Analysis Date: 2016-02-11 05:07:03
MD5: 245b309b0449fb54ddca0f9e64d56228
SHA1: 9191eec319581a3e65ccb1599a61ea262b19768c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 624c345c7215be1081dd0ab4591b1e99 sha1: e9c24061adca19d0e16d9e67cf9584cdd8f4d121 size: 527360
Section .rdata: md5: 657e2f6c75ee8a7aab2991f3da103c40 sha1: 48f9c69af46a887f8a2d5545b9063c0abea55c78 size: 26112
Section .data: md5: ed2ab5e88e57cd27f9affbfd0304cf8a sha1: e5af30fb28737e77c5c47c673ea0e100e557d33b size: 20480
Section .reloc: md5: adae64cf470fbbdfd680e31ece015d26 sha1: a7bcd2baee79b92f71370f2a35e1d775aa9ce109 size: 39424
Timestamp: 2014-02-05 22:26:26
Packer: Microsoft Visual C++ 8
PEhash: 5a8ab2c5a7b6279f292be7cb676ce292f7427eea
IMPhash: 28f4c88d1e719b964990e21b2b20113e
AV Fortinet: W32/Bayrob.BM!tr
AV MicroWorld (escan): Gen:Variant.Zusy.141475
AV F-Secure: Gen:Variant.Razy.13928
AV MalwareBytes: No Virus
AV Mcafee: Trojan-FHSQ!245B309B0449
AV Ikarus: Trojan.Bayrob
AV Trend Micro: No Virus
AV Dr. Web: No Virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV Authentium: W32/Nivdort.E.gen!Eldorado
AV Grisoft (avg): Generic37.ALUO
AV Twister: W32.Toolbar.CrossRider.AE.lfcr.mg
AV BullGuard: Gen:Variant.Zusy.141475
AV Zillya!: No Virus
AV Frisk (f-prot): W32/Nivdort.E.gen!Eldorado
AV Kaspersky: Trojan.Win32.Bayrob.dvhf
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV ClamAV: No Virus
AV Eset (nod32): Win32/Bayrob.BM
AV Alwil (avast): No Virus
AV CA (E-Trust Ino): Gen:Variant.Razy.13928
AV BitDefender: Gen:Variant.Razy.13928
AV Emsisoft: Gen:Variant.Razy.13928
AV Symantec: No Virus
AV K7: Trojan ( 004dc2a31 )
AV Ad-Aware: Gen:Variant.Razy.13928
AV Avira (antivir): TR/Taranis.2123
AV Arcabit (arcavir): Gen:Variant.Razy.13928
AV VirusBlokAda (vba32): No Virus
AV Rising: No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\mpkfcwpclwfca\ma1kaha1m92iowf.exe
Creates File: C:\mpkfcwpclwfca\jzwjbbp
Creates File: C:\WINDOWS\mpkfcwpclwfca\jzwjbbp
Deletes File: C:\WINDOWS\mpkfcwpclwfca\jzwjbbp
Creates Process: C:\mpkfcwpclwfca\ma1kaha1m92iowf.exe

Process
↳ C:\mpkfcwpclwfca\ma1kaha1m92iowf.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IPsec Wired Machine Policy Thread TCP/IP ➝ C:\mpkfcwpclwfca\eleiqumimp.exe
Creates File: C:\mpkfcwpclwfca\aw3qper
Creates File: C:\mpkfcwpclwfca\jzwjbbp
Creates File: C:\WINDOWS\mpkfcwpclwfca\jzwjbbp
Creates File: PIPE\lsarpc
Creates File: C:\mpkfcwpclwfca\eleiqumimp.exe
Deletes File: C:\WINDOWS\mpkfcwpclwfca\jzwjbbp
Creates Process: C:\mpkfcwpclwfca\eleiqumimp.exe
Creates Service: Remote Play RPC Drive Engine Secure - C:\mpkfcwpclwfca\eleiqumimp.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1916

Process
↳ Pid 1236

Process
↳ C:\mpkfcwpclwfca\eleiqumimp.exe

Creates File: C:\mpkfcwpclwfca\rbvowp
Creates File: pipe\net\NtControlPipe10
Creates File: C:\mpkfcwpclwfca\aw3qper
Creates File: C:\mpkfcwpclwfca\jzwjbbp
Creates File: C:\WINDOWS\mpkfcwpclwfca\jzwjbbp
Creates File: \Device\Afd\Endpoint
Creates File: C:\mpkfcwpclwfca\gmbhiutbbuko.exe
Deletes File: C:\WINDOWS\mpkfcwpclwfca\jzwjbbp
Creates Process: amhkmgv6twrz "c:\mpkfcwpclwfca\eleiqumimp.exe"

Process
↳ C:\mpkfcwpclwfca\eleiqumimp.exe

Creates File: C:\mpkfcwpclwfca\jzwjbbp
Creates File: C:\WINDOWS\mpkfcwpclwfca\jzwjbbp
Deletes File: C:\WINDOWS\mpkfcwpclwfca\jzwjbbp

Process
↳ amhkmgv6twrz "c:\mpkfcwpclwfca\eleiqumimp.exe"

Creates File: C:\mpkfcwpclwfca\jzwjbbp
Creates File: C:\WINDOWS\mpkfcwpclwfca\jzwjbbp
Deletes File: C:\WINDOWS\mpkfcwpclwfca\jzwjbbp

Network Details:

DNS: sweetwomen.net (Type: A) ➝ 184.168.221.104
DNS: materialpaint.net (Type: A) ➝ 208.100.26.234
DNS: simplestream.net (Type: A) ➝ 141.8.225.124
DNS: mountainstream.net (Type: A) ➝ 207.148.248.143
DNS: mountainbottle.net (Type: A) ➝ 195.22.28.199
DNS: mountainbottle.net (Type: A) ➝ 195.22.28.198
DNS: mountainbottle.net (Type: A) ➝ 195.22.28.197
DNS: mountainbottle.net (Type: A) ➝ 195.22.28.196
DNS: windowstream.net (Type: A) ➝ 216.21.239.197
DNS: sweetnothing.net (Type: A) ➝ 72.52.4.119
DNS: motheranother.net (Type: A) ➝ 50.63.202.39
DNS: simplebusiness.net (Type: A) ➝ 72.52.4.119
DNS: mountainmanner.net (Type: A) ➝ 208.100.26.234
DNS: sweetbusiness.net (Type: A) ➝ 50.240.78.247
DNS: profiles.dexknows.com (Type: A) ➝ 204.133.117.26
DNS: probablycourse.net (Type: A)
DNS: probablywomen.net (Type: A)
DNS: severalclean.net (Type: A)
DNS: materialclean.net (Type: A)
DNS: severalpaint.net (Type: A)
DNS: severalcourse.net (Type: A)
DNS: materialcourse.net (Type: A)
DNS: severalwomen.net (Type: A)
DNS: materialwomen.net (Type: A)
DNS: severastream.net (Type: A)
DNS: laughstream.net (Type: A)
DNS: severanothing.net (Type: A)
DNS: laughnothing.net (Type: A)
DNS: severabottle.net (Type: A)
DNS: laughbottle.net (Type: A)
DNS: severadivide.net (Type: A)
DNS: laughdivide.net (Type: A)
DNS: motherstream.net (Type: A)
DNS: simplenothing.net (Type: A)
DNS: mothernothing.net (Type: A)
DNS: simplebottle.net (Type: A)
DNS: motherbottle.net (Type: A)
DNS: simpledivide.net (Type: A)
DNS: motherdivide.net (Type: A)
DNS: possiblestream.net (Type: A)
DNS: mountainnothing.net (Type: A)
DNS: possiblenothing.net (Type: A)
DNS: possiblebottle.net (Type: A)
DNS: mountaindivide.net (Type: A)
DNS: possibledivide.net (Type: A)
DNS: perhapsstream.net (Type: A)
DNS: perhapsnothing.net (Type: A)
DNS: windownothing.net (Type: A)
DNS: perhapsbottle.net (Type: A)
DNS: windowbottle.net (Type: A)
DNS: perhapsdivide.net (Type: A)
DNS: windowdivide.net (Type: A)
DNS: winterstream.net (Type: A)
DNS: subjectstream.net (Type: A)
DNS: winternothing.net (Type: A)
DNS: subjectnothing.net (Type: A)
DNS: winterbottle.net (Type: A)
DNS: subjectbottle.net (Type: A)
DNS: winterdivide.net (Type: A)
DNS: subjectdivide.net (Type: A)
DNS: finishstream.net (Type: A)
DNS: leavestream.net (Type: A)
DNS: finishnothing.net (Type: A)
DNS: leavenothing.net (Type: A)
DNS: finishbottle.net (Type: A)
DNS: leavebottle.net (Type: A)
DNS: finishdivide.net (Type: A)
DNS: leavedivide.net (Type: A)
DNS: sweetstream.net (Type: A)
DNS: probablystream.net (Type: A)
DNS: probablynothing.net (Type: A)
DNS: sweetbottle.net (Type: A)
DNS: probablybottle.net (Type: A)
DNS: sweetdivide.net (Type: A)
DNS: probablydivide.net (Type: A)
DNS: severalstream.net (Type: A)
DNS: materialstream.net (Type: A)
DNS: severalnothing.net (Type: A)
DNS: materialnothing.net (Type: A)
DNS: severalbottle.net (Type: A)
DNS: materialbottle.net (Type: A)
DNS: severaldivide.net (Type: A)
DNS: materialdivide.net (Type: A)
DNS: severamanner.net (Type: A)
DNS: laughmanner.net (Type: A)
DNS: severaanother.net (Type: A)
DNS: laughanother.net (Type: A)
DNS: severabusiness.net (Type: A)
DNS: laughbusiness.net (Type: A)
DNS: severaappear.net (Type: A)
DNS: laughappear.net (Type: A)
DNS: simplemanner.net (Type: A)
DNS: mothermanner.net (Type: A)
DNS: simpleanother.net (Type: A)
DNS: motherbusiness.net (Type: A)
DNS: simpleappear.net (Type: A)
DNS: motherappear.net (Type: A)
DNS: possiblemanner.net (Type: A)
DNS: mountainanother.net (Type: A)
DNS: possibleanother.net (Type: A)
DNS: mountainbusiness.net (Type: A)
DNS: possiblebusiness.net (Type: A)
DNS: mountainappear.net (Type: A)
DNS: possibleappear.net (Type: A)
DNS: perhapsmanner.net (Type: A)
DNS: windowmanner.net (Type: A)
DNS: perhapsanother.net (Type: A)
DNS: windowanother.net (Type: A)
DNS: perhapsbusiness.net (Type: A)
DNS: windowbusiness.net (Type: A)
DNS: perhapsappear.net (Type: A)
DNS: windowappear.net (Type: A)
DNS: wintermanner.net (Type: A)
DNS: subjectmanner.net (Type: A)
DNS: winteranother.net (Type: A)
DNS: subjectanother.net (Type: A)
DNS: winterbusiness.net (Type: A)
DNS: subjectbusiness.net (Type: A)
DNS: winterappear.net (Type: A)
DNS: subjectappear.net (Type: A)
DNS: finishmanner.net (Type: A)
DNS: leavemanner.net (Type: A)
DNS: finishanother.net (Type: A)
DNS: leaveanother.net (Type: A)
DNS: finishbusiness.net (Type: A)
DNS: leavebusiness.net (Type: A)
DNS: finishappear.net (Type: A)
DNS: leaveappear.net (Type: A)
DNS: sweetmanner.net (Type: A)
DNS: probablymanner.net (Type: A)
DNS: sweetanother.net (Type: A)
DNS: probablyanother.net (Type: A)
DNS: probablybusiness.net (Type: A)
DNS: sweetappear.net (Type: A)
DNS: probablyappear.net (Type: A)
DNS: severalmanner.net (Type: A)
DNS: materialmanner.net (Type: A)
DNS: severalanother.net (Type: A)
DNS: materialanother.net (Type: A)
DNS: severalbusiness.net (Type: A)
DNS: materialbusiness.net (Type: A)
DNS: severalappear.net (Type: A)
DNS: materialappear.net (Type: A)
DNS: severainstead.net (Type: A)
DNS: laughinstead.net (Type: A)
DNS: severaexplain.net (Type: A)
DNS: laughexplain.net (Type: A)
DNS: severabright.net (Type: A)
DNS: laughbright.net (Type: A)
DNS: severainside.net (Type: A)
DNS: laughinside.net (Type: A)
DNS: simpleinstead.net (Type: A)
DNS: motherinstead.net (Type: A)
DNS: simpleexplain.net (Type: A)
DNS: motherexplain.net (Type: A)
DNS: simplebright.net (Type: A)
DNS: motherbright.net (Type: A)
DNS: simpleinside.net (Type: A)
DNS: motherinside.net (Type: A)
DNS: mountaininstead.net (Type: A)
DNS: possibleinstead.net (Type: A)
DNS: mountainexplain.net (Type: A)
DNS: possibleexplain.net (Type: A)
DNS: mountainbright.net (Type: A)
DNS: possiblebright.net (Type: A)
DNS: mountaininside.net (Type: A)
DNS: possibleinside.net (Type: A)
DNS: perhapsinstead.net (Type: A)
DNS: windowinstead.net (Type: A)
DNS: perhapsexplain.net (Type: A)
DNS: windowexplain.net (Type: A)
DNS: perhapsbright.net (Type: A)
DNS: windowbright.net (Type: A)
DNS: perhapsinside.net (Type: A)
HTTP GET: http://sweetwomen.net/index.php
User-Agent:
HTTP GET: http://materialpaint.net/index.php
User-Agent:
HTTP GET: http://simplestream.net/index.php
User-Agent:
HTTP GET: http://mountainstream.net/index.php
User-Agent:
HTTP GET: http://mountainbottle.net/index.php
User-Agent:
HTTP GET: http://windowstream.net/index.php
User-Agent:
HTTP GET: http://sweetnothing.net/index.php
User-Agent:
HTTP GET: http://motheranother.net/index.php
User-Agent:
HTTP GET: http://simplebusiness.net/index.php
User-Agent:
HTTP GET: http://mountainmanner.net/index.php
User-Agent:
HTTP GET: http://sweetbusiness.net/index.php
User-Agent:
HTTP GET: http://windowbright.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 184.168.221.104:80
Flows TCP: 192.168.1.1:1032 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.124:80
Flows TCP: 192.168.1.1:1034 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1035 ➝ 195.22.28.199:80
Flows TCP: 192.168.1.1:1036 ➝ 216.21.239.197:80
Flows TCP: 192.168.1.1:1037 ➝ 72.52.4.119:80
Flows TCP: 192.168.1.1:1038 ➝ 50.63.202.39:80
Flows TCP: 192.168.1.1:1039 ➝ 72.52.4.119:80
Flows TCP: 192.168.1.1:1040 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1041 ➝ 50.240.78.247:80
Flows TCP: 192.168.1.1:1042 ➝ 204.133.117.26:80
