Analysis Date: 2015-07-29 20:35:55
MD5: b128a7255539f61b20ccc002bf7147d4
SHA1: f75f178b67f02a2d540c25157627045a1cd10097

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 037b3ee780332ce3f103ad5173ba71ba sha1: b9e33691ed634623f04865519589645b1bbe0c7d size: 316928
Section .rdata: md5: ea8e35e2dee3fd904d83e5154b75fb1f sha1: b349e9a1066598d06b17469ddc7b15f132643a5f size: 60928
Section .data: md5: 0c94acf0a2676c1c93aff967c17f5471 sha1: b5422505e864bf685a7a8205481b83542027604b size: 7680
Section .reloc: md5: c1aa0e0e03662d26ce933cd6fe9924b5 sha1: 23d597787b1cccdb6671be536fa1d0a315840b93 size: 25600
Timestamp: 2015-05-11 06:33:33
Packer: Microsoft Visual C++ 8
PEhash: 264c441ef0967a86d18b4c2f93ffb5aed1315a27
IMPhash: aefa7056e45ac91fd41e8a8bd6e44cc8
AV Rising: Trojan.Win32.Bayrod.b
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.611009
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.611009
AV BullGuard: Gen:Variant.Kazy.611009
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: BKDR_BAYROB.KFP
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.Bayrob.Win32.1184
AV Emsisoft: Gen:Variant.Kazy.611009
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.611009
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV K7: Trojan ( 004c3a4d1 )
AV BitDefender: Gen:Variant.Kazy.611009
AV Fortinet: W32/Bayrob.T!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.W
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Kazy.611009
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.148346
AV Mcafee: RDN/Generic.dx!dsn

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\necrcnbt\fjzj6xlh6ga
Creates File: C:\necrcnbt\fjzj6xlh6ga
Creates File: C:\necrcnbt\ygtn1knhdyksbcvxznlh.exe
Deletes File: C:\WINDOWS\necrcnbt\fjzj6xlh6ga
Creates Process: C:\necrcnbt\ygtn1knhdyksbcvxznlh.exe

Process
↳ C:\necrcnbt\ygtn1knhdyksbcvxznlh.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Helper Publication Network Identity ➝ C:\necrcnbt\geijpyqqpdoj.exe
Creates File: C:\WINDOWS\necrcnbt\fjzj6xlh6ga
Creates File: C:\necrcnbt\geijpyqqpdoj.exe
Creates File: C:\necrcnbt\xvq15dtguddp
Creates File: PIPE\lsarpc
Creates File: C:\necrcnbt\fjzj6xlh6ga
Deletes File: C:\WINDOWS\necrcnbt\fjzj6xlh6ga
Creates Process: C:\necrcnbt\geijpyqqpdoj.exe
Creates Service: Spooler NGEN Computer Event Routing Control - C:\necrcnbt\geijpyqqpdoj.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1852

Process
↳ Pid 1128

Process
↳ C:\necrcnbt\geijpyqqpdoj.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\necrcnbt\fjzj6xlh6ga
Creates File: C:\necrcnbt\mycreatpv
Creates File: C:\necrcnbt\xvq15dtguddp
Creates File: \Device\Afd\Endpoint
Creates File: C:\necrcnbt\rowlpkv.exe
Creates File: C:\necrcnbt\fjzj6xlh6ga
Deletes File: C:\WINDOWS\necrcnbt\fjzj6xlh6ga
Creates Process: l5dlvugajoqy "c:\necrcnbt\geijpyqqpdoj.exe"

Process
↳ C:\necrcnbt\geijpyqqpdoj.exe

Creates File: C:\WINDOWS\necrcnbt\fjzj6xlh6ga
Creates File: C:\necrcnbt\fjzj6xlh6ga
Deletes File: C:\WINDOWS\necrcnbt\fjzj6xlh6ga

Process
↳ l5dlvugajoqy "c:\necrcnbt\geijpyqqpdoj.exe"

Creates File: C:\WINDOWS\necrcnbt\fjzj6xlh6ga
Creates File: C:\necrcnbt\fjzj6xlh6ga
Deletes File: C:\WINDOWS\necrcnbt\fjzj6xlh6ga

Network Details:

HTTP GET: http://smokeinside.net/index.php
User-Agent:
HTTP GET: http://partyexplain.net/index.php
User-Agent:
HTTP GET: http://partybright.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 50.63.202.34:80
Flows TCP: 192.168.1.1:1032 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1033 ➝ 50.63.202.44:80

Raw Pcap