Analysis Date: 2015-08-22 08:48:07
MD5: 3924a935d53c694299f1a1906734c6f4
SHA1: de5472447c605e2634b76fb80be260d75344f561

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 93231a2cf5f1d280834535012a3843d0 sha1: 5fc7c0ba9700f6b4f0376c56d59f778e8688ba1f size: 1403904
Section .rdata md5: d02ec7f529786ae0f9160c9fc842bd8a sha1: c7c162ab001b76bb3634e2b0897d158e884907df size: 329728
Section .data md5: 1f12974af3d1b265612fe48a4b76a467 sha1: dd534f50d1ebc599833f2b74439717bb3e2b5f25 size: 7680
Section .reloc md5: 1dd12e4ffdd88a7e87e4f736af8c543b sha1: 46656ca2e59ee6844dffa5947b06730f6b75c0a3 size: 198144
Timestamp: 2015-05-11 04:36:32
Packer: VC8 -> Microsoft Corporation
PEhash: d77f1032f614ee2c23bae169459d891114b1ec6a
IMPhash: 766132c6f507900e3d9ddb9ac7a3eda6
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: Trojan-FGIJ!3924A935D53C
AV Avira (antivir): TR/Crypt.Xpack.258697
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Diley.1
AV Alwil (avast): Dropper-OJQ [Drp]
AV Eset (nod32): Win32/Bayrob.Z
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Bayrob.X!tr
AV BitDefender: Gen:Variant.Diley.1
AV K7: Trojan ( 004c77f41 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BN
AV MicroWorld (escan): Gen:Variant.Diley.1
AV MalwareBytes: no_virus
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Diley.1
AV Zillya!: Trojan.Bayrob.Win32.1385
AV Kaspersky: Backdoor.Win32.SoxGrave.bse
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Diley.1
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.5
AV F-Secure: Gen:Variant.Diley.1

Runtime Details:

Process
↳ C:\malware.exe

Creates File C:\WINDOWS\system32\nrzjfhjklxbmc\tst
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\oflpgcri1lu1mu46zmxjmpo.exe
Creates Process C:\Documents and Settings\Administrator\Local Settings\Temp\oflpgcri1lu1mu46zmxjmpo.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\oflpgcri1lu1mu46zmxjmpo.exe

Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Discovery Provider Services WinHTTP ➝
C:\WINDOWS\system32\cczrijtj.exe
Creates File C:\WINDOWS\system32\nrzjfhjklxbmc\lck
Creates File C:\WINDOWS\system32\drivers\etc\hosts
Creates File C:\WINDOWS\system32\nrzjfhjklxbmc\tst
Creates File C:\WINDOWS\system32\cczrijtj.exe
Creates File C:\WINDOWS\system32\nrzjfhjklxbmc\etc
Deletes File C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process C:\WINDOWS\system32\cczrijtj.exe
Creates Service Accounts Superfetch Tracking DHCP - C:\WINDOWS\system32\cczrijtj.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝
NULL
Creates File WMIDataDevice

Process
↳ Pid 1856

Process
↳ Pid 1144

Process
↳ C:\WINDOWS\system32\cczrijtj.exe

Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝
1
Creates File C:\WINDOWS\system32\nrzjfhjklxbmc\lck
Creates File C:\WINDOWS\system32\nrzjfhjklxbmc\tst
Creates File C:\WINDOWS\system32\nrzjfhjklxbmc\cfg
Creates File C:\WINDOWS\system32\nrzjfhjklxbmc\rng
Creates File C:\WINDOWS\system32\qujcyomo.exe
Creates File pipe\net\NtControlPipe10
Creates File C:\WINDOWS\system32\nrzjfhjklxbmc\run
Creates File C:\WINDOWS\TEMP\oflpgcri1ti2mu46z.exe
Creates File \Device\Afd\Endpoint
Creates Process C:\WINDOWS\TEMP\oflpgcri1ti2mu46z.exe -r 38651 tcp
Creates Process WATCHDOGPROC "c:\windows\system32\cczrijtj.exe"

Process
↳ C:\WINDOWS\system32\cczrijtj.exe

Creates File C:\WINDOWS\system32\nrzjfhjklxbmc\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\cczrijtj.exe"

Creates File C:\WINDOWS\system32\nrzjfhjklxbmc\tst

Process
↳ C:\WINDOWS\TEMP\oflpgcri1ti2mu46z.exe -r 38651 tcp

Creates File \Device\Afd\Endpoint
Winsock DNS 239.255.255.250

Network Details:

DNS recordsoldier.net
Type: A
208.91.197.241
DNS fliersurprise.net
Type: A
208.91.197.241
DNS historybright.net
Type: A
208.91.197.241
DNS chiefsoldier.net
Type: A
208.91.197.241
DNS classsurprise.net
Type: A
208.91.197.241
DNS thosecontinue.net
Type: A
208.91.197.241
DNS throughcontain.net
Type: A
208.91.197.241
DNS belongguard.net
Type: A
208.91.197.241
DNS maybellinethaddeus.net
Type: A
208.91.197.241
DNS kimberleyshavonne.net
Type: A
208.91.197.241
DNS naildeep.com
Type: A
74.220.215.218
DNS riddenstorm.net
Type: A
66.147.240.171
DNS destroystorm.net
Type: A
216.239.138.86
DNS pushpull.net
Type: A
207.148.248.143
DNS longcross.net
Type: A
88.208.252.175
DNS lifecross.net
Type: A
50.63.87.9
DNS deepthrew.net
Type: A
195.22.26.252
DNS deepthrew.net
Type: A
195.22.26.231
DNS deepthrew.net
Type: A
195.22.26.254
DNS deepthrew.net
Type: A
195.22.26.253
DNS shallcross.net
Type: A
91.222.8.96
DNS deepshade.net
Type: A
50.63.202.53
DNS alongthrew.net
Type: A
95.211.230.75
DNS husbandfound.net
Type: A
DNS leadershort.net
Type: A
DNS eggbraker.com
Type: A
DNS ithouneed.com
Type: A
DNS deeppull.net
Type: A
DNS pushfruit.net
Type: A
DNS fridayfruit.net
Type: A
DNS pushrise.net
Type: A
DNS fridayrise.net
Type: A
DNS pushnoise.net
Type: A
DNS fridaynoise.net
Type: A
DNS fridaypull.net
Type: A
DNS alongfruit.net
Type: A
DNS decemberfruit.net
Type: A
DNS alongrise.net
Type: A
DNS decemberrise.net
Type: A
DNS alongnoise.net
Type: A
DNS decembernoise.net
Type: A
DNS alongpull.net
Type: A
DNS decemberpull.net
Type: A
DNS longthrew.net
Type: A
DNS soilthrew.net
Type: A
DNS soilcross.net
Type: A
DNS longshade.net
Type: A
DNS soilshade.net
Type: A
DNS longfloor.net
Type: A
DNS soilfloor.net
Type: A
DNS wheelthrew.net
Type: A
DNS saidthrew.net
Type: A
DNS wheelcross.net
Type: A
DNS saidcross.net
Type: A
DNS wheelshade.net
Type: A
DNS saidshade.net
Type: A
DNS wheelfloor.net
Type: A
DNS saidfloor.net
Type: A
DNS stickthrew.net
Type: A
DNS ballthrew.net
Type: A
DNS stickcross.net
Type: A
DNS ballcross.net
Type: A
DNS stickshade.net
Type: A
DNS ballshade.net
Type: A
DNS stickfloor.net
Type: A
DNS ballfloor.net
Type: A
DNS enemythrew.net
Type: A
DNS lifethrew.net
Type: A
DNS enemycross.net
Type: A
DNS enemyshade.net
Type: A
DNS lifeshade.net
Type: A
DNS enemyfloor.net
Type: A
DNS lifefloor.net
Type: A
DNS mouththrew.net
Type: A
DNS tillthrew.net
Type: A
DNS mouthcross.net
Type: A
DNS tillcross.net
Type: A
DNS mouthshade.net
Type: A
DNS tillshade.net
Type: A
DNS mouthfloor.net
Type: A
DNS tillfloor.net
Type: A
DNS shallthrew.net
Type: A
DNS deepcross.net
Type: A
DNS shallshade.net
Type: A
DNS shallfloor.net
Type: A
DNS deepfloor.net
Type: A
DNS pushthrew.net
Type: A
DNS fridaythrew.net
Type: A
DNS pushcross.net
Type: A
DNS fridaycross.net
Type: A
DNS pushshade.net
Type: A
DNS fridayshade.net
Type: A
DNS pushfloor.net
Type: A
DNS fridayfloor.net
Type: A
DNS decemberthrew.net
Type: A
DNS alongcross.net
Type: A
DNS decembercross.net
Type: A
DNS alongshade.net
Type: A
DNS decembershade.net
Type: A
DNS alongfloor.net
Type: A
DNS decemberfloor.net
Type: A
DNS longusual.net
Type: A
DNS soilusual.net
Type: A
DNS longcould.net
Type: A
DNS soilcould.net
Type: A
HTTP GET http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://pushpull.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://longcross.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://lifecross.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://deepthrew.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://shallcross.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://deepshade.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://alongthrew.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://pushpull.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://longcross.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://lifecross.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://deepthrew.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://shallcross.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://deepshade.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
HTTP GET http://alongthrew.net/index.php?method=validate&mode=sox&v=050&sox=50434c00&lenhdr
User-Agent:
Flows TCP 192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1043 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1045 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1046 ➝ 74.220.215.218:80
Flows TCP 192.168.1.1:1047 ➝ 66.147.240.171:80
Flows TCP 192.168.1.1:1048 ➝ 216.239.138.86:80
Flows TCP 192.168.1.1:1049 ➝ 207.148.248.143:80
Flows TCP 192.168.1.1:1051 ➝ 88.208.252.175:80
Flows TCP 192.168.1.1:1052 ➝ 50.63.87.9:80
Flows TCP 192.168.1.1:1053 ➝ 195.22.26.252:80
Flows TCP 192.168.1.1:1054 ➝ 91.222.8.96:80
Flows TCP 192.168.1.1:1055 ➝ 50.63.202.53:80
Flows TCP 192.168.1.1:1056 ➝ 95.211.230.75:80
Flows TCP 192.168.1.1:1057 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1058 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1059 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1060 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1061 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1062 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1063 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1064 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1065 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1066 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1067 ➝ 74.220.215.218:80
Flows TCP 192.168.1.1:1068 ➝ 66.147.240.171:80
Flows TCP 192.168.1.1:1069 ➝ 216.239.138.86:80
Flows TCP 192.168.1.1:1070 ➝ 207.148.248.143:80
Flows TCP 192.168.1.1:1071 ➝ 88.208.252.175:80
Flows TCP 192.168.1.1:1072 ➝ 50.63.87.9:80
Flows TCP 192.168.1.1:1073 ➝ 195.22.26.252:80
Flows TCP 192.168.1.1:1074 ➝ 91.222.8.96:80
Flows TCP 192.168.1.1:1075 ➝ 50.63.202.53:80
Flows TCP 192.168.1.1:1076 ➝ 95.211.230.75:80
