Analysis Date: 2015-08-12 03:08:34
MD5: 6de6321a4a80572aac277a9136075d8c
SHA1: 612ca6b0bf769a15e0252cc4eba37ef7f4bf60de

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 41fd62c5c2c732a4206063a445252f54 sha1: 8d940425bb2ba586bfb0dc7c313ecbf75f97f84b size: 161280
Section .rdata: md5: 0da9ceab0ba6a8af030a3a242b3fc078 sha1: e72732cccc32137b0f4866ea74101d7737fea691 size: 39936
Section .data: md5: aee2119f5a4bc24d8d379158b7a83cfa sha1: 6c9ad86a818eb5c181dc20ce3d56de17f8cf98df size: 7168
Timestamp: 2015-03-13 09:26:37
Packer: Microsoft Visual C++ ?.?
PEhash: a4b432f22495691aeb9db6531fd08529db3f912e
IMPhash: d29446a09275467c1386df60d7edf4ef
AV CA (E-Trust Ino): no_virus
AV Rising: 0x58e8bb09
AV Mcafee: Trojan-FEVX!6DE6321A4A80
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Rodecap.BJ
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Rodecap.BJ!tr
AV BitDefender: Gen:Variant.Rodecap.1
AV K7: Trojan ( 004bda2e1 )
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV MalwareBytes: Trojan.Agent
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Rodecap
AV Emsisoft: Gen:Variant.Rodecap.1
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Rodecap.1
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader14.729
AV F-Secure: Gen:Variant.Rodecap.1

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\cbncsyoiyogog\wmqdt1ldjyqiyl0osgwr.exe
Creates File: C:\cbncsyoiyogog\ycjf8lc7v
Creates File: C:\WINDOWS\cbncsyoiyogog\ycjf8lc7v
Deletes File: C:\WINDOWS\cbncsyoiyogog\ycjf8lc7v
Creates Process: C:\cbncsyoiyogog\wmqdt1ldjyqiyl0osgwr.exe

Process
↳ C:\cbncsyoiyogog\wmqdt1ldjyqiyl0osgwr.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\File Connections Port Detection ➝ C:\cbncsyoiyogog\shguwkpjlz.exe
Creates File: C:\cbncsyoiyogog\ycjf8lc7v
Creates File: C:\cbncsyoiyogog\caapfxd
Creates File: C:\cbncsyoiyogog\shguwkpjlz.exe
Creates File: C:\WINDOWS\cbncsyoiyogog\ycjf8lc7v
Deletes File: C:\WINDOWS\cbncsyoiyogog\ycjf8lc7v
Creates Process: C:\cbncsyoiyogog\shguwkpjlz.exe
Creates Service: RPC Copy Image Ordering Shell - C:\cbncsyoiyogog\shguwkpjlz.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 816

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1880

Process
↳ Pid 1184

Process
↳ C:\cbncsyoiyogog\shguwkpjlz.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\cbncsyoiyogog\rweubgt.exe
Creates File: C:\cbncsyoiyogog\ycjf8lc7v
Creates File: \Device\Afd\Endpoint
Creates File: C:\cbncsyoiyogog\uxvi3rji
Creates File: C:\cbncsyoiyogog\caapfxd
Creates File: C:\WINDOWS\cbncsyoiyogog\ycjf8lc7v
Deletes File: C:\WINDOWS\cbncsyoiyogog\ycjf8lc7v
Creates Process: n0m3vs2uqgxb "c:\cbncsyoiyogog\shguwkpjlz.exe"

Process
↳ C:\cbncsyoiyogog\shguwkpjlz.exe

Creates File: C:\cbncsyoiyogog\ycjf8lc7v
Creates File: C:\WINDOWS\cbncsyoiyogog\ycjf8lc7v
Deletes File: C:\WINDOWS\cbncsyoiyogog\ycjf8lc7v

Process
↳ n0m3vs2uqgxb "c:\cbncsyoiyogog\shguwkpjlz.exe"

Creates File: C:\cbncsyoiyogog\ycjf8lc7v
Creates File: C:\WINDOWS\cbncsyoiyogog\ycjf8lc7v
Deletes File: C:\WINDOWS\cbncsyoiyogog\ycjf8lc7v

Network Details:
