Analysis Date: 2015-11-15 10:38:27
MD5: 735f5bdf01fe4052e45d6319fdee772c
SHA1: 909bcb31abfe0babe9539e4ef97bba46820210b2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 91e6e76110a582374bc729309d62b6c6 sha1: babfaf10c3b6f0d455b5760364805919aa91b427 size: 197120
Section .rdata: md5: 4e62485c84a8c9fb2883a25bd5b974a9 sha1: 2b0178bfcc40ac16c06106c5288c20fe02b503ad size: 50688
Section .data: md5: 4199dc5a571cc137538f4d1609d637be sha1: 2bcb43f12353d7d879572aa85f00c3f2a1966e2a size: 6656
Section .reloc: md5: 5dd1d5260b7a467acd9127b88e4a40e0 sha1: 61577d101294d3689ba0749225e0d859291b0a00 size: 14336
Timestamp: 2015-04-29 18:49:36
Packer: Microsoft Visual C++ 8
PEhash: af63038bdc62e5ac6db66671a153a802368f4ac4
IMPhash: fd43654c9aab736e9389aacaa7aa8cc0
AV Rising: Trojan.Win32.Bayrod.a
AV Mcafee: Trojan-FGIJ!735F5BDF01FE
AV Avira (antivir): TR/Kryptik.qgmpd
AV Twister: Trojan.0000E9000000006A1.mg
AV Ad-Aware: Gen:Variant.Strobosc.1
AV Alwil (avast): VB-AJEW [Trj]
AV Eset (nod32): Win32/Bayrob.Q
AV Grisoft (avg): PSW.Generic12.BRTE
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Generic.AC.215362
AV BitDefender: Gen:Variant.Strobosc.1
AV K7: Trojan ( 004c12491 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AF
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV MalwareBytes: Trojan.Agent.KVTGen
AV Authentium: W32/Scar.R.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Strobosc.1
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Strobosc.1
AV Arcabit (arcavir): Gen:Variant.Strobosc.1
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader13.7156
AV F-Secure: Gen:Variant.Strobosc.1
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\ehzhnolbdkywb\udqkzol1x
Creates File: C:\WINDOWS\ehzhnolbdkywb\udqkzol1x
Creates File: C:\ehzhnolbdkywb\wcxba1jgjuopdxcgjcfno.exe
Deletes File: C:\WINDOWS\ehzhnolbdkywb\udqkzol1x
Creates Process: C:\ehzhnolbdkywb\wcxba1jgjuopdxcgjcfno.exe

Process
↳ C:\ehzhnolbdkywb\wcxba1jgjuopdxcgjcfno.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Framework UPnP Host System Tablet PnP-X ➝ C:\ehzhnolbdkywb\yxtrulsoao.exe
Creates File: C:\ehzhnolbdkywb\udqkzol1x
Creates File: C:\ehzhnolbdkywb\yxtrulsoao.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\ehzhnolbdkywb\udqkzol1x
Creates File: C:\ehzhnolbdkywb\biiotfi
Deletes File: C:\WINDOWS\ehzhnolbdkywb\udqkzol1x
Creates Process: C:\ehzhnolbdkywb\yxtrulsoao.exe
Creates Service: Policy Protected Management - C:\ehzhnolbdkywb\yxtrulsoao.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1840

Process
↳ Pid 1100

Process
↳ C:\ehzhnolbdkywb\yxtrulsoao.exe

Creates File: C:\ehzhnolbdkywb\udqkzol1x
Creates File: pipe\net\NtControlPipe10
Creates File: C:\ehzhnolbdkywb\fclvpojy
Creates File: C:\WINDOWS\ehzhnolbdkywb\udqkzol1x
Creates File: \Device\Afd\Endpoint
Creates File: C:\ehzhnolbdkywb\mdxugukdsx.exe
Creates File: C:\ehzhnolbdkywb\biiotfi
Deletes File: C:\WINDOWS\ehzhnolbdkywb\udqkzol1x
Creates Process: s1eqkqxawlmu "c:\ehzhnolbdkywb\yxtrulsoao.exe"

Process
↳ C:\ehzhnolbdkywb\yxtrulsoao.exe

Creates File: C:\ehzhnolbdkywb\udqkzol1x
Creates File: C:\WINDOWS\ehzhnolbdkywb\udqkzol1x
Deletes File: C:\WINDOWS\ehzhnolbdkywb\udqkzol1x

Process
↳ s1eqkqxawlmu "c:\ehzhnolbdkywb\yxtrulsoao.exe"

Creates File: C:\ehzhnolbdkywb\udqkzol1x
Creates File: C:\WINDOWS\ehzhnolbdkywb\udqkzol1x
Deletes File: C:\WINDOWS\ehzhnolbdkywb\udqkzol1x
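The runtime trace above shows two persistence mechanisms that both point at the same binary: a Run key value (Framework UPnP Host System Tablet PnP-X) and a service (Policy Protected Management), each launching C:\ehzhnolbdkywb\yxtrulsoao.exe from a directory sitting directly under the volume root. The following is an added triage example, not tooling from the sandbox that produced this report: it takes the binary path behind an autostart entry and returns the structural reasons it looks out of place. The list of standard roots, the "shallow path" rule and the low-vowel directory-name heuristic are assumptions chosen for illustration, and the two control entries are constructed, not from the report.

```python
"""Autostart triage for the persistence this report records.

Added example: not tooling from the sandbox that produced the report. It scores
the binary path behind an autostart entry (Run key value, service ImagePath)
against a few structural checks. The roots list and the name heuristic are
assumptions chosen for illustration, not a published rule."""
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Top-level directories under which autostart binaries normally live.
# Assumption: a binary whose top-level directory is not one of these, and is
# sitting directly under the volume root like C:\ehzhnolbdkywb\, deserves review.
STANDARD_ROOTS = {"windows", "program files", "program files (x86)", "programdata", "users"}

VOWELS = set("aeiou")


def vowel_fraction(name: str) -> float:
    """Share of letters that are vowels; English words sit well above ~0.3."""
    letters = [c for c in name.lower() if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 1.0


def classify_autostart(image_path: str) -> List[str]:
    """Return the reasons an autostart binary path looks suspicious.

    An empty list means none of the checks fired."""
    path = PureWindowsPath(image_path.strip().strip('"'))
    parts = list(path.parts)           # ['C:\\', 'ehzhnolbdkywb', 'yxtrulsoao.exe']
    reasons: List[str] = []
    if len(parts) < 3:
        # Binary directly in the volume root (C:\malware.exe), or no drive at all.
        return ["binary_at_volume_root"] if len(parts) == 2 else reasons
    top = parts[1].lower()
    if top not in STANDARD_ROOTS:
        reasons.append("outside_standard_roots")
    if len(parts) == 3:
        # <drive>\<dir>\<exe>: one level deep, no vendor/product hierarchy.
        reasons.append("shallow_path")
    # Assumed heuristic: a long, all-lowercase alphanumeric directory name with
    # few vowels (ehzhnolbdkywb scores 2/13) rarely comes from a real installer.
    if re.fullmatch(r"[a-z0-9]{10,}", top) and vowel_fraction(top) < 0.3:
        reasons.append("random_looking_directory")
    return reasons


def triage(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Map autostart entry -> reasons, keeping only entries that fired."""
    flagged = {}
    for name, image_path in entries.items():
        reasons = classify_autostart(image_path)
        if reasons:
            flagged[name] = reasons
    return flagged


# Entries lifted from this report's Runtime Details, plus two benign controls
# constructed for contrast (not from the report).
REPORT_ENTRIES = {
    "Run\\Framework UPnP Host System Tablet PnP-X": r"C:\ehzhnolbdkywb\yxtrulsoao.exe",
    "Service\\Policy Protected Management": r"C:\ehzhnolbdkywb\yxtrulsoao.exe",
    "Service\\Spooler (control)": r"C:\WINDOWS\system32\spoolsv.exe",
    "Run\\VendorUpdater (control)": r"C:\Program Files\Vendor\updater.exe",
}

if __name__ == "__main__":
    for entry, why in triage(REPORT_ENTRIES).items():
        print(f"{entry}: {', '.join(why)}")
```

Run as a script it prints only the two report entries, each with all three reasons; the spooler and Program Files controls come back clean. The name heuristic is the weakest of the three checks and is there as a tie-breaker, not a verdict on its own: the path-structure checks are what carry the Run key and service entries from this report.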

Network Details:

DNS: effortbuilt.net (Type: A) ➝ 198.27.70.45
DNS: journeymeasure.net (Type: A) ➝ 50.87.249.65
DNS: destroycircle.net (Type: A) ➝ 208.100.26.234
DNS: littlecircle.net (Type: A) ➝ 184.168.221.22
DNS: riddencircle.net (Type: A) ➝ 208.91.197.241
DNS: chairapple.net (Type: A)
DNS: thoseapple.net (Type: A)
DNS: chairbuilt.net (Type: A)
DNS: thosebuilt.net (Type: A)
DNS: chaircarry.net (Type: A)
DNS: thosecarry.net (Type: A)
DNS: withinfather.net (Type: A)
DNS: sufferfather.net (Type: A)
DNS: withinapple.net (Type: A)
DNS: sufferapple.net (Type: A)
DNS: withinbuilt.net (Type: A)
DNS: sufferbuilt.net (Type: A)
DNS: withincarry.net (Type: A)
DNS: suffercarry.net (Type: A)
DNS: effortfather.net (Type: A)
DNS: throughfather.net (Type: A)
DNS: effortapple.net (Type: A)
DNS: throughapple.net (Type: A)
DNS: throughbuilt.net (Type: A)
DNS: effortcarry.net (Type: A)
DNS: throughcarry.net (Type: A)
DNS: forgetfather.net (Type: A)
DNS: increasefather.net (Type: A)
DNS: forgetapple.net (Type: A)
DNS: increaseapple.net (Type: A)
DNS: forgetbuilt.net (Type: A)
DNS: increasebuilt.net (Type: A)
DNS: forgetcarry.net (Type: A)
DNS: increasecarry.net (Type: A)
DNS: wouldfather.net (Type: A)
DNS: rememberfather.net (Type: A)
DNS: wouldapple.net (Type: A)
DNS: rememberapple.net (Type: A)
DNS: wouldbuilt.net (Type: A)
DNS: rememberbuilt.net (Type: A)
DNS: wouldcarry.net (Type: A)
DNS: remembercarry.net (Type: A)
DNS: husbandmeasure.net (Type: A)
DNS: journeydinner.net (Type: A)
DNS: husbanddinner.net (Type: A)
DNS: journeyafraid.net (Type: A)
DNS: husbandafraid.net (Type: A)
DNS: journeycircle.net (Type: A)
DNS: husbandcircle.net (Type: A)
DNS: destroymeasure.net (Type: A)
DNS: littlemeasure.net (Type: A)
DNS: destroydinner.net (Type: A)
DNS: littledinner.net (Type: A)
DNS: destroyafraid.net (Type: A)
DNS: littleafraid.net (Type: A)
DNS: riddenmeasure.net (Type: A)
DNS: belongmeasure.net (Type: A)
DNS: riddendinner.net (Type: A)
DNS: belongdinner.net (Type: A)
DNS: riddenafraid.net (Type: A)
DNS: belongafraid.net (Type: A)
DNS: belongcircle.net (Type: A)
DNS: chairmeasure.net (Type: A)
DNS: thosemeasure.net (Type: A)
DNS: chairdinner.net (Type: A)
DNS: thosedinner.net (Type: A)
DNS: chairafraid.net (Type: A)
DNS: thoseafraid.net (Type: A)
DNS: chaircircle.net (Type: A)
DNS: thosecircle.net (Type: A)
DNS: withinmeasure.net (Type: A)
DNS: suffermeasure.net (Type: A)
DNS: withindinner.net (Type: A)
DNS: sufferdinner.net (Type: A)
DNS: withinafraid.net (Type: A)
DNS: sufferafraid.net (Type: A)
DNS: withincircle.net (Type: A)
DNS: suffercircle.net (Type: A)
DNS: effortmeasure.net (Type: A)
DNS: throughmeasure.net (Type: A)
DNS: effortdinner.net (Type: A)
DNS: throughdinner.net (Type: A)
DNS: effortafraid.net (Type: A)
DNS: throughafraid.net (Type: A)
DNS: effortcircle.net (Type: A)
HTTP GET: http://effortbuilt.net/index.php (User-Agent: empty)
HTTP GET: http://journeymeasure.net/index.php (User-Agent: empty)
HTTP GET: http://destroycircle.net/index.php (User-Agent: empty)
HTTP GET: http://littlecircle.net/index.php (User-Agent: empty)
HTTP GET: http://riddencircle.net/index.php (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 198.27.70.45:80
Flows TCP: 192.168.1.1:1032 ➝ 50.87.249.65:80
Flows TCP: 192.168.1.1:1033 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1034 ➝ 184.168.221.22:80
Flows TCP: 192.168.1.1:1035 ➝ 208.91.197.241:80
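Every domain in the list above is two dictionary words glued together under .net (effort+built, journey+measure, ridden+circle, ...), and only five of the eighty-five names resolved; the five that did were then fetched at /index.php with an empty User-Agent. That pattern, a burst of word-pair lookups from one client with a high unanswered ratio, is something a resolver or DNS-log pipeline can alert on. The following is an added detection example, not sandbox tooling: it rebuilds the two word lists from the names in this report (an assumption that they are a sample of the generator's vocabulary, not the complete lists), feeds a constructed query log containing exactly the report's eighty-five lookups from 192.168.1.1, and flags the client. The log line format, the thresholds and the control host 192.168.1.50 are constructed for illustration.

```python
"""Word-pair domain detection over DNS query logs.

Added example, not sandbox tooling. It is written against the Network Details
of this report: one host queries dozens of '<word><word>.net' names in quick
succession and only five of them resolve. The log line format, the client
address roles and the thresholds are constructed for illustration."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Vocabulary recovered from the domains listed in this report. Assumption: these
# are a sample of the generator's two word lists, not the complete lists.
FIRST_WORDS = {"effort", "journey", "destroy", "little", "ridden", "chair", "those",
               "within", "suffer", "through", "forget", "increase", "would",
               "remember", "husband", "belong"}
SECOND_WORDS = {"built", "measure", "circle", "apple", "carry", "father", "dinner", "afraid"}


def is_word_pair(domain: str) -> bool:
    """True if domain is <first><second>.net built from the recovered vocabulary."""
    host = domain.lower().rstrip(".")
    if not host.endswith(".net"):
        return False
    sld = host[:-len(".net")]
    if "." in sld:
        return False
    return any(sld.startswith(w) and sld[len(w):] in SECOND_WORDS for w in FIRST_WORDS)


def parse_line(line: str) -> Tuple[str, str, str, Optional[str]]:
    """Constructed log format: '<client> <qname> <qtype> <answer|->'."""
    client, qname, qtype, answer = line.split()
    return client, qname.lower().rstrip("."), qtype.upper(), None if answer == "-" else answer


def detect(lines: List[str], min_distinct: int = 20, min_unanswered: float = 0.8) -> Dict[str, dict]:
    """Flag clients that query many distinct word-pair .net names, mostly without an answer."""
    per_client = defaultdict(lambda: {"queried": set(), "unanswered": set(), "resolved": {}})
    for line in lines:
        client, qname, qtype, answer = parse_line(line)
        if qtype != "A" or not is_word_pair(qname):
            continue
        stats = per_client[client]
        stats["queried"].add(qname)
        if answer is None:
            stats["unanswered"].add(qname)
        else:
            stats["resolved"][qname] = answer
    alerts = {}
    for client, s in per_client.items():
        n = len(s["queried"])
        if n >= min_distinct and len(s["unanswered"]) / n >= min_unanswered:
            alerts[client] = {"queried": n, "unanswered": len(s["unanswered"]),
                              "resolved": dict(s["resolved"])}
    return alerts


# Sample log constructed from this report: the sandbox client 192.168.1.1, the five
# names that resolved, and the eighty that got no answer. 192.168.1.50 is an
# invented control host.
RESOLVED = {"effortbuilt.net": "198.27.70.45", "journeymeasure.net": "50.87.249.65",
            "destroycircle.net": "208.100.26.234", "littlecircle.net": "184.168.221.22",
            "riddencircle.net": "208.91.197.241"}
UNANSWERED = """chairapple thoseapple chairbuilt thosebuilt chaircarry thosecarry withinfather sufferfather
withinapple sufferapple withinbuilt sufferbuilt withincarry suffercarry effortfather throughfather
effortapple throughapple throughbuilt effortcarry throughcarry forgetfather increasefather forgetapple
increaseapple forgetbuilt increasebuilt forgetcarry increasecarry wouldfather rememberfather wouldapple
rememberapple wouldbuilt rememberbuilt wouldcarry remembercarry husbandmeasure journeydinner husbanddinner
journeyafraid husbandafraid journeycircle husbandcircle destroymeasure littlemeasure destroydinner littledinner
destroyafraid littleafraid riddenmeasure belongmeasure riddendinner belongdinner riddenafraid belongafraid
belongcircle chairmeasure thosemeasure chairdinner thosedinner chairafraid thoseafraid chaircircle thosecircle
withinmeasure suffermeasure withindinner sufferdinner withinafraid sufferafraid withincircle suffercircle
effortmeasure throughmeasure effortdinner throughdinner effortafraid throughafraid effortcircle""".split()

SAMPLE_LOG = [f"192.168.1.1 {d} A {ip}" for d, ip in RESOLVED.items()]
SAMPLE_LOG += [f"192.168.1.1 {d}.net A -" for d in UNANSWERED]
SAMPLE_LOG += ["192.168.1.50 www.example.com A 93.184.216.34",
               "192.168.1.50 effortbuilt.net A 198.27.70.45"]

if __name__ == "__main__":
    for client, info in detect(SAMPLE_LOG).items():
        print(client, info["queried"], "word-pair names,", info["unanswered"], "unanswered")
        print("  resolved:", info["resolved"])
```

Only 192.168.1.1 is reported: 85 distinct word-pair names, 80 of them unanswered, with the five resolved names and their IPs attached so the analyst can pivot straight to the /index.php flows. The control host queried one word-pair name and stays under the distinct-name floor, which is the point of combining the vocabulary match with a volume and unanswered-ratio threshold rather than alerting on a single lookup. A real deployment would swap the constructed log format for the resolver's own and extend the word lists from further samples.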
