Analysis Date: 2015-09-28 03:01:08
MD5: 67cfa59f397d2e19798002661a50335b
SHA1: 5b649e3f74ac6c7c6b61d226435bb5285840d73b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: bc6b61cbb608387ff528842fbf579014 sha1: 72b8d59b9ef506630fea71320e5df6bb8da2e3a6 size: 164864
Section .rdata: md5: a955988c620388a98ef8ef6350732869 sha1: e547f292b5b63f4cc361a0721de36c13fa85493a size: 39936
Section .data: md5: daddc214c4b202370f0921d5bc610fca sha1: 7fce81f1c260f5a0a743fdaa955afd76b59e752c size: 7168
Timestamp: 2015-03-13 09:17:16
Packer: Microsoft Visual C++ ?.?
PEhash: 079091a4b2edb9080d033db72492952061107da5
IMPhash: fc3efcfa2a30f83d68d119e2e11e402b
AV BitDefender: Gen:Variant.Rodecap.1
AV Eset (nod32): Win32/Rodecap.BJ
AV Emsisoft: Gen:Variant.Rodecap.1
AV F-Secure: Gen:Variant.Rodecap.1
AV CAT (quickheal): Trojan.Scar.r3
AV VirusBlokAda (vba32): no_virus
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Ad-Aware: Gen:Variant.Rodecap.1
AV BullGuard: Gen:Variant.Rodecap.1
AV Mcafee: RDN/Generic.dx!drc
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV Dr. Web: Trojan.DownLoader13.20593
AV Trend Micro: TROJ_GE.30E50BA3
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AV
AV Frisk (f-prot): no_virus
AV Grisoft (avg): Win32/Cryptor
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV Symantec: Downloader.Upatre!g15
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Twister: no_virus
AV Padvish: no_virus
AV MalwareBytes: Trojan.Agent
AV ClamAV: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV Kaspersky: Trojan.Win32.Generic
AV Authentium: W32/Scar.U.gen!Eldorado
AV Fortinet: W32/Rodecap.BJ!tr
AV Zillya!: no_virus
AV K7: Trojan ( 004bdb0b1 )

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\qyajaam\hegddppogiao
Creates File: C:\qyajaam\esk2e23wghszj0ottqng.exe
Creates File: C:\qyajaam\hegddppogiao
Deletes File: C:\WINDOWS\qyajaam\hegddppogiao
Creates Process: C:\qyajaam\esk2e23wghszj0ottqng.exe

Process
↳ C:\qyajaam\esk2e23wghszj0ottqng.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Interactive Launcher Power ➝ C:\qyajaam\xguuvtiinw.exe
Creates File: C:\WINDOWS\qyajaam\hegddppogiao
Creates File: C:\qyajaam\xguuvtiinw.exe
Creates File: C:\qyajaam\hegddppogiao
Creates File: C:\qyajaam\xhwrke
Deletes File: C:\WINDOWS\qyajaam\hegddppogiao
Creates Process: C:\qyajaam\xguuvtiinw.exe
Creates Service: Presentation Background - C:\qyajaam\xguuvtiinw.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\5B649E3F74AC6C7C6B61D226435BB-19981B83.pf
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\FUDEGCOBFF.EXE-00A72B04.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\XGUUVTIINW.EXE-0F238120.pf
Creates File: C:\WINDOWS\Prefetch\ESK2E23WGHSZJ0OTTQNG.EXE-24358F68.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1116

Process
↳ Pid 1212

Process
↳ Pid 1320

Process
↳ Pid 1864

Process
↳ Pid 264

Process
↳ C:\qyajaam\xguuvtiinw.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\qyajaam\fudegcobff.exe
Creates File: C:\WINDOWS\qyajaam\hegddppogiao
Creates File: \Device\Afd\Endpoint
Creates File: C:\qyajaam\hegddppogiao
Creates File: C:\qyajaam\tvzuvogmwxgr
Creates File: C:\qyajaam\xhwrke
Deletes File: C:\WINDOWS\qyajaam\hegddppogiao
Creates Process: btfhu6clijft "c:\qyajaam\xguuvtiinw.exe"

Process
↳ C:\qyajaam\xguuvtiinw.exe

Creates File: C:\WINDOWS\qyajaam\hegddppogiao
Creates File: C:\qyajaam\hegddppogiao
Deletes File: C:\WINDOWS\qyajaam\hegddppogiao

Process
↳ btfhu6clijft "c:\qyajaam\xguuvtiinw.exe"

Creates File: C:\WINDOWS\qyajaam\hegddppogiao
Creates File: C:\qyajaam\hegddppogiao
Deletes File: C:\WINDOWS\qyajaam\hegddppogiao

Network Details:

DNS: increasebeing.net (Type: A) ➝ 95.211.230.75
DNS: rememberforever.net (Type: A) ➝ 188.40.1.55
DNS: littleflower.net (Type: A) ➝ 62.116.130.8
DNS: littleminute.net (Type: A) ➝ 74.220.199.8
HTTP GET: http://increasebeing.net/index.php?method&len
User-Agent:
HTTP GET: http://rememberforever.net/index.php?method&len
User-Agent:
HTTP GET: http://littleflower.net/index.php?method&len
User-Agent:
HTTP GET: http://littleminute.net/index.php?method&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1032 ➝ 188.40.1.55:80
Flows TCP: 192.168.1.1:1033 ➝ 62.116.130.8:80
Flows TCP: 192.168.1.1:1034 ➝ 74.220.199.8:80
