Analysis Date: 2015-10-11 21:14:26
MD5: 998deec63cbe438006720ed0855eadec
SHA1: a2c5c5ae66f31259860501b83e8229ed53c00bb4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 63c08de6247398d685c0d9173fc09ad2 sha1: 38e5e0116bccc77508a4dc833d85a72b5299f5e7 size: 321024
Section .rdata: md5: 314f85ea20704fce950a92ffbc2f19c7 sha1: dddfa0703e043a9f78015ce14e1a0718a219315a size: 60928
Section .data: md5: 60aa3525a323803970029e68283f4c55 sha1: 738ca5e178f366cdf4164cf0d307b1a6c7bd6523 size: 7168
Section .reloc: md5: 2beb0a9a8d4a05ef923b5607d413023d sha1: 6117e3ad60ad1cb3133f5a3c2a985e42e6a0aaf2 size: 26624
Timestamp: 2015-05-11 07:10:03
Packer: Microsoft Visual C++ 8
PEhash: 735c42ca734756b45cfae94800735d1e06bebbc7
IMPhash: b65ad29fc7ef499309f3893d9b69a0ce
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.611009
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.611009
AV BullGuard: Gen:Variant.Kazy.611009
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.611009
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.611009
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AL
AV K7: Trojan ( 004c3a4d1 )
AV BitDefender: Gen:Variant.Kazy.611009
AV Fortinet: W32/Bayrob.T!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.W
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Kazy.611009
AV Twister: Trojan.Scar.jjls.vhhw
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV Mcafee: PWS-FCCE!998DEEC63CBE
AV Rising: Trojan.Win32.Bayrod.b

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\fcarkwctgzozr\ndjdywa
Creates File: C:\fcarkwctgzozr\td1maimdgtpjxmlf.exe
Creates File: C:\WINDOWS\fcarkwctgzozr\ndjdywa
Deletes File: C:\WINDOWS\fcarkwctgzozr\ndjdywa
Creates Process: C:\fcarkwctgzozr\td1maimdgtpjxmlf.exe

Process
↳ C:\fcarkwctgzozr\td1maimdgtpjxmlf.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Builder IKE SNMP Time IPsec Reports Networking ➝ C:\fcarkwctgzozr\srkppgnjcja.exe
Creates File: C:\fcarkwctgzozr\ndjdywa
Creates File: C:\fcarkwctgzozr\srkppgnjcja.exe
Creates File: C:\fcarkwctgzozr\u8ajrpccvt
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\fcarkwctgzozr\ndjdywa
Deletes File: C:\WINDOWS\fcarkwctgzozr\ndjdywa
Creates Process: C:\fcarkwctgzozr\srkppgnjcja.exe
Creates Service: Routing Reports Transfer DCOM AutoConnect - C:\fcarkwctgzozr\srkppgnjcja.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1860

Process
↳ Pid 1136

Process
↳ C:\fcarkwctgzozr\srkppgnjcja.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\fcarkwctgzozr\nlioegoyspmf
Creates File: C:\fcarkwctgzozr\ndjdywa
Creates File: C:\fcarkwctgzozr\bemobfa.exe
Creates File: C:\fcarkwctgzozr\u8ajrpccvt
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\fcarkwctgzozr\ndjdywa
Deletes File: C:\WINDOWS\fcarkwctgzozr\ndjdywa
Creates Process: by7hznhtovax "c:\fcarkwctgzozr\srkppgnjcja.exe"

Process
↳ C:\fcarkwctgzozr\srkppgnjcja.exe

Creates File: C:\fcarkwctgzozr\ndjdywa
Creates File: C:\WINDOWS\fcarkwctgzozr\ndjdywa
Deletes File: C:\WINDOWS\fcarkwctgzozr\ndjdywa

Process
↳ by7hznhtovax "c:\fcarkwctgzozr\srkppgnjcja.exe"

Creates File: C:\fcarkwctgzozr\ndjdywa
Creates File: C:\WINDOWS\fcarkwctgzozr\ndjdywa
Deletes File: C:\WINDOWS\fcarkwctgzozr\ndjdywa

Network Details:

HTTP GET: http://electricstation.net/index.php (User-Agent: empty)
HTTP GET: http://streetstation.net/index.php (User-Agent: empty)
HTTP GET: http://tradestation.net/index.php (User-Agent: empty)
HTTP GET: http://doubttravel.net/index.php (User-Agent: empty)
HTTP GET: http://nightspace.net/index.php (User-Agent: empty)
HTTP GET: http://largespace.net/index.php (User-Agent: empty)
HTTP GET: http://captainspace.net/index.php (User-Agent: empty)
HTTP GET: http://captaintravel.net/index.php (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 50.63.202.37:80
Flows TCP: 192.168.1.1:1032 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1033 ➝ 65.211.211.21:80
Flows TCP: 192.168.1.1:1034 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1035 ➝ 91.250.101.43:80
Flows TCP: 192.168.1.1:1036 ➝ 62.22.102.59:80
Flows TCP: 192.168.1.1:1037 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1038 ➝ 184.168.221.96:80

Raw Pcap

Strings