Analysis Date: 2015-08-28 11:56:26
MD5: 09f5cd66db60a6e033a1a63cc480416a
SHA1: 95a5dbcb99950ae52034dfdbb222bd7abb5d0246

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: bf2fc3cada7040e7f245a8a3684755e0 sha1: 2b1399fb3eee753f1a290afd99310399d9f7480d size: 258048
Section .rdata md5: 795971f2e36a35051ab03b90dd87bb97 sha1: 97a98e3daa102799ec80b208ffc31ad0245e57f9 size: 40960
Section .data  md5: 8e30585f5d2118cd7b7c696846a67325 sha1: a377e2a1a7e657bbfd0c4d48d94813361f8356fc size: 6656
Section .reloc md5: dbe597a76327edf06e6e90ec77da2d97 sha1: 9755911aa01a0b91421c2c8302f93c985374c511 size: 17408
Timestamp: 2015-05-21 03:59:36
Packer: Microsoft Visual C++ ?.?
PEhash: 066aa41e9b1896ea7d95923c41779a4898cd414a
IMPhash: 8b8ed5d9e17ee7ddad95ddb9e1e5d657
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Emsisoft: Gen:Variant.Diley.1
AV Dr. Web: Trojan.DownLoader13.28057
AV MalwareBytes: Trojan.Agent.KVTGen
AV Rising: 0x58f8a690
AV Zillya!: no_virus
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV CA (E-Trust Ino): no_virus
AV BitDefender: Gen:Variant.Diley.1
AV Grisoft (avg): Win32/Cryptor
AV Mcafee: Trojan-FGIJ!09F5CD66DB60
AV BullGuard: Gen:Variant.Diley.1
AV Ikarus: Trojan.Win32.Bayrob
AV Kaspersky: Trojan.Win32.Scar.jvuu
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV F-Secure: Gen:Variant.Diley.1
AV Avira (antivir): TR/Crypt.ZPACK.175956
AV Eset (nod32): Win32/Bayrob.Y
AV Fortinet: W32/Babrob.Y!tr
AV Authentium: W32/Scar.V.gen!Eldorado
AV Symantec: Downloader.Upatre!g15
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Diley.1
AV K7: Trojan ( 004c77f41 )
AV Twister: W32.Bayrob.Y.soox
AV Padvish: no_virus
AV CAT (quickheal): Trojan.Scar.r4
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV Frisk (f-prot): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\kokdlsnyoc\ym4d2zfkb
Creates File: C:\kokdlsnyoc\hhlyy1m1ebzxsbfypmw.exe
Creates File: C:\kokdlsnyoc\ym4d2zfkb
Deletes File: C:\WINDOWS\kokdlsnyoc\ym4d2zfkb
Creates Process: C:\kokdlsnyoc\hhlyy1m1ebzxsbfypmw.exe

Process
↳ C:\kokdlsnyoc\hhlyy1m1ebzxsbfypmw.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Bluetooth Awareness Fax Ordering ➝ C:\kokdlsnyoc\hjnwpqragftn.exe
Creates File: C:\kokdlsnyoc\hjnwpqragftn.exe
Creates File: C:\kokdlsnyoc\fmevfawj
Creates File: C:\WINDOWS\kokdlsnyoc\ym4d2zfkb
Creates File: C:\kokdlsnyoc\ym4d2zfkb
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\kokdlsnyoc\ym4d2zfkb
Creates Process: C:\kokdlsnyoc\hjnwpqragftn.exe
Creates Service: Installer Location Procedure Themes - C:\kokdlsnyoc\hjnwpqragftn.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1844

Process
↳ Pid 1108

Process
↳ C:\kokdlsnyoc\hjnwpqragftn.exe

Creates File: C:\kokdlsnyoc\fmevfawj
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\kokdlsnyoc\ym4d2zfkb
Creates File: C:\kokdlsnyoc\ym4d2zfkb
Creates File: C:\kokdlsnyoc\fhqmfsykrapi.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\kokdlsnyoc\egay0gq
Deletes File: C:\WINDOWS\kokdlsnyoc\ym4d2zfkb
Creates Process: jzcnpbmikzth "c:\kokdlsnyoc\hjnwpqragftn.exe"

Process
↳ C:\kokdlsnyoc\hjnwpqragftn.exe

Creates File: C:\WINDOWS\kokdlsnyoc\ym4d2zfkb
Creates File: C:\kokdlsnyoc\ym4d2zfkb
Deletes File: C:\WINDOWS\kokdlsnyoc\ym4d2zfkb

Process
↳ jzcnpbmikzth "c:\kokdlsnyoc\hjnwpqragftn.exe"

Creates File: C:\WINDOWS\kokdlsnyoc\ym4d2zfkb
Creates File: C:\kokdlsnyoc\ym4d2zfkb
Deletes File: C:\WINDOWS\kokdlsnyoc\ym4d2zfkb

Network Details:

DNS: melbourneit.hotkeysparking.com Type: A ➝ 8.5.1.16
DNS: fellowunderstood.net Type: A ➝ 93.115.38.30
DNS: brokentwenty.net Type: A ➝ 95.211.230.75
DNS: eveningdelight.net Type: A ➝ 72.21.91.60
DNS: storeelectricity.net Type: A ➝ 75.126.76.132
DNS: buildingunderstood.net Type: A
DNS: eveningunderstood.net Type: A
DNS: storechance.net Type: A
DNS: mightchance.net Type: A
DNS: storemeeting.net Type: A
DNS: mightmeeting.net Type: A
DNS: storetwenty.net Type: A
DNS: mighttwenty.net Type: A
DNS: storeunderstood.net Type: A
DNS: mightunderstood.net Type: A
DNS: doctorchance.net Type: A
DNS: prettychance.net Type: A
DNS: doctormeeting.net Type: A
DNS: prettymeeting.net Type: A
DNS: doctortwenty.net Type: A
DNS: prettytwenty.net Type: A
DNS: doctorunderstood.net Type: A
DNS: prettyunderstood.net Type: A
DNS: fellowchance.net Type: A
DNS: doublechance.net Type: A
DNS: fellowmeeting.net Type: A
DNS: doublemeeting.net Type: A
DNS: fellowtwenty.net Type: A
DNS: doubletwenty.net Type: A
DNS: doubleunderstood.net Type: A
DNS: brokenchance.net Type: A
DNS: resultchance.net Type: A
DNS: brokenmeeting.net Type: A
DNS: resultmeeting.net Type: A
DNS: resulttwenty.net Type: A
DNS: brokenunderstood.net Type: A
DNS: resultunderstood.net Type: A
DNS: preparechance.net Type: A
DNS: desirechance.net Type: A
DNS: preparemeeting.net Type: A
DNS: desiremeeting.net Type: A
DNS: preparetwenty.net Type: A
DNS: desiretwenty.net Type: A
DNS: prepareunderstood.net Type: A
DNS: desireunderstood.net Type: A
DNS: strengthchance.net Type: A
DNS: stillchance.net Type: A
DNS: strengthmeeting.net Type: A
DNS: stillmeeting.net Type: A
DNS: strengthtwenty.net Type: A
DNS: stilltwenty.net Type: A
DNS: strengthunderstood.net Type: A
DNS: stillunderstood.net Type: A
DNS: movementborrow.net Type: A
DNS: outsideborrow.net Type: A
DNS: movementtrain.net Type: A
DNS: outsidetrain.net Type: A
DNS: movementelectricity.net Type: A
DNS: outsideelectricity.net Type: A
DNS: movementdelight.net Type: A
DNS: outsidedelight.net Type: A
DNS: buildingborrow.net Type: A
DNS: eveningborrow.net Type: A
DNS: buildingtrain.net Type: A
DNS: eveningtrain.net Type: A
DNS: buildingelectricity.net Type: A
DNS: eveningelectricity.net Type: A
DNS: buildingdelight.net Type: A
DNS: storeborrow.net Type: A
DNS: mightborrow.net Type: A
DNS: storetrain.net Type: A
DNS: mighttrain.net Type: A
DNS: mightelectricity.net Type: A
DNS: storedelight.net Type: A
DNS: mightdelight.net Type: A
DNS: doctorborrow.net Type: A
DNS: prettyborrow.net Type: A
DNS: doctortrain.net Type: A
DNS: prettytrain.net Type: A
DNS: doctorelectricity.net Type: A
DNS: prettyelectricity.net Type: A
DNS: doctordelight.net Type: A
DNS: prettydelight.net Type: A
DNS: fellowborrow.net Type: A
DNS: doubleborrow.net Type: A
DNS: fellowtrain.net Type: A
HTTP GET: http://mightmeeting.net/index.php  User-Agent:
HTTP GET: http://fellowunderstood.net/index.php  User-Agent:
HTTP GET: http://brokentwenty.net/index.php  User-Agent:
HTTP GET: http://eveningdelight.net/index.php  User-Agent:
HTTP GET: http://storeelectricity.net/index.php  User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1032 ➝ 93.115.38.30:80
Flows TCP: 192.168.1.1:1033 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1034 ➝ 72.21.91.60:80
Flows TCP: 192.168.1.1:1035 ➝ 75.126.76.132:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   69676874 6d656574 696e672e 6e65740d   ightmeeting.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   656c6c6f 77756e64 65727374 6f6f642e   ellowunderstood.
0x00000050 (00080)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   726f6b65 6e747765 6e74792e 6e65740d   rokentwenty.net.
0x00000050 (00080)   0a0d0a0d 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   76656e69 6e676465 6c696768 742e6e65   veningdelight.ne
0x00000050 (00080)   740d0a0d 0a0d0a                       t......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   746f7265 656c6563 74726963 6974792e   toreelectricity.
0x00000050 (00080)   6e65740d 0a0d0a                       net....


Strings