Analysis Date: 2015-10-11 21:16:01
MD5: 7c68861586a9a9395c3381973671dd66
SHA1: 915f798ca90b4bb2e2e74a5f2f90f34978951c5c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 1e33b2d6f1cf04f3d4f2e07bd28237a2 sha1: 4bb39ba68254d7326feb219a9fd003c045440c37 size: 266240
Section .rdata md5: 75279a490280427085e604b3feba91f1 sha1: fa781e58fc28bd0232f242ac51d54f2df591f8ff size: 40960
Section .data md5: 6aee265a260587bb5b69eb96f353bfc1 sha1: d0a03a1b594b72be1c319a60e8c975528eef612e size: 7168
Section .reloc md5: 7302e4cc3f33b972bb25870aec238745 sha1: 4785f39d4736f8035502e3b4677a4b624add6941 size: 18944
Timestamp: 2015-05-21 03:58:32
Packer: Microsoft Visual C++ ?.?
PEhash: 3c33e84afbb4e51164060c055a228a8d15efc152
IMPhash: d38ea63ae2bcbc59b884bf1c752a8337
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): no_virus
AV Zillya!: Trojan.Bayrob.Win32.1168
AV Fortinet: W32/Babrob.Y!tr
AV CAT (quickheal): Trojan.Dyname.r4
AV ClamAV: no_virus
AV Frisk (f-prot): no_virus
AV Avira (antivir): TR/Crypt.ZPACK.60414
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV Authentium: W32/Scar.V.gen!Eldorado
AV Padvish: no_virus
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV Emsisoft: Gen:Variant.Diley.1
AV BitDefender: Gen:Variant.Diley.1
AV Ad-Aware: Gen:Variant.Diley.1
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Dr. Web: Trojan.DownLoader14.27045
AV F-Secure: Gen:Variant.Diley.1
AV Trend Micro: no_virus
AV CA (E-Trust Ino): no_virus
AV BullGuard: Gen:Variant.Diley.1
AV MalwareBytes: Trojan.Agent.KVTGen
AV Rising: no_virus
AV K7: Trojan ( 004c2d9e1 )
AV Twister: no_virus
AV Mcafee: Trojan-FGIJ!7C68861586A9
AV Eset (nod32): Win32/Bayrob.Y
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ikarus: Trojan.Win32.Bayrob

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\jlqojjchsih\dyb1lydjhcbamhhwyz.exe
Creates File: C:\jlqojjchsih\brqox0ebnyp
Creates File: C:\WINDOWS\jlqojjchsih\brqox0ebnyp
Deletes File: C:\WINDOWS\jlqojjchsih\brqox0ebnyp
Creates Process: C:\jlqojjchsih\dyb1lydjhcbamhhwyz.exe

Process
↳ C:\jlqojjchsih\dyb1lydjhcbamhhwyz.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Group Modules Encryption Installer Copy ➝ C:\jlqojjchsih\vaifbaao.exe
Creates File: C:\jlqojjchsih\mune1h
Creates File: C:\jlqojjchsih\vaifbaao.exe
Creates File: C:\jlqojjchsih\brqox0ebnyp
Creates File: C:\WINDOWS\jlqojjchsih\brqox0ebnyp
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\jlqojjchsih\brqox0ebnyp
Creates Process: C:\jlqojjchsih\vaifbaao.exe
Creates Service: Time Tracking Parental Tunneling Debugger Keying - C:\jlqojjchsih\vaifbaao.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 820

Process
↳ Pid 868

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1224

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1896

Process
↳ Pid 1212

Process
↳ C:\jlqojjchsih\vaifbaao.exe

Creates File: C:\jlqojjchsih\mune1h
Creates File: pipe\net\NtControlPipe10
Creates File: C:\jlqojjchsih\tp9avskawy
Creates File: C:\jlqojjchsih\tnubmtcfx.exe
Creates File: C:\jlqojjchsih\brqox0ebnyp
Creates File: C:\WINDOWS\jlqojjchsih\brqox0ebnyp
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\jlqojjchsih\brqox0ebnyp
Creates Process: etdpb3n8hu0n "c:\jlqojjchsih\vaifbaao.exe"

Process
↳ C:\jlqojjchsih\vaifbaao.exe

Creates File: C:\jlqojjchsih\brqox0ebnyp
Creates File: C:\WINDOWS\jlqojjchsih\brqox0ebnyp
Deletes File: C:\WINDOWS\jlqojjchsih\brqox0ebnyp

Process
↳ etdpb3n8hu0n "c:\jlqojjchsih\vaifbaao.exe"

Creates File: C:\jlqojjchsih\brqox0ebnyp
Creates File: C:\WINDOWS\jlqojjchsih\brqox0ebnyp
Deletes File: C:\WINDOWS\jlqojjchsih\brqox0ebnyp

Network Details:

DNS: quietdemand.net
Type: A
208.100.26.234
DNS: seasondemand.net
Type: A
72.52.4.90
DNS: nightstation.net
Type: A
69.163.242.16
DNS: electricstation.net
Type: A
50.63.202.37
DNS: streetstation.net
Type: A
72.52.4.90
DNS: tradestation.net
Type: A
65.211.211.21
DNS: doubttravel.net
Type: A
72.52.4.90
DNS: nightspace.net
Type: A
91.250.101.43
DNS: largespace.net
Type: A
62.22.102.59
DNS: quietshout.net
Type: A
DNS: seasonshout.net
Type: A
DNS: againststation.net
Type: A
DNS: doubtstation.net
Type: A
DNS: againstthird.net
Type: A
DNS: doubtthird.net
Type: A
DNS: againstobject.net
Type: A
DNS: doubtobject.net
Type: A
DNS: againstchildhood.net
Type: A
DNS: doubtchildhood.net
Type: A
DNS: decidestation.net
Type: A
DNS: nightthird.net
Type: A
DNS: decidethird.net
Type: A
DNS: nightobject.net
Type: A
DNS: decideobject.net
Type: A
DNS: nightchildhood.net
Type: A
DNS: decidechildhood.net
Type: A
DNS: largestation.net
Type: A
DNS: captainstation.net
Type: A
DNS: largethird.net
Type: A
DNS: captainthird.net
Type: A
DNS: largeobject.net
Type: A
DNS: captainobject.net
Type: A
DNS: largechildhood.net
Type: A
DNS: captainchildhood.net
Type: A
DNS: recordstation.net
Type: A
DNS: recordthird.net
Type: A
DNS: electricthird.net
Type: A
DNS: recordobject.net
Type: A
DNS: electricobject.net
Type: A
DNS: recordchildhood.net
Type: A
DNS: electricchildhood.net
Type: A
DNS: streetthird.net
Type: A
DNS: tradethird.net
Type: A
DNS: streetobject.net
Type: A
DNS: tradeobject.net
Type: A
DNS: streetchildhood.net
Type: A
DNS: tradechildhood.net
Type: A
DNS: betterstation.net
Type: A
DNS: gatherstation.net
Type: A
DNS: betterthird.net
Type: A
DNS: gatherthird.net
Type: A
DNS: betterobject.net
Type: A
DNS: gatherobject.net
Type: A
DNS: betterchildhood.net
Type: A
DNS: gatherchildhood.net
Type: A
DNS: flierstation.net
Type: A
DNS: breadstation.net
Type: A
DNS: flierthird.net
Type: A
DNS: breadthird.net
Type: A
DNS: flierobject.net
Type: A
DNS: breadobject.net
Type: A
DNS: flierchildhood.net
Type: A
DNS: breadchildhood.net
Type: A
DNS: quietstation.net
Type: A
DNS: seasonstation.net
Type: A
DNS: quietthird.net
Type: A
DNS: seasonthird.net
Type: A
DNS: quietobject.net
Type: A
DNS: seasonobject.net
Type: A
DNS: quietchildhood.net
Type: A
DNS: seasonchildhood.net
Type: A
DNS: againstspace.net
Type: A
DNS: doubtspace.net
Type: A
DNS: againsttravel.net
Type: A
DNS: againstyellow.net
Type: A
DNS: doubtyellow.net
Type: A
DNS: againstclose.net
Type: A
DNS: doubtclose.net
Type: A
DNS: decidespace.net
Type: A
DNS: nighttravel.net
Type: A
DNS: decidetravel.net
Type: A
DNS: nightyellow.net
Type: A
DNS: decideyellow.net
Type: A
DNS: nightclose.net
Type: A
DNS: decideclose.net
Type: A
HTTP GET: http://quietdemand.net/index.php
User-Agent:
HTTP GET: http://seasondemand.net/index.php
User-Agent:
HTTP GET: http://nightstation.net/index.php
User-Agent:
HTTP GET: http://electricstation.net/index.php
User-Agent:
HTTP GET: http://streetstation.net/index.php
User-Agent:
HTTP GET: http://tradestation.net/index.php
User-Agent:
HTTP GET: http://doubttravel.net/index.php
User-Agent:
HTTP GET: http://nightspace.net/index.php
User-Agent:
HTTP GET: http://largespace.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1032 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1033 ➝ 69.163.242.16:80
Flows TCP: 192.168.1.1:1034 ➝ 50.63.202.37:80
Flows TCP: 192.168.1.1:1035 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1036 ➝ 65.211.211.21:80
Flows TCP: 192.168.1.1:1037 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1038 ➝ 91.250.101.43:80
Flows TCP: 192.168.1.1:1039 ➝ 62.22.102.59:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2071   : close..Host: q
0x00000040 (00064)   75696574 64656d61 6e642e6e 65740d0a   uietdemand.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   6561736f 6e64656d 616e642e 6e65740d   easondemand.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206e   : close..Host: n
0x00000040 (00064)   69676874 73746174 696f6e2e 6e65740d   ightstation.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   6c656374 72696373 74617469 6f6e2e6e   lectricstation.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   74726565 74737461 74696f6e 2e6e6574   treetstation.net
0x00000050 (00080)   0d0a0d0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2074   : close..Host: t
0x00000040 (00064)   72616465 73746174 696f6e2e 6e65740d   radestation.net.
0x00000050 (00080)   0a0d0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f756274 74726176 656c2e6e 65740d0a   oubttravel.net..
0x00000050 (00080)   0d0a0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206e   : close..Host: n
0x00000040 (00064)   69676874 73706163 652e6e65 740d0a0d   ightspace.net...
0x00000050 (00080)   0a0a0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   61726765 73706163 652e6e65 740d0a0d   argespace.net...
0x00000050 (00080)   0a0a0a0a 0d0a                         ......


Strings