Analysis Date: 2015-08-29 22:38:59
MD5: 17d1897954311287859b8bfd2e9f8704
SHA1: ca33065e7b49017333bbb4cbaed825713bdb80ed

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 7d6ecbc36d90990571ae809be6329d4b  sha1: 2129ec2ffe7e59afc3e28136b45d4125f3a49f38  size: 286720
Section .rdata  md5: 64806636d55b418d49bbc8525d14b516  sha1: 1f534c2f2772ad4f0da1b69c6b93e09384ba6554  size: 58880
Section .data   md5: 637ed087d1a6a7920d0bd2cdd665f10e  sha1: 9d4626e4008e09604d7c8e7eb9168ab8a66af176  size: 7680
Section .reloc  md5: db08263b1ad30162a742efff6c777293  sha1: d144bba83005be1afbcc5581009c7a67ef95d493  size: 19968
Timestamp: 2015-05-11 06:32:26
Packer: Microsoft Visual C++ 8 (a compiler signature, not a packer; no packer was matched)
PEhash: 805922aed4c6017c7633c92052bdffd6dfeb7d8f
IMPhash: 197c1cbaab3a10d5ff8d544d1978142b
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.611009
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.611009
AV BullGuard: Gen:Variant.Kazy.611009
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Scar.jiqd
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.611009
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.611009
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AY
AV K7: Trojan ( 004c3a4d1 )
AV BitDefender: Gen:Variant.Kazy.611009
AV Fortinet: W32/Bayrob.T!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.V.gen
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Kazy.611009
AV Rising: Trojan.Win32.Bayrod.b
AV Twister: W32.Bayrob.V.gen.qdmh
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV Mcafee: PWS-FCCE!17D189795431

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\iiizsmnaskexlr\isjhd1m66tnty9jhoofygj.exe
Creates File: C:\WINDOWS\iiizsmnaskexlr\mvkkpewncc
Creates File: C:\iiizsmnaskexlr\mvkkpewncc
Deletes File: C:\WINDOWS\iiizsmnaskexlr\mvkkpewncc
Creates Process: C:\iiizsmnaskexlr\isjhd1m66tnty9jhoofygj.exe

Process
↳ C:\iiizsmnaskexlr\isjhd1m66tnty9jhoofygj.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Base Sharing Windows Firewall Connect ➝ C:\iiizsmnaskexlr\eeanzrvybndo.exe
Creates File: C:\iiizsmnaskexlr\eeanzrvybndo.exe
Creates File: C:\WINDOWS\iiizsmnaskexlr\mvkkpewncc
Creates File: C:\iiizsmnaskexlr\mvkkpewncc
Creates File: PIPE\lsarpc
Creates File: C:\iiizsmnaskexlr\stgmrgvbcq
Deletes File: C:\WINDOWS\iiizsmnaskexlr\mvkkpewncc
Creates Process: C:\iiizsmnaskexlr\eeanzrvybndo.exe
Creates Service: Registry Encryption Control Color - C:\iiizsmnaskexlr\eeanzrvybndo.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1104

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1864

Process
↳ Pid 1148

Process
↳ C:\iiizsmnaskexlr\eeanzrvybndo.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\iiizsmnaskexlr\mvkkpewncc
Creates File: C:\iiizsmnaskexlr\mvkkpewncc
Creates File: C:\iiizsmnaskexlr\stgmrgvbcq
Creates File: \Device\Afd\Endpoint
Creates File: C:\iiizsmnaskexlr\hn3tl3uidkz
Creates File: C:\iiizsmnaskexlr\dahtcic.exe
Deletes File: C:\WINDOWS\iiizsmnaskexlr\mvkkpewncc
Creates Process: d8aldzbzchh0 "c:\iiizsmnaskexlr\eeanzrvybndo.exe"

Process
↳ C:\iiizsmnaskexlr\eeanzrvybndo.exe

Creates File: C:\WINDOWS\iiizsmnaskexlr\mvkkpewncc
Creates File: C:\iiizsmnaskexlr\mvkkpewncc
Deletes File: C:\WINDOWS\iiizsmnaskexlr\mvkkpewncc

Process
↳ d8aldzbzchh0 "c:\iiizsmnaskexlr\eeanzrvybndo.exe"

Creates File: C:\WINDOWS\iiizsmnaskexlr\mvkkpewncc
Creates File: C:\iiizsmnaskexlr\mvkkpewncc
Deletes File: C:\WINDOWS\iiizsmnaskexlr\mvkkpewncc

Network Details:

DNS: buildingmarket.net (A) ➝ 82.165.213.98
DNS: buildingreport.net (A) ➝ 184.106.55.51
DNS: eveningreport.net (A) ➝ 210.55.30.67
DNS: buildingbeauty.net (A) ➝ 50.63.202.54
DNS: storemarket.net (A) ➝ 173.254.28.39
DNS: storereport.net (A) ➝ 50.194.159.145
DNS: storegarden.net (A) ➝ 46.30.212.240
DNS: doctormarket.net (A) ➝ 184.168.221.37
DNS: doctorreport.net (A) ➝ 204.11.56.48
DNS: doctorbeauty.net (A) ➝ 62.149.128.154, 62.149.128.151, 62.149.128.74, 62.149.128.72, 62.149.128.166, 62.149.128.163, 62.149.128.160, 62.149.128.157
DNS: hdredirect-lb-399551664.us-east-1.elb.amazonaws.com (A) ➝ 54.174.31.254, 54.208.74.215
DNS: doublebeauty.net (A) ➝ 192.0.78.25, 192.0.78.24
DNS: brokenreport.net (A) ➝ 95.211.230.75
DNS: desirespread.net (A) ➝ no address recorded
DNS: strengthattempt.net (A) ➝ no address recorded
DNS: stillattempt.net (A) ➝ no address recorded
DNS: strengthsquare.net (A) ➝ no address recorded
DNS: stillsquare.net (A) ➝ no address recorded
DNS: strengthneighbor.net (A) ➝ no address recorded
DNS: stillneighbor.net (A) ➝ no address recorded
DNS: strengthspread.net (A) ➝ no address recorded
DNS: stillspread.net (A) ➝ no address recorded
DNS: movementmarket.net (A) ➝ no address recorded
DNS: outsidemarket.net (A) ➝ no address recorded
DNS: movementreport.net (A) ➝ no address recorded
DNS: outsidereport.net (A) ➝ no address recorded
DNS: movementbeauty.net (A) ➝ no address recorded
DNS: outsidebeauty.net (A) ➝ no address recorded
DNS: movementgarden.net (A) ➝ no address recorded
DNS: outsidegarden.net (A) ➝ no address recorded
DNS: eveningmarket.net (A) ➝ no address recorded
DNS: eveningbeauty.net (A) ➝ no address recorded
DNS: buildinggarden.net (A) ➝ no address recorded
DNS: eveninggarden.net (A) ➝ no address recorded
DNS: mightmarket.net (A) ➝ no address recorded
DNS: mightreport.net (A) ➝ no address recorded
DNS: storebeauty.net (A) ➝ no address recorded
DNS: mightbeauty.net (A) ➝ no address recorded
DNS: mightgarden.net (A) ➝ no address recorded
DNS: prettymarket.net (A) ➝ no address recorded
DNS: prettyreport.net (A) ➝ no address recorded
DNS: prettybeauty.net (A) ➝ no address recorded
DNS: doctorgarden.net (A) ➝ no address recorded
DNS: prettygarden.net (A) ➝ no address recorded
DNS: fellowmarket.net (A) ➝ no address recorded
DNS: doublemarket.net (A) ➝ no address recorded
DNS: fellowreport.net (A) ➝ no address recorded
DNS: doublereport.net (A) ➝ no address recorded
DNS: fellowbeauty.net (A) ➝ no address recorded
DNS: fellowgarden.net (A) ➝ no address recorded
DNS: doublegarden.net (A) ➝ no address recorded
DNS: brokenmarket.net (A) ➝ no address recorded
DNS: resultmarket.net (A) ➝ no address recorded
DNS: resultreport.net (A) ➝ no address recorded
DNS: brokenbeauty.net (A) ➝ no address recorded
DNS: resultbeauty.net (A) ➝ no address recorded
DNS: brokengarden.net (A) ➝ no address recorded
DNS: resultgarden.net (A) ➝ no address recorded
DNS: preparemarket.net (A) ➝ no address recorded
DNS: desiremarket.net (A) ➝ no address recorded
DNS: preparereport.net (A) ➝ no address recorded
DNS: desirereport.net (A) ➝ no address recorded
DNS: preparebeauty.net (A) ➝ no address recorded
DNS: desirebeauty.net (A) ➝ no address recorded
DNS: preparegarden.net (A) ➝ no address recorded
DNS: desiregarden.net (A) ➝ no address recorded
DNS: strengthmarket.net (A) ➝ no address recorded
DNS: stillmarket.net (A) ➝ no address recorded
DNS: strengthreport.net (A) ➝ no address recorded
DNS: stillreport.net (A) ➝ no address recorded
DNS: strengthbeauty.net (A) ➝ no address recorded
DNS: stillbeauty.net (A) ➝ no address recorded
DNS: strengthgarden.net (A) ➝ no address recorded
DNS: stillgarden.net (A) ➝ no address recorded
DNS: movementtoward.net (A) ➝ no address recorded
DNS: outsidetoward.net (A) ➝ no address recorded
DNS: movementpleasure.net (A) ➝ no address recorded
DNS: outsidepleasure.net (A) ➝ no address recorded
DNS: movementmillion.net (A) ➝ no address recorded
DNS: outsidemillion.net (A) ➝ no address recorded
DNS: movementwhite.net (A) ➝ no address recorded
DNS: outsidewhite.net (A) ➝ no address recorded
DNS: buildingtoward.net (A) ➝ no address recorded
DNS: eveningtoward.net (A) ➝ no address recorded
DNS: buildingpleasure.net (A) ➝ no address recorded
DNS: eveningpleasure.net (A) ➝ no address recorded
HTTP GET: http://buildingmarket.net/index.php  User-Agent: (none sent; see Raw Pcap)
HTTP GET: http://buildingreport.net/index.php  User-Agent: (none sent)
HTTP GET: http://eveningreport.net/index.php  User-Agent: (none sent)
HTTP GET: http://buildingbeauty.net/index.php  User-Agent: (none sent)
HTTP GET: http://storemarket.net/index.php  User-Agent: (none sent)
HTTP GET: http://storereport.net/index.php  User-Agent: (none sent)
HTTP GET: http://storegarden.net/index.php  User-Agent: (none sent)
HTTP GET: http://doctormarket.net/index.php  User-Agent: (none sent)
HTTP GET: http://doctorreport.net/index.php  User-Agent: (none sent)
HTTP GET: http://doctorbeauty.net/index.php  User-Agent: (none sent)
HTTP GET: http://prettygarden.net/index.php  User-Agent: (none sent)
HTTP GET: http://doublebeauty.net/index.php  User-Agent: (none sent)
HTTP GET: http://brokenreport.net/index.php  User-Agent: (none sent)
Flow TCP: 192.168.1.1:1031 ➝ 82.165.213.98:80 (buildingmarket.net, per the DNS answer above)
Flow TCP: 192.168.1.1:1032 ➝ 184.106.55.51:80 (buildingreport.net)
Flow TCP: 192.168.1.1:1033 ➝ 210.55.30.67:80 (eveningreport.net)
Flow TCP: 192.168.1.1:1034 ➝ 50.63.202.54:80 (buildingbeauty.net)
Flow TCP: 192.168.1.1:1035 ➝ 173.254.28.39:80 (storemarket.net)
Flow TCP: 192.168.1.1:1036 ➝ 50.194.159.145:80 (storereport.net)
Flow TCP: 192.168.1.1:1037 ➝ 46.30.212.240:80 (storegarden.net)
Flow TCP: 192.168.1.1:1038 ➝ 184.168.221.37:80 (doctormarket.net)
Flow TCP: 192.168.1.1:1039 ➝ 204.11.56.48:80 (doctorreport.net)
Flow TCP: 192.168.1.1:1040 ➝ 62.149.128.154:80 (doctorbeauty.net)
Flow TCP: 192.168.1.1:1041 ➝ 54.174.31.254:80 (hdredirect-lb-399551664.us-east-1.elb.amazonaws.com)
Flow TCP: 192.168.1.1:1042 ➝ 192.0.78.25:80 (doublebeauty.net)
Flow TCP: 192.168.1.1:1043 ➝ 95.211.230.75:80 (brokenreport.net)
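Every name the sample queried, apart from the Amazon ELB host, is two English words run together under .net, the shape that the Nivdort/Bayrob labels in the AV column are associated with and that marks a dictionary-based domain generation algorithm: the sample works through word pairs until one resolves and answers. The following Python is an added example, not part of the sandbox report, that recovers the two word lists from the queried names alone, with no dictionary supplied, by choosing for each label the split whose two halves are most widely shared across the whole set. The name list is copied from this page; REPORT_DNS_NAMES, split_wordpairs, vocabulary and grid_coverage are this example's own names.

```python
from collections import Counter

# All 86 distinct names from the report's DNS section (copied from the page; the first
# thirteen received A answers in the sandbox, the rest did not). Not a live list.
REPORT_DNS_NAMES = [
    "buildingmarket.net", "buildingreport.net", "eveningreport.net", "buildingbeauty.net",
    "storemarket.net", "storereport.net", "storegarden.net", "doctormarket.net",
    "doctorreport.net", "doctorbeauty.net",
    "hdredirect-lb-399551664.us-east-1.elb.amazonaws.com",
    "doublebeauty.net", "brokenreport.net",
    "desirespread.net", "strengthattempt.net", "stillattempt.net", "strengthsquare.net",
    "stillsquare.net", "strengthneighbor.net", "stillneighbor.net", "strengthspread.net",
    "stillspread.net", "movementmarket.net", "outsidemarket.net", "movementreport.net",
    "outsidereport.net", "movementbeauty.net", "outsidebeauty.net", "movementgarden.net",
    "outsidegarden.net", "eveningmarket.net", "eveningbeauty.net", "buildinggarden.net",
    "eveninggarden.net", "mightmarket.net", "mightreport.net", "storebeauty.net",
    "mightbeauty.net", "mightgarden.net", "prettymarket.net", "prettyreport.net",
    "prettybeauty.net", "doctorgarden.net", "prettygarden.net", "fellowmarket.net",
    "doublemarket.net", "fellowreport.net", "doublereport.net", "fellowbeauty.net",
    "fellowgarden.net", "doublegarden.net", "brokenmarket.net", "resultmarket.net",
    "resultreport.net", "brokenbeauty.net", "resultbeauty.net", "brokengarden.net",
    "resultgarden.net", "preparemarket.net", "desiremarket.net", "preparereport.net",
    "desirereport.net", "preparebeauty.net", "desirebeauty.net", "preparegarden.net",
    "desiregarden.net", "strengthmarket.net", "stillmarket.net", "strengthreport.net",
    "stillreport.net", "strengthbeauty.net", "stillbeauty.net", "strengthgarden.net",
    "stillgarden.net", "movementtoward.net", "outsidetoward.net", "movementpleasure.net",
    "outsidepleasure.net", "movementmillion.net", "outsidemillion.net", "movementwhite.net",
    "outsidewhite.net", "buildingtoward.net", "eveningtoward.net", "buildingpleasure.net",
    "eveningpleasure.net",
]


def _label(name):
    """Leftmost DNS label, or None when it is not purely alphabetic (hyphens, digits)."""
    lab = name.lower().split(".")[0]
    return lab if lab.isalpha() else None


def split_wordpairs(names, min_shared=2):
    """Map each name to its (first_word, second_word) split, or None.

    No dictionary is used. Every possible prefix and suffix of every label is counted
    across the set; a split is accepted only if both halves occur in at least
    `min_shared` labels, and among those the split with the largest
    prefix_count * suffix_count wins. For a word-list DGA the true words are the
    halves shared by the most other names, so the product picks them out even when
    two suffixes start with the same letters (e.g. "spread"/"square").
    """
    labels = [lab for lab in (_label(n) for n in names) if lab]
    pre, suf = Counter(), Counter()
    for lab in labels:
        for i in range(1, len(lab)):
            pre[lab[:i]] += 1
            suf[lab[i:]] += 1
    result = {}
    for name in names:
        lab = _label(name)
        best, best_score = None, 0
        if lab:
            for i in range(1, len(lab)):
                a, b = lab[:i], lab[i:]
                if pre[a] >= min_shared and suf[b] >= min_shared:
                    score = pre[a] * suf[b]
                    if score > best_score:
                        best, best_score = (a, b), score
        result[name] = best
    return result


def vocabulary(splits):
    """Sorted lists of the recovered first words and second words."""
    firsts = sorted({s[0] for s in splits.values() if s})
    seconds = sorted({s[1] for s in splits.values() if s})
    return firsts, seconds


def grid_coverage(splits):
    """(pairs actually queried, pairs the recovered vocabulary can generate)."""
    firsts, seconds = vocabulary(splits)
    seen = {s for s in splits.values() if s}
    return len(seen), len(firsts) * len(seconds)


if __name__ == "__main__":
    splits = split_wordpairs(REPORT_DNS_NAMES)
    firsts, seconds = vocabulary(splits)
    print("first words :", firsts)
    print("second words:", seconds)
    print("queried / generable pairs:", grid_coverage(splits))
```

The point of the last number is operational: the 85 names the sandbox saw are a fraction of what these two word lists can produce, so a blocklist of the names on this page will miss most of the sample's next attempts, while a DNS detection keyed on the recovered word lists (or on bursts of unresolved two-word .net lookups followed by a single HTTP/1.0 GET /index.php) will not.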

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e676d 61726b65 742e6e65   uildingmarket.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e6772 65706f72 742e6e65   uildingreport.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   76656e69 6e677265 706f7274 2e6e6574   veningreport.net
0x00000050 (00080)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e6762 65617574 792e6e65   uildingbeauty.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   746f7265 6d61726b 65742e6e 65740d0a   toremarket.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   746f7265 7265706f 72742e6e 65740d0a   torereport.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   746f7265 67617264 656e2e6e 65740d0a   toregarden.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 726d6172 6b65742e 6e65740d   octormarket.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 72726570 6f72742e 6e65740d   octorreport.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 72626561 7574792e 6e65740d   octorbeauty.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   72657474 79676172 64656e2e 6e65740d   rettygarden.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f75626c 65626561 7574792e 6e65740d   oublebeauty.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   726f6b65 6e726570 6f72742e 6e65740d   rokenreport.net.
0x00000050 (00080)   0a0d0a                                ...
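The hexdumps above are the only place the page shows the request headers, and what they show is a hand-rolled client: HTTP/1.0, Accept: */*, Connection: close, Host, and no User-Agent header at all. The following Python is an added example, not part of the report, that rebuilds the bytes from the dump's hex column, parses the request, and encodes that observed shape as a check, alongside a constructed ordinary request that carries a User-Agent and must be rejected. REPORT_DUMP is the report's first request copied verbatim; ORDINARY_REQUEST and the function names are this example's own.

```python
import re

# First request from the report's "Raw Pcap" section, copied verbatim (sample input).
REPORT_DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e676d 61726b65 742e6e65   uildingmarket.ne
0x00000050 (00080)   740d0a0d 0a                           t....
"""

# Constructed counter-example (not from the report): the same URL fetched by a client
# that identifies itself, so the beacon check must reject it.
ORDINARY_REQUEST = (b"GET /index.php HTTP/1.1\r\nHost: buildingmarket.net\r\n"
                    b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\nConnection: close\r\n\r\n")

# "0xOFFSET (DECIMAL)   hh hhhhhhhh ...   ascii": hex groups are single-space separated,
# the ASCII column is set off by two or more spaces, so the group run stops there.
_DUMP_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+\(\d+\)\s+((?:[0-9a-fA-F]{2,8}\s?)+)")


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from the hex column of a sandbox hexdump (ASCII column ignored)."""
    out = bytearray()
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line plus headers, keys lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def matches_report_beacon(req: dict) -> bool:
    """The check-in shape seen in this report: HTTP/1.0 GET /index.php carrying only
    Accept: */*, Connection: close and Host, and no User-Agent of any kind."""
    h = req["headers"]
    return (req["method"] == "GET"
            and req["target"] == "/index.php"
            and req["version"] == "HTTP/1.0"
            and "user-agent" not in h
            and h.get("accept") == "*/*"
            and h.get("connection") == "close"
            and set(h) == {"accept", "connection", "host"})


if __name__ == "__main__":
    req = parse_http_request(dump_to_bytes(REPORT_DUMP))
    print(req["version"], req["target"], req["headers"])
    print("report request matches beacon shape:", matches_report_beacon(req))
    print("ordinary request matches beacon shape:",
          matches_report_beacon(parse_http_request(ORDINARY_REQUEST)))
```

The same three properties (HTTP/1.0, an absent User-Agent, and a bare GET /index.php to a freshly resolved two-word .net host) are what a proxy log or IDS rule should key on; the Host values themselves rotate with every run of the generator and are the weakest indicator on this page.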


Strings