Analysis Date: 2015-10-31 17:06:40
MD5: dbb0839844f796f95d5cbdab5c41d37b
SHA1: 00e88714dbdcd59a65d8db8dbc2e683fa01c67e0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 05c73c0c12bff105553fd4167ef6ef35 sha1: 65ceac2068a034da935b5d15bd520af6e22379cf size: 107008
Section .rdata: md5: 63136b06a80d8fb6fd76a6e22db9f8f4 sha1: 0e13ac54c163b7cf09fefa73540742ea8a23a24d size: 41984
Section .data: md5: 9353f652a49d5f2b4686eb703b69fa4a sha1: 473c77eb94f6c9825d49ac430aa8bac59bc30d97 size: 35840
Section .rsrc: md5: 41efe110e53428a2d83bde7496d45b2c sha1: fb02d055ecd62cdbcaf8adac233ef1b40f5ad292 size: 127488
Timestamp: 2015-10-19 11:08:22
Packer: Microsoft Visual C++ ?.?
PEhash: 5e56c646668d6201a9e18b3979b0167567706a25
IMPhash: 9d3d9d3f20c4ef483f0b0905b09e4505
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan.GenericKDZ.30724
AV Dr. Web: Trojan.Inject1.56622
AV ClamAV: no_virus
AV Arcabit (arcavir): Trojan.GenericKDZ.30724
AV BullGuard: Trojan.GenericKDZ.30724
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan-Ransom.Win32.Cryptodef.aahw
AV Zillya!: no_virus
AV Emsisoft: Trojan.GenericKDZ.30724
AV Ikarus: Trojan.Win32.Injector
AV Frisk (f-prot): no_virus
AV Authentium: W32/Agent.XL.gen!Eldorado
AV MalwareBytes: Ransom.CryptoWall
AV MicroWorld (escan): Trojan.GenericKDZ.30724
AV Microsoft Security Essentials: Ransom:Win32/Crowti
AV K7: Trojan ( 004cef571 )
AV BitDefender: Trojan.GenericKDZ.30724
AV Fortinet: W32/Kryptik.EASA!tr
AV Symantec: no_virus
AV Grisoft (avg): Crypt_r.AEY
AV Eset (nod32): Win32/Injector.BNHS
AV Alwil (avast): Androp [Drp]
AV Ad-Aware: Trojan.GenericKDZ.30724
AV Rising: no_virus
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.196143
AV Mcafee: Gamarue-FDC!DBB0839844F7

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\explorer.exe

Process
↳ C:\WINDOWS\explorer.exe

Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\6ff06165.exe
Creates File: C:\6ff06165\6ff06165.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\6ff06165.exe
Creates Process: -k netsvcs
Creates Process: vssadmin.exe Delete Shadows /All /Quiet

Process
↳ -k netsvcs

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ vssadmin.exe Delete Shadows /All /Quiet

Creates File: PIPE\lsarpc

Network Details:

