Analysis Date: 2016-02-17 09:19:58
MD5: d5393198f9b84e1c95e1ea42d5e59060
SHA1: bb3ecabe600faf70b2dc255aeaa8f307d6d2b1fb

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 0b73d4b567778ee452618e7e50ebbef3 sha1: 76b661e3cef94d5272b50dae7fe514834ff849fb size: 198144
Section .rdata: md5: ba680e96c4c1ad43e516e0abeb1e9501 sha1: 65f297d39dc8fea0859c3630fe3c4c1a9c86cd1d size: 3072
Section .data: md5: fbfe7470dd7700bd670110845972ab42 sha1: 4b664f885fd9bb6fcacebd9542e2d378370af739 size: 15872
Section .reloc: md5: 36b5ea2832a1ed857a894cd2aa810ec7 sha1: ed8ba91ebc4656819b8c4e26005b68153438b09b size: 30720
Timestamp: 2014-11-30 15:49:47
PEhash: 140ef827bc7cfb7f11807bde59b7267340d5f9b9
IMPhash: ac7b832f26281c6f898be6a7c93f1844
AV CA (E-Trust Ino): Gen:Variant.Razy.15460
AV Rising: No Virus
AV Mcafee: Trojan-FHRG!D5393198F9B8
AV Avira (antivir): TR/Nivdort.A.32239
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.15460
AV Alwil (avast): Vupa [Cryp]
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Grisoft (avg): Win32/Heur
AV Symantec: Trojan.Bayrob!gen6
AV Fortinet: W32/Bayrob.AQ!tr
AV BitDefender: Gen:Variant.Razy.15460
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DD
AV MicroWorld (escan): Gen:Variant.Razy.15460
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.H.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.15460
AV Frisk (f-prot): W32/Nivdort.H.gen!Eldorado
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.r4
AV BullGuard: Gen:Variant.Razy.15460
AV Arcabit (arcavir): Gen:Variant.Razy.15460
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.29304
AV F-Secure: Gen:Variant.Razy.15460

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\jzsoezyqins\nbycpggljs18
Creates File: C:\WINDOWS\jzsoezyqins\nbycpggljs18
Creates File: C:\jzsoezyqins\kmavs1jx0abkgiveoki.exe
Deletes File: C:\WINDOWS\jzsoezyqins\nbycpggljs18
Creates Process: C:\jzsoezyqins\kmavs1jx0abkgiveoki.exe

Process
↳ C:\jzsoezyqins\kmavs1jx0abkgiveoki.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Isolation Receiver Problem Scheduler Image ➝ C:\jzsoezyqins\gvctdkvpnba.exe
Creates File: C:\jzsoezyqins\gvctdkvpnba.exe
Creates File: C:\jzsoezyqins\nbycpggljs18
Creates File: C:\WINDOWS\jzsoezyqins\nbycpggljs18
Creates File: PIPE\lsarpc
Creates File: C:\jzsoezyqins\yclpqhqjyqu9
Deletes File: C:\WINDOWS\jzsoezyqins\nbycpggljs18
Creates Process: C:\jzsoezyqins\gvctdkvpnba.exe
Creates Service: Awareness Builder Presentation - C:\jzsoezyqins\gvctdkvpnba.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1852

Process
↳ Pid 1140

Process
↳ C:\jzsoezyqins\gvctdkvpnba.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\jzsoezyqins\nbycpggljs18
Creates File: C:\WINDOWS\jzsoezyqins\nbycpggljs18
Creates File: C:\jzsoezyqins\ybikynqr.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\jzsoezyqins\rgy372tjg
Creates File: C:\jzsoezyqins\yclpqhqjyqu9
Deletes File: C:\WINDOWS\jzsoezyqins\nbycpggljs18
Creates Process: dqilvyxr1py4 "c:\jzsoezyqins\gvctdkvpnba.exe"

Process
↳ C:\jzsoezyqins\gvctdkvpnba.exe

Creates File: C:\jzsoezyqins\nbycpggljs18
Creates File: C:\WINDOWS\jzsoezyqins\nbycpggljs18
Deletes File: C:\WINDOWS\jzsoezyqins\nbycpggljs18

Process
↳ dqilvyxr1py4 "c:\jzsoezyqins\gvctdkvpnba.exe"

Creates File: C:\jzsoezyqins\nbycpggljs18
Creates File: C:\WINDOWS\jzsoezyqins\nbycpggljs18
Deletes File: C:\WINDOWS\jzsoezyqins\nbycpggljs18

Network Details:

DNS: foreignoffice.net (Type: A) ➝ 141.8.225.124
DNS: foreignarrive.net (Type: A) ➝ 195.22.28.197
DNS: foreignarrive.net (Type: A) ➝ 195.22.28.198
DNS: foreignarrive.net (Type: A) ➝ 195.22.28.199
DNS: foreignarrive.net (Type: A) ➝ 195.22.28.196
DNS: familyoffice.net (Type: A) ➝ 208.91.197.27
DNS: expectpresident.net (Type: A) ➝ 208.100.26.234
DNS: cigarettepresident.net (Type: A) ➝ 195.22.28.197
DNS: cigarettepresident.net (Type: A) ➝ 195.22.28.198
DNS: cigarettepresident.net (Type: A) ➝ 195.22.28.199
DNS: cigarettepresident.net (Type: A) ➝ 195.22.28.196
DNS: childrenstrong.net (Type: A) ➝ 50.63.202.52
DNS: familystrong.net (Type: A) ➝ 104.193.182.229
DNS: englishopinion.net (Type: A)
DNS: eitherpromise.net (Type: A)
DNS: englishpromise.net (Type: A)
DNS: expectsupply.net (Type: A)
DNS: becausesupply.net (Type: A)
DNS: expectdistance.net (Type: A)
DNS: becausedistance.net (Type: A)
DNS: expectoffice.net (Type: A)
DNS: becauseoffice.net (Type: A)
DNS: expectarrive.net (Type: A)
DNS: becausearrive.net (Type: A)
DNS: personsupply.net (Type: A)
DNS: machinesupply.net (Type: A)
DNS: persondistance.net (Type: A)
DNS: machinedistance.net (Type: A)
DNS: personoffice.net (Type: A)
DNS: machineoffice.net (Type: A)
DNS: personarrive.net (Type: A)
DNS: machinearrive.net (Type: A)
DNS: suddensupply.net (Type: A)
DNS: foreignsupply.net (Type: A)
DNS: suddendistance.net (Type: A)
DNS: foreigndistance.net (Type: A)
DNS: suddenoffice.net (Type: A)
DNS: suddenarrive.net (Type: A)
DNS: whethersupply.net (Type: A)
DNS: rightsupply.net (Type: A)
DNS: whetherdistance.net (Type: A)
DNS: rightdistance.net (Type: A)
DNS: whetheroffice.net (Type: A)
DNS: rightoffice.net (Type: A)
DNS: whetherarrive.net (Type: A)
DNS: rightarrive.net (Type: A)
DNS: figuresupply.net (Type: A)
DNS: thoughsupply.net (Type: A)
DNS: figuredistance.net (Type: A)
DNS: thoughdistance.net (Type: A)
DNS: figureoffice.net (Type: A)
DNS: thoughoffice.net (Type: A)
DNS: figurearrive.net (Type: A)
DNS: thougharrive.net (Type: A)
DNS: picturesupply.net (Type: A)
DNS: cigarettesupply.net (Type: A)
DNS: picturedistance.net (Type: A)
DNS: cigarettedistance.net (Type: A)
DNS: pictureoffice.net (Type: A)
DNS: cigaretteoffice.net (Type: A)
DNS: picturearrive.net (Type: A)
DNS: cigarettearrive.net (Type: A)
DNS: childrensupply.net (Type: A)
DNS: familysupply.net (Type: A)
DNS: childrendistance.net (Type: A)
DNS: familydistance.net (Type: A)
DNS: childrenoffice.net (Type: A)
DNS: childrenarrive.net (Type: A)
DNS: familyarrive.net (Type: A)
DNS: eithersupply.net (Type: A)
DNS: englishsupply.net (Type: A)
DNS: eitherdistance.net (Type: A)
DNS: englishdistance.net (Type: A)
DNS: eitheroffice.net (Type: A)
DNS: englishoffice.net (Type: A)
DNS: eitherarrive.net (Type: A)
DNS: englisharrive.net (Type: A)
DNS: expectstrong.net (Type: A)
DNS: becausestrong.net (Type: A)
DNS: expecttrouble.net (Type: A)
DNS: becausetrouble.net (Type: A)
DNS: becausepresident.net (Type: A)
DNS: expectcaught.net (Type: A)
DNS: becausecaught.net (Type: A)
DNS: personstrong.net (Type: A)
DNS: machinestrong.net (Type: A)
DNS: persontrouble.net (Type: A)
DNS: machinetrouble.net (Type: A)
DNS: personpresident.net (Type: A)
DNS: machinepresident.net (Type: A)
DNS: personcaught.net (Type: A)
DNS: machinecaught.net (Type: A)
DNS: suddenstrong.net (Type: A)
DNS: foreignstrong.net (Type: A)
DNS: suddentrouble.net (Type: A)
DNS: foreigntrouble.net (Type: A)
DNS: suddenpresident.net (Type: A)
DNS: foreignpresident.net (Type: A)
DNS: suddencaught.net (Type: A)
DNS: foreigncaught.net (Type: A)
DNS: whetherstrong.net (Type: A)
DNS: rightstrong.net (Type: A)
DNS: whethertrouble.net (Type: A)
DNS: righttrouble.net (Type: A)
DNS: whetherpresident.net (Type: A)
DNS: rightpresident.net (Type: A)
DNS: whethercaught.net (Type: A)
DNS: rightcaught.net (Type: A)
DNS: figurestrong.net (Type: A)
DNS: thoughstrong.net (Type: A)
DNS: figuretrouble.net (Type: A)
DNS: thoughtrouble.net (Type: A)
DNS: figurepresident.net (Type: A)
DNS: thoughpresident.net (Type: A)
DNS: figurecaught.net (Type: A)
DNS: thoughcaught.net (Type: A)
DNS: picturestrong.net (Type: A)
DNS: cigarettestrong.net (Type: A)
DNS: picturetrouble.net (Type: A)
DNS: cigarettetrouble.net (Type: A)
DNS: picturepresident.net (Type: A)
DNS: picturecaught.net (Type: A)
DNS: cigarettecaught.net (Type: A)
DNS: childrentrouble.net (Type: A)
DNS: familytrouble.net (Type: A)
DNS: childrenpresident.net (Type: A)
DNS: familypresident.net (Type: A)
DNS: childrencaught.net (Type: A)
DNS: familycaught.net (Type: A)
DNS: eitherstrong.net (Type: A)
DNS: englishstrong.net (Type: A)
DNS: eithertrouble.net (Type: A)
DNS: englishtrouble.net (Type: A)
DNS: eitherpresident.net (Type: A)
DNS: englishpresident.net (Type: A)
DNS: eithercaught.net (Type: A)
DNS: englishcaught.net (Type: A)
DNS: expectcontinue.net (Type: A)
DNS: becausecontinue.net (Type: A)
DNS: expectmaster.net (Type: A)
DNS: becausemaster.net (Type: A)
DNS: expectwonder.net (Type: A)
DNS: becausewonder.net (Type: A)
DNS: expectdiscover.net (Type: A)
DNS: becausediscover.net (Type: A)
DNS: personcontinue.net (Type: A)
DNS: machinecontinue.net (Type: A)
DNS: personmaster.net (Type: A)
DNS: machinemaster.net (Type: A)
DNS: personwonder.net (Type: A)
DNS: machinewonder.net (Type: A)
DNS: persondiscover.net (Type: A)
DNS: machinediscover.net (Type: A)
DNS: suddencontinue.net (Type: A)
DNS: foreigncontinue.net (Type: A)
DNS: suddenmaster.net (Type: A)
DNS: foreignmaster.net (Type: A)
DNS: suddenwonder.net (Type: A)
DNS: foreignwonder.net (Type: A)
DNS: suddendiscover.net (Type: A)
DNS: foreigndiscover.net (Type: A)
DNS: whethercontinue.net (Type: A)
DNS: rightcontinue.net (Type: A)
DNS: whethermaster.net (Type: A)
DNS: rightmaster.net (Type: A)
DNS: whetherwonder.net (Type: A)
DNS: rightwonder.net (Type: A)
DNS: whetherdiscover.net (Type: A)
DNS: rightdiscover.net (Type: A)
DNS: figurecontinue.net (Type: A)
DNS: thoughcontinue.net (Type: A)
DNS: figuremaster.net (Type: A)
DNS: thoughmaster.net (Type: A)
DNS: figurewonder.net (Type: A)
DNS: thoughwonder.net (Type: A)
DNS: figurediscover.net (Type: A)
HTTP GET: http://foreignoffice.net/index.php (User-Agent: none)
HTTP GET: http://foreignarrive.net/index.php (User-Agent: none)
HTTP GET: http://familyoffice.net/index.php (User-Agent: none)
HTTP GET: http://expectpresident.net/index.php (User-Agent: none)
HTTP GET: http://cigarettepresident.net/index.php (User-Agent: none)
HTTP GET: http://childrenstrong.net/index.php (User-Agent: none)
HTTP GET: http://familystrong.net/index.php (User-Agent: none)
Flows TCP: 192.168.1.1:1031 ➝ 141.8.225.124:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.28.197:80
Flows TCP: 192.168.1.1:1033 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1034 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1035 ➝ 195.22.28.197:80
Flows TCP: 192.168.1.1:1036 ➝ 50.63.202.52:80
Flows TCP: 192.168.1.1:1037 ➝ 104.193.182.229:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   6f726569 676e6f66 66696365 2e6e6574   oreignoffice.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   6f726569 676e6172 72697665 2e6e6574   oreignarrive.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   616d696c 796f6666 6963652e 6e65740d   amilyoffice.net.
0x00000050 (00080)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   78706563 74707265 73696465 6e742e6e   xpectpresident.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   69676172 65747465 70726573 6964656e   igarettepresiden
0x00000050 (00080)   742e6e65 740d0a0d 0a                  t.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   68696c64 72656e73 74726f6e 672e6e65   hildrenstrong.ne
0x00000050 (00080)   740d0a0d 0a0d0a0d 0a                  t........

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   616d696c 79737472 6f6e672e 6e65740d   amilystrong.net.
0x00000050 (00080)   0a0d0a0d 0a0d0a0d 0a                  .........

Strings