Analysis Date: 2015-12-02 05:00:25
MD5: 1fcab3c446933f1ea750947b5940ce6c
SHA1: be3c88c279d4afa7f586da7f8c96000350473e31

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: a916268004ce510d0ab84b6355b85bb8 sha1: b8cfbf416075cf0c0ae032dc5fec002bcb050927 size: 1052160
Section .rdata md5: 2a5055999c28f6b83d004f5023d0421f sha1: f3b56ab737eecfdef27ac850b386e0ab2cf96157 size: 339456
Section .data md5: c9d1c33922637e6f9ea35694a50b8a30 sha1: 01fb7c622820f10ebd9a07c5540ce21f910cac14 size: 11264
Section .reloc md5: cc5e966c8c27f86c1e45085734ced5f8 sha1: 79d4b5fa7dafb5f2f36ea152350576f5be0ecdb9 size: 64512
Timestamp: 2015-04-30 20:06:17
Packer: Microsoft Visual C++ 8
PEhash: 1b97d92d975935a453153afeb15ae082c7fe3c97
IMPhash: 7fdd6733234563d8b1b2d66d8cae03a3
AV Kaspersky: Trojan.Win32.Generic
AV MicroWorld (escan): Gen:Variant.Kazy.606112
AV Grisoft (avg): Win32/Cryptor
AV Mcafee: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.606112
AV Ikarus: Trojan.Win32.Bayrob
AV K7: Trojan ( 004c77f41 )
AV MalwareBytes: no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BE
AV Fortinet: W32/Kryptic.WU!tr
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV Ad-Aware: Gen:Variant.Kazy.606112
AV Emsisoft: Gen:Variant.Kazy.606112
AV Avira (antivir): TR/Boryab.aiez
AV Eset (nod32): Win32/Bayrob.R
AV Arcabit (arcavir): Gen:Variant.Kazy.606112
AV BitDefender: Gen:Variant.Kazy.606112
AV BullGuard: Gen:Variant.Kazy.606112
AV Alwil (avast): Dropper-OJG [Drp]
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV CA (E-Trust Ino): no_virus
AV Padvish: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\pzbjosn1llscgz6nahnsm.exe
Creates File: C:\WINDOWS\system32\yfrcgqo\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\pzbjosn1llscgz6nahnsm.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\pzbjosn1llscgz6nahnsm.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Event iSCSI RPC DLL Input IKE Update ➝ C:\WINDOWS\system32\jzzdoqcjnqqp.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\yfrcgqo\lck
Creates File: C:\WINDOWS\system32\yfrcgqo\etc
Creates File: C:\WINDOWS\system32\yfrcgqo\tst
Creates File: C:\WINDOWS\system32\jzzdoqcjnqqp.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\jzzdoqcjnqqp.exe
Creates Service: Information Studio Logon Discovery - C:\WINDOWS\system32\jzzdoqcjnqqp.exe

Process
↳ Pid 808

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1132

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1848

Process
↳ Pid 1152

Process
↳ C:\WINDOWS\system32\jzzdoqcjnqqp.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\yfrcgqo\cfg
Creates File: C:\WINDOWS\system32\yfrcgqo\tst
Creates File: C:\WINDOWS\system32\fmgpjvf.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\TEMP\pzbjosn1syjcgz6.exe
Creates File: C:\WINDOWS\system32\yfrcgqo\lck
Creates File: C:\WINDOWS\system32\yfrcgqo\rng
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\yfrcgqo\run
Creates Process: C:\WINDOWS\TEMP\pzbjosn1syjcgz6.exe -r 35148 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\jzzdoqcjnqqp.exe"

Process
↳ C:\WINDOWS\system32\jzzdoqcjnqqp.exe

Creates File: C:\WINDOWS\system32\yfrcgqo\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\jzzdoqcjnqqp.exe"

Creates File: C:\WINDOWS\system32\yfrcgqo\tst

Process
↳ C:\WINDOWS\TEMP\pzbjosn1syjcgz6.exe -r 35148 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: ableread.net (Type: A) ➝ 208.91.197.241
DNS: maybellinecherokee.net (Type: A)
DNS: alexandrinacalleigh.net (Type: A)
DNS: recordtrust.net (Type: A)
DNS: electricseparate.net (Type: A)
DNS: flierdress.net (Type: A)
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=049&sox=4e6f3600&lenhdr
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.241:80
