Analysis Date: 2015-12-08 10:32:40
MD5: 1102eca087a6b8fb3b9edf2a28a9e434
SHA1: e535581cd30203f1405e4759ba52c8beb06b874b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 9836c74f0c96c97734a57ff53f429300 sha1: b0be846e81352221c7e27576319f49d2b76b5fd5 size: 294912
Section .rdata: md5: 512836e636d35ade078f691e6e8a4261 sha1: bf37b19bc700a96ba46c9499b9e16981172379bc size: 38912
Section .data: md5: 63b0b68819a58c7159c07459f995c3a4 sha1: 04ad2c07b8fc0666ba4a2101ab5ab9df2e525161 size: 7168
Timestamp: 2015-11-23 02:56:42
Packer: Microsoft Visual C++ ?.?
PEhash: 7efddf0554a230f9e7a83591b5bf72b3cc38edf4
IMPhash: 091b2f737f03fcbcd70927ecd1bc8cd3
AV Frisk (f-prot): no_virus
AV Mcafee: no_virus
AV Alwil (avast): no_virus
AV Dr. Web: Trojan.DownLoader17.58746
AV Microsoft Security Essentials: no_virus
AV F-Secure: Trojan.GenericKD.2891406
AV CA (E-Trust Ino): no_virus
AV MicroWorld (escan): no_virus
AV BitDefender: Trojan.GenericKD.2891406
AV Grisoft (avg): Generic36.COKN
AV Padvish: no_virus
AV Rising: no_virus
AV Emsisoft: Trojan.Win32.Agent
AV Arcabit (arcavir): Trojan.GenericKD.2891406
AV Ikarus: Trojan.Win32.Bayrob
AV CAT (quickheal): no_virus
AV Symantec: Downloader.Upatre
AV Eset (nod32): Win32/Bayrob.AD
AV K7: no_virus
AV Trend Micro: no_virus
AV Avira (antivir): no_virus
AV BullGuard: Trojan.GenericKD.2891406
AV Twister: no_virus
AV Kaspersky: Trojan.Win32.Agent.netfkf
AV Fortinet: W32/Bayrob.AD!tr
AV VirusBlokAda (vba32): no_virus
AV ClamAV: no_virus
AV MalwareBytes: no_virus
AV Zillya!: no_virus
AV Authentium: no_virus
AV Ad-Aware: Trojan.GenericKD.2891406

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\dhjxozqitiiu\jburmuskn
Creates File: C:\WINDOWS\dhjxozqitiiu\jburmuskn
Creates File: C:\dhjxozqitiiu\iuy1lhgjecdiu2l0sk.exe
Deletes File: C:\WINDOWS\dhjxozqitiiu\jburmuskn
Creates Process: C:\dhjxozqitiiu\iuy1lhgjecdiu2l0sk.exe

Process
↳ C:\dhjxozqitiiu\iuy1lhgjecdiu2l0sk.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Filtering Protocol Software ➝ C:\dhjxozqitiiu\vxgtoqe.exe
Creates File: C:\dhjxozqitiiu\jburmuskn
Creates File: C:\WINDOWS\dhjxozqitiiu\jburmuskn
Creates File: C:\dhjxozqitiiu\vxgtoqe.exe
Creates File: PIPE\lsarpc
Creates File: C:\dhjxozqitiiu\bmylfy
Deletes File: C:\WINDOWS\dhjxozqitiiu\jburmuskn
Creates Process: C:\dhjxozqitiiu\vxgtoqe.exe
Creates Service: Helper Microsoft Counter Port Trap Enumerator - C:\dhjxozqitiiu\vxgtoqe.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1168

Process
↳ C:\dhjxozqitiiu\vxgtoqe.exe

Creates File: C:\dhjxozqitiiu\foddwawc.exe
Creates File: C:\dhjxozqitiiu\jburmuskn
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\dhjxozqitiiu\jburmuskn
Creates File: \Device\Afd\Endpoint
Creates File: C:\dhjxozqitiiu\f1sbdvty6dv
Creates File: C:\dhjxozqitiiu\bmylfy
Deletes File: C:\WINDOWS\dhjxozqitiiu\jburmuskn
Creates Process: zdknbky5xx7b "c:\dhjxozqitiiu\vxgtoqe.exe"

Process
↳ C:\dhjxozqitiiu\vxgtoqe.exe

Creates File: C:\dhjxozqitiiu\jburmuskn
Creates File: C:\WINDOWS\dhjxozqitiiu\jburmuskn
Deletes File: C:\WINDOWS\dhjxozqitiiu\jburmuskn

Process
↳ zdknbky5xx7b "c:\dhjxozqitiiu\vxgtoqe.exe"

Creates File: C:\dhjxozqitiiu\jburmuskn
Creates File: C:\WINDOWS\dhjxozqitiiu\jburmuskn
Deletes File: C:\WINDOWS\dhjxozqitiiu\jburmuskn

Network Details:

DNS: heavygarden.net, Type: A ➝ 98.139.135.129
DNS: gentlepleasure.net, Type: A ➝ 104.18.37.180
DNS: gentlepleasure.net, Type: A ➝ 104.18.36.180
DNS: gentlemillion.net, Type: A ➝ 208.91.197.241
DNS: hdredirect-lb-399551664.us-east-1.elb.amazonaws.com, Type: A ➝ 54.208.74.215
DNS: hdredirect-lb-399551664.us-east-1.elb.amazonaws.com, Type: A ➝ 54.174.31.254
DNS: leaderperfect.net, Type: A ➝ 74.208.214.100
DNS: heavenperfect.net, Type: A ➝ 98.139.135.129
DNS: heavyheart.net, Type: A ➝ 208.48.81.179
DNS: heavyheart.net, Type: A ➝ 64.15.205.100
DNS: heavyheart.net, Type: A ➝ 64.15.205.101
DNS: heavyheart.net, Type: A ➝ 208.48.81.133
DNS: heavyheart.net, Type: A ➝ 208.48.81.134
DNS: belongbehind.net, Type: A ➝ 72.52.4.91
DNS: heavyreport.net, Type: A
DNS: gentlereport.net, Type: A
DNS: heavybeauty.net, Type: A
DNS: gentlebeauty.net, Type: A
DNS: gentlegarden.net, Type: A
DNS: variousmarket.net, Type: A
DNS: returnmarket.net, Type: A
DNS: variousreport.net, Type: A
DNS: returnreport.net, Type: A
DNS: variousbeauty.net, Type: A
DNS: returnbeauty.net, Type: A
DNS: variousgarden.net, Type: A
DNS: returngarden.net, Type: A
DNS: degreetoward.net, Type: A
DNS: forwardtoward.net, Type: A
DNS: degreepleasure.net, Type: A
DNS: forwardpleasure.net, Type: A
DNS: degreemillion.net, Type: A
DNS: forwardmillion.net, Type: A
DNS: degreewhite.net, Type: A
DNS: forwardwhite.net, Type: A
DNS: answertoward.net, Type: A
DNS: glasstoward.net, Type: A
DNS: answerpleasure.net, Type: A
DNS: glasspleasure.net, Type: A
DNS: answermillion.net, Type: A
DNS: glassmillion.net, Type: A
DNS: answerwhite.net, Type: A
DNS: glasswhite.net, Type: A
DNS: difficulttoward.net, Type: A
DNS: heardtoward.net, Type: A
DNS: difficultpleasure.net, Type: A
DNS: heardpleasure.net, Type: A
DNS: difficultmillion.net, Type: A
DNS: heardmillion.net, Type: A
DNS: difficultwhite.net, Type: A
DNS: heardwhite.net, Type: A
DNS: pleasanttoward.net, Type: A
DNS: necessarytoward.net, Type: A
DNS: pleasantpleasure.net, Type: A
DNS: necessarypleasure.net, Type: A
DNS: pleasantmillion.net, Type: A
DNS: necessarymillion.net, Type: A
DNS: pleasantwhite.net, Type: A
DNS: necessarywhite.net, Type: A
DNS: ordertoward.net, Type: A
DNS: requiretoward.net, Type: A
DNS: orderpleasure.net, Type: A
DNS: requirepleasure.net, Type: A
DNS: ordermillion.net, Type: A
DNS: requiremillion.net, Type: A
DNS: orderwhite.net, Type: A
DNS: requirewhite.net, Type: A
DNS: leadertoward.net, Type: A
DNS: heaventoward.net, Type: A
DNS: leaderpleasure.net, Type: A
DNS: heavenpleasure.net, Type: A
DNS: leadermillion.net, Type: A
DNS: heavenmillion.net, Type: A
DNS: leaderwhite.net, Type: A
DNS: heavenwhite.net, Type: A
DNS: heavytoward.net, Type: A
DNS: gentletoward.net, Type: A
DNS: heavypleasure.net, Type: A
DNS: heavymillion.net, Type: A
DNS: heavywhite.net, Type: A
DNS: gentlewhite.net, Type: A
DNS: varioustoward.net, Type: A
DNS: returntoward.net, Type: A
DNS: variouspleasure.net, Type: A
DNS: returnpleasure.net, Type: A
DNS: variousmillion.net, Type: A
DNS: returnmillion.net, Type: A
DNS: variouswhite.net, Type: A
DNS: returnwhite.net, Type: A
DNS: degreeheart.net, Type: A
DNS: forwardheart.net, Type: A
DNS: degreeperfect.net, Type: A
DNS: forwardperfect.net, Type: A
DNS: degreemayor.net, Type: A
DNS: forwardmayor.net, Type: A
DNS: degreebattle.net, Type: A
DNS: forwardbattle.net, Type: A
DNS: answerheart.net, Type: A
DNS: glassheart.net, Type: A
DNS: answerperfect.net, Type: A
DNS: glassperfect.net, Type: A
DNS: answermayor.net, Type: A
DNS: glassmayor.net, Type: A
DNS: answerbattle.net, Type: A
DNS: glassbattle.net, Type: A
DNS: difficultheart.net, Type: A
DNS: heardheart.net, Type: A
DNS: difficultperfect.net, Type: A
DNS: heardperfect.net, Type: A
DNS: difficultmayor.net, Type: A
DNS: heardmayor.net, Type: A
DNS: difficultbattle.net, Type: A
DNS: heardbattle.net, Type: A
DNS: pleasantheart.net, Type: A
DNS: necessaryheart.net, Type: A
DNS: pleasantperfect.net, Type: A
DNS: necessaryperfect.net, Type: A
DNS: pleasantmayor.net, Type: A
DNS: necessarymayor.net, Type: A
DNS: pleasantbattle.net, Type: A
DNS: necessarybattle.net, Type: A
DNS: orderheart.net, Type: A
DNS: requireheart.net, Type: A
DNS: orderperfect.net, Type: A
DNS: requireperfect.net, Type: A
DNS: ordermayor.net, Type: A
DNS: requiremayor.net, Type: A
DNS: orderbattle.net, Type: A
DNS: requirebattle.net, Type: A
DNS: leaderheart.net, Type: A
DNS: heavenheart.net, Type: A
DNS: leadermayor.net, Type: A
DNS: heavenmayor.net, Type: A
DNS: leaderbattle.net, Type: A
DNS: heavenbattle.net, Type: A
DNS: gentleheart.net, Type: A
DNS: heavyperfect.net, Type: A
DNS: gentleperfect.net, Type: A
DNS: heavymayor.net, Type: A
DNS: gentlemayor.net, Type: A
DNS: heavybattle.net, Type: A
DNS: gentlebattle.net, Type: A
DNS: variousheart.net, Type: A
DNS: returnheart.net, Type: A
DNS: variousperfect.net, Type: A
DNS: returnperfect.net, Type: A
DNS: variousmayor.net, Type: A
DNS: returnmayor.net, Type: A
DNS: variousbattle.net, Type: A
DNS: returnbattle.net, Type: A
DNS: journeyunderstand.net, Type: A
DNS: husbandunderstand.net, Type: A
DNS: journeybroad.net, Type: A
DNS: husbandbroad.net, Type: A
DNS: journeybehind.net, Type: A
DNS: husbandbehind.net, Type: A
DNS: journeybutter.net, Type: A
DNS: husbandbutter.net, Type: A
DNS: destroyunderstand.net, Type: A
DNS: littleunderstand.net, Type: A
DNS: destroybroad.net, Type: A
DNS: littlebroad.net, Type: A
DNS: destroybehind.net, Type: A
DNS: littlebehind.net, Type: A
DNS: destroybutter.net, Type: A
DNS: littlebutter.net, Type: A
DNS: riddenunderstand.net, Type: A
DNS: belongunderstand.net, Type: A
DNS: riddenbroad.net, Type: A
DNS: belongbroad.net, Type: A
DNS: riddenbehind.net, Type: A
DNS: riddenbutter.net, Type: A
DNS: belongbutter.net, Type: A
DNS: chairunderstand.net, Type: A
DNS: thoseunderstand.net, Type: A
DNS: chairbroad.net, Type: A
DNS: thosebroad.net, Type: A
HTTP GET: http://heavygarden.net/index.php (User-Agent: empty)
HTTP GET: http://gentlepleasure.net/index.php (User-Agent: empty)
HTTP GET: http://gentlemillion.net/index.php (User-Agent: empty)
HTTP GET: http://glassheart.net/index.php (User-Agent: empty)
HTTP GET: http://leaderperfect.net/index.php (User-Agent: empty)
HTTP GET: http://heavenperfect.net/index.php (User-Agent: empty)
HTTP GET: http://heavyheart.net/index.php (User-Agent: empty)
HTTP GET: http://belongbehind.net/index.php (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1032 ➝ 104.18.37.180:80
Flows TCP: 192.168.1.1:1033 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1034 ➝ 54.208.74.215:80
Flows TCP: 192.168.1.1:1035 ➝ 74.208.214.100:80
Flows TCP: 192.168.1.1:1036 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1037 ➝ 208.48.81.179:80
Flows TCP: 192.168.1.1:1038 ➝ 72.52.4.91:80