Analysis Date: 2015-07-29 16:38:32
MD5: 592e78b91a37f32b9dd33e7d9b698480
SHA1: 24b88a2247c9b30c80c27ab488aeb39e749a39e8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 3342d27c45dcb9b5a5240fb4ea7638b2 sha1: 828ca1040321a2f46bbe2f948a5c7d419968ac6c size: 155648
Section .rdata: md5: 8d9965a2f052380e06dcc455a000b349 sha1: 9af4eeb0dd856e34a88144ecfe7e9513e33a2b2c size: 37376
Section .data: md5: e19a953a4e6870cc25b2fed95c9ef507 sha1: 9544b1afdbac2efbbcc2ab668fb25670540c14ea size: 7168
Timestamp: 2015-03-13 09:17:44
Packer: Microsoft Visual C++ ?.?
PEhash: 3d034d18d5cbbac9037ade9457021672fb1a11e8
IMPhash: f7928922fe5b4ebe9a2eece60c892d4d
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Rodecap.1
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV BullGuard: Gen:Variant.Rodecap.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Scar.iyid
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Rodecap.1
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Frisk (f-prot): no_virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV MalwareBytes: Trojan.Rodecap
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV K7: no_virus
AV BitDefender: Gen:Variant.Rodecap.1
AV Fortinet: W32/Rodecap.BJ!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Rodecap.BJ
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Twister: Trojan.Agent.VNS.jpdg.mg
AV Avira (antivir): TR/AD.Nivdort.M.3
AV Mcafee: Trojan-FEVX!592E78B91A37
AV Rising: no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\wmurxtbzypmxmaw\ihoabfugd
Creates File: C:\wmurxtbzypmxmaw\yy1kuflkujrquxp61k.exe
Creates File: C:\wmurxtbzypmxmaw\ihoabfugd
Deletes File: C:\WINDOWS\wmurxtbzypmxmaw\ihoabfugd
Creates Process: C:\wmurxtbzypmxmaw\yy1kuflkujrquxp61k.exe

Process
↳ C:\wmurxtbzypmxmaw\yy1kuflkujrquxp61k.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ActiveX Protected Interface PNRP IPsec Disk Driver ➝ C:\wmurxtbzypmxmaw\kcennzxnyttk.exe
Creates File: C:\WINDOWS\wmurxtbzypmxmaw\ihoabfugd
Creates File: C:\wmurxtbzypmxmaw\ihoabfugd
Creates File: C:\wmurxtbzypmxmaw\mxpsjl8m
Creates File: C:\wmurxtbzypmxmaw\kcennzxnyttk.exe
Deletes File: C:\WINDOWS\wmurxtbzypmxmaw\ihoabfugd
Creates Process: C:\wmurxtbzypmxmaw\kcennzxnyttk.exe
Creates Service: Backup Helper PC Key Play Center - C:\wmurxtbzypmxmaw\kcennzxnyttk.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1916

Process
↳ Pid 1336

Process
↳ C:\wmurxtbzypmxmaw\kcennzxnyttk.exe

Creates File: C:\WINDOWS\wmurxtbzypmxmaw\ihoabfugd
Creates File: pipe\net\NtControlPipe10
Creates File: C:\wmurxtbzypmxmaw\ihoabfugd
Creates File: C:\wmurxtbzypmxmaw\olzyxd
Creates File: \Device\Afd\Endpoint
Creates File: C:\wmurxtbzypmxmaw\mxpsjl8m
Creates File: C:\wmurxtbzypmxmaw\giipbkyivbh.exe
Deletes File: C:\WINDOWS\wmurxtbzypmxmaw\ihoabfugd
Creates Process: m8g5vopodpmo "c:\wmurxtbzypmxmaw\kcennzxnyttk.exe"

Process
↳ C:\wmurxtbzypmxmaw\kcennzxnyttk.exe

Creates File: C:\WINDOWS\wmurxtbzypmxmaw\ihoabfugd
Creates File: C:\wmurxtbzypmxmaw\ihoabfugd
Deletes File: C:\WINDOWS\wmurxtbzypmxmaw\ihoabfugd

Process
↳ m8g5vopodpmo "c:\wmurxtbzypmxmaw\kcennzxnyttk.exe"

Creates File: C:\WINDOWS\wmurxtbzypmxmaw\ihoabfugd
Creates File: C:\wmurxtbzypmxmaw\ihoabfugd
Deletes File: C:\WINDOWS\wmurxtbzypmxmaw\ihoabfugd
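
The runtime section above shows the sample installing the same binary twice, as a Run-key value with a Windows-sounding name and as a service, out of a randomly named directory created directly under C:\, and the installed binary relaunching itself with a random token as argv[0] and its own path as the only argument. The following Python triage is an added example, not part of the sandbox report: EVENTS is constructed from the report's own values plus a constructed benign spoolsv.exe control, and the name checks are heuristics chosen for this example, not a vendor signature.

```python
"""Host triage over the persistence and process artifacts in the runtime
section. Added example, not sandbox output: EVENTS is constructed from the
report's own values (Run key, service, dropped executables, self-relaunch
command line) plus a constructed benign control, and the checks are
heuristics, not a vendor signature.
"""
import ntpath
import re

# Top-level directories where a legitimate autorun or service image is expected.
EXPECTED_ROOT_DIRS = {"windows", "program files", "program files (x86)",
                      "programdata", "users"}

EVENTS = [
    {"type": "run_key", "name": "ActiveX Protected Interface PNRP IPsec Disk Driver",
     "image": r"C:\wmurxtbzypmxmaw\kcennzxnyttk.exe"},
    {"type": "service", "name": "Backup Helper PC Key Play Center",
     "image": r"C:\wmurxtbzypmxmaw\kcennzxnyttk.exe"},
    {"type": "process", "image": r"C:\wmurxtbzypmxmaw\kcennzxnyttk.exe",
     "cmdline": r'm8g5vopodpmo "c:\wmurxtbzypmxmaw\kcennzxnyttk.exe"'},
    {"type": "process", "image": r"C:\wmurxtbzypmxmaw\yy1kuflkujrquxp61k.exe",
     "cmdline": r"C:\wmurxtbzypmxmaw\yy1kuflkujrquxp61k.exe"},
    # Constructed benign control, modelled on the spoolsv.exe entry in the process list.
    {"type": "service", "name": "Print Spooler",
     "image": r"C:\WINDOWS\system32\spoolsv.exe"},
    {"type": "process", "image": r"C:\WINDOWS\system32\spoolsv.exe",
     "cmdline": r"C:\WINDOWS\system32\spoolsv.exe"},
]


def looks_random(name):
    """Heuristic for generated names such as wmurxtbzypmxmaw or kcennzxnyttk:
    eight or more letters with under 30% vowels, or a consonant run of five
    or more. Short names are never flagged, so some generated names slip through."""
    letters = "".join(c for c in name.lower() if c.isalpha())
    if len(letters) < 8:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]+", letters))
    return vowel_ratio < 0.3 or longest_consonant_run >= 5


def check_image_path(image):
    """Flag an image that sits in a directory created directly under the drive
    root (two path components after the drive) outside the expected locations,
    and generated-looking directory or executable names."""
    _, tail = ntpath.splitdrive(image)
    parts = [p for p in tail.split("\\") if p]
    findings = []
    if len(parts) == 2 and parts[0].lower() not in EXPECTED_ROOT_DIRS:
        findings.append("image in non-standard top-level directory: " + parts[0])
        if looks_random(parts[0]):
            findings.append("directory name looks machine-generated")
    if looks_random(ntpath.splitext(parts[-1])[0]):
        findings.append("executable name looks machine-generated")
    return findings


def is_self_relaunch(image, cmdline):
    """True when argv[0] is not the image itself but the image path appears as an
    argument: the report shows kcennzxnyttk.exe started with a random token as
    argv[0] and its own quoted path as the only argument."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not tokens:
        return False
    argv0_name = ntpath.basename(tokens[0]).lower()
    image_name = ntpath.basename(image).lower()
    return argv0_name != image_name and any(t.lower() == image.lower() for t in tokens[1:])


def triage(events):
    """Return only the events with findings, each with the list of reasons."""
    flagged = []
    for ev in events:
        findings = check_image_path(ev["image"])
        if ev["type"] == "process" and is_self_relaunch(ev["image"], ev["cmdline"]):
            findings.append("self-relaunch with bogus argv[0]: " + ev["cmdline"])
        if findings:
            flagged.append({"event": ev, "findings": findings})
    return flagged


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit["event"]["type"], hit["event"]["image"])
        for finding in hit["findings"]:
            print("  -", finding)
```

On a live host the same functions would be fed from the Run key and services hives and from process-creation telemetry (image path plus command line). The non-standard top-level directory check is the reliable one; the name heuristics are there to rank hits and will miss short generated names (the dropped ihoabfugd and olzyxd files are not flagged) and occasionally flag a real name.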

Network Details:

DNS: waterbusiness.net  Type: A  ➝ 192.185.77.17
DNS: womanbusiness.net  Type: A  ➝ 184.168.221.52
DNS: partybusiness.net  Type: A  ➝ 50.62.253.1
DNS: partyappear.net  Type: A  ➝ 208.91.197.241
DNS: smokeinside.net  Type: A  ➝ 50.63.202.34
DNS: partyexplain.net  Type: A  ➝ 95.211.230.75
DNS: partybright.net  Type: A  ➝ 50.63.202.44
DNS: watermanner.net  Type: A
DNS: thoughtanother.net  Type: A
DNS: wateranother.net  Type: A
DNS: thoughtbusiness.net  Type: A
DNS: thoughtappear.net  Type: A
DNS: waterappear.net  Type: A
DNS: womanmanner.net  Type: A
DNS: smokemanner.net  Type: A
DNS: womananother.net  Type: A
DNS: smokeanother.net  Type: A
DNS: smokebusiness.net  Type: A
DNS: womanappear.net  Type: A
DNS: smokeappear.net  Type: A
DNS: partymanner.net  Type: A
DNS: fightmanner.net  Type: A
DNS: partyanother.net  Type: A
DNS: fightanother.net  Type: A
DNS: fightbusiness.net  Type: A
DNS: fightappear.net  Type: A
DNS: freshinstead.net  Type: A
DNS: experienceinstead.net  Type: A
DNS: freshexplain.net  Type: A
DNS: experienceexplain.net  Type: A
DNS: freshbright.net  Type: A
DNS: experiencebright.net  Type: A
DNS: freshinside.net  Type: A
DNS: experienceinside.net  Type: A
DNS: gentlemaninstead.net  Type: A
DNS: alreadyinstead.net  Type: A
DNS: gentlemanexplain.net  Type: A
DNS: alreadyexplain.net  Type: A
DNS: gentlemanbright.net  Type: A
DNS: alreadybright.net  Type: A
DNS: gentlemaninside.net  Type: A
DNS: alreadyinside.net  Type: A
DNS: followinstead.net  Type: A
DNS: memberinstead.net  Type: A
DNS: followexplain.net  Type: A
DNS: memberexplain.net  Type: A
DNS: followbright.net  Type: A
DNS: memberbright.net  Type: A
DNS: followinside.net  Type: A
DNS: memberinside.net  Type: A
DNS: begininstead.net  Type: A
DNS: knowninstead.net  Type: A
DNS: beginexplain.net  Type: A
DNS: knownexplain.net  Type: A
DNS: beginbright.net  Type: A
DNS: knownbright.net  Type: A
DNS: begininside.net  Type: A
DNS: knowninside.net  Type: A
DNS: summerinstead.net  Type: A
DNS: crowdinstead.net  Type: A
DNS: summerexplain.net  Type: A
DNS: crowdexplain.net  Type: A
DNS: summerbright.net  Type: A
DNS: crowdbright.net  Type: A
DNS: summerinside.net  Type: A
DNS: crowdinside.net  Type: A
DNS: thoughtinstead.net  Type: A
DNS: waterinstead.net  Type: A
DNS: thoughtexplain.net  Type: A
DNS: waterexplain.net  Type: A
DNS: thoughtbright.net  Type: A
DNS: waterbright.net  Type: A
DNS: thoughtinside.net  Type: A
DNS: waterinside.net  Type: A
DNS: womaninstead.net  Type: A
DNS: smokeinstead.net  Type: A
DNS: womanexplain.net  Type: A
DNS: smokeexplain.net  Type: A
DNS: womanbright.net  Type: A
DNS: smokebright.net  Type: A
DNS: womaninside.net  Type: A
DNS: partyinstead.net  Type: A
DNS: fightinstead.net  Type: A
DNS: fightexplain.net  Type: A
DNS: fightbright.net  Type: A
HTTP GET: http://waterbusiness.net/index.php?method&len  User-Agent: (none)
HTTP GET: http://womanbusiness.net/index.php?method&len  User-Agent: (none)
HTTP GET: http://partybusiness.net/index.php?method&len  User-Agent: (none)
HTTP GET: http://partyappear.net/index.php?method&len  User-Agent: (none)
HTTP GET: http://smokeinside.net/index.php?method&len  User-Agent: (none)
HTTP GET: http://partyexplain.net/index.php?method&len  User-Agent: (none)
HTTP GET: http://partybright.net/index.php?method&len  User-Agent: (none)
Flows TCP: 192.168.1.1:1031 ➝ 192.185.77.17:80
Flows TCP: 192.168.1.1:1032 ➝ 184.168.221.52:80
Flows TCP: 192.168.1.1:1033 ➝ 50.62.253.1:80
Flows TCP: 192.168.1.1:1034 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1035 ➝ 50.63.202.34:80
Flows TCP: 192.168.1.1:1036 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1037 ➝ 50.63.202.44:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207761 74657262   se..Host: waterb
0x00000050 (00080)   7573696e 6573732e 6e65740d 0a0d0a     usiness.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a20776f 6d616e62   se..Host: womanb
0x00000050 (00080)   7573696e 6573732e 6e65740d 0a0d0a     usiness.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207061 72747962   se..Host: partyb
0x00000050 (00080)   7573696e 6573732e 6e65740d 0a0d0a     usiness.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207061 72747961   se..Host: partya
0x00000050 (00080)   70706561 722e6e65 740d0a0d 0a0d0a     ppear.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a20736d 6f6b6569   se..Host: smokei
0x00000050 (00080)   6e736964 652e6e65 740d0a0d 0a0d0a     nside.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207061 72747965   se..Host: partye
0x00000050 (00080)   78706c61 696e2e6e 65740d0a 0d0a0a     xplain.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207061 72747962   se..Host: partyb
0x00000050 (00080)   72696768 742e6e65 740d0a0d 0a0a0a     right.net......
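
Two things in the network section are worth turning into checks. Every name the sample queried is two English words joined under .net (water/woman/party/smoke/thought/fight/... paired with business/appear/inside/explain/bright/manner/another/instead), and only seven of them resolved. All seven requests in the raw pcap are byte-for-byte the same shape: an HTTP/1.0 GET of /index.php?method&len with empty parameters, Accept: */*, Connection: close, a Host header and no User-Agent header at all. The following Python is an added example, not part of the report: it rebuilds the first request from the report's own hexdump lines, matches it against a signature written from those seven requests, and splits the Host into its two words. The CONTROL_REQUEST is a constructed browser-style request used as a negative control, and the word lists are only the vocabulary visible in the DNS section above, not the malware's actual wordlist.

```python
"""Network triage for the report above: rebuild the HTTP request from the
report's raw pcap hexdump, match it against a beacon signature derived from
the seven identical GETs, and check whether the Host is two dictionary words
joined together like every name in the DNS section.

Added example, not part of the sandbox report. REPORT_DUMP is copied from the
report's first pcap dump; CONTROL_REQUEST is a constructed ordinary browser
request used as a negative control. FIRST_WORDS and SECOND_WORDS are only
the vocabulary visible in the report's DNS section, not the real wordlist.
"""
import re

REPORT_DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207761 74657262   se..Host: waterb
0x00000050 (00080)   7573696e 6573732e 6e65740d 0a0d0a     usiness.net....
"""

# Constructed negative control: same path, but HTTP/1.1 with a User-Agent.
CONTROL_REQUEST = (b"GET /index.php?method&len HTTP/1.1\r\n"
                   b"Host: example.net\r\n"
                   b"User-Agent: Mozilla/5.0\r\n"
                   b"Accept: */*\r\n\r\n")

# One dump line: hex offset, decimal offset in parentheses, hex groups of up to
# four bytes separated by single spaces, then the ASCII column after a wider gap.
HEX_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+\(\d+\)\s+((?:(?:[0-9a-fA-F]{2}){1,4} )+)")


def hexdump_to_bytes(dump):
    """Concatenate the hex columns of every dump line into the raw payload."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line + " ")  # trailing space terminates the last group
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_request(raw):
    """Minimal HTTP request parser: request line plus lower-cased header names."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def matches_beacon(req):
    """Shape shared by all seven requests in the report: HTTP/1.0 GET of a fixed
    path with empty 'method' and 'len' parameters, Accept */*, Connection close,
    and no User-Agent header at all."""
    h = req["headers"]
    return (req["method"] == "GET"
            and req["version"] == "HTTP/1.0"
            and req["target"] == "/index.php?method&len"
            and "user-agent" not in h
            and h.get("accept") == "*/*"
            and h.get("connection", "").lower() == "close")


# Vocabulary observed in the report's DNS section only (assumption: this is a
# subset of the generator's wordlist, which the report does not show).
FIRST_WORDS = {"water", "woman", "party", "smoke", "thought", "fight", "fresh",
               "experience", "gentleman", "already", "follow", "member", "begin",
               "known", "summer", "crowd"}
SECOND_WORDS = {"business", "appear", "inside", "explain", "bright", "manner",
                "another", "instead"}


def split_dictionary_host(host):
    """Return (first, second, tld) when host is <word><word>.<tld> built from the
    observed vocabulary, otherwise None."""
    label, _, tld = host.lower().rpartition(".")
    for i in range(1, len(label)):
        if label[:i] in FIRST_WORDS and label[i:] in SECOND_WORDS:
            return label[:i], label[i:], tld
    return None


def triage(raw):
    """Combine the three checks for one captured request."""
    req = parse_request(raw)
    host = req["headers"].get("host", "")
    return {"host": host, "beacon": matches_beacon(req),
            "word_pair": split_dictionary_host(host)}


if __name__ == "__main__":
    print(triage(hexdump_to_bytes(REPORT_DUMP)))
    print(triage(CONTROL_REQUEST))
```

The absence of a User-Agent header is the strongest single feature here, since the report's own HTTP lines show it empty and the pcap shows it missing; HTTP/1.0 with Connection: close narrows it further. The word-pair split is only as good as the wordlist it is given, which is why the block labels its lists as the observed vocabulary rather than a generator definition.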


Strings