Analysis Date: 2015-10-01 01:02:05
MD5: 05f00a606c9d37112a602d0f592061ae
SHA1: 2212233c42644d12dbe74db79d775097509b4fd9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 97af1749a0b94d95228a5b9e9fb87774 sha1: b896bf8c65c85bd449248e9df9e7d4f6eca27568 size: 226816
Section .data md5: fa05a6d8e0c20bdc43424d6e4219d71f sha1: 99ed3d1b3c25978a2a1017f6ed4720ea7a410936 size: 20480
Section .rdata md5: 056b93a49e29c510c178c3e330afeee9 sha1: 90cefc1f9f335034a2362b245f10c57766cbd238 size: 40448
Section .eh_fram md5: 677f120d0cc8d4a53069b5aee1d7cbc6 sha1: db4eaac85afa3deea0a3d49af13692361e745fbc size: 40448
Section .bss md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (empty section; these are the hashes of zero bytes)
Section .idata md5: 00e0ae1e488c8c73d8ef3f94e989dace sha1: 3bca80496741c8ad2c78ddfcbd5c464c9187af22 size: 6656
Section .CRT md5: 43d510d538f331ef8647932de7798b6a sha1: b6ffe89ed74c154e47444a372c11588a95ed611c size: 512
Section .tls md5: bb26d9c5aefc6c61ade45477c4a18756 sha1: a12bdb7979d4d623e99c865ceac89938b586550d size: 512
Timestamp: 2015-03-05 06:31:19
PEhash: 3ea640afbcbada0eb84a3e3b111603a14c371328
IMPhash: cec3d41b191366f4911cecd6a11d22c6
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.51758
AV Dr. Web: Trojan.DownLoader14.44341
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.51758
AV BullGuard: Gen:Variant.Symmi.51758
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Scar.kiwp
AV Zillya!: Trojan.Scar.Win32.92770
AV Emsisoft: Gen:Variant.Symmi.51758
AV Ikarus: Trojan.Win32.Staser
AV Frisk (f-prot): no_virus
AV Authentium: W32/S-6a8c3109!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.51758
AV Microsoft Security Essentials: no_virus
AV K7: Trojan ( 004c988e1 )
AV BitDefender: Gen:Variant.Symmi.51758
AV Fortinet: W32/Agent.XDQ!tr
AV Symantec: Downloader.Upatre!g16
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Agent.XDQ
AV Alwil (avast): Agent-AZPC [Trj]
AV Ad-Aware: Gen:Variant.Symmi.51758
AV Twister: no_virus
AV Avira (antivir): TR/ATRAPS.A.8315
AV Mcafee: Trojan-FGOJ!05F00A606C9D
AV Rising: no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\gmptfjlcp\mdzyk5klpv
Creates File: C:\WINDOWS\gmptfjlcp\mdzyk5klpv
Creates File: C:\gmptfjlcp\p0rdf1b1kxwwodgwqjvi.exe
Deletes File: C:\WINDOWS\gmptfjlcp\mdzyk5klpv
Creates Process: C:\gmptfjlcp\p0rdf1b1kxwwodgwqjvi.exe

Process
↳ C:\gmptfjlcp\p0rdf1b1kxwwodgwqjvi.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Parental Sharing Management Volume ➝ C:\gmptfjlcp\lbvuqb38.exe
Creates File: C:\gmptfjlcp\lbvuqb38.exe
Creates File: C:\gmptfjlcp\fsfizbvr
Creates File: C:\gmptfjlcp\mdzyk5klpv
Creates File: C:\WINDOWS\gmptfjlcp\mdzyk5klpv
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\gmptfjlcp\mdzyk5klpv
Creates Process: C:\gmptfjlcp\lbvuqb38.exe
Creates Service: Wired Tunneling Presentation SPP - C:\gmptfjlcp\lbvuqb38.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1844

Process
↳ Pid 1128

Process
↳ C:\gmptfjlcp\lbvuqb38.exe

Creates File: C:\gmptfjlcp\wglfhwnagldj
Creates File: C:\gmptfjlcp\fsfizbvr
Creates File: pipe\net\NtControlPipe10
Creates File: C:\gmptfjlcp\sv0ovbn.exe
Creates File: C:\gmptfjlcp\mdzyk5klpv
Creates File: C:\WINDOWS\gmptfjlcp\mdzyk5klpv
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\gmptfjlcp\mdzyk5klpv
Creates Process: awkqpbczhmrw "c:\gmptfjlcp\lbvuqb38.exe"

Process
↳ C:\gmptfjlcp\lbvuqb38.exe

Creates File: C:\gmptfjlcp\mdzyk5klpv
Creates File: C:\WINDOWS\gmptfjlcp\mdzyk5klpv
Deletes File: C:\WINDOWS\gmptfjlcp\mdzyk5klpv

Process
↳ awkqpbczhmrw "c:\gmptfjlcp\lbvuqb38.exe"

Creates File: C:\gmptfjlcp\mdzyk5klpv
Creates File: C:\WINDOWS\gmptfjlcp\mdzyk5klpv
Deletes File: C:\WINDOWS\gmptfjlcp\mdzyk5klpv
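
The process tree above shows the sample writing a second executable into C:\gmptfjlcp\, executing it, and that child then registering a third executable (lbvuqb38.exe) twice: as the Run value "Parental Sharing Management Volume" and as the service "Wired Tunneling Presentation SPP". lbvuqb38.exe is later started with a command line whose first token (awkqpbczhmrw) is not a path at all, with the real image quoted after it. The Python below is an added example, not part of the sandbox report: a small triage pass over events re-typed from this trace as (process, action, detail) tuples, with illustrative rules for the Run-key and service persistence, the drop-then-execute chain and the odd argv[0]. TRUSTED_DIRS and the rule names are this example's own choices; the spoolsv.exe registry event is included to show that unrelated system activity in the same trace produces no finding.

```python
"""Added example, not part of the sandbox report: a triage pass over the
runtime events listed above, flagging persistence and drop-then-execute
behaviour.

EVENTS is a subset of the report's events, re-typed here as
(process, action, detail) tuples.  TRUSTED_DIRS and the rule names are this
example's own choices, not something the report defines."""
import re

EVENTS = [
    (r"C:\malware.exe", "Creates File", r"C:\gmptfjlcp\p0rdf1b1kxwwodgwqjvi.exe"),
    (r"C:\malware.exe", "Creates Process", r"C:\gmptfjlcp\p0rdf1b1kxwwodgwqjvi.exe"),
    (r"C:\gmptfjlcp\p0rdf1b1kxwwodgwqjvi.exe", "Registry",
     r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
     r"\Parental Sharing Management Volume -> C:\gmptfjlcp\lbvuqb38.exe"),
    (r"C:\gmptfjlcp\p0rdf1b1kxwwodgwqjvi.exe", "Creates File", r"C:\gmptfjlcp\lbvuqb38.exe"),
    (r"C:\gmptfjlcp\p0rdf1b1kxwwodgwqjvi.exe", "Creates Process", r"C:\gmptfjlcp\lbvuqb38.exe"),
    (r"C:\gmptfjlcp\p0rdf1b1kxwwodgwqjvi.exe", "Creates Service",
     r"Wired Tunneling Presentation SPP - C:\gmptfjlcp\lbvuqb38.exe"),
    (r"C:\gmptfjlcp\lbvuqb38.exe", "Creates File", r"C:\gmptfjlcp\sv0ovbn.exe"),
    (r"C:\gmptfjlcp\lbvuqb38.exe", "Creates Process",
     r'awkqpbczhmrw "c:\gmptfjlcp\lbvuqb38.exe"'),
    # print-spooler activity from the same trace; a correct pass reports nothing for it
    (r"C:\WINDOWS\system32\spoolsv.exe", "Registry",
     r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled -> NULL"),
]

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")      # illustrative allow-list
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.I)
QUOTED_EXE_RE = re.compile(r'"([^"]+\.exe)"', re.I)


def image_from_cmdline(cmdline):
    """First token of a command line, honouring a double-quoted first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def triage(events):
    """Walk events in order and return (rule, process, detail) findings."""
    findings = []
    dropped = set()                      # executables written earlier in the run
    for proc, action, detail in events:
        if action == "Creates File":
            if detail.lower().endswith(".exe"):
                dropped.add(detail.lower())
        elif action == "Registry":
            if RUN_KEY_RE.search(detail):
                findings.append(("autorun_runkey", proc, detail))
        elif action == "Creates Service":
            name, _, path = detail.partition(" - ")
            findings.append(("autorun_service", proc, f"{name} -> {path}"))
            if path.lower() in dropped:
                findings.append(("service_points_at_dropped_file", proc, path))
        elif action == "Creates Process":
            image = image_from_cmdline(detail).lower()
            if not image.endswith(".exe"):
                # argv[0] is not a path; the report shows the real image quoted after it
                findings.append(("argv0_not_executable_path", proc, detail))
                m = QUOTED_EXE_RE.search(detail)
                if m:
                    image = m.group(1).lower()
            if image in dropped:
                findings.append(("drop_and_execute", proc, image))
            if not image.startswith(TRUSTED_DIRS):
                findings.append(("exec_outside_trusted_dirs", proc, image))
    return findings


if __name__ == "__main__":
    for rule, proc, detail in triage(EVENTS):
        print(f"{rule:32} {proc}  {detail}")
```

The two artifacts worth hunting for on other hosts are the Run value name and the service name, since the directory and file names (gmptfjlcp, lbvuqb38.exe) look generated per infection; the pass above keys on the behaviour (a freshly written executable registered for autorun from a non-system directory) rather than on those names, so it still fires when they change.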

Network Details:

DNS: kimberleyanderson.net (A) ➝ 50.63.202.54
DNS: catharineanthonyson.net (A) ➝ 195.22.26.253, 195.22.26.254, 195.22.26.231, 195.22.26.252
DNS: gwendolynbernadine.net (A)
DNS: harriettecharisma.net (A)
DNS: gwendolyncharisma.net (A)
DNS: harrietteanastacia.net (A)
DNS: gwendolynanastacia.net (A)
DNS: harrietteanderson.net (A)
DNS: gwendolynanderson.net (A)
DNS: jeannettebernadine.net (A)
DNS: kimberleybernadine.net (A)
DNS: jeannettecharisma.net (A)
DNS: kimberleycharisma.net (A)
DNS: jeannetteanastacia.net (A)
DNS: kimberleyanastacia.net (A)
DNS: jeannetteanderson.net (A)
DNS: magdalenebernadine.net (A)
DNS: granvillebernadine.net (A)
DNS: magdalenecharisma.net (A)
DNS: granvillecharisma.net (A)
DNS: magdaleneanastacia.net (A)
DNS: granvilleanastacia.net (A)
DNS: magdaleneanderson.net (A)
DNS: granvilleanderson.net (A)
DNS: simonettebernadine.net (A)
DNS: stephaniabernadine.net (A)
DNS: simonettecharisma.net (A)
DNS: stephaniacharisma.net (A)
DNS: simonetteanastacia.net (A)
DNS: stephaniaanastacia.net (A)
DNS: simonetteanderson.net (A)
DNS: stephaniaanderson.net (A)
DNS: meriwetherbrassington.net (A)
DNS: catharinebrassington.net (A)
DNS: meriwetherecclestone.net (A)
DNS: catharineecclestone.net (A)
DNS: meriwetherchamberlain.net (A)
DNS: catharinechamberlain.net (A)
DNS: meriwetheranthonyson.net (A)
DNS: maybellinebrassington.net (A)
DNS: josephinebrassington.net (A)
DNS: maybellineecclestone.net (A)
DNS: josephineecclestone.net (A)
DNS: maybellinechamberlain.net (A)
DNS: josephinechamberlain.net (A)
DNS: maybellineanthonyson.net (A)
DNS: josephineanthonyson.net (A)
DNS: winnifredbrassington.net (A)
DNS: sylvesterbrassington.net (A)
DNS: winnifredecclestone.net (A)
DNS: sylvesterecclestone.net (A)
DNS: winnifredchamberlain.net (A)
DNS: sylvesterchamberlain.net (A)
DNS: winnifredanthonyson.net (A)
DNS: sylvesteranthonyson.net (A)
DNS: katherinabrassington.net (A)
DNS: brooklynnbrassington.net (A)
DNS: katherinaecclestone.net (A)
DNS: brooklynnecclestone.net (A)
DNS: katherinachamberlain.net (A)
DNS: brooklynnchamberlain.net (A)
DNS: katherinaanthonyson.net (A)
DNS: brooklynnanthonyson.net (A)
DNS: harriettebrassington.net (A)
DNS: gwendolynbrassington.net (A)
DNS: harrietteecclestone.net (A)
DNS: gwendolynecclestone.net (A)
DNS: harriettechamberlain.net (A)
DNS: gwendolynchamberlain.net (A)
DNS: harrietteanthonyson.net (A)
DNS: gwendolynanthonyson.net (A)
DNS: jeannettebrassington.net (A)
DNS: kimberleybrassington.net (A)
DNS: jeannetteecclestone.net (A)
DNS: kimberleyecclestone.net (A)
DNS: jeannettechamberlain.net (A)
DNS: kimberleychamberlain.net (A)
DNS: jeannetteanthonyson.net (A)
DNS: kimberleyanthonyson.net (A)
DNS: magdalenebrassington.net (A)
DNS: granvillebrassington.net (A)
DNS: magdaleneecclestone.net (A)
DNS: granvilleecclestone.net (A)
DNS: magdalenechamberlain.net (A)
DNS: granvillechamberlain.net (A)
HTTP GET: http://kimberleyanderson.net/index.php
User-Agent: (none sent)
HTTP GET: http://catharineanthonyson.net/index.php
User-Agent: (none sent)
Flows TCP: 192.168.1.1:1031 ➝ 50.63.202.54:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.26.253:80
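
Of the DNS queries listed above, 85 distinct .net names are requested in a single run and only two come back with an address; every second-level label is a first name followed by a surname, and the same names recur in different combinations. Many lookups, few answers, and labels assembled from two word lists are exactly the traits a DGA heuristic keys on. The Python below is an added example, not part of the sandbox report: it scores a sandbox DNS log on those traits. REPORT_DNS copies the first 24 distinct names from the list above (an empty answer list means the report shows no address for that query); BENIGN_DNS is constructed for contrast; the thresholds and the word-list heuristic are this example's own choices, not tuned on any dataset.

```python
"""Added example, not part of the sandbox report: DGA-style heuristics run
over the DNS records listed above.

Records are (queried name, [A answers]) pairs as a sandbox logs them.
REPORT_DNS copies the first 24 distinct names from the report; an empty
answer list means the report shows no address for that query.  BENIGN_DNS
is constructed here for contrast (RFC 5737 documentation addresses) and is
not from the report.  Thresholds are illustrative, not tuned on any data."""
from collections import Counter

REPORT_DNS = [
    ("kimberleyanderson.net", ["50.63.202.54"]),
    ("catharineanthonyson.net", ["195.22.26.253", "195.22.26.254",
                                 "195.22.26.231", "195.22.26.252"]),
    ("gwendolynbernadine.net", []), ("harriettecharisma.net", []),
    ("gwendolyncharisma.net", []), ("harrietteanastacia.net", []),
    ("gwendolynanastacia.net", []), ("harrietteanderson.net", []),
    ("gwendolynanderson.net", []), ("jeannettebernadine.net", []),
    ("kimberleybernadine.net", []), ("jeannettecharisma.net", []),
    ("kimberleycharisma.net", []), ("jeannetteanastacia.net", []),
    ("kimberleyanastacia.net", []), ("jeannetteanderson.net", []),
    ("magdalenebernadine.net", []), ("granvillebernadine.net", []),
    ("magdalenecharisma.net", []), ("granvillecharisma.net", []),
    ("magdaleneanastacia.net", []), ("granvilleanastacia.net", []),
    ("magdaleneanderson.net", []), ("granvilleanderson.net", []),
]

BENIGN_DNS = [                                   # constructed, not from the report
    ("www.example.com", ["192.0.2.10"]),
    ("update.example.net", ["198.51.100.20"]),
    ("cdn.example.org", ["203.0.113.30", "203.0.113.31"]),
]


def registered_domain(name):
    """Last two labels, lower-cased.  Good enough for .net/.com; a real
    pipeline would use the Public Suffix List so co.uk-style names work."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def dns_features(records):
    """Per-run features: distinct registered domains, how many never got an
    answer, the TLD spread, and the length band of the second-level labels."""
    answers = {}
    for name, addrs in records:
        answers.setdefault(registered_domain(name), set()).update(addrs)
    unanswered = [d for d, a in answers.items() if not a]
    sld_len = [len(d.split(".")[0]) for d in answers]
    return {
        "unique_domains": len(answers),
        "unanswered": len(unanswered),
        "unanswered_ratio": len(unanswered) / len(answers) if answers else 0.0,
        "tlds": Counter(d.rsplit(".", 1)[1] for d in answers),
        "sld_len_range": (min(sld_len), max(sld_len)) if sld_len else (0, 0),
    }


def looks_like_dga(records, min_domains=10, min_unanswered_ratio=0.8):
    """Cheap verdict: many distinct domains in one run, most with no answer."""
    f = dns_features(records)
    return f["unique_domains"] >= min_domains and f["unanswered_ratio"] >= min_unanswered_ratio


def wordlist_structure(records, min_part=4):
    """Fraction of second-level labels that split into a prefix and a suffix
    each shared with at least one other label in the run.  Labels built by
    pairing two word lists (first name + surname here) score near 1.0;
    random-character labels and ordinary hostnames score near 0."""
    slds = sorted({registered_domain(n).split(".")[0] for n, _ in records})
    prefixes, suffixes = Counter(), Counter()
    for s in slds:
        for k in range(min_part, len(s) - min_part + 1):
            prefixes[s[:k]] += 1
            suffixes[s[k:]] += 1
    explained = sum(
        1 for s in slds
        if any(prefixes[s[:k]] >= 2 and suffixes[s[k:]] >= 2
               for k in range(min_part, len(s) - min_part + 1))
    )
    return explained / len(slds) if slds else 0.0


if __name__ == "__main__":
    for label, recs in (("report", REPORT_DNS), ("benign", BENIGN_DNS)):
        f = dns_features(recs)
        print(label, f["unique_domains"], "domains,", f["unanswered"], "unanswered,",
              "dga" if looks_like_dga(recs) else "no dga",
              "wordlist=%.2f" % wordlist_structure(recs))
```

looks_like_dga answers the cheap question (many distinct domains, most unanswered); wordlist_structure is the more specific one and is what separates this list from a random-character DGA. Both are per-run heuristics, not signatures: a resolver outage inside the sandbox would also leave most queries unanswered, so read the verdict together with the two names that did resolve and the HTTP requests that followed them.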

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206b   : close..Host: k
0x00000040 (00064)   696d6265 726c6579 616e6465 72736f6e   imberleyanderson
0x00000050 (00080)   2e6e6574 0d0a0d0a                     .net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   61746861 72696e65 616e7468 6f6e7973   atharineanthonys
0x00000050 (00080)   6f6e2e6e 65740d0a 0d0a                on.net....
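
The two dumps above are the complete requests: HTTP/1.0, GET /index.php, Accept: */*, Connection: close, a Host header, and no User-Agent header at all, which is why the User-Agent field in the summary above is empty. The Python below is an added example, not part of the sandbox report: it rebuilds the request bytes from the dump format printed on this page and extracts those traits as a fingerprint a detection rule would test. DUMP_1 and DUMP_2 are copied verbatim from the Raw Pcap section; the parser, the fingerprint fields and matches_beacon are this example's own.

```python
"""Added example, not part of the sandbox report: rebuild the request bytes
from the hex dumps printed above and extract the HTTP fingerprint a
detection rule would key on.  DUMP_1 and DUMP_2 are copied from the
report's Raw Pcap section; everything else is this example's own code."""
import re

DUMP_1 = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206b   : close..Host: k
0x00000040 (00064)   696d6265 726c6579 616e6465 72736f6e   imberleyanderson
0x00000050 (00080)   2e6e6574 0d0a0d0a                     .net....
"""

DUMP_2 = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000040 (00064)   61746861 72696e65 616e7468 6f6e7973   atharineanthonys
0x00000050 (00080)   6f6e2e6e 65740d0a 0d0a                on.net....
"""


def hexdump_to_bytes(dump):
    """Parse 'offset (decimal)   hex groups   ascii' lines.  The hex field is
    separated from the ASCII column by three or more spaces, which never
    occur between hex groups, so the ASCII column cannot be mistaken for data."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.startswith("0x"):
            continue
        rest = line.split(")", 1)[1]
        hexfield = re.split(r"\s{3,}", rest.strip())[0]
        out += bytes.fromhex(hexfield)      # whitespace inside is skipped (Python 3.7+)
    return bytes(out)


def parse_http_request(raw):
    """Minimal HTTP/1.x request parser: request line plus headers (lower-cased keys)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def fingerprint(req):
    """Traits of the beacon as seen in the dumps; all must hold for a match."""
    h = req["headers"]
    return {
        "http_1_0": req["version"] == "HTTP/1.0",
        "no_user_agent": "user-agent" not in h,
        "accept_any": h.get("accept") == "*/*",
        "connection_close": h.get("connection", "").lower() == "close",
        "index_php": req["method"] == "GET" and req["target"] == "/index.php",
    }


def matches_beacon(raw):
    return all(fingerprint(parse_http_request(raw)).values())


if __name__ == "__main__":
    for dump in (DUMP_1, DUMP_2):
        req = parse_http_request(hexdump_to_bytes(dump))
        print(req["headers"]["host"], fingerprint(req))
```

The traits are the ones an HTTP-aware IDS rule can test directly (method, URI, protocol version, presence or absence of a header). The missing User-Agent is the strongest single discriminator, since practically every browser and updater sends one, but it is not unique to this sample, so pair it with the HTTP/1.0 version and the bare /index.php path rather than alerting on any one trait alone.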


Strings