Analysis Date: 2015-08-20 07:08:37
MD5: 62ed79a8c4cd932c24b23894d0f256b7
SHA1: b81180cf0513e39658d8b05e364364720ef4e3a4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: adca0c3e62ecdfa0e60b95fa6871e358 sha1: 3672df2964ed36b4c69456174beadedd7eaa9319 size: 274944
Section .rdata: md5: 1783528b7f307f427705b87e4a66e8d4 sha1: d21ba9f8a7ec65f28398c9f3bc4649a1f21982ab size: 44032
Section .data: md5: 69848f0a7ea8d0475509b75744695793 sha1: cf570ea0b3df1e5f9e64a5ac05fd2cd08a184d77 size: 7168
Section .reloc: md5: 3ff23c13a59d8ebe6f74c8de0a7f23c1 sha1: 9de4e6bfca88f0661ecbfe9876cd36bd9b54e185 size: 20992
Timestamp: 2015-05-21 04:46:13
Packer: Microsoft Visual C++ ?.?
PEhash: bbef5878ee3588a2a6818c99c20c74b472ea81d0
IMPhash: 314662b3b4ca4355314cf270f222c9eb
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Diley.1
AV Dr. Web: Trojan.DownLoader15.36971
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV BullGuard: Gen:Variant.Diley.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.J4
AV Trend Micro: TROJ_BAYROB.SM0
AV Kaspersky: Trojan.Win32.Scar.jwpt
AV Zillya!: Trojan.Scar.Win32.93668
AV Emsisoft: Gen:Variant.Diley.1
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.V.gen!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Diley.1
AV Fortinet: W32/Scar.A!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Y
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Diley.1
AV Twister: W32.Bayrob.Y.riod
AV Avira (antivir): TR/Crypt.ZPACK.154212
AV Mcafee: Trojan-FGIJ!62ED79A8C4CD
AV Rising: 0x58f795bf

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\ubrbbfhtc\q0mfmyvxqw
Creates File: C:\WINDOWS\ubrbbfhtc\q0mfmyvxqw
Creates File: C:\ubrbbfhtc\vp1kpoudvsabqax.exe
Deletes File: C:\WINDOWS\ubrbbfhtc\q0mfmyvxqw
Creates Process: C:\ubrbbfhtc\vp1kpoudvsabqax.exe

Process
↳ C:\ubrbbfhtc\vp1kpoudvsabqax.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Level Resolution Acquisition AutoConfig Visual ➝ C:\ubrbbfhtc\ttzeqsavmkzm.exe
Creates File: C:\ubrbbfhtc\d3d2nm4ju
Creates File: C:\ubrbbfhtc\q0mfmyvxqw
Creates File: C:\ubrbbfhtc\ttzeqsavmkzm.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\ubrbbfhtc\q0mfmyvxqw
Deletes File: C:\WINDOWS\ubrbbfhtc\q0mfmyvxqw
Creates Process: C:\ubrbbfhtc\ttzeqsavmkzm.exe
Creates Service: IKE Host DCOM Modules Management Image Drive - C:\ubrbbfhtc\ttzeqsavmkzm.exe

Process
↳ Pid 812

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1120

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1164

Process
↳ C:\ubrbbfhtc\ttzeqsavmkzm.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\ubrbbfhtc\d3d2nm4ju
Creates File: C:\ubrbbfhtc\q0mfmyvxqw
Creates File: C:\WINDOWS\ubrbbfhtc\q0mfmyvxqw
Creates File: \Device\Afd\Endpoint
Creates File: C:\ubrbbfhtc\rgnuhygy.exe
Creates File: C:\ubrbbfhtc\coyeqfalv
Deletes File: C:\WINDOWS\ubrbbfhtc\q0mfmyvxqw
Creates Process: dknny88smmbq "c:\ubrbbfhtc\ttzeqsavmkzm.exe"

Process
↳ C:\ubrbbfhtc\ttzeqsavmkzm.exe

Creates File: C:\ubrbbfhtc\q0mfmyvxqw
Creates File: C:\WINDOWS\ubrbbfhtc\q0mfmyvxqw
Deletes File: C:\WINDOWS\ubrbbfhtc\q0mfmyvxqw

Process
↳ dknny88smmbq "c:\ubrbbfhtc\ttzeqsavmkzm.exe"

Creates File: C:\ubrbbfhtc\q0mfmyvxqw
Creates File: C:\WINDOWS\ubrbbfhtc\q0mfmyvxqw
Deletes File: C:\WINDOWS\ubrbbfhtc\q0mfmyvxqw

Network Details:

HTTP GET: http://windowmaster.net/index.php
User-Agent: (empty)
HTTP GET: http://windowwonder.net/index.php
User-Agent: (empty)
HTTP GET: http://perhapsdiscover.net/index.php
User-Agent: (empty)
HTTP GET: http://sweetmaster.net/index.php
User-Agent: (empty)
HTTP GET: http://materialmaster.net/index.php
User-Agent: (empty)
HTTP GET: http://severabecame.net/index.php
User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1032 ➝ 50.63.202.13:80
Flows TCP: 192.168.1.1:1033 ➝ 195.22.26.231:80
Flows TCP: 192.168.1.1:1034 ➝ 199.168.188.154:80
Flows TCP: 192.168.1.1:1035 ➝ 216.21.239.197:80
Flows TCP: 192.168.1.1:1036 ➝ 8.5.1.16:80

Raw Pcap
Strings