Analysis Date: 2015-11-23 02:02:44
MD5: 4181319db87b66882b85853811c4af5b
SHA1: 080f4da15204232344f4e29cfedfbbc3bfa7f878

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 9fba940a24df9a1a90ccc1f1c7cedb86 sha1: 63c8361fa75dfbb2beeac1bbcbd6ded356f88d40 size: 160768
Section .rdata md5: 0adada5efa1fc1396b64e7d3a8ee23b5 sha1: b078af403554744bf2ce454106678a6fd0926283 size: 38400
Section .data md5: e06ae9b04249258e13103f5818b4f5ea sha1: 4c75b98ae50c34741cbee337f41147b1676f2851 size: 7168
Timestamp: 2015-03-13 09:21:09
Packer: Microsoft Visual C++ ?.?
PEhash: e5ebcf50447377098b82145b2908dab20527d93b
IMPhash: ff688b962c07adc75a2d8520190aaf40
AV Rising: 0x59391a43
AV Mcafee: Trojan-FEVX!4181319DB87B
AV Avira (antivir): TR/AD.Rodecap.Y.15
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Alwil (avast): Kryptik-PDK [Trj]
AV Eset (nod32): Win32/Agent.VNC
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Rodecap.BJ!tr
AV BitDefender: Gen:Variant.Rodecap.1
AV K7: Trojan ( 004938ec1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BL
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV MalwareBytes: Trojan.Agent
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Rodecap
AV Emsisoft: Gen:Variant.Rodecap.1
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Rodecap.1
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader17.44317
AV F-Secure: Gen:Variant.Rodecap.1
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\bvjgujpgc\ycu1knxxejbqf5oov.exe
Creates File: C:\WINDOWS\bvjgujpgc\agyeayj1vtnl
Creates File: C:\bvjgujpgc\agyeayj1vtnl
Deletes File: C:\WINDOWS\bvjgujpgc\agyeayj1vtnl
Creates Process: C:\bvjgujpgc\ycu1knxxejbqf5oov.exe

Process
↳ C:\bvjgujpgc\ycu1knxxejbqf5oov.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Accounts Telephony Provider ➝ C:\bvjgujpgc\hisexauzxcp.exe
Creates File: C:\bvjgujpgc\hisexauzxcp.exe
Creates File: C:\bvjgujpgc\wvutzsaxo
Creates File: C:\WINDOWS\bvjgujpgc\agyeayj1vtnl
Creates File: C:\bvjgujpgc\agyeayj1vtnl
Deletes File: C:\WINDOWS\bvjgujpgc\agyeayj1vtnl
Creates Process: C:\bvjgujpgc\hisexauzxcp.exe
Creates Service: Function NetBIOS WWAN Scheduler Grouping - C:\bvjgujpgc\hisexauzxcp.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1884

Process
↳ Pid 1172

Process
↳ C:\bvjgujpgc\hisexauzxcp.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\bvjgujpgc\wvutzsaxo
Creates File: C:\WINDOWS\bvjgujpgc\agyeayj1vtnl
Creates File: \Device\Afd\Endpoint
Creates File: C:\bvjgujpgc\xdwbozd
Creates File: C:\bvjgujpgc\cghdodnfc.exe
Creates File: C:\bvjgujpgc\agyeayj1vtnl
Deletes File: C:\WINDOWS\bvjgujpgc\agyeayj1vtnl
Creates Process: ojj3hyowydtf "c:\bvjgujpgc\hisexauzxcp.exe"

Process
↳ C:\bvjgujpgc\hisexauzxcp.exe

Creates File: C:\WINDOWS\bvjgujpgc\agyeayj1vtnl
Creates File: C:\bvjgujpgc\agyeayj1vtnl
Deletes File: C:\WINDOWS\bvjgujpgc\agyeayj1vtnl

Process
↳ ojj3hyowydtf "c:\bvjgujpgc\hisexauzxcp.exe"

Creates File: C:\WINDOWS\bvjgujpgc\agyeayj1vtnl
Creates File: C:\bvjgujpgc\agyeayj1vtnl
Deletes File: C:\WINDOWS\bvjgujpgc\agyeayj1vtnl
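
The three malware processes above form a drop-and-execute chain: malware.exe drops and runs ycu1knxxejbqf5oov.exe, which installs hisexauzxcp.exe under both a Run value and a service, and that binary then re-launches itself with a random first token on its command line. The following Python is an added example, not part of the report or of the sandbox that produced it: it turns those entries into a structured event list and pulls out the execution edges, the self-respawn, the persistence entries and the dropped files that survive the run. REPORT is my own transcription of the report's lines into "Key: value" form (with " -> " standing for the ➝ arrow), so the parsing rules are assumptions about that transcription; the paths, value name and service name are the ones the report shows.

```python
"""Structured extraction of the runtime observations in the sandbox report.
Added example; REPORT is a hand transcription of the report's entries for the
three malware processes, so the parsing rules below are assumptions about that
transcription, not about the sandbox's own output format."""
import re

REPORT = r"""
Process: C:\malware.exe
Creates File: C:\bvjgujpgc\ycu1knxxejbqf5oov.exe
Creates File: C:\WINDOWS\bvjgujpgc\agyeayj1vtnl
Creates File: C:\bvjgujpgc\agyeayj1vtnl
Deletes File: C:\WINDOWS\bvjgujpgc\agyeayj1vtnl
Creates Process: C:\bvjgujpgc\ycu1knxxejbqf5oov.exe

Process: C:\bvjgujpgc\ycu1knxxejbqf5oov.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Accounts Telephony Provider -> C:\bvjgujpgc\hisexauzxcp.exe
Creates File: C:\bvjgujpgc\hisexauzxcp.exe
Creates File: C:\bvjgujpgc\wvutzsaxo
Creates Process: C:\bvjgujpgc\hisexauzxcp.exe
Creates Service: Function NetBIOS WWAN Scheduler Grouping - C:\bvjgujpgc\hisexauzxcp.exe

Process: C:\bvjgujpgc\hisexauzxcp.exe
Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates File: C:\bvjgujpgc\xdwbozd
Creates File: C:\bvjgujpgc\cghdodnfc.exe
Creates Process: ojj3hyowydtf "c:\bvjgujpgc\hisexauzxcp.exe"
"""

ACTIONS = {"Creates File", "Deletes File", "Creates Process", "Creates Service", "Registry"}
DRIVE_PATH = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def parse_events(report):
    """Return (process, action, value) triples, attributing each entry to the
    nearest preceding 'Process:' header."""
    events, current = [], None
    for raw in report.splitlines():
        key, sep, value = raw.strip().partition(": ")
        if not sep:
            continue
        if key == "Process":
            current = value
        elif key in ACTIONS and current is not None:
            events.append((current, key, value))
    return events


def image_path(command_line):
    """Image behind a 'Creates Process' entry. The third generation is started as
    ojj3hyowydtf "c:\\...\\hisexauzxcp.exe": a random first token with the real
    image quoted after it, so a quoted path wins over the bare command line."""
    m = re.search(r'"([^"]+)"', command_line)
    return (m.group(1) if m else command_line).lower()


def execution_edges(events):
    """(parent image, child image) pairs, lower-cased for comparison."""
    return [(proc.lower(), image_path(v)) for proc, a, v in events if a == "Creates Process"]


def self_respawns(events):
    """Images that launch a fresh copy of themselves."""
    return sorted({parent for parent, child in execution_edges(events) if parent == child})


def persistence(events):
    """Run-key value and service that survive a reboot, with their target images."""
    found = {}
    for _, action, value in events:
        if action == "Registry" and "\\currentversion\\run\\" in value.lower():
            key, _, target = value.partition(" -> ")
            found["run_value"] = key.rsplit("\\", 1)[1]
            found["run_image"] = target
        elif action == "Creates Service":
            name, _, image = value.partition(" - ")
            found["service_name"], found["service_image"] = name, image
    return found


def surviving_files(events):
    """Dropped files not deleted again during the run. Only drive-letter paths
    count; named pipes and device objects are not on-disk artefacts."""
    created = {v.lower() for _, a, v in events if a == "Creates File" and DRIVE_PATH.match(v)}
    deleted = {v.lower() for _, a, v in events if a == "Deletes File"}
    return sorted(created - deleted)


def drop_directories(events):
    """Directories that hold the surviving dropped files."""
    return sorted({p.rsplit("\\", 1)[0] for p in surviving_files(events)})


EVENTS = parse_events(REPORT)

if __name__ == "__main__":
    for parent, child in execution_edges(EVENTS):
        print("spawn:", parent, "->", child)
    print("self-respawn:", self_respawns(EVENTS))
    print("persistence:", persistence(EVENTS))
    print("drop directories:", drop_directories(EVENTS))
    print("surviving files:", *surviving_files(EVENTS), sep="\n  ")
```

The surviving-file list is what to look for on a host: one random-named directory directly under C:\ holding the executables and data files, a Run value named "Accounts Telephony Provider" and a service named "Function NetBIOS WWAN Scheduler Grouping", both pointing at the same image. The create-then-delete of C:\WINDOWS\bvjgujpgc\agyeayj1vtnl is left out of the surviving set rather than interpreted; the report records the operations, not their purpose.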

Network Details:

DNS: tradelanguage.net Type: A ➝ 98.139.135.129
DNS: betterlanguage.net Type: A ➝ 195.22.28.196, 195.22.28.197, 195.22.28.198, 195.22.28.199
DNS: betterdevice.net Type: A ➝ 184.168.221.104
DNS: melbourneit.hotkeysparking.com Type: A ➝ 8.5.1.16
DNS: seasonbefore.net Type: A ➝ 208.100.26.234
DNS: nightspring.net Type: A ➝ 66.96.160.141
DNS: captainsuccess.net Type: A ➝ 50.63.202.48
DNS: electricspring.net Type: A ➝ 77.244.243.57
DNS: tradespring.net Type: A ➝ 98.124.199.107
DNS: tradesuccess.net Type: A ➝ 103.238.230.10
DNS: streetbanker.net Type: A ➝ 208.91.197.27
DNS: hdredirect-lb-399551664.us-east-1.elb.amazonaws.com Type: A ➝ 54.208.74.215, 54.174.31.254
DNS: tradesettle.net Type: A (no answer recorded)
DNS: streetlanguage.net Type: A (no answer recorded)
DNS: streetdevice.net Type: A (no answer recorded)
DNS: tradedevice.net Type: A (no answer recorded)
DNS: streetbefore.net Type: A (no answer recorded)
DNS: tradebefore.net Type: A (no answer recorded)
DNS: bettersettle.net Type: A (no answer recorded)
DNS: gathersettle.net Type: A (no answer recorded)
DNS: gatherlanguage.net Type: A (no answer recorded)
DNS: gatherdevice.net Type: A (no answer recorded)
DNS: betterbefore.net Type: A (no answer recorded)
DNS: gatherbefore.net Type: A (no answer recorded)
DNS: fliersettle.net Type: A (no answer recorded)
DNS: breadsettle.net Type: A (no answer recorded)
DNS: flierlanguage.net Type: A (no answer recorded)
DNS: breadlanguage.net Type: A (no answer recorded)
DNS: flierdevice.net Type: A (no answer recorded)
DNS: breaddevice.net Type: A (no answer recorded)
DNS: flierbefore.net Type: A (no answer recorded)
DNS: breadbefore.net Type: A (no answer recorded)
DNS: quietsettle.net Type: A (no answer recorded)
DNS: seasonsettle.net Type: A (no answer recorded)
DNS: quietlanguage.net Type: A (no answer recorded)
DNS: seasonlanguage.net Type: A (no answer recorded)
DNS: quietdevice.net Type: A (no answer recorded)
DNS: seasondevice.net Type: A (no answer recorded)
DNS: quietbefore.net Type: A (no answer recorded)
DNS: againstfound.net Type: A (no answer recorded)
DNS: doubtfound.net Type: A (no answer recorded)
DNS: againstspring.net Type: A (no answer recorded)
DNS: doubtspring.net Type: A (no answer recorded)
DNS: againstsuccess.net Type: A (no answer recorded)
DNS: doubtsuccess.net Type: A (no answer recorded)
DNS: againstbanker.net Type: A (no answer recorded)
DNS: doubtbanker.net Type: A (no answer recorded)
DNS: nightfound.net Type: A (no answer recorded)
DNS: decidefound.net Type: A (no answer recorded)
DNS: decidespring.net Type: A (no answer recorded)
DNS: nightsuccess.net Type: A (no answer recorded)
DNS: decidesuccess.net Type: A (no answer recorded)
DNS: nightbanker.net Type: A (no answer recorded)
DNS: decidebanker.net Type: A (no answer recorded)
DNS: largefound.net Type: A (no answer recorded)
DNS: captainfound.net Type: A (no answer recorded)
DNS: largespring.net Type: A (no answer recorded)
DNS: captainspring.net Type: A (no answer recorded)
DNS: largesuccess.net Type: A (no answer recorded)
DNS: largebanker.net Type: A (no answer recorded)
DNS: captainbanker.net Type: A (no answer recorded)
DNS: recordfound.net Type: A (no answer recorded)
DNS: electricfound.net Type: A (no answer recorded)
DNS: recordspring.net Type: A (no answer recorded)
DNS: recordsuccess.net Type: A (no answer recorded)
DNS: electricsuccess.net Type: A (no answer recorded)
DNS: recordbanker.net Type: A (no answer recorded)
DNS: electricbanker.net Type: A (no answer recorded)
DNS: streetfound.net Type: A (no answer recorded)
DNS: tradefound.net Type: A (no answer recorded)
DNS: streetspring.net Type: A (no answer recorded)
DNS: streetsuccess.net Type: A (no answer recorded)
DNS: tradebanker.net Type: A (no answer recorded)
DNS: betterfound.net Type: A (no answer recorded)
DNS: gatherfound.net Type: A (no answer recorded)
DNS: betterspring.net Type: A (no answer recorded)
DNS: gatherspring.net Type: A (no answer recorded)
DNS: bettersuccess.net Type: A (no answer recorded)
DNS: gathersuccess.net Type: A (no answer recorded)
DNS: betterbanker.net Type: A (no answer recorded)
DNS: gatherbanker.net Type: A (no answer recorded)
DNS: flierfound.net Type: A (no answer recorded)
DNS: breadfound.net Type: A (no answer recorded)
DNS: flierspring.net Type: A (no answer recorded)
DNS: breadspring.net Type: A (no answer recorded)
DNS: fliersuccess.net Type: A (no answer recorded)
DNS: breadsuccess.net Type: A (no answer recorded)
HTTP GET: http://tradelanguage.net/index.php?method&len
User-Agent:
HTTP GET: http://betterlanguage.net/index.php?method&len
User-Agent:
HTTP GET: http://betterdevice.net/index.php?method&len
User-Agent:
HTTP GET: http://flierbefore.net/index.php?method&len
User-Agent:
HTTP GET: http://seasonbefore.net/index.php?method&len
User-Agent:
HTTP GET: http://nightspring.net/index.php?method&len
User-Agent:
HTTP GET: http://captainsuccess.net/index.php?method&len
User-Agent:
HTTP GET: http://electricspring.net/index.php?method&len
User-Agent:
HTTP GET: http://tradespring.net/index.php?method&len
User-Agent:
HTTP GET: http://tradesuccess.net/index.php?method&len
User-Agent:
HTTP GET: http://streetbanker.net/index.php?method&len
User-Agent:
HTTP GET: http://bettersuccess.net/index.php?method&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.28.196:80
Flows TCP: 192.168.1.1:1033 ➝ 184.168.221.104:80
Flows TCP: 192.168.1.1:1034 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1035 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1036 ➝ 66.96.160.141:80
Flows TCP: 192.168.1.1:1037 ➝ 50.63.202.48:80
Flows TCP: 192.168.1.1:1038 ➝ 77.244.243.57:80
Flows TCP: 192.168.1.1:1039 ➝ 98.124.199.107:80
Flows TCP: 192.168.1.1:1040 ➝ 103.238.230.10:80
Flows TCP: 192.168.1.1:1041 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1042 ➝ 54.208.74.215:80
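
Every .net name in the DNS section is two English words joined without a separator, drawn from 16 first words and 8 second words, and the sample walks through them, fetching /index.php?method&len from each one that resolves. The block below is an added example, not part of the report: it encodes the vocabulary observed in this run as one anchored regular expression, checks that it explains all 85 .net queries, measures how much of the 16 x 8 space this run covered, and applies the same matcher to a few constructed DNS log lines. The two hostnames that are not word pairs (melbourneit.hotkeysparking.com, a domain-parking host, and an amazonaws.com load balancer) are not in the HTTP section; reading them as the answers behind flierbefore.net and bettersuccess.net, which were fetched over HTTP but have no A answer of their own listed, is my inference from the order of the flows, not something the report states. The word lists describe only what this run queried; the generator itself is not on the page, so the regex is a hunt for this sample's vocabulary, not a general DGA detector.

```python
"""Word-pair domain matcher built from the queries in the sandbox report.
Added example, not part of the report. The word lists were read off the DNS
section for this one run; the sample's generator is not on the page."""
import re

# First and second words observed in the sample's queries (derived from the report).
FIRST_WORDS = ("trade", "better", "street", "gather", "flier", "bread", "quiet",
               "season", "against", "doubt", "night", "decide", "large",
               "captain", "record", "electric")
SECOND_WORDS = ("language", "device", "before", "settle", "found", "spring",
                "success", "banker")

# Every .net name in the report's DNS section (85 of its 87 queries; the other
# two are a parking host and an AWS load balancer, not word pairs).
REPORT_DOMAINS = [label + ".net" for label in """
tradelanguage betterlanguage betterdevice seasonbefore nightspring captainsuccess electricspring
tradespring tradesuccess streetbanker tradesettle streetlanguage streetdevice tradedevice
streetbefore tradebefore bettersettle gathersettle gatherlanguage gatherdevice betterbefore
gatherbefore fliersettle breadsettle flierlanguage breadlanguage flierdevice breaddevice
flierbefore breadbefore quietsettle seasonsettle quietlanguage seasonlanguage quietdevice
seasondevice quietbefore againstfound doubtfound againstspring doubtspring againstsuccess
doubtsuccess againstbanker doubtbanker nightfound decidefound decidespring nightsuccess
decidesuccess nightbanker decidebanker largefound captainfound largespring captainspring
largesuccess largebanker captainbanker recordfound electricfound recordspring recordsuccess
electricsuccess recordbanker electricbanker streetfound tradefound streetspring streetsuccess
tradebanker betterfound gatherfound betterspring gatherspring bettersuccess gathersuccess
betterbanker gatherbanker flierfound breadfound flierspring breadspring fliersuccess
breadsuccess
""".split()]

# One anchored pattern for the whole vocabulary: <first><second>.net, nothing else.
WORDPAIR_RE = re.compile(
    r"^(?P<first>" + "|".join(sorted(FIRST_WORDS, key=len, reverse=True)) + r")"
    r"(?P<second>" + "|".join(sorted(SECOND_WORDS, key=len, reverse=True)) + r")\.net$"
)


def split_wordpair(hostname):
    """(first, second) if hostname is built from the sample's vocabulary, else None.
    Case-insensitive; a trailing dot from a DNS log is tolerated."""
    m = WORDPAIR_RE.match(hostname.lower().rstrip("."))
    return (m.group("first"), m.group("second")) if m else None


def unmatched(hostnames):
    """Names in the list that the vocabulary does not explain."""
    return [h for h in hostnames if split_wordpair(h) is None]


def coverage(hostnames):
    """(distinct word pairs seen, size of the first x second space)."""
    seen = {split_wordpair(h) for h in hostnames} - {None}
    return len(seen), len(FIRST_WORDS) * len(SECOND_WORDS)


def flag_dns_log(lines):
    """Pick word-pair queries out of DNS log lines. Constructed line format
    (an assumption, not a real resolver's format): '<time> <client> <qtype> <qname>'.
    Returns (client, qname, (first, second)) per hit."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        pair = split_wordpair(fields[-1])
        if pair:
            hits.append((fields[1], fields[-1], pair))
    return hits


# Constructed log lines: two of the sample's names, a look-alike, the parking
# host from the report and an unrelated query.
SAMPLE_DNS_LOG = [
    "2015-11-23T02:03:01 192.168.1.1 A tradelanguage.net",
    "2015-11-23T02:03:01 192.168.1.1 A tradewinds.net",
    "2015-11-23T02:03:02 192.168.1.1 A melbourneit.hotkeysparking.com",
    "2015-11-23T02:03:05 192.168.1.7 A www.example.com",
    "2015-11-23T02:03:09 192.168.1.1 A doubtbanker.net.",
]

if __name__ == "__main__":
    print("unexplained report names:", unmatched(REPORT_DOMAINS))
    print("coverage of the word-pair space: %d of %d" % coverage(REPORT_DOMAINS))
    for client, qname, pair in flag_dns_log(SAMPLE_DNS_LOG):
        print("hit:", client, qname, pair)
```

The regex is anchored on both ends and requires the .net suffix, so a name that merely starts with one of the words (tradewinds.net in the constructed log) does not match; that is the difference between a vocabulary hunt and a substring grep, and it is what keeps the false-positive rate tolerable when the lists are this short.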
