c3a4d1 )
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\fdhcksp\wy67i1m0zno9tfosmhojx.exe
Creates File: C:\fdhcksp\sxosz9gprbd
Creates File: C:\WINDOWS\fdhcksp\sxosz9gprbd
Deletes File: C:\WINDOWS\fdhcksp\sxosz9gprbd
Creates Process: C:\fdhcksp\wy67i1m0zno9tfosmhojx.exe

Process
↳ C:\fdhcksp\wy67i1m0zno9tfosmhojx.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\System Center Network ActiveX ➝ C:\fdhcksp\ngoengvktike.exe
Creates File: C:\fdhcksp\ngoengvktike.exe
Creates File: PIPE\lsarpc
Creates File: C:\fdhcksp\sxosz9gprbd
Creates File: C:\WINDOWS\fdhcksp\sxosz9gprbd
Creates File: C:\fdhcksp\jajiso7tzqy
Deletes File: C:\WINDOWS\fdhcksp\sxosz9gprbd
Creates Process: C:\fdhcksp\ngoengvktike.exe

Process
↳ C:\fdhcksp\ngoengvktike.exe

Creates File: C:\fdhcksp\q0nk7cvzohd
Creates File: PIPE\lsarpc
Creates File: C:\fdhcksp\sxosz9gprbd
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\fdhcksp\sxosz9gprbd
Creates File: C:\fdhcksp\ivydmys.exe
Creates File: C:\fdhcksp\jajiso7tzqy
Deletes File: C:\fdhcksp\wy67i1m0zno9tfosmhojx.exe
Deletes File: C:\WINDOWS\fdhcksp\sxosz9gprbd
Creates Process: audngacgiwjw "c:\fdhcksp\ngoengvktike.exe"

Process
↳ audngacgiwjw "c:\fdhcksp\ngoengvktike.exe"

Creates File: C:\fdhcksp\sxosz9gprbd
Creates File: C:\WINDOWS\fdhcksp\sxosz9gprbd
Deletes File: C:\WINDOWS\fdhcksp\sxosz9gprbd

Network Details:

DNS profiles.dexknows.com (Type: A) ➝ 204.133.117.26
DNS winterbright.net (Type: A) ➝ 67.231.253.49
DNS probablybright.net (Type: A) ➝ 95.211.230.75
DNS sweetinside.net (Type: A) ➝ 208.91.197.241
DNS simplepeople.net (Type: A) ➝ 91.194.77.112
DNS motherdaughter.net (Type: A) ➝ 208.91.197.26
DNS laughbright.net (Type: A)
DNS severainside.net (Type: A)
DNS laughinside.net (Type: A)
DNS simpleinstead.net (Type: A)
DNS motherinstead.net (Type: A)
DNS simpleexplain.net (Type: A)
DNS motherexplain.net (Type: A)
DNS simplebright.net (Type: A)
DNS motherbright.net (Type: A)
DNS simpleinside.net (Type: A)
DNS motherinside.net (Type: A)
DNS mountaininstead.net (Type: A)
DNS possibleinstead.net (Type: A)
DNS mountainexplain.net (Type: A)
DNS possibleexplain.net (Type: A)
DNS mountainbright.net (Type: A)
DNS possiblebright.net (Type: A)
DNS mountaininside.net (Type: A)
DNS possibleinside.net (Type: A)
DNS perhapsinstead.net (Type: A)
DNS windowinstead.net (Type: A)
DNS perhapsexplain.net (Type: A)
DNS windowexplain.net (Type: A)
DNS perhapsbright.net (Type: A)
DNS windowbright.net (Type: A)
DNS perhapsinside.net (Type: A)
DNS windowinside.net (Type: A)
DNS winterinstead.net (Type: A)
DNS subjectinstead.net (Type: A)
DNS winterexplain.net (Type: A)
DNS subjectexplain.net (Type: A)
DNS subjectbright.net (Type: A)
DNS winterinside.net (Type: A)
DNS subjectinside.net (Type: A)
DNS finishinstead.net (Type: A)
DNS leaveinstead.net (Type: A)
DNS finishexplain.net (Type: A)
DNS leaveexplain.net (Type: A)
DNS finishbright.net (Type: A)
DNS leavebright.net (Type: A)
DNS finishinside.net (Type: A)
DNS leaveinside.net (Type: A)
DNS sweetinstead.net (Type: A)
DNS probablyinstead.net (Type: A)
DNS sweetexplain.net (Type: A)
DNS probablyexplain.net (Type: A)
DNS sweetbright.net (Type: A)
DNS probablyinside.net (Type: A)
DNS severalinstead.net (Type: A)
DNS materialinstead.net (Type: A)
DNS severalexplain.net (Type: A)
DNS materialexplain.net (Type: A)
DNS severalbright.net (Type: A)
DNS materialbright.net (Type: A)
DNS severalinside.net (Type: A)
DNS materialinside.net (Type: A)
DNS severaready.net (Type: A)
DNS laughready.net (Type: A)
DNS severabrown.net (Type: A)
DNS laughbrown.net (Type: A)
DNS severapeople.net (Type: A)
DNS laughpeople.net (Type: A)
DNS severadaughter.net (Type: A)
DNS laughdaughter.net (Type: A)
DNS simpleready.net (Type: A)
DNS motherready.net (Type: A)
DNS simplebrown.net (Type: A)
DNS motherbrown.net (Type: A)
DNS motherpeople.net (Type: A)
DNS simpledaughter.net (Type: A)
DNS mountainready.net (Type: A)
DNS possibleready.net (Type: A)
DNS mountainbrown.net (Type: A)
DNS possiblebrown.net (Type: A)
DNS mountainpeople.net (Type: A)
DNS possiblepeople.net (Type: A)
DNS mountaindaughter.net (Type: A)
DNS possibledaughter.net (Type: A)
DNS perhapsready.net (Type: A)
DNS windowready.net (Type: A)
HTTP GET: http://windowbright.net/index.php
User-Agent:
HTTP GET: http://winterbright.net/index.php
User-Agent:
HTTP GET: http://probablybright.net/index.php
User-Agent:
HTTP GET: http://sweetinside.net/index.php
User-Agent:
HTTP GET: http://simplepeople.net/index.php
User-Agent:
HTTP GET: http://motherdaughter.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 204.133.117.26:80
Flows TCP: 192.168.1.1:1032 ➝ 67.231.253.49:80
Flows TCP: 192.168.1.1:1033 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1034 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1035 ➝ 91.194.77.112:80
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.26:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   696e646f 77627269 6768742e 6e65740d   indowbright.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   696e7465 72627269 6768742e 6e65740d   interbright.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   726f6261 626c7962 72696768 742e6e65   robablybright.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   77656574 696e7369 64652e6e 65740d0a   weetinside.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   696d706c 6570656f 706c652e 6e65740d   implepeople.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f746865 72646175 67687465 722e6e65   otherdaughter.ne
0x00000050 (00080)   740d0a0d 0a                           t....

Strings