Analysis Date: 2016-01-28 20:01:10
MD5: c3b077f0f03afb9359d7588f042c7973
SHA1: e0b089f27bfc23ec317c90b1dd95b74d492e6340

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 4a16ff01782cdcc54c6ecc6b772157fe  sha1: 31ddbc77a5e9390e3ee7f55a74f8f0c02299a59b  size: 653312
Section .rdata  md5: 6bb8000d33d99797e331c1e4005cf90a  sha1: 9deac059014b034ff9607cd5cec39ee8f1ccc008  size: 233984
Section .data   md5: 2a2b69648cc51db2eaf1842b158036f2  sha1: b79a36cf859047b46d7448f46fb83d64a16ed534  size: 5120
Section .reloc  md5: 4789b9fdb67bbf063251f3a105a28250  sha1: b298d8c617f6d26d33849c20e5c938e307ce8506  size: 88576
Timestamp: 2014-12-31 00:05:18
Packer: Microsoft Visual C++ ?.?
PEhash: 3250ffee8ca55cd7b13f01847728150b6fb2751c
IMPhash: 7a06c0ea9b7055e23b3bdb3e24f63307
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV McAfee: Trojan-FHSI!C3B077F0F03A
AV Avira (antivir): TR/Boryab.982016
AV Twister: No Virus
AV Ad-Aware: Trojan.Generic.15747300
AV Alwil (avast): No Virus
AV Eset (nod32): Win32/Bayrob.BK
AV Grisoft (avg): Crypt_c.APRE
AV Symantec: No Virus
AV Fortinet: No Virus
AV BitDefender: Trojan.Generic.15747300
AV K7: Trojan ( 004da8bd1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV MicroWorld (escan): Trojan.Generic.15747300
AV MalwareBytes: No Virus
AV Authentium: W32/Trojan.EPZD-4569
AV Emsisoft: Trojan.Generic.15747300
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Swizzor.e
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Trojan.Generic.15747300
AV Arcabit (arcavir): Trojan.Generic.15747300
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Trojan.Generic.15747300

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\yppyfmaul\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\fikqbez4qs1u1jwgnjiahwksoh.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\fikqbez4qs1u1jwgnjiahwksoh.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\fikqbez4qs1u1jwgnjiahwksoh.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TPM Link-Layer Defragmenter Information ➝ C:\WINDOWS\system32\zsavfmellh.exe
Creates File: C:\WINDOWS\system32\zsavfmellh.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\yppyfmaul\tst
Creates File: C:\WINDOWS\system32\yppyfmaul\lck
Creates Process: C:\WINDOWS\system32\zsavfmellh.exe
Creates Service: Counter Registry Grouping Connect SPP - C:\WINDOWS\system32\zsavfmellh.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1116

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1876

Process
↳ Pid 1192

Process
↳ C:\WINDOWS\system32\zsavfmellh.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\yppyfmaul\rng
Creates File: C:\WINDOWS\system32\yppyfmaul\run
Creates File: C:\WINDOWS\system32\yppyfmaul\cfg
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\TEMP\fikqbez4uhw7g2wgnji.exe
Creates File: C:\WINDOWS\system32\uvihizrvdbt.exe
Creates File: C:\WINDOWS\system32\yppyfmaul\tst
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\yppyfmaul\lck
Creates Process: C:\WINDOWS\TEMP\fikqbez4uhw7g2wgnji.exe -r 31667 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\zsavfmellh.exe"

Process
↳ C:\WINDOWS\system32\zsavfmellh.exe

Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\yppyfmaul\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\zsavfmellh.exe"

Creates File: C:\WINDOWS\system32\yppyfmaul\tst

Process
↳ C:\WINDOWS\TEMP\fikqbez4uhw7g2wgnji.exe -r 31667 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250 (the SSDP/UPnP multicast address)
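
Triage script, added here as a worked example (it is not part of the sandbox report and not code from the sample): it reads the runtime indicator lines above, attributes each to the process block it appears under, and pulls out the artefacts a responder would hunt for: the Run value, the service, the Security Center notification change, the executables dropped into Temp and system32, and the helper launched with "-r 31667 tcp" (the report does not establish what that argument does, so the script only records it). The sample lines are copied from this page into the script so it runs offline; the function names and the finding categories are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the process blocks and indicator lines from the runtime
# section of this report, copied here so the script runs offline.
REPORT = r"""
Process
↳ C:\malware.exe
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\fikqbez4qs1u1jwgnjiahwksoh.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\fikqbez4qs1u1jwgnjiahwksoh.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\fikqbez4qs1u1jwgnjiahwksoh.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TPM Link-Layer Defragmenter Information ➝ C:\WINDOWS\system32\zsavfmellh.exe
Creates File: C:\WINDOWS\system32\zsavfmellh.exe
Creates Process: C:\WINDOWS\system32\zsavfmellh.exe
Creates Service: Counter Registry Grouping Connect SPP - C:\WINDOWS\system32\zsavfmellh.exe

Process
↳ C:\WINDOWS\system32\zsavfmellh.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\TEMP\fikqbez4uhw7g2wgnji.exe
Creates File: C:\WINDOWS\system32\uvihizrvdbt.exe
Creates Process: C:\WINDOWS\TEMP\fikqbez4uhw7g2wgnji.exe -r 31667 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\zsavfmellh.exe"
"""

EVENT_RE = re.compile(r"^(Creates File|Creates Process|Creates Service|Registry): (.+)$")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
TEMP_DIR = re.compile(r"\\(Local Settings\\Temp|WINDOWS\\TEMP)\\", re.I)
SYSTEM32 = re.compile(r"\\system32\\", re.I)
PORT_ARG = re.compile(r"\s-r\s+(\d{1,5})\s+(tcp|udp)\b", re.I)


def parse_events(report):
    """Return (process, action, target) tuples, attributing each indicator
    line to the process block (the '↳' line) it appears under."""
    events, current = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("↳ "):
            current = line[2:]
            continue
        m = EVENT_RE.match(line)
        if m and current:
            events.append((current, m.group(1), m.group(2)))
    return events


def triage(events):
    """Group the events into the artefacts a responder would hunt for.
    Category names are this example's own, not the sandbox's."""
    findings = defaultdict(list)
    for proc, action, target in events:
        if action == "Registry":
            key, _, value = target.partition(" ➝ ")
            value = value.strip()
            if RUN_KEY.search(key):
                # Run value name -> image launched at logon
                findings["run_key_persistence"].append((key.rsplit("\\", 1)[-1], value))
            elif key.endswith("\\Security Center\\FirewallDisableNotify") and value == "1":
                findings["security_center_notify_disabled"].append(proc)
        elif action == "Creates Service":
            name, _, image = target.partition(" - ")
            findings["service_persistence"].append((name, image))
        elif action == "Creates File" and target.lower().endswith(".exe"):
            where = ("temp" if TEMP_DIR.search(target)
                     else "system32" if SYSTEM32.search(target) else "other")
            findings["dropped_exe"].append((where, target))
        elif action == "Creates Process":
            m = PORT_ARG.search(target)
            if m:
                # The report does not say what "-r <port> tcp" does; only record it.
                findings["port_argument"].append((target[:m.start()], int(m.group(1)), m.group(2).lower()))
            if target.upper().startswith("WATCHDOGPROC "):
                findings["watchdog"].append(target)
    return dict(findings)


def shared_image(findings):
    """Images that are both a Run value target and a service image: the
    strongest single hunt pivot in this report."""
    run = {img.lower() for _, img in findings.get("run_key_persistence", [])}
    svc = {img.lower() for _, img in findings.get("service_persistence", [])}
    return sorted(run & svc)


if __name__ == "__main__":
    f = triage(parse_events(REPORT))
    for category, items in f.items():
        print(category)
        for item in items:
            print("   ", item)
    print("pivot images:", shared_image(f))
```

The Run value name and the service name on this page are strings of unrelated words, so a hunt keyed on those names will not survive the next build; the durable pivot is the behaviour: a Run value and a service that both point at the same freshly written executable under system32, created by a process running from a Temp directory.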

Network Details:

DNS doubleobject.net (A): 69.195.124.153
DNS brokenthird.net (A): 74.220.215.249
DNS riddenstorm.net (A): 66.147.240.171
DNS gentleangry.net (A): 98.139.135.129
DNS simonettedwerryhouse.net (A): 98.139.135.129
DNS morningduring.net (A): 98.139.135.129
DNS wifeabout.net (A): 98.139.135.129
DNS casestep.net (A): 98.139.135.129
DNS fearboat.net (A): 195.22.28.198
DNS fearboat.net (A): 195.22.28.199
DNS fearboat.net (A): 195.22.28.196
DNS fearboat.net (A): 195.22.28.197
DNS westboat.net (A): 213.186.33.104
DNS westrest.net (A): 208.100.26.234
DNS leadpress.net (A): 98.124.199.4
DNS mightspecial.net (A): (no answer recorded)
DNS dulcibellamartinson.net (A): (no answer recorded)
DNS mariabellabotwright.net (A): (no answer recorded)
DNS simonettesherisse.net (A): (no answer recorded)
DNS decidebetween.net (A): (no answer recorded)
DNS aloneneighbor.net (A): (no answer recorded)
DNS gwendolynhuddleston.net (A): (no answer recorded)
DNS seasonstrong.net (A): (no answer recorded)
DNS oftensurprise.net (A): (no answer recorded)
DNS chiefanother.net (A): (no answer recorded)
DNS fearpress.net (A): (no answer recorded)
DNS westpress.net (A): (no answer recorded)
DNS fearrest.net (A): (no answer recorded)
DNS fearopen.net (A): (no answer recorded)
DNS westopen.net (A): (no answer recorded)
DNS tableboat.net (A): (no answer recorded)
DNS leadboat.net (A): (no answer recorded)
DNS tablepress.net (A): (no answer recorded)
DNS tablerest.net (A): (no answer recorded)
DNS leadrest.net (A): (no answer recorded)
DNS tableopen.net (A): (no answer recorded)
DNS leadopen.net (A): (no answer recorded)
DNS pointboat.net (A): (no answer recorded)
DNS callboat.net (A): (no answer recorded)
DNS pointpress.net (A): (no answer recorded)
DNS callpress.net (A): (no answer recorded)
DNS pointrest.net (A): (no answer recorded)
DNS callrest.net (A): (no answer recorded)
DNS pointopen.net (A): (no answer recorded)
HTTP GET http://doubleobject.net/index.php  User-Agent: (none)
HTTP GET http://brokenthird.net/index.php  User-Agent: (none)
HTTP GET http://riddenstorm.net/index.php  User-Agent: (none)
HTTP GET http://gentleangry.net/index.php  User-Agent: (none)
HTTP GET http://simonettedwerryhouse.net/index.php  User-Agent: (none)
HTTP GET http://morningduring.net/index.php  User-Agent: (none)
HTTP GET http://wifeabout.net/index.php  User-Agent: (none)
HTTP GET http://casestep.net/index.php  User-Agent: (none)
HTTP GET http://fearboat.net/index.php  User-Agent: (none)
HTTP GET http://westboat.net/index.php  User-Agent: (none)
HTTP GET http://westrest.net/index.php  User-Agent: (none)
HTTP GET http://leadpress.net/index.php  User-Agent: (none)
Flows TCP: 192.168.1.1:1036 ➝ 69.195.124.153:80
Flows TCP: 192.168.1.1:1037 ➝ 74.220.215.249:80
Flows TCP: 192.168.1.1:1038 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1040 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1041 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1042 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1043 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1044 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1045 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1046 ➝ 213.186.33.104:80
Flows TCP: 192.168.1.1:1047 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1048 ➝ 98.124.199.4:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f75626c 656f626a 6563742e 6e65740d   oubleobject.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   726f6b65 6e746869 72642e6e 65740d0a   rokenthird.net..
0x00000050 (00080)   0d0a0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69646465 6e73746f 726d2e6e 65740d0a   iddenstorm.net..
0x00000050 (00080)   0d0a0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2067   : close..Host: g
0x00000040 (00064)   656e746c 65616e67 72792e6e 65740d0a   entleangry.net..
0x00000050 (00080)   0d0a0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   696d6f6e 65747465 64776572 7279686f   imonettedwerryho
0x00000050 (00080)   7573652e 6e65740d 0a0d0a              use.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f726e69 6e676475 72696e67 2e6e6574   orningduring.net
0x00000050 (00080)   0d0a0d0a 6e65740d 0a0d0a              ....net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   69666561 626f7574 2e6e6574 0d0a0d0a   ifeabout.net....
0x00000050 (00080)   0d0a0d0a 6e65740d 0a0d0a              ....net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   61736573 7465702e 6e65740d 0a0d0a0a   asestep.net.....
0x00000050 (00080)   0d0a0d0a 6e65740d 0a0d0a              ....net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   65617262 6f61742e 6e65740d 0a0d0a0a   earboat.net.....
0x00000050 (00080)   0d0a0d0a 6e65740d 0a0d0a              ....net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   65737462 6f61742e 6e65740d 0a0d0a0a   estboat.net.....
0x00000050 (00080)   0d0a0d0a 6e65740d 0a0d0a              ....net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   65737472 6573742e 6e65740d 0a0d0a0a   estrest.net.....
0x00000050 (00080)   0d0a0d0a 6e65740d 0a0d0a              ....net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   65616470 72657373 2e6e6574 0d0a0d0a   eadpress.net....
0x00000050 (00080)   0d0a0d0a 6e65740d 0a0d0a              ....net....
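
Decoder, added here as a worked example (not part of the sandbox report): it rebuilds the request bytes from a hex dump in the layout above, stops header parsing at the first CRLFCRLF so the bytes that several of these dumps carry after the end of the request are reported separately instead of being mis-parsed as headers, and checks the request against the profile every dump on this page shares: GET /index.php, HTTP/1.0, Accept: */*, Connection: close, a Host header, and no User-Agent header at all. Two dumps are copied from the page into the script as sample input; the profile check is the example's own criterion, not a published signature.

```python
import re

# Constructed sample: two request dumps from the "Raw Pcap" section of this
# report, copied verbatim. The second carries bytes after the end of the
# request, as several dumps on this page do.
DUMP_A = """
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f75626c 656f626a 6563742e 6e65740d   oubleobject.net.
0x00000050 (00080)   0a0d0a                                ...
"""
DUMP_B = """
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f726e69 6e676475 72696e67 2e6e6574   orningduring.net
0x00000050 (00080)   0d0a0d0a 6e65740d 0a0d0a              ....net....
"""

OFFSET_RE = re.compile(r"^0x([0-9a-fA-F]{8}) \(\d+\)\s+(.*)$")
HEX_TOKEN = re.compile(r"^(?:[0-9a-fA-F]{2}){1,4}$")
BYTES_PER_LINE = 16


def dump_to_bytes(dump):
    """Rebuild the byte stream from the hex columns. Tokens are consumed while
    they are pure hex and the line's 16-byte budget is not exhausted, so the
    ASCII gutter is never mistaken for data; the offset column is checked so a
    missing or duplicated line is caught instead of silently shifting bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = OFFSET_RE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"offset 0x{m.group(1)} does not follow {len(out)} bytes")
        taken = 0
        for tok in m.group(2).split():
            if not HEX_TOKEN.match(tok) or taken >= BYTES_PER_LINE:
                break
            out += bytes.fromhex(tok)
            taken += len(tok) // 2
    return bytes(out)


def parse_request(raw):
    """Split request line and headers at the first CRLFCRLF. Anything after
    that point is returned as 'trailer' rather than interpreted."""
    head, sep, trailer = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    headers = []
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {"method": parts[0], "target": parts[1], "version": parts[2],
            "headers": headers, "trailer": trailer}


def matches_profile(req):
    """The request shape shared by every dump on this page (example's own
    criterion): minimal HTTP/1.0 GET for /index.php with no User-Agent."""
    h = dict(req["headers"])
    return (req["method"] == "GET" and req["target"] == "/index.php"
            and req["version"] == "HTTP/1.0"
            and "user-agent" not in h
            and "host" in h
            and h.get("accept") == "*/*"
            and h.get("connection", "").lower() == "close")


if __name__ == "__main__":
    for name, dump in (("A", DUMP_A), ("B", DUMP_B)):
        req = parse_request(dump_to_bytes(dump))
        print(name, req["method"], req["target"], req["version"], dict(req["headers"]),
              f"trailer={req['trailer']!r}", f"profile={matches_profile(req)}")
```

The trailer of the second dump decodes to "net\r\n\r\n", which matches the tail of the longer simonettedwerryhouse.net request that precedes it in the listing; the trailing bytes on the later dumps look like leftovers of that display buffer rather than part of what was sent, which is why the decoder stops at the end of headers instead of trusting the dump length. Absence of a User-Agent header is the cheapest single discriminator here: browsers and the Windows HTTP stacks always send one.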


Strings