Analysis Date: 2015-08-27 09:13:34
MD5: 951c7a5f72b7aa2564904d38e5f5a771
SHA1: 7f4adf7b1a87fb4a85dce51f8d30f380229c5f3f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: a31df477c74306424bdee6cc34925052 sha1: 21ede113073ad9a23760c26547636006a283cb7e size: 286208
Section .rdata: md5: 092611ce1e6cfa68b88dbafe3bc9d978 sha1: 140135a9f8e6f145aabc90d446626a98ebb04011 size: 43520
Section .data: md5: 758cf7933b0c228d31b93d90775c8c08 sha1: 7e590a5d2367500f3e8128d71cf32060c7160c9d size: 7168
Section .reloc: md5: c3759ee01ddad61e949a3885beda870b sha1: 4fa6ce932bae04cade08137f64b22335d1988728 size: 23040
Timestamp: 2015-05-21 04:46:18
Packer: Microsoft Visual C++ ?.?
PEhash: f101e68ce03a725e2ddc71e997ee08db9134dbd0
IMPhash: 9aeb6146840a44f59b829aac8382ec81
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Diley.1
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV BullGuard: Gen:Variant.Diley.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Scar.jznw
AV Zillya!: Trojan.Scar.Win32.93829
AV Emsisoft: Gen:Variant.Diley.1
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.V.gen!Eldorado
AV MalwareBytes: Trojan.Bayrob.KVTGen
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Microsoft Security Essentials: no_virus
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Diley.1
AV Fortinet: W32/Babrob.Y!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Y
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Diley.1
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.154251
AV McAfee: Trojan-FGIJ!951C7A5F72B7

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\aesufyifxm\poxwalvat
Creates File: C:\aesufyifxm\xoodv1l0idfrvvn5o0.exe
Creates File: C:\aesufyifxm\poxwalvat
Deletes File: C:\WINDOWS\aesufyifxm\poxwalvat
Creates Process: C:\aesufyifxm\xoodv1l0idfrvvn5o0.exe

Process
↳ C:\aesufyifxm\xoodv1l0idfrvvn5o0.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Upgrade Drive Program Routing ➝ C:\aesufyifxm\vzaumrg.exe
Creates File: C:\WINDOWS\aesufyifxm\poxwalvat
Creates File: C:\aesufyifxm\poxwalvat
Creates File: PIPE\lsarpc
Creates File: C:\aesufyifxm\hyrtau
Creates File: C:\aesufyifxm\vzaumrg.exe
Deletes File: C:\WINDOWS\aesufyifxm\poxwalvat
Creates Process: C:\aesufyifxm\vzaumrg.exe
Creates Service: Services Center Protection Assistant Configuration - C:\aesufyifxm\vzaumrg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1848

Process
↳ Pid 1132

Process
↳ C:\aesufyifxm\vzaumrg.exe

Creates File: C:\WINDOWS\aesufyifxm\poxwalvat
Creates File: pipe\net\NtControlPipe10
Creates File: C:\aesufyifxm\utjgjuqesnvd.exe
Creates File: C:\aesufyifxm\poxwalvat
Creates File: C:\aesufyifxm\hyrtau
Creates File: \Device\Afd\Endpoint
Creates File: C:\aesufyifxm\svklfhm
Deletes File: C:\WINDOWS\aesufyifxm\poxwalvat
Creates Process: ushkdj9orpmt "c:\aesufyifxm\vzaumrg.exe"

Process
↳ C:\aesufyifxm\vzaumrg.exe

Creates File: C:\WINDOWS\aesufyifxm\poxwalvat
Creates File: C:\aesufyifxm\poxwalvat
Deletes File: C:\WINDOWS\aesufyifxm\poxwalvat

Process
↳ ushkdj9orpmt "c:\aesufyifxm\vzaumrg.exe"

Creates File: C:\WINDOWS\aesufyifxm\poxwalvat
Creates File: C:\aesufyifxm\poxwalvat
Deletes File: C:\WINDOWS\aesufyifxm\poxwalvat

Network Details:

DNS: possibleperiod.net (Type: A) ➝ 192.64.119.216
DNS: finishperiod.net (Type: A) ➝ 50.63.202.32
DNS: severadifference.net (Type: A) ➝ 95.211.230.75
DNS: simpledifference.net (Type: A) ➝ 31.22.4.18
HTTP GET: http://possibleperiod.net/index.php (User-Agent: none)
HTTP GET: http://finishperiod.net/index.php (User-Agent: none)
HTTP GET: http://severadifference.net/index.php (User-Agent: none)
HTTP GET: http://simpledifference.net/index.php (User-Agent: none)
Flows TCP: 192.168.1.1:1031 ➝ 192.64.119.216:80
Flows TCP: 192.168.1.1:1032 ➝ 50.63.202.32:80
Flows TCP: 192.168.1.1:1033 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1034 ➝ 31.22.4.18:80

Raw Pcap

Strings