Analysis Date: 2015-12-01 21:50:40
MD5: 7b762a6b1b9cf77a42fc61f90ccfa715
SHA1: 86dd79a918b7f5dea9faa645a520afa65378f0c0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: b50edfb3b76eef7d3e4ee30a6f07d09e sha1: 89795dbc51574533583d0ab82f39c3461daec43a size: 1156608
Section .rdata md5: 25d3c19a5dc8d4e3052504d822cf87a7 sha1: 5dd5f1f5813a430f26d32c9d0d09e96e7ec60d53 size: 325120
Section .data  md5: 363099deb404b726559da12308d56f35 sha1: da402698f0c66869294d541a95708e3e514bf6bd size: 11264
Section .reloc md5: a157ab8ef8d5325a50097162ba69c638 sha1: e7a9de02a9478e9207c846bc0b23f715716f26aa size: 80384
Timestamp: 2015-04-30 20:52:16
Packer: Microsoft Visual C++ 8
PEhash: 069977a41d6a4b9f538248350342b0b33fb362c1
IMPhash: d344a4f7d2fee059fce5e567fbf6d7ff
AV Kaspersky: Trojan.Win32.Generic
AV MicroWorld (escan): Gen:Variant.Kazy.606112
AV Grisoft (avg): Win32/Cryptor
AV Mcafee: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.606112
AV Ikarus: Trojan.Win32.Bayrob
AV K7: Trojan ( 004c77f41 )
AV MalwareBytes: no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.CH
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV Fortinet: W32/Bayrob.R!tr
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV Ad-Aware: Gen:Variant.Kazy.606112
AV Emsisoft: Gen:Variant.Kazy.606112
AV Avira (antivir): TR/Crypt.ZPACK.206389
AV Eset (nod32): Win32/Bayrob.R
AV Arcabit (arcavir): Gen:Variant.Kazy.606112
AV BitDefender: Gen:Variant.Kazy.606112
AV BullGuard: Gen:Variant.Kazy.606112
AV Alwil (avast): Dropper-OJG [Drp]
AV Authentium: no_virus
AV CA (E-Trust Ino): no_virus
AV Padvish: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\f2ktyhq1ku0detzxsqzscs.exe
Creates File: C:\WINDOWS\system32\uppmwhykjx\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\f2ktyhq1ku0detzxsqzscs.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\f2ktyhq1ku0detzxsqzscs.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Extender Initiator Software ➝ C:\WINDOWS\system32\kgugfjawoq.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\uppmwhykjx\etc
Creates File: C:\WINDOWS\system32\uppmwhykjx\tst
Creates File: C:\WINDOWS\system32\kgugfjawoq.exe
Creates File: C:\WINDOWS\system32\uppmwhykjx\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\kgugfjawoq.exe
Creates Service: Manager Topology Client Certificate Routing - C:\WINDOWS\system32\kgugfjawoq.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1136

Process
↳ C:\WINDOWS\system32\kgugfjawoq.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\vdhuczm.exe
Creates File: C:\WINDOWS\system32\uppmwhykjx\run
Creates File: C:\WINDOWS\system32\uppmwhykjx\cfg
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\uppmwhykjx\tst
Creates File: C:\WINDOWS\system32\uppmwhykjx\rng
Creates File: C:\WINDOWS\TEMP\f2ktyhq1r08detz.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\uppmwhykjx\lck
Creates Process: C:\WINDOWS\TEMP\f2ktyhq1r08detz.exe -r 30427 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\kgugfjawoq.exe"

Process
↳ C:\WINDOWS\system32\kgugfjawoq.exe

Creates File: C:\WINDOWS\system32\uppmwhykjx\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\kgugfjawoq.exe"

Creates File: C:\WINDOWS\system32\uppmwhykjx\tst

Process
↳ C:\WINDOWS\TEMP\f2ktyhq1r08detz.exe -r 30427 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: ableread.net (Type: A) ➝ 208.91.197.241
DNS: maybellinecherokee.net (Type: A)
DNS: alexandrinacalleigh.net (Type: A)
DNS: recordtrust.net (Type: A)
DNS: electricseparate.net (Type: A)
DNS: flierdress.net (Type: A)
DNS: oftenbranch.net (Type: A)
DNS: thicklaughter.net (Type: A)
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=049&sox=4f457201&lenhdr
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.241:80
