Analysis | #totalhash

Analysis Date	2016-02-23 00:12:40
MD5	f14592616682ea11fd433a7bd629aed9
SHA1	e75baf6bff67709c01af844bed1867824e7b1b22

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 599f62c1d3bbcd7d2d5109182ea29f66 sha1: d3feb5bb52a24d7e47850b6398642669246d4833 size: 189440
Section	.rdata md5: 9d3102629021f3f6e34000eaadb7c3bd sha1: 3957071148da8565cdc066576ac41086c034ce5a size: 18432
Section	.data md5: 07b5472d347d42780469fb2654b7fc54 sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d size: 512
Section	.reloc md5: 8da23321f05a057056327ed7a12ca8a5 sha1: 4e8e2f03beb9e6d297f404078cb1e6f51e590e55 size: 30720
Timestamp	2016-01-06 16:45:50
PEhash	61d586d7e362725919bd3581c0622335b4374b23
IMPhash	9cd11555e734dd5da01c573ef6d96b03
AV	CA (E-Trust Ino)	Gen:Variant.Razy.12226
AV	Rising	No Virus
AV	Mcafee	Trojan-FHPX!F14592616682
AV	Avira (antivir)	TR/AD.Nivdort.Y.11526
AV	Twister	No Virus
AV	Ad-Aware	Gen:Variant.Razy.12226
AV	Alwil (avast)	Win32:Malware-gen
AV	Eset (nod32)	Win32/Bayrob.AT.gen
AV	Grisoft (avg)	Win32/Heur
AV	Symantec	Trojan.Bayrob!gen6
AV	Fortinet	W32/Bayrob.AQ!tr
AV	BitDefender	Gen:Variant.Razy.12226
AV	K7	Trojan ( 004db0c61 )
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort!rfn
AV	MicroWorld (escan)	Gen:Variant.Razy.12226
AV	MalwareBytes	No Virus
AV	Authentium	W32/Nivdort.G.gen!Eldorado
AV	Emsisoft	Gen:Variant.Razy.12226
AV	Frisk (f-prot)	W32/Nivdort.G.gen!Eldorado
AV	Ikarus	Trojan.Win32.Bayrob
AV	Zillya!	No Virus
AV	Kaspersky	Trojan.Win32.Generic
AV	Trend Micro	No Virus
AV	VirusBlokAda (vba32)	No Virus
AV	CAT (quickheal)	TrojanSpy.Nivdort.WR4
AV	BullGuard	Gen:Variant.Razy.12226
AV	Arcabit (arcavir)	Gen:Variant.Razy.12226
AV	ClamAV	No Virus
AV	Dr. Web	No Virus
AV	F-Secure	Gen:Variant.Razy.12226

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\zkqiukopljc\xgs8ijs
Creates File	C:\WINDOWS\zkqiukopljc\xgs8ijs
Creates File	C:\zkqiukopljc\ifd1kaheid1nkwhog.exe
Deletes File	C:\WINDOWS\zkqiukopljc\xgs8ijs
Creates Process	C:\zkqiukopljc\ifd1kaheid1nkwhog.exe

Process
↳ C:\zkqiukopljc\ifd1kaheid1nkwhog.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Alerts Encrypting Receiver Biometric Framework ➝ C:\zkqiukopljc\yxwfbkkpe.exe
Creates File	C:\zkqiukopljc\yxwfbkkpe.exe
Creates File	C:\zkqiukopljc\xgs8ijs
Creates File	C:\WINDOWS\zkqiukopljc\xgs8ijs
Creates File	PIPE\lsarpc
Creates File	C:\zkqiukopljc\gv2uky7r
Deletes File	C:\WINDOWS\zkqiukopljc\xgs8ijs
Creates Process	C:\zkqiukopljc\yxwfbkkpe.exe
Creates Service	Volume Link-Layer Quality Information Shadow - C:\zkqiukopljc\yxwfbkkpe.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 796

Process
↳ Pid 844

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1164

Process
↳ C:\zkqiukopljc\yxwfbkkpe.exe

Creates File	C:\zkqiukopljc\xgs8ijs
Creates File	C:\WINDOWS\zkqiukopljc\xgs8ijs
Creates File	pipe\net\NtControlPipe10
Creates File	C:\zkqiukopljc\gv2uky7r
Creates File	\Device\Afd\Endpoint
Creates File	C:\zkqiukopljc\lnwfgbhua.exe
Creates File	C:\zkqiukopljc\r9h1ahdvldw
Deletes File	C:\WINDOWS\zkqiukopljc\xgs8ijs
Creates Process	hsqfwgop8xru "c:\zkqiukopljc\yxwfbkkpe.exe"

Process
↳ C:\zkqiukopljc\yxwfbkkpe.exe

Creates File	C:\zkqiukopljc\xgs8ijs
Creates File	C:\WINDOWS\zkqiukopljc\xgs8ijs
Deletes File	C:\WINDOWS\zkqiukopljc\xgs8ijs

Process
↳ hsqfwgop8xru "c:\zkqiukopljc\yxwfbkkpe.exe"

Creates File	C:\zkqiukopljc\xgs8ijs
Creates File	C:\WINDOWS\zkqiukopljc\xgs8ijs
Deletes File	C:\WINDOWS\zkqiukopljc\xgs8ijs

Network Details:

DNS	machinecontrol.net Type: A 63.247.142.64
DNS	foreigncontrol.net Type: A 195.22.28.199
DNS	foreigncontrol.net Type: A 195.22.28.196
DNS	foreigncontrol.net Type: A 195.22.28.197
DNS	foreigncontrol.net Type: A 195.22.28.198
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	figurematter.net Type: A 195.22.28.198
DNS	figurematter.net Type: A 195.22.28.199
DNS	figurematter.net Type: A 195.22.28.196
DNS	figurematter.net Type: A 195.22.28.197
DNS	figuretogether.net Type: A 208.100.26.234
DNS	childrenmatter.net Type: A 162.144.16.48
DNS	familytogether.net Type: A 104.219.41.65
DNS	cigaretteapple.net Type: A 195.22.28.199
DNS	cigaretteapple.net Type: A 195.22.28.196
DNS	cigaretteapple.net Type: A 195.22.28.197
DNS	cigaretteapple.net Type: A 195.22.28.198
DNS	familyapple.net Type: A 184.168.221.55
DNS	englishfather.net Type: A 208.100.26.234
DNS	personmeasure.net Type: A 184.168.221.35
DNS	preparesingle.net Type: A
DNS	desiresingle.net Type: A
DNS	preparecharge.net Type: A
DNS	desirecharge.net Type: A
DNS	preparedifference.net Type: A
DNS	desiredifference.net Type: A
DNS	prepareevery.net Type: A
DNS	desireevery.net Type: A
DNS	strengthsingle.net Type: A
DNS	stillsingle.net Type: A
DNS	strengthcharge.net Type: A
DNS	stillcharge.net Type: A
DNS	strengthdifference.net Type: A
DNS	stilldifference.net Type: A
DNS	strengthevery.net Type: A
DNS	stillevery.net Type: A
DNS	expectmatter.net Type: A
DNS	becausematter.net Type: A
DNS	expectspent.net Type: A
DNS	becausespent.net Type: A
DNS	expecttogether.net Type: A
DNS	becausetogether.net Type: A
DNS	expectcontrol.net Type: A
DNS	becausecontrol.net Type: A
DNS	personmatter.net Type: A
DNS	machinematter.net Type: A
DNS	personspent.net Type: A
DNS	machinespent.net Type: A
DNS	persontogether.net Type: A
DNS	machinetogether.net Type: A
DNS	personcontrol.net Type: A
DNS	suddenmatter.net Type: A
DNS	foreignmatter.net Type: A
DNS	suddenspent.net Type: A
DNS	foreignspent.net Type: A
DNS	suddentogether.net Type: A
DNS	foreigntogether.net Type: A
DNS	suddencontrol.net Type: A
DNS	whethermatter.net Type: A
DNS	rightmatter.net Type: A
DNS	whetherspent.net Type: A
DNS	rightspent.net Type: A
DNS	whethertogether.net Type: A
DNS	righttogether.net Type: A
DNS	whethercontrol.net Type: A
DNS	rightcontrol.net Type: A
DNS	thoughmatter.net Type: A
DNS	figurespent.net Type: A
DNS	thoughspent.net Type: A
DNS	thoughtogether.net Type: A
DNS	figurecontrol.net Type: A
DNS	thoughcontrol.net Type: A
DNS	picturematter.net Type: A
DNS	cigarettematter.net Type: A
DNS	picturespent.net Type: A
DNS	cigarettespent.net Type: A
DNS	picturetogether.net Type: A
DNS	cigarettetogether.net Type: A
DNS	picturecontrol.net Type: A
DNS	cigarettecontrol.net Type: A
DNS	familymatter.net Type: A
DNS	childrenspent.net Type: A
DNS	familyspent.net Type: A
DNS	childrentogether.net Type: A
DNS	childrencontrol.net Type: A
DNS	familycontrol.net Type: A
DNS	eithermatter.net Type: A
DNS	englishmatter.net Type: A
DNS	eitherspent.net Type: A
DNS	englishspent.net Type: A
DNS	eithertogether.net Type: A
DNS	englishtogether.net Type: A
DNS	eithercontrol.net Type: A
DNS	englishcontrol.net Type: A
DNS	expectfather.net Type: A
DNS	becausefather.net Type: A
DNS	expectapple.net Type: A
DNS	becauseapple.net Type: A
DNS	expectbuilt.net Type: A
DNS	becausebuilt.net Type: A
DNS	expectcarry.net Type: A
DNS	becausecarry.net Type: A
DNS	personfather.net Type: A
DNS	machinefather.net Type: A
DNS	personapple.net Type: A
DNS	machineapple.net Type: A
DNS	personbuilt.net Type: A
DNS	machinebuilt.net Type: A
DNS	personcarry.net Type: A
DNS	machinecarry.net Type: A
DNS	suddenfather.net Type: A
DNS	foreignfather.net Type: A
DNS	suddenapple.net Type: A
DNS	foreignapple.net Type: A
DNS	suddenbuilt.net Type: A
DNS	foreignbuilt.net Type: A
DNS	suddencarry.net Type: A
DNS	foreigncarry.net Type: A
DNS	whetherfather.net Type: A
DNS	rightfather.net Type: A
DNS	whetherapple.net Type: A
DNS	rightapple.net Type: A
DNS	whetherbuilt.net Type: A
DNS	rightbuilt.net Type: A
DNS	whethercarry.net Type: A
DNS	rightcarry.net Type: A
DNS	figurefather.net Type: A
DNS	thoughfather.net Type: A
DNS	figureapple.net Type: A
DNS	thoughapple.net Type: A
DNS	figurebuilt.net Type: A
DNS	thoughbuilt.net Type: A
DNS	figurecarry.net Type: A
DNS	thoughcarry.net Type: A
DNS	picturefather.net Type: A
DNS	cigarettefather.net Type: A
DNS	pictureapple.net Type: A
DNS	picturebuilt.net Type: A
DNS	cigarettebuilt.net Type: A
DNS	picturecarry.net Type: A
DNS	cigarettecarry.net Type: A
DNS	childrenfather.net Type: A
DNS	familyfather.net Type: A
DNS	childrenapple.net Type: A
DNS	childrenbuilt.net Type: A
DNS	familybuilt.net Type: A
DNS	childrencarry.net Type: A
DNS	familycarry.net Type: A
DNS	eitherfather.net Type: A
DNS	eitherapple.net Type: A
DNS	englishapple.net Type: A
DNS	eitherbuilt.net Type: A
DNS	englishbuilt.net Type: A
DNS	eithercarry.net Type: A
DNS	englishcarry.net Type: A
DNS	expectmeasure.net Type: A
DNS	becausemeasure.net Type: A
DNS	expectdinner.net Type: A
DNS	becausedinner.net Type: A
DNS	expectafraid.net Type: A
DNS	becauseafraid.net Type: A
DNS	expectcircle.net Type: A
DNS	becausecircle.net Type: A
DNS	machinemeasure.net Type: A
DNS	persondinner.net Type: A
DNS	machinedinner.net Type: A
DNS	personafraid.net Type: A
DNS	machineafraid.net Type: A
DNS	personcircle.net Type: A
DNS	machinecircle.net Type: A
DNS	suddenmeasure.net Type: A
DNS	foreignmeasure.net Type: A
DNS	suddendinner.net Type: A
DNS	foreigndinner.net Type: A
DNS	suddenafraid.net Type: A
DNS	foreignafraid.net Type: A
DNS	suddencircle.net Type: A
DNS	foreigncircle.net Type: A
DNS	whethermeasure.net Type: A
DNS	rightmeasure.net Type: A
HTTP GET	http://machinecontrol.net/index.php User-Agent:
HTTP GET	http://foreigncontrol.net/index.php User-Agent:
HTTP GET	http://righttogether.net/index.php User-Agent:
HTTP GET	http://figurematter.net/index.php User-Agent:
HTTP GET	http://figuretogether.net/index.php User-Agent:
HTTP GET	http://childrenmatter.net/index.php User-Agent:
HTTP GET	http://familytogether.net/index.php User-Agent:
HTTP GET	http://cigaretteapple.net/index.php User-Agent:
HTTP GET	http://familyapple.net/index.php User-Agent:
HTTP GET	http://englishfather.net/index.php User-Agent:
HTTP GET	http://personmeasure.net/index.php User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 63.247.142.64:80
Flows TCP	192.168.1.1:1032 ➝ 195.22.28.199:80
Flows TCP	192.168.1.1:1033 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1034 ➝ 195.22.28.198:80
Flows TCP	192.168.1.1:1035 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1036 ➝ 162.144.16.48:80
Flows TCP	192.168.1.1:1037 ➝ 104.219.41.65:80
Flows TCP	192.168.1.1:1038 ➝ 195.22.28.199:80
Flows TCP	192.168.1.1:1039 ➝ 184.168.221.55:80
Flows TCP	192.168.1.1:1040 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1041 ➝ 184.168.221.35:80

Raw Pcap

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   61636869 6e65636f 6e74726f 6c2e6e65   achinecontrol.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   6f726569 676e636f 6e74726f 6c2e6e65   oreigncontrol.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69676874 746f6765 74686572 2e6e6574   ighttogether.net
0x00000050 (00080)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   69677572 656d6174 7465722e 6e65740d   igurematter.net.
0x00000050 (00080)   0a0d0a0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   69677572 65746f67 65746865 722e6e65   iguretogether.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   68696c64 72656e6d 61747465 722e6e65   hildrenmatter.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   616d696c 79746f67 65746865 722e6e65   amilytogether.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   69676172 65747465 6170706c 652e6e65   igaretteapple.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   616d696c 79617070 6c652e6e 65740d0a   amilyapple.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   6e676c69 73686661 74686572 2e6e6574   nglishfather.net
0x00000050 (00080)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   6572736f 6e6d6561 73757265 2e6e6574   ersonmeasure.net
0x00000050 (00080)   0d0a0d0a 0a                           .....

Strings