Analysis Date: 2016-02-08 17:28:36
MD5: cb8df2f9a09b5998587f90019cbdf025
SHA1: 810580628f5052b927d4c6d3006cf885e679cd10

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: b488afd2cc042c23a40eb69c7f0184e6 sha1: a617e237ba56e8b3e033907b0c2818a48f1af7bf size: 901632
Section .rdata: md5: ee72d601b94371f4ea5f24267f07eb8f sha1: f58c0813f0ca9f5f5faa055ed9ce9a349f8d62ba size: 348160
Section .data: md5: c16ce7207d354576d354a75a3f44aeea sha1: c779a97368dd02157bbf1868a617f6595458dc07 size: 7168
Section .reloc: md5: f6fa95a6cec29d4775880ae97a0497f9 sha1: 0e5535c508fb39b46c29b8adafdedd6f3cae124e size: 120832
Timestamp: 2015-12-15 15:54:25
Packer: VC8 -> Microsoft Corporation
PEhash: 1fbea5bce14b0f23d6c64d247f7b8762db4839e3
IMPhash: 91a9875e32f6db45a3abf89d90cd8d92
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: Trojan-FHOH!CB8DF2F9A09B
AV Avira (antivir): TR/Crypt.Xpack.444512
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Kazy.788788
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): Win32/Bayrob.AG
AV Grisoft (avg): No Virus
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.AQ!tr
AV BitDefender: Gen:Variant.Kazy.788788
AV K7: Trojan ( 004da8bd1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DJ
AV MicroWorld (escan): Gen:Variant.Kazy.788788
AV MalwareBytes: No Virus
AV Authentium: No Virus
AV Emsisoft: Gen:Variant.Kazy.788788
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Gen:Variant.Kazy.788788
AV Arcabit (arcavir): Gen:Variant.Kazy.788788
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Kazy.788788

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\rktpevssimpjntfkvf8xzljyz.exe
Creates File: C:\WINDOWS\system32\timieqyxyhfzww\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\rktpevssimpjntfkvf8xzljyz.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\rktpevssimpjntfkvf8xzljyz.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Reports Video Web Removal Alerts ➝ C:\WINDOWS\system32\haorsnugu.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\haorsnugu.exe
Creates File: C:\WINDOWS\system32\timieqyxyhfzww\tst
Creates File: C:\WINDOWS\system32\timieqyxyhfzww\lck
Creates Process: C:\WINDOWS\system32\haorsnugu.exe
Creates Service: Builder Function Net.Tcp Brightness DNS Controls - C:\WINDOWS\system32\haorsnugu.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1116

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ Pid 1192

Process
↳ C:\WINDOWS\system32\haorsnugu.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\timieqyxyhfzww\tst
Creates File: C:\WINDOWS\system32\timieqyxyhfzww\rng
Creates File: C:\WINDOWS\system32\plktyfollf.exe
Creates File: C:\WINDOWS\system32\timieqyxyhfzww\cfg
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\TEMP\rktpevs8wwz7ltfkv.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\timieqyxyhfzww\lck
Creates File: C:\WINDOWS\system32\timieqyxyhfzww\run
Creates Process: WATCHDOGPROC "c:\windows\system32\haorsnugu.exe"
Creates Process: C:\WINDOWS\TEMP\rktpevs8wwz7ltfkv.exe -r 33878 tcp

Process
↳ C:\WINDOWS\system32\haorsnugu.exe

Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\timieqyxyhfzww\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\haorsnugu.exe"

Creates File: C:\WINDOWS\system32\timieqyxyhfzww\tst

Process
↳ C:\WINDOWS\TEMP\rktpevs8wwz7ltfkv.exe -r 33878 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: journeymeasure.net (Type: A) ➝ 50.87.249.65
DNS: riddenstorm.net (Type: A) ➝ 66.147.240.171
DNS: effortbuilt.net (Type: A) ➝ 198.27.70.45
DNS: thosewhile.net (Type: A) ➝ 198.27.70.45
DNS: stickcount.net (Type: A) ➝ 208.100.26.234
DNS: lifecount.net (Type: A) ➝ 50.63.202.59
DNS: longhope.net (Type: A) ➝ 192.254.233.60
DNS: wheelhope.net (Type: A) ➝ 50.63.202.61
DNS: lifehope.net (Type: A) ➝ 208.91.197.26
DNS: lifeleft.net (Type: A) ➝ 103.238.225.206
DNS: orderthrown.net (Type: A)
DNS: decidepromise.net (Type: A)
DNS: seasonstrong.net (Type: A)
DNS: simonettedwerryhouse.net (Type: A)
DNS: morningduring.net (Type: A)
DNS: chiefanother.net (Type: A)
DNS: gwendolynhuddleston.net (Type: A)
DNS: oftensurprise.net (Type: A)
DNS: wheelfell.net (Type: A)
DNS: saidfell.net (Type: A)
DNS: wheelcount.net (Type: A)
DNS: saidcount.net (Type: A)
DNS: stickcompe.net (Type: A)
DNS: ballcompe.net (Type: A)
DNS: stickhour.net (Type: A)
DNS: ballhour.net (Type: A)
DNS: stickfell.net (Type: A)
DNS: ballfell.net (Type: A)
DNS: ballcount.net (Type: A)
DNS: enemycompe.net (Type: A)
DNS: lifecompe.net (Type: A)
DNS: enemyhour.net (Type: A)
DNS: lifehour.net (Type: A)
DNS: enemyfell.net (Type: A)
DNS: lifefell.net (Type: A)
DNS: enemycount.net (Type: A)
DNS: mouthcompe.net (Type: A)
DNS: tillcompe.net (Type: A)
DNS: mouthhour.net (Type: A)
DNS: tillhour.net (Type: A)
DNS: mouthfell.net (Type: A)
DNS: tillfell.net (Type: A)
DNS: mouthcount.net (Type: A)
DNS: tillcount.net (Type: A)
DNS: shallcompe.net (Type: A)
DNS: deepcompe.net (Type: A)
DNS: shallhour.net (Type: A)
DNS: deephour.net (Type: A)
DNS: shallfell.net (Type: A)
DNS: deepfell.net (Type: A)
DNS: shallcount.net (Type: A)
DNS: deepcount.net (Type: A)
DNS: pushcompe.net (Type: A)
DNS: fridaycompe.net (Type: A)
DNS: pushhour.net (Type: A)
DNS: fridayhour.net (Type: A)
DNS: pushfell.net (Type: A)
DNS: fridayfell.net (Type: A)
DNS: pushcount.net (Type: A)
DNS: fridaycount.net (Type: A)
DNS: alongcompe.net (Type: A)
DNS: decembercompe.net (Type: A)
DNS: alonghour.net (Type: A)
DNS: decemberhour.net (Type: A)
DNS: alongfell.net (Type: A)
DNS: decemberfell.net (Type: A)
DNS: alongcount.net (Type: A)
DNS: decembercount.net (Type: A)
DNS: soilhope.net (Type: A)
DNS: longleft.net (Type: A)
DNS: soilleft.net (Type: A)
DNS: longthirteen.net (Type: A)
DNS: soilthirteen.net (Type: A)
DNS: longhurry.net (Type: A)
DNS: soilhurry.net (Type: A)
DNS: saidhope.net (Type: A)
DNS: wheelleft.net (Type: A)
DNS: saidleft.net (Type: A)
DNS: wheelthirteen.net (Type: A)
DNS: saidthirteen.net (Type: A)
DNS: wheelhurry.net (Type: A)
DNS: saidhurry.net (Type: A)
DNS: stickhope.net (Type: A)
DNS: ballhope.net (Type: A)
DNS: stickleft.net (Type: A)
DNS: ballleft.net (Type: A)
DNS: stickthirteen.net (Type: A)
DNS: ballthirteen.net (Type: A)
DNS: stickhurry.net (Type: A)
DNS: ballhurry.net (Type: A)
DNS: enemyhope.net (Type: A)
DNS: enemyleft.net (Type: A)
DNS: enemythirteen.net (Type: A)
DNS: lifethirteen.net (Type: A)
DNS: enemyhurry.net (Type: A)
DNS: lifehurry.net (Type: A)
DNS: mouthhope.net (Type: A)
HTTP GET: http://journeymeasure.net/index.php (User-Agent: blank)
HTTP GET: http://riddenstorm.net/index.php (User-Agent: blank)
HTTP GET: http://effortbuilt.net/index.php (User-Agent: blank)
HTTP GET: http://thosewhile.net/index.php (User-Agent: blank)
HTTP GET: http://stickcount.net/index.php (User-Agent: blank)
HTTP GET: http://lifecount.net/index.php (User-Agent: blank)
HTTP GET: http://longhope.net/index.php (User-Agent: blank)
HTTP GET: http://wheelhope.net/index.php (User-Agent: blank)
HTTP GET: http://lifehope.net/index.php (User-Agent: blank)
HTTP GET: http://lifeleft.net/index.php (User-Agent: blank)
HTTP GET: http://journeymeasure.net/index.php (User-Agent: blank)
Flows TCP: 192.168.1.1:1031 ➝ 50.87.249.65:80
Flows TCP: 192.168.1.1:1038 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1039 ➝ 198.27.70.45:80
Flows TCP: 192.168.1.1:1040 ➝ 198.27.70.45:80
Flows TCP: 192.168.1.1:1041 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1042 ➝ 50.63.202.59:80
Flows TCP: 192.168.1.1:1043 ➝ 192.254.233.60:80
Flows TCP: 192.168.1.1:1044 ➝ 50.63.202.61:80
Flows TCP: 192.168.1.1:1045 ➝ 208.91.197.26:80
Flows TCP: 192.168.1.1:1046 ➝ 103.238.225.206:80
Flows TCP: 192.168.1.1:1047 ➝ 50.87.249.65:80
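Reading the runtime and network sections together: the sample writes a randomly named copy to the user's Temp folder, which installs C:\WINDOWS\system32\haorsnugu.exe and registers it twice, under the HKLM ...\CurrentVersion\Run value "Reports Video Web Removal Alerts" and as the service "Builder Function Net.Tcp Brightness DNS Controls"; the installed binary relaunches itself under a WATCHDOGPROC command line, sets Security Center's FirewallDisableNotify to 1, and then queries a long list of two-word .net domains of which only ten resolve, fetching /index.php from each resolved host with a blank User-Agent. The Python script below is an added example, not part of this report or of the sandbox's tooling: it parses report lines in the "Label: value" form used above into indicators and behavioural findings, then matches constructed Sysmon-style process-creation and DNS log lines against them. The report excerpt, the log lines and the finding labels are constructed for the example; the arrow separator is accepted as either the page's "➝" or ASCII "->".

```python
"""Turn sandbox-report lines into indicators and match them against logs.

Added example: parses report lines in the "Label: value" form used on this
page, pulls out host and network indicators plus the persistence and tamper
findings a responder cares about, and checks constructed log lines against them.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the report above (label and value joined by ": ",
# registry data / DNS answers after the arrow). Not the sandbox's raw output.
REPORT = r"""
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Reports Video Web Removal Alerts ➝ C:\WINDOWS\system32\haorsnugu.exe
Creates File: C:\WINDOWS\system32\haorsnugu.exe
Creates File: C:\WINDOWS\system32\timieqyxyhfzww\lck
Creates Service: Builder Function Net.Tcp Brightness DNS Controls - C:\WINDOWS\system32\haorsnugu.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates Process: WATCHDOGPROC "c:\windows\system32\haorsnugu.exe"
Creates Process: C:\WINDOWS\TEMP\rktpevs8wwz7ltfkv.exe -r 33878 tcp
DNS: journeymeasure.net (Type: A) ➝ 50.87.249.65
DNS: riddenstorm.net (Type: A) ➝ 66.147.240.171
DNS: orderthrown.net (Type: A)
HTTP GET: http://journeymeasure.net/index.php (User-Agent: blank)
Flows TCP: 192.168.1.1:1031 ➝ 50.87.249.65:80
"""

LINE_RE = re.compile(r"^(?P<label>[A-Za-z ]+?): (?P<value>.+)$")
ARROW_RE = re.compile(r"\s(?:➝|->)\s")            # page arrow or ASCII arrow
EXE_RE = re.compile(r'[a-z]:\\[^"\s]+?\.exe', re.IGNORECASE)


@dataclass
class Indicators:
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    exes: set = field(default_factory=set)         # lower-cased full paths
    findings: list = field(default_factory=list)   # human-readable, in report order


def parse_report(text):
    """Extract indicators and behavioural findings from report text."""
    ind = Indicators()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        label, value = m.group("label"), m.group("value")
        parts = ARROW_RE.split(value)
        if label == "DNS":
            ind.domains.add(parts[0].split(" ")[0].lower())
            if len(parts) > 1:                      # query got an answer
                ind.ips.add(parts[1].strip())
        elif label == "Flows TCP" and len(parts) > 1:
            ind.ips.add(parts[1].rsplit(":", 1)[0])  # drop the port
        elif label == "HTTP GET":
            ind.urls.add(value.split(" (")[0])
        elif label == "Registry" and len(parts) > 1:
            key, data = parts[0], parts[1]
            if "\\currentversion\\run\\" in key.lower():
                name = key.rsplit("\\", 1)[1]
                ind.findings.append(f"Run-key persistence: {name} -> {data}")
            elif key.lower().endswith("\\firewalldisablenotify") and data == "1":
                ind.findings.append("Security Center tamper: FirewallDisableNotify=1")
        elif label == "Creates Service":
            ind.findings.append(f"Service persistence: {value}")
        elif label == "Creates Process" and value.startswith("WATCHDOGPROC"):
            ind.findings.append(f"Watchdog relaunch: {value}")
        for exe in EXE_RE.findall(value):           # any binary path on the line
            ind.exes.add(exe.lower())
    return ind


# Constructed log lines to check against the indicators; not from the page.
HOST_LOG = [
    r"ProcessCreate Image=C:\Windows\System32\haorsnugu.exe Parent=C:\Windows\System32\services.exe",
    r"ProcessCreate Image=C:\Windows\System32\notepad.exe Parent=C:\Windows\explorer.exe",
]
DNS_LOG = [
    "10.0.0.5 query A journeymeasure.net",
    "10.0.0.5 query A orderthrown.net",
    "10.0.0.7 query A example.com",
]


def match_logs(ind, host_log, dns_log):
    """Return (source, line) pairs for log lines that hit an indicator."""
    hits = []
    for line in host_log:
        if any(exe.lower() in ind.exes for exe in EXE_RE.findall(line)):
            hits.append(("host", line))
    for line in dns_log:
        if line.rsplit(" ", 1)[-1].lower() in ind.domains:
            hits.append(("dns", line))
    return hits


if __name__ == "__main__":
    indicators = parse_report(REPORT)
    for finding in indicators.findings:
        print("finding:", finding)
    for source, line in match_logs(indicators, HOST_LOG, DNS_LOG):
        print(f"hit[{source}]: {line}")
```

Paths are compared case-insensitively because Windows paths are, and the report itself mixes "C:\WINDOWS\system32" with "c:\windows\system32". Domains that were queried but never answered are still collected: on the page far more names are queried than resolve, and a query for any of them is a signal in its own right.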
