Analysis Date: 2015-08-27 08:52:35
MD5: 7d1f68285b750d113fa8e95055d75da8
SHA1: 577dee7a93d7042f58c81cb9e59ceeffe37bdf5c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: b95b6963d829d86ff1ff1e6a709e5a84 sha1: 58964b58071e6d75ab250b099e5e8f7a34ba0f8d size: 164352
Section .rdata: md5: 6fb08ed8e00197043a3e4e869400529a sha1: b089460ce8661c3e955d6d6f3716224780919a03 size: 38912
Section .data: md5: 7fdbc444c341b68266d0dc5ec4f83ce7 sha1: 33dc25877a590dd333e77bc5b8535669fffdd17f size: 6656
Timestamp: 2015-03-13 09:18:49
Packer: Microsoft Visual C++ ?.?
PEhash: e4380e316cf07915d51a2c52b73606ff656651bf
IMPhash: 2fb9417073e5885dce4c383a8f8d8044
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Rodecap.1
AV Dr. Web: Trojan.DownLoader13.8239
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV BullGuard: Gen:Variant.Rodecap.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: no_virus
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Rodecap.1
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Frisk (f-prot): no_virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV MalwareBytes: Trojan.Agent
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV Microsoft Security Essentials: no_virus
AV K7: Trojan ( 004bdb0b1 )
AV BitDefender: Gen:Variant.Rodecap.1
AV Fortinet: W32/Rodecap.BJ!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Rodecap.BJ
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Twister: no_virus
AV Avira (antivir): TR/AD.Rodecap.Y.4
AV Mcafee: Trojan-FEVX!7D1F68285B75

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\hnxipxxuehsuls\igzf5dl
Creates File: C:\WINDOWS\hnxipxxuehsuls\igzf5dl
Creates File: C:\hnxipxxuehsuls\mzne1mh1bpke1z7ws.exe
Deletes File: C:\WINDOWS\hnxipxxuehsuls\igzf5dl
Creates Process: C:\hnxipxxuehsuls\mzne1mh1bpke1z7ws.exe

Process
↳ C:\hnxipxxuehsuls\mzne1mh1bpke1z7ws.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Protection Controls Coordinator ➝ C:\hnxipxxuehsuls\kxqdaqcb.exe
Creates File: C:\hnxipxxuehsuls\igzf5dl
Creates File: C:\hnxipxxuehsuls\kxqdaqcb.exe
Creates File: C:\hnxipxxuehsuls\xkajcpulam
Creates File: C:\WINDOWS\hnxipxxuehsuls\igzf5dl
Deletes File: C:\WINDOWS\hnxipxxuehsuls\igzf5dl
Creates Process: C:\hnxipxxuehsuls\kxqdaqcb.exe
Creates Service: Background Gateway Brightness NetBIOS - C:\hnxipxxuehsuls\kxqdaqcb.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1864

Process
↳ Pid 1184

Process
↳ C:\hnxipxxuehsuls\kxqdaqcb.exe

Creates File: C:\hnxipxxuehsuls\pbkevqtw
Creates File: C:\hnxipxxuehsuls\igzf5dl
Creates File: pipe\net\NtControlPipe10
Creates File: C:\hnxipxxuehsuls\xkajcpulam
Creates File: C:\WINDOWS\hnxipxxuehsuls\igzf5dl
Creates File: \Device\Afd\Endpoint
Creates File: C:\hnxipxxuehsuls\tgsbvrprjpef.exe
Deletes File: C:\WINDOWS\hnxipxxuehsuls\igzf5dl
Creates Process: llmno11cncjz "c:\hnxipxxuehsuls\kxqdaqcb.exe"

Process
↳ C:\hnxipxxuehsuls\kxqdaqcb.exe

Creates File: C:\hnxipxxuehsuls\igzf5dl
Creates File: C:\WINDOWS\hnxipxxuehsuls\igzf5dl
Deletes File: C:\WINDOWS\hnxipxxuehsuls\igzf5dl

Process
↳ llmno11cncjz "c:\hnxipxxuehsuls\kxqdaqcb.exe"

Creates File: C:\hnxipxxuehsuls\igzf5dl
Creates File: C:\WINDOWS\hnxipxxuehsuls\igzf5dl
Deletes File: C:\WINDOWS\hnxipxxuehsuls\igzf5dl

Network Details:

DNS: possibleperiod.net
Type: A
192.64.119.216
DNS: finishperiod.net
Type: A
50.63.202.32
DNS: severadifference.net
Type: A
95.211.230.75
DNS: simpledifference.net
Type: A
31.22.4.18
HTTP GET: http://possibleperiod.net/index.php?method&len
User-Agent:
HTTP GET: http://finishperiod.net/index.php?method&len
User-Agent:
HTTP GET: http://severadifference.net/index.php?method&len
User-Agent:
HTTP GET: http://simpledifference.net/index.php?method&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 192.64.119.216:80
Flows TCP: 192.168.1.1:1032 ➝ 50.63.202.32:80
Flows TCP: 192.168.1.1:1033 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1034 ➝ 31.22.4.18:80

Raw Pcap
Strings