Analysis Date: 2016-01-28 10:32:41
MD5: ca60c919345f976cb02cf1f3d066fde2
SHA1: a7f8261aa1b2d8328476dc645de6d1ca51400760

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: e8d3259f71ba3aeef64aaf7f6ad430fd, sha1: 393268a83dca1cb38bcf567d8bebe13e08482544, size: 306688
Section .rdata: md5: a5d50c6416e4ed510c7dc3d95fcf9f30, sha1: 70d989d9647b5c937b33cf21998e202dec69b574, size: 26112
Section .data: md5: 0174f151ffaefc1e0b11ab81903f67ee, sha1: 4a33d232dad998a9f1af7785d96994dbae991813, size: 20480
Section .reloc: md5: aa4e415e1747772e8012f331ded4a1c2, sha1: 08a69f649ac644196fa79b0363f5a44fc5241bec, size: 33280
Timestamp: 2014-05-20 10:04:32
Packer: Microsoft Visual C++ 8
PEhash: e0f52a18a6529cb82d44fc471ceebf7e646752ba
IMPhash: edd42d102bace3662cc1939d96c0c13d
AV Rising: No Virus
AV Mcafee: Trojan-FHSQ!CA60C919345F
AV Avira (antivir): TR/Taranis.2094
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Zusy.141475
AV Alwil (avast): No Virus
AV Eset (nod32): Win32/Bayrob.BJ
AV Grisoft (avg): Generic37.AECA
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.BJ!tr
AV BitDefender: Gen:Variant.Zusy.141475
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV MicroWorld (escan): Gen:Variant.Zusy.141475
AV MalwareBytes: No Virus
AV Authentium: W32/Kazy.ES.gen!Eldorado
AV Frisk (f-prot): W32/Kazy.ES.gen!Eldorado
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Emsisoft: Gen:Variant.Zusy.141475
AV Zillya!: No Virus
AV Kaspersky: No Virus
AV Trend Micro: No Virus
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Gen:Variant.Zusy.141475
AV Arcabit (arcavir): Gen:Variant.Zusy.141475
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Zusy.141475
AV CA (E-Trust Ino): No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\gamnrduilc\el1kspqcelxahsymqj.exe
Creates File: C:\WINDOWS\gamnrduilc\ydiojmeiarc
Creates File: C:\gamnrduilc\ydiojmeiarc
Deletes File: C:\WINDOWS\gamnrduilc\ydiojmeiarc
Creates Process: C:\gamnrduilc\el1kspqcelxahsymqj.exe

Process
↳ C:\gamnrduilc\el1kspqcelxahsymqj.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Spooler Program Scheduler Source ➝ C:\gamnrduilc\osausncy.exe
Creates File: C:\WINDOWS\gamnrduilc\ydiojmeiarc
Creates File: C:\gamnrduilc\osausncy.exe
Creates File: C:\gamnrduilc\ydiojmeiarc
Creates File: PIPE\lsarpc
Creates File: C:\gamnrduilc\otlttg
Deletes File: C:\WINDOWS\gamnrduilc\ydiojmeiarc
Creates Process: C:\gamnrduilc\osausncy.exe
Creates Service: Location PC Event Server iSCSI - C:\gamnrduilc\osausncy.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1872

Process
↳ Pid 1160

Process
↳ C:\gamnrduilc\osausncy.exe

Creates File: C:\WINDOWS\gamnrduilc\ydiojmeiarc
Creates File: pipe\net\NtControlPipe10
Creates File: C:\gamnrduilc\vach0j
Creates File: C:\gamnrduilc\ydiojmeiarc
Creates File: C:\gamnrduilc\otlttg
Creates File: \Device\Afd\Endpoint
Creates File: C:\gamnrduilc\uqzknpzg.exe
Deletes File: C:\WINDOWS\gamnrduilc\ydiojmeiarc
Creates Process: eqnkqhllllpo "c:\gamnrduilc\osausncy.exe"

Process
↳ C:\gamnrduilc\osausncy.exe

Creates File: C:\WINDOWS\gamnrduilc\ydiojmeiarc
Creates File: C:\gamnrduilc\ydiojmeiarc
Deletes File: C:\WINDOWS\gamnrduilc\ydiojmeiarc

Process
↳ eqnkqhllllpo "c:\gamnrduilc\osausncy.exe"

Creates File: C:\WINDOWS\gamnrduilc\ydiojmeiarc
Creates File: C:\gamnrduilc\ydiojmeiarc
Deletes File: C:\WINDOWS\gamnrduilc\ydiojmeiarc

Network Details:

