Analysis | #totalhash

Analysis Date	2016-02-09 20:47:45
MD5	71cd319607981f2d15278e48c3647e73
SHA1	a21efc7f98573c08a4e85eb924689b23942ce7b9

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: c8332580007695fbc623d20e7a1ecce8 sha1: 3b23ebeac2b87ef4ec3043e03880ad24c2544dec size: 185344
Section	.rdata md5: 739c1200587a95c41f92cbd0027909b3 sha1: b3974d53020f365388731a92da854e30f87ba7c2 size: 2560
Section	.data md5: 68162f574ed6e02b78335209d2269b8f sha1: 857f734aaafdfebddbe5a0a1f188ca5aea3da7aa size: 15872
Section	.reloc md5: 5c1bc8ba05afb203965945e80aef56b5 sha1: 5339e8939b0cf013cf3e1b24b53cbb709a6e3d26 size: 31232
Timestamp	2014-03-19 12:30:41
PEhash	86793a46e01399ba43e1024578f5c96af0542346
IMPhash	3af6b6233666e649077788ca13f513ca
AV	CA (E-Trust Ino)	No Virus
AV	Rising	No Virus
AV	Mcafee	Trojan-FHQT!71CD31960798
AV	Avira (antivir)	No Virus
AV	Twister	No Virus
AV	Ad-Aware	Gen:Variant.Kazy.790778
AV	Alwil (avast)	Vupa [Cryp]
AV	Eset (nod32)	Win32/Bayrob.BA
AV	Grisoft (avg)	No Virus
AV	Symantec	Trojan.Bayrob!gen6
AV	Fortinet	W32/Bayrob.AQ!tr
AV	BitDefender	Gen:Variant.Kazy.790778
AV	K7	Trojan ( 004dc2a31 )
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.DE
AV	MicroWorld (escan)	Gen:Variant.Kazy.790778
AV	MalwareBytes	No Virus
AV	Authentium	W32/Nivdort.G.gen!Eldorado
AV	Emsisoft	Gen:Variant.Kazy.790778
AV	Frisk (f-prot)	W32/Nivdort.G.gen!Eldorado
AV	Ikarus	Trojan.Win32.Bayrob
AV	Zillya!	No Virus
AV	Kaspersky	Trojan.Win32.Generic
AV	Trend Micro	No Virus
AV	VirusBlokAda (vba32)	No Virus
AV	CAT (quickheal)	No Virus
AV	BullGuard	Gen:Variant.Kazy.790778
AV	Arcabit (arcavir)	Gen:Variant.Kazy.790778
AV	ClamAV	No Virus
AV	Dr. Web	No Virus
AV	F-Secure	Gen:Variant.Kazy.790778

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\sjiidsnc\tgqi1luwxotjswiuz.exe
Creates File	C:\WINDOWS\sjiidsnc\n9zqb2o36f
Creates File	C:\sjiidsnc\n9zqb2o36f
Deletes File	C:\WINDOWS\sjiidsnc\n9zqb2o36f
Creates Process	C:\sjiidsnc\tgqi1luwxotjswiuz.exe

Process
↳ C:\sjiidsnc\tgqi1luwxotjswiuz.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CNG Link-Layer Trap Group Reports DNS ActiveX ➝ C:\sjiidsnc\tjtmmaobxt.exe
Creates File	C:\sjiidsnc\kdoealjghib
Creates File	C:\sjiidsnc\tjtmmaobxt.exe
Creates File	PIPE\lsarpc
Creates File	C:\WINDOWS\sjiidsnc\n9zqb2o36f
Creates File	C:\sjiidsnc\n9zqb2o36f
Deletes File	C:\WINDOWS\sjiidsnc\n9zqb2o36f
Creates Process	C:\sjiidsnc\tjtmmaobxt.exe
Creates Service	Upgrade Security Solutions Class iSCSI SNMP - C:\sjiidsnc\tjtmmaobxt.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1864

Process
↳ Pid 1168

Process
↳ C:\sjiidsnc\tjtmmaobxt.exe

Creates File	C:\sjiidsnc\kdoealjghib
Creates File	pipe\net\NtControlPipe10
Creates File	C:\sjiidsnc\gmhrjhhc
Creates File	C:\WINDOWS\sjiidsnc\n9zqb2o36f
Creates File	\Device\Afd\Endpoint
Creates File	C:\sjiidsnc\yzaykuojgo.exe
Creates File	C:\sjiidsnc\n9zqb2o36f
Deletes File	C:\WINDOWS\sjiidsnc\n9zqb2o36f
Creates Process	ui5lhtjad1v7 "c:\sjiidsnc\tjtmmaobxt.exe"

Process
↳ C:\sjiidsnc\tjtmmaobxt.exe

Creates File	C:\WINDOWS\sjiidsnc\n9zqb2o36f
Creates File	C:\sjiidsnc\n9zqb2o36f
Deletes File	C:\WINDOWS\sjiidsnc\n9zqb2o36f

Process
↳ ui5lhtjad1v7 "c:\sjiidsnc\tjtmmaobxt.exe"

Creates File	C:\WINDOWS\sjiidsnc\n9zqb2o36f
Creates File	C:\sjiidsnc\n9zqb2o36f
Deletes File	C:\WINDOWS\sjiidsnc\n9zqb2o36f

Network Details:

DNS	crowdnation.net Type: A 107.161.23.204
DNS	crowdnation.net Type: A 107.191.99.114
DNS	crowdnation.net Type: A 167.114.213.199
DNS	crowdcondition.net Type: A 195.22.28.197
DNS	crowdcondition.net Type: A 195.22.28.198
DNS	crowdcondition.net Type: A 195.22.28.199
DNS	crowdcondition.net Type: A 195.22.28.196
DNS	smokenation.net Type: A 195.22.28.196
DNS	smokenation.net Type: A 195.22.28.197
DNS	smokenation.net Type: A 195.22.28.198
DNS	smokenation.net Type: A 195.22.28.199
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	partynation.net Type: A 72.52.4.91
DNS	freshpower.net Type: A 195.149.84.100
DNS	freshpower.net Type: A 195.149.84.101
DNS	memberfamous.net Type: A 208.100.26.234
DNS	alreadysoldier.net Type: A
DNS	gentlemanplease.net Type: A
DNS	alreadyplease.net Type: A
DNS	gentlemancondition.net Type: A
DNS	alreadycondition.net Type: A
DNS	follownation.net Type: A
DNS	membernation.net Type: A
DNS	followsoldier.net Type: A
DNS	membersoldier.net Type: A
DNS	followplease.net Type: A
DNS	memberplease.net Type: A
DNS	followcondition.net Type: A
DNS	membercondition.net Type: A
DNS	beginnation.net Type: A
DNS	knownnation.net Type: A
DNS	beginsoldier.net Type: A
DNS	knownsoldier.net Type: A
DNS	beginplease.net Type: A
DNS	knownplease.net Type: A
DNS	begincondition.net Type: A
DNS	knowncondition.net Type: A
DNS	summernation.net Type: A
DNS	summersoldier.net Type: A
DNS	crowdsoldier.net Type: A
DNS	summerplease.net Type: A
DNS	crowdplease.net Type: A
DNS	summercondition.net Type: A
DNS	thoughtnation.net Type: A
DNS	waternation.net Type: A
DNS	thoughtsoldier.net Type: A
DNS	watersoldier.net Type: A
DNS	thoughtplease.net Type: A
DNS	waterplease.net Type: A
DNS	thoughtcondition.net Type: A
DNS	watercondition.net Type: A
DNS	womannation.net Type: A
DNS	womansoldier.net Type: A
DNS	smokesoldier.net Type: A
DNS	womanplease.net Type: A
DNS	smokeplease.net Type: A
DNS	womancondition.net Type: A
DNS	smokecondition.net Type: A
DNS	fightnation.net Type: A
DNS	partysoldier.net Type: A
DNS	fightsoldier.net Type: A
DNS	partyplease.net Type: A
DNS	fightplease.net Type: A
DNS	partycondition.net Type: A
DNS	fightcondition.net Type: A
DNS	freshcentury.net Type: A
DNS	experiencecentury.net Type: A
DNS	freshfamous.net Type: A
DNS	experiencefamous.net Type: A
DNS	experiencepower.net Type: A
DNS	freshcountry.net Type: A
DNS	experiencecountry.net Type: A
DNS	gentlemancentury.net Type: A
DNS	alreadycentury.net Type: A
DNS	gentlemanfamous.net Type: A
DNS	alreadyfamous.net Type: A
DNS	gentlemanpower.net Type: A
DNS	alreadypower.net Type: A
DNS	gentlemancountry.net Type: A
DNS	alreadycountry.net Type: A
DNS	followcentury.net Type: A
DNS	membercentury.net Type: A
DNS	followfamous.net Type: A
DNS	followpower.net Type: A
DNS	memberpower.net Type: A
DNS	followcountry.net Type: A
DNS	membercountry.net Type: A
DNS	begincentury.net Type: A
DNS	knowncentury.net Type: A
DNS	beginfamous.net Type: A
DNS	knownfamous.net Type: A
DNS	beginpower.net Type: A
DNS	knownpower.net Type: A
DNS	begincountry.net Type: A
DNS	knowncountry.net Type: A
DNS	summercentury.net Type: A
DNS	crowdcentury.net Type: A
DNS	summerfamous.net Type: A
DNS	crowdfamous.net Type: A
HTTP GET	http://crowdnation.net/index.php User-Agent:
HTTP GET	http://crowdcondition.net/index.php User-Agent:
HTTP GET	http://smokenation.net/index.php User-Agent:
HTTP GET	http://smokecondition.net/index.php User-Agent:
HTTP GET	http://partynation.net/index.php User-Agent:
HTTP GET	http://freshpower.net/index.php User-Agent:
HTTP GET	http://memberfamous.net/index.php User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 107.161.23.204:80
Flows TCP	192.168.1.1:1032 ➝ 195.22.28.197:80
Flows TCP	192.168.1.1:1033 ➝ 195.22.28.196:80
Flows TCP	192.168.1.1:1034 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1035 ➝ 72.52.4.91:80
Flows TCP	192.168.1.1:1036 ➝ 195.149.84.100:80
Flows TCP	192.168.1.1:1037 ➝ 208.100.26.234:80

Raw Pcap

Strings