Analysis Date: 2016-01-30 15:32:25
MD5: d0ec618a77730119594f564c065de12e
SHA1: a61861e8f2313687336cbac6bf8d1acb5c4c8545

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 68e91a31e203171e58142d9c9a128716 sha1: 34879686581041460960543cc5d0363bb8c93a66 size: 528896
Section .rdata md5: 293c9f719ccdf286825849fd134a28a8 sha1: 7280dfc6e0d723d2b930f80332459543641985de size: 26112
Section .data md5: e91685710b5fe2458823a2342378cca5 sha1: bdff65fe196bbd197d979fc7ee48f3d56c109e75 size: 19968
Section .reloc md5: 16902119c2fd0dc133932265f7e99968 sha1: 8c994e44edd43148d1c4269de0273d8b50f8df2d size: 39424
Timestamp: 2014-05-25 15:36:47
Packer: Microsoft Visual C++ 8
PEhash: b8329e61c9e85fdcf075c54543adc55067320f13
IMPhash: ca95e0efccfcbdbb4e412f9358797400
AV CA (E-Trust Ino): No Virus
AV F-Secure: Gen:Variant.Zusy.141475
AV Dr. Web: No Virus
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Zusy.141475
AV BullGuard: Gen:Variant.Zusy.141475
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: No Virus
AV Ikarus: No Virus
AV Frisk (f-prot): W32/Nivdort.E.gen!Eldorado
AV Emsisoft: Gen:Variant.Zusy.141475
AV Authentium: W32/Nivdort.E.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Zusy.141475
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV K7: Trojan ( 004dc2a31 )
AV BitDefender: Gen:Variant.Zusy.141475
AV Fortinet: W32/Bayrob.BM!tr
AV Symantec: No Virus
AV Grisoft (avg): Generic37.ADDD
AV Eset (nod32): Win32/Bayrob.BM
AV Alwil (avast): Win32:Malware-gen
AV Rising: No Virus
AV Ad-Aware: Gen:Variant.Zusy.141475
AV Twister: W32.Toolbar.CrossRider.AE.lfcr.mg
AV Avira (antivir): TR/Boryab.615424.20
AV Mcafee: Trojan-FHSQ!D0EC618A7773

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\axwojhaajtbsk\ynohftw
Creates File: C:\axwojhaajtbsk\ynohftw
Creates File: C:\axwojhaajtbsk\n0yfu1l0ybhyesirjn.exe
Deletes File: C:\WINDOWS\axwojhaajtbsk\ynohftw
Creates Process: C:\axwojhaajtbsk\n0yfu1l0ybhyesirjn.exe

Process
↳ C:\axwojhaajtbsk\n0yfu1l0ybhyesirjn.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Auto-Discovery Event Performance Input ➝ C:\axwojhaajtbsk\ifopmaz.exe
Creates File: C:\WINDOWS\axwojhaajtbsk\ynohftw
Creates File: C:\axwojhaajtbsk\vxfixr1mvgqa
Creates File: C:\axwojhaajtbsk\ifopmaz.exe
Creates File: C:\axwojhaajtbsk\ynohftw
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\axwojhaajtbsk\ynohftw
Creates Process: C:\axwojhaajtbsk\ifopmaz.exe
Creates Service: Problem Information Port Control - C:\axwojhaajtbsk\ifopmaz.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1852

Process
↳ Pid 1128

Process
↳ C:\axwojhaajtbsk\ifopmaz.exe

Creates File: C:\axwojhaajtbsk\ukfccv
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\axwojhaajtbsk\ynohftw
Creates File: C:\axwojhaajtbsk\vxfixr1mvgqa
Creates File: C:\axwojhaajtbsk\ynohftw
Creates File: \Device\Afd\Endpoint
Creates File: C:\axwojhaajtbsk\pisooqsl.exe
Deletes File: C:\WINDOWS\axwojhaajtbsk\ynohftw
Creates Process: piomkg8rny38 "c:\axwojhaajtbsk\ifopmaz.exe"

Process
↳ C:\axwojhaajtbsk\ifopmaz.exe

Creates File: C:\WINDOWS\axwojhaajtbsk\ynohftw
Creates File: C:\axwojhaajtbsk\ynohftw
Deletes File: C:\WINDOWS\axwojhaajtbsk\ynohftw

Process
↳ piomkg8rny38 "c:\axwojhaajtbsk\ifopmaz.exe"

Creates File: C:\WINDOWS\axwojhaajtbsk\ynohftw
Creates File: C:\axwojhaajtbsk\ynohftw
Deletes File: C:\WINDOWS\axwojhaajtbsk\ynohftw

Network Details:

DNS machinebusiness.net Type: A ➝ 69.73.160.55
DNS foreignanother.net Type: A ➝ 195.22.28.197
DNS foreignanother.net Type: A ➝ 195.22.28.196
DNS foreignanother.net Type: A ➝ 195.22.28.199
DNS foreignanother.net Type: A ➝ 195.22.28.198
DNS thoughanother.net Type: A ➝ 98.139.135.129
DNS thoughappear.net Type: A ➝ 208.100.26.234
DNS picturebusiness.net Type: A ➝ 76.8.58.103
DNS familybusiness.net Type: A ➝ 69.172.201.208
DNS englishmanner.net Type: A ➝ 202.143.64.131
DNS englishbusiness.net Type: A ➝ 184.168.221.71
DNS picturebright.net Type: A ➝ 72.52.4.90
DNS familybright.net Type: A ➝ 208.91.197.39
DNS eitherinstead.net Type: A ➝ 98.139.135.129
DNS englishexplain.net Type: A ➝ 208.100.26.234
DNS rightpeople.net Type: A ➝ 114.141.197.235
DNS picturepeople.net Type: A ➝ 207.148.248.143
DNS becausebusiness.net Type: A
DNS expectappear.net Type: A
DNS becauseappear.net Type: A
DNS personmanner.net Type: A
DNS machinemanner.net Type: A
DNS personanother.net Type: A
DNS machineanother.net Type: A
DNS personbusiness.net Type: A
DNS personappear.net Type: A
DNS machineappear.net Type: A
DNS suddenmanner.net Type: A
DNS foreignmanner.net Type: A
DNS suddenanother.net Type: A
DNS suddenbusiness.net Type: A
DNS foreignbusiness.net Type: A
DNS suddenappear.net Type: A
DNS foreignappear.net Type: A
DNS whethermanner.net Type: A
DNS rightmanner.net Type: A
DNS whetheranother.net Type: A
DNS rightanother.net Type: A
DNS whetherbusiness.net Type: A
DNS rightbusiness.net Type: A
DNS whetherappear.net Type: A
DNS rightappear.net Type: A
DNS figuremanner.net Type: A
DNS thoughmanner.net Type: A
DNS figureanother.net Type: A
DNS figurebusiness.net Type: A
DNS thoughbusiness.net Type: A
DNS figureappear.net Type: A
DNS picturemanner.net Type: A
DNS cigarettemanner.net Type: A
DNS pictureanother.net Type: A
DNS cigaretteanother.net Type: A
DNS cigarettebusiness.net Type: A
DNS pictureappear.net Type: A
DNS cigaretteappear.net Type: A
DNS childrenmanner.net Type: A
DNS familymanner.net Type: A
DNS childrenanother.net Type: A
DNS familyanother.net Type: A
DNS childrenbusiness.net Type: A
DNS childrenappear.net Type: A
DNS familyappear.net Type: A
DNS eithermanner.net Type: A
DNS eitheranother.net Type: A
DNS englishanother.net Type: A
DNS eitherbusiness.net Type: A
DNS eitherappear.net Type: A
DNS englishappear.net Type: A
DNS expectinstead.net Type: A
DNS becauseinstead.net Type: A
DNS expectexplain.net Type: A
DNS becauseexplain.net Type: A
DNS expectbright.net Type: A
DNS becausebright.net Type: A
DNS expectinside.net Type: A
DNS becauseinside.net Type: A
DNS personinstead.net Type: A
DNS machineinstead.net Type: A
DNS personexplain.net Type: A
DNS machineexplain.net Type: A
DNS personbright.net Type: A
DNS machinebright.net Type: A
DNS personinside.net Type: A
DNS machineinside.net Type: A
DNS suddeninstead.net Type: A
DNS foreigninstead.net Type: A
DNS suddenexplain.net Type: A
DNS foreignexplain.net Type: A
DNS suddenbright.net Type: A
DNS foreignbright.net Type: A
DNS suddeninside.net Type: A
DNS foreigninside.net Type: A
DNS whetherinstead.net Type: A
DNS rightinstead.net Type: A
DNS whetherexplain.net Type: A
DNS rightexplain.net Type: A
DNS whetherbright.net Type: A
DNS rightbright.net Type: A
DNS whetherinside.net Type: A
DNS rightinside.net Type: A
DNS figureinstead.net Type: A
DNS thoughinstead.net Type: A
DNS figureexplain.net Type: A
DNS thoughexplain.net Type: A
DNS figurebright.net Type: A
DNS thoughbright.net Type: A
DNS figureinside.net Type: A
DNS thoughinside.net Type: A
DNS pictureinstead.net Type: A
DNS cigaretteinstead.net Type: A
DNS pictureexplain.net Type: A
DNS cigaretteexplain.net Type: A
DNS cigarettebright.net Type: A
DNS pictureinside.net Type: A
DNS cigaretteinside.net Type: A
DNS childreninstead.net Type: A
DNS familyinstead.net Type: A
DNS childrenexplain.net Type: A
DNS familyexplain.net Type: A
DNS childrenbright.net Type: A
DNS childreninside.net Type: A
DNS familyinside.net Type: A
DNS englishinstead.net Type: A
DNS eitherexplain.net Type: A
DNS eitherbright.net Type: A
DNS englishbright.net Type: A
DNS eitherinside.net Type: A
DNS englishinside.net Type: A
DNS expectready.net Type: A
DNS becauseready.net Type: A
DNS expectbrown.net Type: A
DNS becausebrown.net Type: A
DNS expectpeople.net Type: A
DNS becausepeople.net Type: A
DNS expectdaughter.net Type: A
DNS becausedaughter.net Type: A
DNS personready.net Type: A
DNS machineready.net Type: A
DNS personbrown.net Type: A
DNS machinebrown.net Type: A
DNS personpeople.net Type: A
DNS machinepeople.net Type: A
DNS persondaughter.net Type: A
DNS machinedaughter.net Type: A
DNS suddenready.net Type: A
DNS foreignready.net Type: A
DNS suddenbrown.net Type: A
DNS foreignbrown.net Type: A
DNS suddenpeople.net Type: A
DNS foreignpeople.net Type: A
DNS suddendaughter.net Type: A
DNS foreigndaughter.net Type: A
DNS whetherready.net Type: A
DNS rightready.net Type: A
DNS whetherbrown.net Type: A
DNS rightbrown.net Type: A
DNS whetherpeople.net Type: A
DNS whetherdaughter.net Type: A
DNS rightdaughter.net Type: A
DNS figureready.net Type: A
DNS thoughready.net Type: A
DNS figurebrown.net Type: A
DNS thoughbrown.net Type: A
DNS figurepeople.net Type: A
DNS thoughpeople.net Type: A
DNS figuredaughter.net Type: A
DNS thoughdaughter.net Type: A
DNS pictureready.net Type: A
DNS cigaretteready.net Type: A
DNS picturebrown.net Type: A
DNS cigarettebrown.net Type: A
DNS cigarettepeople.net Type: A
DNS picturedaughter.net Type: A
HTTP GET http://machinebusiness.net/index.php
User-Agent:
HTTP GET http://foreignanother.net/index.php
User-Agent:
HTTP GET http://thoughanother.net/index.php
User-Agent:
HTTP GET http://thoughappear.net/index.php
User-Agent:
HTTP GET http://picturebusiness.net/index.php
User-Agent:
HTTP GET http://familybusiness.net/index.php
User-Agent:
HTTP GET http://englishmanner.net/index.php
User-Agent:
HTTP GET http://englishbusiness.net/index.php
User-Agent:
HTTP GET http://picturebright.net/index.php
User-Agent:
HTTP GET http://familybright.net/index.php
User-Agent:
HTTP GET http://eitherinstead.net/index.php
User-Agent:
HTTP GET http://englishexplain.net/index.php
User-Agent:
HTTP GET http://rightpeople.net/index.php
User-Agent:
HTTP GET http://picturepeople.net/index.php
User-Agent:
Flows TCP 192.168.1.1:1031 ➝ 69.73.160.55:80
Flows TCP 192.168.1.1:1032 ➝ 195.22.28.197:80
Flows TCP 192.168.1.1:1033 ➝ 98.139.135.129:80
Flows TCP 192.168.1.1:1034 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1035 ➝ 76.8.58.103:80
Flows TCP 192.168.1.1:1036 ➝ 69.172.201.208:80
Flows TCP 192.168.1.1:1037 ➝ 202.143.64.131:80
Flows TCP 192.168.1.1:1038 ➝ 184.168.221.71:80
Flows TCP 192.168.1.1:1039 ➝ 72.52.4.90:80
Flows TCP 192.168.1.1:1040 ➝ 208.91.197.39:80
Flows TCP 192.168.1.1:1041 ➝ 98.139.135.129:80
Flows TCP 192.168.1.1:1042 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1043 ➝ 114.141.197.235:80
Flows TCP 192.168.1.1:1044 ➝ 207.148.248.143:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   61636869 6e656275 73696e65 73732e6e   achinebusiness.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   6f726569 676e616e 6f746865 722e6e65   oreignanother.ne
0x00000050 (00080)   740d0a0d 0a0a                         t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2074   : close..Host: t
0x00000040 (00064)   686f7567 68616e6f 74686572 2e6e6574   houghanother.net
0x00000050 (00080)   0d0a0d0a 0a0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2074   : close..Host: t
0x00000040 (00064)   686f7567 68617070 6561722e 6e65740d   houghappear.net.
0x00000050 (00080)   0a0d0a0a 0a0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   69637475 72656275 73696e65 73732e6e   icturebusiness.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   616d696c 79627573 696e6573 732e6e65   amilybusiness.ne
0x00000050 (00080)   740d0a0d 0a0a                         t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   6e676c69 73686d61 6e6e6572 2e6e6574   nglishmanner.net
0x00000050 (00080)   0d0a0d0a 0a0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   6e676c69 73686275 73696e65 73732e6e   nglishbusiness.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   69637475 72656272 69676874 2e6e6574   icturebright.net
0x00000050 (00080)   0d0a0d0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   616d696c 79627269 6768742e 6e65740d   amilybright.net.
0x00000050 (00080)   0a0d0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   69746865 72696e73 74656164 2e6e6574   itherinstead.net
0x00000050 (00080)   0d0a0d0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   6e676c69 73686578 706c6169 6e2e6e65   nglishexplain.ne
0x00000050 (00080)   740d0a0d 0a0a                         t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69676874 70656f70 6c652e6e 65740d0a   ightpeople.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   69637475 72657065 6f706c65 2e6e6574   icturepeople.net
0x00000050 (00080)   0d0a0d0a                              ....

Strings