Analysis Date: 2016-01-28 06:31:48
MD5: 2975e30901c61981a8bf73e422c063de
SHA1: e63932c5bf22427b4f09961c0ebe7f351f284296

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 0a8c347bbc7031f685e453749371dd94 sha1: c34b249858fe3c001c92dbd26113e692cef5886e size: 545792
Section .rdata md5: d41d63a63cf44f64be8670912e21e779 sha1: 73c644b094c0decda6306faa0b043714b8823e78 size: 274432
Section .data md5: 07b5472d347d42780469fb2654b7fc54 sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d size: 512
Section .reloc md5: 3eefde687f181ea342bb8bef5f6214d1 sha1: 66e23e32c319676cac2204a5790a15187452563a size: 87040
Timestamp: 2015-12-29 20:01:40
PEhash: 7720f9ccb9b5e7ee686d81d6a97278ffb094bba9
IMPhash: b9a4163dd4933fe783dd086487f2580c
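The IMPhash above is computed from the sample's import table rather than from its bytes, so it is unchanged by edits to code and data that leave the import list alone and is a useful key for pivoting to related builds. The Python below is an added example, not part of this report or of the sandbox that produced it, implementing that calculation by the convention used by pefile and VirusTotal. The import table it hashes is constructed for illustration, since the report does not list the sample's imports, so the digest it prints is not the sample's; the ordinal-to-name lookup pefile applies for a few well-known DLLs is omitted.

```python
import hashlib

# Constructed import table for illustration only. It is NOT the import table
# of the sample in this report (the report gives only the resulting IMPhash),
# so the digest computed below will not match b9a4163dd4933fe783dd086487f2580c.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["CreateFileA", "WriteFile", "CloseHandle"]),
    ("ADVAPI32.dll", ["RegSetValueExA", "CreateServiceA"]),
    ("WS2_32.dll", [23, "gethostbyname"]),   # 23 is an import by ordinal
]

# Library-name extensions that the import hash convention strips.
_STRIPPED_EXTENSIONS = ("ocx", "sys", "dll")


def imphash_string(imports):
    """Build the canonical string that the import hash is computed over.

    Convention (as implemented by pefile and used by VirusTotal):
      * library name lower-cased, with a trailing .dll/.ocx/.sys removed
      * function name lower-cased; imports by ordinal become "ordN"
        (pefile first consults a small ordinal-to-name table for some
        well-known DLLs; that lookup is omitted here, an assumption that
        makes every ordinal import "ordN")
      * entries joined as "lib.func" with commas, in import-table order
    """
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        head, sep, ext = lib.rpartition(".")
        if sep and ext in _STRIPPED_EXTENSIONS:
            lib = head
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the canonical import string, as a lower-case hex digest."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Because only the order and names of imports feed the hash, two binaries with byte-identical import tables share an IMPhash regardless of differences elsewhere, while reordering a single import changes it; both properties are checked below.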
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): No Virus
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Kazy.791077
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): Win32/Bayrob.AS
AV Grisoft (avg): Win32/Heur
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.AS!tr
AV BitDefender: Gen:Variant.Kazy.791077
AV K7: Trojan ( 004db0c61 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DG
AV MicroWorld (escan): Gen:Variant.Kazy.791077
AV MalwareBytes: No Virus
AV Authentium: No Virus
AV Frisk (f-prot): No Virus
AV Ikarus: No Virus
AV Emsisoft: Gen:Variant.Kazy.791077
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Bayrob.dbkb
AV Trend Micro: No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Gen:Variant.Kazy.791077
AV Arcabit (arcavir): Gen:Variant.Kazy.791077
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Kazy.791077
AV CA (E-Trust Ino): No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\inorjnzysvxsnbhtth9udgbar.exe
Creates File: C:\WINDOWS\system32\zpyoaxqvvjmsg\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\inorjnzysvxsnbhtth9udgbar.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\inorjnzysvxsnbhtth9udgbar.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Protocol Tablet Adaptive TCP/IP Publication ➝
C:\WINDOWS\system32\ygphasfgiq.exe
Creates File: C:\WINDOWS\system32\ygphasfgiq.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\zpyoaxqvvjmsg\tst
Creates File: C:\WINDOWS\system32\zpyoaxqvvjmsg\lck
Creates Process: C:\WINDOWS\system32\ygphasfgiq.exe
Creates Service: Registry Control Certificate Coordinator - C:\WINDOWS\system32\ygphasfgiq.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝
NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1128

Process
↳ C:\WINDOWS\system32\ygphasfgiq.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝
1
Creates File: C:\WINDOWS\system32\zpyoaxqvvjmsg\rng
Creates File: C:\WINDOWS\system32\zpyoaxqvvjmsg\cfg
Creates File: C:\WINDOWS\system32\zpyoaxqvvjmsg\tst
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\WINDOWS\system32\zpyoaxqvvjmsg\run
Creates File: C:\WINDOWS\TEMP\inorjnzywefn55htth9.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\xsqwxubglpx.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\zpyoaxqvvjmsg\lck
Creates Process: WATCHDOGPROC "c:\windows\system32\ygphasfgiq.exe"
Creates Process: C:\WINDOWS\TEMP\inorjnzywefn55htth9.exe -r 40876 tcp

Process
↳ C:\WINDOWS\system32\ygphasfgiq.exe

Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\zpyoaxqvvjmsg\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\ygphasfgiq.exe"

Creates File: C:\WINDOWS\system32\zpyoaxqvvjmsg\tst

Process
↳ C:\WINDOWS\TEMP\inorjnzywefn55htth9.exe -r 40876 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250
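The runtime events above record the sample's persistence chain: the dropper in Temp writes a Run-key value with an innocuous-sounding name, copies itself into System32 under a random name, registers that copy as a service, sets FirewallDisableNotify under Security Center, starts a WATCHDOGPROC copy of itself and launches a second dropped binary with a "-r 40876 tcp" argument. As an added example, not code from this report or from the sandbox that produced it, the Python below parses events written in the report's "Key: value" line layout and flags those behaviours. The input is a transcription of the relevant lines above; the finding categories and their names are my own, and the System32-drop rule deliberately ignores the non-executable marker files.

```python
import re

# Transcribed from the "Runtime Details" section of this report: one
# "Key: value" event per line, with a registry value on the line after its
# key, and only the events relevant to persistence kept.
REPORT = r"""
Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\inorjnzysvxsnbhtth9udgbar.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Protocol Tablet Adaptive TCP/IP Publication ➝
C:\WINDOWS\system32\ygphasfgiq.exe
Creates File: C:\WINDOWS\system32\ygphasfgiq.exe
Creates Process: C:\WINDOWS\system32\ygphasfgiq.exe
Creates Service: Registry Control Certificate Coordinator - C:\WINDOWS\system32\ygphasfgiq.exe

Process
↳ C:\WINDOWS\system32\ygphasfgiq.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝
1
Creates File: C:\WINDOWS\system32\zpyoaxqvvjmsg\cfg
Creates File: C:\WINDOWS\system32\xsqwxubglpx.exe
Creates File: C:\WINDOWS\TEMP\inorjnzywefn55htth9.exe
Creates Process: WATCHDOGPROC "c:\windows\system32\ygphasfgiq.exe"
Creates Process: C:\WINDOWS\TEMP\inorjnzywefn55htth9.exe -r 40876 tcp
"""

SYSTEM32 = "c:\\windows\\system32\\"


def parse_events(text):
    """Return (process, kind, value) triples from the report's line layout.

    A "Registry: <key> ➝" line is followed by its data on the next line, so
    the value for that kind is a (key, data) pair; every other event is a
    single "Kind: value" line attributed to the most recent "↳" process.
    """
    events, process, pending_key = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if pending_key is not None:          # data line of a registry write
            events.append((process, "Registry", (pending_key, line)))
            pending_key = None
        elif line.startswith("↳ "):
            process = line[2:]
        elif line == "Process":
            continue
        elif line.startswith("Registry: "):
            pending_key = line[len("Registry: "):].rstrip(" ➝")
        elif ": " in line:
            kind, value = line.split(": ", 1)
            events.append((process, kind, value))
    return events


def persistence_findings(events):
    """Flag the behaviours seen in this report; categories are my own names."""
    findings = []
    for proc, kind, value in events:
        if kind == "Registry":
            key, data = value
            name = key.rsplit("\\", 1)[-1]
            if "\\currentversion\\run\\" in key.lower():
                findings.append(("run_key", proc, f"{name} -> {data}"))
            elif "\\security center\\" in key.lower() and data == "1":
                findings.append(("security_center_tamper", proc, name))
        elif kind == "Creates Service":
            findings.append(("service", proc, value))
        elif kind == "Creates File":
            low = value.lower()
            if low.startswith(SYSTEM32) and low.endswith(".exe"):
                findings.append(("system32_drop", proc, value))
        elif kind == "Creates Process":
            if value.startswith("WATCHDOGPROC"):
                findings.append(("watchdog", proc, value))
            m = re.search(r"\s-r\s+(\d+)\s+tcp\b", value)
            if m:                            # second stage told to use a TCP port
                findings.append(("tcp_relay_arg", proc, m.group(1)))
    return findings


if __name__ == "__main__":
    for category, proc, detail in persistence_findings(parse_events(REPORT)):
        print(f"{category:24} {proc}\n{'':24} {detail}")
```

Run against the transcription, the parser attributes the Run key and the service to the Temp dropper and the watchdog, the Security Center change and the "-r 40876 tcp" launch to the System32 copy, which is the split a responder needs when deciding which artefacts to pull from a host.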

Network Details:

DNS: doubleobject.net
Type: A
69.195.124.153
DNS: brokenthird.net
Type: A
74.220.215.249
DNS: riddenstorm.net
Type: A
66.147.240.171
DNS: gentleangry.net
Type: A
98.139.135.129
DNS: simonettedwerryhouse.net
Type: A
98.139.135.129
DNS: mightspecial.net
Type: A
DNS: dulcibellamartinson.net
Type: A
DNS: mariabellabotwright.net
Type: A
DNS: simonettesherisse.net
Type: A
DNS: decidebetween.net
Type: A
DNS: aloneneighbor.net
Type: A
DNS: gwendolynhuddleston.net
Type: A
DNS: seasonstrong.net
Type: A
DNS: oftensurprise.net
Type: A
DNS: chiefanother.net
Type: A
HTTP GET: http://doubleobject.net/index.php
User-Agent:
HTTP GET: http://brokenthird.net/index.php
User-Agent:
HTTP GET: http://riddenstorm.net/index.php
User-Agent:
HTTP GET: http://gentleangry.net/index.php
User-Agent:
HTTP GET: http://simonettedwerryhouse.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1038 ➝ 69.195.124.153:80
Flows TCP: 192.168.1.1:1039 ➝ 74.220.215.249:80
Flows TCP: 192.168.1.1:1040 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1041 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1042 ➝ 98.139.135.129:80

Raw Pcap

Strings