Analysis Date: 2015-08-19 06:17:51
MD5: 19de9bf381de3d85ca50afa40c037af2
SHA1: f3972ad3a79536e030ab925becdddabec0e3b977

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 554381b1f607d3aec5cbb1d7c1b19606 sha1: 2e600a9739028b71f886c3284b18a8b852c99a33 size: 299008
Section .rdata md5: 14bde5900f682c81e1cd967174046448 sha1: 7bb0d9b82fa6947132366af1cf1658ea72a1b726 size: 58368
Section .data md5: a340fa7fd2e7e01a3b7b03fd005ca952 sha1: ccedd3d986856be51950d3bf4754f40108af629a size: 7680
Section .reloc md5: e69a7d924096686d028f82d284e390b3 sha1: e62425bbbcc7c88c3c2c81fed4ea29a42a37f9d3 size: 22528
Timestamp: 2015-05-11 07:03:27
Packer: Microsoft Visual C++ 8
PEhash: 176d8d0f4797845b9b531986aaf7ab877e25b486
IMPhash: 262cea0549269e191f59e54edc2c249c
AV Symantec: Downloader.Upatre!g15
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV Eset (nod32): Win32/Bayrob.W
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AL
AV Ikarus: Trojan.Win32.Bayrob
AV BitDefender: Gen:Variant.Diley.1
AV Twister: Trojan.Scar.jnru.ovgp
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Fortinet: W32/Bayrob.T!tr
AV Padvish: no_virus
AV Trend Micro: TROJ_BAYROB.SM0
AV Emsisoft: Gen:Variant.Diley.1
AV MalwareBytes: Trojan.Agent.KVTGen
AV K7: Trojan ( 004c3a4d1 )
AV Grisoft (avg): Win32/Cryptor
AV Ad-Aware: Gen:Variant.Diley.1
AV Rising: Trojan.Win32.Bayrod.b
AV Dr. Web: Trojan.Bayrob.1
AV Mcafee: PWS-FCCE!19DE9BF381DE
AV CA (E-Trust Ino): no_virus
AV VirusBlokAda (vba32): no_virus
AV Frisk (f-prot): no_virus
AV ClamAV: no_virus
AV BullGuard: Gen:Variant.Diley.1
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Kaspersky: Trojan.Win32.Scar.jnru
AV Zillya!: Trojan.Scar.Win32.91104
AV F-Secure: Gen:Variant.Diley.1
AV Authentium: W32/Nivdort.B.gen!Eldorado

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\ogycixnonpfivsu\bnm6anoukfa
Creates File: C:\WINDOWS\ogycixnonpfivsu\bnm6anoukfa
Creates File: C:\ogycixnonpfivsu\mja51lrfojw4jswp3g.exe
Deletes File: C:\WINDOWS\ogycixnonpfivsu\bnm6anoukfa
Creates Process: C:\ogycixnonpfivsu\mja51lrfojw4jswp3g.exe

Process
↳ C:\ogycixnonpfivsu\mja51lrfojw4jswp3g.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Brightness IPsec DHCP Smart Upgrade ➝ C:\ogycixnonpfivsu\qvgnmtn.exe
Creates File: C:\ogycixnonpfivsu\bnm6anoukfa
Creates File: C:\WINDOWS\ogycixnonpfivsu\bnm6anoukfa
Creates File: C:\ogycixnonpfivsu\iecxjllyztrf
Creates File: PIPE\lsarpc
Creates File: C:\ogycixnonpfivsu\qvgnmtn.exe
Deletes File: C:\WINDOWS\ogycixnonpfivsu\bnm6anoukfa
Creates Process: C:\ogycixnonpfivsu\qvgnmtn.exe
Creates Service: Telephony Publication Connect Auto - C:\ogycixnonpfivsu\qvgnmtn.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1848

Process
↳ Pid 1096

Process
↳ C:\ogycixnonpfivsu\qvgnmtn.exe

Creates File: C:\ogycixnonpfivsu\tlxtzbwyvwlq.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\ogycixnonpfivsu\bnm6anoukfa
Creates File: C:\WINDOWS\ogycixnonpfivsu\bnm6anoukfa
Creates File: C:\ogycixnonpfivsu\iecxjllyztrf
Creates File: \Device\Afd\Endpoint
Creates File: C:\ogycixnonpfivsu\lddqgofxynk
Deletes File: C:\WINDOWS\ogycixnonpfivsu\bnm6anoukfa
Creates Process: a8sbazx4heqy "c:\ogycixnonpfivsu\qvgnmtn.exe"

Process
↳ C:\ogycixnonpfivsu\qvgnmtn.exe

Creates File: C:\ogycixnonpfivsu\bnm6anoukfa
Creates File: C:\WINDOWS\ogycixnonpfivsu\bnm6anoukfa
Deletes File: C:\WINDOWS\ogycixnonpfivsu\bnm6anoukfa

Process
↳ a8sbazx4heqy "c:\ogycixnonpfivsu\qvgnmtn.exe"

Creates File: C:\ogycixnonpfivsu\bnm6anoukfa
Creates File: C:\WINDOWS\ogycixnonpfivsu\bnm6anoukfa
Deletes File: C:\WINDOWS\ogycixnonpfivsu\bnm6anoukfa

Network Details:

HTTP GET http://sweetshort.net/index.php
User-Agent:
HTTP GET http://probablyshort.net/index.php
User-Agent:
HTTP GET http://sweetpromise.net/index.php
User-Agent:
HTTP GET http://materialopinion.net/index.php
User-Agent:
HTTP GET http://simpleoffice.net/index.php
User-Agent:
HTTP GET http://mountainsupply.net/index.php
User-Agent:
HTTP GET http://windowsupply.net/index.php
User-Agent:
HTTP GET http://sweetoffice.net/index.php
User-Agent:
HTTP GET http://materialsupply.net/index.php
User-Agent:
HTTP GET http://laughstrong.net/index.php
User-Agent:
Flows TCP 192.168.1.1:1031 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1032 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1033 ➝ 69.64.147.249:80
Flows TCP 192.168.1.1:1034 ➝ 195.22.26.252:80
Flows TCP 192.168.1.1:1035 ➝ 50.63.202.104:80
Flows TCP 192.168.1.1:1036 ➝ 67.18.199.2:80
Flows TCP 192.168.1.1:1037 ➝ 173.236.172.44:80
Flows TCP 192.168.1.1:1038 ➝ 162.213.251.173:80
Flows TCP 192.168.1.1:1039 ➝ 184.168.221.36:80
Flows TCP 192.168.1.1:1040 ➝ 50.21.189.209:80

Raw Pcap
Strings