Analysis Date: 2016-03-01 00:27:31
MD5: 71f52eecbc72dffaa0b11fa590f6063b
SHA1: 5e61f6777863aa044eecc3383ef31f5c23dfc09d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 41dcc9d702bb790cbae02d308cf349b4  sha1: 08ddd5ccebf114f74585f623a82d1172101a5bd6  size: 160768
Section .rdata  md5: 6b168219afcc5432ec15e6d3ef5819a0  sha1: b42a0ceb99fef5e6f795c25144fb66538868e85a  size: 38400
Section .data   md5: 8c65ba6bb94c869ed8c1e3e1e15d96b0  sha1: ad9e259374fd27353baa8e268a14c016e0967959  size: 6656
Timestamp: 2015-03-13 09:08:50
Packer: Microsoft Visual C++ ?.?
PEhash: 9da19ed97f6810e19b499308199ee5c21d1a2dfc
IMPhash: f1b69b5d2e3b445273f2a76acbfabba7
AV F-Secure: Gen:Variant.Rodecap.1
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Grisoft (avg): Win32/Cryptor
AV CAT (quickheal): TrojanSpy.Nivdort.OL4
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV K7: No Virus
AV ClamAV: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV MalwareBytes: Trojan.Agent
AV Dr. Web: No Virus
AV Mcafee: Trojan-FEVX!71F52EECBC72
AV BitDefender: Gen:Variant.Rodecap.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BI
AV Emsisoft: Gen:Variant.Rodecap.1
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV Alwil (avast): Kryptik-PDK [Trj]
AV Rising: No Virus
AV Eset (nod32): Win32/Agent.VNC
AV BullGuard: Gen:Variant.Rodecap.1
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Rodecap.BJ!tr
AV Trend Micro: No Virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Twister: No Virus
AV Frisk (f-prot): No Virus
AV VirusBlokAda (vba32): No Virus
AV CA (E-Trust Ino): Gen:Variant.Rodecap.1
AV Zillya!: No Virus

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\jqlgjxxjsebdzi\gpbp0ezbx
Creates File: C:\jqlgjxxjsebdzi\miqt1ln3gqbktiuu3n7i.exe
Creates File: C:\WINDOWS\jqlgjxxjsebdzi\gpbp0ezbx
Deletes File: C:\WINDOWS\jqlgjxxjsebdzi\gpbp0ezbx
Creates Process: C:\jqlgjxxjsebdzi\miqt1ln3gqbktiuu3n7i.exe

Process
↳ C:\jqlgjxxjsebdzi\miqt1ln3gqbktiuu3n7i.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Print Defragmenter Distributed ➝ C:\jqlgjxxjsebdzi\lvhyxcutosz.exe
Creates File: C:\jqlgjxxjsebdzi\zgbfeimjs
Creates File: C:\jqlgjxxjsebdzi\gpbp0ezbx
Creates File: C:\jqlgjxxjsebdzi\lvhyxcutosz.exe
Creates File: C:\WINDOWS\jqlgjxxjsebdzi\gpbp0ezbx
Deletes File: C:\WINDOWS\jqlgjxxjsebdzi\gpbp0ezbx
Creates Process: C:\jqlgjxxjsebdzi\lvhyxcutosz.exe
Creates Service: Process Coordinator Plug Gateway - C:\jqlgjxxjsebdzi\lvhyxcutosz.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1840

Process
↳ Pid 1136

Process
↳ C:\jqlgjxxjsebdzi\lvhyxcutosz.exe

Creates File: C:\jqlgjxxjsebdzi\wxzsxronvj
Creates File: pipe\net\NtControlPipe10
Creates File: C:\jqlgjxxjsebdzi\zgbfeimjs
Creates File: C:\jqlgjxxjsebdzi\gpbp0ezbx
Creates File: \Device\Afd\Endpoint
Creates File: C:\jqlgjxxjsebdzi\mpcgrlt.exe
Creates File: C:\WINDOWS\jqlgjxxjsebdzi\gpbp0ezbx
Deletes File: C:\WINDOWS\jqlgjxxjsebdzi\gpbp0ezbx
Creates Process: tcbrd4tgnlgo "c:\jqlgjxxjsebdzi\lvhyxcutosz.exe"

Process
↳ C:\jqlgjxxjsebdzi\lvhyxcutosz.exe

Creates File: C:\jqlgjxxjsebdzi\gpbp0ezbx
Creates File: C:\WINDOWS\jqlgjxxjsebdzi\gpbp0ezbx
Deletes File: C:\WINDOWS\jqlgjxxjsebdzi\gpbp0ezbx

Process
↳ tcbrd4tgnlgo "c:\jqlgjxxjsebdzi\lvhyxcutosz.exe"

Creates File: C:\jqlgjxxjsebdzi\gpbp0ezbx
Creates File: C:\WINDOWS\jqlgjxxjsebdzi\gpbp0ezbx
Deletes File: C:\WINDOWS\jqlgjxxjsebdzi\gpbp0ezbx
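The runtime section above is a flat list of labelled events, and the actionable part of it is easy to miss: the first stage drops a second executable into a random-looking directory directly under the drive root, that stage drops a third executable and registers it twice, once as a Run value under HKLM and once as a service, and the registered file is one the sample itself wrote. The following is an added Python example, not part of the original report or of any sandbox's code, that parses lines in this report's format (accepting both the `Label: value` form and the unseparated `Labelvalue` form the raw page extraction produced) into per-process events, lists the directories the sample wrote into, and flags exactly that double-registration pattern. The input is a constructed subset of the lines above; all function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the runtime lines from the report above, written
# in the "Label: value" form. LINE_RE also accepts the unseparated "Labelvalue"
# form that the raw page extraction produced.
REPORT = """\
Process
↳ C:\\malware.exe
Creates File: C:\\jqlgjxxjsebdzi\\gpbp0ezbx
Creates File: C:\\jqlgjxxjsebdzi\\miqt1ln3gqbktiuu3n7i.exe
Creates File: C:\\WINDOWS\\jqlgjxxjsebdzi\\gpbp0ezbx
Deletes File: C:\\WINDOWS\\jqlgjxxjsebdzi\\gpbp0ezbx
Creates Process: C:\\jqlgjxxjsebdzi\\miqt1ln3gqbktiuu3n7i.exe

Process
↳ C:\\jqlgjxxjsebdzi\\miqt1ln3gqbktiuu3n7i.exe
Registry: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Print Defragmenter Distributed ➝ C:\\jqlgjxxjsebdzi\\lvhyxcutosz.exe
Creates File: C:\\jqlgjxxjsebdzi\\lvhyxcutosz.exe
Creates Process: C:\\jqlgjxxjsebdzi\\lvhyxcutosz.exe
Creates Service: Process Coordinator Plug Gateway - C:\\jqlgjxxjsebdzi\\lvhyxcutosz.exe

Process
↳ C:\\WINDOWS\\system32\\spoolsv.exe
Registry: HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Print\\BeepEnabled ➝ NULL
"""

LINE_RE = re.compile(
    r"^(Creates File|Deletes File|Creates Process|Creates Service|Registry):?\s*(.*)$"
)
# A Run value in this report looks like "...\CurrentVersion\Run\<value name> ➝ <command>".
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\[^\\➝]+➝\s*(.+)$", re.IGNORECASE)
EXE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def parse_runtime(text):
    """Map each '↳ process' header to the labelled events listed under it."""
    events = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("↳"):
            current = line[1:].strip()
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            events[current].append((m.group(1), m.group(2).strip()))
    return dict(events)


def exe_of(value):
    """Executable path from a Run command or a 'Service Name - path' line, lowercased."""
    m = EXE_RE.search(value)
    return m.group(1).lower() if m else None


def drop_directories(events):
    """Directories the sample wrote into. A random-looking directory directly under
    the drive root (C:\\jqlgjxxjsebdzi here) is itself a usable host IOC."""
    dirs = set()
    for evs in events.values():
        for label, value in evs:
            if label == "Creates File" and "\\" in value:
                dirs.add(value.rsplit("\\", 1)[0].lower())
    return sorted(dirs)


def find_persistence(events):
    """Flag executables registered both as a Run value and as a service, and note
    whether the sample itself dropped them (rather than pointing at an existing file)."""
    dropped = {v.lower() for evs in events.values()
               for label, v in evs if label == "Creates File"}
    run_targets, svc_targets = {}, {}
    for proc, evs in events.items():
        for label, value in evs:
            exe = exe_of(value)
            if exe is None:
                continue
            if label == "Registry" and RUN_KEY_RE.search(value):
                run_targets[exe] = proc
            elif label == "Creates Service":
                svc_targets[exe] = value.split(" - ", 1)[0]
    return [{
        "exe": exe,
        "run_value_written_by": run_targets[exe],
        "service_name": svc_targets[exe],
        "dropped_by_sample": exe in dropped,
    } for exe in sorted(run_targets.keys() & svc_targets.keys())]


if __name__ == "__main__":
    ev = parse_runtime(REPORT)
    print("drop dirs:", drop_directories(ev))
    for hit in find_persistence(ev):
        print("persistence:", hit)
```

The same two-signal rule (Run value plus service pointing at one freshly written binary) transfers directly to Sysmon or EDR telemetry: join registry-set events on the Run key with service-install events on `ImagePath`, and require that the target was created by the same process tree within the session.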

Network Details:

DNS: finishstrong.net  Type: A  ➝ 50.63.202.14
DNS: sweettrouble.net  Type: A  ➝ 50.31.0.103
DNS: laughcontinue.net  Type: A  ➝ 195.22.26.248
DNS: severamaster.net  Type: A  ➝ 208.100.26.234
DNS: simplewonder.net  Type: A  ➝ 66.96.149.32
DNS: motherwonder.net  Type: A  ➝ 50.87.148.196
DNS: mountainmaster.net  Type: A  ➝ 209.17.116.7
DNS: windowmaster.net  Type: A  ➝ 207.148.248.143
DNS: windowwonder.net  Type: A  ➝ 50.63.202.13
DNS: perhapsdiscover.net  Type: A  ➝ 195.22.28.196
DNS: perhapsdiscover.net  Type: A  ➝ 195.22.28.197
DNS: perhapsdiscover.net  Type: A  ➝ 195.22.28.198
DNS: perhapsdiscover.net  Type: A  ➝ 195.22.28.199
DNS: mountainpresident.net  Type: A
DNS: possiblepresident.net  Type: A
DNS: mountaincaught.net  Type: A
DNS: possiblecaught.net  Type: A
DNS: perhapsstrong.net  Type: A
DNS: windowstrong.net  Type: A
DNS: perhapstrouble.net  Type: A
DNS: windowtrouble.net  Type: A
DNS: perhapspresident.net  Type: A
DNS: windowpresident.net  Type: A
DNS: perhapscaught.net  Type: A
DNS: windowcaught.net  Type: A
DNS: winterstrong.net  Type: A
DNS: subjectstrong.net  Type: A
DNS: wintertrouble.net  Type: A
DNS: subjecttrouble.net  Type: A
DNS: winterpresident.net  Type: A
DNS: subjectpresident.net  Type: A
DNS: wintercaught.net  Type: A
DNS: subjectcaught.net  Type: A
DNS: leavestrong.net  Type: A
DNS: finishtrouble.net  Type: A
DNS: leavetrouble.net  Type: A
DNS: finishpresident.net  Type: A
DNS: leavepresident.net  Type: A
DNS: finishcaught.net  Type: A
DNS: leavecaught.net  Type: A
DNS: sweetstrong.net  Type: A
DNS: probablystrong.net  Type: A
DNS: probablytrouble.net  Type: A
DNS: sweetpresident.net  Type: A
DNS: probablypresident.net  Type: A
DNS: sweetcaught.net  Type: A
DNS: probablycaught.net  Type: A
DNS: severalstrong.net  Type: A
DNS: materialstrong.net  Type: A
DNS: severaltrouble.net  Type: A
DNS: materialtrouble.net  Type: A
DNS: severalpresident.net  Type: A
DNS: materialpresident.net  Type: A
DNS: severalcaught.net  Type: A
DNS: materialcaught.net  Type: A
DNS: severacontinue.net  Type: A
DNS: laughmaster.net  Type: A
DNS: severawonder.net  Type: A
DNS: laughwonder.net  Type: A
DNS: severadiscover.net  Type: A
DNS: laughdiscover.net  Type: A
DNS: simplecontinue.net  Type: A
DNS: mothercontinue.net  Type: A
DNS: simplemaster.net  Type: A
DNS: mothermaster.net  Type: A
DNS: simplediscover.net  Type: A
DNS: motherdiscover.net  Type: A
DNS: mountaincontinue.net  Type: A
DNS: possiblecontinue.net  Type: A
DNS: possiblemaster.net  Type: A
DNS: mountainwonder.net  Type: A
DNS: possiblewonder.net  Type: A
DNS: mountaindiscover.net  Type: A
DNS: possiblediscover.net  Type: A
DNS: perhapscontinue.net  Type: A
DNS: windowcontinue.net  Type: A
DNS: perhapsmaster.net  Type: A
DNS: perhapswonder.net  Type: A
DNS: windowdiscover.net  Type: A
DNS: wintercontinue.net  Type: A
DNS: subjectcontinue.net  Type: A
DNS: wintermaster.net  Type: A
DNS: subjectmaster.net  Type: A
DNS: winterwonder.net  Type: A
DNS: subjectwonder.net  Type: A
DNS: winterdiscover.net  Type: A
DNS: subjectdiscover.net  Type: A
DNS: finishcontinue.net  Type: A
HTTP GET: http://finishstrong.net/index.php?method&len  User-Agent: (empty)
HTTP GET: http://sweettrouble.net/index.php?method&len  User-Agent: (empty)
HTTP GET: http://laughcontinue.net/index.php?method&len  User-Agent: (empty)
HTTP GET: http://severamaster.net/index.php?method&len  User-Agent: (empty)
HTTP GET: http://simplewonder.net/index.php?method&len  User-Agent: (empty)
HTTP GET: http://motherwonder.net/index.php?method&len  User-Agent: (empty)
HTTP GET: http://mountainmaster.net/index.php?method&len  User-Agent: (empty)
HTTP GET: http://windowmaster.net/index.php?method&len  User-Agent: (empty)
HTTP GET: http://windowwonder.net/index.php?method&len  User-Agent: (empty)
HTTP GET: http://perhapsdiscover.net/index.php?method&len  User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 50.63.202.14:80
Flows TCP: 192.168.1.1:1032 ➝ 50.31.0.103:80
Flows TCP: 192.168.1.1:1033 ➝ 195.22.26.248:80
Flows TCP: 192.168.1.1:1034 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1035 ➝ 66.96.149.32:80
Flows TCP: 192.168.1.1:1036 ➝ 50.87.148.196:80
Flows TCP: 192.168.1.1:1037 ➝ 209.17.116.7:80
Flows TCP: 192.168.1.1:1038 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1039 ➝ 50.63.202.13:80
Flows TCP: 192.168.1.1:1040 ➝ 195.22.28.196:80
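Every name the sample queried is two dictionary words joined under .net, most of the lookups returned no answer, and the sample then sent an identical GET /index.php?method&len with an empty User-Agent to each of the ten names that did resolve, in the order they resolved. That is the shape of a dictionary-based domain generation algorithm, and the useful detection is on the pattern rather than on the ten literal hostnames. The following added Python example (not from the report, the sandbox, or any published analysis of this family) reconstructs the two word lists from the lookups on this page, flags word-pair .net lookups written in this report's DNS line format, separates resolved names from unresolved ones, expands the word lists into a watchlist, and matches the beacon request shape. Assumptions: the word lists are limited to what is visible on this page (the real generator may use more), "severa" is kept exactly as the page shows it alongside "several", and the sample DNS lines are constructed, including two benign-looking names that must not fire.

```python
import re
from itertools import product
from urllib.parse import parse_qs, urlsplit

# Word lists reconstructed from the lookups listed on this page. This is an
# assumption for the example: the real generator may use a larger vocabulary.
# "severa" is kept as the report shows it, alongside "several".
FIRST = ["finish", "sweet", "laugh", "severa", "several", "simple", "mother",
         "mountain", "window", "perhaps", "possible", "winter", "subject",
         "leave", "probably", "material"]
SECOND = ["strong", "trouble", "continue", "master", "wonder", "discover",
          "president", "caught"]

# Constructed sample in the report's DNS line format: five names from the page
# and two benign-looking names that must not fire.
DNS_LINES = """\
DNS: finishstrong.net  Type: A  ➝ 50.63.202.14
DNS: sweettrouble.net  Type: A  ➝ 50.31.0.103
DNS: severamaster.net  Type: A  ➝ 208.100.26.234
DNS: mountainpresident.net  Type: A
DNS: severalstrong.net  Type: A
DNS: windowsupdate.net  Type: A  ➝ 203.0.113.5
DNS: strongwinter.net  Type: A
"""

DNS_RE = re.compile(r"^DNS:?\s*(\S+)\s+Type:\s*(\w+)(?:\s*➝\s*(\S+))?")


def split_words(label):
    """(first, second) if the label is exactly one FIRST word followed by one
    SECOND word, else None. Every FIRST word is tried because 'severa' is a
    prefix of 'several' and a longest-match rule would miss 'severalstrong'."""
    for w1 in FIRST:
        if label.startswith(w1) and label[len(w1):] in SECOND:
            return (w1, label[len(w1):])
    return None


def is_wordpair_domain(name):
    label, _, tld = name.lower().rpartition(".")
    return tld == "net" and split_words(label) is not None


def classify_queries(text):
    """Word-pair A lookups in order of appearance, and the subset that resolved.
    For a dictionary DGA most candidates are unregistered, so the resolved
    names are the ones worth pivoting on."""
    flagged, resolved = [], {}
    for line in text.splitlines():
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        name, rtype, ip = m.groups()
        if rtype.upper() != "A" or not is_wordpair_domain(name):
            continue
        flagged.append(name)
        if ip:
            resolved[name] = ip
    return flagged, resolved


def candidate_watchlist():
    """Every FIRST x SECOND pairing under .net: a hunting list for DNS logs,
    not a block list on its own."""
    return sorted(f"{a}{b}.net" for a, b in product(FIRST, SECOND))


def is_beacon_request(url, user_agent):
    """The GET shape seen on this page: /index.php with the bare query keys
    'method' and 'len' (no values) and an empty User-Agent header."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    return (parts.path == "/index.php"
            and set(qs) == {"method", "len"}
            and all(v == [""] for v in qs.values())
            and not user_agent.strip())


if __name__ == "__main__":
    flagged, resolved = classify_queries(DNS_LINES)
    print("word-pair lookups:", flagged)
    print("resolved:", resolved)
    print("watchlist size:", len(candidate_watchlist()))
```

Treat a word-pair lookup that never resolved as circumstantial: legitimate two-word .net domains exist, and some of the resolved addresses above may be parked or sinkholed rather than live infrastructure. The actionable signal is the conjunction: a burst of such lookups from one host, followed by the bare-query GET with no User-Agent to whichever names resolved.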


Strings