Analysis Date: 2015-10-24 02:57:24
MD5: d65e1f2369f77bf6bfbdad2f5949af1f
SHA1: c31a76658e980fb257c8a59e17190ffe6336db5c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: d0fdead2c37aa0ca1fb8cf051586efcb sha1: a12a2560fed816f75626d92c102d46a7b254fde4 size: 196096
Section .rdata: md5: 28e4994d7042093254c1fa2676623e21 sha1: 28ed78b42029e631ded8346b5260061b71b2d74d size: 53248
Section .data: md5: f5018a8748a750d6fa3e9c21b2102dcb sha1: c0285ac9514329d6eb87c349b98fb74a6f163202 size: 7168
Section .reloc: md5: 0c51aceabb913b7e0586ce9e4ddde7cd sha1: 0942788c2ea721e8eddb3af9cb931ccd542e79ca size: 14336
Timestamp: 2015-04-29 19:19:59
Packer: Microsoft Visual C++ 8
PEhash: ad221689d6e826b33b0b04bba245c77c09668830
IMPhash: 5d65671464dc7cf900556ee17abccb60
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.604861
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.604861
AV BullGuard: Gen:Variant.Kazy.604861
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.604861
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.R.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AY
AV K7: Trojan ( 004c12491 )
AV BitDefender: Gen:Variant.Kazy.604861
AV Fortinet: W32/Generic.AC.215362
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Q
AV Alwil (avast): VB-AJEW [Trj]
AV Ad-Aware: Gen:Variant.Kazy.604861
AV Twister: Trojan.0000E9000000006A1.mg
AV Avira (antivir): TR/Kryptik.qgmpd
AV Mcafee: Trojan-FGIJ!D65E1F2369F7
AV Rising: Trojan.Win32.Bayrod.a

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\whpypbwbklh\nzlotvebpes
Creates File: C:\WINDOWS\whpypbwbklh\nzlotvebpes
Creates File: C:\whpypbwbklh\krl1m0zxntrmbntko.exe
Deletes File: C:\WINDOWS\whpypbwbklh\nzlotvebpes
Creates Process: C:\whpypbwbklh\krl1m0zxntrmbntko.exe

Process
↳ C:\whpypbwbklh\krl1m0zxntrmbntko.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Diagnostic CardSpace Scheduler Media ➝ C:\whpypbwbklh\fyjxpmlbnr.exe
Creates File: C:\whpypbwbklh\rfl7lct3or
Creates File: C:\whpypbwbklh\nzlotvebpes
Creates File: C:\WINDOWS\whpypbwbklh\nzlotvebpes
Creates File: PIPE\lsarpc
Creates File: C:\whpypbwbklh\fyjxpmlbnr.exe
Deletes File: C:\WINDOWS\whpypbwbklh\nzlotvebpes
Creates Process: C:\whpypbwbklh\fyjxpmlbnr.exe
Creates Service: Bus List Presentation ActiveX Connect - C:\whpypbwbklh\fyjxpmlbnr.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1864

Process
↳ Pid 1116

Process
↳ C:\whpypbwbklh\fyjxpmlbnr.exe

Creates File: C:\whpypbwbklh\rfl7lct3or
Creates File: C:\whpypbwbklh\nzlotvebpes
Creates File: pipe\net\NtControlPipe10
Creates File: C:\whpypbwbklh\lnffcjdkzwjx
Creates File: C:\WINDOWS\whpypbwbklh\nzlotvebpes
Creates File: \Device\Afd\Endpoint
Creates File: C:\whpypbwbklh\xmkeqgusk.exe
Deletes File: C:\WINDOWS\whpypbwbklh\nzlotvebpes
Creates Process: fcimczierw9h "c:\whpypbwbklh\fyjxpmlbnr.exe"

Process
↳ C:\whpypbwbklh\fyjxpmlbnr.exe

Creates File: C:\whpypbwbklh\nzlotvebpes
Creates File: C:\WINDOWS\whpypbwbklh\nzlotvebpes
Deletes File: C:\WINDOWS\whpypbwbklh\nzlotvebpes

Process
↳ fcimczierw9h "c:\whpypbwbklh\fyjxpmlbnr.exe"

Creates File: C:\whpypbwbklh\nzlotvebpes
Creates File: C:\WINDOWS\whpypbwbklh\nzlotvebpes
Deletes File: C:\WINDOWS\whpypbwbklh\nzlotvebpes

Network Details:

HTTP GET: http://effortcountry.net/index.php
User-Agent:
HTTP GET: http://increasefamous.net/index.php
User-Agent:
HTTP GET: http://forgetcountry.net/index.php
User-Agent:
HTTP GET: http://remembercentury.net/index.php
User-Agent:
HTTP GET: http://littleletter.net/index.php
User-Agent:
HTTP GET: http://littledifferent.net/index.php
User-Agent:
HTTP GET: http://forgetsurprise.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 195.22.26.254:80
Flows TCP: 192.168.1.1:1032 ➝ 209.99.40.222:80
Flows TCP: 192.168.1.1:1033 ➝ 209.99.40.223:80
Flows TCP: 192.168.1.1:1034 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1035 ➝ 50.63.202.71:80
Flows TCP: 192.168.1.1:1036 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1037 ➝ 8.5.1.16:80


Strings