Analysis Date: 2015-07-30 22:58:04
MD5: a02265db0847500a5c136699bac255c4
SHA1: 2eab42b8cf2987f4a3b120a9e13c26be1a132d78

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 8180cda4f4fcdd5e62180e592a548683 sha1: 178f0a1e8a5ae31f6cd8033715fd249722d91814 size: 157184
Section .rdata: md5: 7779d0100ea5af888ac11711270f12aa sha1: b6aa0a222979b6b18100186981429e35c728ed6f size: 37888
Section .data: md5: ce250feab34e798b0fb5c85e23997138 sha1: d1b0f53d2c22966a9f964421140125f885d20478 size: 6656
Timestamp: 2015-03-13 09:37:49
Packer: Microsoft Visual C++ ?.?
PEhash: cd7ce59694f1b5e87bd896e3af742ddd8c9a526d
IMPhash: c770dacb9eb1e8d48bfb159c528cde0c
AV Trend Micro: no_virus
AV BullGuard: Trojan.Spy.Agent.OLA
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV CAT (quickheal): Trojan.Scar.r3
AV Emsisoft: Trojan.Spy.Agent.OLA
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AV
AV Zillya!: Trojan.Scar.Win32.91819
AV Fortinet: W32/Rodecap.BJ!tr
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Mcafee: Trojan-FEVX!A02265DB0847
AV Avira (antivir): TR/Crypt.ZPACK.20849
AV ClamAV: no_virus
AV K7: Trojan ( 004bdb0b1 )
AV Alwil (avast): Kryptik-PDK [Trj]
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV VirusBlokAda (vba32): no_virus
AV Eset (nod32): Win32/Rodecap.BJ
AV Arcabit (arcavir): Trojan.Spy.Agent.OLA
AV F-Secure: Trojan.Spy.Agent.OLA
AV Padvish: no_virus
AV BitDefender: Trojan.Spy.Agent.OLA
AV Ad-Aware: Trojan.Spy.Agent.OLA
AV CA (E-Trust Ino): no_virus
AV Dr. Web: Trojan.DownLoader14.29149
AV Rising: no_virus
AV Twister: no_virus
AV MalwareBytes: Trojan.Agent
AV MicroWorld (escan): Trojan.Spy.Agent.OLA
AV Frisk (f-prot): no_virus
AV Kaspersky: Trojan.Win32.Generic

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\ehncsaaskkxjx\dh1lmnuycqi0kyqrx.exe
Creates File: C:\ehncsaaskkxjx\naamobk
Creates File: C:\WINDOWS\ehncsaaskkxjx\naamobk
Deletes File: C:\WINDOWS\ehncsaaskkxjx\naamobk
Creates Process: C:\ehncsaaskkxjx\dh1lmnuycqi0kyqrx.exe

Process
↳ C:\ehncsaaskkxjx\dh1lmnuycqi0kyqrx.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Publication Foundation Socket ➝ C:\ehncsaaskkxjx\ymnszyhx.exe
Creates File: C:\ehncsaaskkxjx\ymnszyhx.exe
Creates File: C:\ehncsaaskkxjx\naamobk
Creates File: C:\ehncsaaskkxjx\a1abuhbryu
Creates File: C:\WINDOWS\ehncsaaskkxjx\naamobk
Deletes File: C:\WINDOWS\ehncsaaskkxjx\naamobk
Creates Process: C:\ehncsaaskkxjx\ymnszyhx.exe
Creates Service: Remote Intelligent Certificate Spooler - C:\ehncsaaskkxjx\ymnszyhx.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 816

Process
↳ Pid 864

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1220

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1864

Process
↳ Pid 1156

Process
↳ C:\ehncsaaskkxjx\ymnszyhx.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\ehncsaaskkxjx\naamobk
Creates File: C:\ehncsaaskkxjx\a1abuhbryu
Creates File: C:\ehncsaaskkxjx\it0rezk
Creates File: C:\ehncsaaskkxjx\shtpobclws.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\ehncsaaskkxjx\naamobk
Deletes File: C:\WINDOWS\ehncsaaskkxjx\naamobk
Creates Process: v8kaacxwcst0 "c:\ehncsaaskkxjx\ymnszyhx.exe"

Process
↳ C:\ehncsaaskkxjx\ymnszyhx.exe

Creates File: C:\ehncsaaskkxjx\naamobk
Creates File: C:\WINDOWS\ehncsaaskkxjx\naamobk
Deletes File: C:\WINDOWS\ehncsaaskkxjx\naamobk

Process
↳ v8kaacxwcst0 "c:\ehncsaaskkxjx\ymnszyhx.exe"

Creates File: C:\ehncsaaskkxjx\naamobk
Creates File: C:\WINDOWS\ehncsaaskkxjx\naamobk
Deletes File: C:\WINDOWS\ehncsaaskkxjx\naamobk

Network Details:
