| Field | Value |
|---|---|
| Analysis Date | 2015-07-30 21:49:20 |
| MD5 | b7b245b0f3874725c3463edcfc0315fc |
| SHA1 | d738e7280fd210df047468fac79072fc4c99a54e |
Static Details:

| Field | Value |
|---|---|
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
| Timestamp | 2015-05-11 03:56:33 |
| Packer | VC8 -> Microsoft Corporation (this is the Visual C++ 8 compiler signature, not a packer) |
| PEhash | 0962157ce52e57c9d8d21a5a50bbbe29bf3c432a |
| IMPhash | 9e9105031eff2aa84e7be1481fda65f4 |

Sections:

| Section | MD5 | SHA1 | Size (bytes) |
|---|---|---|---|
| .text | 96cd8fcae8b614c14c80b646ae57bf98 | 4ba825d07faed066f91817db376fca626812d992 | 1272832 |
| .rdata | 3086b1f6190a97e8f4bf83e296359790 | b7a814ca7da7502f94ab250a2575fc1127500f36 | 326144 |
| .data | 562368c3427a8a99edae80235de8832e | 6461d1a8d60f05734c54500a839e8ed905f9f540 | 7680 |
| .reloc | 5d6449763bc7c501045a1105d1d4a596 | 42ff9b3f8dc8b0023abe2ee94bb6c318cc75d6cb | 171008 |

AV Detections:

| Engine | Result |
|---|---|
| Rising | 0x58e5a58f |
| Mcafee | Trojan-FGIJ!B7B245B0F387 |
| Avira (antivir) | TR/Crypt.Xpack.266734 |
| Twister | no_virus |
| Ad-Aware | Gen:Variant.Diley.1 |
| Alwil (avast) | Dropper-OJQ [Drp] |
| Eset (nod32) | Win32/Bayrob.Y |
| Grisoft (avg) | Win32/Cryptor |
| Symantec | Downloader.Upatre!g15 |
| Fortinet | W32/Bayrob.X!tr |
| BitDefender | Gen:Variant.Diley.1 |
| K7 | Trojan ( 004c77f41 ) |
| Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.BN |
| MicroWorld (escan) | Gen:Variant.Diley.1 |
| MalwareBytes | no_virus |
| Authentium | W32/SoxGrave.A2.gen!Eldorado |
| Frisk (f-prot) | no_virus |
| Ikarus | Trojan.Win32.Bayrob |
| Emsisoft | Gen:Variant.Diley.1 |
| Zillya! | Error Scanning File |
| Kaspersky | Backdoor.Win32.SoxGrave.aru |
| Trend Micro | no_virus |
| CAT (quickheal) | no_virus |
| VirusBlokAda (vba32) | no_virus |
| Padvish | no_virus |
| BullGuard | Gen:Variant.Diley.1 |
| Arcabit (arcavir) | Gen:Variant.Diley.1 |
| ClamAV | no_virus |
| Dr. Web | Trojan.Bayrob.5 |
| F-Secure | Gen:Variant.Diley.1 |
| CA (E-Trust Ino) | no_virus |
Runtime Details:

Process
↳ C:\malware.exe

| Action | Target |
|---|---|
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\pwlhwwr1m8cs2vgvsosa.exe |
| Creates File | C:\WINDOWS\system32\dtkeexxlfyauk\tst |
| Creates Process | C:\Documents and Settings\Administrator\Local Settings\Temp\pwlhwwr1m8cs2vgvsosa.exe |

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\pwlhwwr1m8cs2vgvsosa.exe

| Action | Target |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Access DHCP Logon System TP Computer Shadow ➝ C:\WINDOWS\system32\lzbrzrnbkk.exe |
| Creates File | C:\WINDOWS\system32\drivers\etc\hosts |
| Creates File | C:\WINDOWS\system32\dtkeexxlfyauk\etc |
| Creates File | C:\WINDOWS\system32\dtkeexxlfyauk\tst |
| Creates File | C:\WINDOWS\system32\dtkeexxlfyauk\lck |
| Creates File | C:\WINDOWS\system32\lzbrzrnbkk.exe |
| Deletes File | C:\WINDOWS\system32\drivers\etc\hosts |
| Creates Process | C:\WINDOWS\system32\lzbrzrnbkk.exe |
| Creates Service | Event WWAN Themes Protocol Hardware ➝ C:\WINDOWS\system32\lzbrzrnbkk.exe |

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 816

Process
↳ Pid 864

Process
↳ C:\WINDOWS\System32\svchost.exe

| Action | Target |
|---|---|
| Creates File | pipe\PCHFaultRepExecPipe |

Process
↳ Pid 1220

Process
↳ C:\WINDOWS\system32\spoolsv.exe

| Action | Target |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\ |
| Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL |
| Creates File | WMIDataDevice |

Process
↳ Pid 1864

Process
↳ Pid 1152

Process
↳ C:\WINDOWS\system32\lzbrzrnbkk.exe

| Action | Target |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1 |
| Creates File | C:\WINDOWS\system32\dtkeexxlfyauk\cfg |
| Creates File | C:\WINDOWS\system32\dtkeexxlfyauk\run |
| Creates File | C:\WINDOWS\system32\fgiumul.exe |
| Creates File | C:\WINDOWS\system32\dtkeexxlfyauk\tst |
| Creates File | C:\WINDOWS\system32\dtkeexxlfyauk\lck |
| Creates File | C:\WINDOWS\TEMP\pwlhwwr1twes2.exe |
| Creates File | pipe\net\NtControlPipe10 |
| Creates File | C:\WINDOWS\system32\dtkeexxlfyauk\rng |
| Creates File | \Device\Afd\Endpoint |
| Creates Process | WATCHDOGPROC "c:\windows\system32\lzbrzrnbkk.exe" |
| Creates Process | C:\WINDOWS\TEMP\pwlhwwr1twes2.exe -r 36873 tcp |

Process
↳ C:\WINDOWS\system32\lzbrzrnbkk.exe

| Action | Target |
|---|---|
| Creates File | C:\WINDOWS\system32\dtkeexxlfyauk\tst |

Process
↳ WATCHDOGPROC "c:\windows\system32\lzbrzrnbkk.exe"

| Action | Target |
|---|---|
| Creates File | C:\WINDOWS\system32\dtkeexxlfyauk\tst |

Process
↳ C:\WINDOWS\TEMP\pwlhwwr1twes2.exe -r 36873 tcp

| Action | Target |
|---|---|
| Creates File | \Device\Afd\Endpoint |
| Winsock DNS | 239.255.255.250 |
Network Details:

DNS:

| Query | Type | Resolved Address |
|---|---|---|
| recordsoldier.net | A | 208.91.197.241 |
| fliersurprise.net | A | 208.91.197.241 |
| historybright.net | A | 208.91.197.241 |
| chiefsoldier.net | A | 208.91.197.241 |
| classsurprise.net | A | 208.91.197.241 |
| thosecontinue.net | A | 208.91.197.241 |
| throughcontain.net | A | 208.91.197.241 |
| belongguard.net | A | 208.91.197.241 |
| maybellinethaddeus.net | A | 208.91.197.241 |
| kimberleyshavonne.net | A | 208.91.197.241 |
| naildeep.com | A | 74.220.215.218 |
| riddenstorm.net | A | 66.147.240.171 |
| destroystorm.net | A | 216.239.138.86 |
| lifefind.net | A | 66.151.181.49 |
| lifewear.net | A | 72.29.73.31 |
| tillfind.net | A | 95.211.230.75 |
| deepfind.net | A | 68.178.232.100 |
| pushwear.net | A | 192.186.216.0 |
| fridaywear.net | A | 216.21.239.197 |
| husbandfound.net | A | |
| leadershort.net | A | |
| eggbraker.com | A | |
| ithouneed.com | A | |
| pushopen.net | A | |
| fridayopen.net | A | |
| alongboat.net | A | |
| decemberboat.net | A | |
| alongpress.net | A | |
| decemberpress.net | A | |
| alongrest.net | A | |
| decemberrest.net | A | |
| alongopen.net | A | |
| decemberopen.net | A | |
| longtold.net | A | |
| soiltold.net | A | |
| longfind.net | A | |
| soilfind.net | A | |
| longwear.net | A | |
| soilwear.net | A | |
| longhurt.net | A | |
| soilhurt.net | A | |
| wheeltold.net | A | |
| saidtold.net | A | |
| wheelfind.net | A | |
| saidfind.net | A | |
| wheelwear.net | A | |
| saidwear.net | A | |
| wheelhurt.net | A | |
| saidhurt.net | A | |
| sticktold.net | A | |
| balltold.net | A | |
| stickfind.net | A | |
| ballfind.net | A | |
| stickwear.net | A | |
| ballwear.net | A | |
| stickhurt.net | A | |
| ballhurt.net | A | |
| enemytold.net | A | |
| lifetold.net | A | |
| enemyfind.net | A | |
| enemywear.net | A | |
| enemyhurt.net | A | |
| lifehurt.net | A | |
| mouthtold.net | A | |
| tilltold.net | A | |
| mouthfind.net | A | |
| mouthwear.net | A | |
| tillwear.net | A | |
| mouthhurt.net | A | |
| tillhurt.net | A | |
| shalltold.net | A | |
| deeptold.net | A | |
| shallfind.net | A | |
| shallwear.net | A | |
| deepwear.net | A | |
| shallhurt.net | A | |
| deephurt.net | A | |
| pushtold.net | A | |
| fridaytold.net | A | |
| pushfind.net | A | |
| fridayfind.net | A | |
| pushhurt.net | A | |
| fridayhurt.net | A | |
| alongtold.net | A | |
| decembertold.net | A | |
| alongfind.net | A | |
| decemberfind.net | A | |
| alongwear.net | A | |
| decemberwear.net | A | |
| alonghurt.net | A | |
| decemberhurt.net | A | |
| longslow.net | A | |
| soilslow.net | A | |
| longfebruary.net | A | |
| soilfebruary.net | A | |
| longhelp.net | A | |
| soilhelp.net | A | |
| longnovember.net | A | |
| soilnovember.net | A | |
| wheelslow.net | A | |
| saidslow.net | A | |
| wheelfebruary.net | A | |

HTTP:

| Method | URL | User-Agent |
|---|---|---|
| GET | http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://lifefind.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://lifewear.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://tillfind.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://deepfind.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://pushwear.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://fridaywear.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://lifefind.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://lifewear.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://tillfind.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://deepfind.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://pushwear.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |
| GET | http://fridaywear.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr | |

TCP Flows:

| Source | Destination |
|---|---|
| 192.168.1.1:1036 | 208.91.197.241:80 |
| 192.168.1.1:1037 | 208.91.197.241:80 |
| 192.168.1.1:1038 | 208.91.197.241:80 |
| 192.168.1.1:1039 | 208.91.197.241:80 |
| 192.168.1.1:1040 | 208.91.197.241:80 |
| 192.168.1.1:1041 | 208.91.197.241:80 |
| 192.168.1.1:1042 | 208.91.197.241:80 |
| 192.168.1.1:1043 | 208.91.197.241:80 |
| 192.168.1.1:1044 | 208.91.197.241:80 |
| 192.168.1.1:1045 | 208.91.197.241:80 |
| 192.168.1.1:1047 | 74.220.215.218:80 |
| 192.168.1.1:1048 | 66.147.240.171:80 |
| 192.168.1.1:1049 | 216.239.138.86:80 |
| 192.168.1.1:1050 | 66.151.181.49:80 |
| 192.168.1.1:1051 | 72.29.73.31:80 |
| 192.168.1.1:1052 | 95.211.230.75:80 |
| 192.168.1.1:1053 | 68.178.232.100:80 |
| 192.168.1.1:1054 | 192.186.216.0:80 |
| 192.168.1.1:1055 | 216.21.239.197:80 |
| 192.168.1.1:1056 | 208.91.197.241:80 |
| 192.168.1.1:1057 | 208.91.197.241:80 |
| 192.168.1.1:1058 | 208.91.197.241:80 |
| 192.168.1.1:1059 | 208.91.197.241:80 |
| 192.168.1.1:1060 | 208.91.197.241:80 |
| 192.168.1.1:1061 | 208.91.197.241:80 |
| 192.168.1.1:1062 | 208.91.197.241:80 |
| 192.168.1.1:1063 | 208.91.197.241:80 |
| 192.168.1.1:1064 | 208.91.197.241:80 |
| 192.168.1.1:1065 | 208.91.197.241:80 |
| 192.168.1.1:1066 | 74.220.215.218:80 |
| 192.168.1.1:1067 | 66.147.240.171:80 |
| 192.168.1.1:1068 | 216.239.138.86:80 |
| 192.168.1.1:1069 | 66.151.181.49:80 |
| 192.168.1.1:1070 | 72.29.73.31:80 |
| 192.168.1.1:1071 | 95.211.230.75:80 |
| 192.168.1.1:1072 | 68.178.232.100:80 |
| 192.168.1.1:1073 | 192.186.216.0:80 |
| 192.168.1.1:1074 | 216.21.239.197:80 |
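The network section above records two patterns worth turning into detections: every HTTP request is a GET to `/index.php` with the fixed query `method=validate&mode=sox&v=050&sox=42d23200&lenhdr` and no User-Agent value, and the DNS queries are `.net` names built from two dictionary words, most of which never resolved in the sandbox. The following is an added example, not part of the sandbox report or the malware analysis: it runs both checks over constructed proxy and DNS log lines. The log line formats, the field order and the word list (assembled from the labels in the DNS table above) are assumptions for the example.

```python
"""Scan proxy and DNS log lines for the check-in traffic recorded in the sandbox report.

Added example, not part of the report. Log formats are assumed (see the parsers).
"""
import re
from typing import Iterable, Optional
from urllib.parse import parse_qsl, urlsplit

SOX_ID = re.compile(r"^[0-9a-f]{8}$")   # sox= value looked like 8 hex digits (42d23200)
VERSION = re.compile(r"^\d{3}$")        # v= value looked like 3 digits (050)


def is_checkin_beacon(url: str) -> Optional[dict]:
    """Return {host, version, sox} if the URL matches the observed check-in, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/index.php"):
        return None
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if params.get("method") != "validate" or params.get("mode") != "sox":
        return None
    if not VERSION.match(params.get("v", "")) or not SOX_ID.match(params.get("sox", "")):
        return None
    return {"host": parts.hostname, "version": params["v"], "sox": params["sox"]}


def scan_proxy_log(lines: Iterable[str]) -> list:
    """Assumed format: '<timestamp> <client-ip> <method> <url> <status> <user-agent>'."""
    hits = []
    for line in lines:
        fields = line.split(maxsplit=5)
        if len(fields) < 5 or fields[2] != "GET":
            continue
        beacon = is_checkin_beacon(fields[3])
        if beacon:
            beacon.update(client=fields[1], user_agent=fields[5] if len(fields) > 5 else "")
            hits.append(beacon)
    return hits


# Words taken from the second-level labels in the report's DNS table (assumption:
# a real deployment would use the full word list recovered from the sample).
WORDS = frozenset("""along ball belong boat bright chief class contain continue
december deep destroy enemy february find flier friday guard help history hurt
life long mouth nail november open press push record rest ridden said shall slow
soil soldier stick storm surprise those through till told wear wheel""".split())


def split_two_words(label: str, words=WORDS) -> Optional[tuple]:
    """Split a label into exactly two known words, e.g. 'soilfind' -> ('soil', 'find')."""
    for i in range(2, len(label) - 1):
        head, tail = label[:i], label[i:]
        if head in words and tail in words:
            return head, tail
    return None


def scan_dns_log(lines: Iterable[str]) -> list:
    """Assumed format: '<timestamp> <client-ip> <qname> <qtype> <rcode>'.

    Flags A queries for <word><word>.net; the rcode is kept because the report
    shows over 80 such queries from one host that returned no address.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5 or fields[3] != "A":
            continue
        qname = fields[2].rstrip(".").lower()
        labels = qname.split(".")
        if len(labels) != 2 or labels[1] != "net":
            continue
        pair = split_two_words(labels[0])
        if pair:
            hits.append({"client": fields[1], "qname": qname, "words": pair, "rcode": fields[4]})
    return hits


def nxdomain_bursts(dns_hits: list, threshold: int = 10) -> dict:
    """Clients with at least `threshold` failed two-word lookups (burst = likely infected host)."""
    counts = {}
    for h in dns_hits:
        if h["rcode"] == "NXDOMAIN":
            counts[h["client"]] = counts.get(h["client"], 0) + 1
    return {c: n for c, n in counts.items() if n >= threshold}


# Constructed sample logs; the first and third proxy lines reuse URLs from the report.
SAMPLE_PROXY = """\
2015-07-30T21:50:01 192.168.1.1 GET http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr 200 -
2015-07-30T21:50:02 192.168.1.1 GET http://www.example.com/index.php?method=validate&id=1 200 Mozilla/5.0
2015-07-30T21:50:03 192.168.1.1 GET http://lifefind.net/index.php?method=validate&mode=sox&v=050&sox=42d23200&lenhdr 200 -
2015-07-30T21:50:04 192.168.1.7 POST http://intranet.example/api 204 Mozilla/5.0
""".splitlines()

SAMPLE_DNS = """\
2015-07-30T21:49:40 192.168.1.1 recordsoldier.net. A NOERROR
2015-07-30T21:49:41 192.168.1.1 longtold.net. A NXDOMAIN
2015-07-30T21:49:41 192.168.1.1 soilfind.net. A NXDOMAIN
2015-07-30T21:49:42 192.168.1.1 lifefind.net. A NOERROR
2015-07-30T21:49:43 192.168.1.1 update.example.com. A NOERROR
2015-07-30T21:49:44 192.168.1.9 github.com. A NOERROR
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY):
        print("beacon:", hit)
    dns_hits = scan_dns_log(SAMPLE_DNS)
    for hit in dns_hits:
        print("two-word domain:", hit)
    print("burst clients:", nxdomain_bursts(dns_hits, threshold=2))
```

The URL check is the higher-confidence signal: the query string is identical across all 38 requests in the report, including the `sox=42d23200` value, so a proxy rule on `method=validate&mode=sox` plus an empty User-Agent should produce few false positives. The two-word domain check is only as good as its word list and will also match legitimate names, so it is best used as a burst indicator per client rather than on single queries.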