Analysis Date: 2016-02-03 22:26:42
MD5: e45b0269f8cae5f2c09304d8c6f9bef1
SHA1: bb72739c92450c79e3b6078daafd916e9e7cb2ba

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: c22ecacb5f4ec2c27334f5b7fb1b8b13  sha1: 339ffc1fac3c527351bfc4c17b94058a9a796252  size: 265216
Section .rdata  md5: 93a63ba20ca774893fca5b4460c31156  sha1: c2fa67f7003447de6a4e87993ea2c04039d3b40c  size: 38912
Section .data   md5: 83a5d0a6b65a6121ab6b20721064ac7e  sha1: 2bb138a0bb962bd513d86ff5715fcb88bc352747  size: 2048
Section .reloc  md5: ff1f67fc6f9d06176d84bee4c318af2a  sha1: d3c194d670db4c00497ec0cb242cf4fcaade88a5  size: 50688
Timestamp (PE compile time): 2015-12-23 04:11:54
Packer: Borland Delphi 3.0 (???)
PEhash: 9d2676d04326fe2ec069a3c57a9c09d1cf97e1a2
IMPhash: 48ead3e843e56a1c14419cf54442c5a7
AV CA (E-Trust Ino): No Virus
AV F-Secure: Gen:Variant.Razy.11545
AV Dr. Web: Trojan.DownLoader18.43124
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Razy.11545
AV BullGuard: Gen:Variant.Razy.11545
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): BScope.Malware-Cryptor.Msgfake
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): W32/Nivdort.F.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.11545
AV Authentium: W32/Nivdort.F.gen!Eldorado
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Kazy.784853
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.CW
AV K7: Trojan ( 004db0c61 )
AV BitDefender: Gen:Variant.Razy.11545
AV Fortinet: W32/Bayrob.AQ!tr
AV Symantec: Trojan.Bayrob!gen6
AV Grisoft (avg): Win32/Heur
AV Eset (nod32): Win32/Bayrob.AQ
AV Alwil (avast): Win32:Malware-gen
AV Rising: No Virus
AV Ad-Aware: Gen:Variant.Razy.11545
AV Twister: No Virus
AV Avira (antivir): TR/Crypt.Xpack.437347
AV McAfee: Trojan-FHPD!E45B0269F8CA

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\mmaczme\ysluhk
Creates File: C:\WINDOWS\mmaczme\ysluhk
Creates File: C:\mmaczme\ap1lqkxajbldu3o2j.exe
Deletes File: C:\WINDOWS\mmaczme\ysluhk
Creates Process: C:\mmaczme\ap1lqkxajbldu3o2j.exe

Process
↳ C:\mmaczme\ap1lqkxajbldu3o2j.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Presentation Problem Intelligent Volume ➝ C:\mmaczme\jrlctipmje.exe
Creates File: C:\mmaczme\ysluhk
Creates File: C:\WINDOWS\mmaczme\ysluhk
Creates File: PIPE\lsarpc
Creates File: C:\mmaczme\kdnqq5mvj
Creates File: C:\mmaczme\jrlctipmje.exe
Deletes File: C:\WINDOWS\mmaczme\ysluhk
Creates Process: C:\mmaczme\jrlctipmje.exe
Creates Service: Net.Tcp Adaptive Protocol Parental Upgrade - C:\mmaczme\jrlctipmje.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1136

Process
↳ C:\mmaczme\jrlctipmje.exe

Creates File: C:\mmaczme\nkueosia
Creates File: pipe\net\NtControlPipe10
Creates File: C:\mmaczme\ysluhk
Creates File: C:\WINDOWS\mmaczme\ysluhk
Creates File: C:\mmaczme\oawmrrf.exe
Creates File: C:\mmaczme\kdnqq5mvj
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\mmaczme\ysluhk
Creates Process: zjapssqjtofb "c:\mmaczme\jrlctipmje.exe"

Process
↳ C:\mmaczme\jrlctipmje.exe

Creates File: C:\mmaczme\ysluhk
Creates File: C:\WINDOWS\mmaczme\ysluhk
Deletes File: C:\WINDOWS\mmaczme\ysluhk

Process
↳ zjapssqjtofb "c:\mmaczme\jrlctipmje.exe"

Creates File: C:\mmaczme\ysluhk
Creates File: C:\WINDOWS\mmaczme\ysluhk
Deletes File: C:\WINDOWS\mmaczme\ysluhk

Network Details:

DNS: knownfuture.net  Type: A  94.127.112.92
DNS: knownfuture.net  Type: A  94.127.112.93
DNS: crowdfuture.net  Type: A  188.226.181.245
DNS: watersafety.net  Type: A  217.160.52.166
DNS: waterfuture.net  Type: A  184.168.221.9
DNS: freshhealth.net  Type: A  208.91.197.27
DNS: experiencehealth.net  Type: A  198.1.89.4
DNS: freshclothes.net  Type: A  188.93.150.107
DNS: alreadyclothes.net  Type: A  195.22.28.198
DNS: alreadyclothes.net  Type: A  195.22.28.197
DNS: alreadyclothes.net  Type: A  195.22.28.196
DNS: alreadyclothes.net  Type: A  195.22.28.199
DNS: followhealth.net  Type: A  184.168.221.52
DNS: memberhealth.net  Type: A  141.8.225.31
DNS: begindistant.net  Type: A  208.100.26.234
DNS: crowdseparate.net  Type: A  98.139.135.129
DNS: summerclothes.net  Type: A  184.168.221.20
DNS: waterhealth.net  Type: A  72.52.4.120
DNS: womanhealth.net  Type: A  69.89.22.137
DNS: partyclothes.net  Type: A  109.68.33.25
DNS: freshcatch.net  Type: A  192.155.217.146
DNS: crowdcatch.net  Type: A  50.63.202.47
DNS: summerdress.net  Type: A  50.87.150.116
DNS: partydress.net  Type: A  208.73.211.183
DNS: partydress.net  Type: A  208.73.211.179
DNS: partydress.net  Type: A  208.73.211.195
DNS: partydress.net  Type: A  208.73.211.192
DNS: summersmell.net  Type: A  (no answer recorded)
DNS: crowdsmell.net  Type: A  (no answer recorded)
DNS: summerearly.net  Type: A  (no answer recorded)
DNS: crowdearly.net  Type: A  (no answer recorded)
DNS: summersafety.net  Type: A  (no answer recorded)
DNS: crowdsafety.net  Type: A  (no answer recorded)
DNS: summerfuture.net  Type: A  (no answer recorded)
DNS: thoughtsmell.net  Type: A  (no answer recorded)
DNS: watersmell.net  Type: A  (no answer recorded)
DNS: thoughtearly.net  Type: A  (no answer recorded)
DNS: waterearly.net  Type: A  (no answer recorded)
DNS: thoughtsafety.net  Type: A  (no answer recorded)
DNS: thoughtfuture.net  Type: A  (no answer recorded)
DNS: womansmell.net  Type: A  (no answer recorded)
DNS: smokesmell.net  Type: A  (no answer recorded)
DNS: womanearly.net  Type: A  (no answer recorded)
DNS: smokeearly.net  Type: A  (no answer recorded)
DNS: womansafety.net  Type: A  (no answer recorded)
DNS: smokesafety.net  Type: A  (no answer recorded)
DNS: womanfuture.net  Type: A  (no answer recorded)
DNS: smokefuture.net  Type: A  (no answer recorded)
DNS: partysmell.net  Type: A  (no answer recorded)
DNS: fightsmell.net  Type: A  (no answer recorded)
DNS: partyearly.net  Type: A  (no answer recorded)
DNS: fightearly.net  Type: A  (no answer recorded)
DNS: partysafety.net  Type: A  (no answer recorded)
DNS: fightsafety.net  Type: A  (no answer recorded)
DNS: partyfuture.net  Type: A  (no answer recorded)
DNS: fightfuture.net  Type: A  (no answer recorded)
DNS: freshseparate.net  Type: A  (no answer recorded)
DNS: experienceseparate.net  Type: A  (no answer recorded)
DNS: experienceclothes.net  Type: A  (no answer recorded)
DNS: freshdistant.net  Type: A  (no answer recorded)
DNS: experiencedistant.net  Type: A  (no answer recorded)
DNS: gentlemanseparate.net  Type: A  (no answer recorded)
DNS: alreadyseparate.net  Type: A  (no answer recorded)
DNS: gentlemanhealth.net  Type: A  (no answer recorded)
DNS: alreadyhealth.net  Type: A  (no answer recorded)
DNS: gentlemanclothes.net  Type: A  (no answer recorded)
DNS: gentlemandistant.net  Type: A  (no answer recorded)
DNS: alreadydistant.net  Type: A  (no answer recorded)
DNS: followseparate.net  Type: A  (no answer recorded)
DNS: memberseparate.net  Type: A  (no answer recorded)
DNS: followclothes.net  Type: A  (no answer recorded)
DNS: memberclothes.net  Type: A  (no answer recorded)
DNS: followdistant.net  Type: A  (no answer recorded)
DNS: memberdistant.net  Type: A  (no answer recorded)
DNS: beginseparate.net  Type: A  (no answer recorded)
DNS: knownseparate.net  Type: A  (no answer recorded)
DNS: beginhealth.net  Type: A  (no answer recorded)
DNS: knownhealth.net  Type: A  (no answer recorded)
DNS: beginclothes.net  Type: A  (no answer recorded)
DNS: knownclothes.net  Type: A  (no answer recorded)
DNS: knowndistant.net  Type: A  (no answer recorded)
DNS: summerseparate.net  Type: A  (no answer recorded)
DNS: summerhealth.net  Type: A  (no answer recorded)
DNS: crowdhealth.net  Type: A  (no answer recorded)
DNS: crowdclothes.net  Type: A  (no answer recorded)
DNS: summerdistant.net  Type: A  (no answer recorded)
DNS: crowddistant.net  Type: A  (no answer recorded)
DNS: thoughtseparate.net  Type: A  (no answer recorded)
DNS: waterseparate.net  Type: A  (no answer recorded)
DNS: thoughthealth.net  Type: A  (no answer recorded)
DNS: thoughtclothes.net  Type: A  (no answer recorded)
DNS: waterclothes.net  Type: A  (no answer recorded)
DNS: thoughtdistant.net  Type: A  (no answer recorded)
DNS: waterdistant.net  Type: A  (no answer recorded)
DNS: womanseparate.net  Type: A  (no answer recorded)
DNS: smokeseparate.net  Type: A  (no answer recorded)
DNS: smokehealth.net  Type: A  (no answer recorded)
DNS: womanclothes.net  Type: A  (no answer recorded)
DNS: smokeclothes.net  Type: A  (no answer recorded)
DNS: womandistant.net  Type: A  (no answer recorded)
DNS: smokedistant.net  Type: A  (no answer recorded)
DNS: partyseparate.net  Type: A  (no answer recorded)
DNS: fightseparate.net  Type: A  (no answer recorded)
DNS: partyhealth.net  Type: A  (no answer recorded)
DNS: fighthealth.net  Type: A  (no answer recorded)
DNS: fightclothes.net  Type: A  (no answer recorded)
DNS: partydistant.net  Type: A  (no answer recorded)
DNS: fightdistant.net  Type: A  (no answer recorded)
DNS: experiencecatch.net  Type: A  (no answer recorded)
DNS: fresheearly.net  Type: A  (no answer recorded)
DNS: experienceeearly.net  Type: A  (no answer recorded)
DNS: freshpublic.net  Type: A  (no answer recorded)
DNS: experiencepublic.net  Type: A  (no answer recorded)
DNS: freshdress.net  Type: A  (no answer recorded)
DNS: experiencedress.net  Type: A  (no answer recorded)
DNS: gentlemancatch.net  Type: A  (no answer recorded)
DNS: alreadycatch.net  Type: A  (no answer recorded)
DNS: gentlemaneearly.net  Type: A  (no answer recorded)
DNS: alreadyeearly.net  Type: A  (no answer recorded)
DNS: gentlemanpublic.net  Type: A  (no answer recorded)
DNS: alreadypublic.net  Type: A  (no answer recorded)
DNS: gentlemandress.net  Type: A  (no answer recorded)
DNS: alreadydress.net  Type: A  (no answer recorded)
DNS: followcatch.net  Type: A  (no answer recorded)
DNS: membercatch.net  Type: A  (no answer recorded)
DNS: followeearly.net  Type: A  (no answer recorded)
DNS: membereearly.net  Type: A  (no answer recorded)
DNS: followpublic.net  Type: A  (no answer recorded)
DNS: memberpublic.net  Type: A  (no answer recorded)
DNS: followdress.net  Type: A  (no answer recorded)
DNS: memberdress.net  Type: A  (no answer recorded)
DNS: begincatch.net  Type: A  (no answer recorded)
DNS: knowncatch.net  Type: A  (no answer recorded)
DNS: begineearly.net  Type: A  (no answer recorded)
DNS: knowneearly.net  Type: A  (no answer recorded)
DNS: beginpublic.net  Type: A  (no answer recorded)
DNS: knownpublic.net  Type: A  (no answer recorded)
DNS: begindress.net  Type: A  (no answer recorded)
DNS: knowndress.net  Type: A  (no answer recorded)
DNS: summercatch.net  Type: A  (no answer recorded)
DNS: summereearly.net  Type: A  (no answer recorded)
DNS: crowdeearly.net  Type: A  (no answer recorded)
DNS: summerpublic.net  Type: A  (no answer recorded)
DNS: crowdpublic.net  Type: A  (no answer recorded)
DNS: crowddress.net  Type: A  (no answer recorded)
DNS: thoughtcatch.net  Type: A  (no answer recorded)
DNS: watercatch.net  Type: A  (no answer recorded)
DNS: thoughteearly.net  Type: A  (no answer recorded)
DNS: watereearly.net  Type: A  (no answer recorded)
DNS: thoughtpublic.net  Type: A  (no answer recorded)
DNS: waterpublic.net  Type: A  (no answer recorded)
DNS: thoughtdress.net  Type: A  (no answer recorded)
DNS: waterdress.net  Type: A  (no answer recorded)
DNS: womancatch.net  Type: A  (no answer recorded)
DNS: smokecatch.net  Type: A  (no answer recorded)
DNS: womaneearly.net  Type: A  (no answer recorded)
DNS: smokeeearly.net  Type: A  (no answer recorded)
DNS: womanpublic.net  Type: A  (no answer recorded)
DNS: smokepublic.net  Type: A  (no answer recorded)
DNS: womandress.net  Type: A  (no answer recorded)
DNS: smokedress.net  Type: A  (no answer recorded)
DNS: partycatch.net  Type: A  (no answer recorded)
DNS: fightcatch.net  Type: A  (no answer recorded)
DNS: partyeearly.net  Type: A  (no answer recorded)
DNS: fighteearly.net  Type: A  (no answer recorded)
DNS: partypublic.net  Type: A  (no answer recorded)
DNS: fightpublic.net  Type: A  (no answer recorded)
DNS: fightdress.net  Type: A  (no answer recorded)
DNS: severalength.net  Type: A  (no answer recorded)
DNS: laughlength.net  Type: A  (no answer recorded)
DNS: severanotice.net  Type: A  (no answer recorded)
DNS: laughnotice.net  Type: A  (no answer recorded)
DNS: severaindeed.net  Type: A  (no answer recorded)
DNS: laughindeed.net  Type: A  (no answer recorded)
DNS: severaduring.net  Type: A  (no answer recorded)
DNS: laughduring.net  Type: A  (no answer recorded)
DNS: simplelength.net  Type: A  (no answer recorded)

HTTP GET: http://knownfuture.net/index.php  User-Agent: (empty)
HTTP GET: http://crowdfuture.net/index.php  User-Agent: (empty)
HTTP GET: http://watersafety.net/index.php  User-Agent: (empty)
HTTP GET: http://waterfuture.net/index.php  User-Agent: (empty)
HTTP GET: http://freshhealth.net/index.php  User-Agent: (empty)
HTTP GET: http://experiencehealth.net/index.php  User-Agent: (empty)
HTTP GET: http://freshclothes.net/index.php  User-Agent: (empty)
HTTP GET: http://alreadyclothes.net/index.php  User-Agent: (empty)
HTTP GET: http://followhealth.net/index.php  User-Agent: (empty)
HTTP GET: http://memberhealth.net/index.php  User-Agent: (empty)
HTTP GET: http://begindistant.net/index.php  User-Agent: (empty)
HTTP GET: http://crowdseparate.net/index.php  User-Agent: (empty)
HTTP GET: http://summerclothes.net/index.php  User-Agent: (empty)
HTTP GET: http://waterhealth.net/index.php  User-Agent: (empty)
HTTP GET: http://womanhealth.net/index.php  User-Agent: (empty)
HTTP GET: http://partyclothes.net/index.php  User-Agent: (empty)
HTTP GET: http://freshcatch.net/index.php  User-Agent: (empty)
HTTP GET: http://crowdcatch.net/index.php  User-Agent: (empty)
HTTP GET: http://summerdress.net/index.php  User-Agent: (empty)
HTTP GET: http://partydress.net/index.php  User-Agent: (empty)

Flows TCP: 192.168.1.1:1031 ➝ 94.127.112.92:80
Flows TCP: 192.168.1.1:1032 ➝ 188.226.181.245:80
Flows TCP: 192.168.1.1:1033 ➝ 217.160.52.166:80
Flows TCP: 192.168.1.1:1034 ➝ 184.168.221.9:80
Flows TCP: 192.168.1.1:1035 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1036 ➝ 198.1.89.4:80
Flows TCP: 192.168.1.1:1037 ➝ 188.93.150.107:80
Flows TCP: 192.168.1.1:1038 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1039 ➝ 184.168.221.52:80
Flows TCP: 192.168.1.1:1040 ➝ 141.8.225.31:80
Flows TCP: 192.168.1.1:1041 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1042 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1043 ➝ 184.168.221.20:80
Flows TCP: 192.168.1.1:1044 ➝ 72.52.4.120:80
Flows TCP: 192.168.1.1:1045 ➝ 69.89.22.137:80
Flows TCP: 192.168.1.1:1046 ➝ 109.68.33.25:80
Flows TCP: 192.168.1.1:1047 ➝ 192.155.217.146:80
Flows TCP: 192.168.1.1:1048 ➝ 50.63.202.47:80
Flows TCP: 192.168.1.1:1049 ➝ 50.87.150.116:80
Flows TCP: 192.168.1.1:1050 ➝ 208.73.211.183:80
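The runtime and network records above, as an added worked example that is not part of the original report and not tooling from the sandbox that produced it: a Python script that parses lines in this page's "Key: value" layout into indicators, names the staging directory (every dropped file lives under C:\mmaczme), lists the two autostart mechanisms (the Run value "Presentation Problem Intelligent Volume" and the service "Net.Tcp Adaptive Protocol Parental Upgrade", both pointing at C:\mmaczme\jrlctipmje.exe), separates the hostnames that resolved from the many that got no answer, and checks whether each hostname decomposes into two words from the vocabulary seen in the report, which is what marks the DNS pattern as generated rather than hard-coded. REPORT is a constructed subset of the report's own lines; VOCAB contains only words taken from hostnames on this page; the "(empty)" User-Agent and "(no answer recorded)" markers follow the layout used on this page.

```python
"""Extract indicators from the sandbox report above and characterise its network activity.
Added example for this page, not tooling from the sandbox; REPORT is a constructed
subset of the report's own lines retyped in this page's "Key: value" layout."""
import json
import re
from collections import Counter, defaultdict

REPORT = r"""
Creates File: C:\mmaczme\ysluhk
Creates File: C:\mmaczme\ap1lqkxajbldu3o2j.exe
Creates Process: C:\mmaczme\ap1lqkxajbldu3o2j.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Presentation Problem Intelligent Volume ➝ C:\mmaczme\jrlctipmje.exe
Creates File: C:\mmaczme\jrlctipmje.exe
Creates Service: Net.Tcp Adaptive Protocol Parental Upgrade - C:\mmaczme\jrlctipmje.exe
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
DNS: knownfuture.net  Type: A  94.127.112.92
DNS: crowdfuture.net  Type: A  188.226.181.245
DNS: watersafety.net  Type: A  217.160.52.166
DNS: summersmell.net  Type: A  (no answer recorded)
DNS: crowdsmell.net  Type: A  (no answer recorded)
DNS: partydress.net  Type: A  208.73.211.183
HTTP GET: http://knownfuture.net/index.php  User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 94.127.112.92:80
Flows TCP: 192.168.1.1:1032 ➝ 188.226.181.245:80
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z .]*?):\s+(?P<value>.+)$")
DNS_RE = re.compile(r"^(?P<host>\S+)\s+Type:\s*(?P<rtype>\w+)"
                    r"(?:\s+(?P<addr>\d{1,3}(?:\.\d{1,3}){3}))?(?:\s+\(.*\))?\s*$")
FLOW_RE = re.compile(r"^[\d.]+:\d+\s+➝\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
# Words the report's hostnames are built from (first and second position), taken from the page.
VOCAB = ("known", "crowd", "water", "fresh", "experience", "already", "follow", "member",
         "begin", "summer", "woman", "party", "thought", "smoke", "fight", "gentleman",
         "laugh", "simple", "future", "safety", "health", "clothes", "distant", "separate",
         "catch", "dress", "smell", "early", "public", "length", "notice", "indeed", "during")


def parse_report(text):
    """Group the report's 'Key: value' lines by record type."""
    rec = defaultdict(list)
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m["key"], m["value"]
        if key == "Creates Service":          # "<display name> - <image path>"
            name, _, image = value.partition(" - ")
            rec[key].append((name, image))
        elif key == "Registry":               # "<key\value name> ➝ <data>"
            path, _, data = value.partition(" ➝ ")
            rec[key].append((path, data))
        elif key == "DNS":                    # address is absent when nothing answered
            d = DNS_RE.match(value)
            if d:
                rec[key].append((d["host"], d["rtype"], d["addr"]))
        elif key == "HTTP GET":
            url, _, ua = value.partition("User-Agent: ")
            rec[key].append((url.strip(), ua.strip()))
        elif key == "Flows TCP":
            f = FLOW_RE.match(value)
            if f:
                rec[key].append((f["dst"], int(f["dport"])))
        else:                                 # Creates/Deletes File, Creates Process
            rec[key].append(value)
    return rec


def staging_dirs(rec):
    """Created files per directory; the non-standard directory that dominates is the drop location."""
    return Counter(path.rsplit("\\", 1)[0] for path in rec["Creates File"])


def persistence(rec):
    """Autostart entries: Run/RunOnce values and installed services, each with its image path."""
    hits = []
    for path, data in rec["Registry"]:
        if any(k in path.lower() for k in RUN_KEYS):
            hits.append(("run-key", path.rsplit("\\", 1)[-1], data))
    for name, image in rec["Creates Service"]:
        hits.append(("service", name, image))
    return hits


def dns_split(rec):
    """Hosts that resolved (with their addresses) versus hosts that got no answer."""
    resolved, unresolved = {}, []
    for host, _rtype, addr in rec["DNS"]:
        if addr:
            resolved.setdefault(host, []).append(addr)
        else:
            unresolved.append(host)
    return resolved, unresolved


def word_pair(host, vocab=VOCAB):
    """Split the first label into two vocabulary words, or None if it does not decompose."""
    label = host.split(".")[0]
    for first in vocab:
        if label.startswith(first) and label[len(first):] in vocab:
            return first, label[len(first):]
    return None


def summarize(text):
    """Triage summary: staging directory, autostarts, DNS fan-out and HTTP targets."""
    rec = parse_report(text)
    resolved, unresolved = dns_split(rec)
    hosts = list(resolved) + unresolved
    return {
        "staging_dir": staging_dirs(rec).most_common(1)[0][0],
        "persistence": persistence(rec),
        "resolved": len(resolved),
        "unresolved": len(unresolved),
        "dictionary_hosts": sum(1 for h in hosts if word_pair(h)),
        "contacted": sorted({dst for dst, _port in rec["Flows TCP"]}),
        "http_targets": [url for url, _ua in rec["HTTP GET"]],
        "all_empty_ua": all(ua == "(empty)" for _url, ua in rec["HTTP GET"]),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(REPORT), indent=2))
```

Run against the full report rather than the subset, the unresolved count dwarfs the resolved one and every resolved host receives the same GET /index.php with an empty User-Agent, so the domain list, the C:\mmaczme directory and the two autostart entries are the indicators worth carrying into detection. The source address 192.168.1.1 in the flows is the analysis machine, not an indicator.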
