Analysis Date: 2015-10-26 11:16:53
MD5: 9dc9c17a87d46424bf14b9093189827b
SHA1: 9eadd52f5f57c11cc54fdf58ba5a9e07df420ed7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 0c01b9dc048cb6930a10cf9e147a5327, sha1 b37d60dbfcb664ffc6d0d62823d1f0a04ebf55b7, size 300032
Section .rdata: md5 2934bdcc7c69b15d3f1f48e6c0ee7b21, sha1 bfed215abf008ce85893a59bc79e3103eeefd60e, size 59904
Section .data: md5 9761643ec0bacfafdf5bf0dd939259d1, sha1 452635a1394d1b44c924bc174894182a435c5fc7, size 7680
Section .reloc: md5 07b5ebdf94ea3e5ecd8ff335504f85bc, sha1 d629b79b10c3c02bd75c74609a439dd5257545e6, size 22528
Timestamp (PE header compile time; attacker-controllable, so a hint only): 2015-05-11 06:46:34
Packer: Microsoft Visual C++ 8 (a compiler signature rather than a packer; the standard .text/.rdata/.data/.reloc layout above is consistent with an unpacked MSVC build)
PEhash: 53c4b79b2125dff613170f8f1a2d095ab30cf622
IMPhash: 41c40d44b7cef01f002537816067a808
AV Rising: Trojan.Win32.Bayrod.b
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Diley.1
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: Win.Trojan.Agent-951483
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV BullGuard: Gen:Variant.Diley.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Diley.1
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!acf
AV K7: Trojan ( 004c3a4d1 )
AV BitDefender: Gen:Variant.Diley.1
AV Fortinet: W32/Bayrob.T!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.W
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Diley.1
AV Twister: no_virus
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV Mcafee: PWS-FCCE!9DC9C17A87D4

Summary: 24 of the 31 engines listed flag the file. The named detections cluster on the Bayrob/Nivdort family (Dr. Web, Ikarus, Eset, Fortinet, Authentium, Microsoft, CAT, Rising) and on the BitDefender-engine generic Gen:Variant.Diley.1; the remaining names (ZBot, Upatre, Cryptor) are generic or heuristic labels rather than family attributions.

Runtime Details:

Screenshot: (image not included in this extract)

Process
↳ C:\malware.exe

Creates File: C:\cczftnv\ytegmmx3gku
Creates File: C:\WINDOWS\cczftnv\ytegmmx3gku
Creates File: C:\cczftnv\ftvudt6rxdj2dgqmv.exe
Deletes File: C:\WINDOWS\cczftnv\ytegmmx3gku
Creates Process: C:\cczftnv\ftvudt6rxdj2dgqmv.exe

Process
↳ C:\cczftnv\ftvudt6rxdj2dgqmv.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Reports Machine Management Removal Software ➝ C:\cczftnv\pavsebczth.exe
Creates File: C:\cczftnv\ytegmmx3gku
Creates File: PIPE\lsarpc
Creates File: C:\cczftnv\wub6upyalvpt
Creates File: C:\cczftnv\pavsebczth.exe
Creates File: C:\WINDOWS\cczftnv\ytegmmx3gku
Deletes File: C:\WINDOWS\cczftnv\ytegmmx3gku
Creates Process: C:\cczftnv\pavsebczth.exe
Creates Service: Session Task Link-Layer Shell Location - C:\cczftnv\pavsebczth.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-1BC69D2D.pf
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\9EADD52F5F57C11CC54FDF58BA5A9-37EBDA90.pf
Creates File: C:\WINDOWS\Prefetch\PAVSEBCZTH.EXE-1C6889B4.pf
Creates File: C:\WINDOWS\Prefetch\QUAFBFENWJZW.EXE-0ACB6F1B.pf
Creates File: C:\WINDOWS\Prefetch\FTVUDT6RXDJ2DGQMV.EXE-284D3A56.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

The .pf files are written by the Windows prefetcher (here from within svchost.exe), not by the sample, but their names record which executables ran. Three belong to the dropper chain: 9EADD52F5F57C11CC54FDF58BA5A9 (the sample's own SHA1 used as a filename, truncated to the prefetch name length), FTVUDT6RXDJ2DGQMV.EXE and PAVSEBCZTH.EXE. QUAFBFENWJZW.EXE-0ACB6F1B.pf shows that quafbfenwjzw.exe was also executed, even though it appears below only as a file created by pavsebczth.exe; the process list is therefore incomplete and the prefetch names are the better inventory of what ran.

Process
↳ Pid 1112

Process
↳ Pid 1212

Process
↳ Pid 1320

Process
↳ Pid 1860

Process
↳ Pid 1440

Process
↳ C:\cczftnv\pavsebczth.exe

Creates File: pipe\net\NtControlPipe10 (the service control pipe, so this instance is the service started by the SCM)
Creates File: C:\cczftnv\ytegmmx3gku
Creates File: C:\cczftnv\eecxwu
Creates File: C:\cczftnv\quafbfenwjzw.exe
Creates File: C:\cczftnv\wub6upyalvpt
Creates File: \Device\Afd\Endpoint (a Winsock socket; the network activity below follows)
Creates File: C:\WINDOWS\cczftnv\ytegmmx3gku
Deletes File: C:\WINDOWS\cczftnv\ytegmmx3gku
Creates Process: hfhvfwhocqrr "c:\cczftnv\pavsebczth.exe" (relaunches the same binary with a random leading token on the command line)

Process
↳ C:\cczftnv\pavsebczth.exe

Creates File: C:\cczftnv\ytegmmx3gku
Creates File: C:\WINDOWS\cczftnv\ytegmmx3gku
Deletes File: C:\WINDOWS\cczftnv\ytegmmx3gku

Process
↳ hfhvfwhocqrr "c:\cczftnv\pavsebczth.exe"

Creates File: C:\cczftnv\ytegmmx3gku
Creates File: C:\WINDOWS\cczftnv\ytegmmx3gku
Deletes File: C:\WINDOWS\cczftnv\ytegmmx3gku

Every stage touches the same two paths, C:\cczftnv\ytegmmx3gku and C:\WINDOWS\cczftnv\ytegmmx3gku (created, then the copy under C:\WINDOWS deleted), which makes the random directory name cczftnv the one host artifact common to all processes.
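The runtime events above describe a three-stage chain: C:\malware.exe drops ftvudt6rxdj2dgqmv.exe into a randomly named directory, that stage installs pavsebczth.exe as both a Run key and a service, and the service binary relaunches itself with a random first token on its command line. The script below is an added example, not part of the sandbox report and not the malware's code: it parses event lines in the "Label: value" form used above into exactly that summary (dropped executables, autostart entries whose target lies outside the Windows and Program Files trees, the process chain, self-relaunches and the staging directory). The event lines are a subset copied from this report; the trusted-prefix list and the reading of a quoted *.exe as the process image are this example's assumptions.

```python
"""Added example: turn sandbox runtime events into a persistence / drop summary."""
import re

# Constructed input: event lines from this report, in "Label: value" form (subset).
SAMPLE_EVENTS = r"""
Process: C:\malware.exe
Creates File: C:\cczftnv\ytegmmx3gku
Creates File: C:\cczftnv\ftvudt6rxdj2dgqmv.exe
Creates Process: C:\cczftnv\ftvudt6rxdj2dgqmv.exe
Process: C:\cczftnv\ftvudt6rxdj2dgqmv.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Reports Machine Management Removal Software ➝ C:\cczftnv\pavsebczth.exe
Creates File: C:\cczftnv\pavsebczth.exe
Creates Process: C:\cczftnv\pavsebczth.exe
Creates Service: Session Task Link-Layer Shell Location - C:\cczftnv\pavsebczth.exe
Process: C:\cczftnv\pavsebczth.exe
Creates File: C:\cczftnv\quafbfenwjzw.exe
Creates Process: hfhvfwhocqrr "c:\cczftnv\pavsebczth.exe"
"""

# Assumption: autostart targets under these trees are ordinary; anything else is flagged.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def image_path(cmdline):
    """Executable named by a command line. Assumption: a quoted *.exe is the image even
    when another token precedes it (the sample's self-relaunch line has that shape)."""
    m = re.search(r'"([^"]+\.exe)"', cmdline, re.IGNORECASE)
    return m.group(1) if m else cmdline.split()[0]


def parse_events(text):
    """Group 'Label: value' lines under the most recent 'Process:' line, in order."""
    events, current = {}, None
    for line in text.splitlines():
        label, sep, value = line.partition(": ")
        if not sep:
            continue
        if label == "Process":
            current = value
            events.setdefault(current, [])
        elif current is not None:
            events[current].append((label, value))
    return events


def outside_trusted(path):
    return not path.lower().startswith(TRUSTED_PREFIXES)


def analyze(text):
    """Dropped executables, autostart entries, process chain, self-relaunches, staging dirs."""
    r = {"dropped_exes": [], "run_keys": [], "services": [], "chain": [], "self_relaunch": []}
    for proc, evs in parse_events(text).items():
        for label, value in evs:
            if label == "Creates File" and value.lower().endswith(".exe"):
                r["dropped_exes"].append((proc, value))
            elif label == "Registry" and RUN_KEY_RE.search(value):
                key, _, target = value.partition(" ➝ ")
                r["run_keys"].append((key.rsplit("\\", 1)[-1], target, outside_trusted(target)))
            elif label == "Creates Service":
                name, _, target = value.rpartition(" - ")
                r["services"].append((name, target, outside_trusted(target)))
            elif label == "Creates Process":
                child = image_path(value)
                r["chain"].append((proc, child))
                # Same image as the parent but a command line that does not start with its
                # own path: the service binary respawning itself under a random first token.
                if child.lower() == proc.lower() and not value.lower().startswith(proc.lower()):
                    r["self_relaunch"].append((proc, value))
    # Every dropped executable shares one directory: the sample's staging directory.
    r["staging_dirs"] = sorted({p.rsplit("\\", 1)[0].lower() for _, p in r["dropped_exes"]})
    return r


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_EVENTS).items():
        print(key, val)
```

The flags in `run_keys` and `services` are what a hunting query would alert on: an autostart target in a directory directly under the drive root, referenced by both a Run value and a service, is unusual for legitimate software regardless of the random names involved.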

Network Details:

DNS pleasantpeople.net (A): 54.217.250.161, 54.246.118.197, 54.247.173.130, 176.34.103.58, 46.137.176.135, 54.75.238.30
DNS leaderready.net (A): 68.178.232.100
DNS variousdaughter.net (A): 98.139.135.129
DNS answernation.net (A): 8.5.1.36
DNS glassnation.net (A): 88.208.252.205
DNS answerplease.net (A): 195.22.26.252, 195.22.26.253, 195.22.26.254, 195.22.26.231
DNS necessarycondition.net (A): 208.100.26.234
DNS leadernation.net (A): 74.208.24.220
DNS queries (A) that returned no address, in query order:
pleasantready.net, necessaryready.net, pleasantbrown.net, necessarybrown.net, necessarypeople.net, pleasantdaughter.net, necessarydaughter.net,
orderready.net, requireready.net, orderbrown.net, requirebrown.net, orderpeople.net, requirepeople.net, orderdaughter.net, requiredaughter.net,
heavenready.net, leaderbrown.net, heavenbrown.net, leaderpeople.net, heavenpeople.net, leaderdaughter.net, heavendaughter.net,
heavyready.net, gentleready.net, heavybrown.net, gentlebrown.net, heavypeople.net, gentlepeople.net, heavydaughter.net, gentledaughter.net,
variousready.net, returnready.net, variousbrown.net, returnbrown.net, variouspeople.net, returnpeople.net, returndaughter.net,
degreenation.net, forwardnation.net, degreesoldier.net, forwardsoldier.net, degreeplease.net, forwardplease.net, degreecondition.net, forwardcondition.net,
answersoldier.net, glasssoldier.net, glassplease.net, answercondition.net, glasscondition.net,
difficultnation.net, heardnation.net, difficultsoldier.net, heardsoldier.net, difficultplease.net, heardplease.net, difficultcondition.net, heardcondition.net,
pleasantnation.net, necessarynation.net, pleasantsoldier.net, necessarysoldier.net, pleasantplease.net, necessaryplease.net, pleasantcondition.net,
ordernation.net, requirenation.net, ordersoldier.net, requiresoldier.net, orderplease.net, requireplease.net, ordercondition.net, requirecondition.net,
heavennation.net, leadersoldier.net, heavensoldier.net, leaderplease.net

In total 85 distinct names were queried, every one of them two English words concatenated under .net, and only 8 received an address. That query pattern, many dictionary-word names with a low resolution rate, is the network-side indicator here; the individual names are disposable.
HTTP GET: http://pleasantpeople.net/index.php (no User-Agent header)
HTTP GET: http://leaderready.net/index.php (no User-Agent header)
HTTP GET: http://variousdaughter.net/index.php (no User-Agent header)
HTTP GET: http://answernation.net/index.php (no User-Agent header)
HTTP GET: http://glassnation.net/index.php (no User-Agent header)
HTTP GET: http://answerplease.net/index.php (no User-Agent header)
HTTP GET: http://necessarycondition.net/index.php (no User-Agent header)
HTTP GET: http://leadernation.net/index.php (no User-Agent header)
Flows TCP: 192.168.1.1:1031 ➝ 54.217.250.161:80
Flows TCP: 192.168.1.1:1032 ➝ 68.178.232.100:80
Flows TCP: 192.168.1.1:1033 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1034 ➝ 8.5.1.36:80
Flows TCP: 192.168.1.1:1035 ➝ 88.208.252.205:80
Flows TCP: 192.168.1.1:1036 ➝ 195.22.26.252:80
Flows TCP: 192.168.1.1:1037 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1038 ➝ 74.208.24.220:80

Each of the eight names that resolved received exactly one GET for /index.php, from a fresh source port, to the first address the resolver returned; the requests themselves are shown byte for byte below.
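The names queried above are all two dictionary words followed by .net, the shape of a wordlist DGA: 85 names were asked for in one run and only 8 resolved. The script below is an added example, not part of the report or of the malware: it recovers the two word lists visible in this report (16 first-position words, 8 second-position words, assumed to be only a subset of the generator's real dictionary), splits a name into its two words, enumerates the 128 names those lists can produce as a candidate blocklist, and computes the resolved/unresolved counts a detection would key on. It goes slightly beyond the page in that it generates names the sample did not query; the 85 queried names are copied from this report and the two benign names at the end are constructed for contrast.

```python
"""Added example: recognise and enumerate the two-word .net names queried by the sample."""
import itertools

# Word lists recovered from this report's DNS section (first and second position).
# Assumption: a subset of the generator's dictionary, not the whole of it.
FIRST = ["pleasant", "necessary", "order", "require", "heaven", "leader", "heavy", "gentle",
         "various", "return", "degree", "forward", "answer", "glass", "difficult", "heard"]
SECOND = ["ready", "brown", "people", "daughter", "nation", "soldier", "please", "condition"]

# Constructed input: the 85 names queried in the report (the 8 that resolved first),
# plus two names that are not generator output, for contrast.
QUERIED = """
pleasantpeople.net leaderready.net variousdaughter.net answernation.net glassnation.net
answerplease.net necessarycondition.net leadernation.net
pleasantready.net necessaryready.net pleasantbrown.net necessarybrown.net necessarypeople.net
pleasantdaughter.net necessarydaughter.net orderready.net requireready.net orderbrown.net
requirebrown.net orderpeople.net requirepeople.net orderdaughter.net requiredaughter.net
heavenready.net leaderbrown.net heavenbrown.net leaderpeople.net heavenpeople.net
leaderdaughter.net heavendaughter.net heavyready.net gentleready.net heavybrown.net
gentlebrown.net heavypeople.net gentlepeople.net heavydaughter.net gentledaughter.net
variousready.net returnready.net variousbrown.net returnbrown.net variouspeople.net
returnpeople.net returndaughter.net degreenation.net forwardnation.net degreesoldier.net
forwardsoldier.net degreeplease.net forwardplease.net degreecondition.net forwardcondition.net
answersoldier.net glasssoldier.net glassplease.net answercondition.net glasscondition.net
difficultnation.net heardnation.net difficultsoldier.net heardsoldier.net difficultplease.net
heardplease.net difficultcondition.net heardcondition.net pleasantnation.net necessarynation.net
pleasantsoldier.net necessarysoldier.net pleasantplease.net necessaryplease.net
pleasantcondition.net ordernation.net requirenation.net ordersoldier.net requiresoldier.net
orderplease.net requireplease.net ordercondition.net requirecondition.net heavennation.net
leadersoldier.net heavensoldier.net leaderplease.net
www.example.com pleasantly.net
""".split()
RESOLVED = set(QUERIED[:8])


def split_domain(name):
    """(first, second) if name is <first><second>.net built from the two lists, else None."""
    label, dot, tld = name.lower().rpartition(".")
    if not dot or tld != "net":
        return None
    for w1 in FIRST:
        rest = label[len(w1):]
        if label.startswith(w1) and rest in SECOND:
            return (w1, rest)
    return None


def candidate_blocklist():
    """All names the two lists can produce: 16 x 8 = 128, sorted."""
    return sorted(w1 + w2 + ".net" for w1, w2 in itertools.product(FIRST, SECOND))


def classify(names):
    """Split a list of queried names into generator-shaped names and everything else."""
    dga, other = [], []
    for n in names:
        (dga if split_domain(n) else other).append(n)
    return dga, other


def summarize(names, resolved):
    """The counts a detection keys on: many generator-shaped names, few with an answer."""
    dga, _ = classify(names)
    hits = [n for n in dga if n in resolved]
    return {"candidates": len(dga), "resolved": len(hits), "unresolved": len(dga) - len(hits)}


if __name__ == "__main__":
    print(summarize(QUERIED, RESOLVED))
    print(len(candidate_blocklist()), "candidate names")
```

Treat the word lists, not the 128 names, as the durable indicator: a single run exposed only these words, and a wordlist generator can draw on words this report never shows, so a name-based blocklist from one sandbox run will lag the sample while a split-and-check rule over the words keeps matching.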

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   6c656173 616e7470 656f706c 652e6e65   leasantpeople.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   65616465 72726561 64792e6e 65740d0a   eaderready.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2076   : close..Host: v
0x00000040 (00064)   6172696f 75736461 75676874 65722e6e   ariousdaughter.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2061   : close..Host: a
0x00000040 (00064)   6e737765 726e6174 696f6e2e 6e65740d   nswernation.net.
0x00000050 (00080)   0a0d0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2067   : close..Host: g
0x00000040 (00064)   6c617373 6e617469 6f6e2e6e 65740d0a   lassnation.net..
0x00000050 (00080)   0d0a0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2061   : close..Host: a
0x00000040 (00064)   6e737765 72706c65 6173652e 6e65740d   nswerplease.net.
0x00000050 (00080)   0a0d0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206e   : close..Host: n
0x00000040 (00064)   65636573 73617279 636f6e64 6974696f   ecessaryconditio
0x00000050 (00080)   6e2e6e65 740d0a0d 0a                  n.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   65616465 726e6174 696f6e2e 6e65740d   eadernation.net.
0x00000050 (00080)   0a0d0a65 740d0a0d 0a                  ...et....
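Every request in the Raw Pcap section is a HTTP/1.0 GET for /index.php carrying exactly Accept: */*, Connection: close and Host, with no User-Agent; the second dump (leaderready.net) also has stray bytes after the header terminator. The script below is an added example, not part of the report: it decodes the hexdump layout used on this page back to bytes, checking the decimal offset column against the bytes decoded so far, parses the request, and tests it against that header profile. The two dumps are copied from this page; the profile rules in `matches_beacon_profile` are this example's own assumption about what distinguishes the beacon from browser traffic.

```python
"""Added example: decode the report's hexdumps to bytes and fingerprint the HTTP beacon."""
import re

# Constructed input: the first two requests from the Raw Pcap section, copied verbatim.
DUMP_PLEASANTPEOPLE = """
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   6c656173 616e7470 656f706c 652e6e65   leasantpeople.ne
0x00000050 (00080)   740d0a0d 0a                           t....
"""
DUMP_LEADERREADY = """
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   65616465 72726561 64792e6e 65740d0a   eaderready.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....
"""

LINE_RE = re.compile(r"^0x([0-9a-fA-F]+)\s+\((\d+)\)\s+(.*)$")
GROUP_RE = re.compile(r"(?:[0-9a-fA-F]{2}){1,4}")   # one hex column: 1 to 4 bytes


def hexdump_to_bytes(dump):
    """Rebuild the raw bytes from 'offset (decimal) hex-groups ascii' lines."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised hexdump line: {line!r}")
        # The decimal column is the offset of this line's first byte; a mismatch means a
        # line is missing or a previous line was decoded wrongly.
        if int(m.group(2)) != len(out):
            raise ValueError(f"line claims offset {m.group(2)} but {len(out)} bytes decoded")
        groups = []
        for tok in m.group(3).split():
            # At most four groups per line; the first token that is not pure hex begins the
            # ASCII column. An ASCII column that itself starts with a hex-looking word would
            # fool this, which the offset check catches on the following line.
            if len(groups) == 4 or not GROUP_RE.fullmatch(tok):
                break
            groups.append(tok)
        out += bytes.fromhex("".join(groups))
    return bytes(out)


def parse_request(raw):
    """Request line, ordered (lower-cased) headers, and any bytes after the header terminator."""
    head, sep, trailing = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers terminator: truncated capture")
    lines = head.decode("ascii").split("\r\n")
    method, path, version = lines[0].split(" ")
    headers = []
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {"method": method, "path": path, "version": version,
            "headers": headers, "trailing": trailing}


def matches_beacon_profile(req):
    """Assumed profile of this sample's beacon: HTTP/1.0 GET /index.php with exactly
    Accept, Connection, Host in that order (hence no User-Agent) and these values."""
    names = [n for n, _ in req["headers"]]
    values = dict(req["headers"])
    return (req["method"] == "GET" and req["path"] == "/index.php"
            and req["version"] == "HTTP/1.0"
            and names == ["accept", "connection", "host"]
            and values["accept"] == "*/*" and values["connection"] == "close")


if __name__ == "__main__":
    for dump in (DUMP_PLEASANTPEOPLE, DUMP_LEADERREADY):
        req = parse_request(hexdump_to_bytes(dump))
        print(dict(req["headers"])["host"], matches_beacon_profile(req), req["trailing"])
```

The header order and the absence of User-Agent are the parts of the profile worth encoding in a network signature; the Host value changes with every generated name and the URI /index.php on its own is far too common to alert on.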


Strings