Analysis Date: 2015-11-18 00:17:23
MD5: 06ccc654e5ef6a2ec2eaa0c27295bb74
SHA1: 84d36c90a7839b5afc33583cdf661ecd7a35d077

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: ed6df44457bdc6c7680af7bed6b74b9e sha1: 160a297603d220e4f83e84f96218b9a224dbcdf5 size: 1204224
Section .rdata: md5: 5fb46ef4d60785e1b62e0cd005f809e9 sha1: 6cd84795a6132d0072bc184f104e580b2390be21 size: 322560
Section .data: md5: 891e6821eb54b6a103b8fb2821327d98 sha1: dff5cd107a8a138240bf3144166518bf5e300be0 size: 8192
Section .reloc: md5: 0afbd57026205211b8e4970e4a4b2121 sha1: 98f692ca6ff134f072995b17d64fd9cbc0b7436f size: 154112
Timestamp: 2015-05-11 04:54:21
Packer: VC8 -> Microsoft Corporation
PEhash: 7c625efd9d1d996a5c54effd82e68beab6b27055
IMPhash: 1e13cb88e56d0518374ed1ae3df7df34
AV F-Secure: no_virus
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV MalwareBytes: no_virus
AV Dr. Web: Trojan.Bayrob.5
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Y
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV Ad-Aware: no_virus
AV BitDefender: no_virus
AV Avira (antivir): TR/Crypt.Xpack.315710
AV Alwil (avast): Dropper-OJQ [Drp]
AV Fortinet: W32/Bayrob.X!tr
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV Ikarus: Trojan.Win32.Bayrob
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): no_virus
AV Mcafee: Trojan-FGIJ!06CCC654E5EF
AV Twister: no_virus
AV Symantec: Downloader.Upatre!g15
AV K7: Trojan ( 004c77f41 )
AV Rising: no_virus
AV Frisk (f-prot): no_virus
AV Emsisoft: no_virus
AV Zillya!: Backdoor.SoxGrave.Win32.549
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ebqfj3h1jwlppmjlksgkw.exe
Creates File: C:\WINDOWS\system32\uppmwhykjx\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\ebqfj3h1jwlppmjlksgkw.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\ebqfj3h1jwlppmjlksgkw.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Extender Initiator Software ➝ C:\WINDOWS\system32\kgugfjawoq.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\uppmwhykjx\etc
Creates File: C:\WINDOWS\system32\uppmwhykjx\tst
Creates File: C:\WINDOWS\system32\kgugfjawoq.exe
Creates File: C:\WINDOWS\system32\uppmwhykjx\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\kgugfjawoq.exe
Creates Service: Manager Topology Client Certificate Routing - C:\WINDOWS\system32\kgugfjawoq.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1880

Process
↳ Pid 1180

Process
↳ C:\WINDOWS\system32\kgugfjawoq.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\vdhuczm.exe
Creates File: C:\WINDOWS\system32\uppmwhykjx\run
Creates File: C:\WINDOWS\system32\uppmwhykjx\cfg
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\uppmwhykjx\tst
Creates File: C:\WINDOWS\system32\uppmwhykjx\rng
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\ebqfj3h1ra7pp.exe
Creates File: C:\WINDOWS\system32\uppmwhykjx\lck
Creates Process: C:\WINDOWS\TEMP\ebqfj3h1ra7pp.exe -r 22436 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\kgugfjawoq.exe"

Process
↳ C:\WINDOWS\system32\kgugfjawoq.exe

Creates File: C:\WINDOWS\system32\uppmwhykjx\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\kgugfjawoq.exe"

Creates File: C:\WINDOWS\system32\uppmwhykjx\tst

Process
↳ C:\WINDOWS\TEMP\ebqfj3h1ra7pp.exe -r 22436 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

