Analysis Date: 2015-08-14 20:19:01
MD5: 20c4ca67b238baa43ab595a9746947b3
SHA1: a7d198205aae69c4be298ebf39c42bb0c92c59ff

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text (md5: 998222183bbf0d2803e058ab1092513c, sha1: e0659527f351f047bba503af6c60ee0bc738c37a, size: 274944)
Section .rdata (md5: 45d5efe89596de991a0b2042aff0429f, sha1: e9a2aea2e2f80966d7e4d1dce71abd4723e60eab, size: 44032)
Section .data (md5: 69848f0a7ea8d0475509b75744695793, sha1: cf570ea0b3df1e5f9e64a5ac05fd2cd08a184d77, size: 7168)
Section .reloc (md5: 3ff23c13a59d8ebe6f74c8de0a7f23c1, sha1: 9de4e6bfca88f0661ecbfe9876cd36bd9b54e185, size: 20992)
Timestamp: 2015-05-21 04:46:13
Packer: Microsoft Visual C++ ?.?
PEhash: bbef5878ee3588a2a6818c99c20c74b472ea81d0
IMPhash: 314662b3b4ca4355314cf270f222c9eb
AV VirusBlokAda (vba32): no_virus
AV MalwareBytes: no_virus
AV Eset (nod32): Win32/Bayrob.Y
AV Emsisoft: Gen:Variant.Diley.1
AV Ad-Aware: Gen:Variant.Diley.1
AV MicroWorld (escan): Gen:Variant.Diley.1
AV K7: Trojan ( 004c77f41 )
AV Grisoft (avg): Win32/Cryptor
AV Avira (antivir): TR/Crypt.ZPACK.135307
AV Ikarus: Trojan.Win32.Bayrob
AV CAT (quickheal): TrojanSpy.Nivdort.J4
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV CA (E-Trust Ino): no_virus
AV Dr. Web: Trojan.DownLoader15.36971
AV Authentium: W32/Scar.V.gen!Eldorado
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV Fortinet: W32/Scar.A!tr
AV Symantec: Downloader.Upatre!g15
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Twister: no_virus
AV Mcafee: Trojan-FGIJ!20C4CA67B238
AV Rising: no_virus
AV Frisk (f-prot): no_virus
AV Zillya!: no_virus
AV Padvish: no_virus
AV Trend Micro: TROJ_BAYROB.SM0
AV BullGuard: Gen:Variant.Diley.1
AV F-Secure: Gen:Variant.Diley.1
AV BitDefender: Gen:Variant.Diley.1
AV ClamAV: no_virus
AV Kaspersky: Trojan.Win32.Scar.jwpt

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\vnwclypnojhjpb\nymrdinj
Creates File: C:\vnwclypnojhjpb\ycs1ityhererleyhge.exe
Creates File: C:\WINDOWS\vnwclypnojhjpb\nymrdinj
Deletes File: C:\WINDOWS\vnwclypnojhjpb\nymrdinj
Creates Process: C:\vnwclypnojhjpb\ycs1ityhererleyhge.exe

Process
↳ C:\vnwclypnojhjpb\ycs1ityhererleyhge.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Intelligent Distributed Adapter Engine KtmRm ➝ C:\vnwclypnojhjpb\cnbqttuftril.exe
Creates File: C:\vnwclypnojhjpb\nymrdinj
Creates File: C:\vnwclypnojhjpb\cnbqttuftril.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\vnwclypnojhjpb\nymrdinj
Creates File: C:\vnwclypnojhjpb\meda3zd57j
Deletes File: C:\WINDOWS\vnwclypnojhjpb\nymrdinj
Creates Process: C:\vnwclypnojhjpb\cnbqttuftril.exe
Creates Service: Log Policy Protected Connectivity Removal - C:\vnwclypnojhjpb\cnbqttuftril.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1856

Process
↳ Pid 1056

Process
↳ C:\vnwclypnojhjpb\cnbqttuftril.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\vnwclypnojhjpb\zeogrl4nmo
Creates File: C:\vnwclypnojhjpb\nymrdinj
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\vnwclypnojhjpb\nymrdinj
Creates File: C:\vnwclypnojhjpb\meda3zd57j
Creates File: C:\vnwclypnojhjpb\tldmkezhssqb.exe
Deletes File: C:\WINDOWS\vnwclypnojhjpb\nymrdinj
Creates Process: hhvolveuoxxj "c:\vnwclypnojhjpb\cnbqttuftril.exe"

Process
↳ C:\vnwclypnojhjpb\cnbqttuftril.exe

Creates File: C:\vnwclypnojhjpb\nymrdinj
Creates File: C:\WINDOWS\vnwclypnojhjpb\nymrdinj
Deletes File: C:\WINDOWS\vnwclypnojhjpb\nymrdinj

Process
↳ hhvolveuoxxj "c:\vnwclypnojhjpb\cnbqttuftril.exe"

Creates File: C:\vnwclypnojhjpb\nymrdinj
Creates File: C:\WINDOWS\vnwclypnojhjpb\nymrdinj
Deletes File: C:\WINDOWS\vnwclypnojhjpb\nymrdinj

Network Details:


Raw Pcap

Strings