Analysis Date: 2015-08-01 19:38:45
MD5: 92778ae0fd588d2e06c12dc14ae507d4
SHA1: c9a4f6f533e680545e1293c6583e66e1d80a1e14

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 217ebd8370da2eb06060e3df5fe86d9f sha1: e6b737c987d127415468a9bf53b356722d9a1f13 size: 1314304
Section .rdata: md5: 1cce431cc1da6282ce04ed13bce35232 sha1: bbfd210ecfd6013206338bb2592b5121f9c56864 size: 324096
Section .data: md5: 88504be112b41045c34209aad6b87664 sha1: f99ac0ce940986bccc8cafd5520c026afd866ce1 size: 7680
Section .reloc: md5: b2cc2661e134aece3b882b499d10d6fb sha1: d99680994dcffdab0a90db9a99fbdfe1e71efaa1 size: 176640
Timestamp: 2015-05-11 04:37:15
Packer: VC8 -> Microsoft Corporation
PEhash: 297e6d5bfd0e188c9544444c433b528dad69c0cc
IMPhash: 36fcc05701d2c3c5a29f1629887b9633
AV Padvish: no_virus
AV Eset (nod32): Win32/Bayrob.Z
AV CAT (quickheal): no_virus
AV Mcafee: Trojan-FGIJ!92778AE0FD58
AV Authentium: W32/SoxGrave.A2.gen!Eldorado
AV MicroWorld (escan): Gen:Variant.Kazy.611782
AV Arcabit (arcavir): Gen:Variant.Kazy.611782
AV K7: Trojan ( 004c77f41 )
AV Dr. Web: Trojan.Bayrob.5
AV Emsisoft: Gen:Variant.Kazy.611782
AV Frisk (f-prot): no_virus
AV Kaspersky: Backdoor.Win32.SoxGrave.bnz
AV Alwil (avast): Dropper-OJQ [Drp]
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Kazy.611782
AV BullGuard: Gen:Variant.Kazy.611782
AV Microsoft Security Essentials: no_virus
AV BitDefender: Gen:Variant.Kazy.611782
AV Rising: no_virus
AV VirusBlokAda (vba32): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV CA (E-Trust Ino): no_virus
AV Zillya!: no_virus
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV ClamAV: no_virus
AV Avira (antivir): TR/Crypt.Xpack.270787
AV MalwareBytes: no_virus
AV Trend Micro: no_virus
AV F-Secure: Gen:Variant.Kazy.611782
AV Fortinet: W32/Bayrob.X!tr

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\ajvbekwsvozfezr\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dwa7thz1lrvjmpgywlvqu.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dwa7thz1lrvjmpgywlvqu.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\dwa7thz1lrvjmpgywlvqu.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Solutions Computer Instrumentation ➝ C:\WINDOWS\system32\qalmkgcfv.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\ajvbekwsvozfezr\tst
Creates File: C:\WINDOWS\system32\ajvbekwsvozfezr\etc
Creates File: C:\WINDOWS\system32\qalmkgcfv.exe
Creates File: C:\WINDOWS\system32\ajvbekwsvozfezr\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\qalmkgcfv.exe
Creates Service: User-mode Print Auto Internet - C:\WINDOWS\system32\qalmkgcfv.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 820

Process
↳ Pid 868

Process
↳ Pid 1036

Process
↳ Pid 1224

Process
↳ Pid 1344

Process
↳ Pid 1892

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\qalmkgcfv.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\dwa7thz1tdqjm.exe
Creates File: C:\WINDOWS\system32\ajvbekwsvozfezr\run
Creates File: C:\WINDOWS\system32\ajvbekwsvozfezr\tst
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\ajvbekwsvozfezr\rng
Creates File: C:\WINDOWS\system32\ajvbekwsvozfezr\cfg
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\ajvbekwsvozfezr\lck
Creates File: C:\WINDOWS\system32\yecsaxfv.exe
Deletes File: C:\WINDOWS\TEMP\dwa7thz1tdqjm.exe
Creates Process: WATCHDOGPROC "c:\windows\system32\qalmkgcfv.exe"
Creates Process: C:\WINDOWS\TEMP\dwa7thz1tdqjm.exe -r 47462 tcp

Process
↳ C:\WINDOWS\system32\qalmkgcfv.exe

Process
↳ WATCHDOGPROC "c:\windows\system32\qalmkgcfv.exe"

Creates File: C:\WINDOWS\system32\ajvbekwsvozfezr\tst

Process
↳ C:\WINDOWS\TEMP\dwa7thz1tdqjm.exe -r 47462 tcp

Network Details:

DNS: recordsoldier.net (Type: A) ➝ 208.91.197.241
DNS: fliersurprise.net (Type: A) ➝ 208.91.197.241
DNS: historybright.net (Type: A) ➝ 208.91.197.241
DNS: chiefsoldier.net (Type: A) ➝ 208.91.197.241
DNS: classsurprise.net (Type: A) ➝ 208.91.197.241
DNS: thosecontinue.net (Type: A) ➝ 208.91.197.241
DNS: throughcontain.net (Type: A) ➝ 208.91.197.241
DNS: belongguard.net (Type: A) ➝ 208.91.197.241
DNS: maybellinethaddeus.net (Type: A) ➝ 208.91.197.241
DNS: kimberleyshavonne.net (Type: A) ➝ 208.91.197.241
DNS: naildeep.com (Type: A) ➝ 74.220.215.218
DNS: riddenstorm.net (Type: A) ➝ 66.147.240.171
DNS: destroystorm.net (Type: A) ➝ 216.239.138.86
DNS: faceleft.net (Type: A) ➝ 94.23.64.5
DNS: wednesdaythirteen.net (Type: A) ➝ 95.211.230.75
DNS: drivethirteen.net (Type: A) ➝ 208.91.197.241
DNS: husbandfound.net (Type: A)
DNS: leadershort.net (Type: A)
DNS: eggbraker.com (Type: A)
DNS: ithouneed.com (Type: A)
DNS: afterfell.net (Type: A)
DNS: forcefell.net (Type: A)
DNS: aftercount.net (Type: A)
DNS: forcecount.net (Type: A)
DNS: sellcompe.net (Type: A)
DNS: wednesdaycompe.net (Type: A)
DNS: sellhour.net (Type: A)
DNS: wednesdayhour.net (Type: A)
DNS: sellfell.net (Type: A)
DNS: wednesdayfell.net (Type: A)
DNS: sellcount.net (Type: A)
DNS: wednesdaycount.net (Type: A)
DNS: drivecompe.net (Type: A)
DNS: nailcompe.net (Type: A)
DNS: drivehour.net (Type: A)
DNS: nailhour.net (Type: A)
DNS: drivefell.net (Type: A)
DNS: nailfell.net (Type: A)
DNS: drivecount.net (Type: A)
DNS: nailcount.net (Type: A)
DNS: fieldhope.net (Type: A)
DNS: queenhope.net (Type: A)
DNS: fieldleft.net (Type: A)
DNS: queenleft.net (Type: A)
DNS: fieldthirteen.net (Type: A)
DNS: queenthirteen.net (Type: A)
DNS: fieldhurry.net (Type: A)
DNS: queenhurry.net (Type: A)
DNS: bothhope.net (Type: A)
DNS: gainhope.net (Type: A)
DNS: bothleft.net (Type: A)
DNS: gainleft.net (Type: A)
DNS: boththirteen.net (Type: A)
DNS: gainthirteen.net (Type: A)
DNS: bothhurry.net (Type: A)
DNS: gainhurry.net (Type: A)
DNS: leasthope.net (Type: A)
DNS: facehope.net (Type: A)
DNS: leastleft.net (Type: A)
DNS: leastthirteen.net (Type: A)
DNS: facethirteen.net (Type: A)
DNS: leasthurry.net (Type: A)
DNS: facehurry.net (Type: A)
DNS: monthhope.net (Type: A)
DNS: walkhope.net (Type: A)
DNS: monthleft.net (Type: A)
DNS: walkleft.net (Type: A)
DNS: monththirteen.net (Type: A)
DNS: walkthirteen.net (Type: A)
DNS: monthhurry.net (Type: A)
DNS: walkhurry.net (Type: A)
DNS: storyhope.net (Type: A)
DNS: weakhope.net (Type: A)
DNS: storyleft.net (Type: A)
DNS: weakleft.net (Type: A)
DNS: storythirteen.net (Type: A)
DNS: weakthirteen.net (Type: A)
DNS: storyhurry.net (Type: A)
DNS: weakhurry.net (Type: A)
DNS: afterhope.net (Type: A)
DNS: forcehope.net (Type: A)
DNS: afterleft.net (Type: A)
DNS: forceleft.net (Type: A)
DNS: afterthirteen.net (Type: A)
DNS: forcethirteen.net (Type: A)
DNS: afterhurry.net (Type: A)
DNS: forcehurry.net (Type: A)
DNS: sellhope.net (Type: A)
DNS: wednesdayhope.net (Type: A)
DNS: sellleft.net (Type: A)
DNS: wednesdayleft.net (Type: A)
DNS: sellthirteen.net (Type: A)
DNS: sellhurry.net (Type: A)
DNS: wednesdayhurry.net (Type: A)
DNS: drivehope.net (Type: A)
DNS: nailhope.net (Type: A)
DNS: driveleft.net (Type: A)
DNS: nailleft.net (Type: A)
DNS: nailthirteen.net (Type: A)
DNS: drivehurry.net (Type: A)
DNS: nailhurry.net (Type: A)
DNS: fieldwild.net (Type: A)
HTTP GET: http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://faceleft.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://wednesdaythirteen.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://drivethirteen.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://faceleft.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://wednesdaythirteen.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
HTTP GET: http://drivethirteen.net/index.php?method=validate&mode=sox&v=050&sox=4fa6ea07&lenhdr
  User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1045 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1046 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1047 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1048 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1049 ➝ 216.239.138.86:80
Flows TCP: 192.168.1.1:1050 ➝ 94.23.64.5:80
Flows TCP: 192.168.1.1:1051 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1052 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1053 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1054 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1055 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1056 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1057 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1058 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1059 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1060 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1061 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1062 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1063 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1064 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1065 ➝ 216.239.138.86:80
Flows TCP: 192.168.1.1:1066 ➝ 94.23.64.5:80
Flows TCP: 192.168.1.1:1067 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1068 ➝ 208.91.197.241:80
