Analysis Date: 2016-02-12 08:51:06
MD5: 5c0acdef38fbc7264833688a9078f49c
SHA1: defc0c7b254af39e3739023221250853c6d5b730

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 9c945350444701a6c9b04f19ecbcfde7  sha1: 0ac9b115d17e243cd570c3a2360a51786613b037  size: 1108992
Section .rdata  md5: 152f4cf816b72e6c2e63a5fc1cb0749c  sha1: bcccba2f5e8cb17b38f3e8cde86995c42eb453be  size: 259584
Section .data  md5: 0c1fa605749fcbd604413d60725bfb96  sha1: d8c784f46ef43f5f9b3df1133c5b245c155a6176  size: 3072
Section .reloc  md5: 1d989653b243994277efacc29820131e  sha1: a45edf24920736b5d7acb2fa25c034bf119ae541  size: 140288
Timestamp: 2015-03-04 17:21:35
Packer: Microsoft Visual C++ ?.?
PEhash: 9865d708c8f3ecb2278c2d9decd5931f9bb4f8e0
IMPhash: d8d74e558a985ee46fea91edb75d7736
AV CA (E-Trust Ino): Gen:Variant.Razy.16325
AV Rising: No Virus
AV Mcafee: Trojan-FHSX!5C0ACDEF38FB
AV Avira (antivir): TR/Nivdort.A.28394
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.16325
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.BK
AV Grisoft (avg): Generic37.AMSJ
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.AQ!tr
AV BitDefender: Gen:Variant.Razy.16325
AV K7: Trojan ( 004da8bd1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DG
AV MicroWorld (escan): Gen:Variant.Razy.16325
AV MalwareBytes: No Virus
AV Authentium: W32/Trojan.HFRH-7842
AV Emsisoft: Gen:Variant.Razy.16325
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: Trojan.Bayrob.Win32.12900
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Gen:Variant.Razy.16325
AV Arcabit (arcavir): Gen:Variant.Razy.16325
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.23681
AV F-Secure: Gen:Variant.Razy.16325

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File C:\WINDOWS\system32\xtdrwcea\tst
Creates File PIPE\lsarpc
Creates File C:\Documents and Settings\Administrator\Local Settings\Temp\ip9e9jbqp79ux1hdfvb11hq.exe
Creates Process C:\Documents and Settings\Administrator\Local Settings\Temp\ip9e9jbqp79ux1hdfvb11hq.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\ip9e9jbqp79ux1hdfvb11hq.exe

Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Transaction TCP/IP Base ➝ C:\WINDOWS\system32\jfonzorzjt.exe
Creates File C:\WINDOWS\system32\xtdrwcea\tst
Creates File C:\WINDOWS\system32\jfonzorzjt.exe
Creates File C:\WINDOWS\system32\xtdrwcea\lck
Creates File PIPE\lsarpc
Creates Process C:\WINDOWS\system32\jfonzorzjt.exe
Creates Service Gateway Initiator Bluetooth Encrypting Image - C:\WINDOWS\system32\jfonzorzjt.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1160

Process
↳ C:\WINDOWS\system32\jfonzorzjt.exe

Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File C:\WINDOWS\system32\xtdrwcea\rng
Creates File C:\WINDOWS\TEMP\ip9e9jjkw15gx1hd.exe
Creates File C:\WINDOWS\system32\xtdrwcea\tst
Creates File pipe\net\NtControlPipe10
Creates File C:\WINDOWS\system32\xtdrwcea\lck
Creates File C:\WINDOWS\system32\xtdrwcea\run
Creates File C:\WINDOWS\system32\xtdrwcea\cfg
Creates File C:\WINDOWS\system32\vnvfovvs.exe
Creates File \Device\Afd\Endpoint
Creates Process C:\WINDOWS\TEMP\ip9e9jjkw15gx1hd.exe -r 32139 tcp
Creates Process WATCHDOGPROC "c:\windows\system32\jfonzorzjt.exe"

Process
↳ C:\WINDOWS\system32\jfonzorzjt.exe

Creates File C:\WINDOWS\system32\xtdrwcea\tst
Creates File PIPE\lsarpc

Process
↳ c:\windows\system32\jfonzorzjt.exe

Creates File C:\WINDOWS\system32\xtdrwcea\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\jfonzorzjt.exe"

Creates File C:\WINDOWS\system32\xtdrwcea\tst
Creates Process c:\windows\system32\jfonzorzjt.exe

Process
↳ C:\WINDOWS\TEMP\ip9e9jjkw15gx1hd.exe -r 32139 tcp

Creates File \Device\Afd\Endpoint
Winsock DNS 239.255.255.250
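The process tree above carries several host-side indicators that survive the per-infection randomisation of file names: a Run key value ("Transaction TCP/IP Base") pointing at a freshly written executable with a random lower-case name directly under system32, a service ("Gateway Initiator Bluetooth Encrypting Image") registered for the same binary, FirewallDisableNotify set to 1, the sidecar files tst/lck/run/cfg/rng in a random system32 subdirectory, and a respawn helper launched with the WATCHDOGPROC argument. The Python below is an added example, not code from the sandbox or from this report: it encodes those observations as shape-based rules and runs them over constructed event records modelled on the entries above. The event schema (type/key/value/image/cmdline/path) and the rule names are assumptions made here; the 8-to-12-letter "random name" heuristic will also fire on a few legitimate system32 binaries (certutil.exe, ipconfig.exe), so it is meant to be combined with the Run-key and service rules, not used on its own.

```python
import re

# Shape of the artefacts in the run above; the actual names differ per infection.
RANDOM_NAME = re.compile(r"^[a-z]{8,12}$")          # jfonzorzjt, vnvfovvs, xtdrwcea
SIDECAR_FILES = {"tst", "lck", "run", "cfg", "rng"}  # files in system32\<random>\
SYSTEM32 = r"c:\windows\system32"


def _base(path):
    """Split a Windows path into (directory, filename), lower-cased."""
    d, _, f = path.lower().rpartition("\\")
    return d, f


def random_exe_in_system32(path):
    """True for paths like C:\\WINDOWS\\system32\\jfonzorzjt.exe."""
    d, f = _base(path)
    stem = f[:-4] if f.endswith(".exe") else f
    return d == SYSTEM32 and f.endswith(".exe") and bool(RANDOM_NAME.match(stem))


def match_event(ev):
    """Return the names of the indicators one event matches (may be empty)."""
    hits = []
    kind = ev.get("type")
    if kind == "registry_set":
        key = ev["key"].lower()
        if "\\currentversion\\run\\" in key and random_exe_in_system32(str(ev["value"])):
            hits.append("run_key_random_system32_exe")
        if key.endswith("\\security center\\firewalldisablenotify") and str(ev["value"]) == "1":
            hits.append("firewall_notify_disabled")
    elif kind == "service_create":
        if random_exe_in_system32(ev["image"]):
            hits.append("service_random_system32_exe")
    elif kind == "process_create":
        if ev["cmdline"].upper().startswith("WATCHDOGPROC "):
            hits.append("watchdog_respawn_process")
    elif kind == "file_create":
        d, f = _base(ev["path"])
        parent, _, subdir = d.rpartition("\\")
        if parent == SYSTEM32 and RANDOM_NAME.match(subdir) and f in SIDECAR_FILES:
            hits.append("system32_random_dir_sidecar_file")
    return hits


def triage(events):
    """Map each indicator name to the number of events that matched it."""
    counts = {}
    for ev in events:
        for name in match_event(ev):
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample events mirroring the report's Runtime Details (not real telemetry),
# plus two benign controls that must not fire.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Transaction TCP/IP Base",
     "value": r"C:\WINDOWS\system32\jfonzorzjt.exe"},
    {"type": "service_create",
     "name": "Gateway Initiator Bluetooth Encrypting Image",
     "image": r"C:\WINDOWS\system32\jfonzorzjt.exe"},
    {"type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Security Center\FirewallDisableNotify", "value": 1},
    {"type": "file_create", "path": r"C:\WINDOWS\system32\xtdrwcea\cfg"},
    {"type": "process_create",
     "cmdline": 'WATCHDOGPROC "c:\\windows\\system32\\jfonzorzjt.exe"'},
    {"type": "file_create", "path": r"C:\WINDOWS\system32\WBEM\Logs\wbemess.log"},
    {"type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for name, n in sorted(triage(SAMPLE_EVENTS).items()):
        print("%-36s %d" % (name, n))
```

Feeding real Sysmon or EDR events into `match_event` only requires mapping their field names onto the four event types used here; the registry value for the Run key should be matched against the executable actually on disk, since the page shows the binary is dropped moments before the key is written.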

Network Details:

DNS riddenstorm.net (A) ➝ 66.147.240.171
DNS drivehope.net (A) ➝ 195.22.28.197
DNS drivehope.net (A) ➝ 195.22.28.196
DNS drivehope.net (A) ➝ 195.22.28.199
DNS drivehope.net (A) ➝ 195.22.28.198
DNS melbourneit.hotkeysparking.com (A) ➝ 8.5.1.16
DNS facebegan.net (A) ➝ 195.22.28.197
DNS facebegan.net (A) ➝ 195.22.28.196
DNS facebegan.net (A) ➝ 195.22.28.199
DNS facebegan.net (A) ➝ 195.22.28.198
DNS walkkind.net (A) ➝ 112.127.46.75
DNS afterjune.net (A) ➝ 195.154.108.241
DNS drivewild.net (A) ➝ 72.52.4.90
DNS nailwild.net (A) ➝ 208.100.26.234
DNS doubleobject.net (A)
DNS brokenthird.net (A)
DNS mightspecial.net (A)
DNS dulcibellamartinson.net (A)
DNS mariabellabotwright.net (A)
DNS simonettesherisse.net (A)
DNS decidebetween.net (A)
DNS aloneneighbor.net (A)
DNS gentleangry.net (A)
DNS gwendolynhuddleston.net (A)
DNS simonettedwerryhouse.net (A)
DNS seasonstrong.net (A)
DNS oftensurprise.net (A)
DNS chiefanother.net (A)
DNS morningduring.net (A)
DNS wifeabout.net (A)
DNS casestep.net (A)
DNS forceleft.net (A)
DNS afterthirteen.net (A)
DNS forcethirteen.net (A)
DNS afterhurry.net (A)
DNS forcehurry.net (A)
DNS sellhope.net (A)
DNS wednesdayhope.net (A)
DNS sellleft.net (A)
DNS wednesdayleft.net (A)
DNS sellthirteen.net (A)
DNS wednesdaythirteen.net (A)
DNS sellhurry.net (A)
DNS wednesdayhurry.net (A)
DNS nailhope.net (A)
DNS driveleft.net (A)
DNS nailleft.net (A)
DNS drivethirteen.net (A)
DNS nailthirteen.net (A)
DNS drivehurry.net (A)
DNS nailhurry.net (A)
DNS fieldwild.net (A)
DNS queenwild.net (A)
DNS fieldjune.net (A)
DNS queenjune.net (A)
DNS fieldbegan.net (A)
DNS queenbegan.net (A)
DNS fieldkind.net (A)
DNS queenkind.net (A)
DNS bothwild.net (A)
DNS gainwild.net (A)
DNS bothjune.net (A)
DNS gainjune.net (A)
DNS bothbegan.net (A)
DNS gainbegan.net (A)
DNS bothkind.net (A)
DNS gainkind.net (A)
DNS leastwild.net (A)
DNS facewild.net (A)
DNS leastjune.net (A)
DNS facejune.net (A)
DNS leastbegan.net (A)
DNS leastkind.net (A)
DNS facekind.net (A)
DNS monthwild.net (A)
DNS walkwild.net (A)
DNS monthjune.net (A)
DNS walkjune.net (A)
DNS monthbegan.net (A)
DNS walkbegan.net (A)
DNS monthkind.net (A)
DNS storywild.net (A)
DNS weakwild.net (A)
DNS storyjune.net (A)
DNS weakjune.net (A)
DNS storybegan.net (A)
DNS weakbegan.net (A)
DNS storykind.net (A)
DNS weakkind.net (A)
DNS afterwild.net (A)
DNS forcewild.net (A)
DNS forcejune.net (A)
DNS afterbegan.net (A)
DNS forcebegan.net (A)
DNS afterkind.net (A)
DNS forcekind.net (A)
DNS sellwild.net (A)
DNS wednesdaywild.net (A)
DNS selljune.net (A)
DNS wednesdayjune.net (A)
DNS sellbegan.net (A)
DNS wednesdaybegan.net (A)
DNS sellkind.net (A)
DNS wednesdaykind.net (A)
DNS drivejune.net (A)
DNS nailjune.net (A)
DNS drivebegan.net (A)
DNS nailbegan.net (A)
DNS drivekind.net (A)
DNS nailkind.net (A)
HTTP GET http://riddenstorm.net/index.php  User-Agent: (empty)
HTTP GET http://drivehope.net/index.php  User-Agent: (empty)
HTTP GET http://drivethirteen.net/index.php  User-Agent: (empty)
HTTP GET http://facebegan.net/index.php  User-Agent: (empty)
HTTP GET http://walkkind.net/index.php  User-Agent: (empty)
HTTP GET http://afterjune.net/index.php  User-Agent: (empty)
HTTP GET http://drivewild.net/index.php  User-Agent: (empty)
HTTP GET http://nailwild.net/index.php  User-Agent: (empty)
HTTP GET http://riddenstorm.net/index.php  User-Agent: (empty)
Flows TCP 192.168.1.1:1036 ➝ 66.147.240.171:80
Flows TCP 192.168.1.1:1038 ➝ 195.22.28.197:80
Flows TCP 192.168.1.1:1039 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1040 ➝ 195.22.28.197:80
Flows TCP 192.168.1.1:1041 ➝ 112.127.46.75:80
Flows TCP 192.168.1.1:1042 ➝ 195.154.108.241:80
Flows TCP 192.168.1.1:1043 ➝ 72.52.4.90:80
Flows TCP 192.168.1.1:1044 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1045 ➝ 66.147.240.171:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69646465 6e73746f 726d2e6e 65740d0a   iddenstorm.net..
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   72697665 686f7065 2e6e6574 0d0a0d0a   rivehope.net....
0x00000050 (00080)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   72697665 74686972 7465656e 2e6e6574   rivethirteen.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   61636562 6567616e 2e6e6574 0d0a0d0a   acebegan.net....
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   616c6b6b 696e642e 6e65740d 0a0d0a0a   alkkind.net.....
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2061   : close..Host: a
0x00000040 (00064)   66746572 6a756e65 2e6e6574 0d0a0d0a   fterjune.net....
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   72697665 77696c64 2e6e6574 0d0a0d0a   rivewild.net....
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206e   : close..Host: n
0x00000040 (00064)   61696c77 696c642e 6e65740d 0a0d0a0a   ailwild.net.....
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69646465 6e73746f 726d2e6e 65740d0a   iddenstorm.net..
0x00000050 (00080)   0d0a0d0a                              ....
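Two things in the network section are worth turning into checks. First, every captured request is the same minimal beacon: `GET /index.php HTTP/1.0` with only Accept, Connection and Host headers and no User-Agent at all, which is why the HTTP table above shows an empty User-Agent. Second, nearly every queried domain is two ordinary English words joined under .net (drivehope, nailwild, wednesdaythirteen), while riddenstorm.net and melbourneit.hotkeysparking.com do not fit that pattern. The Python below is an added example, not part of the original report: it rebuilds the request bytes from the hexdump text as printed here, parses the request, lists which beacon traits it matches, and tests whether the Host label splits into two words from a list drawn from the DNS entries on this page. The word list, the trait labels and the output format are assumptions made here; the two dumps embedded as sample input are copied from the Raw Pcap section above.

```python
import re

# One hexdump line: hex offset, decimal offset in parentheses, hex groups, then ASCII.
# The hex field ends at the first run of two or more spaces, so an ASCII column that
# happens to look like hex (e.g. "ace") is never consumed as data.
HEX_LINE = re.compile(r"^0x([0-9a-fA-F]+)\s+\(\d+\)\s+((?:[0-9a-fA-F]{2,8} ?)+)")


def parse_hexdump(dump):
    """Rebuild the raw bytes from a sandbox hexdump block."""
    out = bytearray()
    for line in dump.strip().splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            raise ValueError("not a hexdump line: %r" % line)
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)


def parse_http_request(raw):
    """Split an HTTP request into request line, headers (lower-cased names) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.decode("ascii").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def beacon_reasons(req):
    """Traits of the request that match the beacon seen in this report."""
    hdr = req["headers"]
    reasons = []
    if req["version"] == "HTTP/1.0":
        reasons.append("http/1.0")
    if "user-agent" not in hdr:
        reasons.append("no user-agent")
    if hdr.get("accept") == "*/*" and hdr.get("connection") == "close":
        reasons.append("accept */* with connection close")
    if req["method"] == "GET" and req["target"] == "/index.php":
        reasons.append("bare GET /index.php")
    return reasons


# Words taken from the domains in the DNS list above (an assumption, not a known list).
WORDS = {"after", "began", "both", "drive", "face", "field", "force", "gain", "hope",
         "hurry", "june", "kind", "least", "left", "month", "nail", "queen", "sell",
         "story", "thirteen", "walk", "weak", "wednesday", "wild"}


def split_word_pair(label, words=WORDS):
    """Return (a, b) if the label is exactly two dictionary words, else None."""
    for i in range(1, len(label)):
        a, b = label[:i], label[i:]
        if a in words and b in words:
            return (a, b)
    return None


def triage_dumps(dumps):
    """Parse each dump, list beacon traits and classify the Host label."""
    results = []
    for d in dumps:
        req = parse_http_request(parse_hexdump(d))
        host = req["headers"].get("host", "")
        results.append({"host": host, "reasons": beacon_reasons(req),
                        "word_pair": split_word_pair(host.split(".")[0])})
    return results


# Sample input: two dumps copied verbatim from the Raw Pcap section of this report.
SAMPLE_DUMPS = ["""
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69646465 6e73746f 726d2e6e 65740d0a   iddenstorm.net..
0x00000050 (00080)   0d0a                                  ..
""", """
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   616c6b6b 696e642e 6e65740d 0a0d0a0a   alkkind.net.....
0x00000050 (00080)   0d0a0d0a                              ....
"""]

if __name__ == "__main__":
    for r in triage_dumps(SAMPLE_DUMPS):
        print(r["host"], r["word_pair"], ", ".join(r["reasons"]))
```

The Host label check is only a screen: it tells you which of the 100-odd queried names share the two-word shape and which (riddenstorm.net, the parking host) need to be looked at separately, and the list of words has to be rebuilt from each new sample's DNS output rather than assumed to be fixed.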


Strings