Analysis Date: 2016-02-03 01:58:57
MD5: 72772e43c53f1ad0f9be00247bfad5e6
SHA1: e7161a547e818685081c575f0e37c20dfb0d7f17

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5784f309b021865b58f2f815b263be1c sha1: d8734eb438f487f571f52cd9e387d5d4b25e3e79 size: 534016
Section .rdata: md5: b7d128d6929eebcf4bfb6ae58c2e7ef2 sha1: 6ff1d1c9fd1c324b0a3528472cdb4befc8120611 size: 26112
Section .data: md5: 222849047368589ca8f4fa2f8434d1ce sha1: 35abb898398435af1557ea1f4a90e043766b43d1 size: 20992
Section .reloc: md5: 1f50440c71acee6fdcb31867d7554270 sha1: f5e686eb231ebbbb83820eb04d5f7aec81e25fda size: 39936
Timestamp: 2014-01-31 08:27:03
Packer: Microsoft Visual C++ 8
PEhash: 18eb4cf56638d13ba9b36c5b8311b1c9575d1f2f
IMPhash: b512eff71b50507d511256018f9b67cb
AV CA (E-Trust Ino): No Virus
AV Rising: 0x59a3f458
AV Mcafee: Trojan-FHSQ!72772E43C53F
AV Avira (antivir): TR/Taranis.2158
AV Twister: W32.Toolbar.CrossRider.AE.lfcr.mg
AV Ad-Aware: Gen:Variant.Zusy.141475
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.BM
AV Grisoft (avg): Generic37.AIAM
AV Symantec: Trojan.Gen
AV Fortinet: W32/Bayrob.BM!tr
AV BitDefender: Gen:Variant.Zusy.141475
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV MicroWorld (escan): Gen:Variant.Zusy.141475
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.E.gen!Eldorado
AV Emsisoft: Gen:Variant.Zusy.141475
AV Frisk (f-prot): W32/Nivdort.E.gen!Eldorado
AV Ikarus: Trojan.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Gen:Variant.Zusy.141475
AV Arcabit (arcavir): Gen:Variant.Zusy.141475
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Zusy.141475

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\mkykdcyvarr\ntjpi1mk2bk48kweavyvz.exe
Creates File: C:\mkykdcyvarr\t3mwxth
Creates File: C:\WINDOWS\mkykdcyvarr\t3mwxth
Deletes File: C:\WINDOWS\mkykdcyvarr\t3mwxth
Creates Process: C:\mkykdcyvarr\ntjpi1mk2bk48kweavyvz.exe

Process
↳ C:\mkykdcyvarr\ntjpi1mk2bk48kweavyvz.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Link-Layer DCOM Multimedia Discovery ➝ C:\mkykdcyvarr\fkotkig.exe
Creates File: C:\mkykdcyvarr\fkotkig.exe
Creates File: C:\mkykdcyvarr\t3mwxth
Creates File: C:\WINDOWS\mkykdcyvarr\t3mwxth
Creates File: PIPE\lsarpc
Creates File: C:\mkykdcyvarr\pjwn4cx38rkj
Deletes File: C:\WINDOWS\mkykdcyvarr\t3mwxth
Creates Process: C:\mkykdcyvarr\fkotkig.exe
Creates Service: Credential NetBIOS Font Tracking Extender WMI - C:\mkykdcyvarr\fkotkig.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1848

Process
↳ Pid 1172

Process
↳ C:\mkykdcyvarr\fkotkig.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\mkykdcyvarr\t3mwxth
Creates File: C:\WINDOWS\mkykdcyvarr\t3mwxth
Creates File: C:\mkykdcyvarr\pjwn4cx38rkj
Creates File: \Device\Afd\Endpoint
Creates File: C:\mkykdcyvarr\pfobyncd
Creates File: C:\mkykdcyvarr\cwwolbk.exe
Deletes File: C:\WINDOWS\mkykdcyvarr\t3mwxth
Creates Process: jznt92hfsf58 "c:\mkykdcyvarr\fkotkig.exe"

Process
↳ C:\mkykdcyvarr\fkotkig.exe

Creates File: C:\mkykdcyvarr\t3mwxth
Creates File: C:\WINDOWS\mkykdcyvarr\t3mwxth
Deletes File: C:\WINDOWS\mkykdcyvarr\t3mwxth

Process
↳ jznt92hfsf58 "c:\mkykdcyvarr\fkotkig.exe"

Creates File: C:\mkykdcyvarr\t3mwxth
Creates File: C:\WINDOWS\mkykdcyvarr\t3mwxth
Deletes File: C:\WINDOWS\mkykdcyvarr\t3mwxth

Network Details:

