Analysis Date: 2015-08-19 09:25:00
MD5: 415564d0ad1c58d72c3e16e7774b65aa
SHA1: b13492d52a5e7619177f10f277b55d1ecc351ed4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: a8eabe681765287044f3cda50cef8c2e  sha1: 865a3048093df73d1c218f3d2c95755da5f9c7e4  size: 658432
Section .rdata md5: c80b7f4fba4ea048d72b44b31c8d31a3  sha1: 96578e8f189ee3cb47bb244cfe769dd8439be3cc  size: 88576
Section .data  md5: 8475a69cee7914eba4b7533f59b77411  sha1: 0f80e3be7281e60ed68d19eed482fee8a3b09b44  size: 7168
Section .reloc md5: 22c5da059d76747097d69d7d82ce3b77  sha1: 78ddf3f60a36cd5f184cd654fb0e107340a185bb  size: 69120
Timestamp: 2015-05-08 07:29:44
Packer: Microsoft Visual C++ 8
PEhash: fcc0c600e542948695001f8e1c260fffcc640871
IMPhash: 53a3c5711c715c089fdc569e6765aaa9
AV Rising: Trojan.Win32.Bayrod.a
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.609540
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.609540
AV BullGuard: Gen:Variant.Kazy.609540
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: TROJ_BAYROB.SM0
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.Scar.Win32.92333
AV Emsisoft: Gen:Variant.Kazy.609540
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.R.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.609540
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AF
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Kazy.609540
AV Fortinet: W32/Generic.AC.215362
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.T
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Ad-Aware: Gen:Variant.Kazy.609540
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.Xpack.250735
AV Mcafee: Trojan-FGIJ!415564D0AD1C

Runtime Details:

Process
↳ C:\malware.exe

Creates File C:\vgxjdfmaaf\iaf1jp7l56wsvnljhp50.exe
Creates File C:\WINDOWS\vgxjdfmaaf\bgenvotq5xoz
Creates File C:\vgxjdfmaaf\bgenvotq5xoz
Deletes File C:\WINDOWS\vgxjdfmaaf\bgenvotq5xoz
Creates Process C:\vgxjdfmaaf\iaf1jp7l56wsvnljhp50.exe

Process
↳ C:\vgxjdfmaaf\iaf1jp7l56wsvnljhp50.exe

Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Config Logon Procedure WLAN DCOM ➝ C:\vgxjdfmaaf\gwctwgwig.exe
Creates File C:\vgxjdfmaaf\gwctwgwig.exe
Creates File PIPE\lsarpc
Creates File C:\vgxjdfmaaf\xlmt9e
Creates File C:\WINDOWS\vgxjdfmaaf\bgenvotq5xoz
Creates File C:\vgxjdfmaaf\bgenvotq5xoz
Deletes File C:\WINDOWS\vgxjdfmaaf\bgenvotq5xoz
Creates Process C:\vgxjdfmaaf\gwctwgwig.exe
Creates Service Connection Launcher Initiator Builder Installer - C:\vgxjdfmaaf\gwctwgwig.exe

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1116

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1152

Process
↳ C:\vgxjdfmaaf\gwctwgwig.exe

Creates File pipe\net\NtControlPipe10
Creates File C:\vgxjdfmaaf\oppy6jnpt
Creates File C:\vgxjdfmaaf\erlxpfq.exe
Creates File C:\vgxjdfmaaf\xlmt9e
Creates File C:\WINDOWS\vgxjdfmaaf\bgenvotq5xoz
Creates File \Device\Afd\Endpoint
Creates File C:\vgxjdfmaaf\bgenvotq5xoz
Deletes File C:\WINDOWS\vgxjdfmaaf\bgenvotq5xoz
Creates Process e10ksbhvjfaj "c:\vgxjdfmaaf\gwctwgwig.exe"

Process
↳ C:\vgxjdfmaaf\gwctwgwig.exe

Creates File C:\WINDOWS\vgxjdfmaaf\bgenvotq5xoz
Creates File C:\vgxjdfmaaf\bgenvotq5xoz
Deletes File C:\WINDOWS\vgxjdfmaaf\bgenvotq5xoz

Process
↳ e10ksbhvjfaj "c:\vgxjdfmaaf\gwctwgwig.exe"

Creates File C:\WINDOWS\vgxjdfmaaf\bgenvotq5xoz
Creates File C:\vgxjdfmaaf\bgenvotq5xoz
Deletes File C:\WINDOWS\vgxjdfmaaf\bgenvotq5xoz

Network Details:

DNS mountainsupply.net (Type: A) ➝ 67.18.199.2
DNS windowsupply.net (Type: A) ➝ 173.236.172.44
DNS sweetoffice.net (Type: A) ➝ 162.213.251.173
DNS materialsupply.net (Type: A) ➝ 184.168.221.36
DNS laughstrong.net (Type: A) ➝ 50.21.189.209
DNS simplearrive.net (Type: A) ➝ no address returned
DNS motherarrive.net (Type: A) ➝ no address returned
DNS possiblesupply.net (Type: A) ➝ no address returned
DNS mountaindistance.net (Type: A) ➝ no address returned
DNS possibledistance.net (Type: A) ➝ no address returned
DNS mountainoffice.net (Type: A) ➝ no address returned
DNS possibleoffice.net (Type: A) ➝ no address returned
DNS mountainarrive.net (Type: A) ➝ no address returned
DNS possiblearrive.net (Type: A) ➝ no address returned
DNS perhapssupply.net (Type: A) ➝ no address returned
DNS perhapsdistance.net (Type: A) ➝ no address returned
DNS windowdistance.net (Type: A) ➝ no address returned
DNS perhapsoffice.net (Type: A) ➝ no address returned
DNS windowoffice.net (Type: A) ➝ no address returned
DNS perhapsarrive.net (Type: A) ➝ no address returned
DNS windowarrive.net (Type: A) ➝ no address returned
DNS wintersupply.net (Type: A) ➝ no address returned
DNS subjectsupply.net (Type: A) ➝ no address returned
DNS winterdistance.net (Type: A) ➝ no address returned
DNS subjectdistance.net (Type: A) ➝ no address returned
DNS winteroffice.net (Type: A) ➝ no address returned
DNS subjectoffice.net (Type: A) ➝ no address returned
DNS winterarrive.net (Type: A) ➝ no address returned
DNS subjectarrive.net (Type: A) ➝ no address returned
DNS finishsupply.net (Type: A) ➝ no address returned
DNS leavesupply.net (Type: A) ➝ no address returned
DNS finishdistance.net (Type: A) ➝ no address returned
DNS leavedistance.net (Type: A) ➝ no address returned
DNS finishoffice.net (Type: A) ➝ no address returned
DNS leaveoffice.net (Type: A) ➝ no address returned
DNS finisharrive.net (Type: A) ➝ no address returned
DNS leavearrive.net (Type: A) ➝ no address returned
DNS sweetsupply.net (Type: A) ➝ no address returned
DNS probablysupply.net (Type: A) ➝ no address returned
DNS sweetdistance.net (Type: A) ➝ no address returned
DNS probablydistance.net (Type: A) ➝ no address returned
DNS probablyoffice.net (Type: A) ➝ no address returned
DNS sweetarrive.net (Type: A) ➝ no address returned
DNS probablyarrive.net (Type: A) ➝ no address returned
DNS severalsupply.net (Type: A) ➝ no address returned
DNS severaldistance.net (Type: A) ➝ no address returned
DNS materialdistance.net (Type: A) ➝ no address returned
DNS severaloffice.net (Type: A) ➝ no address returned
DNS materialoffice.net (Type: A) ➝ no address returned
DNS severalarrive.net (Type: A) ➝ no address returned
DNS materialarrive.net (Type: A) ➝ no address returned
DNS severastrong.net (Type: A) ➝ no address returned
DNS severatrouble.net (Type: A) ➝ no address returned
DNS laughtrouble.net (Type: A) ➝ no address returned
DNS severapresident.net (Type: A) ➝ no address returned
DNS laughpresident.net (Type: A) ➝ no address returned
DNS severacaught.net (Type: A) ➝ no address returned
DNS laughcaught.net (Type: A) ➝ no address returned
DNS simplestrong.net (Type: A) ➝ no address returned
DNS motherstrong.net (Type: A) ➝ no address returned
DNS simpletrouble.net (Type: A) ➝ no address returned
DNS mothertrouble.net (Type: A) ➝ no address returned
DNS simplepresident.net (Type: A) ➝ no address returned
DNS motherpresident.net (Type: A) ➝ no address returned
DNS simplecaught.net (Type: A) ➝ no address returned
DNS mothercaught.net (Type: A) ➝ no address returned
DNS mountainstrong.net (Type: A) ➝ no address returned
DNS possiblestrong.net (Type: A) ➝ no address returned
DNS mountaintrouble.net (Type: A) ➝ no address returned
DNS possibletrouble.net (Type: A) ➝ no address returned
DNS mountainpresident.net (Type: A) ➝ no address returned
DNS possiblepresident.net (Type: A) ➝ no address returned
DNS mountaincaught.net (Type: A) ➝ no address returned
DNS possiblecaught.net (Type: A) ➝ no address returned
DNS perhapsstrong.net (Type: A) ➝ no address returned
DNS windowstrong.net (Type: A) ➝ no address returned
DNS perhapstrouble.net (Type: A) ➝ no address returned
DNS windowtrouble.net (Type: A) ➝ no address returned
DNS perhapspresident.net (Type: A) ➝ no address returned
DNS windowpresident.net (Type: A) ➝ no address returned
DNS perhapscaught.net (Type: A) ➝ no address returned
DNS windowcaught.net (Type: A) ➝ no address returned
DNS winterstrong.net (Type: A) ➝ no address returned
DNS subjectstrong.net (Type: A) ➝ no address returned
DNS wintertrouble.net (Type: A) ➝ no address returned
HTTP GET http://mountainsupply.net/index.php
User-Agent: (none)
HTTP GET http://windowsupply.net/index.php
User-Agent: (none)
HTTP GET http://sweetoffice.net/index.php
User-Agent: (none)
HTTP GET http://materialsupply.net/index.php
User-Agent: (none)
HTTP GET http://laughstrong.net/index.php
User-Agent: (none)
Flows TCP 192.168.1.1:1031 ➝ 67.18.199.2:80
Flows TCP 192.168.1.1:1032 ➝ 173.236.172.44:80
Flows TCP 192.168.1.1:1033 ➝ 162.213.251.173:80
Flows TCP 192.168.1.1:1034 ➝ 184.168.221.36:80
Flows TCP 192.168.1.1:1035 ➝ 50.21.189.209:80
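Every one of the 85 names queried above is two dictionary words joined under .net, only five of them resolved, and each resolved address is the destination of exactly one TCP flow to port 80. The Python below is an added example, not part of the sandbox report, that pulls host and network indicators out of lines written in this page's notation (dropped files, the Run key and service from the runtime section, the DNS answers and flows) and checks each queried name against the two-word pattern. The excerpt it parses is constructed from lines on this page plus example.com as a control entry that the report does not contain; the two word lists are simply the words that occur in the page's domain list, not the family's real name generator, about which the example makes no claim.

```python
"""Extract host and network indicators from this report's own notation.

Added example, not part of the sandbox output. The excerpt below is
constructed from lines on this page (example.com is a constructed control
entry that does not appear in the report). FIRST_WORDS/SECOND_WORDS are
the words seen in the page's domain list, not the family's real generator.
"""
import re

REPORT = r"""
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Config Logon Procedure WLAN DCOM ➝ C:\vgxjdfmaaf\gwctwgwig.exe
Creates File C:\vgxjdfmaaf\gwctwgwig.exe
Creates File PIPE\lsarpc
Creates Service Connection Launcher Initiator Builder Installer - C:\vgxjdfmaaf\gwctwgwig.exe
DNS mountainsupply.net (Type: A) ➝ 67.18.199.2
DNS simplearrive.net (Type: A) ➝ no address returned
DNS laughstrong.net (Type: A) ➝ 50.21.189.209
DNS example.com (Type: A) ➝ no address returned
Flows TCP 192.168.1.1:1031 ➝ 67.18.199.2:80
Flows TCP 192.168.1.1:1035 ➝ 50.21.189.209:80
"""

FIRST_WORDS = {"mountain", "window", "sweet", "material", "laugh", "simple",
               "mother", "possible", "perhaps", "winter", "subject", "finish",
               "leave", "probably", "several", "severa"}
SECOND_WORDS = {"supply", "distance", "office", "arrive", "strong", "trouble",
                "president", "caught"}

DNS_LINE = re.compile(r"^DNS (\S+) \(Type: (\w+)\) ➝ (.+)$")
FLOW_LINE = re.compile(r"^Flows TCP (\S+) ➝ (\S+)$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def split_word_pair(label):
    """Return (first, second) if label is exactly one word from each list."""
    for first in FIRST_WORDS:
        rest = label[len(first):]
        if label.startswith(first) and rest in SECOND_WORDS:
            return first, rest
    return None


def parse_report(text):
    """One pass over the report lines; unknown line kinds are ignored."""
    out = {"files": [], "persistence": [], "dns": {}, "flows": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := DNS_LINE.match(line):
            name, _rtype, answer = m.groups()
            out["dns"][name] = answer if IPV4.match(answer) else None
        elif m := FLOW_LINE.match(line):
            out["flows"].append(m.groups())
        elif line.startswith("Creates File "):
            out["files"].append(line[len("Creates File "):])
        elif line.startswith("Registry ") and "\\Run\\" in line:
            key, _, value = line[len("Registry "):].partition(" ➝ ")
            out["persistence"].append(("run_key", key, value))
        elif line.startswith("Creates Service "):
            name, _, image = line[len("Creates Service "):].rpartition(" - ")
            out["persistence"].append(("service", name, image))
    return out


def flow_domains(parsed):
    """Map each contacted IP back to the name that resolved to it."""
    by_ip = {ip: name for name, ip in parsed["dns"].items() if ip}
    return {dst.rsplit(":", 1)[0]: by_ip.get(dst.rsplit(":", 1)[0])
            for _src, dst in parsed["flows"]}


def classify_domains(parsed):
    """Split queried names into word-pair .net names and everything else.

    Each match carries (first, second, resolved) so the caller can see which
    of the generated names were actually live when the sample ran.
    """
    pairs, other = {}, []
    for name, ip in parsed["dns"].items():
        label, _, tld = name.rpartition(".")
        pair = split_word_pair(label)
        if pair and tld == "net":
            pairs[name] = pair + (ip is not None,)
        else:
            other.append(name)
    return pairs, other


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    pairs, other = classify_domains(parsed)
    live = sum(1 for p in pairs.values() if p[2])
    print(f"{len(pairs)} word-pair .net names queried, {live} resolved")
    for ip, name in flow_domains(parsed).items():
        print(f"flow to {ip} matches {name}")
    for kind, where, image in parsed["persistence"]:
        print(f"persistence: {kind} {where!r} -> {image}")
    print("not matching the pattern:", other)
```

Run against the full page rather than the excerpt, `classify_domains` puts all 85 names in the word-pair bucket and `flow_domains` accounts for all five flows, which is the quick way to confirm that the only outbound traffic in the run went to resolved members of the generated set. The word lists are an observation about this one run; a different run of the same sample, or a different seed date, may draw from words that do not appear here.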

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f756e74 61696e73 7570706c 792e6e65   ountainsupply.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   696e646f 77737570 706c792e 6e65740d   indowsupply.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   77656574 6f666669 63652e6e 65740d0a   weetoffice.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   61746572 69616c73 7570706c 792e6e65   aterialsupply.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   61756768 7374726f 6e672e6e 65740d0a   aughstrong.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....
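The five dumps show the same request each time: `GET /index.php HTTP/1.0` with `Accept: */*`, `Connection: close` and a `Host` header, and no `User-Agent` at all, which is what the empty User-Agent field in the HTTP list above reflects. The Python below is an added example, not part of the report, that turns the report's offset/hex/ascii dump layout back into bytes, checks that the row offsets are contiguous, and parses the request so those features can be asserted rather than read off by eye. The `DUMP` string is the first capture above copied verbatim.

```python
"""Decode one of this report's raw pcap dumps and parse the HTTP request.

Added example, not part of the sandbox output. DUMP is the first request
as printed on the page, in its "0xOFFSET (DECIMAL)   hex words   ascii"
layout; the ascii column is ignored and the bytes come from the hex words.
"""
import re

DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f756e74 61696e73 7570706c 792e6e65   ountainsupply.ne
0x00000050 (00080)   740d0a0d 0a                           t....
"""

OFFSET = re.compile(r"^0x([0-9a-fA-F]+) \(\d+\)")
HEX_WORD = re.compile(r"[0-9a-fA-F]{2,8}")
BYTES_PER_ROW = 16


def decode_hexdump(dump):
    """Return the bytes of a dump, verifying rows are contiguous.

    Hex words are consumed left to right until the first token that is not
    an even-length hex string or until 16 bytes are in hand, so the ascii
    column never leaks into the output.
    """
    rows = []
    for line in dump.splitlines():
        m = OFFSET.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        raw = bytearray()
        for tok in line[m.end():].split():
            if len(tok) % 2 or not HEX_WORD.fullmatch(tok) or len(raw) >= BYTES_PER_ROW:
                break
            raw += bytes.fromhex(tok)
        rows.append((offset, bytes(raw)))
    out = bytearray()
    for i, (offset, raw) in enumerate(rows):
        if offset != len(out):
            raise ValueError(f"row offset {offset:#x} does not follow {len(out):#x}")
        if i + 1 < len(rows) and rows[i + 1][0] - offset != len(raw):
            raise ValueError(f"row at {offset:#x} decoded {len(raw)} bytes, "
                             f"next offset implies {rows[i + 1][0] - offset}")
        out += raw
    return bytes(out)


def parse_http_request(data):
    """Minimal HTTP/1.x request parser: request line, headers, leftover body."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("ascii").split(" ")
    headers = {}
    for h in lines[1:]:
        name, _, value = h.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def request_oddities(req):
    """Features of this capture that a network analyst would key on."""
    found = []
    if "user-agent" not in req["headers"]:
        found.append("no User-Agent header")
    if req["version"] == "HTTP/1.0":
        found.append("HTTP/1.0 request")
    if req["target"] == "/index.php" and req["headers"].get("accept") == "*/*":
        found.append("bare GET /index.php with Accept: */*")
    return found


if __name__ == "__main__":
    request = parse_http_request(decode_hexdump(DUMP))
    print(request["method"], request["target"], request["version"])
    print(request["headers"])
    print(request_oddities(request))
```

The same decoder applies to the other four dumps. Note that the second, third and fifth of them carry a few extra CR/LF bytes after the blank line that ends the headers (`0a0d0a0d 0a`, `0d0a0a0d 0a`); the parser splits on the first `\r\n\r\n`, so those bytes come back in `body` rather than being silently dropped.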


Strings