Analysis Date: 2015-08-03 16:11:49
MD5: d56d69caf9068b210eaae706361fb263
SHA1: 808e3924171befa3bea0afde7f94ea17e21ad40f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: d4d0a69f50a9c843a67a83b6584a0323 sha1: 71d8ad3f2be681fc21c7f7f8b11729bc80587c71 size: 290304
Section .rdata: md5: a92354acf84560e5f84a5a454ec8715b sha1: b4f89f13c7c9e7b2bfe7728214c2af6559f0922d size: 57856
Section .data: md5: 5fba949e597a3333905854c092600605 sha1: 1173bb8c73325388ae690d349201fa726ad0a052 size: 7168
Section .reloc: md5: 8c4efa0c4702546b7a623c243a914a72 sha1: 8f4627a997d98022740d16587f4c72bd7a47b320 size: 20480
Timestamp: 2015-05-11 06:13:47
Packer: Microsoft Visual C++ 8
PEhash: 61435948cba075d09f0ad16a3fbbbd4ee9daa3db
IMPhash: 0a0793ced6f6938b01a6e23792906491
AV BitDefender: Gen:Variant.Diley.1
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV Padvish: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV F-Secure: Gen:Variant.Diley.1
AV Eset (nod32): Win32/Bayrob.V.gen
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV Kaspersky: Trojan.Win32.Generic
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV Mcafee: no_virus
AV K7: Trojan ( 004c3a4d1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AL
AV BullGuard: Gen:Variant.Diley.1
AV MalwareBytes: Trojan.Agent.KVTGen
AV Ad-Aware: Gen:Variant.Diley.1
AV CA (E-Trust Ino): no_virus
AV Emsisoft: Gen:Variant.Diley.1
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Trend Micro: TROJ_BAYROB.SM0
AV Twister: Trojan.Scar.jhtc.qlwv
AV ClamAV: no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Rising: Trojan.Win32.Bayrod.b
AV Frisk (f-prot): no_virus
AV Zillya!: no_virus
AV Fortinet: W32/Bayrob.T!tr

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\kgkobgwmf\apg1l29oziwiil02o.exe
Creates File: C:\kgkobgwmf\pngww2cugxt
Creates File: C:\WINDOWS\kgkobgwmf\pngww2cugxt
Deletes File: C:\WINDOWS\kgkobgwmf\pngww2cugxt
Creates Process: C:\kgkobgwmf\apg1l29oziwiil02o.exe

Process
↳ C:\kgkobgwmf\apg1l29oziwiil02o.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Control Filtering Logon Store ➝ C:\kgkobgwmf\zzddfpq.exe
Creates File: C:\kgkobgwmf\zzddfpq.exe
Creates File: PIPE\lsarpc
Creates File: C:\kgkobgwmf\dhfllcixz4
Creates File: C:\kgkobgwmf\pngww2cugxt
Creates File: C:\WINDOWS\kgkobgwmf\pngww2cugxt
Deletes File: C:\WINDOWS\kgkobgwmf\pngww2cugxt
Creates Process: C:\kgkobgwmf\zzddfpq.exe
Creates Service: Link Config Gateway Bus SSDP Assistant - C:\kgkobgwmf\zzddfpq.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1848

Process
↳ Pid 1144

Process
↳ C:\kgkobgwmf\zzddfpq.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\kgkobgwmf\djodef9at
Creates File: C:\kgkobgwmf\zgazmpinx.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\kgkobgwmf\dhfllcixz4
Creates File: C:\kgkobgwmf\pngww2cugxt
Creates File: C:\WINDOWS\kgkobgwmf\pngww2cugxt
Deletes File: C:\WINDOWS\kgkobgwmf\pngww2cugxt
Creates Process: sncendgvvvmi "c:\kgkobgwmf\zzddfpq.exe"

Process
↳ C:\kgkobgwmf\zzddfpq.exe

Creates File: C:\kgkobgwmf\pngww2cugxt
Creates File: C:\WINDOWS\kgkobgwmf\pngww2cugxt
Deletes File: C:\WINDOWS\kgkobgwmf\pngww2cugxt

Process
↳ sncendgvvvmi "c:\kgkobgwmf\zzddfpq.exe"

Creates File: C:\kgkobgwmf\pngww2cugxt
Creates File: C:\WINDOWS\kgkobgwmf\pngww2cugxt
Deletes File: C:\WINDOWS\kgkobgwmf\pngww2cugxt

Network Details:

DNS: perhapsdifferent.net Type: A ➝ 195.22.26.252
DNS: perhapsdifferent.net Type: A ➝ 195.22.26.253
DNS: perhapsdifferent.net Type: A ➝ 195.22.26.254
DNS: perhapsdifferent.net Type: A ➝ 195.22.26.231
DNS: sweetsurprise.net Type: A ➝ 50.63.202.104
DNS: sweetbeside.net Type: A ➝ 95.211.230.75
DNS: doctoropinion.net Type: A ➝ 128.199.249.48
HTTP GET: http://perhapsdifferent.net/index.php
User-Agent:
HTTP GET: http://sweetsurprise.net/index.php
User-Agent:
HTTP GET: http://sweetbeside.net/index.php
User-Agent:
HTTP GET: http://doctoropinion.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 195.22.26.252:80
Flows TCP: 192.168.1.1:1032 ➝ 50.63.202.104:80
Flows TCP: 192.168.1.1:1033 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1034 ➝ 128.199.249.48:80

Raw Pcap
Strings