Analysis Date: 2015-08-19 19:37:49
MD5: dcb1a5e54b86c973e8cb0b659ab90fb7
SHA1: 47d233b1455bdafb7c0372b12ec4dc0a2591d2de

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: ba7661960bdae6567c769657cecc610a sha1: c732015f97cfe7c49946f190a1fc3defa28208f3 size: 163328
Section .rdata md5: 6dd962660168dd642f7d69c3d8f6f209 sha1: 3c06e0dc027eb3dc89843a76dd672375fc445ad1 size: 37888
Section .data md5: 8275a5b77464311c32817c0a9b8484db sha1: 2072618e4b78e848f0c4568e5764746d063542ae size: 7168
Timestamp: 2015-03-13 09:09:15
Packer: Microsoft Visual C++ ?.?
PEhash: 69240b2c3176d92c5e1d134ae04a61b31369cc88
IMPhash: a576a72a5cc533ec90cfd86ae351ecbe
AV Rising: 0x58f20934
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Rodecap.1
AV Dr. Web: Trojan.DownLoader13.15140
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV BullGuard: Gen:Variant.Rodecap.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Rodecap.1
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Frisk (f-prot): no_virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV MalwareBytes: Trojan.Rodecap
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AV
AV K7: Trojan ( 004bda2e1 )
AV BitDefender: Gen:Variant.Rodecap.1
AV Fortinet: W32/Rodecap.BJ!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Rodecap.BJ
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Twister: Trojan.Scar.iyzy.bcjy
AV Avira (antivir): TR/AD.Rodecap.Y.1
AV Mcafee: Trojan-FEVX!DCB1A5E54B86

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\hmsmersejxkkt\dfet1kycntgfeujcah.exe
Creates File: C:\hmsmersejxkkt\mhlfdffmcjuf
Creates File: C:\WINDOWS\hmsmersejxkkt\mhlfdffmcjuf
Deletes File: C:\WINDOWS\hmsmersejxkkt\mhlfdffmcjuf
Creates Process: C:\hmsmersejxkkt\dfet1kycntgfeujcah.exe

Process
↳ C:\hmsmersejxkkt\dfet1kycntgfeujcah.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Volume Plug Quality Input Play ➝ C:\hmsmersejxkkt\gzsegavrcdoh.exe
Creates File: C:\hmsmersejxkkt\gzsegavrcdoh.exe
Creates File: C:\hmsmersejxkkt\miqjf9ts
Creates File: C:\hmsmersejxkkt\mhlfdffmcjuf
Creates File: C:\WINDOWS\hmsmersejxkkt\mhlfdffmcjuf
Deletes File: C:\WINDOWS\hmsmersejxkkt\mhlfdffmcjuf
Creates Process: C:\hmsmersejxkkt\gzsegavrcdoh.exe
Creates Service: Removal UserMode Offline - C:\hmsmersejxkkt\gzsegavrcdoh.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1172

Process
↳ C:\hmsmersejxkkt\gzsegavrcdoh.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\hmsmersejxkkt\nxcrxvwxcxx.exe
Creates File: C:\hmsmersejxkkt\tmtegf
Creates File: C:\hmsmersejxkkt\miqjf9ts
Creates File: C:\hmsmersejxkkt\mhlfdffmcjuf
Creates File: C:\WINDOWS\hmsmersejxkkt\mhlfdffmcjuf
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\hmsmersejxkkt\mhlfdffmcjuf
Creates Process: iwutvhqxudyj "c:\hmsmersejxkkt\gzsegavrcdoh.exe"

Process
↳ C:\hmsmersejxkkt\gzsegavrcdoh.exe

Creates File: C:\hmsmersejxkkt\mhlfdffmcjuf
Creates File: C:\WINDOWS\hmsmersejxkkt\mhlfdffmcjuf
Deletes File: C:\WINDOWS\hmsmersejxkkt\mhlfdffmcjuf

Process
↳ iwutvhqxudyj "c:\hmsmersejxkkt\gzsegavrcdoh.exe"

Creates File: C:\hmsmersejxkkt\mhlfdffmcjuf
Creates File: C:\WINDOWS\hmsmersejxkkt\mhlfdffmcjuf
Deletes File: C:\WINDOWS\hmsmersejxkkt\mhlfdffmcjuf

Network Details:

DNS: finishstrong.net (Type: A) ➝ 50.63.202.14
DNS: sweettrouble.net (Type: A) ➝ 50.31.0.103
DNS: simplewonder.net (Type: A) ➝ 192.185.21.143
DNS: mountainmaster.net (Type: A) ➝ 209.17.116.7
DNS: possiblemaster.net (Type: A) ➝ 95.211.230.75
DNS: windowmaster.net (Type: A) ➝ 207.148.248.143
DNS: windowwonder.net (Type: A) ➝ 50.63.202.13
DNS: mountaintrouble.net (Type: A)
DNS: possibletrouble.net (Type: A)
DNS: mountainpresident.net (Type: A)
DNS: possiblepresident.net (Type: A)
DNS: mountaincaught.net (Type: A)
DNS: possiblecaught.net (Type: A)
DNS: perhapsstrong.net (Type: A)
DNS: windowstrong.net (Type: A)
DNS: perhapstrouble.net (Type: A)
DNS: windowtrouble.net (Type: A)
DNS: perhapspresident.net (Type: A)
DNS: windowpresident.net (Type: A)
DNS: perhapscaught.net (Type: A)
DNS: windowcaught.net (Type: A)
DNS: winterstrong.net (Type: A)
DNS: subjectstrong.net (Type: A)
DNS: wintertrouble.net (Type: A)
DNS: subjecttrouble.net (Type: A)
DNS: winterpresident.net (Type: A)
DNS: subjectpresident.net (Type: A)
DNS: wintercaught.net (Type: A)
DNS: subjectcaught.net (Type: A)
DNS: leavestrong.net (Type: A)
DNS: finishtrouble.net (Type: A)
DNS: leavetrouble.net (Type: A)
DNS: finishpresident.net (Type: A)
DNS: leavepresident.net (Type: A)
DNS: finishcaught.net (Type: A)
DNS: leavecaught.net (Type: A)
DNS: sweetstrong.net (Type: A)
DNS: probablystrong.net (Type: A)
DNS: probablytrouble.net (Type: A)
DNS: sweetpresident.net (Type: A)
DNS: probablypresident.net (Type: A)
DNS: sweetcaught.net (Type: A)
DNS: probablycaught.net (Type: A)
DNS: severalstrong.net (Type: A)
DNS: materialstrong.net (Type: A)
DNS: severaltrouble.net (Type: A)
DNS: materialtrouble.net (Type: A)
DNS: severalpresident.net (Type: A)
DNS: materialpresident.net (Type: A)
DNS: severalcaught.net (Type: A)
DNS: materialcaught.net (Type: A)
DNS: severacontinue.net (Type: A)
DNS: laughcontinue.net (Type: A)
DNS: severamaster.net (Type: A)
DNS: laughmaster.net (Type: A)
DNS: severawonder.net (Type: A)
DNS: laughwonder.net (Type: A)
DNS: severadiscover.net (Type: A)
DNS: laughdiscover.net (Type: A)
DNS: simplecontinue.net (Type: A)
DNS: mothercontinue.net (Type: A)
DNS: simplemaster.net (Type: A)
DNS: mothermaster.net (Type: A)
DNS: motherwonder.net (Type: A)
DNS: simplediscover.net (Type: A)
DNS: motherdiscover.net (Type: A)
DNS: mountaincontinue.net (Type: A)
DNS: possiblecontinue.net (Type: A)
DNS: mountainwonder.net (Type: A)
DNS: possiblewonder.net (Type: A)
DNS: mountaindiscover.net (Type: A)
DNS: possiblediscover.net (Type: A)
DNS: perhapscontinue.net (Type: A)
DNS: windowcontinue.net (Type: A)
DNS: perhapsmaster.net (Type: A)
DNS: perhapswonder.net (Type: A)
DNS: perhapsdiscover.net (Type: A)
DNS: windowdiscover.net (Type: A)
DNS: wintercontinue.net (Type: A)
DNS: subjectcontinue.net (Type: A)
DNS: wintermaster.net (Type: A)
DNS: subjectmaster.net (Type: A)
DNS: winterwonder.net (Type: A)
DNS: subjectwonder.net (Type: A)
DNS: winterdiscover.net (Type: A)
HTTP GET: http://finishstrong.net/index.php?method&len
User-Agent:
HTTP GET: http://sweettrouble.net/index.php?method&len
User-Agent:
HTTP GET: http://simplewonder.net/index.php?method&len
User-Agent:
HTTP GET: http://mountainmaster.net/index.php?method&len
User-Agent:
HTTP GET: http://possiblemaster.net/index.php?method&len
User-Agent:
HTTP GET: http://windowmaster.net/index.php?method&len
User-Agent:
HTTP GET: http://windowwonder.net/index.php?method&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 50.63.202.14:80
Flows TCP: 192.168.1.1:1032 ➝ 50.31.0.103:80
Flows TCP: 192.168.1.1:1033 ➝ 192.185.21.143:80
Flows TCP: 192.168.1.1:1034 ➝ 209.17.116.7:80
Flows TCP: 192.168.1.1:1035 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1036 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1037 ➝ 50.63.202.13:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206669 6e697368   se..Host: finish
0x00000050 (00080)   7374726f 6e672e6e 65740d0a 0d0a       strong.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207377 65657474   se..Host: sweett
0x00000050 (00080)   726f7562 6c652e6e 65740d0a 0d0a       rouble.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207369 6d706c65   se..Host: simple
0x00000050 (00080)   776f6e64 65722e6e 65740d0a 0d0a       wonder.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206d6f 756e7461   se..Host: mounta
0x00000050 (00080)   696e6d61 73746572 2e6e6574 0d0a0d0a   inmaster.net....
0x00000060 (00096)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a20706f 73736962   se..Host: possib
0x00000050 (00080)   6c656d61 73746572 2e6e6574 0d0a0d0a   lemaster.net....
0x00000060 (00096)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207769 6e646f77   se..Host: window
0x00000050 (00080)   6d617374 65722e6e 65740d0a 0d0a0d0a   master.net......
0x00000060 (00096)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207769 6e646f77   se..Host: window
0x00000050 (00080)   776f6e64 65722e6e 65740d0a 0d0a0d0a   wonder.net......
0x00000060 (00096)                                         


Strings