Analysis Date: 2016-02-10 06:40:29
MD5: 703658a7cc9e4fad6414da3b9d85d280
SHA1: d31c64e72a5189260bc1aff2bc0b9f7e1dd1ef4e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: f55362dfca478d9d448e47fa26c12805 sha1: 577cbe30d61ddf3082077f941d2d06dd84445062 size: 1097216
Section .rdata md5: a54c5c38b9058ac5597b5d9ce3f12249 sha1: bf81fdae1f39c0c7941e94685789dac351b68ae9 size: 318976
Section .data md5: 916d52df17d1dfb63d9145bbe3ce0dca sha1: 46f3bd11760b33e1b076a9e8dfa02d1e578fc98a size: 11264
Section .reloc md5: d50b410e679f4cdd86c9bcfea099e1ae sha1: 772b0c674bd687d8cfe15ec85088f1f7335e050a size: 70656
Timestamp: 2015-04-30 21:29:55
Packer: Microsoft Visual C++ 8
PEhash: 191fe363ef220cc92cb0ec7bb40d2f438a51fbbb
IMPhash: 639354e46bc52da981f83fab36480db0
AV Eset (nod32): Win32/Bayrob.R
AV CA (E-Trust Ino): No Virus
AV MalwareBytes: No Virus
AV BullGuard: Gen:Variant.Razy.5659
AV F-Secure: Gen:Variant.Razy.5659
AV MicroWorld (escan): Gen:Variant.Razy.5659
AV BitDefender: Gen:Variant.Razy.5659
AV VirusBlokAda (vba32): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Arcabit (arcavir): Gen:Variant.Razy.5659
AV Dr. Web: Trojan.Bayrob.1
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV Mcafee: No Virus
AV Alwil (avast): Dropper-OJI [Drp]
AV Kaspersky: Trojan.Win32.Generic
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV Fortinet: W32/Kryptic.WU!tr
AV Emsisoft: Gen:Variant.Razy.5659
AV Avira (antivir): TR/Boryab.aiez
AV Symantec: Downloader.Upatre!g15
AV Frisk (f-prot): No Virus
AV Zillya!: Trojan.Bayrob.Win32.1288
AV Ad-Aware: Gen:Variant.Razy.5659
AV Rising: 0x58e5e5db
AV Grisoft (avg): Win32/Cryptor
AV Twister: W32.Bayrob.R.hbaa
AV Trend Micro: No Virus
AV K7: Trojan ( 004c77f41 )
AV ClamAV: No Virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AF

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dpjheusf1lsqprq4o5hw.exe
Creates File: C:\WINDOWS\system32\cayyduzvhnzxie\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dpjheusf1lsqprq4o5hw.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\dpjheusf1lsqprq4o5hw.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Registrar Themes Client Image Panel Update ➝ C:\WINDOWS\system32\qbitfezgws.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\cayyduzvhnzxie\lck
Creates File: C:\WINDOWS\system32\qbitfezgws.exe
Creates File: C:\WINDOWS\system32\cayyduzvhnzxie\etc
Creates File: C:\WINDOWS\system32\cayyduzvhnzxie\tst
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\qbitfezgws.exe
Creates Service: Session List User-mode Routing Web - C:\WINDOWS\system32\qbitfezgws.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1856

Process
↳ Pid 1160

Process
↳ C:\WINDOWS\system32\qbitfezgws.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\cayyduzvhnzxie\run
Creates File: C:\WINDOWS\system32\cayyduzvhnzxie\lck
Creates File: C:\WINDOWS\system32\cayyduzvhnzxie\cfg
Creates File: C:\WINDOWS\system32\cayyduzvhnzxie\rng
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\nndpvfsqfjn.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\dpjheusf1t2gpr.exe
Creates File: C:\WINDOWS\system32\cayyduzvhnzxie\tst
Creates Process: WATCHDOGPROC "c:\windows\system32\qbitfezgws.exe"
Creates Process: C:\WINDOWS\TEMP\dpjheusf1t2gpr.exe -r 30388 tcp

Process
↳ C:\WINDOWS\system32\qbitfezgws.exe

Creates File: C:\WINDOWS\system32\cayyduzvhnzxie\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\qbitfezgws.exe"

Creates File: C:\WINDOWS\system32\cayyduzvhnzxie\tst

Process
↳ C:\WINDOWS\TEMP\dpjheusf1t2gpr.exe -r 30388 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: naildeep.com Type: A ➝ 74.220.215.218
DNS: lifefind.net Type: A ➝ 207.148.248.143
DNS: lifewear.net Type: A ➝ 72.29.73.31
DNS: ableread.net Type: A
DNS: maybellinecherokee.net Type: A
DNS: alexandrinacalleigh.net Type: A
DNS: recordtrust.net Type: A
DNS: electricseparate.net Type: A
DNS: flierdress.net Type: A
DNS: oftenbranch.net Type: A
DNS: thicklaughter.net Type: A
DNS: rathersystem.net Type: A
DNS: strangedistant.net Type: A
DNS: doubtpaint.net Type: A
DNS: recorddivide.net Type: A
DNS: withmarry.net Type: A
DNS: withgoes.net Type: A
DNS: eggbraker.com Type: A
DNS: ithouneed.com Type: A
DNS: ballhurt.net Type: A
DNS: enemytold.net Type: A
DNS: lifetold.net Type: A
DNS: enemyfind.net Type: A
DNS: enemywear.net Type: A
DNS: enemyhurt.net Type: A
DNS: lifehurt.net Type: A
DNS: mouthtold.net Type: A
DNS: tilltold.net Type: A
DNS: mouthfind.net Type: A
DNS: tillfind.net Type: A
HTTP GET: http://naildeep.com/index.php?method=validate&mode=sox&v=049&sox=4ea71603&lenhdr
User-Agent:
HTTP GET: http://lifefind.net/index.php?method=validate&mode=sox&v=049&sox=4ea71603&lenhdr
User-Agent:
HTTP GET: http://lifewear.net/index.php?method=validate&mode=sox&v=049&sox=4ea71603&lenhdr
User-Agent:
Flows TCP: 192.168.1.1:1037 ➝ 74.220.215.218:80
Flows TCP: 192.168.1.1:1038 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1039 ➝ 72.29.73.31:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3034 3926736f   ode=sox&v=049&so
0x00000030 (00048)   783d3465 61373136 3033266c 656e6864   x=4ea71603&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206e61 696c6465 65702e63 6f6d0d0a   : naildeep.com..
0x00000080 (00128)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3034 3926736f   ode=sox&v=049&so
0x00000030 (00048)   783d3465 61373136 3033266c 656e6864   x=4ea71603&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206c69 66656669 6e642e6e 65740d0a   : lifefind.net..
0x00000080 (00128)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3034 3926736f   ode=sox&v=049&so
0x00000030 (00048)   783d3465 61373136 3033266c 656e6864   x=4ea71603&lenhd
0x00000040 (00064)   72204854 54502f31 2e300d0a 41636365   r HTTP/1.0..Acce
0x00000050 (00080)   70743a20 2a2f2a0d 0a436f6e 6e656374   pt: */*..Connect
0x00000060 (00096)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x00000070 (00112)   3a206c69 66657765 61722e6e 65740d0a   : lifewear.net..
0x00000080 (00128)   0d0a                                  ..


Strings