Analysis Date: 2015-08-14 09:57:14
MD5: 0d633d0a440a1f10a348b61a96ef4660
SHA1: e124e55ac29c81959bfce30005aea3768562de49

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 06e8075d9ca615bfd89bd60fcc4d86c6 sha1: 42e4ffaa052f19ce15c76b01927eb10cc630944f size: 198144
Section .rdata: md5: 56eacd97b37aa47feba71dfd161daf2a sha1: d72f26dcbbcc1cf05c6ccf43849838e6c5198673 size: 52736
Section .data: md5: 9b140bc903cb39b667fe44e1e2289fed sha1: bbc9e3ba7ec01bf53c6a1eb21ce89600660e6064 size: 7168
Section .reloc: md5: 1470f1e4bb559ef7d3a9e833a9e1affb sha1: 0ce333af5029bf68b4a344397eb37704e5351667 size: 14336
Timestamp: 2015-04-29 19:18:36
Packer: Microsoft Visual C++ 8
PEhash: cf0945e21ea3d897a3f74fd2efdf937c4e20ef51
IMPhash: ea09f92ea0ffb532009bb7e6d8478105
AV Twister: Trojan.0000E9000000006A1.mg
AV Zillya!: no_virus
AV VirusBlokAda (vba32): Trojan.Scar
AV ClamAV: no_virus
AV K7: Trojan ( 004c12491 )
AV Frisk (f-prot): no_virus
AV Mcafee: Trojan-FGIJ!0D633D0A440A
AV CA (E-Trust Ino): no_virus
AV Grisoft (avg): Win32/Cryptor
AV Dr. Web: Trojan.Bayrob.1
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Authentium: W32/Scar.R.gen!Eldorado
AV Symantec: Downloader.Upatre!g15
AV BullGuard: Gen:Variant.Kazy.604861
AV Avira (antivir): TR/Crypt.Xpack.196268
AV Eset (nod32): Win32/Bayrob.Q
AV BitDefender: Gen:Variant.Kazy.604861
AV Kaspersky: Trojan.Win32.Generic
AV Fortinet: W32/Generic.AC.215362
AV Trend Micro: TROJ_BAYROB.SM0
AV Arcabit (arcavir): Gen:Variant.Kazy.604861
AV Emsisoft: Gen:Variant.Kazy.604861
AV MicroWorld (escan): Gen:Variant.Kazy.604861
AV Alwil (avast): VB-AJEW [Trj]
AV Ikarus: Trojan.Win32.Bayrob
AV Ad-Aware: Gen:Variant.Kazy.604861
AV F-Secure: Gen:Variant.Kazy.604861
AV Padvish: no_virus
AV Rising: Trojan.Win32.Bayrod.a
AV MalwareBytes: Trojan.Agent.KVTGen
AV Microsoft Security Essentials: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\iepuwkjayedknn\ns7xqf
Creates File: C:\iepuwkjayedknn\m51llsxvyume9suc.exe
Creates File: C:\WINDOWS\iepuwkjayedknn\ns7xqf
Deletes File: C:\WINDOWS\iepuwkjayedknn\ns7xqf
Creates Process: C:\iepuwkjayedknn\m51llsxvyume9suc.exe

Process
↳ C:\iepuwkjayedknn\m51llsxvyume9suc.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Themes Wired UPnP CNG Key COM User-mode DLL ➝ C:\iepuwkjayedknn\vdmijllosb.exe
Creates File: C:\iepuwkjayedknn\ns7xqf
Creates File: C:\iepuwkjayedknn\vdmijllosb.exe
Creates File: C:\iepuwkjayedknn\ayirsu9
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\iepuwkjayedknn\ns7xqf
Deletes File: C:\WINDOWS\iepuwkjayedknn\ns7xqf
Creates Process: C:\iepuwkjayedknn\vdmijllosb.exe
Creates Service: RPC Compatibility WMI Filtering - C:\iepuwkjayedknn\vdmijllosb.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1124

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1160

Process
↳ C:\iepuwkjayedknn\vdmijllosb.exe

Creates File: C:\iepuwkjayedknn\ns7xqf
Creates File: pipe\net\NtControlPipe10
Creates File: C:\iepuwkjayedknn\o6xohh
Creates File: C:\iepuwkjayedknn\ayirsu9
Creates File: \Device\Afd\Endpoint
Creates File: C:\iepuwkjayedknn\ulyqvviigf.exe
Creates File: C:\WINDOWS\iepuwkjayedknn\ns7xqf
Deletes File: C:\WINDOWS\iepuwkjayedknn\ns7xqf
Creates Process: fmvmydheisb4 "c:\iepuwkjayedknn\vdmijllosb.exe"

Process
↳ C:\iepuwkjayedknn\vdmijllosb.exe

Creates File: C:\iepuwkjayedknn\ns7xqf
Creates File: C:\WINDOWS\iepuwkjayedknn\ns7xqf
Deletes File: C:\WINDOWS\iepuwkjayedknn\ns7xqf

Process
↳ fmvmydheisb4 "c:\iepuwkjayedknn\vdmijllosb.exe"

Creates File: C:\iepuwkjayedknn\ns7xqf
Creates File: C:\WINDOWS\iepuwkjayedknn\ns7xqf
Deletes File: C:\WINDOWS\iepuwkjayedknn\ns7xqf

Network Details:

