Analysis Date: 2015-09-27 06:34:18
MD5: 770c743a3b4a48459fee5382f6b32f64
SHA1: c0feb6e07720dfeaa411c3868a0343b3ab5689b0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text, md5: d8bf68ee09897ecacb41864f132d9c89, sha1: cd96b7719496d317cd32e95beec6598c8ae4cbfc, size: 197120
Section: .rdata, md5: 5cee8322e4c346e8083d052ba75086bf, sha1: d40d69b09f67c95177e4a2dcce9d7088774317b5, size: 54272
Section: .data, md5: 53a92fcb11e14e259e754eaca2fff099, sha1: f487e802ef5baf1afd7c5b8088da23d3d1d860b5, size: 7168
Section: .reloc, md5: 2d9eb68013913e71afe49fa70ee6f790, sha1: b54b3858100fc002dc8d80c792f94b325a9d16be, size: 14336
Timestamp: 2015-04-29 19:07:03
Packer: Microsoft Visual C++ 8
PEhash: f75a83a72bd751a1f001da602f32f01454a17966
IMPhash: bb6662c52d40d83bec89150897773488
AV Rising: Trojan.Win32.Bayrod.a
AV Mcafee: Trojan-FGIJ!770C743A3B4A
AV Avira (antivir): TR/Crypt.Xpack.169351
AV Twister: Trojan.0000E9000000006A1.mg
AV Ad-Aware: Gen:Variant.Kazy.604861
AV Alwil (avast): VB-AJEW [Trj]
AV Eset (nod32): Win32/Bayrob.Q
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Generic.AC.215362
AV BitDefender: Gen:Variant.Kazy.604861
AV K7: Trojan ( 004c12491 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AL
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV MalwareBytes: Trojan.Agent.KVTGen
AV Authentium: W32/Scar.R.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Kazy.604861
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.604861
AV Arcabit (arcavir): Gen:Variant.Kazy.604861
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV F-Secure: Gen:Variant.Kazy.604861
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\uscfxlcmtig\vsjabwqvsw
Creates File: C:\WINDOWS\uscfxlcmtig\vsjabwqvsw
Creates File: C:\uscfxlcmtig\bvafe1lugkafiemuwzg.exe
Deletes File: C:\WINDOWS\uscfxlcmtig\vsjabwqvsw
Creates Process: C:\uscfxlcmtig\bvafe1lugkafiemuwzg.exe

Process
↳ C:\uscfxlcmtig\bvafe1lugkafiemuwzg.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\BranchCache Debugger Adapter Experience ➝ C:\uscfxlcmtig\gubunvvu.exe
Creates File: C:\uscfxlcmtig\vsjabwqvsw
Creates File: C:\uscfxlcmtig\ncsnnida6f
Creates File: C:\WINDOWS\uscfxlcmtig\vsjabwqvsw
Creates File: PIPE\lsarpc
Creates File: C:\uscfxlcmtig\gubunvvu.exe
Deletes File: C:\WINDOWS\uscfxlcmtig\vsjabwqvsw
Creates Process: C:\uscfxlcmtig\gubunvvu.exe
Creates Service: COM WebClient Play Tools - C:\uscfxlcmtig\gubunvvu.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1116

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1900

Process
↳ Pid 1332

Process
↳ C:\uscfxlcmtig\gubunvvu.exe

Creates File: C:\uscfxlcmtig\vsjabwqvsw
Creates File: pipe\net\NtControlPipe10
Creates File: C:\uscfxlcmtig\r7sljul5qcd
Creates File: C:\uscfxlcmtig\ncsnnida6f
Creates File: C:\WINDOWS\uscfxlcmtig\vsjabwqvsw
Creates File: \Device\Afd\Endpoint
Creates File: C:\uscfxlcmtig\pcrlcqytdraq.exe
Deletes File: C:\WINDOWS\uscfxlcmtig\vsjabwqvsw
Creates Process: mym9yqokhlnn "c:\uscfxlcmtig\gubunvvu.exe"

Process
↳ C:\uscfxlcmtig\gubunvvu.exe

Creates File: C:\uscfxlcmtig\vsjabwqvsw
Creates File: C:\WINDOWS\uscfxlcmtig\vsjabwqvsw
Deletes File: C:\WINDOWS\uscfxlcmtig\vsjabwqvsw

Process
↳ mym9yqokhlnn "c:\uscfxlcmtig\gubunvvu.exe"

Creates File: C:\uscfxlcmtig\vsjabwqvsw
Creates File: C:\WINDOWS\uscfxlcmtig\vsjabwqvsw
Deletes File: C:\WINDOWS\uscfxlcmtig\vsjabwqvsw

Network Details:

DNS: heavenabove.net (Type: A) ➝ 185.53.177.7
DNS: heavyfinger.net (Type: A) ➝ 72.13.81.186
DNS: journeybeyond.net (Type: A) ➝ 50.87.199.62
DNS: increasebeing.net (Type: A) ➝ 95.211.230.75
DNS: requireabove.net (Type: A)
DNS: ordershoulder.net (Type: A)
DNS: requireshoulder.net (Type: A)
DNS: orderfinger.net (Type: A)
DNS: requirefinger.net (Type: A)
DNS: leaderuntil.net (Type: A)
DNS: heavenuntil.net (Type: A)
DNS: leaderabove.net (Type: A)
DNS: leadershoulder.net (Type: A)
DNS: heavenshoulder.net (Type: A)
DNS: leaderfinger.net (Type: A)
DNS: heavenfinger.net (Type: A)
DNS: heavyuntil.net (Type: A)
DNS: gentleuntil.net (Type: A)
DNS: heavyabove.net (Type: A)
DNS: gentleabove.net (Type: A)
DNS: heavyshoulder.net (Type: A)
DNS: gentleshoulder.net (Type: A)
DNS: gentlefinger.net (Type: A)
DNS: variousuntil.net (Type: A)
DNS: returnuntil.net (Type: A)
DNS: variousabove.net (Type: A)
DNS: returnabove.net (Type: A)
DNS: variousshoulder.net (Type: A)
DNS: returnshoulder.net (Type: A)
DNS: variousfinger.net (Type: A)
DNS: returnfinger.net (Type: A)
DNS: husbandbeyond.net (Type: A)
DNS: journeybeing.net (Type: A)
DNS: husbandbeing.net (Type: A)
DNS: journeyforever.net (Type: A)
DNS: husbandforever.net (Type: A)
DNS: journeybottom.net (Type: A)
DNS: husbandbottom.net (Type: A)
DNS: destroybeyond.net (Type: A)
DNS: littlebeyond.net (Type: A)
DNS: destroybeing.net (Type: A)
DNS: littlebeing.net (Type: A)
DNS: destroyforever.net (Type: A)
DNS: littleforever.net (Type: A)
DNS: destroybottom.net (Type: A)
DNS: littlebottom.net (Type: A)
DNS: riddenbeyond.net (Type: A)
DNS: belongbeyond.net (Type: A)
DNS: riddenbeing.net (Type: A)
DNS: belongbeing.net (Type: A)
DNS: riddenforever.net (Type: A)
DNS: belongforever.net (Type: A)
DNS: riddenbottom.net (Type: A)
DNS: belongbottom.net (Type: A)
DNS: chairbeyond.net (Type: A)
DNS: thosebeyond.net (Type: A)
DNS: chairbeing.net (Type: A)
DNS: thosebeing.net (Type: A)
DNS: chairforever.net (Type: A)
DNS: thoseforever.net (Type: A)
DNS: chairbottom.net (Type: A)
DNS: thosebottom.net (Type: A)
DNS: withinbeyond.net (Type: A)
DNS: sufferbeyond.net (Type: A)
DNS: withinbeing.net (Type: A)
DNS: sufferbeing.net (Type: A)
DNS: withinforever.net (Type: A)
DNS: sufferforever.net (Type: A)
DNS: withinbottom.net (Type: A)
DNS: sufferbottom.net (Type: A)
DNS: effortbeyond.net (Type: A)
DNS: throughbeyond.net (Type: A)
DNS: effortbeing.net (Type: A)
DNS: throughbeing.net (Type: A)
DNS: effortforever.net (Type: A)
DNS: throughforever.net (Type: A)
DNS: effortbottom.net (Type: A)
DNS: throughbottom.net (Type: A)
DNS: forgetbeyond.net (Type: A)
DNS: increasebeyond.net (Type: A)
DNS: forgetbeing.net (Type: A)
DNS: forgetforever.net (Type: A)
DNS: increaseforever.net (Type: A)
DNS: forgetbottom.net (Type: A)
DNS: increasebottom.net (Type: A)
HTTP GET: http://heavenabove.net/index.php
User-Agent:
HTTP GET: http://heavyfinger.net/index.php
User-Agent:
HTTP GET: http://journeybeyond.net/index.php
User-Agent:
HTTP GET: http://increasebeing.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 185.53.177.7:80
Flows TCP: 192.168.1.1:1032 ➝ 72.13.81.186:80
Flows TCP: 192.168.1.1:1033 ➝ 50.87.199.62:80
Flows TCP: 192.168.1.1:1034 ➝ 95.211.230.75:80
