Analysis Date: 2015-10-04 02:00:08
MD5: 056b459081b011c043c09d879f1943cf
SHA1: c7b32dd1a3a4fc421b6dbe4b8df85534b0f74ca3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: f81b10f70217add1432777fd3f7a9c9b sha1: fccc93d9d061bf66e79938238f2967b55f705bfb size: 284160
Section .rdata md5: d17c334ea0e20d246ba347f5651f26f2 sha1: 2c8f9b4aaef447135858d49da4953247957c9dd9 size: 57856
Section .data md5: bfe5096b17865a1a0a94617ae7d4771d sha1: 75f3493fbac801676bca4c6723d6aca7318cd127 size: 7168
Section .reloc md5: a819a49a8525e9a6865879229ddffb5d sha1: e337e44e27493d3f00fe5ef0ab07afafa4ff3e2d size: 19456
Timestamp: 2015-05-11 06:08:10
Packer: Microsoft Visual C++ 8
PEhash: d83cd0cfbb66cacace3bfe76dd087ec703330c35
IMPhash: 2abc42d6ab9dad7b97f0fec45b6363b3
AV MicroWorld (escan): Gen:Variant.Kazy.611009
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV ClamAV: no_virus
AV Padvish: no_virus
AV CA (E-Trust Ino): no_virus
AV Fortinet: W32/Bayrob.T!tr
AV Grisoft (avg): Win32/Cryptor
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AL
AV MalwareBytes: Trojan.Agent.KVTGen
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.611009
AV Ikarus: Trojan.Win32.Bayrob
AV VirusBlokAda (vba32): no_virus
AV F-Secure: Gen:Variant.Kazy.611009
AV Dr. Web: Trojan.Bayrob.1
AV Symantec: Downloader.Upatre!g15
AV Arcabit (arcavir): Gen:Variant.Kazy.611009
AV BitDefender: Gen:Variant.Kazy.611009
AV K7: Trojan ( 004c3a4d1 )
AV BullGuard: Gen:Variant.Kazy.611009
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Eset (nod32): Win32/Bayrob.V.gen
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Kazy.611009
AV Twister: no_virus
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV Mcafee: no_virus
AV Rising: no_virus
AV Frisk (f-prot): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\jpnjbbuovoopalc\ndatnbudtapfhwb7wz.exe
Creates File: C:\WINDOWS\jpnjbbuovoopalc\zlzslk
Creates File: C:\jpnjbbuovoopalc\zlzslk
Deletes File: C:\WINDOWS\jpnjbbuovoopalc\zlzslk
Creates Process: C:\jpnjbbuovoopalc\ndatnbudtapfhwb7wz.exe

Process
↳ C:\jpnjbbuovoopalc\ndatnbudtapfhwb7wz.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SNMP Interface Netlogon Card ➝ C:\jpnjbbuovoopalc\tuztlwnnss.exe
Creates File: C:\jpnjbbuovoopalc\bshgbkgvj2
Creates File: C:\WINDOWS\jpnjbbuovoopalc\zlzslk
Creates File: PIPE\lsarpc
Creates File: C:\jpnjbbuovoopalc\zlzslk
Creates File: C:\jpnjbbuovoopalc\tuztlwnnss.exe
Deletes File: C:\WINDOWS\jpnjbbuovoopalc\zlzslk
Creates Process: C:\jpnjbbuovoopalc\tuztlwnnss.exe
Creates Service: Microsoft Controls Provider Connectivity - C:\jpnjbbuovoopalc\tuztlwnnss.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\NDATNBUDTAPFHWB7WZ.EXE-08C2DD14.pf
Creates File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-1BC69D2D.pf
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\YTCTPBGZUON.EXE-2ECA1503.pf
Creates File: C:\WINDOWS\Prefetch\TUZTLWNNSS.EXE-10B14B06.pf
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1204

Process
↳ Pid 1332

Process
↳ Pid 1876

Process
↳ Pid 1856

Process
↳ C:\jpnjbbuovoopalc\tuztlwnnss.exe

Creates File: C:\jpnjbbuovoopalc\bshgbkgvj2
Creates File: pipe\net\NtControlPipe10
Creates File: C:\jpnjbbuovoopalc\jhvozlbyweh
Creates File: C:\WINDOWS\jpnjbbuovoopalc\zlzslk
Creates File: C:\jpnjbbuovoopalc\zlzslk
Creates File: \Device\Afd\Endpoint
Creates File: C:\jpnjbbuovoopalc\ytctpbgzuon.exe
Deletes File: C:\WINDOWS\jpnjbbuovoopalc\zlzslk
Creates Process: sdnti4mf9llj "c:\jpnjbbuovoopalc\tuztlwnnss.exe"

Process
↳ C:\jpnjbbuovoopalc\tuztlwnnss.exe

Creates File: C:\WINDOWS\jpnjbbuovoopalc\zlzslk
Creates File: C:\jpnjbbuovoopalc\zlzslk
Deletes File: C:\WINDOWS\jpnjbbuovoopalc\zlzslk

Process
↳ sdnti4mf9llj "c:\jpnjbbuovoopalc\tuztlwnnss.exe"

Creates File: C:\WINDOWS\jpnjbbuovoopalc\zlzslk
Creates File: C:\jpnjbbuovoopalc\zlzslk
Deletes File: C:\WINDOWS\jpnjbbuovoopalc\zlzslk

Network Details:

DNS: breadboard.net, Type: A, 103.224.182.210
DNS: quietboard.net, Type: A, 95.211.230.75
DNS: decidebridge.net, Type: A, 72.52.4.90
DNS: recordbridge.net, Type: A, 184.168.221.10
DNS: electricbridge.net, Type: A, 182.18.145.136
DNS: electricbicycle.net, Type: A, 72.52.4.119
DNS: tradebridge.net, Type: A, 72.52.4.119
DNS: betterbicycle.net, Type: A, 213.171.195.105
DNS: betterwhose.net, Type: A, 72.52.4.90
HTTP GET: http://breadboard.net/index.php
User-Agent:
HTTP GET: http://quietboard.net/index.php
User-Agent:
HTTP GET: http://decidebridge.net/index.php
User-Agent:
HTTP GET: http://recordbridge.net/index.php
User-Agent:
HTTP GET: http://electricbridge.net/index.php
User-Agent:
HTTP GET: http://electricbicycle.net/index.php
User-Agent:
HTTP GET: http://tradebridge.net/index.php
User-Agent:
HTTP GET: http://betterbicycle.net/index.php
User-Agent:
HTTP GET: http://betterwhose.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 103.224.182.210:80
Flows TCP: 192.168.1.1:1032 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1033 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1034 ➝ 184.168.221.10:80
Flows TCP: 192.168.1.1:1035 ➝ 182.18.145.136:80
Flows TCP: 192.168.1.1:1036 ➝ 72.52.4.119:80
Flows TCP: 192.168.1.1:1037 ➝ 72.52.4.119:80
Flows TCP: 192.168.1.1:1038 ➝ 213.171.195.105:80
Flows TCP: 192.168.1.1:1039 ➝ 72.52.4.90:80

Raw Pcap

Strings