Analysis Date | 2015-08-19 09:45:16 |
---|---|
MD5 | 665ede07d224b984e673e3239f95b7f8 |
SHA1 | f71ad0162ab1da9e630d10aaad9aad4ae8f33e2b |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: 289f8b053d4e61b477dfd4344d5aaad7 sha1: 2fcb63e5e4009e60e0d041e0325940ce66dbf233 size: 466944 | |
Section | .rdata md5: c7369604bd96b7932c1423a8d4c8c307 sha1: 559365dbbe367140e6d1815eea9d2e949056c6ff size: 75776 | |
Section | .data md5: 73f23790e23b7a0b480b132329250f64 sha1: e4bce2da28729fb4f4d4494c71ca600de5bdcb60 size: 7168 | |
Section | .reloc md5: bf686c7f103115bdd37e1f0d52228253 sha1: 70037577e5188d408644a00e0ca6f185ab587aea size: 45568 | |
Timestamp | 2015-05-08 07:04:32 | |
Packer | Microsoft Visual C++ 8 | |
PEhash | f07f45438de8d898b8fef156ecd99c31df8754b4 | |
IMPhash | 1e3cc7db01a8fa9676373837f106e3c6 | |
AV | Rising | Trojan.Win32.Bayrod.a |
AV | CA (E-Trust Ino) | no_virus |
AV | F-Secure | Gen:Variant.Kazy.609631 |
AV | Dr. Web | Trojan.Bayrob.1 |
AV | ClamAV | no_virus |
AV | Arcabit (arcavir) | Gen:Variant.Kazy.609631 |
AV | BullGuard | Gen:Variant.Kazy.609631 |
AV | Padvish | no_virus |
AV | VirusBlokAda (vba32) | no_virus |
AV | CAT (quickheal) | TrojanSpy.Nivdort.OD4 |
AV | Trend Micro | TROJ_BAYROB.SM0 |
AV | Kaspersky | Trojan.Win32.Agent.nervjw |
AV | Zillya! | no_virus |
AV | Emsisoft | Gen:Variant.Kazy.609631 |
AV | Ikarus | Trojan.Win32.Bayrob |
AV | Frisk (f-prot) | no_virus |
AV | Authentium | W32/Scar.R.gen!Eldorado |
AV | MalwareBytes | Trojan.Agent.KVTGen |
AV | MicroWorld (escan) | Gen:Variant.Kazy.609631 |
AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.BG |
AV | K7 | Trojan ( 004c77f41 ) |
AV | BitDefender | Gen:Variant.Kazy.609631 |
AV | Fortinet | W32/Generic.AC.215362 |
AV | Symantec | Downloader.Upatre!g15 |
AV | Grisoft (avg) | Win32/Cryptor |
AV | Eset (nod32) | Win32/Bayrob.T |
AV | Alwil (avast) | Malware-gen:Win32:Malware-gen |
AV | Ad-Aware | Gen:Variant.Kazy.609631 |
AV | Twister | W32.Toolbar.CrossRider.AE.lfcr.mg |
AV | Avira (antivir) | TR/Crypt.Xpack.254163 |
AV | Mcafee | Trojan-FGIJ!665EDE07D224 |
Runtime Details:
Screenshot | ![]() |
---|
Process
↳ C:\malware.exe
Creates File | C:\oidcnyqifqm\lsjdvlv |
---|---|
Creates File | C:\oidcnyqifqm\lp1m5rl6wgjvphfox.exe |
Creates File | C:\WINDOWS\oidcnyqifqm\lsjdvlv |
Deletes File | C:\WINDOWS\oidcnyqifqm\lsjdvlv |
Creates Process | C:\oidcnyqifqm\lp1m5rl6wgjvphfox.exe |
Process
↳ C:\oidcnyqifqm\lp1m5rl6wgjvphfox.exe
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Credential Update Font ➝ C:\oidcnyqifqm\adpcjfei.exe |
---|---|
Creates File | C:\oidcnyqifqm\nr9gcllgwg |
Creates File | PIPE\lsarpc |
Creates File | C:\oidcnyqifqm\lsjdvlv |
Creates File | C:\oidcnyqifqm\adpcjfei.exe |
Creates File | C:\WINDOWS\oidcnyqifqm\lsjdvlv |
Deletes File | C:\WINDOWS\oidcnyqifqm\lsjdvlv |
Creates Process | C:\oidcnyqifqm\adpcjfei.exe |
Creates Service | Modules Error Host Collector Audio Link - C:\oidcnyqifqm\adpcjfei.exe |
Process
↳ Pid 800
Process
↳ Pid 852
Process
↳ C:\WINDOWS\System32\svchost.exe
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
---|
Process
↳ Pid 1112
Process
↳ Pid 1208
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
---|---|
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Creates File | WMIDataDevice |
Process
↳ Pid 1876
Process
↳ Pid 1160
Process
↳ C:\oidcnyqifqm\adpcjfei.exe
Creates File | C:\oidcnyqifqm\nr9gcllgwg |
---|---|
Creates File | pipe\net\NtControlPipe10 |
Creates File | C:\oidcnyqifqm\eunvuxng |
Creates File | C:\oidcnyqifqm\qiengvfyhqso.exe |
Creates File | C:\oidcnyqifqm\lsjdvlv |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\WINDOWS\oidcnyqifqm\lsjdvlv |
Deletes File | C:\WINDOWS\oidcnyqifqm\lsjdvlv |
Creates Process | wvw5tgybyyew "c:\oidcnyqifqm\adpcjfei.exe" |
Process
↳ C:\oidcnyqifqm\adpcjfei.exe
Process
↳ wvw5tgybyyew "c:\oidcnyqifqm\adpcjfei.exe"
Creates File | C:\oidcnyqifqm\lsjdvlv |
---|---|
Creates File | C:\WINDOWS\oidcnyqifqm\lsjdvlv |
Deletes File | C:\WINDOWS\oidcnyqifqm\lsjdvlv |
Network Details:
Raw Pcap
0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2073 : close..Host: s 0x00000040 (00064) 696d706c 656f6666 6963652e 6e65740d impleoffice.net. 0x00000050 (00080) 0a0d0a ... 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206d : close..Host: m 0x00000040 (00064) 6f756e74 61696e73 7570706c 792e6e65 ountainsupply.ne 0x00000050 (00080) 740d0a0d 0a t.... 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2077 : close..Host: w 0x00000040 (00064) 696e646f 77737570 706c792e 6e65740d indowsupply.net. 0x00000050 (00080) 0a0d0a0d 0a ..... 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a2073 : close..Host: s 0x00000040 (00064) 77656574 6f666669 63652e6e 65740d0a weetoffice.net.. 0x00000050 (00080) 0d0a0a0d 0a ..... 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206d : close..Host: m 0x00000040 (00064) 61746572 69616c73 7570706c 792e6e65 aterialsupply.ne 0x00000050 (00080) 740d0a0d 0a t.... 0x00000000 (00000) 47455420 2f696e64 65782e70 68702048 GET /index.php H 0x00000010 (00016) 5454502f 312e300d 0a416363 6570743a TTP/1.0..Accept: 0x00000020 (00032) 202a2f2a 0d0a436f 6e6e6563 74696f6e */*..Connection 0x00000030 (00048) 3a20636c 6f73650d 0a486f73 743a206c : close..Host: l 0x00000040 (00064) 61756768 7374726f 6e672e6e 65740d0a aughstrong.net.. 0x00000050 (00080) 0d0a0a0d 0a .....
Strings