Analysis Date: 2015-07-25 06:23:30
MD5: 6ea12845ecaf6e3ef51a177bbb81282f
SHA1: ff1796273e5429bb5a353bc9d0c31645e1c68ba2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 66fe21b5ccd3479f11df7f73268da5b1 sha1: 6dda7542fcb86c418aaa10e4ec8567f30d7e04ff size: 283136
Section .rdata: md5: 3e48c00a04d1ac5a114c6d5fce966c0b sha1: fdfa66b257dd906303cda3ef5ebab98b8379b083 size: 43008
Section .data: md5: e0009094b84f2ecb2b666100b637685c sha1: db341a2f956be048615fac08a6770a6b16b8323d size: 7168
Section .reloc: md5: 52d7ec4586a1f2f37f54b834dec60591 sha1: d49417a0d252e1dcdd731d83cc78b615ce8bd890 size: 22528
Timestamp: 2015-05-21 03:59:41
Packer: Microsoft Visual C++ ?.? (a compiler signature, not a packer)
PEhash: aaf107f392ad77ad1a591348d03498eabcfd9106
IMPhash: 049dcc57ec815a58be3df59a20622f01
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Diley.1
AV Dr. Web: Trojan.Bayrob.5
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV BullGuard: Gen:Variant.Diley.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.r4
AV Trend Micro: TROJ_BAYROB.SM0
AV Kaspersky: no_virus
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Diley.1
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.V.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Diley.1
AV Fortinet: W32/Babrob.Y!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Bayrob.Z
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Diley.1
AV Rising: no_virus
AV Twister: Trojan.Generic.yboz
AV Avira (antivir): TR/Crypt.ZPACK.84317
AV Mcafee: Trojan-FGIJ!6EA12845ECAF

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\tuxzocmevibki\ik1m8cxhjmudskz.exe
Creates File: C:\tuxzocmevibki\i7nu9si4
Creates File: C:\WINDOWS\tuxzocmevibki\i7nu9si4
Deletes File: C:\WINDOWS\tuxzocmevibki\i7nu9si4
Creates Process: C:\tuxzocmevibki\ik1m8cxhjmudskz.exe

Process
↳ C:\tuxzocmevibki\ik1m8cxhjmudskz.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AutoConfig IPsec Drive BranchCache Audio ➝ C:\tuxzocmevibki\zjxmdcddxr.exe
Creates File: C:\tuxzocmevibki\i7nu9si4
Creates File: C:\WINDOWS\tuxzocmevibki\i7nu9si4
Creates File: C:\tuxzocmevibki\zjxmdcddxr.exe
Creates File: PIPE\lsarpc
Creates File: C:\tuxzocmevibki\ktphcqratczv
Deletes File: C:\WINDOWS\tuxzocmevibki\i7nu9si4
Creates Process: C:\tuxzocmevibki\zjxmdcddxr.exe
Creates Service: Resolution Reports Transfer - C:\tuxzocmevibki\zjxmdcddxr.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1880

Process
↳ Pid 1196

Process
↳ C:\tuxzocmevibki\zjxmdcddxr.exe

Creates File: C:\tuxzocmevibki\i7nu9si4
Creates File: pipe\net\NtControlPipe10
Creates File: C:\tuxzocmevibki\q21coybidu
Creates File: C:\WINDOWS\tuxzocmevibki\i7nu9si4
Creates File: \Device\Afd\Endpoint
Creates File: C:\tuxzocmevibki\ivohqzu.exe
Creates File: C:\tuxzocmevibki\ktphcqratczv
Deletes File: C:\WINDOWS\tuxzocmevibki\i7nu9si4
Creates Process: pzas7vdufeve "c:\tuxzocmevibki\zjxmdcddxr.exe"

Process
↳ C:\tuxzocmevibki\zjxmdcddxr.exe

Creates File: C:\tuxzocmevibki\i7nu9si4
Creates File: C:\WINDOWS\tuxzocmevibki\i7nu9si4
Deletes File: C:\WINDOWS\tuxzocmevibki\i7nu9si4

Process
↳ pzas7vdufeve "c:\tuxzocmevibki\zjxmdcddxr.exe"

Creates File: C:\tuxzocmevibki\i7nu9si4
Creates File: C:\WINDOWS\tuxzocmevibki\i7nu9si4
Deletes File: C:\WINDOWS\tuxzocmevibki\i7nu9si4

Network Details:

DNS: partyclothes.net (A) ➝ 109.68.33.25
DNS: freshcatch.net (A) ➝ 192.155.217.146
DNS: crowdcatch.net (A) ➝ 50.63.202.47
DNS: summerdress.net (A) ➝ 50.87.150.116
DNS: partydress.net (A) ➝ 208.73.211.179, 208.73.211.183, 208.73.211.192, 208.73.211.195
DNS: laughnotice.net (A) ➝ 95.211.230.75
DNS: fightseparate.net (A) ➝ (no answer recorded)
DNS: partyhealth.net (A) ➝ (no answer recorded)
DNS: fighthealth.net (A) ➝ (no answer recorded)
DNS: fightclothes.net (A) ➝ (no answer recorded)
DNS: partydistant.net (A) ➝ (no answer recorded)
DNS: fightdistant.net (A) ➝ (no answer recorded)
DNS: experiencecatch.net (A) ➝ (no answer recorded)
DNS: fresheearly.net (A) ➝ (no answer recorded)
DNS: experienceeearly.net (A) ➝ (no answer recorded)
DNS: freshpublic.net (A) ➝ (no answer recorded)
DNS: experiencepublic.net (A) ➝ (no answer recorded)
DNS: freshdress.net (A) ➝ (no answer recorded)
DNS: experiencedress.net (A) ➝ (no answer recorded)
DNS: gentlemancatch.net (A) ➝ (no answer recorded)
DNS: alreadycatch.net (A) ➝ (no answer recorded)
DNS: gentlemaneearly.net (A) ➝ (no answer recorded)
DNS: alreadyeearly.net (A) ➝ (no answer recorded)
DNS: gentlemanpublic.net (A) ➝ (no answer recorded)
DNS: alreadypublic.net (A) ➝ (no answer recorded)
DNS: gentlemandress.net (A) ➝ (no answer recorded)
DNS: alreadydress.net (A) ➝ (no answer recorded)
DNS: followcatch.net (A) ➝ (no answer recorded)
DNS: membercatch.net (A) ➝ (no answer recorded)
DNS: followeearly.net (A) ➝ (no answer recorded)
DNS: membereearly.net (A) ➝ (no answer recorded)
DNS: followpublic.net (A) ➝ (no answer recorded)
DNS: memberpublic.net (A) ➝ (no answer recorded)
DNS: followdress.net (A) ➝ (no answer recorded)
DNS: memberdress.net (A) ➝ (no answer recorded)
DNS: begincatch.net (A) ➝ (no answer recorded)
DNS: knowncatch.net (A) ➝ (no answer recorded)
DNS: begineearly.net (A) ➝ (no answer recorded)
DNS: knowneearly.net (A) ➝ (no answer recorded)
DNS: beginpublic.net (A) ➝ (no answer recorded)
DNS: knownpublic.net (A) ➝ (no answer recorded)
DNS: begindress.net (A) ➝ (no answer recorded)
DNS: knowndress.net (A) ➝ (no answer recorded)
DNS: summercatch.net (A) ➝ (no answer recorded)
DNS: summereearly.net (A) ➝ (no answer recorded)
DNS: crowdeearly.net (A) ➝ (no answer recorded)
DNS: summerpublic.net (A) ➝ (no answer recorded)
DNS: crowdpublic.net (A) ➝ (no answer recorded)
DNS: crowddress.net (A) ➝ (no answer recorded)
DNS: thoughtcatch.net (A) ➝ (no answer recorded)
DNS: watercatch.net (A) ➝ (no answer recorded)
DNS: thoughteearly.net (A) ➝ (no answer recorded)
DNS: watereearly.net (A) ➝ (no answer recorded)
DNS: thoughtpublic.net (A) ➝ (no answer recorded)
DNS: waterpublic.net (A) ➝ (no answer recorded)
DNS: thoughtdress.net (A) ➝ (no answer recorded)
DNS: waterdress.net (A) ➝ (no answer recorded)
DNS: womancatch.net (A) ➝ (no answer recorded)
DNS: smokecatch.net (A) ➝ (no answer recorded)
DNS: womaneearly.net (A) ➝ (no answer recorded)
DNS: smokeeearly.net (A) ➝ (no answer recorded)
DNS: womanpublic.net (A) ➝ (no answer recorded)
DNS: smokepublic.net (A) ➝ (no answer recorded)
DNS: womandress.net (A) ➝ (no answer recorded)
DNS: smokedress.net (A) ➝ (no answer recorded)
DNS: partycatch.net (A) ➝ (no answer recorded)
DNS: fightcatch.net (A) ➝ (no answer recorded)
DNS: partyeearly.net (A) ➝ (no answer recorded)
DNS: fighteearly.net (A) ➝ (no answer recorded)
DNS: partypublic.net (A) ➝ (no answer recorded)
DNS: fightpublic.net (A) ➝ (no answer recorded)
DNS: fightdress.net (A) ➝ (no answer recorded)
DNS: severalength.net (A) ➝ (no answer recorded)
DNS: laughlength.net (A) ➝ (no answer recorded)
DNS: severanotice.net (A) ➝ (no answer recorded)
DNS: severaindeed.net (A) ➝ (no answer recorded)
DNS: laughindeed.net (A) ➝ (no answer recorded)
DNS: severaduring.net (A) ➝ (no answer recorded)
DNS: laughduring.net (A) ➝ (no answer recorded)
DNS: simplelength.net (A) ➝ (no answer recorded)
DNS: motherlength.net (A) ➝ (no answer recorded)
DNS: simplenotice.net (A) ➝ (no answer recorded)
DNS: mothernotice.net (A) ➝ (no answer recorded)
DNS: simpleindeed.net (A) ➝ (no answer recorded)
DNS: motherindeed.net (A) ➝ (no answer recorded)
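
Every name queried above has the same shape: a common English word joined to a second common word under .net, and only six of them resolve. The block below is an added example for this report, not part of the sandbox output or of the malware: it recovers the two word lists from a subset of the report's queries by counting which prefixes and which suffixes recur, then uses the lists to classify new names and to enumerate the generator's remaining namespace. The control name example.com and the threshold of two occurrences per word are my assumptions.

```python
from collections import Counter

# Constructed sample for this example: a subset of the A-record queries in the
# report above (all of these names appear there), plus one control name,
# example.com, which is NOT in the report and is assumed to be benign.
OBSERVED = [
    "partyclothes.net", "partydress.net", "partycatch.net", "partypublic.net",
    "fightclothes.net", "fightdress.net", "fightcatch.net", "fightpublic.net",
    "freshcatch.net", "freshdress.net", "freshpublic.net",
    "summerdress.net", "summercatch.net", "summerpublic.net",
    "laughnotice.net", "laughlength.net", "laughindeed.net",
    "mothernotice.net", "motherlength.net", "motherindeed.net",
    "simplenotice.net", "simplelength.net", "simpleindeed.net",
    "example.com",
]


def label_of(domain: str) -> str:
    """Leftmost DNS label, lower-cased; the TLD carries no signal here."""
    return domain.lower().rstrip(".").split(".")[0]


def recover_vocab(domains, min_count: int = 2):
    """Recover the two word lists behind prefix+suffix names.

    Counts every proper prefix and suffix across the de-duplicated labels.
    A split (p, s) of a label is admissible only if p starts at least
    `min_count` labels and s ends at least `min_count` labels; among the
    admissible splits the one with the largest count(p) * count(s) wins.
    Labels with no admissible split (the control name) map to None.
    Returns (prefixes, suffixes, splits).
    """
    labels = sorted({label_of(d) for d in domains})
    pre, suf = Counter(), Counter()
    for name in labels:
        for i in range(1, len(name)):
            pre[name[:i]] += 1
            suf[name[i:]] += 1
    splits = {}
    for name in labels:
        best, best_score = None, 0
        for i in range(1, len(name)):
            p, s = name[:i], name[i:]
            if pre[p] < min_count or suf[s] < min_count:
                continue
            score = pre[p] * suf[s]
            if score > best_score:
                best, best_score = (p, s), score
        splits[name] = best
    prefixes = {v[0] for v in splits.values() if v}
    suffixes = {v[1] for v in splits.values() if v}
    return prefixes, suffixes, splits


def is_dga_candidate(domain: str, prefixes, suffixes) -> bool:
    """True if the label is exactly one recovered prefix word + one suffix word."""
    name = label_of(domain)
    return any(name[len(p):] in suffixes for p in prefixes if name.startswith(p))


def generate_candidates(prefixes, suffixes, tld: str = "net"):
    """Full cross product of the word lists under one TLD: every name this
    generator can produce, usable as a blocklist or sinkhole seed."""
    return {f"{p}{s}.{tld}" for p in prefixes for s in suffixes}


if __name__ == "__main__":
    prefixes, suffixes, splits = recover_vocab(OBSERVED)
    print("prefixes:", sorted(prefixes))
    print("suffixes:", sorted(suffixes))
    for name, split in splits.items():
        print(f"{name:16s} -> {split}")
    print(len(generate_candidates(prefixes, suffixes)), "candidate names")
```

Run over the full list above, the same split produces tokens such as severa and eearly (severalength, severanotice, fresheearly, partyeearly) that are not English words but are used consistently by the sample; keep them verbatim when seeding a blocklist rather than "correcting" them to several and early. The volume of queries with no recorded answer is itself the stronger host-side signal: a single process issuing dozens of lookups for unregistered two-word .net names in a few seconds is the behaviour to alert on, independent of which names happen to resolve.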
HTTP GET: http://partyclothes.net/index.php (no User-Agent header sent)
HTTP GET: http://freshcatch.net/index.php (no User-Agent header sent)
HTTP GET: http://crowdcatch.net/index.php (no User-Agent header sent)
HTTP GET: http://summerdress.net/index.php (no User-Agent header sent)
HTTP GET: http://partydress.net/index.php (no User-Agent header sent)
HTTP GET: http://laughnotice.net/index.php (no User-Agent header sent)
Flow TCP: 192.168.1.1:1031 ➝ 109.68.33.25:80
Flow TCP: 192.168.1.1:1032 ➝ 192.155.217.146:80
Flow TCP: 192.168.1.1:1033 ➝ 50.63.202.47:80
Flow TCP: 192.168.1.1:1034 ➝ 50.87.150.116:80
Flow TCP: 192.168.1.1:1035 ➝ 208.73.211.179:80
Flow TCP: 192.168.1.1:1036 ➝ 95.211.230.75:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   61727479 636c6f74 6865732e 6e65740d   artyclothes.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   72657368 63617463 682e6e65 740d0a0d   reshcatch.net...
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   726f7764 63617463 682e6e65 740d0a0d   rowdcatch.net...
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   756d6d65 72647265 73732e6e 65740d0a   ummerdress.net..
0x00000050 (00080)   0d0a0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2070   : close..Host: p
0x00000040 (00064)   61727479 64726573 732e6e65 740d0a0d   artydress.net...
0x00000050 (00080)   0a0a0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206c   : close..Host: l
0x00000040 (00064)   61756768 6e6f7469 63652e6e 65740d0a   aughnotice.net..
0x00000050 (00080)   0d0a0a                                ...
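
The dumps above are the only place the report shows the request bytes themselves, and they confirm why the HTTP GET entries list no User-Agent: the request carries no User-Agent header at all, only Accept, Connection and Host. One caveat when reading them: every dump is 0x53 (83) bytes long, the length of the first (partyclothes.net) request, and for the shorter requests the bytes after the blank line match the tail of the preceding dump, so they are residue of a reused buffer rather than part of the request. The block below is an added example for this report, not code from the sandbox: it decodes the freshcatch.net dump (copied verbatim from above) back into bytes, checks the offsets, parses the request up to the end of its headers, and lists the traits a signature could key on. The column layout assumed by the regular expression and the indicator list are my reading of the dump format.

```python
import re
from dataclasses import dataclass

# Constructed input for this example: the second dump above (the freshcatch.net
# request), copied from the report exactly as the sandbox prints it.
DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000040 (00064)   72657368 63617463 682e6e65 740d0a0d   reshcatch.net...
0x00000050 (00080)   0a0d0a                                ...
"""

# One dump line: hex offset, decimal offset in parentheses, then up to four
# groups of hex bytes separated by single spaces.  The ASCII column that
# follows is separated by at least two spaces, which is where the group
# repetition stops, so ASCII text can never be mistaken for hex.
HEX_LINE = re.compile(
    r"^0x(?P<off>[0-9a-fA-F]{8})\s+\((?P<dec>\d+)\)\s+"
    r"(?P<hex>(?:[0-9a-fA-F]{2,8}(?: |$))+)"
)


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the captured bytes from a sandbox hex dump, checking that each
    line's offset equals the number of bytes recovered so far (a missing or
    reordered line would otherwise silently corrupt the request)."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        off = int(m["off"], 16)
        if off != len(out) or int(m["dec"]) != off:
            raise ValueError(f"offset {off:#x} does not follow {len(out)} bytes")
        out += bytes.fromhex(m["hex"].replace(" ", ""))
    return bytes(out)


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict      # header names lower-cased, values stripped
    trailing: bytes    # anything after the end of the headers


def parse_request(raw: bytes) -> Request:
    """Parse an HTTP request up to the first blank line.  Bytes after it are
    returned separately rather than treated as a body, because these dumps
    are fixed-size and carry stale bytes from the previous request."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("no end of headers in capture")
    lines = raw[:end].decode("ascii").split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, version, headers, raw[end + 4:])


def beacon_indicators(req: Request) -> list:
    """Traits of this check-in that a network signature could key on."""
    hits = []
    if "user-agent" not in req.headers:
        hits.append("no User-Agent header")
    if req.version == "HTTP/1.0":
        hits.append("HTTP/1.0 request line")
    if req.method == "GET" and req.target == "/index.php":
        hits.append("bare GET /index.php")
    if set(req.headers) == {"accept", "connection", "host"}:
        hits.append("only Accept/Connection/Host headers")
    return hits


if __name__ == "__main__":
    raw = dump_to_bytes(DUMP)
    req = parse_request(raw)
    print(f"{len(raw)} bytes: {req.method} {req.target} {req.version}, "
          f"host={req.headers['host']}")
    print("residue after headers:", req.trailing)
    print("indicators:", beacon_indicators(req))
```

Two bytes of residue (the trailing CRLF of the longer partyclothes.net request) come back in `trailing` for this dump; a parser that treated everything after the headers as a body, or that matched on total request length, would misclassify these captures. None of the four indicators is unique to this family on its own; the combination of an empty header set, HTTP/1.0, and a fixed path against a freshly resolved two-word domain is what makes the check-in distinctive.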


Strings: