Analysis Date: 2015-10-11 14:45:47
MD5: 08b485d97fdc0ab56c2da7b6e66c6535
SHA1: e55438b5373bfa55baff0094e5c8ad0ab7f2bde9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: f962fb4f9562449ef8fe23663dd8636a sha1: fa5a77454457e07e67b43ad97cbd4a48a75c1925 size: 301568
Section .rdata: md5: fb2f23ed243653f727624e43f728383e sha1: 2196e5a887a05bb7fc49f74f10b79b5e989f9f24 size: 58368
Section .data: md5: c2b82ceebbcaa923d7c6d0be5a56fa28 sha1: 9f09e5619a1f3a02aca833a4ba0d683713907819 size: 7680
Section .reloc: md5: 4413af6f2ddac85344f161dcd4741193 sha1: 0fe54b1311a92165e49a892d5aa4b2c557719396 size: 23040
Timestamp: 2015-05-11 06:48:10
Packer: Microsoft Visual C++ 8
PEhash: e961f3a2cb17439bb758121897dd1523ab6e02ec
IMPhash: 3627033efd3c61a68d8669cc0a1fc7e2
AV Rising: Trojan.Win32.Bayrod.b
AV McAfee: PWS-FCCE!08B485D97FDC
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Kazy.611009
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.W
AV Grisoft (avg): Generic36.BLLW
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Bayrob.T!tr
AV BitDefender: Gen:Variant.Kazy.611009
AV K7: Trojan ( 004c3a4d1 )
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.611009
AV MalwareBytes: Trojan.Agent.KVTGen
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Kazy.611009
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Kazy.611009
AV Arcabit (arcavir): Gen:Variant.Kazy.611009
AV ClamAV: no_virus
AV Dr. Web: Trojan.Bayrob.1
AV F-Secure: Gen:Variant.Kazy.611009
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\ozvtaetwh\wgezy2
Creates File: C:\ozvtaetwh\waaa1lqkcugqwb1aw.exe
Creates File: C:\WINDOWS\ozvtaetwh\wgezy2
Deletes File: C:\WINDOWS\ozvtaetwh\wgezy2
Creates Process: C:\ozvtaetwh\waaa1lqkcugqwb1aw.exe

Process
↳ C:\ozvtaetwh\waaa1lqkcugqwb1aw.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Services Modules DNS Agent Fax Bluetooth ➝ C:\ozvtaetwh\wjepekfs.exe
Creates File: C:\ozvtaetwh\wgezy2
Creates File: C:\ozvtaetwh\wjepekfs.exe
Creates File: C:\ozvtaetwh\vfpifxfkg
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\ozvtaetwh\wgezy2
Deletes File: C:\WINDOWS\ozvtaetwh\wgezy2
Creates Process: C:\ozvtaetwh\wjepekfs.exe
Creates Service: iSCSI Disk Tablet Registrar - C:\ozvtaetwh\wjepekfs.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1852

Process
↳ Pid 1136

Process
↳ C:\ozvtaetwh\wjepekfs.exe

Creates File: C:\ozvtaetwh\wgezy2
Creates File: pipe\net\NtControlPipe10
Creates File: C:\ozvtaetwh\t5jrlr
Creates File: C:\ozvtaetwh\vfpifxfkg
Creates File: C:\WINDOWS\ozvtaetwh\wgezy2
Creates File: \Device\Afd\Endpoint
Creates File: C:\ozvtaetwh\soywdqaz.exe
Deletes File: C:\WINDOWS\ozvtaetwh\wgezy2
Creates Process: yb8zhwpovo8h "c:\ozvtaetwh\wjepekfs.exe"

Process
↳ C:\ozvtaetwh\wjepekfs.exe

Creates File: C:\ozvtaetwh\wgezy2
Creates File: C:\WINDOWS\ozvtaetwh\wgezy2
Deletes File: C:\WINDOWS\ozvtaetwh\wgezy2

Process
↳ yb8zhwpovo8h "c:\ozvtaetwh\wjepekfs.exe"

Creates File: C:\ozvtaetwh\wgezy2
Creates File: C:\WINDOWS\ozvtaetwh\wgezy2
Deletes File: C:\WINDOWS\ozvtaetwh\wgezy2

Network Details:

HTTP GET: http://betterbring.net/index.php
  User-Agent: (empty)
HTTP GET: http://betterlisten.net/index.php
  User-Agent: (empty)
HTTP GET: http://quietdemand.net/index.php
  User-Agent: (empty)
HTTP GET: http://seasondemand.net/index.php
  User-Agent: (empty)
HTTP GET: http://nightstation.net/index.php
  User-Agent: (empty)
HTTP GET: http://electricstation.net/index.php
  User-Agent: (empty)
HTTP GET: http://streetstation.net/index.php
  User-Agent: (empty)
HTTP GET: http://tradestation.net/index.php
  User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 195.22.26.231:80
Flows TCP: 192.168.1.1:1032 ➝ 97.74.144.153:80
Flows TCP: 192.168.1.1:1033 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1034 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1035 ➝ 69.163.242.16:80
Flows TCP: 192.168.1.1:1036 ➝ 50.63.202.37:80
Flows TCP: 192.168.1.1:1037 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1038 ➝ 65.211.211.21:80
