Analysis Date: 2015-10-13 07:39:02
MD5: 5814e82a1480c52d78a978e01fbc8d2b
SHA1: ab56f9b979ae86dbf8d3048eac170b1c3d856749

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 596e0b2fb63891c191ec695be70ae2b3 sha1: 16b5ac386cb6b97b26302fe4045fc702e765cc3e size: 652288
Section .rdata: md5: 5a9577f17428be428a3cfe7ba97541af sha1: 4d93f809c40604de04370e77f7fc507f66c8b4b7 size: 90624
Section .data: md5: b3e346d32b6bfe9231e10d73e6d16602 sha1: d232fb5a5a18fe9be22445abb2945ca00b1c85ca size: 6656
Section .reloc: md5: cc6a61318ff8d3bc05eeb0568cefb3aa sha1: 5552bbe1768c796538a9c1db9d6df78d6ee24a09 size: 68608
Timestamp: 2015-05-08 07:26:20
Packer: Microsoft Visual C++ 8
PEhash: ae8f96d21dbfdbed6ee5bf5ea0f7334916c092e9
IMPhash: 16faa0687bf7a2c5936314fafb758021
AV Fortinet: W32/Generic.AC.215362
AV Grisoft (avg): Win32/Cryptor
AV F-Secure: Gen:Variant.Diley.1
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Diley.1
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV K7: Trojan ( 004c17201 )
AV Frisk (f-prot): no_virus
AV BitDefender: Gen:Variant.Diley.1
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Authentium: W32/Scar.R.gen!Eldorado
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Diley.1
AV Ad-Aware: Gen:Variant.Diley.1
AV Avira (antivir): TR/Kryptik.qgmpd
AV CA (E-Trust Ino): no_virus
AV VirusBlokAda (vba32): no_virus
AV Mcafee: Trojan-FGIJ!5814E82A1480
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV Twister: no_virus
AV MalwareBytes: Trojan.Agent.KVTGen
AV Eset (nod32): Win32/Bayrob.T
AV Zillya!: Trojan.Scar.Win32.91346
AV Symantec: Downloader.Upatre!g15
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV Rising: Trojan.Win32.Bayrod.a

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\dfmtdvcplfjnpf\kyxlx0q8fb
Creates File: C:\dfmtdvcplfjnpf\kyxlx0q8fb
Creates File: C:\dfmtdvcplfjnpf\lew1mqlu2hk5abphos.exe
Deletes File: C:\WINDOWS\dfmtdvcplfjnpf\kyxlx0q8fb
Creates Process: C:\dfmtdvcplfjnpf\lew1mqlu2hk5abphos.exe

Process
↳ C:\dfmtdvcplfjnpf\lew1mqlu2hk5abphos.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Publication Video Parental ➝ C:\dfmtdvcplfjnpf\jimpdubjwzlu.exe
Creates File: C:\dfmtdvcplfjnpf\jimpdubjwzlu.exe
Creates File: PIPE\lsarpc
Creates File: C:\dfmtdvcplfjnpf\l1hbld
Creates File: C:\WINDOWS\dfmtdvcplfjnpf\kyxlx0q8fb
Creates File: C:\dfmtdvcplfjnpf\kyxlx0q8fb
Deletes File: C:\WINDOWS\dfmtdvcplfjnpf\kyxlx0q8fb
Creates Process: C:\dfmtdvcplfjnpf\jimpdubjwzlu.exe
Creates Service: Virtual Interactive WLAN Device - C:\dfmtdvcplfjnpf\jimpdubjwzlu.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1856

Process
↳ Pid 1148

Process
↳ C:\dfmtdvcplfjnpf\jimpdubjwzlu.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\dfmtdvcplfjnpf\igccdqncfdze.exe
Creates File: C:\dfmtdvcplfjnpf\l1hbld
Creates File: C:\WINDOWS\dfmtdvcplfjnpf\kyxlx0q8fb
Creates File: \Device\Afd\Endpoint
Creates File: C:\dfmtdvcplfjnpf\yyingsfl
Creates File: C:\dfmtdvcplfjnpf\kyxlx0q8fb
Deletes File: C:\WINDOWS\dfmtdvcplfjnpf\kyxlx0q8fb
Creates Process: tzloonyfio50 "c:\dfmtdvcplfjnpf\jimpdubjwzlu.exe"

Process
↳ C:\dfmtdvcplfjnpf\jimpdubjwzlu.exe

Creates File: C:\WINDOWS\dfmtdvcplfjnpf\kyxlx0q8fb
Creates File: C:\dfmtdvcplfjnpf\kyxlx0q8fb
Deletes File: C:\WINDOWS\dfmtdvcplfjnpf\kyxlx0q8fb

Process
↳ tzloonyfio50 "c:\dfmtdvcplfjnpf\jimpdubjwzlu.exe"

Creates File: C:\WINDOWS\dfmtdvcplfjnpf\kyxlx0q8fb
Creates File: C:\dfmtdvcplfjnpf\kyxlx0q8fb
Deletes File: C:\WINDOWS\dfmtdvcplfjnpf\kyxlx0q8fb

Network Details:

DNS: weatherminute.net Type: A ➝ 72.52.4.90
DNS: classminute.net Type: A ➝ 208.100.26.234
DNS: thinkadvance.net Type: A ➝ 184.168.221.58
DNS: collegeadvance.net Type: A ➝ 97.74.42.79
DNS: historyadvance.net Type: A ➝ 195.22.26.252
DNS: historyadvance.net Type: A ➝ 195.22.26.253
DNS: historyadvance.net Type: A ➝ 195.22.26.254
DNS: historyadvance.net Type: A ➝ 195.22.26.231
DNS: strangestranger.net Type: A ➝ 98.139.135.129
DNS: ratherminute.net Type: A
DNS: morningminute.net Type: A
DNS: ratherspecial.net Type: A
DNS: morningspecial.net Type: A
DNS: rathercorner.net Type: A
DNS: morningcorner.net Type: A
DNS: strangeflower.net Type: A
DNS: historyflower.net Type: A
DNS: strangeminute.net Type: A
DNS: historyminute.net Type: A
DNS: strangespecial.net Type: A
DNS: historyspecial.net Type: A
DNS: strangecorner.net Type: A
DNS: historycorner.net Type: A
DNS: amountflower.net Type: A
DNS: weatherflower.net Type: A
DNS: amountminute.net Type: A
DNS: amountspecial.net Type: A
DNS: weatherspecial.net Type: A
DNS: amountcorner.net Type: A
DNS: weathercorner.net Type: A
DNS: thickflower.net Type: A
DNS: classflower.net Type: A
DNS: thickminute.net Type: A
DNS: thickspecial.net Type: A
DNS: classspecial.net Type: A
DNS: thickcorner.net Type: A
DNS: classcorner.net Type: A
DNS: presentadvance.net Type: A
DNS: thinkstranger.net Type: A
DNS: presentstranger.net Type: A
DNS: thinkgoodbye.net Type: A
DNS: presentgoodbye.net Type: A
DNS: thinkfortieth.net Type: A
DNS: presentfortieth.net Type: A
DNS: chiefadvance.net Type: A
DNS: chiefstranger.net Type: A
DNS: collegestranger.net Type: A
DNS: chiefgoodbye.net Type: A
DNS: collegegoodbye.net Type: A
DNS: chieffortieth.net Type: A
DNS: collegefortieth.net Type: A
DNS: oftenadvance.net Type: A
DNS: aloneadvance.net Type: A
DNS: oftenstranger.net Type: A
DNS: alonestranger.net Type: A
DNS: oftengoodbye.net Type: A
DNS: alonegoodbye.net Type: A
DNS: oftenfortieth.net Type: A
DNS: alonefortieth.net Type: A
DNS: middleadvance.net Type: A
DNS: twelveadvance.net Type: A
DNS: middlestranger.net Type: A
DNS: twelvestranger.net Type: A
DNS: middlegoodbye.net Type: A
DNS: twelvegoodbye.net Type: A
DNS: middlefortieth.net Type: A
DNS: twelvefortieth.net Type: A
DNS: ratheradvance.net Type: A
DNS: morningadvance.net Type: A
DNS: ratherstranger.net Type: A
DNS: morningstranger.net Type: A
DNS: rathergoodbye.net Type: A
DNS: morninggoodbye.net Type: A
DNS: ratherfortieth.net Type: A
DNS: morningfortieth.net Type: A
DNS: strangeadvance.net Type: A
DNS: historystranger.net Type: A
DNS: strangegoodbye.net Type: A
DNS: historygoodbye.net Type: A
DNS: strangefortieth.net Type: A
DNS: historyfortieth.net Type: A
DNS: amountadvance.net Type: A
DNS: weatheradvance.net Type: A
DNS: amountstranger.net Type: A
DNS: weatherstranger.net Type: A
DNS: amountgoodbye.net Type: A
DNS: weathergoodbye.net Type: A
DNS: amountfortieth.net Type: A
HTTP GET: http://weatherminute.net/index.php
User-Agent:
HTTP GET: http://classminute.net/index.php
User-Agent:
HTTP GET: http://thinkadvance.net/index.php
User-Agent:
HTTP GET: http://collegeadvance.net/index.php
User-Agent:
HTTP GET: http://historyadvance.net/index.php
User-Agent:
HTTP GET: http://strangestranger.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1032 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1033 ➝ 184.168.221.58:80
Flows TCP: 192.168.1.1:1034 ➝ 97.74.42.79:80
Flows TCP: 192.168.1.1:1035 ➝ 195.22.26.252:80
Flows TCP: 192.168.1.1:1036 ➝ 98.139.135.129:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   65617468 65726d69 6e757465 2e6e6574   eatherminute.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   6c617373 6d696e75 74652e6e 65740d0a   lassminute.net..
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2074   : close..Host: t
0x00000040 (00064)   68696e6b 61647661 6e63652e 6e65740d   hinkadvance.net.
0x00000050 (00080)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   6f6c6c65 67656164 76616e63 652e6e65   ollegeadvance.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2068   : close..Host: h
0x00000040 (00064)   6973746f 72796164 76616e63 652e6e65   istoryadvance.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   7472616e 67657374 72616e67 65722e6e   trangestranger.n
0x00000050 (00080)   65740d0a 0d0a                         et....


Strings