Analysis Date | 2015-08-19 09:25:00 |
---|---|
MD5 | 415564d0ad1c58d72c3e16e7774b65aa |
SHA1 | b13492d52a5e7619177f10f277b55d1ecc351ed4 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: a8eabe681765287044f3cda50cef8c2e sha1: 865a3048093df73d1c218f3d2c95755da5f9c7e4 size: 658432 | |
Section | .rdata md5: c80b7f4fba4ea048d72b44b31c8d31a3 sha1: 96578e8f189ee3cb47bb244cfe769dd8439be3cc size: 88576 | |
Section | .data md5: 8475a69cee7914eba4b7533f59b77411 sha1: 0f80e3be7281e60ed68d19eed482fee8a3b09b44 size: 7168 | |
Section | .reloc md5: 22c5da059d76747097d69d7d82ce3b77 sha1: 78ddf3f60a36cd5f184cd654fb0e107340a185bb size: 69120 | |
Timestamp | 2015-05-08 07:29:44 | |
Packer | Microsoft Visual C++ 8 | |
PEhash | fcc0c600e542948695001f8e1c260fffcc640871 | |
IMPhash | 53a3c5711c715c089fdc569e6765aaa9 | |
AV | Rising | Trojan.Win32.Bayrod.a |
AV | CA (E-Trust Ino) | no_virus |
AV | F-Secure | Gen:Variant.Kazy.609540 |
AV | Dr. Web | Trojan.Bayrob.1 |
AV | ClamAV | no_virus |
AV | Arcabit (arcavir) | Gen:Variant.Kazy.609540 |
AV | BullGuard | Gen:Variant.Kazy.609540 |
AV | Padvish | no_virus |
AV | VirusBlokAda (vba32) | no_virus |
AV | CAT (quickheal) | TrojanSpy.Nivdort.OD4 |
AV | Trend Micro | TROJ_BAYROB.SM0 |
AV | Kaspersky | Trojan.Win32.Generic |
AV | Zillya! | Trojan.Scar.Win32.92333 |
AV | Emsisoft | Gen:Variant.Kazy.609540 |
AV | Ikarus | Trojan.Win32.Bayrob |
AV | Frisk (f-prot) | no_virus |
AV | Authentium | W32/Scar.R.gen!Eldorado |
AV | MalwareBytes | Trojan.Agent.KVTGen |
AV | MicroWorld (escan) | Gen:Variant.Kazy.609540 |
AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.AF |
AV | K7 | Trojan ( 004c77f41 ) |
AV | BitDefender | Gen:Variant.Kazy.609540 |
AV | Fortinet | W32/Generic.AC.215362 |
AV | Symantec | Downloader.Upatre!g15 |
AV | Grisoft (avg) | Win32/Cryptor |
AV | Eset (nod32) | Win32/Bayrob.T |
AV | Alwil (avast) | Trojan-gen:Win32:Trojan-gen |
AV | Ad-Aware | Gen:Variant.Kazy.609540 |
AV | Twister | no_virus |
AV | Avira (antivir) | TR/Crypt.Xpack.250735 |
AV | Mcafee | Trojan-FGIJ!415564D0AD1C |
Runtime Details:
Screenshot | ![]() |
---|
Process
↳ C:\malware.exe
Creates File | C:\vgxjdfmaaf\iaf1jp7l56wsvnljhp50.exe |
---|---|
Creates File | C:\WINDOWS\vgxjdfmaaf\bgenvotq5xoz |
Creates File | C:\vgxjdfmaaf\bgenvotq5xoz |
Deletes File | C:\WINDOWS\vgxjdfmaaf\bgenvotq5xoz |
Creates Process | C:\vgxjdfmaaf\iaf1jp7l56wsvnljhp50.exe |
Process
↳ C:\vgxjdfmaaf\iaf1jp7l56wsvnljhp50.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Config Logon Procedure WLAN DCOM ➝ C:\vgxjdfmaaf\gwctwgwig.exe |
---|---|
Creates File | C:\vgxjdfmaaf\gwctwgwig.exe |
Creates File | PIPE\lsarpc |
Creates File | C:\vgxjdfmaaf\xlmt9e |
Creates File | C:\WINDOWS\vgxjdfmaaf\bgenvotq5xoz |
Creates File | C:\vgxjdfmaaf\bgenvotq5xoz |
Deletes File | C:\WINDOWS\vgxjdfmaaf\bgenvotq5xoz |
Creates Process | C:\vgxjdfmaaf\gwctwgwig.exe |
Creates Service | Connection Launcher Initiator Builder Installer - C:\vgxjdfmaaf\gwctwgwig.exe |
Process
↳ Pid 812
Process
↳ Pid 856
Process
↳ C:\WINDOWS\System32\svchost.exe
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
---|
Process
↳ Pid 1116
Process
↳ Pid 1216
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
---|---|
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Process
↳ Pid 1864
Process
↳ Pid 1152
Process
↳ C:\vgxjdfmaaf\gwctwgwig.exe
Creates File | pipe\net\NtControlPipe10 |
---|---|
Creates File | C:\vgxjdfmaaf\oppy6jnpt |
Creates File | C:\vgxjdfmaaf\erlxpfq.exe |
Creates File | C:\vgxjdfmaaf\xlmt9e |
Creates File | C:\WINDOWS\vgxjdfmaaf\bgenvotq5xoz |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\vgxjdfmaaf\bgenvotq5xoz |
Deletes File | C:\WINDOWS\vgxjdfmaaf\bgenvotq5xoz |
Creates Process | e10ksbhvjfaj "c:\vgxjdfmaaf\gwctwgwig.exe" |
Process
↳ C:\vgxjdfmaaf\gwctwgwig.exe
Creates File | C:\WINDOWS\vgxjdfmaaf\bgenvotq5xoz |
---|---|
Creates File | C:\vgxjdfmaaf\bgenvotq5xoz |
Deletes File | C:\WINDOWS\vgxjdfmaaf\bgenvotq5xoz |
Process
↳ e10ksbhvjfaj "c:\vgxjdfmaaf\gwctwgwig.exe"
Creates File | C:\WINDOWS\vgxjdfmaaf\bgenvotq5xoz |
---|---|
Creates File | C:\vgxjdfmaaf\bgenvotq5xoz |
Deletes File | C:\WINDOWS\vgxjdfmaaf\bgenvotq5xoz |
Network Details:
Raw Pcap
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206d : close..Host: m 0x00000040 (00064) 6f756e74 61696e73 7570706c 792e6e65 ountainsupply.ne 0x00000050 (00080) 740d0a0d 0a t.... 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2077 : close..Host: w 0x00000040 (00064) 696e646f 77737570 706c792e 6e65740d indowsupply.net. 0x00000050 (00080) 0a0d0a0d 0a ..... 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2073 : close..Host: s 0x00000040 (00064) 77656574 6f666669 63652e6e 65740d0a weetoffice.net.. 0x00000050 (00080) 0d0a0a0d 0a ..... 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206d : close..Host: m 0x00000040 (00064) 61746572 69616c73 7570706c 792e6e65 aterialsupply.ne 0x00000050 (00080) 740d0a0d 0a t.... 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206c : close..Host: l 0x00000040 (00064) 61756768 7374726f 6e672e6e 65740d0a aughstrong.net.. 0x00000050 (00080) 0d0a0a0d 0a .....
Strings