Analysis Date: 2015-10-26 09:32:24
MD5: 7ceeb169edcf4414dbe15bc25cd1329d
SHA1: b7073871423182f26bdf33f102ad911c96766b05

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: dad72cd56720b5fe365ce2536a0a3b12 sha1: 9500851fb2355bfd10dab14d279ec56e1e6d6063 size: 198144
Section .rdata: md5: 9e6a6e5c46fe7ecd8b3a2f56dd6bd721 sha1: 252c630fd4aabfddc17a6ef241b0e527ddefa93f size: 50688
Section .data: md5: 7e4e6011f01056103f974823de529891 sha1: 7fceb0fd6b0aba12f1cf70b121768f7b7db8cb3d size: 7680
Section .reloc: md5: 9e6f34a622491dec5d169e9e91450d82 sha1: 7ccd6ddb1e4ed1059327a25654c59be32e205e9b size: 14336
Timestamp: 2015-04-29 18:52:30
Packer: Microsoft Visual C++ 8
PEhash: d9987de32b7c734da1511ff27ec0735b34fc0ef4
IMPhash: a496faa2c2f5f097efaabb6661dc485b
AV Rising: Trojan.Win32.Bayrod.a
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.604861
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.604861
AV BullGuard: Gen:Variant.Kazy.604861
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.604861
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.R.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AY
AV K7: Trojan ( 004c12491 )
AV BitDefender: Gen:Variant.Kazy.604861
AV Fortinet: W32/Generic.AC.215362
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Q
AV Alwil (avast): VB-AJEW [Trj]
AV Ad-Aware: Gen:Variant.Kazy.604861
AV Twister: Trojan.0000E9000000006A1.mg
AV Avira (antivir): TR/Kryptik.qgmpd
AV Mcafee: Trojan-FGIJ!7CEEB169EDCF

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\wsnqmtqjx\yfcizifqrh
Creates File: C:\WINDOWS\wsnqmtqjx\yfcizifqrh
Creates File: C:\wsnqmtqjx\sjrqi1lg5dxtjbioxbgvgw.exe
Deletes File: C:\WINDOWS\wsnqmtqjx\yfcizifqrh
Creates Process: C:\wsnqmtqjx\sjrqi1lg5dxtjbioxbgvgw.exe

Process
↳ C:\wsnqmtqjx\sjrqi1lg5dxtjbioxbgvgw.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Shell Base Tools Computer Receiver ➝ C:\wsnqmtqjx\lbcddfkfu.exe
Creates File: C:\wsnqmtqjx\yfcizifqrh
Creates File: C:\WINDOWS\wsnqmtqjx\yfcizifqrh
Creates File: PIPE\lsarpc
Creates File: C:\wsnqmtqjx\gnqw1ng
Creates File: C:\wsnqmtqjx\lbcddfkfu.exe
Deletes File: C:\WINDOWS\wsnqmtqjx\yfcizifqrh
Creates Process: C:\wsnqmtqjx\lbcddfkfu.exe
Creates Service: Adapter Secure TPM Store Windows - C:\wsnqmtqjx\lbcddfkfu.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1880

Process
↳ Pid 1160

Process
↳ C:\wsnqmtqjx\lbcddfkfu.exe

Creates File: C:\wsnqmtqjx\yfcizifqrh
Creates File: pipe\net\NtControlPipe10
Creates File: C:\wsnqmtqjx\yhrqqbtq4q
Creates File: C:\wsnqmtqjx\zzjoqflpqf.exe
Creates File: C:\WINDOWS\wsnqmtqjx\yfcizifqrh
Creates File: C:\wsnqmtqjx\gnqw1ng
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\wsnqmtqjx\yfcizifqrh
Creates Process: uqwnvxubldce "c:\wsnqmtqjx\lbcddfkfu.exe"

Process
↳ C:\wsnqmtqjx\lbcddfkfu.exe

Creates File: C:\wsnqmtqjx\yfcizifqrh
Creates File: C:\WINDOWS\wsnqmtqjx\yfcizifqrh
Deletes File: C:\WINDOWS\wsnqmtqjx\yfcizifqrh

Process
↳ uqwnvxubldce "c:\wsnqmtqjx\lbcddfkfu.exe"

Creates File: C:\wsnqmtqjx\yfcizifqrh
Creates File: C:\WINDOWS\wsnqmtqjx\yfcizifqrh
Deletes File: C:\WINDOWS\wsnqmtqjx\yfcizifqrh

Network Details:

HTTP GET: http://leaderready.net/index.php
User-Agent:
HTTP GET: http://variousdaughter.net/index.php
User-Agent:
HTTP GET: http://answernation.net/index.php
User-Agent:
HTTP GET: http://glassnation.net/index.php
User-Agent:
HTTP GET: http://answerplease.net/index.php
User-Agent:
HTTP GET: http://necessarycondition.net/index.php
User-Agent:
HTTP GET: http://leadernation.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 68.178.232.100:80
Flows TCP: 192.168.1.1:1032 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1033 ➝ 8.5.1.36:80
Flows TCP: 192.168.1.1:1034 ➝ 88.208.252.205:80
Flows TCP: 192.168.1.1:1035 ➝ 195.22.26.248:80
Flows TCP: 192.168.1.1:1036 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1037 ➝ 74.208.24.220:80

Raw Pcap

Strings