Analysis Date: 2015-09-30 17:35:49
MD5: 4be58440dcfb4009c2917aba54f37574
SHA1: 15a4ae24d2f33886106ab5c976975fbd61c3ff97

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text    md5: 43c656e28b742520bdae8b5e1d2be842 sha1: deecf201f74ab42ed9e621f780a36cb73fff3f8d size: 224768
Section .data    md5: ae534068c86819693806eef0058c47c9 sha1: d3b6d59b3ae5f07281e6db36fdd60a6c8e27e465 size: 20480
Section .rdata   md5: c21f0140c1699ed218492e4339d4e6df sha1: 503f0ac8ab3434d9ca35319690b0f810e6fbaf65 size: 39936
Section .eh_fram md5: 1b08521427ab6aa5dd713365889ffb72 sha1: 6083d87f5339b239ad4f0da295c9f4b00e6db4ca size: 40448
Section .bss     md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata   md5: 45d024b2c3f183329bda6ffe5d737141 sha1: ae26b766338ecc20c0a58054b69500726677173d size: 6656
Section .CRT     md5: 22ea46cbd9f86b8a13383fc88b857229 sha1: 9f2348112edbf1138aa34671338e504e51d54e2d size: 512
Section .tls     md5: 0ce6abcd4a239e467a3f7c1eae57b7ac sha1: 517a855bd75ab3981304fca2766a949050841c60 size: 512
(.eh_fram is .eh_frame cut to the 8-character PE section-name limit; together with .CRT, .tls and .idata this layout is consistent with a MinGW/GCC-linked binary. .bss has no raw data, so its hashes are those of empty input.)
Timestamp (PE compile time): 2015-03-05 05:58:35
PEhash: 6ae4dc915e50b59fcb57d0ac7f4f401d4bf0bbb3
IMPhash: 7b8acf6dc7f892a31dfcd84ecdf2bd91
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV McAfee: Trojan-FGOJ!4BE58440DCFB
AV Avira (antivir): TR/ATRAPS.A.8154
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Symmi.51758
AV Alwil (avast): no_virus
AV Eset (nod32): Win32/Agent.XDQ
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g16
AV Fortinet: W32/Agent.XDQ!tr
AV BitDefender: Gen:Variant.Symmi.51758
AV K7: Trojan ( 004c988e1 )
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV MicroWorld (escan): Gen:Variant.Symmi.51758
AV MalwareBytes: no_virus
AV Authentium: W32/S-6a8c3109!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Agent
AV Emsisoft: Gen:Variant.Symmi.51758
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Scar.llkn
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.51758
AV Arcabit (arcavir): Gen:Variant.Symmi.51758
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader16.26004
AV F-Secure: Gen:Variant.Symmi.51758
(19 of the 31 engines listed report a detection. The Gen:Variant.Symmi.51758 name shared by Ad-Aware, BitDefender, MicroWorld (escan), Emsisoft, BullGuard, Arcabit and F-Secure is one BitDefender-engine signature, so the number of independent verdicts is smaller than the count suggests; most names are generic, and only Symantec ties the sample to a family.)

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\lrkiocjlxoiex\comez3fezk
Creates File: C:\lrkiocjlxoiex\comez3fezk
Creates File: C:\lrkiocjlxoiex\wedy4jb1l0ycxreolarcb.exe
Deletes File: C:\WINDOWS\lrkiocjlxoiex\comez3fezk
Creates Process: C:\lrkiocjlxoiex\wedy4jb1l0ycxreolarcb.exe

Process
↳ C:\lrkiocjlxoiex\wedy4jb1l0ycxreolarcb.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Cache Function CNG iSCSI Storage DHCP Location ➝ C:\lrkiocjlxoiex\hjj0uyt9ja.exe
Creates File: C:\WINDOWS\lrkiocjlxoiex\comez3fezk
Creates File: C:\lrkiocjlxoiex\pu8zfjsj
Creates File: C:\lrkiocjlxoiex\comez3fezk
Creates File: PIPE\lsarpc (LSA RPC named pipe)
Creates File: C:\lrkiocjlxoiex\hjj0uyt9ja.exe
Deletes File: C:\WINDOWS\lrkiocjlxoiex\comez3fezk
Creates Process: C:\lrkiocjlxoiex\hjj0uyt9ja.exe
Creates Service: Video Base Center UserMode - C:\lrkiocjlxoiex\hjj0uyt9ja.exe
(Two persistence entries, a Run value and a service, point at the same second-stage binary; both names are strings of Windows-sounding words rather than anything that exists in a stock install.)

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log (WMI event-subsystem log; routine svchost activity, not attributable to the sample)

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
(Standard print-spooler start-up reads of its own keys; not attributable to the sample.)

Process
↳ Pid 1860

Process
↳ Pid 1144

Process
↳ C:\lrkiocjlxoiex\hjj0uyt9ja.exe

Creates File: C:\WINDOWS\lrkiocjlxoiex\comez3fezk
Creates File: pipe\net\NtControlPipe10 (Service Control Manager control pipe, consistent with this instance running as the service registered above)
Creates File: C:\lrkiocjlxoiex\pu8zfjsj
Creates File: C:\lrkiocjlxoiex\comez3fezk
Creates File: C:\lrkiocjlxoiex\iiecxdmxyml.exe
Creates File: \Device\Afd\Endpoint (socket creation; the first network activity in the chain)
Creates File: C:\lrkiocjlxoiex\ndwpwan
Deletes File: C:\WINDOWS\lrkiocjlxoiex\comez3fezk
Creates Process: olyqwa0ydvy9 "c:\lrkiocjlxoiex\hjj0uyt9ja.exe" (re-launches the same binary with a random string as the first command-line token)

Process
↳ C:\lrkiocjlxoiex\hjj0uyt9ja.exe

Creates File: C:\WINDOWS\lrkiocjlxoiex\comez3fezk
Creates File: C:\lrkiocjlxoiex\comez3fezk
Deletes File: C:\WINDOWS\lrkiocjlxoiex\comez3fezk

Process
↳ olyqwa0ydvy9 "c:\lrkiocjlxoiex\hjj0uyt9ja.exe"

Creates File: C:\WINDOWS\lrkiocjlxoiex\comez3fezk
Creates File: C:\lrkiocjlxoiex\comez3fezk
Deletes File: C:\WINDOWS\lrkiocjlxoiex\comez3fezk
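The runtime section above shows one drop-and-execute chain (malware.exe writes and starts wedy4jb1l0ycxreolarcb.exe, which writes and starts hjj0uyt9ja.exe and registers it twice) in a freshly created top-level directory. The following is an added example, not part of the sandbox report: the EVENTS list is hand-built from the lines above using the same paths and names, the svchost line is the benign noise from the same report and must not fire, and the allowlist of trusted roots (Windows, Program Files, the standard top-level folders) is an assumption for a default install.

```python
"""Drop-and-execute / persistence triage over the process events reported above."""

# (acting process, action, target). Registry and service targets are encoded as
# "name=image path". Constructed from the report's Runtime Details section.
EVENTS = [
    ("C:\\malware.exe", "create_file", "C:\\lrkiocjlxoiex\\comez3fezk"),
    ("C:\\malware.exe", "create_file", "C:\\lrkiocjlxoiex\\wedy4jb1l0ycxreolarcb.exe"),
    ("C:\\malware.exe", "create_process", "C:\\lrkiocjlxoiex\\wedy4jb1l0ycxreolarcb.exe"),
    ("C:\\lrkiocjlxoiex\\wedy4jb1l0ycxreolarcb.exe", "registry_set",
     "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Cache Function CNG iSCSI Storage DHCP Location"
     "=C:\\lrkiocjlxoiex\\hjj0uyt9ja.exe"),
    ("C:\\lrkiocjlxoiex\\wedy4jb1l0ycxreolarcb.exe", "create_file", "C:\\lrkiocjlxoiex\\hjj0uyt9ja.exe"),
    ("C:\\lrkiocjlxoiex\\wedy4jb1l0ycxreolarcb.exe", "create_process", "C:\\lrkiocjlxoiex\\hjj0uyt9ja.exe"),
    ("C:\\lrkiocjlxoiex\\wedy4jb1l0ycxreolarcb.exe", "create_service",
     "Video Base Center UserMode=C:\\lrkiocjlxoiex\\hjj0uyt9ja.exe"),
    ("C:\\lrkiocjlxoiex\\hjj0uyt9ja.exe", "create_file", "C:\\lrkiocjlxoiex\\iiecxdmxyml.exe"),
    # Benign system activity also present in the report; a negative control.
    ("C:\\WINDOWS\\System32\\svchost.exe", "create_file", "C:\\WINDOWS\\system32\\WBEM\\Logs\\wbemess.log"),
]

# Assumed trusted roots for a default Windows install (lower-case, forward slashes).
TRUSTED_PREFIXES = ("c:/windows/", "c:/program files")
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "users",
                   "documents and settings", "programdata", "perflogs", "inetpub"}


def norm(path):
    """Case-fold and use forward slashes so prefix checks are simple."""
    return path.lower().replace("\\", "/")


def is_trusted_path(path):
    return norm(path).startswith(TRUSTED_PREFIXES)


def drop_and_execute(events):
    """(parent, child) pairs where a process wrote an .exe outside a trusted
    directory and later started that same file."""
    dropped, hits = set(), []
    for proc, action, target in events:
        key = (norm(proc), norm(target))
        if action == "create_file" and key[1].endswith(".exe"):
            dropped.add(key)
        elif action == "create_process" and key in dropped and not is_trusted_path(target):
            hits.append((proc, target))
    return hits


def persistence_outside_trusted(events):
    """Run-key values and services whose image lives outside the trusted roots."""
    hits = []
    for _, action, target in events:
        if action in ("registry_set", "create_service"):
            name, _, image = target.partition("=")
            if not is_trusted_path(image):
                hits.append((action, name, image))
    return hits


def unknown_root_dirs(events):
    """Top-level folders directly under C:\\ that are not standard ones."""
    found = set()
    for _, _, target in events:
        parts = norm(target).split("/")
        if len(parts) > 2 and parts[0] == "c:" and parts[1] not in KNOWN_ROOT_DIRS:
            found.add(parts[1])
    return found


def triage(events):
    return {
        "drop_and_execute": drop_and_execute(events),
        "persistence": persistence_outside_trusted(events),
        "unknown_root_dirs": sorted(unknown_root_dirs(events)),
    }


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(rule)
        for h in hits:
            print("  ", h)
```

Correlating the create_file and create_process events by path is what separates this chain from an installer doing the same thing under Program Files; the three rules together produce two drop-and-execute pairs, two persistence entries and one unknown root directory for the events above, and nothing for the svchost line.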

Network Details:

DNS granvillechastity.net (A) ➝ 195.22.26.231, 195.22.26.252, 195.22.26.253, 195.22.26.254
DNS kimberleyanderson.net (A) ➝ 50.63.202.54
The remaining 83 A queries, all for names of the same two-word form under .net, have no address recorded in the report:
DNS gwendolynmillicent.net (A)
DNS harriettetennyson.net (A)
DNS gwendolyntennyson.net (A)
DNS jeannetteernestine.net (A)
DNS kimberleyernestine.net (A)
DNS jeannettechastity.net (A)
DNS kimberleychastity.net (A)
DNS jeannettemillicent.net (A)
DNS kimberleymillicent.net (A)
DNS jeannettetennyson.net (A)
DNS kimberleytennyson.net (A)
DNS magdaleneernestine.net (A)
DNS granvilleernestine.net (A)
DNS magdalenechastity.net (A)
DNS magdalenemillicent.net (A)
DNS granvillemillicent.net (A)
DNS magdalenetennyson.net (A)
DNS granvilletennyson.net (A)
DNS simonetteernestine.net (A)
DNS stephaniaernestine.net (A)
DNS simonettechastity.net (A)
DNS stephaniachastity.net (A)
DNS simonettemillicent.net (A)
DNS stephaniamillicent.net (A)
DNS simonettetennyson.net (A)
DNS stephaniatennyson.net (A)
DNS meriwetherbernadine.net (A)
DNS catharinebernadine.net (A)
DNS meriwethercharisma.net (A)
DNS catharinecharisma.net (A)
DNS meriwetheranastacia.net (A)
DNS catharineanastacia.net (A)
DNS meriwetheranderson.net (A)
DNS catharineanderson.net (A)
DNS maybellinebernadine.net (A)
DNS josephinebernadine.net (A)
DNS maybellinecharisma.net (A)
DNS josephinecharisma.net (A)
DNS maybellineanastacia.net (A)
DNS josephineanastacia.net (A)
DNS maybellineanderson.net (A)
DNS josephineanderson.net (A)
DNS winnifredbernadine.net (A)
DNS sylvesterbernadine.net (A)
DNS winnifredcharisma.net (A)
DNS sylvestercharisma.net (A)
DNS winnifredanastacia.net (A)
DNS sylvesteranastacia.net (A)
DNS winnifredanderson.net (A)
DNS sylvesteranderson.net (A)
DNS katherinabernadine.net (A)
DNS brooklynnbernadine.net (A)
DNS katherinacharisma.net (A)
DNS brooklynncharisma.net (A)
DNS katherinaanastacia.net (A)
DNS brooklynnanastacia.net (A)
DNS katherinaanderson.net (A)
DNS brooklynnanderson.net (A)
DNS harriettebernadine.net (A)
DNS gwendolynbernadine.net (A)
DNS harriettecharisma.net (A)
DNS gwendolyncharisma.net (A)
DNS harrietteanastacia.net (A)
DNS gwendolynanastacia.net (A)
DNS harrietteanderson.net (A)
DNS gwendolynanderson.net (A)
DNS jeannettebernadine.net (A)
DNS kimberleybernadine.net (A)
DNS jeannettecharisma.net (A)
DNS kimberleycharisma.net (A)
DNS jeannetteanastacia.net (A)
DNS kimberleyanastacia.net (A)
DNS jeannetteanderson.net (A)
DNS magdalenebernadine.net (A)
DNS granvillebernadine.net (A)
DNS magdalenecharisma.net (A)
DNS granvillecharisma.net (A)
DNS magdaleneanastacia.net (A)
DNS granvilleanastacia.net (A)
DNS magdaleneanderson.net (A)
DNS granvilleanderson.net (A)
DNS simonettebernadine.net (A)
DNS stephaniabernadine.net (A)
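Eighty-five distinct names were queried and only two resolved, which is the profile of a domain-generation algorithm walking a candidate list. The names are pairs of given names and surnames, so the list can be taken apart without knowing the generator. The following is an added example and not part of the report or the sample: QUERIED is the DNS section above with the .net suffix stripped, RESOLVED holds the two answers recorded, and the split scoring (support of the prefix and suffix across the whole set, compared by minimum and then product) and the MIN_PART floor are assumptions about how to recover the two word lists, not a description of the sample's own generator.

```python
"""Recover the two word lists behind the name-pair domains in the DNS section."""
from collections import Counter

# Copied from the report (85 distinct labels, TLD .net removed).
QUERIED = """
granvillechastity kimberleyanderson
gwendolynmillicent harriettetennyson gwendolyntennyson jeannetteernestine kimberleyernestine
jeannettechastity kimberleychastity jeannettemillicent kimberleymillicent jeannettetennyson
kimberleytennyson magdaleneernestine granvilleernestine magdalenechastity magdalenemillicent
granvillemillicent magdalenetennyson granvilletennyson simonetteernestine stephaniaernestine
simonettechastity stephaniachastity simonettemillicent stephaniamillicent simonettetennyson
stephaniatennyson meriwetherbernadine catharinebernadine meriwethercharisma catharinecharisma
meriwetheranastacia catharineanastacia meriwetheranderson catharineanderson maybellinebernadine
josephinebernadine maybellinecharisma josephinecharisma maybellineanastacia josephineanastacia
maybellineanderson josephineanderson winnifredbernadine sylvesterbernadine winnifredcharisma
sylvestercharisma winnifredanastacia sylvesteranastacia winnifredanderson sylvesteranderson
katherinabernadine brooklynnbernadine katherinacharisma brooklynncharisma katherinaanastacia
brooklynnanastacia katherinaanderson brooklynnanderson harriettebernadine gwendolynbernadine
harriettecharisma gwendolyncharisma harrietteanastacia gwendolynanastacia harrietteanderson
gwendolynanderson jeannettebernadine kimberleybernadine jeannettecharisma kimberleycharisma
jeannetteanastacia kimberleyanastacia jeannetteanderson magdalenebernadine granvillebernadine
magdalenecharisma granvillecharisma magdaleneanastacia granvilleanastacia magdaleneanderson
granvilleanderson simonettebernadine stephaniabernadine
""".split()

RESOLVED = {  # the two answers recorded in the report
    "granvillechastity": ["195.22.26.231", "195.22.26.252", "195.22.26.253", "195.22.26.254"],
    "kimberleyanderson": ["50.63.202.54"],
}

MIN_PART = 4  # assumed shortest dictionary word


def _cuts(label):
    return range(MIN_PART, len(label) - MIN_PART + 1)


def best_split(label, prefix_support, suffix_support):
    """Choose the cut whose halves are each reused most across the whole set.
    Ties on the weaker half are broken by the product of both supports."""
    best, best_score = None, (-1, -1)
    for i in _cuts(label):
        a, b = label[:i], label[i:]
        pa, pb = prefix_support[a], suffix_support[b]
        score = (min(pa, pb), pa * pb)
        if score > best_score:
            best, best_score = (a, b), score
    return best


def infer_dictionaries(labels):
    """Return (first words, second words, {label: (a, b)})."""
    prefix_support, suffix_support = Counter(), Counter()
    for lab in labels:
        for i in _cuts(lab):
            prefix_support[lab[:i]] += 1
            suffix_support[lab[i:]] += 1
    splits = {lab: best_split(lab, prefix_support, suffix_support) for lab in labels}
    first = sorted({a for a, _ in splits.values()})
    second = sorted({b for _, b in splits.values()})
    return first, second, splits


def dga_stats(labels, resolved):
    first, second, splits = infer_dictionaries(labels)
    return {
        "queried": len(labels),
        "resolved": sum(1 for lab in labels if lab in resolved),
        "first_words": len(first),
        "second_words": len(second),
        "space": len(first) * len(second),          # size of the A x B candidate set
        "consistent": all(a + b == lab for lab, (a, b) in splits.items()),
    }


if __name__ == "__main__":
    first, second, _ = infer_dictionaries(QUERIED)
    print("first words:", first)
    print("second words:", second)
    print(dga_stats(QUERIED, RESOLVED))
```

For this capture the queries decompose into 16 first words and 8 second words, i.e. the sandbox saw 85 of the 128 pairs that list would produce, and 2 of them resolved; a resolve rate that low over a cross-product of a small vocabulary is a stronger signal than any single name, and the recovered word lists are what a resolver-side block or a passive-DNS hunt should use rather than the two domains that happened to answer.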
HTTP GET: http://granvillechastity.net/index.php (no User-Agent header)
HTTP GET: http://kimberleyanderson.net/index.php (no User-Agent header)
Flows TCP: 192.168.1.1:1031 ➝ 195.22.26.231:80
Flows TCP: 192.168.1.1:1032 ➝ 50.63.202.54:80
(Only the first of the four addresses returned for granvillechastity.net was contacted. The capture below shows the request side only; no response is recorded.)

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2067   : close..Host: g
0x00000040 (00064)   72616e76 696c6c65 63686173 74697479   ranvillechastity
0x00000050 (00080)   2e6e6574 0d0a0d0a                     .net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206b   : close..Host: k
0x00000040 (00064)   696d6265 726c6579 616e6465 72736f6e   imberleyanderson
0x00000050 (00080)   2e6e6574 0d0a0d0a                     .net....
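The two requests above share an unusual shape: HTTP/1.0, GET /index.php, Accept: */*, Connection: close, and no User-Agent at all. The following is an added example, not part of the report: PCAP_TEXT is the hexdump copied from the Raw Pcap section, the hexdump line format it parses is the one shown there, BENIGN is a constructed browser-style request used as a negative control, and the fingerprint itself is read off the dump rather than taken from any published rule.

```python
"""Rebuild the requests from the sandbox hexdump and fingerprint them."""
import re

# Copied verbatim from the Raw Pcap section above.
PCAP_TEXT = """
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2067   : close..Host: g
0x00000040 (00064)   72616e76 696c6c65 63686173 74697479   ranvillechastity
0x00000050 (00080)   2e6e6574 0d0a0d0a                     .net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206b   : close..Host: k
0x00000040 (00064)   696d6265 726c6579 616e6465 72736f6e   imberleyanderson
0x00000050 (00080)   2e6e6574 0d0a0d0a                     .net....
"""

# Constructed negative control: same path, but HTTP/1.1 with a User-Agent.
BENIGN = (b"GET /index.php HTTP/1.1\r\nHost: example.com\r\n"
          b"User-Agent: Mozilla/5.0\r\nAccept: */*\r\nConnection: close\r\n\r\n")

# "0xOFFSET (DECIMAL)   up to four 8-hex-digit groups   ascii". Groups are
# separated by one space and the ASCII column by several, which is what stops
# the match before the text column.
HEX_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+\(\d+\)\s+([0-9a-fA-F]{2,8}(?: [0-9a-fA-F]{2,8}){0,3})")


def parse_hexdump(text):
    """Return one bytes object per blank-line-separated dump."""
    dumps, current = [], []
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            current.append(bytes.fromhex(m.group(1).replace(" ", "")))
        elif current:
            dumps.append(b"".join(current))
            current = []
    if current:
        dumps.append(b"".join(current))
    return dumps


def parse_request(raw):
    """Minimal HTTP request parser: request line plus case-folded headers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def matches_fingerprint(req):
    """The shape seen in the capture: HTTP/1.0 GET /index.php, Connection:
    close, and no User-Agent header at all."""
    h = req["headers"]
    return (req["method"] == "GET" and req["path"] == "/index.php"
            and req["version"] == "HTTP/1.0"
            and "user-agent" not in h
            and h.get("connection", "").lower() == "close")


def scan(blobs):
    """(Host header, fingerprint matched) for each raw request."""
    out = []
    for raw in blobs:
        req = parse_request(raw)
        out.append((req["headers"].get("host"), matches_fingerprint(req)))
    return out


if __name__ == "__main__":
    for host, hit in scan(parse_hexdump(PCAP_TEXT) + [BENIGN]):
        print(host, "MATCH" if hit else "no match")
```

The absence of a User-Agent is the discriminating feature; browsers and most libraries send one, so a proxy-log or IDS check that keys on "HTTP/1.0 GET /index.php with no User-Agent and Connection: close" is cheap to run and does not depend on the domain list, which a DGA will have rotated.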


Strings