Analysis Date: 2015-10-11 19:42:30
MD5: 7070828124f5d196410494330cb642cc
SHA1: 793105c9e1598e269b304273c82d312278b1e863

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: d84083664f5c384a9d08456b90d7cfdf sha1: 1df8b1ed5319cf86fdd7c5999e3e83b12b530ec2 size: 306176
Section .rdata: md5: 55a25fc504b0ef12eb02a9c1e685cc65 sha1: 95e5ef87caadbca2fb8e385c03eaef29de064809 size: 59904
Section .data: md5: f2104bc51b60ed5f17ff115aabda233e sha1: aab4e8fd7c216d29e111b94dd39cb41134ff92ff size: 7680
Section .reloc: md5: 393143f2dc96cd8862e1d2b8e3dca65a sha1: 8f1e0f48745a65c6532911dac2eaa28ee9fec951 size: 23552
Timestamp: 2015-05-11 07:10:48
Packer: Microsoft Visual C++ 8
PEhash: 8218fa23afda53f9cc59d7d42ecef9348a7df88e
IMPhash: 539c99ffeb84ed4b19883419f484f222
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.611009
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.611009
AV BullGuard: Gen:Variant.Kazy.611009
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.611009
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.611009
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AY
AV K7: Trojan ( 004c3a4d1 )
AV BitDefender: Gen:Variant.Kazy.611009
AV Fortinet: W32/Bayrob.T!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Generic36.BNQA
AV Eset (nod32): Win32/Bayrob.V.gen
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Kazy.611009
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.185606
AV Mcafee: PWS-FCCE!7070828124F5
AV Rising: Trojan.Win32.Bayrod.b

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\fcarkwctgzozr\nephf1krejejixgfajgr.exe
Creates File: C:\fcarkwctgzozr\jtvd25g
Creates File: C:\WINDOWS\fcarkwctgzozr\jtvd25g
Deletes File: C:\WINDOWS\fcarkwctgzozr\jtvd25g
Creates Process: C:\fcarkwctgzozr\nephf1krejejixgfajgr.exe

Process
↳ C:\fcarkwctgzozr\nephf1krejejixgfajgr.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Initiator Debugger Endpoint ➝ C:\fcarkwctgzozr\srkppgnjcja.exe
Creates File: C:\fcarkwctgzozr\jtvd25g
Creates File: C:\fcarkwctgzozr\srkppgnjcja.exe
Creates File: C:\fcarkwctgzozr\u8ajrpccvt
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\fcarkwctgzozr\jtvd25g
Deletes File: C:\WINDOWS\fcarkwctgzozr\jtvd25g
Creates Process: C:\fcarkwctgzozr\srkppgnjcja.exe
Creates Service: AutoConnect Config Framework Task Grouping - C:\fcarkwctgzozr\srkppgnjcja.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1872

Process
↳ Pid 1148

Process
↳ C:\fcarkwctgzozr\srkppgnjcja.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\fcarkwctgzozr\uqc3uhfg
Creates File: C:\fcarkwctgzozr\jtvd25g
Creates File: C:\fcarkwctgzozr\bemobfa.exe
Creates File: C:\fcarkwctgzozr\u8ajrpccvt
Creates File: C:\WINDOWS\fcarkwctgzozr\jtvd25g
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\fcarkwctgzozr\jtvd25g
Creates Process: ruknmhcgllfo "c:\fcarkwctgzozr\srkppgnjcja.exe"

Process
↳ C:\fcarkwctgzozr\srkppgnjcja.exe

Creates File: C:\fcarkwctgzozr\jtvd25g
Creates File: C:\WINDOWS\fcarkwctgzozr\jtvd25g
Deletes File: C:\WINDOWS\fcarkwctgzozr\jtvd25g

Process
↳ ruknmhcgllfo "c:\fcarkwctgzozr\srkppgnjcja.exe"

Creates File: C:\fcarkwctgzozr\jtvd25g
Creates File: C:\WINDOWS\fcarkwctgzozr\jtvd25g
Deletes File: C:\WINDOWS\fcarkwctgzozr\jtvd25g

Network Details:

HTTP GET: http://nightstation.net/index.php
User-Agent:
HTTP GET: http://electricstation.net/index.php
User-Agent:
HTTP GET: http://streetstation.net/index.php
User-Agent:
HTTP GET: http://tradestation.net/index.php
User-Agent:
HTTP GET: http://doubttravel.net/index.php
User-Agent:
HTTP GET: http://nightspace.net/index.php
User-Agent:
HTTP GET: http://largespace.net/index.php
User-Agent:
HTTP GET: http://captainspace.net/index.php
User-Agent:
HTTP GET: http://captaintravel.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 69.163.242.16:80
Flows TCP: 192.168.1.1:1032 ➝ 50.63.202.37:80
Flows TCP: 192.168.1.1:1033 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1034 ➝ 65.211.211.21:80
Flows TCP: 192.168.1.1:1035 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1036 ➝ 91.250.101.43:80
Flows TCP: 192.168.1.1:1037 ➝ 62.22.102.59:80
Flows TCP: 192.168.1.1:1038 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1039 ➝ 184.168.221.96:80
