Analysis | #totalhash

Analysis Date	2015-08-19 09:45:16
MD5	665ede07d224b984e673e3239f95b7f8
SHA1	f71ad0162ab1da9e630d10aaad9aad4ae8f33e2b

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 289f8b053d4e61b477dfd4344d5aaad7 sha1: 2fcb63e5e4009e60e0d041e0325940ce66dbf233 size: 466944
Section	.rdata md5: c7369604bd96b7932c1423a8d4c8c307 sha1: 559365dbbe367140e6d1815eea9d2e949056c6ff size: 75776
Section	.data md5: 73f23790e23b7a0b480b132329250f64 sha1: e4bce2da28729fb4f4d4494c71ca600de5bdcb60 size: 7168
Section	.reloc md5: bf686c7f103115bdd37e1f0d52228253 sha1: 70037577e5188d408644a00e0ca6f185ab587aea size: 45568
Timestamp	2015-05-08 07:04:32
Packer	Microsoft Visual C++ 8
PEhash	f07f45438de8d898b8fef156ecd99c31df8754b4
IMPhash	1e3cc7db01a8fa9676373837f106e3c6
AV	Rising	Trojan.Win32.Bayrod.a
AV	CA (E-Trust Ino)	no_virus
AV	F-Secure	Gen:Variant.Kazy.609631
AV	Dr. Web	Trojan.Bayrob.1
AV	ClamAV	no_virus
AV	Arcabit (arcavir)	Gen:Variant.Kazy.609631
AV	BullGuard	Gen:Variant.Kazy.609631
AV	Padvish	no_virus
AV	VirusBlokAda (vba32)	no_virus
AV	CAT (quickheal)	TrojanSpy.Nivdort.OD4
AV	Trend Micro	TROJ_BAYROB.SM0
AV	Kaspersky	Trojan.Win32.Agent.nervjw
AV	Zillya!	no_virus
AV	Emsisoft	Gen:Variant.Kazy.609631
AV	Ikarus	Trojan.Win32.Bayrob
AV	Frisk (f-prot)	no_virus
AV	Authentium	W32/Scar.R.gen!Eldorado
AV	MalwareBytes	Trojan.Agent.KVTGen
AV	MicroWorld (escan)	Gen:Variant.Kazy.609631
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.BG
AV	K7	Trojan ( 004c77f41 )
AV	BitDefender	Gen:Variant.Kazy.609631
AV	Fortinet	W32/Generic.AC.215362
AV	Symantec	Downloader.Upatre!g15
AV	Grisoft (avg)	Win32/Cryptor
AV	Eset (nod32)	Win32/Bayrob.T
AV	Alwil (avast)	Malware-gen:Win32:Malware-gen
AV	Ad-Aware	Gen:Variant.Kazy.609631
AV	Twister	W32.Toolbar.CrossRider.AE.lfcr.mg
AV	Avira (antivir)	TR/Crypt.Xpack.254163
AV	Mcafee	Trojan-FGIJ!665EDE07D224

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\oidcnyqifqm\lsjdvlv
Creates File	C:\oidcnyqifqm\lp1m5rl6wgjvphfox.exe
Creates File	C:\WINDOWS\oidcnyqifqm\lsjdvlv
Deletes File	C:\WINDOWS\oidcnyqifqm\lsjdvlv
Creates Process	C:\oidcnyqifqm\lp1m5rl6wgjvphfox.exe

Process
↳ C:\oidcnyqifqm\lp1m5rl6wgjvphfox.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Credential Update Font ➝ C:\oidcnyqifqm\adpcjfei.exe
Creates File	C:\oidcnyqifqm\nr9gcllgwg
Creates File	PIPE\lsarpc
Creates File	C:\oidcnyqifqm\lsjdvlv
Creates File	C:\oidcnyqifqm\adpcjfei.exe
Creates File	C:\WINDOWS\oidcnyqifqm\lsjdvlv
Deletes File	C:\WINDOWS\oidcnyqifqm\lsjdvlv
Creates Process	C:\oidcnyqifqm\adpcjfei.exe
Creates Service	Modules Error Host Collector Audio Link - C:\oidcnyqifqm\adpcjfei.exe

Process
↳ Pid 800

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File	WMIDataDevice

Process
↳ Pid 1876

Process
↳ Pid 1160

Process
↳ C:\oidcnyqifqm\adpcjfei.exe

Creates File	C:\oidcnyqifqm\nr9gcllgwg
Creates File	pipe\net\NtControlPipe10
Creates File	C:\oidcnyqifqm\eunvuxng
Creates File	C:\oidcnyqifqm\qiengvfyhqso.exe
Creates File	C:\oidcnyqifqm\lsjdvlv
Creates File	\Device\Afd\Endpoint
Creates File	C:\WINDOWS\oidcnyqifqm\lsjdvlv
Deletes File	C:\WINDOWS\oidcnyqifqm\lsjdvlv
Creates Process	wvw5tgybyyew "c:\oidcnyqifqm\adpcjfei.exe"

Process
↳ C:\oidcnyqifqm\adpcjfei.exe

Process
↳ wvw5tgybyyew "c:\oidcnyqifqm\adpcjfei.exe"

Creates File	C:\oidcnyqifqm\lsjdvlv
Creates File	C:\WINDOWS\oidcnyqifqm\lsjdvlv
Deletes File	C:\WINDOWS\oidcnyqifqm\lsjdvlv

Network Details:

DNS	simpleoffice.net Type: A 50.63.202.104
DNS	mountainsupply.net Type: A 67.18.199.2
DNS	windowsupply.net Type: A 173.236.172.44
DNS	sweetoffice.net Type: A 162.213.251.173
DNS	materialsupply.net Type: A 184.168.221.36
DNS	laughstrong.net Type: A 50.21.189.209
DNS	simpledistance.net Type: A
DNS	motherdistance.net Type: A
DNS	motheroffice.net Type: A
DNS	simplearrive.net Type: A
DNS	motherarrive.net Type: A
DNS	possiblesupply.net Type: A
DNS	mountaindistance.net Type: A
DNS	possibledistance.net Type: A
DNS	mountainoffice.net Type: A
DNS	possibleoffice.net Type: A
DNS	mountainarrive.net Type: A
DNS	possiblearrive.net Type: A
DNS	perhapssupply.net Type: A
DNS	perhapsdistance.net Type: A
DNS	windowdistance.net Type: A
DNS	perhapsoffice.net Type: A
DNS	windowoffice.net Type: A
DNS	perhapsarrive.net Type: A
DNS	windowarrive.net Type: A
DNS	wintersupply.net Type: A
DNS	subjectsupply.net Type: A
DNS	winterdistance.net Type: A
DNS	subjectdistance.net Type: A
DNS	winteroffice.net Type: A
DNS	subjectoffice.net Type: A
DNS	winterarrive.net Type: A
DNS	subjectarrive.net Type: A
DNS	finishsupply.net Type: A
DNS	leavesupply.net Type: A
DNS	finishdistance.net Type: A
DNS	leavedistance.net Type: A
DNS	finishoffice.net Type: A
DNS	leaveoffice.net Type: A
DNS	finisharrive.net Type: A
DNS	leavearrive.net Type: A
DNS	sweetsupply.net Type: A
DNS	probablysupply.net Type: A
DNS	sweetdistance.net Type: A
DNS	probablydistance.net Type: A
DNS	probablyoffice.net Type: A
DNS	sweetarrive.net Type: A
DNS	probablyarrive.net Type: A
DNS	severalsupply.net Type: A
DNS	severaldistance.net Type: A
DNS	materialdistance.net Type: A
DNS	severaloffice.net Type: A
DNS	materialoffice.net Type: A
DNS	severalarrive.net Type: A
DNS	materialarrive.net Type: A
DNS	severastrong.net Type: A
DNS	severatrouble.net Type: A
DNS	laughtrouble.net Type: A
DNS	severapresident.net Type: A
DNS	laughpresident.net Type: A
DNS	severacaught.net Type: A
DNS	laughcaught.net Type: A
DNS	simplestrong.net Type: A
DNS	motherstrong.net Type: A
DNS	simpletrouble.net Type: A
DNS	mothertrouble.net Type: A
DNS	simplepresident.net Type: A
DNS	motherpresident.net Type: A
DNS	simplecaught.net Type: A
DNS	mothercaught.net Type: A
DNS	mountainstrong.net Type: A
DNS	possiblestrong.net Type: A
DNS	mountaintrouble.net Type: A
DNS	possibletrouble.net Type: A
DNS	mountainpresident.net Type: A
DNS	possiblepresident.net Type: A
DNS	mountaincaught.net Type: A
DNS	possiblecaught.net Type: A
DNS	perhapsstrong.net Type: A
DNS	windowstrong.net Type: A
DNS	perhapstrouble.net Type: A
DNS	windowtrouble.net Type: A
DNS	perhapspresident.net Type: A
DNS	windowpresident.net Type: A
DNS	perhapscaught.net Type: A
HTTP GET	http://simpleoffice.net/index.php User-Agent:
HTTP GET	http://mountainsupply.net/index.php User-Agent:
HTTP GET	http://windowsupply.net/index.php User-Agent:
HTTP GET	http://sweetoffice.net/index.php User-Agent:
HTTP GET	http://materialsupply.net/index.php User-Agent:
HTTP GET	http://laughstrong.net/index.php User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 50.63.202.104:80
Flows TCP	192.168.1.1:1032 ➝ 67.18.199.2:80
Flows TCP	192.168.1.1:1033 ➝ 173.236.172.44:80
Flows TCP	192.168.1.1:1034 ➝ 162.213.251.173:80
Flows TCP	192.168.1.1:1035 ➝ 184.168.221.36:80
Flows TCP	192.168.1.1:1036 ➝ 50.21.189.209:80

Raw Pcap

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   696d706c 656f6666 6963652e 6e65740d   impleoffice.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f756e74 61696e73 7570706c 792e6e65   ountainsupply.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2077   : close..Host: w
0x00000040 (00064)   696e646f 77737570 706c792e 6e65740d   indowsupply.net.
0x00000050 (00080)   0a0d0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   77656574 6f666669 63652e6e 65740d0a   weetoffice.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   61746572 69616c73 7570706c 792e6e65   aterialsupply.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   61756768 7374726f 6e672e6e 65740d0a   aughstrong.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

Strings