Analysis Date: 2015-12-04 14:31:40
MD5: 27ceb5596ba6564976df6a6c5a5dc780
SHA1: de77a41602c2d255d849a3ec52aa45fea72bd164

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 16d6a9cbdf4afe37f13defa9b8bacc62, sha1 de83290bb840f2c149329e3c9d82a18fd1b980bb, size 1103872
Section .rdata: md5 253b5ca8236d9b4b54c202766d05d533, sha1 5a334447d44be01558e29096a24ce3c10d7e9138, size 336384
Section .data: md5 b2e064844beb770037f76c27befd7053, sha1 646cee480bc7fd172a754c276e03c074fb4718eb, size 10752
Section .reloc: md5 4b5d92d241ff933271a593a3a3a8c878, sha1 778cedb18df870ecffb96c521cccc3f1eca6e3dd, size 72192
Timestamp: 2015-04-30 21:18:44
Packer: Microsoft Visual C++ 8
PEhash: ef4e8e8226ed1cf270cf51177f3df13eee350669
IMPhash: 75f92f42f7f8ade4fbc88270be9704c2
AV Kaspersky: Trojan.Win32.Generic
AV MicroWorld (escan): Gen:Variant.Kazy.606112
AV Grisoft (avg): Win32/Cryptor
AV Mcafee: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.606112
AV Ikarus: Trojan.Win32.Bayrob
AV K7: Trojan ( 004c77f41 )
AV MalwareBytes: no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.CH
AV Fortinet: W32/Kryptic.WU!tr
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV Ad-Aware: Gen:Variant.Kazy.606112
AV Emsisoft: Gen:Variant.Kazy.606112
AV Avira (antivir): TR/Boryab.aiez
AV Eset (nod32): Win32/Bayrob.R
AV Arcabit (arcavir): Gen:Variant.Kazy.606112
AV BitDefender: Gen:Variant.Kazy.606112
AV Arcabit (arcavir): Error Scanning File
AV BullGuard: Gen:Variant.Kazy.606112
AV Alwil (avast): Dropper-OJG [Drp]
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV CA (E-Trust Ino): no_virus
AV Padvish: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\ivbydyumokktjui\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\hcjbfh1l97zpcrdsz2ajsmn.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\hcjbfh1l97zpcrdsz2ajsmn.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\hcjbfh1l97zpcrdsz2ajsmn.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\RPC Link-Layer Font DNS Service Server ➝ C:\WINDOWS\system32\kctzubmojgwc.exe
Creates File: C:\WINDOWS\system32\ivbydyumokktjui\tst
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\ivbydyumokktjui\lck
Creates File: C:\WINDOWS\system32\ivbydyumokktjui\etc
Creates File: C:\WINDOWS\system32\kctzubmojgwc.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\kctzubmojgwc.exe
Creates Service: Name Performance DHCP Panel - C:\WINDOWS\system32\kctzubmojgwc.exe

Process
↳ Pid 808, Pid 856, Pid 1024, Pid 1116, Pid 1212, Pid 1312, Pid 1848, Pid 1136 (no activity recorded for these processes)

Process
↳ C:\WINDOWS\system32\kctzubmojgwc.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\ivbydyumokktjui\run
Creates File: C:\WINDOWS\system32\ivbydyumokktjui\tst
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\ivbydyumokktjui\rng
Creates File: C:\WINDOWS\TEMP\hcjbfh1si1zpcrd.exe
Creates File: C:\WINDOWS\system32\qqyeykoim.exe
Creates File: C:\WINDOWS\system32\ivbydyumokktjui\lck
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\ivbydyumokktjui\cfg
Creates Process: WATCHDOGPROC "c:\windows\system32\kctzubmojgwc.exe"
Creates Process: C:\WINDOWS\TEMP\hcjbfh1si1zpcrd.exe -r 35375 tcp

Process
↳ C:\WINDOWS\system32\kctzubmojgwc.exe

Creates File: C:\WINDOWS\system32\ivbydyumokktjui\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\kctzubmojgwc.exe"

Creates File: C:\WINDOWS\system32\ivbydyumokktjui\tst

Process
↳ C:\WINDOWS\TEMP\hcjbfh1si1zpcrd.exe -r 35375 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: ableread.net, Type: A ➝ 208.91.197.241
DNS: maybellinecherokee.net, Type: A
DNS: alexandrinacalleigh.net, Type: A
DNS: recordtrust.net, Type: A
DNS: electricseparate.net, Type: A
DNS: flierdress.net, Type: A
DNS: oftenbranch.net, Type: A
DNS: thicklaughter.net, Type: A
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=049&sox=4f45f806&lenhdr
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.241:80
