Analysis Date: 2016-03-08 04:41:29
MD5: 747e8de7e57d1acfec270bae56c35e2b
SHA1: 295663629ceab23f5f063e15964b330104d65a6c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 47234ebb1cb628a158a7dc0c87dfd679, sha1: 5d23e2e1987735bdc015d40901a1120ac05c73fd, size: 160768
Section .rdata: md5: 0cd651527a4dc762fb04984ffb0097fa, sha1: 6706204ce58f202c793cdab265968c6a8a809215, size: 38400
Section .data: md5: 8c65ba6bb94c869ed8c1e3e1e15d96b0, sha1: ad9e259374fd27353baa8e268a14c016e0967959, size: 6656
Timestamp: 2015-03-13 09:08:50
Packer: Microsoft Visual C++ ?.?
PEhash: 9da19ed97f6810e19b499308199ee5c21d1a2dfc
IMPhash: f1b69b5d2e3b445273f2a76acbfabba7
AV: CA (E-Trust Ino) ➝ Gen:Variant.Rodecap.1
AV: Microsoft Security Essentials ➝ TrojanSpy:Win32/Nivdort.BI
AV: Rising ➝ No Virus
AV: Mcafee ➝ Trojan-FEVX!747E8DE7E57D
AV: MicroWorld (escan) ➝ Gen:Variant.Rodecap.1
AV: MalwareBytes ➝ Trojan.Agent
AV: Avira (antivir) ➝ TR/Crypt.XPACK.Gen2
AV: Ikarus ➝ Trojan-Spy.Win32.Nivdort
AV: Frisk (f-prot) ➝ No Virus
AV: Authentium ➝ W32/Nivdort.A.gen!Eldorado
AV: Emsisoft ➝ Gen:Variant.Rodecap.1
AV: Twister ➝ No Virus
AV: Ad-Aware ➝ Gen:Variant.Rodecap.1
AV: Zillya! ➝ Trojan.Agent.Win32.667141
AV: Kaspersky ➝ Trojan.Win32.Generic
AV: Trend Micro ➝ No Virus
AV: Alwil (avast) ➝ Kryptik-PDK [Trj]
AV: Eset (nod32) ➝ Win32/Agent.VNC
AV: Grisoft (avg) ➝ Win32/Cryptor
AV: CAT (quickheal) ➝ TrojanSpy.Nivdort.OL4
AV: VirusBlokAda (vba32) ➝ No Virus
AV: Symantec ➝ Downloader.Upatre!g15
AV: BullGuard ➝ Gen:Variant.Rodecap.1
AV: Arcabit (arcavir) ➝ Gen:Variant.Rodecap.1
AV: Fortinet ➝ W32/Rodecap.BJ!tr
AV: ClamAV ➝ No Virus
AV: BitDefender ➝ Gen:Variant.Rodecap.1
AV: Dr. Web ➝ Trojan.DownLoader19.40638
AV: K7 ➝ No Virus
AV: F-Secure ➝ Gen:Variant.Rodecap.1

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\tazmusmcydm\kyx1r4kckeyefkirv0.exe
Creates File: C:\WINDOWS\tazmusmcydm\eq6aerkn
Creates File: C:\tazmusmcydm\eq6aerkn
Deletes File: C:\WINDOWS\tazmusmcydm\eq6aerkn
Creates Process: C:\tazmusmcydm\kyx1r4kckeyefkirv0.exe

Process
↳ C:\tazmusmcydm\kyx1r4kckeyefkirv0.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Routing Acquisition Interactive Log ➝ C:\tazmusmcydm\jkzntmzplxe.exe
Creates File: C:\WINDOWS\tazmusmcydm\eq6aerkn
Creates File: C:\tazmusmcydm\jkzntmzplxe.exe
Creates File: C:\tazmusmcydm\eq6aerkn
Creates File: C:\tazmusmcydm\xkl8gbedjb5b
Deletes File: C:\WINDOWS\tazmusmcydm\eq6aerkn
Creates Process: C:\tazmusmcydm\jkzntmzplxe.exe
Creates Service: CardSpace Class Visual Font - C:\tazmusmcydm\jkzntmzplxe.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1164

Process
↳ C:\tazmusmcydm\jkzntmzplxe.exe

Creates File: C:\WINDOWS\tazmusmcydm\eq6aerkn
Creates File: pipe\net\NtControlPipe10
Creates File: C:\tazmusmcydm\corfgrra.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\tazmusmcydm\eq6aerkn
Creates File: C:\tazmusmcydm\zz4ehdc
Creates File: C:\tazmusmcydm\xkl8gbedjb5b
Deletes File: C:\WINDOWS\tazmusmcydm\eq6aerkn
Creates Process: wth0f9ud0lav "c:\tazmusmcydm\jkzntmzplxe.exe"

Process
↳ C:\tazmusmcydm\jkzntmzplxe.exe

Creates File: C:\WINDOWS\tazmusmcydm\eq6aerkn
Creates File: C:\tazmusmcydm\eq6aerkn
Deletes File: C:\WINDOWS\tazmusmcydm\eq6aerkn

Process
↳ wth0f9ud0lav "c:\tazmusmcydm\jkzntmzplxe.exe"

Creates File: C:\WINDOWS\tazmusmcydm\eq6aerkn
Creates File: C:\tazmusmcydm\eq6aerkn
Deletes File: C:\WINDOWS\tazmusmcydm\eq6aerkn

Network Details:

HTTP GET: http://windowthrown.net/index.php?method&len
User-Agent:
HTTP GET: http://winterstorm.net/index.php?method&len
User-Agent:
HTTP GET: http://finishhunger.net/index.php?method&len
User-Agent:
HTTP GET: http://possibleperiod.net/index.php?method&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1032 ➝ 64.91.240.250:80
Flows TCP: 192.168.1.1:1033 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1034 ➝ 192.64.119.216:80