Analysis Date: 2015-07-23 18:52:04
MD5: 0a34f5aca121d9006804aec1e2b3dbb0
SHA1: 496d11616c1fca2d23e9956dfe740ff3fe4ac5be

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 7e11f0c034c7652aca6ed0ca76235b74 sha1: 2021a77f7c5bce887f11b2018151fe8299f659be size: 293376
Section .rdata: md5: f0a6626a9b79ec85707fc825ae8fefb9 sha1: eef5f0b7991eddfc091a72d72b72aac7a234f1b4 size: 34816
Section .data: md5: 46200416f21176a521acf0e98f0df15a sha1: b505244ed68e66a352acc25195f9bcc1b1f9f078 size: 105472
Timestamp: 2014-10-30 10:06:40
Packer: Microsoft Visual C++ ?.?
PEhash: 40e7441da3f0df02ebe0c6fe2c2eef1d9c4850ea
IMPhash: f3dd5532ed721e2ca8b49b7dc8e4b37f
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.22722
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV BullGuard: Gen:Variant.Symmi.22722
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): Trojan.Dynamer.AC3
AV Trend Micro: TSPY_NIVDORT.SMB
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Ikarus: Trojan.FBAccountLock
AV Frisk (f-prot): no_virus
AV Authentium: W32/Wonton.B2.gen!Eldorado
AV MalwareBytes: Trojan.Zbot.WHE
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV K7: no_virus
AV BitDefender: Gen:Variant.Symmi.22722
AV Fortinet: W32/Agent.VNC!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Agent.VNC
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Avira (antivir): TR/Crypt.Xpack.256913
AV Mcafee: Trojan-FEMT!0A34F5ACA121

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DHCP Profile Program Telephony WebClient ➝ C:\Documents and Settings\Administrator\Application Data\ocdjwhmfptjcfv\enllnjhf.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\ocdjwhmfptjcfv\enllnjhf.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\ocdjwhmfptjcfv\enllnjhf.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\ocdjwhmfptjcfv\enllnjhf.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\ocdjwhmfptjcfv\enllnjhf.qqi
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\ocdjwhmfptjcfv\wuhlmzgxkrg.exe
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\ocdjwhmfptjcfv\enllnjhf.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\ocdjwhmfptjcfv\enllnjhf.exe"

Network Details:

HTTP GET: http://membersystem.net/index.php?email=stephaneg@foxmail.com&method=post&len
User-Agent:
HTTP GET: http://followtrust.net/index.php?email=stephaneg@foxmail.com&method=post&len
User-Agent:
HTTP GET: http://thoughtsystem.net/index.php?email=stephaneg@foxmail.com&method=post&len
User-Agent:
HTTP GET: http://watersystem.net/index.php?email=stephaneg@foxmail.com&method=post&len
User-Agent:
HTTP GET: http://watertrust.net/index.php?email=stephaneg@foxmail.com&method=post&len
User-Agent:
HTTP GET: http://partysystem.net/index.php?email=stephaneg@foxmail.com&method=post&len
User-Agent:
HTTP GET: http://freshfriend.net/index.php?email=stephaneg@foxmail.com&method=post&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 85.13.128.193:80
Flows TCP: 192.168.1.1:1032 ➝ 68.178.232.100:80
Flows TCP: 192.168.1.1:1033 ➝ 213.171.195.105:80
Flows TCP: 192.168.1.1:1034 ➝ 199.59.243.120:80
Flows TCP: 192.168.1.1:1035 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1036 ➝ 82.165.73.79:80
Flows TCP: 192.168.1.1:1037 ➝ 95.211.230.75:80

Raw Pcap

Strings