Analysis Date: 2016-01-28 17:46:05
MD5: 5bed531af59ded11e86a1a31d98d2350
SHA1: cfbac978e3eb846ffbf5e64642203ea14e51d549

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5e7313f95dd13ef42542c5d283a3a631 sha1: e454e7ba4babea5fd22fe275fa2b00634f74a776 size: 901632
Section .rdata: md5: 73d121a2cfbd7aff39f959e99bea02f0 sha1: fc6b0e679876440de288b87f456a08ea765ecfc2 size: 377344
Section .data: md5: cc1044ba520fb266781f67240696a8a5 sha1: 7199ec51d19ec6c018ff861b928fd647ccfa11ec size: 6656
Section .reloc: md5: 3aab578ec9618c3995d0e2811d3f2877 sha1: e16960984b1098b76fbc3780e4ecf5606ede948f size: 120832
Timestamp: 2015-12-15 15:37:04
Packer: VC8 -> Microsoft Corporation
PEhash: 26f5fa21c02e80b2a3d8ece01b8a4dcbaaf3420a
IMPhash: 3f438f90d23b8cc7b2269e9ea70301b3
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): TR/Crypt.Xpack.272324
AV Twister: W32.Bayrob.AG.uslt
AV Ad-Aware: Gen:Variant.Kazy.788788
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.AG
AV Grisoft (avg): Generic37.JHX
AV Symantec: No Virus
AV Fortinet: No Virus
AV BitDefender: Gen:Variant.Kazy.788788
AV K7: Trojan ( 004da8bd1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DJ
AV MicroWorld (escan): Gen:Variant.Kazy.788788
AV MalwareBytes: No Virus
AV Authentium: W32/Trojan.QZCX-8095
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Kazy.788788
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Gen:Variant.Kazy.788788
AV Arcabit (arcavir): Gen:Variant.Kazy.788788
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader18.19588
AV F-Secure: Gen:Variant.Kazy.788788
AV CA (E-Trust Ino): No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\ermzibbw\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ostwpfnsafouvyi66s1undtbz.exe
Creates File: PIPE\lsarpc
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\ostwpfnsafouvyi66s1undtbz.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\ostwpfnsafouvyi66s1undtbz.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Foundation Solutions Awareness IKE Upgrade ➝ C:\WINDOWS\system32\auiikhz.exe
Creates File: C:\WINDOWS\system32\auiikhz.exe
Creates File: C:\WINDOWS\system32\ermzibbw\tst
Creates File: C:\WINDOWS\system32\ermzibbw\lck
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\auiikhz.exe
Creates Service: Initiator Registrar Agent Link User-mode - C:\WINDOWS\system32\auiikhz.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File: WMIDataDevice

Process
↳ Pid 1848

Process
↳ Pid 1140

Process
↳ C:\WINDOWS\system32\auiikhz.exe

Creates File: C:\WINDOWS\system32\ermzibbw\tst
Creates File: PIPE\lsarpc

Process
↳ C:\WINDOWS\system32\auiikhz.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\ostwpf82oah1vyi66.exe
Creates File: C:\WINDOWS\system32\ermzibbw\rng
Creates File: C:\WINDOWS\system32\hgftxxm.exe
Creates File: C:\WINDOWS\system32\ermzibbw\tst
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\ermzibbw\lck
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\ermzibbw\run
Creates File: C:\WINDOWS\system32\ermzibbw\cfg
Creates Process: C:\WINDOWS\TEMP\ostwpf82oah1vyi66.exe -r 42416 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\auiikhz.exe"

Process
↳ WATCHDOGPROC "c:\windows\system32\auiikhz.exe"

Creates File: C:\WINDOWS\system32\ermzibbw\tst

Process
↳ C:\WINDOWS\TEMP\ostwpf82oah1vyi66.exe -r 42416 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

HTTP GET: http://journeymeasure.net/index.php (User-Agent: empty)
HTTP GET: http://simonettedwerryhouse.net/index.php (User-Agent: empty)
HTTP GET: http://morningduring.net/index.php (User-Agent: empty)
HTTP GET: http://riddenstorm.net/index.php (User-Agent: empty)
HTTP GET: http://effortbuilt.net/index.php (User-Agent: empty)
HTTP GET: http://thosewhile.net/index.php (User-Agent: empty)
HTTP GET: http://fearboat.net/index.php (User-Agent: empty)
HTTP GET: http://westboat.net/index.php (User-Agent: empty)
HTTP GET: http://westrest.net/index.php (User-Agent: empty)
HTTP GET: http://leadpress.net/index.php (User-Agent: empty)
Flows TCP: 192.168.1.1:1032 ➝ 50.87.249.65:80
Flows TCP: 192.168.1.1:1033 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1034 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1036 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1037 ➝ 198.27.70.45:80
Flows TCP: 192.168.1.1:1038 ➝ 198.27.70.45:80
Flows TCP: 192.168.1.1:1039 ➝ 195.22.28.199:80
Flows TCP: 192.168.1.1:1040 ➝ 213.186.33.104:80
Flows TCP: 192.168.1.1:1041 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1042 ➝ 98.124.199.4:80

Raw Pcap

Strings