Analysis Date: 2016-02-13 21:41:13
MD5: 8b7ce9265564ade7a2b676d1c02fb98f
SHA1: 88b8db85e4efd12b6a69b8f2a81ea004cda55141

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 430ca566a9e8c11dc98662e2eccc9244 sha1: 1877988b0524b4bd81a097bd8951b8eb6714c5e3 size: 303616
Section .rdata md5: 7eb2d98749ab81ee9d59356372d694bc sha1: 244505dfe668e8e5f5ead0a774bb7bbbb659626f size: 26112
Section .data md5: 207b88878baa6d3cf70a0c3548507b5d sha1: 3a5650c53858baf4cad3ed54a1cd9a0378c4e852 size: 19968
Section .reloc md5: 8e244f246faff9929b0bd44b82767834 sha1: 29f6fbccbcc3b0ae2156301a5439ae52faf88bac size: 32768
Timestamp: 2014-11-08 16:21:16
Packer: Microsoft Visual C++ 8
PEhash: 984558a9702e1ff43b9ae81cef54f503f28935fe
IMPhash: 0b590ba7fd6e54f8669217b82bbd5681
AV CA (E-Trust Ino): Gen:Variant.Razy.15381
AV F-Secure: Gen:Variant.Razy.15381
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Razy.15381
AV BullGuard: Gen:Variant.Razy.15381
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Swizzor.e
AV Zillya!: Trojan.SwizzorGen.Win32.1
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Frisk (f-prot): W32/Nivdort.I.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.15381
AV Authentium: W32/Nivdort.I.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Razy.15381
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV K7: Trojan ( 004dc2a31 )
AV BitDefender: Gen:Variant.Razy.15381
AV Fortinet: W32/Bayrob.BJ!tr
AV Symantec: No Virus
AV Grisoft (avg): Generic37.AMHN
AV Eset (nod32): Win32/Bayrob.BJ
AV Alwil (avast): Win32:Malware-gen
AV Rising: No Virus
AV Ad-Aware: Gen:Variant.Razy.15381
AV Twister: No Virus
AV Avira (antivir): TR/Taranis.2080
AV Mcafee: Trojan-FHSQ!8B7CE9265564

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\jdgqpvxyfc\gabk1lytloqlrjq0lqydh.exe
Creates File: C:\WINDOWS\jdgqpvxyfc\zbhev27zfd
Creates File: C:\jdgqpvxyfc\zbhev27zfd
Deletes File: C:\WINDOWS\jdgqpvxyfc\zbhev27zfd
Creates Process: C:\jdgqpvxyfc\gabk1lytloqlrjq0lqydh.exe

Process
↳ C:\jdgqpvxyfc\gabk1lytloqlrjq0lqydh.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Hardware AutoConfig Device Accounts ➝ C:\jdgqpvxyfc\sfkmnqzyvyt.exe
Creates File: C:\WINDOWS\jdgqpvxyfc\zbhev27zfd
Creates File: C:\jdgqpvxyfc\sfkmnqzyvyt.exe
Creates File: PIPE\lsarpc
Creates File: C:\jdgqpvxyfc\zbhev27zfd
Creates File: C:\jdgqpvxyfc\t3hnqwnewnsg
Deletes File: C:\WINDOWS\jdgqpvxyfc\zbhev27zfd
Creates Process: C:\jdgqpvxyfc\sfkmnqzyvyt.exe

Process
↳ C:\jdgqpvxyfc\sfkmnqzyvyt.exe

Creates File: C:\WINDOWS\jdgqpvxyfc\zbhev27zfd
Creates File: C:\jdgqpvxyfc\ccmicigymr.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\jdgqpvxyfc\zbhev27zfd
Creates File: C:\jdgqpvxyfc\bgysvjw0fc
Creates File: C:\jdgqpvxyfc\t3hnqwnewnsg
Deletes File: C:\jdgqpvxyfc\gabk1lytloqlrjq0lqydh.exe
Deletes File: C:\WINDOWS\jdgqpvxyfc\zbhev27zfd
Creates Process: cvwjew2wmcfm "c:\jdgqpvxyfc\sfkmnqzyvyt.exe"

Process
↳ cvwjew2wmcfm "c:\jdgqpvxyfc\sfkmnqzyvyt.exe"

Creates File: C:\WINDOWS\jdgqpvxyfc\zbhev27zfd
Creates File: C:\jdgqpvxyfc\zbhev27zfd
Deletes File: C:\WINDOWS\jdgqpvxyfc\zbhev27zfd

Network Details:

DNS doctoropinion.net (A) ➝ 103.48.83.103
DNS brokenpromise.net (A) ➝ 69.172.201.208
DNS preparepromise.net (A) ➝ 208.100.26.234
DNS outsidesupply.net (A) ➝ 98.124.243.47
DNS outsideoffice.net (A) ➝ 104.24.16.64
DNS outsideoffice.net (A) ➝ 104.24.17.64
DNS buildingsupply.net (A) ➝ 67.212.232.207
DNS buildingoffice.net (A) ➝ 46.20.7.163
DNS storesupply.net (A) ➝ 69.172.201.208
DNS doctorsupply.net (A) ➝ 184.168.221.96
DNS doctoroffice.net (A) ➝ 69.172.201.208
DNS stillsupply.net (A) ➝ 50.63.202.15
DNS prettystrong.net (A) ➝ 50.62.236.1
DNS sweetletter.net (A) ➝ (no address recorded)
DNS probablyletter.net (A) ➝ (no address recorded)
DNS sweetdifferent.net (A) ➝ (no address recorded)
DNS probablydifferent.net (A) ➝ (no address recorded)
DNS severalsurprise.net (A) ➝ (no address recorded)
DNS materialsurprise.net (A) ➝ (no address recorded)
DNS severalbeside.net (A) ➝ (no address recorded)
DNS materialbeside.net (A) ➝ (no address recorded)
DNS severalletter.net (A) ➝ (no address recorded)
DNS materialletter.net (A) ➝ (no address recorded)
DNS severaldifferent.net (A) ➝ (no address recorded)
DNS materialdifferent.net (A) ➝ (no address recorded)
DNS movementshould.net (A) ➝ (no address recorded)
DNS outsideshould.net (A) ➝ (no address recorded)
DNS movementshort.net (A) ➝ (no address recorded)
DNS outsideshort.net (A) ➝ (no address recorded)
DNS movementopinion.net (A) ➝ (no address recorded)
DNS outsideopinion.net (A) ➝ (no address recorded)
DNS movementpromise.net (A) ➝ (no address recorded)
DNS outsidepromise.net (A) ➝ (no address recorded)
DNS buildingshould.net (A) ➝ (no address recorded)
DNS eveningshould.net (A) ➝ (no address recorded)
DNS buildingshort.net (A) ➝ (no address recorded)
DNS eveningshort.net (A) ➝ (no address recorded)
DNS buildingopinion.net (A) ➝ (no address recorded)
DNS eveningopinion.net (A) ➝ (no address recorded)
DNS buildingpromise.net (A) ➝ (no address recorded)
DNS eveningpromise.net (A) ➝ (no address recorded)
DNS storeshould.net (A) ➝ (no address recorded)
DNS mightshould.net (A) ➝ (no address recorded)
DNS storeshort.net (A) ➝ (no address recorded)
DNS mightshort.net (A) ➝ (no address recorded)
DNS storeopinion.net (A) ➝ (no address recorded)
DNS mightopinion.net (A) ➝ (no address recorded)
DNS storepromise.net (A) ➝ (no address recorded)
DNS mightpromise.net (A) ➝ (no address recorded)
DNS doctorshould.net (A) ➝ (no address recorded)
DNS prettyshould.net (A) ➝ (no address recorded)
DNS doctorshort.net (A) ➝ (no address recorded)
DNS prettyshort.net (A) ➝ (no address recorded)
DNS prettyopinion.net (A) ➝ (no address recorded)
DNS doctorpromise.net (A) ➝ (no address recorded)
DNS prettypromise.net (A) ➝ (no address recorded)
DNS fellowshould.net (A) ➝ (no address recorded)
DNS doubleshould.net (A) ➝ (no address recorded)
DNS fellowshort.net (A) ➝ (no address recorded)
DNS doubleshort.net (A) ➝ (no address recorded)
DNS fellowopinion.net (A) ➝ (no address recorded)
DNS doubleopinion.net (A) ➝ (no address recorded)
DNS fellowpromise.net (A) ➝ (no address recorded)
DNS doublepromise.net (A) ➝ (no address recorded)
DNS brokenshould.net (A) ➝ (no address recorded)
DNS resultshould.net (A) ➝ (no address recorded)
DNS brokenshort.net (A) ➝ (no address recorded)
DNS resultshort.net (A) ➝ (no address recorded)
DNS brokenopinion.net (A) ➝ (no address recorded)
DNS resultopinion.net (A) ➝ (no address recorded)
DNS resultpromise.net (A) ➝ (no address recorded)
DNS prepareshould.net (A) ➝ (no address recorded)
DNS desireshould.net (A) ➝ (no address recorded)
DNS prepareshort.net (A) ➝ (no address recorded)
DNS desireshort.net (A) ➝ (no address recorded)
DNS prepareopinion.net (A) ➝ (no address recorded)
DNS desireopinion.net (A) ➝ (no address recorded)
DNS desirepromise.net (A) ➝ (no address recorded)
DNS strengthshould.net (A) ➝ (no address recorded)
DNS stillshould.net (A) ➝ (no address recorded)
DNS strengthshort.net (A) ➝ (no address recorded)
DNS stillshort.net (A) ➝ (no address recorded)
DNS strengthopinion.net (A) ➝ (no address recorded)
DNS stillopinion.net (A) ➝ (no address recorded)
DNS strengthpromise.net (A) ➝ (no address recorded)
DNS stillpromise.net (A) ➝ (no address recorded)
DNS movementsupply.net (A) ➝ (no address recorded)
DNS movementdistance.net (A) ➝ (no address recorded)
DNS outsidedistance.net (A) ➝ (no address recorded)
DNS movementoffice.net (A) ➝ (no address recorded)
DNS movementarrive.net (A) ➝ (no address recorded)
DNS outsidearrive.net (A) ➝ (no address recorded)
DNS eveningsupply.net (A) ➝ (no address recorded)
DNS buildingdistance.net (A) ➝ (no address recorded)
DNS eveningdistance.net (A) ➝ (no address recorded)
DNS eveningoffice.net (A) ➝ (no address recorded)
DNS buildingarrive.net (A) ➝ (no address recorded)
DNS eveningarrive.net (A) ➝ (no address recorded)
DNS mightsupply.net (A) ➝ (no address recorded)
DNS storedistance.net (A) ➝ (no address recorded)
DNS mightdistance.net (A) ➝ (no address recorded)
DNS storeoffice.net (A) ➝ (no address recorded)
DNS mightoffice.net (A) ➝ (no address recorded)
DNS storearrive.net (A) ➝ (no address recorded)
DNS mightarrive.net (A) ➝ (no address recorded)
DNS prettysupply.net (A) ➝ (no address recorded)
DNS doctordistance.net (A) ➝ (no address recorded)
DNS prettydistance.net (A) ➝ (no address recorded)
DNS prettyoffice.net (A) ➝ (no address recorded)
DNS doctorarrive.net (A) ➝ (no address recorded)
DNS prettyarrive.net (A) ➝ (no address recorded)
DNS fellowsupply.net (A) ➝ (no address recorded)
DNS doublesupply.net (A) ➝ (no address recorded)
DNS fellowdistance.net (A) ➝ (no address recorded)
DNS doubledistance.net (A) ➝ (no address recorded)
DNS fellowoffice.net (A) ➝ (no address recorded)
DNS doubleoffice.net (A) ➝ (no address recorded)
DNS fellowarrive.net (A) ➝ (no address recorded)
DNS doublearrive.net (A) ➝ (no address recorded)
DNS brokensupply.net (A) ➝ (no address recorded)
DNS resultsupply.net (A) ➝ (no address recorded)
DNS brokendistance.net (A) ➝ (no address recorded)
DNS resultdistance.net (A) ➝ (no address recorded)
DNS brokenoffice.net (A) ➝ (no address recorded)
DNS resultoffice.net (A) ➝ (no address recorded)
DNS brokenarrive.net (A) ➝ (no address recorded)
DNS resultarrive.net (A) ➝ (no address recorded)
DNS preparesupply.net (A) ➝ (no address recorded)
DNS desiresupply.net (A) ➝ (no address recorded)
DNS preparedistance.net (A) ➝ (no address recorded)
DNS desiredistance.net (A) ➝ (no address recorded)
DNS prepareoffice.net (A) ➝ (no address recorded)
DNS desireoffice.net (A) ➝ (no address recorded)
DNS preparearrive.net (A) ➝ (no address recorded)
DNS desirearrive.net (A) ➝ (no address recorded)
DNS strengthsupply.net (A) ➝ (no address recorded)
DNS strengthdistance.net (A) ➝ (no address recorded)
DNS stilldistance.net (A) ➝ (no address recorded)
DNS strengthoffice.net (A) ➝ (no address recorded)
DNS stilloffice.net (A) ➝ (no address recorded)
DNS strengtharrive.net (A) ➝ (no address recorded)
DNS stillarrive.net (A) ➝ (no address recorded)
DNS movementstrong.net (A) ➝ (no address recorded)
DNS outsidestrong.net (A) ➝ (no address recorded)
DNS movementtrouble.net (A) ➝ (no address recorded)
DNS outsidetrouble.net (A) ➝ (no address recorded)
DNS movementpresident.net (A) ➝ (no address recorded)
DNS outsidepresident.net (A) ➝ (no address recorded)
DNS movementcaught.net (A) ➝ (no address recorded)
DNS outsidecaught.net (A) ➝ (no address recorded)
DNS buildingstrong.net (A) ➝ (no address recorded)
DNS eveningstrong.net (A) ➝ (no address recorded)
DNS buildingtrouble.net (A) ➝ (no address recorded)
DNS eveningtrouble.net (A) ➝ (no address recorded)
DNS buildingpresident.net (A) ➝ (no address recorded)
DNS eveningpresident.net (A) ➝ (no address recorded)
DNS buildingcaught.net (A) ➝ (no address recorded)
DNS eveningcaught.net (A) ➝ (no address recorded)
DNS storestrong.net (A) ➝ (no address recorded)
DNS mightstrong.net (A) ➝ (no address recorded)
DNS storetrouble.net (A) ➝ (no address recorded)
DNS mighttrouble.net (A) ➝ (no address recorded)
DNS storepresident.net (A) ➝ (no address recorded)
DNS mightpresident.net (A) ➝ (no address recorded)
DNS storecaught.net (A) ➝ (no address recorded)
DNS mightcaught.net (A) ➝ (no address recorded)
DNS doctorstrong.net (A) ➝ (no address recorded)
DNS doctortrouble.net (A) ➝ (no address recorded)
DNS prettytrouble.net (A) ➝ (no address recorded)
DNS doctorpresident.net (A) ➝ (no address recorded)
DNS prettypresident.net (A) ➝ (no address recorded)
HTTP GET: http://doctoropinion.net/index.php
User-Agent:
HTTP GET: http://brokenpromise.net/index.php
User-Agent:
HTTP GET: http://preparepromise.net/index.php
User-Agent:
HTTP GET: http://outsidesupply.net/index.php
User-Agent:
HTTP GET: http://outsideoffice.net/index.php
User-Agent:
HTTP GET: http://buildingsupply.net/index.php
User-Agent:
HTTP GET: http://buildingoffice.net/index.php
User-Agent:
HTTP GET: http://storesupply.net/index.php
User-Agent:
HTTP GET: http://doctorsupply.net/index.php
User-Agent:
HTTP GET: http://doctoroffice.net/index.php
User-Agent:
HTTP GET: http://stillsupply.net/index.php
User-Agent:
HTTP GET: http://prettystrong.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 103.48.83.103:80
Flows TCP: 192.168.1.1:1032 ➝ 69.172.201.208:80
Flows TCP: 192.168.1.1:1033 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1034 ➝ 98.124.243.47:80
Flows TCP: 192.168.1.1:1035 ➝ 104.24.16.64:80
Flows TCP: 192.168.1.1:1036 ➝ 67.212.232.207:80
Flows TCP: 192.168.1.1:1037 ➝ 46.20.7.163:80
Flows TCP: 192.168.1.1:1038 ➝ 69.172.201.208:80
Flows TCP: 192.168.1.1:1039 ➝ 184.168.221.96:80
Flows TCP: 192.168.1.1:1040 ➝ 69.172.201.208:80
Flows TCP: 192.168.1.1:1041 ➝ 50.63.202.15:80
Flows TCP: 192.168.1.1:1042 ➝ 50.62.236.1:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 726f7069 6e696f6e 2e6e6574   octoropinion.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   726f6b65 6e70726f 6d697365 2e6e6574   rokenpromise.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   72657061 72657072 6f6d6973 652e6e65   reparepromise.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206f   : close..Host: o
0x00000040 (00064)   75747369 64657375 70706c79 2e6e6574   utsidesupply.net
0x00000050 (00080)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206f   : close..Host: o
0x00000040 (00064)   75747369 64656f66 66696365 2e6e6574   utsideoffice.net
0x00000050 (00080)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e6773 7570706c 792e6e65   uildingsupply.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e676f 66666963 652e6e65   uildingoffice.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   746f7265 73757070 6c792e6e 65740d0a   toresupply.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 72737570 706c792e 6e65740d   octorsupply.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 726f6666 6963652e 6e65740d   octoroffice.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   74696c6c 73757070 6c792e6e 65740d0a   tillsupply.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   72657474 79737472 6f6e672e 6e65740d   rettystrong.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....


Strings