Analysis Date: 2015-10-05 09:07:16
MD5: 2eccfde1e8e57178fa6e895387a4ef42
SHA1: 8f99309aaf0d89fe4b8f55d5b78be388347a4c07

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 7c5fbd1a039db3a1b78d02400da031b1 sha1: 68dcbd4e0e5756fb2a608eef913c57f89d5811e2 size: 467456
Section .rdata md5: 0aa70f6f500aac6160e5f919a5ce5349 sha1: ec6d37b9b1fe8bc2b736fa848315c2df58f69e75 size: 75776
Section .data  md5: 1f9d06e6f1201e04c45a819b6142af51 sha1: 773dec3811275ad19c8514850a8bc443b633dba2 size: 7168
Section .reloc md5: d71db3181cbc16ea269b9637809b8d6e sha1: fc5c50fde08aa4c613ad9fb1df04be635b87c82c size: 45568
Timestamp: 2015-05-08 06:51:03
Packer: Microsoft Visual C++ 8
PEhash: 869344747a4937be1e67a146a2532c383573a382
IMPhash: 636877f6b1978dbc2ced3d683729f124
AV Rising: Trojan.Win32.Bayrod.a
AV Mcafee: Trojan-FGIJ!2ECCFDE1E8E5
AV Avira (antivir): TR/Kryptik.qgmpd
AV Twister: W32.Toolbar.CrossRider.AE.lfcr.mg
AV Ad-Aware: Gen:Variant.Kazy.609631
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.T
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Generic.AC.215362
AV BitDefender: Gen:Variant.Kazy.609631
AV K7: Trojan ( 004c77f41 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BG
AV MicroWorld (escan): Gen:Variant.Kazy.609631
AV MalwareBytes: Trojan.Agent.KVTGen
AV Authentium: W32/Scar.R.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Kazy.609631
AV Zillya!: Trojan.Scar.Win32.94512
AV Kaspersky: Trojan.Win32.Scar.jjgz
AV Trend Micro: no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.609631
AV Arcabit (arcavir): Gen:Variant.Kazy.609631
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV F-Secure: Gen:Variant.Kazy.609631
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\cvjmruw\ypmvgbnwlyia
Creates File: C:\cvjmruw\y01kq3gzrllkpqbor.exe
Creates File: C:\WINDOWS\cvjmruw\ypmvgbnwlyia
Deletes File: C:\WINDOWS\cvjmruw\ypmvgbnwlyia
Creates Process: C:\cvjmruw\y01kq3gzrllkpqbor.exe

Process
↳ C:\cvjmruw\y01kq3gzrllkpqbor.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Protocol Class Browser AuthIP ➝ C:\cvjmruw\yiifttejyg.exe
Creates File: C:\cvjmruw\yiifttejyg.exe
Creates File: PIPE\lsarpc
Creates File: C:\cvjmruw\sije1hxlxr
Creates File: C:\cvjmruw\ypmvgbnwlyia
Creates File: C:\WINDOWS\cvjmruw\ypmvgbnwlyia
Deletes File: C:\WINDOWS\cvjmruw\ypmvgbnwlyia
Creates Process: C:\cvjmruw\yiifttejyg.exe
Creates Service: Networking Server Volume Disk Link Redirector - C:\cvjmruw\yiifttejyg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1848

Process
↳ Pid 1148

Process
↳ C:\cvjmruw\yiifttejyg.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\cvjmruw\sobrnvxwhe.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\cvjmruw\s7fr9scinz
Creates File: C:\cvjmruw\sije1hxlxr
Creates File: C:\cvjmruw\ypmvgbnwlyia
Creates File: C:\WINDOWS\cvjmruw\ypmvgbnwlyia
Deletes File: C:\WINDOWS\cvjmruw\ypmvgbnwlyia
Creates Process: qbrqbk0jmpn1 "c:\cvjmruw\yiifttejyg.exe"

Process
↳ C:\cvjmruw\yiifttejyg.exe

Creates File: C:\cvjmruw\ypmvgbnwlyia
Creates File: C:\WINDOWS\cvjmruw\ypmvgbnwlyia
Deletes File: C:\WINDOWS\cvjmruw\ypmvgbnwlyia

Process
↳ qbrqbk0jmpn1 "c:\cvjmruw\yiifttejyg.exe"

Creates File: C:\cvjmruw\ypmvgbnwlyia
Creates File: C:\WINDOWS\cvjmruw\ypmvgbnwlyia
Deletes File: C:\WINDOWS\cvjmruw\ypmvgbnwlyia

Network Details:

