Analysis Date: 2015-10-24 03:06:22
MD5: f61ad25b186a737294040786b82dac92
SHA1: d888c58927d353d52327998af642a8d79feccf53

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: cc3d81d7253c3bb2dc1d8e53abe33c54  sha1: 74901df8fcb969b86af8a6f4ca33ed089731263d  size: 197120
Section .rdata  md5: ba16582613f29b61c95e6c013b851680  sha1: ea0dca000bba67998e6dd424435d7cb6d91197ef  size: 52736
Section .data   md5: 5c4bd9f47f3aad67be6787cab4d493e7  sha1: 76c4b23062ee1bf6ff6c04d8d18364bf08dc7a9d  size: 7168
Section .reloc  md5: 3b6ee3a303ec7dcd089b6cebf64a63f0  sha1: 68ca3618ee80985286696a1a3614bed6cf46a0f7  size: 14336
Timestamp: 2015-04-29 18:41:00
Packer: Microsoft Visual C++ 8 (a compiler signature match, not a packer; the standard .text/.rdata/.data/.reloc layout above is consistent with an unpacked MSVC build)
PEhash: e7f4ac3c2d6b130164d485d0b25e11a26678e358
IMPhash: 4fd801905cbbc452ccf6805363a4c681
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.604861
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: Win.Trojan.Kazy-1602
AV Arcabit (arcavir): Gen:Variant.Kazy.604861
AV BullGuard: Gen:Variant.Kazy.604861
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.604861
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.R.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AL
AV K7: Trojan ( 004c12491 )
AV BitDefender: Gen:Variant.Kazy.604861
AV Fortinet: W32/Generic.AC.215362
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Q
AV Alwil (avast): VB-AJEW [Trj]
AV Ad-Aware: Gen:Variant.Kazy.604861
AV Twister: Trojan.0000E9000000006A1.mg
AV Avira (antivir): TR/Kryptik.qgmpd
AV Mcafee: Trojan-FGIJ!F61AD25B186A
AV Rising: Trojan.Win32.Bayrod.a

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\edzegytoakri\mdv1kn2nmeqqqjbjj.exe
Creates File: C:\edzegytoakri\xmvdbyuv2uom
Creates File: C:\WINDOWS\edzegytoakri\xmvdbyuv2uom
Deletes File: C:\WINDOWS\edzegytoakri\xmvdbyuv2uom
Creates Process: C:\edzegytoakri\mdv1kn2nmeqqqjbjj.exe

Process
↳ C:\edzegytoakri\mdv1kn2nmeqqqjbjj.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Configuration Mapper Event Routing ➝ C:\edzegytoakri\ohcqchfsjqbo.exe
Creates File: C:\edzegytoakri\ohcqchfsjqbo.exe
Creates File: C:\edzegytoakri\c815f0mdat
Creates File: PIPE\lsarpc
Creates File: C:\edzegytoakri\xmvdbyuv2uom
Creates File: C:\WINDOWS\edzegytoakri\xmvdbyuv2uom
Deletes File: C:\WINDOWS\edzegytoakri\xmvdbyuv2uom
Creates Process: C:\edzegytoakri\ohcqchfsjqbo.exe
Creates Service: Redirector Publication Alerts - C:\edzegytoakri\ohcqchfsjqbo.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1116

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1860

Process
↳ Pid 1148

Process
↳ C:\edzegytoakri\ohcqchfsjqbo.exe

Creates File: C:\edzegytoakri\ocdutiqptyr
Creates File: pipe\net\NtControlPipe10
Creates File: C:\edzegytoakri\c815f0mdat
Creates File: \Device\Afd\Endpoint
Creates File: C:\edzegytoakri\xmvdbyuv2uom
Creates File: C:\edzegytoakri\kmtckymvmbl.exe
Creates File: C:\WINDOWS\edzegytoakri\xmvdbyuv2uom
Deletes File: C:\WINDOWS\edzegytoakri\xmvdbyuv2uom
Creates Process: qbpekdzdubux "c:\edzegytoakri\ohcqchfsjqbo.exe"

Process
↳ C:\edzegytoakri\ohcqchfsjqbo.exe

Creates File: C:\edzegytoakri\xmvdbyuv2uom
Creates File: C:\WINDOWS\edzegytoakri\xmvdbyuv2uom
Deletes File: C:\WINDOWS\edzegytoakri\xmvdbyuv2uom

Process
↳ qbpekdzdubux "c:\edzegytoakri\ohcqchfsjqbo.exe"

Creates File: C:\edzegytoakri\xmvdbyuv2uom
Creates File: C:\WINDOWS\edzegytoakri\xmvdbyuv2uom
Deletes File: C:\WINDOWS\edzegytoakri\xmvdbyuv2uom
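The Runtime Details above record two persistence mechanisms pointing at the same dropped binary: a Run value named "Configuration Mapper Event Routing" and a service named "Redirector Publication Alerts", both referencing C:\edzegytoakri\ohcqchfsjqbo.exe, which the second-stage process itself wrote to disk. The Python below is an added example, not part of this report or of any sandbox vendor's tooling. It parses a behaviour log in an assumed "label: value" layout (the log text is constructed from the Runtime Details, with the report's arrow written as "->") and cross-references persistence targets against the executables the sample created, which is the cross-check that turns a sandbox listing into hunt-ready indicators.

```python
"""Pull persistence and process-chain indicators out of a sandbox behaviour log.

Added example, not part of the report or of any sandbox vendor's tooling. The
log below is constructed from the report's Runtime Details in an assumed
'label: value' layout (the report's own arrow is written as '->').
"""
import re

BEHAVIOUR_LOG = r"""
Process: C:\malware.exe
Creates File: C:\edzegytoakri\mdv1kn2nmeqqqjbjj.exe
Creates File: C:\edzegytoakri\xmvdbyuv2uom
Creates File: C:\WINDOWS\edzegytoakri\xmvdbyuv2uom
Deletes File: C:\WINDOWS\edzegytoakri\xmvdbyuv2uom
Creates Process: C:\edzegytoakri\mdv1kn2nmeqqqjbjj.exe
Process: C:\edzegytoakri\mdv1kn2nmeqqqjbjj.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Configuration Mapper Event Routing -> C:\edzegytoakri\ohcqchfsjqbo.exe
Creates File: C:\edzegytoakri\ohcqchfsjqbo.exe
Creates File: C:\edzegytoakri\c815f0mdat
Creates File: PIPE\lsarpc
Creates Process: C:\edzegytoakri\ohcqchfsjqbo.exe
Creates Service: Redirector Publication Alerts - C:\edzegytoakri\ohcqchfsjqbo.exe
Process: C:\edzegytoakri\ohcqchfsjqbo.exe
Creates File: C:\edzegytoakri\ocdutiqptyr
Creates File: C:\edzegytoakri\kmtckymvmbl.exe
Creates Process: qbpekdzdubux "c:\edzegytoakri\ohcqchfsjqbo.exe"
"""

# 'label: value'; the label is the shortest run of letters/spaces before a colon,
# so drive letters inside the value ('C:\...') are not mistaken for the separator.
LINE_RE = re.compile(r"^([A-Za-z ]+?):\s*(.+)$")


def parse_log(text):
    """Return (process, label, value) triples in log order."""
    events, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        label, value = m.group(1), m.group(2).strip()
        if label == "Process":
            current = value          # subsequent lines belong to this process
        else:
            events.append((current, label, value))
    return events


def persistence_iocs(events):
    """Cross-reference persistence writes against the executables the sample dropped."""
    dropped = {v for _, l, v in events
               if l == "Creates File" and v.lower().endswith(".exe")}
    run_values, services, chain = [], [], []
    for proc, label, value in events:
        if label == "Registry" and "\\currentversion\\run\\" in value.lower():
            key, _, target = value.partition(" -> ")
            run_values.append((key.rsplit("\\", 1)[-1], target))   # value name, binary
        elif label == "Creates Service":
            name, _, binary = value.partition(" - ")
            services.append((name, binary))
        elif label == "Creates Process":
            chain.append((proc, value))                           # parent, child cmdline
    persisted = {t for _, t in run_values} | {b for _, b in services}
    dropped_lower = {d.lower() for d in dropped}
    return {
        "run_values": run_values,
        "services": services,
        "dropped_executables": sorted(dropped),
        "process_chain": chain,
        # A freshly written binary that is also given autostart is the indicator
        # to hunt for on other hosts: its path, the Run value name, the service name.
        "self_dropped_persisted": sorted(p for p in persisted
                                         if p.lower() in dropped_lower),
    }


if __name__ == "__main__":
    iocs = persistence_iocs(parse_log(BEHAVIOUR_LOG))
    for key, val in iocs.items():
        print(f"{key}: {val}")
```

The directory name, the Run value name and the service display name are all random-looking but fixed for this sample, so any of the three is a usable host-based indicator; the process chain (malware.exe ➝ mdv1kn2nmeqqqjbjj.exe ➝ ohcqchfsjqbo.exe ➝ ohcqchfsjqbo.exe relaunched with a random first token) is what an EDR parent/child rule would key on.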

Network Details:

DNS effortcountry.net (A) ➝ 195.22.26.252
DNS effortcountry.net (A) ➝ 195.22.26.253
DNS effortcountry.net (A) ➝ 195.22.26.254
DNS effortcountry.net (A) ➝ 195.22.26.231
DNS increasefamous.net (A) ➝ 209.99.40.222
DNS forgetcountry.net (A) ➝ 209.99.40.223
DNS remembercentury.net (A) ➝ 208.100.26.234
DNS littleletter.net (A) ➝ 50.63.202.71
DNS melbourneit.hotkeysparking.com (A) ➝ 8.5.1.16
DNS melbourneit.hotkeysparking.com (A) ➝ 8.5.1.16
DNS withinfamous.net (A) ➝ no address returned
DNS sufferfamous.net (A) ➝ no address returned
DNS withinpower.net (A) ➝ no address returned
DNS sufferpower.net (A) ➝ no address returned
DNS withincountry.net (A) ➝ no address returned
DNS suffercountry.net (A) ➝ no address returned
DNS effortcentury.net (A) ➝ no address returned
DNS throughcentury.net (A) ➝ no address returned
DNS effortfamous.net (A) ➝ no address returned
DNS throughfamous.net (A) ➝ no address returned
DNS effortpower.net (A) ➝ no address returned
DNS throughpower.net (A) ➝ no address returned
DNS throughcountry.net (A) ➝ no address returned
DNS forgetcentury.net (A) ➝ no address returned
DNS increasecentury.net (A) ➝ no address returned
DNS forgetfamous.net (A) ➝ no address returned
DNS forgetpower.net (A) ➝ no address returned
DNS increasepower.net (A) ➝ no address returned
DNS increasecountry.net (A) ➝ no address returned
DNS wouldcentury.net (A) ➝ no address returned
DNS wouldfamous.net (A) ➝ no address returned
DNS rememberfamous.net (A) ➝ no address returned
DNS wouldpower.net (A) ➝ no address returned
DNS rememberpower.net (A) ➝ no address returned
DNS wouldcountry.net (A) ➝ no address returned
DNS remembercountry.net (A) ➝ no address returned
DNS journeysurprise.net (A) ➝ no address returned
DNS husbandsurprise.net (A) ➝ no address returned
DNS journeybeside.net (A) ➝ no address returned
DNS husbandbeside.net (A) ➝ no address returned
DNS journeyletter.net (A) ➝ no address returned
DNS husbandletter.net (A) ➝ no address returned
DNS journeydifferent.net (A) ➝ no address returned
DNS husbanddifferent.net (A) ➝ no address returned
DNS destroysurprise.net (A) ➝ no address returned
DNS littlesurprise.net (A) ➝ no address returned
DNS destroybeside.net (A) ➝ no address returned
DNS littlebeside.net (A) ➝ no address returned
DNS destroyletter.net (A) ➝ no address returned
DNS destroydifferent.net (A) ➝ no address returned
DNS littledifferent.net (A) ➝ no address returned
DNS riddensurprise.net (A) ➝ no address returned
DNS belongsurprise.net (A) ➝ no address returned
DNS riddenbeside.net (A) ➝ no address returned
DNS belongbeside.net (A) ➝ no address returned
DNS riddenletter.net (A) ➝ no address returned
DNS belongletter.net (A) ➝ no address returned
DNS riddendifferent.net (A) ➝ no address returned
DNS belongdifferent.net (A) ➝ no address returned
DNS chairsurprise.net (A) ➝ no address returned
DNS thosesurprise.net (A) ➝ no address returned
DNS chairbeside.net (A) ➝ no address returned
DNS thosebeside.net (A) ➝ no address returned
DNS chairletter.net (A) ➝ no address returned
DNS thoseletter.net (A) ➝ no address returned
DNS chairdifferent.net (A) ➝ no address returned
DNS thosedifferent.net (A) ➝ no address returned
DNS withinsurprise.net (A) ➝ no address returned
DNS suffersurprise.net (A) ➝ no address returned
DNS withinbeside.net (A) ➝ no address returned
DNS sufferbeside.net (A) ➝ no address returned
DNS withinletter.net (A) ➝ no address returned
DNS sufferletter.net (A) ➝ no address returned
DNS withindifferent.net (A) ➝ no address returned
DNS sufferdifferent.net (A) ➝ no address returned
DNS effortsurprise.net (A) ➝ no address returned
DNS throughsurprise.net (A) ➝ no address returned
DNS effortbeside.net (A) ➝ no address returned
DNS throughbeside.net (A) ➝ no address returned
DNS effortletter.net (A) ➝ no address returned
DNS throughletter.net (A) ➝ no address returned
DNS effortdifferent.net (A) ➝ no address returned
DNS throughdifferent.net (A) ➝ no address returned
DNS forgetsurprise.net (A) ➝ no address returned
DNS increasesurprise.net (A) ➝ no address returned
DNS forgetbeside.net (A) ➝ no address returned
DNS increasebeside.net (A) ➝ no address returned
DNS forgetletter.net (A) ➝ no address returned
DNS increaseletter.net (A) ➝ no address returned
DNS forgetdifferent.net (A) ➝ no address returned
HTTP GET http://effortcountry.net/index.php
User-Agent: (no User-Agent header sent; see Raw Pcap)
HTTP GET http://increasefamous.net/index.php
User-Agent: (no User-Agent header sent)
HTTP GET http://forgetcountry.net/index.php
User-Agent: (no User-Agent header sent)
HTTP GET http://remembercentury.net/index.php
User-Agent: (no User-Agent header sent)
HTTP GET http://littleletter.net/index.php
User-Agent: (no User-Agent header sent)
HTTP GET http://littledifferent.net/index.php
User-Agent: (no User-Agent header sent)
HTTP GET http://forgetsurprise.net/index.php
User-Agent: (no User-Agent header sent)
Flows TCP 192.168.1.1:1031 ➝ 195.22.26.252:80
Flows TCP 192.168.1.1:1032 ➝ 209.99.40.222:80
Flows TCP 192.168.1.1:1033 ➝ 209.99.40.223:80
Flows TCP 192.168.1.1:1034 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1035 ➝ 50.63.202.71:80
Flows TCP 192.168.1.1:1036 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1037 ➝ 8.5.1.16:80
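Two things stand out in the DNS and flow records above. First, of the 86 distinct names queried only six returned an address, and every .net label is two English words run together (effort+country, journey+surprise, ...), a structure consistent with dictionary-based domain generation and with the Nivdort/Bayrob labels several engines assign. Second, the last two GETs (littledifferent.net, forgetsurprise.net) went to 8.5.1.16, the address returned for melbourneit.hotkeysparking.com, so those two names appear to be parked rather than live infrastructure. The Python below is an added example, not part of the report: it runs that triage over a representative subset of the page's DNS records (constructed here as a list) using a vocabulary derived from the page's own labels, which is an assumption of the example and not a published wordlist for this family.

```python
"""Triage a sandbox DNS log for dictionary-style domain generation.

Added example, not part of the report. Queries and answers are a subset
copied from the report's Network Details; the vocabulary is derived from
the two-word labels on the page and is an assumption of this example, not
a published wordlist for this family.
"""

# (queried name, A record or None): representative subset of the report's
# DNS section, constructed for this example.
DNS_LOG = [
    ("effortcountry.net", "195.22.26.252"),
    ("effortcountry.net", "195.22.26.253"),
    ("increasefamous.net", "209.99.40.222"),
    ("forgetcountry.net", "209.99.40.223"),
    ("remembercentury.net", "208.100.26.234"),
    ("littleletter.net", "50.63.202.71"),
    ("melbourneit.hotkeysparking.com", "8.5.1.16"),
    ("withinfamous.net", None),
    ("sufferfamous.net", None),
    ("withinpower.net", None),
    ("throughcentury.net", None),
    ("journeysurprise.net", None),
    ("husbandbeside.net", None),
    ("destroyletter.net", None),
    ("riddendifferent.net", None),
    ("chairsurprise.net", None),
    ("thosedifferent.net", None),
    ("forgetsurprise.net", None),
]

# Words observed as first and second halves of the .net labels on the page
# (assumed vocabulary for this example).
VOCAB = {
    "effort", "increase", "forget", "remember", "little", "within", "suffer",
    "through", "would", "journey", "husband", "destroy", "ridden", "belong",
    "chair", "those",
    "country", "famous", "century", "letter", "power", "surprise", "beside",
    "different",
}


def split_words(label, vocab):
    """Return (first, second) if label is exactly two vocabulary words, else None."""
    for i in range(1, len(label)):
        head, tail = label[:i], label[i:]
        if head in vocab and tail in vocab:
            return head, tail
    return None


def triage(log, vocab):
    """Summarise resolution success and dictionary structure of the queried names."""
    answers = {}
    for name, addr in log:
        answers.setdefault(name, set())
        if addr:
            answers[name].add(addr)
    resolved = {n for n, a in answers.items() if a}
    dictionary, other = {}, set()
    for name in answers:
        label, _, rest = name.partition(".")
        pair = split_words(label, vocab)
        if pair and rest == "net":
            dictionary[name] = pair
        else:
            other.add(name)
    return {
        "unique_names": len(answers),
        "resolved": sorted(resolved),
        # A high share of unanswered lookups to freshly generated names is the
        # classic DGA signal; parked or sinkholed names pull the ratio down.
        "unresolved_ratio": round(1 - len(resolved) / len(answers), 2),
        "dictionary_domains": dictionary,
        "other_domains": sorted(other),
        "first_words": sorted({a for a, _ in dictionary.values()}),
        "second_words": sorted({b for _, b in dictionary.values()}),
    }


if __name__ == "__main__":
    s = triage(DNS_LOG, VOCAB)
    print(f"{s['unique_names']} names, {len(s['resolved'])} resolved, "
          f"{len(s['dictionary_domains'])} two-word .net labels")
    print("non-dictionary:", s["other_domains"])
```

On the full list from the report the same function yields a far higher unresolved ratio than on this subset; either way, the useful network-side indicators are the resolved pairs (name plus address) and the request shape, since the unresolved names rotate.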

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   66666f72 74636f75 6e747279 2e6e6574   ffortcountry.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2069   : close..Host: i
0x00000040 (00064)   6e637265 61736566 616d6f75 732e6e65   ncreasefamous.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   6f726765 74636f75 6e747279 2e6e6574   orgetcountry.net
0x00000050 (00080)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   656d656d 62657263 656e7475 72792e6e   emembercentury.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   6974746c 656c6574 7465722e 6e65740d   ittleletter.net.
0x00000050 (00080)   0a0d0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   6974746c 65646966 66657265 6e742e6e   ittledifferent.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   6f726765 74737572 70726973 652e6e65   orgetsurprise.ne
0x00000050 (00080)   740d0a0d 0a0a                         t.....
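Every request in the Raw Pcap section is the same 84-byte check-in, differing only in the Host header: GET /index.php over HTTP/1.0 with Accept, Connection: close and Host in that order and no User-Agent at all, which is why the sandbox's User-Agent field above is blank. Two of the captures (forgetcountry.net, littleletter.net, forgetsurprise.net) carry stray bytes after the header terminator. The Python below is an added example, not part of the report: it decodes two of the dumps above (copied verbatim, with the report's column layout assumed) back into bytes and extracts the request properties a network signature for this check-in would key on.

```python
"""Decode the report's raw-pcap hex dumps and parse the HTTP check-in.

Added example, not part of the report. The two dumps are copied from the Raw
Pcap section (hex offset, decimal offset, hex words, ASCII gutter); the
parsing code and the trait names are this example's own.
"""
import re

DUMP_EFFORTCOUNTRY = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   66666f72 74636f75 6e747279 2e6e6574   ffortcountry.net
0x00000050 (00080)   0d0a0d0a                              ....
"""

# This capture carries one stray 0x0a after the header terminator.
DUMP_FORGETCOUNTRY = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   6f726765 74636f75 6e747279 2e6e6574   orgetcountry.net
0x00000050 (00080)   0d0a0d0a 0a                           .....
"""

# One dump line: hex offset, decimal offset, then hex words separated by a
# single space. The ASCII gutter is set off by two or more spaces (assumed
# from the report's layout), so the run of words stops at the first gap.
HEX_LINE = re.compile(
    r"^0x([0-9a-fA-F]{8}) \((\d+)\)\s+((?:[0-9a-fA-F]{2,8}(?: |$))+)"
)


def decode_dump(text):
    """Rebuild the byte stream, checking that the offsets are contiguous."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        if int(m.group(2)) != len(out):
            raise ValueError(f"dump not contiguous at offset {m.group(2)}")
        out += bytes.fromhex(m.group(3).replace(" ", ""))
    return bytes(out)


def parse_request(raw):
    """Split an HTTP/1.x request into (method, path, version, headers, trailing)."""
    head, sep, trailing = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    lines = head.decode("ascii").split("\r\n")
    method, path, version = lines[0].split(" ")
    headers = {}  # insertion-ordered: header order is part of the fingerprint
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers, trailing


def beacon_traits(raw):
    """Request properties a network signature for this check-in can key on."""
    method, path, version, headers, trailing = parse_request(raw)
    return {
        "method": method,
        "path": path,
        "version": version,
        "host": headers.get("host"),
        "no_user_agent": "user-agent" not in headers,
        "header_order": list(headers),
        "extra_bytes_after_headers": len(trailing),
    }


if __name__ == "__main__":
    for dump in (DUMP_EFFORTCOUNTRY, DUMP_FORGETCOUNTRY):
        print(beacon_traits(decode_dump(dump)))
```

A proxy or IDS rule built from these traits (HTTP/1.0, path /index.php, exactly the three headers Accept, Connection, Host in that order, no User-Agent) would match all seven requests in the report regardless of which generated name the sample happened to reach, which is what makes it more durable than the domain list.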


Strings