Analysis Date: 2015-08-15 03:19:52
MD5: c2345d1adc463ac94f4ebe489a27b806
SHA1: d26945fb5f5b6a92bf9dd0b4743f825b50c35073

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 215cb4f4cfa268bc33918136b33fa1ba sha1: 39cc884d9b5ad9b6a9309c82d199005064ef074f size: 197120
Section .rdata: md5: 8cda7717ce5c0189cc04b125f4328a4d sha1: acfeee3079775a511a63237b05e2fa9c8caa0982 size: 53248
Section .data: md5: 6e2b6505ead7f4bec7e4f87069fc0c47 sha1: 33280853224d6e030a9d616f159db793b8037b39 size: 6656
Section .reloc: md5: b8aae1f2695e1921d832ff712b59e36a sha1: 294d3bbf08b201a347e2e231bcec967eda2dc619 size: 14336
Timestamp (PE header): 2015-04-29 18:42:49
Packer: Microsoft Visual C++ 8 (a compiler signature match, not evidence of a packer)
PEhash: 56e725bddd226fea7db157cc7889be7ee58fef35
IMPhash: 03656e5ad777abb22131325a3876c17b
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.604861
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.604861
AV BullGuard: Gen:Variant.Kazy.604861
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: TROJ_BAYROB.SM0
AV Kaspersky: Trojan.Win32.Scar.jbza
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.604861
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.R.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV Microsoft Security Essentials: no_virus
AV K7: Trojan ( 004c12491 )
AV BitDefender: Gen:Variant.Kazy.604861
AV Fortinet: W32/Generic.AC.215362
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Q
AV Alwil (avast): VB-AJEW [Trj]
AV Ad-Aware: Gen:Variant.Kazy.604861
AV Twister: Trojan.0000E9000000006A1.mg
AV Avira (antivir): TR/Kryptik.qgmpd
AV Mcafee: Trojan-FGIJ!C2345D1ADC46
AV Rising: Trojan.Win32.Bayrod.a

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\ldyliejktyjmd\cbhoa8pk
Creates File: C:\ldyliejktyjmd\tcecm1kt5ttfyzcvy.exe
Creates File: C:\ldyliejktyjmd\cbhoa8pk
Deletes File: C:\WINDOWS\ldyliejktyjmd\cbhoa8pk
Creates Process: C:\ldyliejktyjmd\tcecm1kt5ttfyzcvy.exe

Process
↳ C:\ldyliejktyjmd\tcecm1kt5ttfyzcvy.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Instrumentation Solutions Connect ➝ C:\ldyliejktyjmd\edgdcvvt.exe
Creates File: C:\ldyliejktyjmd\i0ukquwlqp
Creates File: C:\WINDOWS\ldyliejktyjmd\cbhoa8pk
Creates File: C:\ldyliejktyjmd\edgdcvvt.exe
Creates File: PIPE\lsarpc
Creates File: C:\ldyliejktyjmd\cbhoa8pk
Deletes File: C:\WINDOWS\ldyliejktyjmd\cbhoa8pk
Creates Process: C:\ldyliejktyjmd\edgdcvvt.exe
Creates Service: Task Net.Tcp Protocol Tools - C:\ldyliejktyjmd\edgdcvvt.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 816

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1872

Process
↳ Pid 1168

Process
↳ C:\ldyliejktyjmd\edgdcvvt.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\ldyliejktyjmd\i0ukquwlqp
Creates File: C:\ldyliejktyjmd\vjriydhe.exe
Creates File: C:\WINDOWS\ldyliejktyjmd\cbhoa8pk
Creates File: \Device\Afd\Endpoint
Creates File: C:\ldyliejktyjmd\tfgnskflpxv
Creates File: C:\ldyliejktyjmd\cbhoa8pk
Deletes File: C:\WINDOWS\ldyliejktyjmd\cbhoa8pk
Creates Process: jmeyojro8fho "c:\ldyliejktyjmd\edgdcvvt.exe"

Process
↳ C:\ldyliejktyjmd\edgdcvvt.exe

Creates File: C:\WINDOWS\ldyliejktyjmd\cbhoa8pk
Creates File: C:\ldyliejktyjmd\cbhoa8pk
Deletes File: C:\WINDOWS\ldyliejktyjmd\cbhoa8pk

Process
↳ jmeyojro8fho "c:\ldyliejktyjmd\edgdcvvt.exe"

Creates File: C:\WINDOWS\ldyliejktyjmd\cbhoa8pk
Creates File: C:\ldyliejktyjmd\cbhoa8pk
Deletes File: C:\WINDOWS\ldyliejktyjmd\cbhoa8pk

Network Details:

Queries listed without an address returned no answer recorded by the sandbox.

DNS: picturestorm.net  Type: A  ➝ 80.67.28.202
DNS: familytraining.net  Type: A  ➝ 199.34.228.55
DNS: englishtraining.net  Type: A  ➝ 87.106.228.208
DNS: expecthowever.net  Type: A  ➝ 95.211.230.75
DNS: cigarettetraining.net  Type: A
DNS: cigarettestorm.net  Type: A
DNS: picturethrown.net  Type: A
DNS: cigarettethrown.net  Type: A
DNS: childrenhunger.net  Type: A
DNS: familyhunger.net  Type: A
DNS: childrentraining.net  Type: A
DNS: childrenstorm.net  Type: A
DNS: familystorm.net  Type: A
DNS: childrenthrown.net  Type: A
DNS: familythrown.net  Type: A
DNS: eitherhunger.net  Type: A
DNS: englishhunger.net  Type: A
DNS: eithertraining.net  Type: A
DNS: eitherstorm.net  Type: A
DNS: englishstorm.net  Type: A
DNS: eitherthrown.net  Type: A
DNS: englishthrown.net  Type: A
DNS: expectchoose.net  Type: A
DNS: becausechoose.net  Type: A
DNS: expectalthough.net  Type: A
DNS: becausealthough.net  Type: A
DNS: expectperiod.net  Type: A
DNS: becauseperiod.net  Type: A
DNS: becausehowever.net  Type: A
DNS: personchoose.net  Type: A
DNS: machinechoose.net  Type: A
DNS: personalthough.net  Type: A
DNS: machinealthough.net  Type: A
DNS: personperiod.net  Type: A
DNS: machineperiod.net  Type: A
DNS: personhowever.net  Type: A
DNS: machinehowever.net  Type: A
DNS: suddenchoose.net  Type: A
DNS: foreignchoose.net  Type: A
DNS: suddenalthough.net  Type: A
DNS: foreignalthough.net  Type: A
DNS: suddenperiod.net  Type: A
DNS: foreignperiod.net  Type: A
DNS: suddenhowever.net  Type: A
DNS: foreignhowever.net  Type: A
DNS: whetherchoose.net  Type: A
DNS: rightchoose.net  Type: A
DNS: whetheralthough.net  Type: A
DNS: rightalthough.net  Type: A
DNS: whetherperiod.net  Type: A
DNS: rightperiod.net  Type: A
DNS: whetherhowever.net  Type: A
DNS: righthowever.net  Type: A
DNS: figurechoose.net  Type: A
DNS: thoughchoose.net  Type: A
DNS: figurealthough.net  Type: A
DNS: thoughalthough.net  Type: A
DNS: figureperiod.net  Type: A
DNS: thoughperiod.net  Type: A
DNS: figurehowever.net  Type: A
DNS: thoughhowever.net  Type: A
DNS: picturechoose.net  Type: A
DNS: cigarettechoose.net  Type: A
DNS: picturealthough.net  Type: A
DNS: cigarettealthough.net  Type: A
DNS: pictureperiod.net  Type: A
DNS: cigaretteperiod.net  Type: A
DNS: picturehowever.net  Type: A
DNS: cigarettehowever.net  Type: A
DNS: childrenchoose.net  Type: A
DNS: familychoose.net  Type: A
DNS: childrenalthough.net  Type: A
DNS: familyalthough.net  Type: A
DNS: childrenperiod.net  Type: A
DNS: familyperiod.net  Type: A
DNS: childrenhowever.net  Type: A
DNS: familyhowever.net  Type: A
DNS: eitherchoose.net  Type: A
DNS: englishchoose.net  Type: A
DNS: eitheralthough.net  Type: A
DNS: englishalthough.net  Type: A
DNS: eitherperiod.net  Type: A
DNS: englishperiod.net  Type: A
DNS: eitherhowever.net  Type: A
DNS: englishhowever.net  Type: A
HTTP GET: http://picturestorm.net/index.php  User-Agent: (none; the captured request carries no User-Agent header, see Raw Pcap)
HTTP GET: http://familytraining.net/index.php  User-Agent: (none)
HTTP GET: http://englishtraining.net/index.php  User-Agent: (none)
HTTP GET: http://expecthowever.net/index.php  User-Agent: (none)
Flow TCP: 192.168.1.1:1031 ➝ 80.67.28.202:80
Flow TCP: 192.168.1.1:1032 ➝ 199.34.228.55:80
Flow TCP: 192.168.1.1:1033 ➝ 87.106.228.208:80
Flow TCP: 192.168.1.1:1034 ➝ 95.211.230.75:80
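
The query list above has the shape of a dictionary DGA: every name is two English words glued together under .net, looked up in bulk until a few resolve. The Python below is an added example, not part of this report or of the sample; it takes a constructed subset of the names above (plus two benign control names that are not in the report) and flags the pattern the way a DNS-log detector would. The word list is an assumption assembled only from labels visible in this run, not the sample's real dictionary, and the thresholds are starting points, not tuned values.

```python
from collections import Counter

# Assumption: vocabulary recovered from the labels seen in this run only.
OBSERVED_WORDS = frozenset("""
picture family english expect cigarette children either because person machine
sudden foreign whether right figure though
storm training thrown hunger however choose although period
""".split())

# Constructed sample: 20 names from the report (4 resolved) plus two benign
# control lookups that are not in the report. TEST-NET address used for the control.
SAMPLE_QUERIES = [
    ("picturestorm.net", "80.67.28.202"),
    ("familytraining.net", "199.34.228.55"),
    ("englishtraining.net", "87.106.228.208"),
    ("expecthowever.net", "95.211.230.75"),
    ("cigarettetraining.net", None), ("cigarettestorm.net", None),
    ("picturethrown.net", None), ("childrenhunger.net", None),
    ("familyhunger.net", None), ("eitherthrown.net", None),
    ("becausechoose.net", None), ("machinealthough.net", None),
    ("suddenperiod.net", None), ("foreignhowever.net", None),
    ("whetherchoose.net", None), ("rightalthough.net", None),
    ("figureperiod.net", None), ("thoughhowever.net", None),
    ("englishhowever.net", None), ("personchoose.net", None),
    ("www.example.com", "192.0.2.10"),      # constructed benign control
    ("update.example.org", None),           # constructed benign control
]


def registered_label(domain):
    """Second-level label of a name (naive: assumes a one-label public suffix)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def two_word_splits(label, vocab=OBSERVED_WORDS):
    """Every (w1, w2) with w1 + w2 == label and both halves in the vocabulary."""
    return [(label[:i], label[i:]) for i in range(1, len(label))
            if label[:i] in vocab and label[i:] in vocab]


def summarize(queries, vocab=OBSERVED_WORDS):
    """Counts a detector would key on: how many names fit the two-word
    pattern, how many actually resolved, and the TLD spread."""
    return {
        "total": len(queries),
        "two_word": sum(1 for name, _ in queries
                        if two_word_splits(registered_label(name), vocab)),
        "resolved": sum(1 for _, ip in queries if ip),
        "tlds": dict(Counter(name.rsplit(".", 1)[-1].lower() for name, _ in queries)),
    }


def is_dictionary_dga_burst(queries, vocab=OBSERVED_WORDS, min_queries=10,
                            min_fit_ratio=0.8, max_resolved_ratio=0.5):
    """Flag a burst of lookups from one host when most names are two-word
    concatenations and most of them fail to resolve. Thresholds are assumptions."""
    s = summarize(queries, vocab)
    if s["total"] < min_queries:
        return False
    return (s["two_word"] / s["total"] >= min_fit_ratio
            and s["resolved"] / s["total"] <= max_resolved_ratio)


if __name__ == "__main__":
    print(summarize(SAMPLE_QUERIES))
    print("DGA burst:", is_dictionary_dga_burst(SAMPLE_QUERIES))
    print(two_word_splits("righthowever"))
```

The resolved-ratio check matters: a single host generating dozens of distinct two-word .net names of which only a handful answer is the signal, while the four that did resolve are the candidate C2 addresses worth the blocklist. Run against real resolver logs the vocabulary should be replaced with the dictionary recovered from the binary, otherwise only this run's word subset is caught.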

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   69637475 72657374 6f726d2e 6e65740d   icturestorm.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   616d696c 79747261 696e696e 672e6e65   amilytraining.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   6e676c69 73687472 61696e69 6e672e6e   nglishtraining.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   78706563 74686f77 65766572 2e6e6574   xpecthowever.net
0x00000050 (00080)   0d0a0d0a 0d0a                         ......
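
The hex dumps above are the complete beacon requests, and the most useful fact in them is what is missing: a bare HTTP/1.0 GET for /index.php with Accept, Connection and Host but no User-Agent header. The Python below is an added example, not part of this report; it reassembles the first dump verbatim from the text above into bytes, parses the request, and applies a heuristic derived only from this capture (an assumption, not a vendor signature). The browser-style request used as a negative control is constructed.

```python
import re

# The first dump from the Raw Pcap section, copied verbatim (columns are
# offset, hex, ASCII, separated by runs of three or more spaces).
RAW_DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   69637475 72657374 6f726d2e 6e65740d   icturestorm.net.
0x00000050 (00080)   0a0d0a                                ...
"""

# Constructed negative control: what a browser would send to the same path.
BROWSER_REQUEST = (b"GET /index.php HTTP/1.1\r\nHost: example.com\r\n"
                   b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\n"
                   b"Connection: close\r\n\r\n")


def dump_to_bytes(dump):
    """Reassemble payload bytes from the dump. Splitting on runs of 3+ spaces
    isolates the hex column without being confused by the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        cols = re.split(r"\s{3,}", line.rstrip(), maxsplit=2)
        if len(cols) < 2:
            raise ValueError(f"unrecognised dump line: {line!r}")
        out += bytes.fromhex(cols[1].replace(" ", ""))
    return bytes(out)


def parse_http_request(payload):
    """Split a plain HTTP/1.x request into request line, headers and body.
    Header names are lower-cased; duplicates are kept in order."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for raw in lines[1:]:
        name, _, value = raw.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def header(req, name):
    """First value of a header, or None when the request does not carry it."""
    for k, v in req["headers"]:
        if k == name.lower():
            return v
    return None


def matches_bayrob_beacon(req):
    """Heuristic from this capture: HTTP/1.0 GET /index.php, Accept: */*,
    Connection: close, a Host header, and no User-Agent at all. The absent
    User-Agent is the strongest single tell; browsers and most libraries send one."""
    return (req["method"] == "GET"
            and req["target"] == "/index.php"
            and req["version"] == "HTTP/1.0"
            and header(req, "accept") == "*/*"
            and header(req, "connection") == "close"
            and header(req, "host") is not None
            and header(req, "user-agent") is None)


def analyse_dump(dump=RAW_DUMP):
    """Decode a dump, parse it, and attach the beacon verdict."""
    req = parse_http_request(dump_to_bytes(dump))
    req["beacon_like"] = matches_bayrob_beacon(req)
    return req


if __name__ == "__main__":
    r = analyse_dump()
    print(r["method"], r["target"], r["version"], "Host:", header(r, "host"))
    print("beacon-like:", r["beacon_like"])
    print("browser control:", matches_bayrob_beacon(parse_http_request(BROWSER_REQUEST)))
```

The same five fields (method, URI, version, the three headers present and the one absent) translate directly into an IDS rule or a proxy-log query; matching on the URI alone would be far too noisy, while the HTTP/1.0 plus missing User-Agent combination on port 80 to a freshly registered two-word .net name is specific enough to alert on.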


Strings