Analysis Date: 2015-08-30 04:54:40
MD5: 907ac88c7816173f67c276b94fe319a2
SHA1: a787daa011d3aa89764692a10b43858e416ef102

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: bd4f545af0601e813b8a13566a41971b sha1: 53c0cb29b872efc90fcbc8cec34af94185ca332e size: 267776
Section .rdata: md5: 33020426accbd73dbce32d10657ae635 sha1: 01aec260a0966df31d1c40fd0d0bb0ff2f38d520 size: 41984
Section .data: md5: d9910e8fce84de8b9c829255cab33a0a sha1: a77843f28cdce2c6b51ea1cd0dbcb9376712f960 size: 6656
Section .reloc: md5: 9289eeb590dc5f952479a64a5802501a sha1: f8000ad4f845bd5aafe621348716c9199d952603 size: 19456
Timestamp: 2015-05-21 04:47:58
Packer: Microsoft Visual C++ ?.?
PEhash: 6dd774779c0eb61ea9191955dedc664e5b51a68e
IMPhash: 44e075660b623e561792b6e69b9103a0
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Diley.1
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV BullGuard: Gen:Variant.Diley.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.r4
AV Trend Micro: no_virus
AV Kaspersky: no_virus
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Diley.1
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.V.gen!Eldorado
AV MalwareBytes: Trojan.Bayrob.KVTGen
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Diley.1
AV Fortinet: W32/Babrob.Y!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Y
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Diley.1
AV Rising: no_virus
AV Twister: Trojan.Generic.cwzu
AV Avira (antivir): TR/Spy.Agent.336896.5
AV Mcafee: Trojan-FGIJ!907AC88C7816

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\fybwbhjsrbtk\afkzfgeyop0
Creates File: C:\fybwbhjsrbtk\zrhzp1lvrwldnuxqwhx.exe
Creates File: C:\fybwbhjsrbtk\afkzfgeyop0
Deletes File: C:\WINDOWS\fybwbhjsrbtk\afkzfgeyop0
Creates Process: C:\fybwbhjsrbtk\zrhzp1lvrwldnuxqwhx.exe

Process
↳ C:\fybwbhjsrbtk\zrhzp1lvrwldnuxqwhx.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Tunneling Studio Protected Media ➝ C:\fybwbhjsrbtk\astjkdgnoly.exe
Creates File: C:\WINDOWS\fybwbhjsrbtk\afkzfgeyop0
Creates File: C:\fybwbhjsrbtk\psdeunbo
Creates File: PIPE\lsarpc
Creates File: C:\fybwbhjsrbtk\astjkdgnoly.exe
Creates File: C:\fybwbhjsrbtk\afkzfgeyop0
Deletes File: C:\WINDOWS\fybwbhjsrbtk\afkzfgeyop0
Creates Process: C:\fybwbhjsrbtk\astjkdgnoly.exe
Creates Service: List Gateway Support Debugger Font - C:\fybwbhjsrbtk\astjkdgnoly.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1844

Process
↳ Pid 1164

Process
↳ C:\fybwbhjsrbtk\astjkdgnoly.exe

Creates File: C:\fybwbhjsrbtk\thfneqij.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\fybwbhjsrbtk\saifjyrgfime
Creates File: C:\WINDOWS\fybwbhjsrbtk\afkzfgeyop0
Creates File: C:\fybwbhjsrbtk\psdeunbo
Creates File: \Device\Afd\Endpoint
Creates File: C:\fybwbhjsrbtk\afkzfgeyop0
Deletes File: C:\WINDOWS\fybwbhjsrbtk\afkzfgeyop0
Creates Process: owntilglbf0p "c:\fybwbhjsrbtk\astjkdgnoly.exe"

Process
↳ C:\fybwbhjsrbtk\astjkdgnoly.exe

Creates File: C:\WINDOWS\fybwbhjsrbtk\afkzfgeyop0
Creates File: C:\fybwbhjsrbtk\afkzfgeyop0
Deletes File: C:\WINDOWS\fybwbhjsrbtk\afkzfgeyop0

Process
↳ owntilglbf0p "c:\fybwbhjsrbtk\astjkdgnoly.exe"

Creates File: C:\WINDOWS\fybwbhjsrbtk\afkzfgeyop0
Creates File: C:\fybwbhjsrbtk\afkzfgeyop0
Deletes File: C:\WINDOWS\fybwbhjsrbtk\afkzfgeyop0

Network Details:

DNS: doctorwhite.net (Type: A) ➝ 157.112.152.45
DNS: melbourneit.hotkeysparking.com (Type: A) ➝ 8.5.1.16
DNS: doublepleasure.net (Type: A) ➝ 184.168.221.104
DNS: desirewhite.net (Type: A) ➝ 93.115.38.30
DNS: strengthwhite.net (Type: A) ➝ 95.211.230.75
DNS: stillwhite.net (Type: A) ➝ 112.125.17.103
HTTP GET: http://doctorwhite.net/index.php (User-Agent: none)
HTTP GET: http://doubletoward.net/index.php (User-Agent: none)
HTTP GET: http://doublepleasure.net/index.php (User-Agent: none)
HTTP GET: http://desirewhite.net/index.php (User-Agent: none)
HTTP GET: http://strengthwhite.net/index.php (User-Agent: none)
HTTP GET: http://stillwhite.net/index.php (User-Agent: none)
Flows TCP: 192.168.1.1:1031 ➝ 157.112.152.45:80
Flows TCP: 192.168.1.1:1032 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1033 ➝ 184.168.221.104:80
Flows TCP: 192.168.1.1:1034 ➝ 93.115.38.30:80
Flows TCP: 192.168.1.1:1035 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1036 ➝ 112.125.17.103:80

Raw Pcap

Strings