Analysis Date: 2015-11-04 17:49:42
MD5: ad03534dceea535fc38d21d18612772f
SHA1: f95dc78639a886460f3ee1816811c22f71f8949f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: a1304cb26480381f1dec9fa3d243e444 sha1: 4bf59a92dcba567e87f3731f8bad87ddd5392cc0 size: 319488
Section .rdata  md5: eb6dddb96f72b79c8eca302846c5a43e sha1: ad0a11475fa197f1be54e1783208d29a3ba6fb62 size: 60928
Section .data   md5: aee31ad56f926bf7e4af0e25ef79d61c sha1: 1f7aeb253d49e876c8e6bf1acbc90039282a760a size: 7680
Section .reloc  md5: 0fab9c2e9716e9c526b8e9239516562e sha1: 8e2f00f16dc2fd4aa8f3ffc80fffbdac475afdbb size: 26112
Timestamp: 2015-05-11 06:27:55
Packer: Microsoft Visual C++ 8
PEhash: 3d19e40afd335dea97c0a1ae5ce1e6e6d63a54ae
IMPhash: 87238054ad8e4fe76186b4a7fd0548ea
AV Rising: Trojan.Win32.Bayrod.b
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.611009
AV Dr. Web: Trojan.Bayrob.1
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.611009
AV BullGuard: Gen:Variant.Kazy.611009
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.OD4
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.611009
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Nivdort.B.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Kazy.611009
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AL
AV K7: Trojan ( 004c3a4d1 )
AV BitDefender: Gen:Variant.Kazy.611009
AV Fortinet: W32/Bayrob.T!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.W
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Kazy.611009
AV Twister: no_virus
AV Avira (antivir): TR/Spy.ZBot.xbbeomq
AV Mcafee: PWS-FCCE!AD03534DCEEA

Runtime Details:

Process
↳ C:\malware.exe

Creates File C:\mpugpavqedbttm\brwdfddppepn
Creates File C:\WINDOWS\mpugpavqedbttm\brwdfddppepn
Creates File C:\mpugpavqedbttm\reea1lwmzaayh1pfpgq.exe
Deletes File C:\WINDOWS\mpugpavqedbttm\brwdfddppepn
Creates Process C:\mpugpavqedbttm\reea1lwmzaayh1pfpgq.exe

Process
↳ C:\mpugpavqedbttm\reea1lwmzaayh1pfpgq.exe

Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Adaptive Protection Distributed ➝ C:\mpugpavqedbttm\ilopkomq.exe
Creates File C:\mpugpavqedbttm\brwdfddppepn
Creates File C:\WINDOWS\mpugpavqedbttm\brwdfddppepn
Creates File PIPE\lsarpc
Creates File C:\mpugpavqedbttm\uchjilsmb
Creates File C:\mpugpavqedbttm\ilopkomq.exe
Deletes File C:\WINDOWS\mpugpavqedbttm\brwdfddppepn
Creates Process C:\mpugpavqedbttm\ilopkomq.exe
Creates Service Auto-Discovery Proxy Connectivity - C:\mpugpavqedbttm\ilopkomq.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1856

Process
↳ Pid 1148

Process
↳ C:\mpugpavqedbttm\ilopkomq.exe

Creates File C:\mpugpavqedbttm\brwdfddppepn
Creates File pipe\net\NtControlPipe10
Creates File C:\WINDOWS\mpugpavqedbttm\brwdfddppepn
Creates File C:\mpugpavqedbttm\qnjgopor2ivk
Creates File C:\mpugpavqedbttm\ailwvbdnmskx.exe
Creates File \Device\Afd\Endpoint
Creates File C:\mpugpavqedbttm\uchjilsmb
Deletes File C:\WINDOWS\mpugpavqedbttm\brwdfddppepn
Creates Process o0wwqxscqwfs "c:\mpugpavqedbttm\ilopkomq.exe"

Process
↳ C:\mpugpavqedbttm\ilopkomq.exe

Process
↳ o0wwqxscqwfs "c:\mpugpavqedbttm\ilopkomq.exe"

Creates File C:\mpugpavqedbttm\brwdfddppepn
Creates File C:\WINDOWS\mpugpavqedbttm\brwdfddppepn
Deletes File C:\WINDOWS\mpugpavqedbttm\brwdfddppepn

Network Details:

DNS nightcondition.net    Type: A    208.100.26.234
DNS largenation.net    Type: A    50.63.202.57
DNS recordsoldier.net    Type: A    208.91.197.241
DNS streetsoldier.net    Type: A    207.150.212.42
DNS quietplease.net    Type: A    62.149.128.74
DNS quietplease.net    Type: A    62.149.128.151
DNS quietplease.net    Type: A    62.149.128.154
DNS quietplease.net    Type: A    62.149.128.157
DNS quietplease.net    Type: A    62.149.128.160
DNS quietplease.net    Type: A    62.149.128.163
DNS quietplease.net    Type: A    62.149.128.166
DNS quietplease.net    Type: A    62.149.128.72
DNS nightpower.net    Type: A    207.148.248.143
DNS 079184.ichengyun.net    Type: A    162.211.181.53
DNS captainpower.net    Type: A    69.172.201.208
DNS electriccentury.net    Type: A    74.208.87.176
DNS recordfamous.net    Type: A    69.195.129.70
DNS electricpower.net    Type: A    69.172.201.208
DNS nightplease.net    Type: A
DNS decideplease.net    Type: A
DNS decidecondition.net    Type: A
DNS captainnation.net    Type: A
DNS largesoldier.net    Type: A
DNS captainsoldier.net    Type: A
DNS largeplease.net    Type: A
DNS captainplease.net    Type: A
DNS largecondition.net    Type: A
DNS captaincondition.net    Type: A
DNS recordnation.net    Type: A
DNS electricnation.net    Type: A
DNS electricsoldier.net    Type: A
DNS recordplease.net    Type: A
DNS electricplease.net    Type: A
DNS recordcondition.net    Type: A
DNS electriccondition.net    Type: A
DNS streetnation.net    Type: A
DNS tradenation.net    Type: A
DNS tradesoldier.net    Type: A
DNS streetplease.net    Type: A
DNS tradeplease.net    Type: A
DNS streetcondition.net    Type: A
DNS tradecondition.net    Type: A
DNS betternation.net    Type: A
DNS gathernation.net    Type: A
DNS bettersoldier.net    Type: A
DNS gathersoldier.net    Type: A
DNS betterplease.net    Type: A
DNS gatherplease.net    Type: A
DNS bettercondition.net    Type: A
DNS gathercondition.net    Type: A
DNS fliernation.net    Type: A
DNS breadnation.net    Type: A
DNS fliersoldier.net    Type: A
DNS breadsoldier.net    Type: A
DNS flierplease.net    Type: A
DNS breadplease.net    Type: A
DNS fliercondition.net    Type: A
DNS breadcondition.net    Type: A
DNS quietnation.net    Type: A
DNS seasonnation.net    Type: A
DNS quietsoldier.net    Type: A
DNS seasonsoldier.net    Type: A
DNS seasonplease.net    Type: A
DNS quietcondition.net    Type: A
DNS seasoncondition.net    Type: A
DNS againstcentury.net    Type: A
DNS doubtcentury.net    Type: A
DNS againstfamous.net    Type: A
DNS doubtfamous.net    Type: A
DNS againstpower.net    Type: A
DNS doubtpower.net    Type: A
DNS againstcountry.net    Type: A
DNS doubtcountry.net    Type: A
DNS nightcentury.net    Type: A
DNS decidecentury.net    Type: A
DNS nightfamous.net    Type: A
DNS decidefamous.net    Type: A
DNS decidepower.net    Type: A
DNS nightcountry.net    Type: A
DNS decidecountry.net    Type: A
DNS largecentury.net    Type: A
DNS captaincentury.net    Type: A
DNS largefamous.net    Type: A
DNS captainfamous.net    Type: A
DNS largepower.net    Type: A
DNS largecountry.net    Type: A
DNS captaincountry.net    Type: A
DNS recordcentury.net    Type: A
DNS electricfamous.net    Type: A
DNS recordpower.net    Type: A
DNS recordcountry.net    Type: A
DNS electriccountry.net    Type: A
DNS streetcentury.net    Type: A
HTTP GET http://nightcondition.net/index.php
User-Agent:
HTTP GET http://largenation.net/index.php
User-Agent:
HTTP GET http://recordsoldier.net/index.php
User-Agent:
HTTP GET http://streetsoldier.net/index.php
User-Agent:
HTTP GET http://quietplease.net/index.php
User-Agent:
HTTP GET http://nightpower.net/index.php
User-Agent:
HTTP GET http://largepower.net/index.php
User-Agent:
HTTP GET http://captainpower.net/index.php
User-Agent:
HTTP GET http://electriccentury.net/index.php
User-Agent:
HTTP GET http://recordfamous.net/index.php
User-Agent:
HTTP GET http://electricpower.net/index.php
User-Agent:
Flows TCP 192.168.1.1:1031 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1032 ➝ 50.63.202.57:80
Flows TCP 192.168.1.1:1033 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1034 ➝ 207.150.212.42:80
Flows TCP 192.168.1.1:1035 ➝ 62.149.128.74:80
Flows TCP 192.168.1.1:1036 ➝ 207.148.248.143:80
Flows TCP 192.168.1.1:1037 ➝ 162.211.181.53:80
Flows TCP 192.168.1.1:1038 ➝ 69.172.201.208:80
Flows TCP 192.168.1.1:1039 ➝ 74.208.87.176:80
Flows TCP 192.168.1.1:1040 ➝ 69.195.129.70:80
Flows TCP 192.168.1.1:1041 ➝ 69.172.201.208:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206e   : close..Host: n
0x00000040 (00064)   69676874 636f6e64 6974696f 6e2e6e65   ightcondition.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   61726765 6e617469 6f6e2e6e 65740d0a   argenation.net..
0x00000050 (00080)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   65636f72 64736f6c 64696572 2e6e6574   ecordsoldier.net
0x00000050 (00080)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   74726565 74736f6c 64696572 2e6e6574   treetsoldier.net
0x00000050 (00080)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2071   : close..Host: q
0x00000040 (00064)   75696574 706c6561 73652e6e 65740d0a   uietplease.net..
0x00000050 (00080)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206e   : close..Host: n
0x00000040 (00064)   69676874 706f7765 722e6e65 740d0a0d   ightpower.net...
0x00000050 (00080)   0a0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   61726765 706f7765 722e6e65 740d0a0d   argepower.net...
0x00000050 (00080)   0a0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   61707461 696e706f 7765722e 6e65740d   aptainpower.net.
0x00000050 (00080)   0a0d0a0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   6c656374 72696363 656e7475 72792e6e   lectriccentury.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   65636f72 6466616d 6f75732e 6e65740d   ecordfamous.net.
0x00000050 (00080)   0a0d0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   6c656374 72696370 6f776572 2e6e6574   lectricpower.net
0x00000050 (00080)   0d0a0d0a 0d0a                         ......


Strings