Analysis Date: 2015-10-26 02:01:49
MD5: 3d7d8f0ed64c6226d80d66703bde06b9
SHA1: 88c358c4d1a861cc3bac87c53394eb508ec3e489

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: c66565e997ee61b814994fc5ff2fd7e2, sha1: 6bffc09bb802ccc8bb367fb019e13b4679f79160, size: 282112
Section .rdata: md5: 478db520eba96beb0ccbce808a2e08b6, sha1: 80f31a003ae42b3c15e6f0dfbb04b376fb9aad30, size: 57856
Section .data: md5: 0628a6457288d6441551aa64914f47f3, sha1: e16e528435801a28408c7701bb29df6f1d614809, size: 7680
Section .reloc: md5: 087dfd1e4d63e97ec7a18930c46e4633, sha1: 5accbe05fe5aa962b4b6665d84edf9db0aa55a66, size: 18944
Timestamp: 2015-05-11 06:09:11
Packer: Microsoft Visual C++ 8
PEhash: 8e8971f7bdc46356379cccf14d00e45520571837
IMPhash: 09fe53d30f3beef52127a242ff68ab57
AV CA (E-Trust Ino): no_virus
AV Rising: Trojan.Win32.Bayrod.b
AV Mcafee: PWS-FCCE!3D7D8F0ED64C
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Diley.1
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.AA
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Bayrob.T!tr
AV BitDefender: Gen:Variant.Diley.1
AV K7: Trojan ( 004c3a4d1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AL
AV MicroWorld (escan): Gen:Variant.Diley.1
AV MalwareBytes: Trojan.Agent.KVTGen
AV Authentium: W32/Trojan.CIPL-1937
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Diley.1
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Diley.1
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV F-Secure: Gen:Variant.Diley.1

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\yrowznicxbr\gxzo4qknt
Creates File: C:\WINDOWS\yrowznicxbr\gxzo4qknt
Creates File: C:\yrowznicxbr\xc1l71sithhsnthp0r.exe
Deletes File: C:\WINDOWS\yrowznicxbr\gxzo4qknt
Creates Process: C:\yrowznicxbr\xc1l71sithhsnthp0r.exe

Process
↳ C:\yrowznicxbr\xc1l71sithhsnthp0r.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Logon Computer Modules Image Storage Hardware ➝ C:\yrowznicxbr\mcjsohupdvec.exe
Creates File: C:\yrowznicxbr\gxzo4qknt
Creates File: C:\yrowznicxbr\mcjsohupdvec.exe
Creates File: C:\WINDOWS\yrowznicxbr\gxzo4qknt
Creates File: PIPE\lsarpc
Creates File: C:\yrowznicxbr\xhtaubjcl
Deletes File: C:\WINDOWS\yrowznicxbr\gxzo4qknt
Creates Process: C:\yrowznicxbr\mcjsohupdvec.exe
Creates Service: Cryptographic Gateway Workstation - C:\yrowznicxbr\mcjsohupdvec.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1856

Process
↳ Pid 1156

Process
↳ C:\yrowznicxbr\mcjsohupdvec.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\yrowznicxbr\sogmi86moa09
Creates File: C:\yrowznicxbr\gxzo4qknt
Creates File: C:\WINDOWS\yrowznicxbr\gxzo4qknt
Creates File: C:\yrowznicxbr\xhtaubjcl
Creates File: \Device\Afd\Endpoint
Creates File: C:\yrowznicxbr\lokrvbiciou.exe
Deletes File: C:\WINDOWS\yrowznicxbr\gxzo4qknt
Creates Process: oorypawhdwdi "c:\yrowznicxbr\mcjsohupdvec.exe"

Process
↳ C:\yrowznicxbr\mcjsohupdvec.exe

Creates File: C:\yrowznicxbr\gxzo4qknt
Creates File: C:\WINDOWS\yrowznicxbr\gxzo4qknt
Deletes File: C:\WINDOWS\yrowznicxbr\gxzo4qknt

Process
↳ oorypawhdwdi "c:\yrowznicxbr\mcjsohupdvec.exe"

Creates File: C:\yrowznicxbr\gxzo4qknt
Creates File: C:\WINDOWS\yrowznicxbr\gxzo4qknt
Deletes File: C:\WINDOWS\yrowznicxbr\gxzo4qknt

Network Details:

HTTP GET: http://heavenbright.net/index.php
  User-Agent:
HTTP GET: http://heaveninside.net/index.php
  User-Agent:
HTTP GET: http://gentlebright.net/index.php
  User-Agent:
HTTP GET: http://answerbrown.net/index.php
  User-Agent:
HTTP GET: http://glasspeople.net/index.php
  User-Agent:
HTTP GET: http://difficultpeople.net/index.php
  User-Agent:
HTTP GET: http://pleasantpeople.net/index.php
  User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 104.27.153.238:80
Flows TCP: 192.168.1.1:1032 ➝ 184.168.221.35:80
Flows TCP: 192.168.1.1:1033 ➝ 195.22.26.254:80
Flows TCP: 192.168.1.1:1034 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1035 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1036 ➝ 184.168.221.60:80
Flows TCP: 192.168.1.1:1037 ➝ 54.217.250.161:80

Raw Pcap

Strings