Analysis Date: 2016-01-28 17:33:52
MD5: 59bfd7cc76d657ee223e6156d35b8cd1
SHA1: d5acf0b91377525280a6c1bba714984baede631d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: c103b4a8e7dd80daf621086e3d5e9afc  sha1: 3e786f7ba67e8ece1a01c8b4a4d6e4974cb83516  size: 902144
Section .rdata  md5: 90c36140b2f11742a6b52324ca831998  sha1: a62ea067682c9410e71600b4865f826183a67884  size: 377856
Section .data   md5: 349512bba8909c0ece9f1acae7ad13b9  sha1: afaace1bc674960a9b0067cabfcfee699ec5e5dc  size: 7168
Section .reloc  md5: 71925791197b775180f0dde30cc12200  sha1: 8dbbed30dccb6a4e6f3b4f899f4997305b5a5d3c  size: 121856
Timestamp: 2015-12-15 16:21:53
Packer: VC8 -> Microsoft Corporation (a PEiD-style compiler signature for Microsoft Visual C++ 8; no packer was identified)
PEhash: ec19b64e134d5ab253cfffef258c6249a23380fb
IMPhash: a17d1948d347ea69e690d0cce75b7101
AV Rising: No Virus
AV McAfee: No Virus
AV Avira (antivir): TR/Crypt.Xpack.416966
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Kazy.788788
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.AG
AV Grisoft (avg): Generic37.FIJ
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.AT!tr
AV BitDefender: Gen:Variant.Kazy.788788
AV K7: Trojan ( 004da8bd1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV MicroWorld (escan): Gen:Variant.Kazy.788788
AV MalwareBytes: No Virus
AV Authentium: W32/Trojan.NYYT-1277
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Kazy.788788
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Gen:Variant.Kazy.788788
AV Arcabit (arcavir): Gen:Variant.Kazy.788788
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader18.36285
AV F-Secure: Gen:Variant.Kazy.788788
AV CA (E-Trust Ino): No Virus
Summary: 19 of 30 engines flag the file. The only family names given are Bayrob (Eset, Fortinet, Ikarus) and Nivdort (Microsoft, Quick Heal); the remaining verdicts are generic or heuristic.
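The section hashes above are digests over each section's raw bytes, and all four sizes are multiples of 0x200 (the usual file alignment), so they are consistent with SizeOfRawData. Recomputing them is how you confirm that a sample in hand is the same build as the one analysed here even when the outer file hash differs (an appended overlay changes the file MD5 but not the .text digest). The following is an added example, not code from the report or from any analysis tool: it walks the PE headers with the standard library only, recomputes section digests and the compile timestamp, and compares them against the values listed above. The PE image it builds for testing is constructed, the report's timestamp is treated as UTC (the report does not state a timezone), and the plausibility window is an assumption.

```python
import datetime
import hashlib
import struct

# Section MD5s and raw sizes as listed in the report above.
REPORT_SECTIONS = {
    ".text":  ("c103b4a8e7dd80daf621086e3d5e9afc", 902144),
    ".rdata": ("90c36140b2f11742a6b52324ca831998", 377856),
    ".data":  ("349512bba8909c0ece9f1acae7ad13b9", 7168),
    ".reloc": ("71925791197b775180f0dde30cc12200", 121856),
}
REPORT_ANALYSIS_DATE = "2016-01-28 17:33:52"   # from the report; timezone not stated, treated as UTC (assumption)

COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)


def hash_bytes(data):
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def parse_pe(image):
    """DOS header -> PE signature -> COFF header -> section table; hash SizeOfRawData bytes of each section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, image, coff_off)
    sec_off = coff_off + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, image, sec_off + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:
            raise ValueError("section %r points past end of file" % name)
        entry = {"name": name.rstrip(b"\0").decode("ascii", "replace"), "size": raw_size}
        entry.update(hash_bytes(raw))
        sections.append(entry)
    when = datetime.datetime.fromtimestamp(ts, datetime.timezone.utc)
    return {"machine": machine, "timestamp": when.strftime("%Y-%m-%d %H:%M:%S"), "sections": sections}


def compare_with_report(parsed, report=REPORT_SECTIONS):
    """Names of report sections whose MD5 or raw size differs from the parsed file (empty list = same build)."""
    seen = {s["name"]: s for s in parsed["sections"]}
    mismatches = []
    for name, (md5, size) in report.items():
        s = seen.get(name)
        if s is None or s["md5"] != md5 or s["size"] != size:
            mismatches.append(name)
    return mismatches


def timestamp_plausible(parsed, analysis_date=REPORT_ANALYSIS_DATE):
    """A compile stamp after the analysis date, or before 2000, suggests it was forged or zeroed (window is an assumption)."""
    return "2000-01-01 00:00:00" <= parsed["timestamp"] <= analysis_date


def build_test_pe(sections, timestamp=1450196513):
    """Constructed minimal PE32 for offline testing; 1450196513 is 2015-12-15 16:21:53 UTC, the report's stamp."""
    nsec, e_lfanew, opt_size = len(sections), 0x40, 224
    headers_len = e_lfanew + 4 + struct.calcsize(COFF_FMT) + opt_size + 40 * nsec
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF                # first section starts at the next 0x200 boundary
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack(COFF_FMT, 0x14C, nsec, timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    table, body, va = b"", b"", 0x1000
    for name, data in sections:
        padded = data + b"\0" * (-len(data) % 0x200)        # file alignment 0x200, matching the report's sizes
        table += struct.pack(SECTION_FMT, name.encode(), len(data), va, len(padded), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(padded)
        va += (len(data) + 0xFFF) & ~0xFFF
        body += padded
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return head + b"\0" * (((headers_len + 0x1FF) & ~0x1FF) - len(head)) + body


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe([(".text", b"\x90" * 300)])
    info = parse_pe(data)
    print(info["timestamp"], "plausible" if timestamp_plausible(info) else "SUSPECT")
    for s in info["sections"]:
        print("%-8s md5: %s  sha1: %s  size: %d" % (s["name"], s["md5"], s["sha1"], s["size"]))
    print("sections differing from report:", compare_with_report(info))
```

Run it as `python pe_sections.py sample.exe` to print the same four fields the report shows; an empty mismatch list means the sample is byte-identical in every listed section. Hashing SizeOfRawData rather than VirtualSize is what makes the digests comparable across tools.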

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\x56fltwl9b5hanetvyhftdvuy.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\embojled\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\x56fltwl9b5hanetvyhftdvuy.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\x56fltwl9b5hanetvyhftdvuy.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Management Session Center Receiver ➝ C:\WINDOWS\system32\wwkensrerf.exe
Creates File: C:\WINDOWS\system32\embojled\lck
Creates File: C:\WINDOWS\system32\wwkensrerf.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\embojled\tst
Creates Process: C:\WINDOWS\system32\wwkensrerf.exe
Creates Service: Video Configuration Offline Removal - C:\WINDOWS\system32\wwkensrerf.exe

Process
↳ Pid 800

Process
↳ Pid 852

Process
↳ Pid 1020

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File: WMIDataDevice

Process
↳ Pid 1856

Process
↳ Pid 1120

Process
↳ C:\WINDOWS\system32\wwkensrerf.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\embojled\cfg
Creates File: C:\WINDOWS\system32\oommmkbse.exe
Creates File: C:\WINDOWS\system32\embojled\lck
Creates File: C:\WINDOWS\TEMP\x56fltwls1v3lyetv.exe
Creates File: C:\WINDOWS\system32\embojled\rng
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\embojled\run
Creates File: C:\WINDOWS\system32\embojled\tst
Deletes File: C:\WINDOWS\TEMP\x56fltwls1v3lyetv.exe
Creates Process: C:\WINDOWS\TEMP\x56fltwls1v3lyetv.exe -r 45146 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\wwkensrerf.exe"

Process
↳ C:\WINDOWS\system32\wwkensrerf.exe

Process
↳ WATCHDOGPROC "c:\windows\system32\wwkensrerf.exe"

Creates File: C:\WINDOWS\system32\embojled\tst

Process
↳ C:\WINDOWS\TEMP\x56fltwls1v3lyetv.exe -r 45146 tcp
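The runtime chain above is: malware.exe writes and runs an executable in the user's Temp directory; that dropper installs wwkensrerf.exe under system32 with both a Run value ("Management Session Center Receiver") and a service ("Video Configuration Offline Removal"); the installed binary then sets FirewallDisableNotify to 1, writes a second executable to C:\WINDOWS\TEMP, runs it with "-r 45146 tcp", deletes it, and relaunches its own image with a WATCHDOGPROC argument. None of the random file names are worth a signature, but every step is a generic behaviour that a host detection can key on. The following is an added example, not part of the report: it transcribes the listed events into a simple event list and runs behaviour rules over them. The sandbox groups events by operation, so the order within a process is not chronological and the rules deliberately do not depend on it; the event format, the rule names and the constant names DROPPER, IMPLANT and HELPER are this example's own.

```python
import re
from collections import defaultdict

# Labels for the three executables in the report chain (names are this example's, paths are the report's).
DROPPER = r"C:\Documents and Settings\Administrator\Local Settings\Temp\x56fltwl9b5hanetvyhftdvuy.exe"
IMPLANT = r"C:\WINDOWS\system32\wwkensrerf.exe"
HELPER = r"C:\WINDOWS\TEMP\x56fltwls1v3lyetv.exe"

# (acting process image, operation, target) transcribed from the runtime section above.
# registry_set and create_service targets are written as "<key or service name>=<value>".
EVENTS = [
    (r"C:\malware.exe", "create_file", DROPPER),
    (r"C:\malware.exe", "create_process", DROPPER),
    (DROPPER, "registry_set", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Management Session Center Receiver=" + IMPLANT),
    (DROPPER, "create_file", IMPLANT),
    (DROPPER, "create_process", IMPLANT),
    (DROPPER, "create_service", "Video Configuration Offline Removal=" + IMPLANT),
    (r"C:\WINDOWS\system32\spoolsv.exe", "registry_set", r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled=NULL"),
    (IMPLANT, "registry_set", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify=1"),
    (IMPLANT, "create_file", HELPER),
    (IMPLANT, "delete_file", HELPER),
    (IMPLANT, "create_process", HELPER + " -r 45146 tcp"),
    (IMPLANT, "create_process", 'WATCHDOGPROC "c:\\windows\\system32\\wwkensrerf.exe"'),
]


def norm(path):
    """Case-insensitive path comparison key (the report mixes C:\\WINDOWS and c:\\windows)."""
    return path.strip().strip('"').lower()


def image_of(cmdline):
    """Image path referenced by a command line: a quoted .exe if present, else the leading path up to .exe."""
    m = re.search(r'"([^"]+\.exe)"', cmdline, re.I)
    if not m:
        m = re.match(r"(.*?\.exe)(?:\s|$)", cmdline, re.I)
    return norm(m.group(1)) if m else norm(cmdline)


def detect(events):
    """Return (rule, evidence) findings; rules are order-independent so grouped sandbox output still works."""
    created, deleted, launched = defaultdict(set), defaultdict(set), defaultdict(set)
    for proc, op, target in events:
        if op == "create_file":
            created[norm(target)].add(norm(proc))
        elif op == "delete_file":
            deleted[norm(target)].add(norm(proc))
        elif op == "create_process":
            launched[image_of(target)].add(norm(proc))

    findings = []
    # An executable that was written during the trace and then executed; if also deleted, it was a throwaway stage.
    for image in launched:
        if image.endswith(".exe") and image in created:
            findings.append(("drop_and_execute", image))
            if image in deleted:
                findings.append(("execute_then_delete", image))
    for proc, op, target in events:
        if op in ("registry_set", "create_service"):
            key, _, value = target.rpartition("=")
            # Persistence (Run value or service) whose binary did not exist before this trace.
            if op == "registry_set" and "\\run\\" in key.lower() and norm(value) in created:
                findings.append(("run_key_to_dropped_binary", key))
            if op == "create_service" and image_of(value) in created:
                findings.append(("service_to_dropped_binary", key))
            # Security Center notification flags set to 1 suppress the user-visible warning.
            if "security center" in key.lower() and value.strip() == "1":
                findings.append(("security_center_notification_disabled", key))
        # A process relaunching its own image under a different command line (the WATCHDOGPROC pattern above).
        if op == "create_process" and image_of(target) == norm(proc) and norm(target) != norm(proc):
            findings.append(("self_respawn_with_args", target))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(EVENTS):
        print("%-40s %s" % (rule, evidence))
```

The same rules map onto Sysmon event IDs 11 (file create), 23 (file delete), 1 (process create), 13 (registry value set) and the System log's 7045 (service installed); the point of matching on the relationships between events rather than on names is that the next build of this family uses different random names but the same chain.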

Network Details:

DNS: journeymeasure.net  Type: A  ➝ 50.87.249.65
DNS: simonettedwerryhouse.net  Type: A  ➝ 98.139.135.129
DNS: morningduring.net  Type: A  ➝ 98.139.135.129
DNS: riddenstorm.net  Type: A  ➝ 66.147.240.171
DNS: effortbuilt.net  Type: A  ➝ 198.27.70.45
DNS: thosewhile.net  Type: A  ➝ 198.27.70.45
DNS: fearboat.net  Type: A  ➝ 195.22.28.198, 195.22.28.199, 195.22.28.196, 195.22.28.197
DNS: westboat.net  Type: A  ➝ 213.186.33.104
DNS: westrest.net  Type: A  ➝ 208.100.26.234
DNS: leadpress.net  Type: A  ➝ 98.124.199.4
DNS: orderthrown.net  Type: A  ➝ (no address recorded)
DNS: decidepromise.net  Type: A  ➝ (no address recorded)
DNS: seasonstrong.net  Type: A  ➝ (no address recorded)
DNS: chiefanother.net  Type: A  ➝ (no address recorded)
DNS: gwendolynhuddleston.net  Type: A  ➝ (no address recorded)
DNS: oftensurprise.net  Type: A  ➝ (no address recorded)
DNS: likropen.net  Type: A  ➝ (no address recorded)
DNS: fearpress.net  Type: A  ➝ (no address recorded)
DNS: westpress.net  Type: A  ➝ (no address recorded)
DNS: fearrest.net  Type: A  ➝ (no address recorded)
DNS: fearopen.net  Type: A  ➝ (no address recorded)
DNS: westopen.net  Type: A  ➝ (no address recorded)
DNS: tableboat.net  Type: A  ➝ (no address recorded)
DNS: leadboat.net  Type: A  ➝ (no address recorded)
DNS: tablepress.net  Type: A  ➝ (no address recorded)
DNS: tablerest.net  Type: A  ➝ (no address recorded)
DNS: leadrest.net  Type: A  ➝ (no address recorded)
DNS: tableopen.net  Type: A  ➝ (no address recorded)
DNS: leadopen.net  Type: A  ➝ (no address recorded)
DNS: pointboat.net  Type: A  ➝ (no address recorded)
DNS: callboat.net  Type: A  ➝ (no address recorded)
DNS: pointpress.net  Type: A  ➝ (no address recorded)
DNS: callpress.net  Type: A  ➝ (no address recorded)
DNS: pointrest.net  Type: A  ➝ (no address recorded)
DNS: callrest.net  Type: A  ➝ (no address recorded)
DNS: pointopen.net  Type: A  ➝ (no address recorded)
Note: the report lists no address for the last 26 names; it does not say whether the resolver returned NXDOMAIN or the sandbox simply captured no response. The unresolved names are combinations of a small word set (fear, west, table, lead, point, call with boat, press, rest, open), so the list will differ on a later run.
HTTP GET: http://journeymeasure.net/index.php  User-Agent: (empty)
HTTP GET: http://simonettedwerryhouse.net/index.php  User-Agent: (empty)
HTTP GET: http://morningduring.net/index.php  User-Agent: (empty)
HTTP GET: http://riddenstorm.net/index.php  User-Agent: (empty)
HTTP GET: http://effortbuilt.net/index.php  User-Agent: (empty)
HTTP GET: http://thosewhile.net/index.php  User-Agent: (empty)
HTTP GET: http://fearboat.net/index.php  User-Agent: (empty)
HTTP GET: http://westboat.net/index.php  User-Agent: (empty)
HTTP GET: http://westrest.net/index.php  User-Agent: (empty)
HTTP GET: http://leadpress.net/index.php  User-Agent: (empty)
Flows TCP: 192.168.1.1:1036 ➝ 50.87.249.65:80
Flows TCP: 192.168.1.1:1037 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1038 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1040 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1041 ➝ 198.27.70.45:80
Flows TCP: 192.168.1.1:1042 ➝ 198.27.70.45:80
Flows TCP: 192.168.1.1:1043 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1044 ➝ 213.186.33.104:80
Flows TCP: 192.168.1.1:1045 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1046 ➝ 98.124.199.4:80
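Two things in the network section are more durable than the 36 names themselves: every HTTP request is a GET for /index.php with an empty User-Agent, sent to one host after another, and most of the names looked up are lowercase word-pair .net domains that returned no address. A blocklist of these names ages quickly; a rule on those two traits does not. The following is an added example and not code from the report: the log lines are constructed from the entries above (a subset of the names, plus one benign client for contrast), the log format is invented for the example, and names for which the report records no address are written as NXDOMAIN, which is an assumption since the report does not say how those lookups failed.

```python
import re
from collections import defaultdict

# Constructed log reproducing part of the DNS and HTTP activity above; the two-line format is this example's own:
#   dns  <client> <name> <ip or NXDOMAIN>
#   http <client> <method> <url> ua=<user agent, possibly empty>
LOG = """\
dns 192.168.1.1 journeymeasure.net 50.87.249.65
dns 192.168.1.1 simonettedwerryhouse.net 98.139.135.129
dns 192.168.1.1 morningduring.net 98.139.135.129
dns 192.168.1.1 riddenstorm.net 66.147.240.171
dns 192.168.1.1 fearboat.net 195.22.28.198
dns 192.168.1.1 westboat.net 213.186.33.104
dns 192.168.1.1 westrest.net 208.100.26.234
dns 192.168.1.1 leadpress.net 98.124.199.4
dns 192.168.1.1 orderthrown.net NXDOMAIN
dns 192.168.1.1 fearpress.net NXDOMAIN
dns 192.168.1.1 westpress.net NXDOMAIN
dns 192.168.1.1 fearrest.net NXDOMAIN
dns 192.168.1.1 fearopen.net NXDOMAIN
dns 192.168.1.1 westopen.net NXDOMAIN
dns 192.168.1.1 tableboat.net NXDOMAIN
dns 192.168.1.1 leadboat.net NXDOMAIN
dns 192.168.1.1 tablepress.net NXDOMAIN
dns 192.168.1.1 tablerest.net NXDOMAIN
dns 192.168.1.2 www.example.com 93.184.216.34
http 192.168.1.1 GET http://journeymeasure.net/index.php ua=
http 192.168.1.1 GET http://simonettedwerryhouse.net/index.php ua=
http 192.168.1.1 GET http://morningduring.net/index.php ua=
http 192.168.1.1 GET http://riddenstorm.net/index.php ua=
http 192.168.1.1 GET http://fearboat.net/index.php ua=
http 192.168.1.2 GET http://www.example.com/ ua=Mozilla/5.0
"""

# A single all-letter label under .net, no digits or hyphens: the shape of every name in the report.
WORDISH = re.compile(r"^[a-z]{6,24}\.net$")


def parse_log(text):
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if parts[0] == "dns":
            _, client, name, answer = parts
            events.append({"type": "dns", "client": client, "name": name.lower(), "answer": answer})
        elif parts[0] == "http":
            _, client, method, rest = parts
            url, _, ua = rest.partition(" ua=")
            events.append({"type": "http", "client": client, "method": method, "url": url, "ua": ua})
    return events


def failed_lookup_burst(events, threshold=5):
    """Clients with at least `threshold` failed lookups of distinct word-like .net names (threshold is a tuning choice)."""
    failed = defaultdict(set)
    for e in events:
        if e["type"] == "dns" and e["answer"] == "NXDOMAIN" and WORDISH.match(e["name"]):
            failed[e["client"]].add(e["name"])
    return {c: sorted(n) for c, n in failed.items() if len(n) >= threshold}


def empty_ua_beacons(events, min_hosts=3):
    """(client, path) pairs requested from at least `min_hosts` distinct hosts with an empty User-Agent."""
    hosts = defaultdict(set)
    for e in events:
        if e["type"] == "http" and e["ua"] == "":
            m = re.match(r"https?://([^/]+)(/.*)?$", e["url"])
            if m:
                hosts[(e["client"], m.group(2) or "/")].add(m.group(1))
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}


def shared_answers(events, min_names=2):
    """Addresses that several of the word-like names resolved to; these are the IPs worth pivoting on."""
    names = defaultdict(set)
    for e in events:
        if e["type"] == "dns" and e["answer"] != "NXDOMAIN" and WORDISH.match(e["name"]):
            names[e["answer"]].add(e["name"])
    return {ip: sorted(n) for ip, n in names.items() if len(n) >= min_names}


if __name__ == "__main__":
    ev = parse_log(LOG)
    print("failed-lookup bursts:", failed_lookup_burst(ev))
    print("empty-UA beacons:", empty_ua_beacons(ev))
    print("shared answers:", shared_answers(ev))
```

The thresholds are starting points, not facts from the report: a client that fails five distinct word-shaped .net lookups in one trace is rare on a workstation, and an empty User-Agent against the same path on several hosts is rarer still. The resolved addresses are what you feed to passive DNS to find the rest of the name set.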
