Analysis Date: 2016-02-13 08:41:25
MD5: 9207a315c2489ff5144c247e55ee4dda
SHA1: ae8e9b1437031fb561f5d36f67ebcb56b93bb762

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 975deafcc3576a868fbd5374ce7b0216 sha1: 241713a1455b7914cd6628a2b66690754ceba523 size: 188928
Section .rdata  md5: 06b4fed1c1227bd3bf6591e409fb1006 sha1: a81db5f04d58747a33b2d26c5b32c073c4748eee size: 18432
Section .data   md5: 07b5472d347d42780469fb2654b7fc54 sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d size: 512
Section .reloc  md5: 6eb435af93b5e75b119175c9c20eb32f sha1: cda0ca71bbbbb820f9d289c3a9eb199cba1184d0 size: 30208
Timestamp: 2016-01-06 16:00:35
PEhash: 9d3350d0feae93320217c059e19cae56eb0249af
IMPhash: 542af73b6a51466966d792f9db3f7372
AV CA (E-Trust Ino): Gen:Variant.Razy.12226
AV Rising: No Virus
AV Mcafee: Trojan-FHPX!9207A315C248
AV Avira (antivir): TR/Nivdort.A.29057
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.12226
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Grisoft (avg): Win32/Heur
AV Symantec: Trojan.Bayrob!gen6
AV Fortinet: W32/Bayrob.AQ!tr
AV BitDefender: Gen:Variant.Razy.12226
AV K7: Trojan ( 004db0c61 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DG
AV MicroWorld (escan): Gen:Variant.Razy.12226
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.G.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.12226
AV Frisk (f-prot): W32/Nivdort.G.gen!Eldorado
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.r4
AV BullGuard: Gen:Variant.Kazy.788903
AV Arcabit (arcavir): Gen:Variant.Razy.12226
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Razy.12226

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\dlcxywjjvlii\ympsd3jsciw
Creates File: C:\dlcxywjjvlii\mrbrp1kx1cdgbksgvodjx.exe
Creates File: C:\dlcxywjjvlii\ympsd3jsciw
Deletes File: C:\WINDOWS\dlcxywjjvlii\ympsd3jsciw
Creates Process: C:\dlcxywjjvlii\mrbrp1kx1cdgbksgvodjx.exe

Process
↳ C:\dlcxywjjvlii\mrbrp1kx1cdgbksgvodjx.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Protection Manager BitLocker Error ➝ C:\dlcxywjjvlii\fbdaheh.exe
Creates File: C:\WINDOWS\dlcxywjjvlii\ympsd3jsciw
Creates File: C:\dlcxywjjvlii\fbdaheh.exe
Creates File: PIPE\lsarpc
Creates File: C:\dlcxywjjvlii\fetgoijqj
Creates File: C:\dlcxywjjvlii\ympsd3jsciw
Deletes File: C:\WINDOWS\dlcxywjjvlii\ympsd3jsciw
Creates Process: C:\dlcxywjjvlii\fbdaheh.exe
Creates Service: Plug Smart Bluetooth VC Coordinator - C:\dlcxywjjvlii\fbdaheh.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1856

Process
↳ Pid 1140

Process
↳ C:\dlcxywjjvlii\fbdaheh.exe

Creates File: C:\dlcxywjjvlii\hgvogkytfb.exe
Creates File: C:\WINDOWS\dlcxywjjvlii\ympsd3jsciw
Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates File: C:\dlcxywjjvlii\n10ewg
Creates File: C:\dlcxywjjvlii\fetgoijqj
Creates File: C:\dlcxywjjvlii\ympsd3jsciw
Deletes File: C:\WINDOWS\dlcxywjjvlii\ympsd3jsciw
Creates Process: alaaoofnr2ur "c:\dlcxywjjvlii\fbdaheh.exe"

Process
↳ C:\dlcxywjjvlii\fbdaheh.exe

Creates File: C:\WINDOWS\dlcxywjjvlii\ympsd3jsciw
Creates File: C:\dlcxywjjvlii\ympsd3jsciw
Deletes File: C:\WINDOWS\dlcxywjjvlii\ympsd3jsciw

Process
↳ alaaoofnr2ur "c:\dlcxywjjvlii\fbdaheh.exe"

Creates File: C:\WINDOWS\dlcxywjjvlii\ympsd3jsciw
Creates File: C:\dlcxywjjvlii\ympsd3jsciw
Deletes File: C:\WINDOWS\dlcxywjjvlii\ympsd3jsciw

Network Details:

DNS: laughletter.net (Type: A) ➝ 184.168.221.36
DNS: perhapsdifferent.net (Type: A) ➝ 195.22.28.197
DNS: perhapsdifferent.net (Type: A) ➝ 195.22.28.198
DNS: perhapsdifferent.net (Type: A) ➝ 195.22.28.199
DNS: perhapsdifferent.net (Type: A) ➝ 195.22.28.196
DNS: subjectsurprise.net (Type: A) ➝ 208.100.26.234
DNS: sweetsurprise.net (Type: A) ➝ 141.8.225.124
DNS: doctoropinion.net (Type: A) ➝ 103.48.83.103
DNS: brokenpromise.net (Type: A) ➝ 69.172.201.208
DNS: outsidesupply.net (Type: A) ➝ 98.124.243.47
DNS: outsideoffice.net (Type: A) ➝ 104.24.17.64
DNS: outsideoffice.net (Type: A) ➝ 104.24.16.64
DNS: perhapspower.net (Type: A)
DNS: windowpower.net (Type: A)
DNS: perhapscountry.net (Type: A)
DNS: windowcountry.net (Type: A)
DNS: wintercentury.net (Type: A)
DNS: subjectcentury.net (Type: A)
DNS: winterfamous.net (Type: A)
DNS: subjectfamous.net (Type: A)
DNS: winterpower.net (Type: A)
DNS: subjectpower.net (Type: A)
DNS: wintercountry.net (Type: A)
DNS: subjectcountry.net (Type: A)
DNS: finishcentury.net (Type: A)
DNS: leavecentury.net (Type: A)
DNS: finishfamous.net (Type: A)
DNS: leavefamous.net (Type: A)
DNS: finishpower.net (Type: A)
DNS: leavepower.net (Type: A)
DNS: finishcountry.net (Type: A)
DNS: leavecountry.net (Type: A)
DNS: sweetcentury.net (Type: A)
DNS: probablycentury.net (Type: A)
DNS: sweetfamous.net (Type: A)
DNS: probablyfamous.net (Type: A)
DNS: sweetpower.net (Type: A)
DNS: probablypower.net (Type: A)
DNS: sweetcountry.net (Type: A)
DNS: probablycountry.net (Type: A)
DNS: severalcentury.net (Type: A)
DNS: materialcentury.net (Type: A)
DNS: severalfamous.net (Type: A)
DNS: materialfamous.net (Type: A)
DNS: severalpower.net (Type: A)
DNS: materialpower.net (Type: A)
DNS: severalcountry.net (Type: A)
DNS: materialcountry.net (Type: A)
DNS: severasurprise.net (Type: A)
DNS: laughsurprise.net (Type: A)
DNS: severabeside.net (Type: A)
DNS: laughbeside.net (Type: A)
DNS: severaletter.net (Type: A)
DNS: severadifferent.net (Type: A)
DNS: laughdifferent.net (Type: A)
DNS: simplesurprise.net (Type: A)
DNS: mothersurprise.net (Type: A)
DNS: simplebeside.net (Type: A)
DNS: motherbeside.net (Type: A)
DNS: simpleletter.net (Type: A)
DNS: motherletter.net (Type: A)
DNS: simpledifferent.net (Type: A)
DNS: motherdifferent.net (Type: A)
DNS: mountainsurprise.net (Type: A)
DNS: possiblesurprise.net (Type: A)
DNS: mountainbeside.net (Type: A)
DNS: possiblebeside.net (Type: A)
DNS: mountainletter.net (Type: A)
DNS: possibleletter.net (Type: A)
DNS: mountaindifferent.net (Type: A)
DNS: possibledifferent.net (Type: A)
DNS: perhapssurprise.net (Type: A)
DNS: windowsurprise.net (Type: A)
DNS: perhapsbeside.net (Type: A)
DNS: windowbeside.net (Type: A)
DNS: perhapsletter.net (Type: A)
DNS: windowletter.net (Type: A)
DNS: windowdifferent.net (Type: A)
DNS: wintersurprise.net (Type: A)
DNS: winterbeside.net (Type: A)
DNS: subjectbeside.net (Type: A)
DNS: winterletter.net (Type: A)
DNS: subjectletter.net (Type: A)
DNS: winterdifferent.net (Type: A)
DNS: subjectdifferent.net (Type: A)
DNS: finishsurprise.net (Type: A)
DNS: leavesurprise.net (Type: A)
DNS: finishbeside.net (Type: A)
DNS: leavebeside.net (Type: A)
DNS: finishletter.net (Type: A)
DNS: leaveletter.net (Type: A)
DNS: finishdifferent.net (Type: A)
DNS: leavedifferent.net (Type: A)
DNS: probablysurprise.net (Type: A)
DNS: sweetbeside.net (Type: A)
DNS: probablybeside.net (Type: A)
DNS: sweetletter.net (Type: A)
DNS: probablyletter.net (Type: A)
DNS: sweetdifferent.net (Type: A)
DNS: probablydifferent.net (Type: A)
DNS: severalsurprise.net (Type: A)
DNS: materialsurprise.net (Type: A)
DNS: severalbeside.net (Type: A)
DNS: materialbeside.net (Type: A)
DNS: severalletter.net (Type: A)
DNS: materialletter.net (Type: A)
DNS: severaldifferent.net (Type: A)
DNS: materialdifferent.net (Type: A)
DNS: movementshould.net (Type: A)
DNS: outsideshould.net (Type: A)
DNS: movementshort.net (Type: A)
DNS: outsideshort.net (Type: A)
DNS: movementopinion.net (Type: A)
DNS: outsideopinion.net (Type: A)
DNS: movementpromise.net (Type: A)
DNS: outsidepromise.net (Type: A)
DNS: buildingshould.net (Type: A)
DNS: eveningshould.net (Type: A)
DNS: buildingshort.net (Type: A)
DNS: eveningshort.net (Type: A)
DNS: buildingopinion.net (Type: A)
DNS: eveningopinion.net (Type: A)
DNS: buildingpromise.net (Type: A)
DNS: eveningpromise.net (Type: A)
DNS: storeshould.net (Type: A)
DNS: mightshould.net (Type: A)
DNS: storeshort.net (Type: A)
DNS: mightshort.net (Type: A)
DNS: storeopinion.net (Type: A)
DNS: mightopinion.net (Type: A)
DNS: storepromise.net (Type: A)
DNS: mightpromise.net (Type: A)
DNS: doctorshould.net (Type: A)
DNS: prettyshould.net (Type: A)
DNS: doctorshort.net (Type: A)
DNS: prettyshort.net (Type: A)
DNS: prettyopinion.net (Type: A)
DNS: doctorpromise.net (Type: A)
DNS: prettypromise.net (Type: A)
DNS: fellowshould.net (Type: A)
DNS: doubleshould.net (Type: A)
DNS: fellowshort.net (Type: A)
DNS: doubleshort.net (Type: A)
DNS: fellowopinion.net (Type: A)
DNS: doubleopinion.net (Type: A)
DNS: fellowpromise.net (Type: A)
DNS: doublepromise.net (Type: A)
DNS: brokenshould.net (Type: A)
DNS: resultshould.net (Type: A)
DNS: brokenshort.net (Type: A)
DNS: resultshort.net (Type: A)
DNS: brokenopinion.net (Type: A)
DNS: resultopinion.net (Type: A)
DNS: resultpromise.net (Type: A)
DNS: prepareshould.net (Type: A)
DNS: desireshould.net (Type: A)
DNS: prepareshort.net (Type: A)
DNS: desireshort.net (Type: A)
DNS: prepareopinion.net (Type: A)
DNS: desireopinion.net (Type: A)
DNS: preparepromise.net (Type: A)
DNS: desirepromise.net (Type: A)
DNS: strengthshould.net (Type: A)
DNS: stillshould.net (Type: A)
DNS: strengthshort.net (Type: A)
DNS: stillshort.net (Type: A)
DNS: strengthopinion.net (Type: A)
DNS: stillopinion.net (Type: A)
DNS: strengthpromise.net (Type: A)
DNS: stillpromise.net (Type: A)
DNS: movementsupply.net (Type: A)
DNS: movementdistance.net (Type: A)
DNS: outsidedistance.net (Type: A)
DNS: movementoffice.net (Type: A)
HTTP GET: http://laughletter.net/index.php
User-Agent:
HTTP GET: http://perhapsdifferent.net/index.php
User-Agent:
HTTP GET: http://subjectsurprise.net/index.php
User-Agent:
HTTP GET: http://sweetsurprise.net/index.php
User-Agent:
HTTP GET: http://doctoropinion.net/index.php
User-Agent:
HTTP GET: http://brokenpromise.net/index.php
User-Agent:
HTTP GET: http://outsidesupply.net/index.php
User-Agent:
HTTP GET: http://outsideoffice.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.28.197:80
Flows TCP: 192.168.1.1:1033 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.124:80
Flows TCP: 192.168.1.1:1035 ➝ 103.48.83.103:80
Flows TCP: 192.168.1.1:1036 ➝ 69.172.201.208:80
Flows TCP: 192.168.1.1:1037 ➝ 98.124.243.47:80
Flows TCP: 192.168.1.1:1038 ➝ 104.24.17.64:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   61756768 6c657474 65722e6e 65740d0a   aughletter.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   65726861 70736469 66666572 656e742e   erhapsdifferent.
0x00000050 (00080)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   75626a65 63747375 72707269 73652e6e   ubjectsurprise.n
0x00000050 (00080)   65740d0a 0d0a0a                       et.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   77656574 73757270 72697365 2e6e6574   weetsurprise.net
0x00000050 (00080)   0d0a0d0a 0d0a0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 726f7069 6e696f6e 2e6e6574   octoropinion.net
0x00000050 (00080)   0d0a0d0a 0d0a0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   726f6b65 6e70726f 6d697365 2e6e6574   rokenpromise.net
0x00000050 (00080)   0d0a0d0a 0d0a0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206f   : close..Host: o
0x00000040 (00064)   75747369 64657375 70706c79 2e6e6574   utsidesupply.net
0x00000050 (00080)   0d0a0d0a 0d0a0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206f   : close..Host: o
0x00000040 (00064)   75747369 64656f66 66696365 2e6e6574   utsideoffice.net
0x00000050 (00080)   0d0a0d0a 0d0a0a                       .......

Strings