Analysis Date: 2016-01-28 10:45:56
MD5: 86d17c3e3a99ea50d8811b827bd75bf4
SHA1: f60a9aedc15a6d3f03375e38d5ed4c5dde3252d2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 2cb73a5cb264e0d7856fa13ebdfc3185 sha1: 6ec4345fe7fbe95c1054de0635de6026aa7d1828 size: 907264
Section .rdata: md5: 539a3823573ca3631667f0545d3cc86f sha1: cf23618391c1ce0ae629c5960b1158487d77ff9c size: 397312
Section .data: md5: f52f8ceff3f27637ff7bed84a6492136 sha1: 0f5f084c3fade6a6f01fffbc38b122b8f74fd56c size: 6656
Section .reloc: md5: 56fe7dae2ddf3a7e3cd23121a7c4669b sha1: 47f6d52e0597a656f47e5596aaa5183b27fb4a0f size: 122368
Timestamp: 2015-12-15 15:56:38
Packer: VC8 -> Microsoft Corporation
PEhash: 47d9393ba2c271e6c85422f31aedf20eb4f6f042
IMPhash: dc93043b2e857b014f9f60e2bcc1cceb
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: Trojan-FHOH!86D17C3E3A99
AV Avira (antivir): TR/Crypt.Xpack.422165
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Kazy.788788
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.AG
AV Grisoft (avg): Generic37.ACCA
AV Symantec: No Virus
AV Fortinet: No Virus
AV BitDefender: Gen:Variant.Kazy.788788
AV K7: Trojan ( 004da8bd1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV MicroWorld (escan): Gen:Variant.Kazy.788788
AV MalwareBytes: No Virus
AV Authentium: No Virus
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Kazy.788788
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Gen:Variant.Kazy.788788
AV Arcabit (arcavir): Gen:Variant.Kazy.788788
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.6870
AV F-Secure: Gen:Variant.Kazy.788788

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\hgcoklejcvl\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\vhpoctle7nahwdpgrymjqm.exe
Creates File: PIPE\lsarpc
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\vhpoctle7nahwdpgrymjqm.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\vhpoctle7nahwdpgrymjqm.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Telephony UserMode Secondary Problem ➝
C:\WINDOWS\system32\wiccbnt.exe
Creates File: C:\WINDOWS\system32\wiccbnt.exe
Creates File: C:\WINDOWS\system32\hgcoklejcvl\lck
Creates File: C:\WINDOWS\system32\hgcoklejcvl\tst
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\wiccbnt.exe
Creates Service: Auto-Discovery Protection Link Video Link-Layer - C:\WINDOWS\system32\wiccbnt.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝
NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1116

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1872

Process
↳ Pid 1160

Process
↳ C:\WINDOWS\system32\wiccbnt.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝
1
Creates File: C:\WINDOWS\system32\bnesjwevpj.exe
Creates File: C:\WINDOWS\TEMP\vhpoct7tvxt8wdpg.exe
Creates File: C:\WINDOWS\system32\hgcoklejcvl\run
Creates File: C:\WINDOWS\system32\hgcoklejcvl\cfg
Creates File: C:\WINDOWS\system32\hgcoklejcvl\rng
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\hgcoklejcvl\lck
Creates File: C:\WINDOWS\system32\hgcoklejcvl\tst
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\TEMP\vhpoct7tvxt8wdpg.exe -r 42351 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\wiccbnt.exe"

Process
↳ C:\WINDOWS\system32\wiccbnt.exe

Creates File: C:\WINDOWS\system32\hgcoklejcvl\tst
Creates File: PIPE\lsarpc

Process
↳ WATCHDOGPROC "c:\windows\system32\wiccbnt.exe"

Creates File: C:\WINDOWS\system32\hgcoklejcvl\tst

Process
↳ C:\WINDOWS\TEMP\vhpoct7tvxt8wdpg.exe -r 42351 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: journeymeasure.net
Type: A
50.87.249.65
DNS: simonettedwerryhouse.net
Type: A
98.139.135.129
DNS: morningduring.net
Type: A
98.139.135.129
DNS: riddenstorm.net
Type: A
66.147.240.171
DNS: effortbuilt.net
Type: A
198.27.70.45
DNS: thosewhile.net
Type: A
198.27.70.45
DNS: westboat.net
Type: A
213.186.33.104
DNS: westrest.net
Type: A
208.100.26.234
DNS: leadpress.net
Type: A
98.124.199.4
DNS: orderthrown.net
Type: A
DNS: decidepromise.net
Type: A
DNS: seasonstrong.net
Type: A
DNS: chiefanother.net
Type: A
DNS: gwendolynhuddleston.net
Type: A
DNS: oftensurprise.net
Type: A
DNS: tablekind.net
Type: A
DNS: leadkind.net
Type: A
DNS: pointwild.net
Type: A
DNS: callwild.net
Type: A
DNS: pointjune.net
Type: A
DNS: calljune.net
Type: A
DNS: pointbegan.net
Type: A
DNS: callbegan.net
Type: A
DNS: pointkind.net
Type: A
DNS: callkind.net
Type: A
DNS: nonewild.net
Type: A
DNS: liarwild.net
Type: A
DNS: nonejune.net
Type: A
DNS: liarjune.net
Type: A
DNS: nonebegan.net
Type: A
DNS: liarbegan.net
Type: A
DNS: nonekind.net
Type: A
DNS: liarkind.net
Type: A
DNS: wellwild.net
Type: A
DNS: nosewild.net
Type: A
DNS: welljune.net
Type: A
DNS: nosejune.net
Type: A
DNS: wellbegan.net
Type: A
DNS: nosebegan.net
Type: A
DNS: wellkind.net
Type: A
DNS: nosekind.net
Type: A
DNS: ringwild.net
Type: A
DNS: favorwild.net
Type: A
DNS: ringjune.net
Type: A
DNS: favorjune.net
Type: A
DNS: ringbegan.net
Type: A
DNS: favorbegan.net
Type: A
DNS: ringkind.net
Type: A
DNS: favorkind.net
Type: A
DNS: sorryboat.net
Type: A
DNS: fiftyboat.net
Type: A
DNS: sorrypress.net
Type: A
DNS: fiftypress.net
Type: A
DNS: sorryrest.net
Type: A
DNS: fiftyrest.net
Type: A
DNS: sorryopen.net
Type: A
DNS: fiftyopen.net
Type: A
DNS: theirboat.net
Type: A
DNS: likrboat.net
Type: A
DNS: theirpress.net
Type: A
DNS: likrpress.net
Type: A
DNS: theirrest.net
Type: A
DNS: likrrest.net
Type: A
DNS: theiropen.net
Type: A
DNS: likropen.net
Type: A
DNS: fearboat.net
Type: A
DNS: fearpress.net
Type: A
DNS: westpress.net
Type: A
DNS: fearrest.net
Type: A
DNS: fearopen.net
Type: A
DNS: westopen.net
Type: A
DNS: tableboat.net
Type: A
DNS: leadboat.net
Type: A
DNS: tablepress.net
Type: A
DNS: tablerest.net
Type: A
DNS: leadrest.net
Type: A
DNS: tableopen.net
Type: A
DNS: leadopen.net
Type: A
DNS: pointboat.net
Type: A
DNS: callboat.net
Type: A
DNS: pointpress.net
Type: A
DNS: callpress.net
Type: A
DNS: pointrest.net
Type: A
DNS: callrest.net
Type: A
DNS: pointopen.net
Type: A
DNS: callopen.net
Type: A
DNS: noneboat.net
Type: A
DNS: liarboat.net
Type: A
DNS: nonepress.net
Type: A
DNS: liarpress.net
Type: A
DNS: nonerest.net
Type: A
DNS: liarrest.net
Type: A
DNS: noneopen.net
Type: A
DNS: liaropen.net
Type: A
DNS: wellboat.net
Type: A
DNS: noseboat.net
Type: A
DNS: wellpress.net
Type: A
HTTP GET: http://journeymeasure.net/index.php
User-Agent:
HTTP GET: http://simonettedwerryhouse.net/index.php
User-Agent:
HTTP GET: http://morningduring.net/index.php
User-Agent:
HTTP GET: http://riddenstorm.net/index.php
User-Agent:
HTTP GET: http://effortbuilt.net/index.php
User-Agent:
HTTP GET: http://thosewhile.net/index.php
User-Agent:
HTTP GET: http://westboat.net/index.php
User-Agent:
HTTP GET: http://westrest.net/index.php
User-Agent:
HTTP GET: http://leadpress.net/index.php
User-Agent:
HTTP GET: http://journeymeasure.net/index.php
User-Agent:
HTTP GET: http://simonettedwerryhouse.net/index.php
User-Agent:
HTTP GET: http://morningduring.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 50.87.249.65:80
Flows TCP: 192.168.1.1:1037 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1038 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1040 ➝ 66.147.240.171:80
Flows TCP: 192.168.1.1:1041 ➝ 198.27.70.45:80
Flows TCP: 192.168.1.1:1042 ➝ 198.27.70.45:80
Flows TCP: 192.168.1.1:1043 ➝ 213.186.33.104:80
Flows TCP: 192.168.1.1:1044 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1045 ➝ 98.124.199.4:80
Flows TCP: 192.168.1.1:1046 ➝ 50.87.249.65:80
Flows TCP: 192.168.1.1:1047 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1048 ➝ 98.139.135.129:80
