Analysis Date: 2016-01-30 17:43:40
MD5: 919a91ce2f98312db5cb31b4528bc233
SHA1: e8874294b5a7a0cdb7bd3d2be2e482dfbe26ee23

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 7260858fc43281adcead296d32510ff5 sha1: 412ae2c73bd2bbe42de872e5aaf1fdba9c25f216 size: 306688
Section .rdata: md5: 4808d99b7bbdcf727493fb52ba18c058 sha1: f145e45caefeb0ca5f2fac8e4c2510c4630a7651 size: 26112
Section .data: md5: 9f085c39efec3696468256b9f5a2c878 sha1: de2ba00f7a7b72a344e366eee0c6926bb3740c98 size: 20992
Section .reloc: md5: a395b6d0bb96e040b2b7c2e97e5e72fe sha1: c0f9d1e5b130de33cf3c4f5d13d8a5c269d43b16 size: 33280
Timestamp: 2014-02-24 23:30:02
Packer: Microsoft Visual C++ 8
PEhash: 4f0f6eb493a55353caeb4f292ee02ae85c7bb4c2
IMPhash: 9c997f80143611cdd4894c209a21d36f
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: Trojan-FHSQ!919A91CE2F98
AV Avira (antivir): TR/Taranis.2080
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Zusy.141475
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.BJ
AV Grisoft (avg): Generic37.ACKD
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.BJ!tr
AV BitDefender: Gen:Variant.Zusy.141475
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV MicroWorld (escan): Gen:Variant.Zusy.141475
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.I.gen!Eldorado
AV Emsisoft: Gen:Variant.Zusy.141475
AV Frisk (f-prot): W32/Nivdort.I.gen!Eldorado
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Bayrob.cneu
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV BullGuard: Gen:Variant.Zusy.141475
AV Arcabit (arcavir): Gen:Variant.Zusy.141475
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Zusy.141475

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\mxxyokrrwzt\elhne1lhgjqridyjjkxe.exe
Creates File: C:\WINDOWS\mxxyokrrwzt\dbgwnefmwxs
Creates File: C:\mxxyokrrwzt\dbgwnefmwxs
Deletes File: C:\WINDOWS\mxxyokrrwzt\dbgwnefmwxs
Creates Process: C:\mxxyokrrwzt\elhne1lhgjqridyjjkxe.exe

Process
↳ C:\mxxyokrrwzt\elhne1lhgjqridyjjkxe.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Function Superfetch Connect Coordinator ➝ C:\mxxyokrrwzt\csykabam.exe
Creates File: C:\mxxyokrrwzt\csykabam.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\mxxyokrrwzt\dbgwnefmwxs
Creates File: C:\mxxyokrrwzt\dbgwnefmwxs
Creates File: C:\mxxyokrrwzt\gspbqpdmc
Deletes File: C:\WINDOWS\mxxyokrrwzt\dbgwnefmwxs
Creates Process: C:\mxxyokrrwzt\csykabam.exe
Creates Service: Tracking Plug Engine Access BitLocker - C:\mxxyokrrwzt\csykabam.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1852

Process
↳ Pid 1156

Process
↳ C:\mxxyokrrwzt\csykabam.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\mxxyokrrwzt\vvbhnvokzin.exe
Creates File: C:\mxxyokrrwzt\nru7pttcg
Creates File: C:\WINDOWS\mxxyokrrwzt\dbgwnefmwxs
Creates File: \Device\Afd\Endpoint
Creates File: C:\mxxyokrrwzt\dbgwnefmwxs
Creates File: C:\mxxyokrrwzt\gspbqpdmc
Deletes File: C:\WINDOWS\mxxyokrrwzt\dbgwnefmwxs
Creates Process: vehximavmdqf "c:\mxxyokrrwzt\csykabam.exe"

Process
↳ C:\mxxyokrrwzt\csykabam.exe

Creates File: C:\WINDOWS\mxxyokrrwzt\dbgwnefmwxs
Creates File: C:\mxxyokrrwzt\dbgwnefmwxs
Deletes File: C:\WINDOWS\mxxyokrrwzt\dbgwnefmwxs

Process
↳ vehximavmdqf "c:\mxxyokrrwzt\csykabam.exe"

Creates File: C:\WINDOWS\mxxyokrrwzt\dbgwnefmwxs
Creates File: C:\mxxyokrrwzt\dbgwnefmwxs
Deletes File: C:\WINDOWS\mxxyokrrwzt\dbgwnefmwxs

Network Details:


Raw Pcap


Strings