Analysis Date: 2015-09-16 07:34:24
MD5: d08397a154b1db8b2165df95c023a38c
SHA1: 4f8e614915b1b3faecdd1fb06291d7e21e63d56d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 653154cfd4e92e9f7fcb7aa1ae8804d4 sha1: c824297cba196e70e86d3c57e3e8b7b0e8ff7d2f size: 285696
Section .rdata md5: 29ed3c8780724c124b451027026e007d sha1: d7ddde5e2220d1e10f75225b4a8a616c3c486c31 size: 42496
Section .data md5: 85799e5cbbb82d0bf8584e38dbafe0ba sha1: 5c7b2baa67095f34c5c6360908d17d3359a8d3b1 size: 7168
Section .reloc md5: be9203248dc374d1b9cf18cfe321a7f4 sha1: d356e274b4a53a9e74aa56f38666b12c796880b3 size: 23040
Timestamp: 2015-05-21 04:13:54
Packer: Microsoft Visual C++ ?.?
PEhash: e72e53294d35fc7112e992dcfe2585dfcb94b1c9
IMPhash: 2ae51f1557eda2454761b41b9f1331ee
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Diley.1
AV Dr. Web: Trojan.DownLoader15.60009
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Diley.1
AV BullGuard: Gen:Variant.Diley.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Scar.jwfu
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Diley.1
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.V.gen!Eldorado
AV MalwareBytes: Trojan.Agent.KVTGen
AV MicroWorld (escan): Gen:Variant.Diley.1
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Diley.1
AV Fortinet: W32/Babrob.Y!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Generic36.BYBY
AV Eset (nod32): Win32/Bayrob.Y
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Diley.1
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.53031
AV Mcafee: Trojan-FGIJ!D08397A154B1
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\ukeoxsd\bsq3zqrdhep
Creates File: C:\ukeoxsd\bsq3zqrdhep
Creates File: C:\ukeoxsd\hlaq1lvcsaigmdq5ej.exe
Deletes File: C:\WINDOWS\ukeoxsd\bsq3zqrdhep
Creates Process: C:\ukeoxsd\hlaq1lvcsaigmdq5ej.exe

Process
↳ C:\ukeoxsd\hlaq1lvcsaigmdq5ej.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Protocol Tracking Backup Themes PC ➝ C:\ukeoxsd\xgnjejlqd.exe
Creates File: C:\ukeoxsd\cbbwqmyhxsgk
Creates File: C:\WINDOWS\ukeoxsd\bsq3zqrdhep
Creates File: C:\ukeoxsd\xgnjejlqd.exe
Creates File: PIPE\lsarpc
Creates File: C:\ukeoxsd\bsq3zqrdhep
Deletes File: C:\WINDOWS\ukeoxsd\bsq3zqrdhep
Creates Process: C:\ukeoxsd\xgnjejlqd.exe
Creates Service: Publication NetBIOS Background Visual SSDP Policy - C:\ukeoxsd\xgnjejlqd.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1860

Process
↳ Pid 1148

Process
↳ C:\ukeoxsd\xgnjejlqd.exe

Creates File: C:\ukeoxsd\cbbwqmyhxsgk
Creates File: pipe\net\NtControlPipe10
Creates File: C:\ukeoxsd\meclbxmmi
Creates File: C:\WINDOWS\ukeoxsd\bsq3zqrdhep
Creates File: \Device\Afd\Endpoint
Creates File: C:\ukeoxsd\bsq3zqrdhep
Creates File: C:\ukeoxsd\qthsrugyeoeh.exe
Deletes File: C:\WINDOWS\ukeoxsd\bsq3zqrdhep
Creates Process: zydfvopwrzzp "c:\ukeoxsd\xgnjejlqd.exe"

Process
↳ C:\ukeoxsd\xgnjejlqd.exe

Creates File: C:\WINDOWS\ukeoxsd\bsq3zqrdhep
Creates File: C:\ukeoxsd\bsq3zqrdhep
Deletes File: C:\WINDOWS\ukeoxsd\bsq3zqrdhep

Process
↳ zydfvopwrzzp "c:\ukeoxsd\xgnjejlqd.exe"

Creates File: C:\WINDOWS\ukeoxsd\bsq3zqrdhep
Creates File: C:\ukeoxsd\bsq3zqrdhep
Deletes File: C:\WINDOWS\ukeoxsd\bsq3zqrdhep

Network Details:
