Analysis Date: 2015-09-27 09:00:04
MD5: fd5350a827a8ea6215b46ababe0b1345
SHA1: e3fa4fac184c3ff832ae07871c124660769e732d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 3fece790a7ce92d9ced8ce4ec8a73734 sha1: 7bc2bef09b07a1400913d794f868d5ab188ab228 size: 197120
Section .rdata md5: 2db3c4a4989135beac4821997e6e0336 sha1: c713f6adc6bf317cf661fcce88fc910a356d6b6a size: 52736
Section .data md5: 526e263cb3c68884773de218bd578584 sha1: 7d33cd96f60bd37fe2d5f4473b72705e75ef338c size: 7168
Section .reloc md5: 304bb75f6b8121d76d7743f047014825 sha1: 35fc3a385c39304cb8f784433545207c6fba17e4 size: 14336
Timestamp: 2015-04-29 18:58:33
Packer: Microsoft Visual C++ 8
PEhash: e7f4ac3c2d6b130164d485d0b25e11a26678e358
IMPhash: 16cc5c0db87777c02976fe370212d2ae
AV: MicroWorld (escan) - Gen:Variant.Kazy.604861
AV: Emsisoft - Gen:Variant.Kazy.604861
AV: Dr. Web - Trojan.Bayrob.1
AV: MalwareBytes - Trojan.Agent.KVTGen
AV: Mcafee - Trojan-FGIJ!FD5350A827A8
AV: Zillya! - no_virus
AV: Trend Micro - no_virus
AV: ClamAV - no_virus
AV: F-Secure - Gen:Variant.Kazy.604861
AV: CA (E-Trust Ino) - no_virus
AV: Grisoft (avg) - Win32/Cryptor
AV: Avira (antivir) - TR/Kryptik.qgmpd
AV: BullGuard - Gen:Variant.Kazy.604861
AV: Ikarus - Trojan.Win32.Bayrob
AV: Kaspersky - Trojan.Win32.Generic
AV: VirusBlokAda (vba32) - no_virus
AV: Arcabit (arcavir) - Gen:Variant.Kazy.604861
AV: K7 - Trojan ( 004c12491 )
AV: Twister - Trojan.0000E9000000006A1.mg
AV: BitDefender - Gen:Variant.Kazy.604861
AV: Fortinet - W32/Generic.AC.215362
AV: Authentium - W32/Scar.R.gen!Eldorado
AV: Symantec - Downloader.Upatre!g15
AV: Alwil (avast) - VB-AJEW [Trj]
AV: Eset (nod32) - Win32/Bayrob.Q
AV: Ad-Aware - Gen:Variant.Kazy.604861
AV: Rising - Trojan.Win32.Bayrod.a
AV: Padvish - no_virus
AV: CAT (quickheal) - TrojanSpy.Nivdort.OD4
AV: Microsoft Security Essentials - TrojanSpy:Win32/Nivdort.AF
AV: Frisk (f-prot) - no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\aonytyw\wgjylourk7
Creates File: C:\aonytyw\yklzrngcifeyzqruzm.exe
Creates File: C:\WINDOWS\aonytyw\wgjylourk7
Deletes File: C:\WINDOWS\aonytyw\wgjylourk7
Creates Process: C:\aonytyw\yklzrngcifeyzqruzm.exe

Process
↳ C:\aonytyw\yklzrngcifeyzqruzm.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Endpoint Launcher Interactive ➝ C:\aonytyw\lgtjkdfqobsf.exe
Creates File: C:\aonytyw\sgnvojgz9t
Creates File: C:\aonytyw\lgtjkdfqobsf.exe
Creates File: PIPE\lsarpc
Creates File: C:\aonytyw\wgjylourk7
Creates File: C:\WINDOWS\aonytyw\wgjylourk7
Deletes File: C:\WINDOWS\aonytyw\wgjylourk7
Creates Process: C:\aonytyw\lgtjkdfqobsf.exe
Creates Service: Client Locator Networking Event Registry - C:\aonytyw\lgtjkdfqobsf.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\QCSACFMBKO.EXE-2A39F2E0.pf
Creates File: C:\WINDOWS\Prefetch\YKLZRNGCIFEYZQRUZM.EXE-1FECCE48.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\LGTJKDFQOBSF.EXE-07DAB3D1.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ Pid 1324

Process
↳ Pid 1864

Process
↳ Pid 1048

Process
↳ C:\aonytyw\lgtjkdfqobsf.exe

Creates File: C:\aonytyw\vikqhoxl88hr
Creates File: C:\aonytyw\sgnvojgz9t
Creates File: pipe\net\NtControlPipe10
Creates File: C:\aonytyw\wgjylourk7
Creates File: \Device\Afd\Endpoint
Creates File: C:\aonytyw\qcsacfmbko.exe
Creates File: C:\WINDOWS\aonytyw\wgjylourk7
Deletes File: C:\WINDOWS\aonytyw\wgjylourk7
Creates Process: edxtmcgs3que "c:\aonytyw\lgtjkdfqobsf.exe"

Process
↳ C:\aonytyw\lgtjkdfqobsf.exe

Creates File: C:\aonytyw\wgjylourk7
Creates File: C:\WINDOWS\aonytyw\wgjylourk7
Deletes File: C:\WINDOWS\aonytyw\wgjylourk7

Process
↳ edxtmcgs3que "c:\aonytyw\lgtjkdfqobsf.exe"

Creates File: C:\aonytyw\wgjylourk7
Creates File: C:\WINDOWS\aonytyw\wgjylourk7
Deletes File: C:\WINDOWS\aonytyw\wgjylourk7

Network Details:

DNS: heavyfinger.net (Type: A) ➝ 72.13.81.186
DNS: journeybeyond.net (Type: A) ➝ 50.87.199.62
DNS: increasebeing.net (Type: A) ➝ 95.211.230.75
DNS: rememberforever.net (Type: A) ➝ 188.40.1.55
DNS: heavyshoulder.net (Type: A)
DNS: gentleshoulder.net (Type: A)
DNS: gentlefinger.net (Type: A)
DNS: variousuntil.net (Type: A)
DNS: returnuntil.net (Type: A)
DNS: variousabove.net (Type: A)
DNS: returnabove.net (Type: A)
DNS: variousshoulder.net (Type: A)
DNS: returnshoulder.net (Type: A)
DNS: variousfinger.net (Type: A)
DNS: returnfinger.net (Type: A)
DNS: husbandbeyond.net (Type: A)
DNS: journeybeing.net (Type: A)
DNS: husbandbeing.net (Type: A)
DNS: journeyforever.net (Type: A)
DNS: husbandforever.net (Type: A)
DNS: journeybottom.net (Type: A)
DNS: husbandbottom.net (Type: A)
DNS: destroybeyond.net (Type: A)
DNS: littlebeyond.net (Type: A)
DNS: destroybeing.net (Type: A)
DNS: littlebeing.net (Type: A)
DNS: destroyforever.net (Type: A)
DNS: littleforever.net (Type: A)
DNS: destroybottom.net (Type: A)
DNS: littlebottom.net (Type: A)
DNS: riddenbeyond.net (Type: A)
DNS: belongbeyond.net (Type: A)
DNS: riddenbeing.net (Type: A)
DNS: belongbeing.net (Type: A)
DNS: riddenforever.net (Type: A)
DNS: belongforever.net (Type: A)
DNS: riddenbottom.net (Type: A)
DNS: belongbottom.net (Type: A)
DNS: chairbeyond.net (Type: A)
DNS: thosebeyond.net (Type: A)
DNS: chairbeing.net (Type: A)
DNS: thosebeing.net (Type: A)
DNS: chairforever.net (Type: A)
DNS: thoseforever.net (Type: A)
DNS: chairbottom.net (Type: A)
DNS: thosebottom.net (Type: A)
DNS: withinbeyond.net (Type: A)
DNS: sufferbeyond.net (Type: A)
DNS: withinbeing.net (Type: A)
DNS: sufferbeing.net (Type: A)
DNS: withinforever.net (Type: A)
DNS: sufferforever.net (Type: A)
DNS: withinbottom.net (Type: A)
DNS: sufferbottom.net (Type: A)
DNS: effortbeyond.net (Type: A)
DNS: throughbeyond.net (Type: A)
DNS: effortbeing.net (Type: A)
DNS: throughbeing.net (Type: A)
DNS: effortforever.net (Type: A)
DNS: throughforever.net (Type: A)
DNS: effortbottom.net (Type: A)
DNS: throughbottom.net (Type: A)
DNS: forgetbeyond.net (Type: A)
DNS: increasebeyond.net (Type: A)
DNS: forgetbeing.net (Type: A)
DNS: forgetforever.net (Type: A)
DNS: increaseforever.net (Type: A)
DNS: forgetbottom.net (Type: A)
DNS: increasebottom.net (Type: A)
DNS: wouldbeyond.net (Type: A)
DNS: rememberbeyond.net (Type: A)
DNS: wouldbeing.net (Type: A)
DNS: rememberbeing.net (Type: A)
DNS: wouldforever.net (Type: A)
DNS: wouldbottom.net (Type: A)
DNS: rememberbottom.net (Type: A)
DNS: journeyflower.net (Type: A)
DNS: husbandflower.net (Type: A)
DNS: journeyminute.net (Type: A)
DNS: husbandminute.net (Type: A)
DNS: journeyspecial.net (Type: A)
DNS: husbandspecial.net (Type: A)
DNS: journeycorner.net (Type: A)
DNS: husbandcorner.net (Type: A)
DNS: destroyflower.net (Type: A)
HTTP GET: http://heavyfinger.net/index.php
User-Agent:
HTTP GET: http://journeybeyond.net/index.php
User-Agent:
HTTP GET: http://increasebeing.net/index.php
User-Agent:
HTTP GET: http://rememberforever.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 72.13.81.186:80
Flows TCP: 192.168.1.1:1032 ➝ 50.87.199.62:80
Flows TCP: 192.168.1.1:1033 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1034 ➝ 188.40.1.55:80
