Analysis Date: 2016-02-09 21:51:47
MD5: 69ca2bec571f1a1515000681283ef079
SHA1: d70dd37cdbfcbc648f228e619deabe572a0f7da6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text:  md5: c814a56e44b6219e7ec4bc154841090a  sha1: a8dd7557772ef7f741b71cf58a9b5f691d155d8f  size: 261120
Section .rdata: md5: 614a754cd10d8257e5b12ead6e700fe8  sha1: ec009b8e74146d5779e16bb29122f9574367be68  size: 43520
Section .data:  md5: 28acce6cfa592fffedd52916f6366ddb  sha1: fd885ce8fbbf9788839871dd0af723b7c6bba0e9  size: 1536
Section .reloc: md5: 9e6627da3830c0476a8b2d196539c85a  sha1: 10c1998fce3df3ba633e61256ddad200195e3abc  size: 51712
Timestamp: 2015-12-23 05:00:45
Packer: Borland Delphi 3.0 (???)
PEhash: 81d5ca0864f8cba8986bdda17458a687bba1c5b7
IMPhash: a1e864ac53df0658702f62f602cc8631
AV CA (E-Trust Ino): Gen:Variant.Razy.11545
AV Rising: No Virus
AV Mcafee: Trojan-FHPD!69CA2BEC571F
AV Avira (antivir): TR/Crypt.Xpack.444700
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.11545
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.AQ
AV Grisoft (avg): Generic37.QFY
AV Symantec: Trojan.Bayrob!gen6
AV Fortinet: W32/Bayrob.AQ!tr
AV BitDefender: Gen:Variant.Razy.11545
AV K7: Trojan ( 004db0c61 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.CW
AV MicroWorld (escan): Gen:Variant.Razy.11545
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.F.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.11545
AV Frisk (f-prot): W32/Nivdort.F.gen!Eldorado
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): BScope.Malware-Cryptor.Msgfake
AV CAT (quickheal): No Virus
AV BullGuard: Gen:Variant.Razy.11545
AV Arcabit (arcavir): Gen:Variant.Razy.11545
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader18.46251
AV F-Secure: Gen:Variant.Razy.11545

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\boysctnqmxlwjz\hhdcsoiqj7ik
Creates File: C:\WINDOWS\boysctnqmxlwjz\hhdcsoiqj7ik
Creates File: C:\boysctnqmxlwjz\xb3wb1kosxjmeafuwl.exe
Deletes File: C:\WINDOWS\boysctnqmxlwjz\hhdcsoiqj7ik
Creates Process: C:\boysctnqmxlwjz\xb3wb1kosxjmeafuwl.exe

Process
↳ C:\boysctnqmxlwjz\xb3wb1kosxjmeafuwl.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Acquisition Group Reports RPC Service ➝ C:\boysctnqmxlwjz\njcrgct.exe
Creates File: C:\boysctnqmxlwjz\njcrgct.exe
Creates File: C:\boysctnqmxlwjz\ccofdortlau
Creates File: C:\boysctnqmxlwjz\hhdcsoiqj7ik
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\boysctnqmxlwjz\hhdcsoiqj7ik
Deletes File: C:\WINDOWS\boysctnqmxlwjz\hhdcsoiqj7ik
Creates Process: C:\boysctnqmxlwjz\njcrgct.exe
Creates Service: Base Spooler Access Installer Coordinator - C:\boysctnqmxlwjz\njcrgct.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1868

Process
↳ Pid 1184

Process
↳ C:\boysctnqmxlwjz\njcrgct.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\boysctnqmxlwjz\ccofdortlau
Creates File: C:\boysctnqmxlwjz\hhdcsoiqj7ik
Creates File: C:\WINDOWS\boysctnqmxlwjz\hhdcsoiqj7ik
Creates File: \Device\Afd\Endpoint
Creates File: C:\boysctnqmxlwjz\axapczcmbr
Creates File: C:\boysctnqmxlwjz\nmthjgsusz.exe
Deletes File: C:\WINDOWS\boysctnqmxlwjz\hhdcsoiqj7ik
Creates Process: jpm2kdzvcsdo "c:\boysctnqmxlwjz\njcrgct.exe"

Process
↳ C:\boysctnqmxlwjz\njcrgct.exe

Creates File: C:\boysctnqmxlwjz\hhdcsoiqj7ik
Creates File: C:\WINDOWS\boysctnqmxlwjz\hhdcsoiqj7ik
Deletes File: C:\WINDOWS\boysctnqmxlwjz\hhdcsoiqj7ik

Process
↳ jpm2kdzvcsdo "c:\boysctnqmxlwjz\njcrgct.exe"

Creates File: C:\boysctnqmxlwjz\hhdcsoiqj7ik
Creates File: C:\WINDOWS\boysctnqmxlwjz\hhdcsoiqj7ik
Deletes File: C:\WINDOWS\boysctnqmxlwjz\hhdcsoiqj7ik

Network Details:

HTTP GET: http://crowdnation.net/index.php
  User-Agent:
HTTP GET: http://crowdcondition.net/index.php
  User-Agent:
HTTP GET: http://smokenation.net/index.php
  User-Agent:
HTTP GET: http://smokecondition.net/index.php
  User-Agent:
HTTP GET: http://partynation.net/index.php
  User-Agent:
HTTP GET: http://freshpower.net/index.php
  User-Agent:
HTTP GET: http://memberfamous.net/index.php
  User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 107.191.99.114:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.28.199:80
Flows TCP: 192.168.1.1:1033 ➝ 195.22.28.199:80
Flows TCP: 192.168.1.1:1034 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1035 ➝ 72.52.4.91:80
Flows TCP: 192.168.1.1:1036 ➝ 195.149.84.101:80
Flows TCP: 192.168.1.1:1037 ➝ 208.100.26.234:80
