Analysis Date2015-08-14 10:05:10
MD5610095e5fe7fa26b8a1cd40cacfcd373
SHA1f1574d0346858cc1228c2040bf4a2ffd0929967b

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: a3110f742d10492ac21a4d05a2d1897d sha1: 286db2f70d6e9ea6adfcea706139d6217c336a2a size: 197632
Section.rdata md5: 6035edc0867899a642dc631e6060759b sha1: 73f0360eda9e2f645ab793b2c685280e705277cd size: 53760
Section.data md5: f47c6a40c1c1249d0716ce8acf5771a0 sha1: e383d5d9770a065fcf4480f76fcf4eb94f032d8b size: 7168
Section.reloc md5: c51a267da7a97547092eced7e7159788 sha1: 4bc7dadfd41364280697548bf075586a9c78458b size: 14336
Timestamp2015-04-29 19:22:04
PackerMicrosoft Visual C++ 8
PEhashab491d2ccafdf83678cf7a6537956f4ed028416b
IMPhash9c5e6cd735944ac00313550d5b307b18
AVAuthentiumW32/Scar.R.gen!Eldorado
AVBullGuardGen:Variant.Kazy.604861
AVAd-AwareGen:Variant.Kazy.604861
AVMicroWorld (escan)Gen:Variant.Kazy.604861
AVZillya!no_virus
AVFrisk (f-prot)no_virus
AVClamAVno_virus
AVAlwil (avast)VB-AJEW [Trj]
AVGrisoft (avg)PSW.Generic12.BSCD
AVMicrosoft Security EssentialsTrojanSpy:Win32/Nivdort.AY
AVVirusBlokAda (vba32)no_virus
AVRisingTrojan.Win32.Bayrod.a
AVKasperskyTrojan.Win32.Scar.jckp
AVTwisterTrojan.0000E9000000006A1.mg
AVBitDefenderGen:Variant.Kazy.604861
AVPadvishno_virus
AVEmsisoftGen:Variant.Kazy.604861
AVCAT (quickheal)TrojanSpy.Nivdort.OD4
AVArcabit (arcavir)Gen:Variant.Kazy.604861
AVDr. WebTrojan.Bayrob.1
AVCA (E-Trust Ino)no_virus
AVTrend MicroTROJ_BAYROB.SM0
AVAvira (antivir)TR/Crypt.Xpack.196074
AVMcafeeTrojan-FGIJ!610095E5FE7F
AVFortinetW32/Generic.AC.215362
AVSymantecDownloader.Upatre!g15
AVEset (nod32)Win32/Bayrob.Q
AVMalwareBytesTrojan.Agent.KVTGen
AVIkarusTrojan-Spy.Win32.Nivdort
AVF-SecureGen:Variant.Kazy.604861
AVK7Trojan ( 004c12491 )

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\onxzbrqvdw\blepizkkpmy
Creates FileC:\onxzbrqvdw\vfq41l3kkxmmw5mt.exe
Creates FileC:\WINDOWS\onxzbrqvdw\blepizkkpmy
Deletes FileC:\WINDOWS\onxzbrqvdw\blepizkkpmy
Creates ProcessC:\onxzbrqvdw\vfq41l3kkxmmw5mt.exe

Process
↳ C:\onxzbrqvdw\vfq41l3kkxmmw5mt.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Tracking Backup Certificate ➝
C:\onxzbrqvdw\gdfjbygsr.exe
Creates FileC:\onxzbrqvdw\blepizkkpmy
Creates FileC:\WINDOWS\onxzbrqvdw\blepizkkpmy
Creates FilePIPE\lsarpc
Creates FileC:\onxzbrqvdw\gdfjbygsr.exe
Creates FileC:\onxzbrqvdw\teckjal3
Deletes FileC:\WINDOWS\onxzbrqvdw\blepizkkpmy
Creates ProcessC:\onxzbrqvdw\gdfjbygsr.exe
Creates ServiceNet.Tcp Connections Trap - C:\onxzbrqvdw\gdfjbygsr.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates FileC:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1144

Process
↳ C:\onxzbrqvdw\gdfjbygsr.exe

Creates FileC:\onxzbrqvdw\blepizkkpmy
Creates Filepipe\net\NtControlPipe10
Creates FileC:\onxzbrqvdw\ubjzpuijfmu.exe
Creates FileC:\WINDOWS\onxzbrqvdw\blepizkkpmy
Creates File\Device\Afd\Endpoint
Creates FileC:\onxzbrqvdw\qvxrrxph1a
Creates FileC:\onxzbrqvdw\teckjal3
Deletes FileC:\WINDOWS\onxzbrqvdw\blepizkkpmy
Creates Processlikyojbsjlr3 "c:\onxzbrqvdw\gdfjbygsr.exe"

Process
↳ C:\onxzbrqvdw\gdfjbygsr.exe

Creates FileC:\onxzbrqvdw\blepizkkpmy
Creates FileC:\WINDOWS\onxzbrqvdw\blepizkkpmy
Deletes FileC:\WINDOWS\onxzbrqvdw\blepizkkpmy

Process
↳ likyojbsjlr3 "c:\onxzbrqvdw\gdfjbygsr.exe"

Creates FileC:\onxzbrqvdw\blepizkkpmy
Creates FileC:\WINDOWS\onxzbrqvdw\blepizkkpmy
Deletes FileC:\WINDOWS\onxzbrqvdw\blepizkkpmy

Network Details:

DNSenglishforest.net
Type: A
59.188.232.88
DNSpersonschool.net
Type: A
165.160.15.20
DNSpersonschool.net
Type: A
165.160.13.20
DNSforeignquestion.net
Type: A
195.22.26.254
DNSforeignquestion.net
Type: A
195.22.26.253
DNSforeignquestion.net
Type: A
195.22.26.252
DNSforeignquestion.net
Type: A
195.22.26.231
DNSrightschool.net
Type: A
82.144.197.54
DNSrightquestion.net
Type: A
208.91.197.27
DNSfamilyschool.net
Type: A
50.63.202.104
DNSchildrenwhile.net
Type: A
95.211.230.75
DNSthoughwheat.net
Type: A
DNSfigureanger.net
Type: A
DNSthoughanger.net
Type: A
DNSfigurealways.net
Type: A
DNSthoughalways.net
Type: A
DNSfigureforest.net
Type: A
DNSthoughforest.net
Type: A
DNSpicturewheat.net
Type: A
DNScigarettewheat.net
Type: A
DNSpictureanger.net
Type: A
DNScigaretteanger.net
Type: A
DNSpicturealways.net
Type: A
DNScigarettealways.net
Type: A
DNSpictureforest.net
Type: A
DNScigaretteforest.net
Type: A
DNSchildrenwheat.net
Type: A
DNSfamilywheat.net
Type: A
DNSchildrenanger.net
Type: A
DNSfamilyanger.net
Type: A
DNSchildrenalways.net
Type: A
DNSfamilyalways.net
Type: A
DNSchildrenforest.net
Type: A
DNSfamilyforest.net
Type: A
DNSeitherwheat.net
Type: A
DNSenglishwheat.net
Type: A
DNSeitheranger.net
Type: A
DNSenglishanger.net
Type: A
DNSeitheralways.net
Type: A
DNSenglishalways.net
Type: A
DNSeitherforest.net
Type: A
DNSexpectschool.net
Type: A
DNSbecauseschool.net
Type: A
DNSexpectwhile.net
Type: A
DNSbecausewhile.net
Type: A
DNSexpectquestion.net
Type: A
DNSbecausequestion.net
Type: A
DNSexpecttherefore.net
Type: A
DNSbecausetherefore.net
Type: A
DNSmachineschool.net
Type: A
DNSpersonwhile.net
Type: A
DNSmachinewhile.net
Type: A
DNSpersonquestion.net
Type: A
DNSmachinequestion.net
Type: A
DNSpersontherefore.net
Type: A
DNSmachinetherefore.net
Type: A
DNSsuddenschool.net
Type: A
DNSforeignschool.net
Type: A
DNSsuddenwhile.net
Type: A
DNSforeignwhile.net
Type: A
DNSsuddenquestion.net
Type: A
DNSsuddentherefore.net
Type: A
DNSforeigntherefore.net
Type: A
DNSwhetherschool.net
Type: A
DNSwhetherwhile.net
Type: A
DNSrightwhile.net
Type: A
DNSwhetherquestion.net
Type: A
DNSwhethertherefore.net
Type: A
DNSrighttherefore.net
Type: A
DNSfigureschool.net
Type: A
DNSthoughschool.net
Type: A
DNSfigurewhile.net
Type: A
DNSthoughwhile.net
Type: A
DNSfigurequestion.net
Type: A
DNSthoughquestion.net
Type: A
DNSfiguretherefore.net
Type: A
DNSthoughtherefore.net
Type: A
DNSpictureschool.net
Type: A
DNScigaretteschool.net
Type: A
DNSpicturewhile.net
Type: A
DNScigarettewhile.net
Type: A
DNSpicturequestion.net
Type: A
DNScigarettequestion.net
Type: A
DNSpicturetherefore.net
Type: A
DNScigarettetherefore.net
Type: A
DNSchildrenschool.net
Type: A
DNSfamilywhile.net
Type: A
DNSchildrenquestion.net
Type: A
DNSfamilyquestion.net
Type: A
HTTP GEThttp://englishforest.net/index.php
User-Agent:
HTTP GEThttp://personschool.net/index.php
User-Agent:
HTTP GEThttp://foreignquestion.net/index.php
User-Agent:
HTTP GEThttp://rightschool.net/index.php
User-Agent:
HTTP GEThttp://rightquestion.net/index.php
User-Agent:
HTTP GEThttp://familyschool.net/index.php
User-Agent:
HTTP GEThttp://childrenwhile.net/index.php
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 59.188.232.88:80
Flows TCP192.168.1.1:1032 ➝ 165.160.15.20:80
Flows TCP192.168.1.1:1033 ➝ 195.22.26.254:80
Flows TCP192.168.1.1:1034 ➝ 82.144.197.54:80
Flows TCP192.168.1.1:1035 ➝ 208.91.197.27:80
Flows TCP192.168.1.1:1036 ➝ 50.63.202.104:80
Flows TCP192.168.1.1:1037 ➝ 95.211.230.75:80

Raw Pcap



Strings