Analysis Date: 2015-10-08 09:13:19
MD5: 50c64d81aed3a823891081b864f3e3a1
SHA1: 62c991c8c984f1e6620489b79762e8d97480d696

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 69601d13a71acfdfb7c7b9b844cdb90d sha1: cc19311667e1d7bf94d835f156cc127cd0acb377 size: 162816
Section .rdata: md5: 6ac6dbf684b70e12da56fb0c872c2ded sha1: 38f2b9bdbad60dc46e69474ade39aec94efd1c72 size: 37888
Section .data: md5: de90b591c9c44645a34e6ea194b2ca84 sha1: 3a311d964ada14b6bb02ca98e4cac88f2ca2bf4f size: 7168
Timestamp: 2015-03-13 09:09:46
Packer: Microsoft Visual C++ ?.?
PEhash: eaa4b3cd0c24ed8c4abb0f5fbcb3418139da4285
IMPhash: ffc2123e64113eaba4842baef898f366
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Rodecap.1
AV Dr. Web: Trojan.DownLoader16.34611
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV BullGuard: Gen:Variant.Rodecap.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.Rodecap.Win32.2181
AV Emsisoft: Gen:Variant.Rodecap.1
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Frisk (f-prot): no_virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV MalwareBytes: Trojan.Agent
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AV
AV K7: Trojan ( 004bda2e1 )
AV BitDefender: Gen:Variant.Rodecap.1
AV Fortinet: W32/Rodecap.BJ!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Rodecap.BJ
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.64207
AV Mcafee: Trojan-FEVX!50C64D81AED3

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\zufvotjmtonjsyf\eql1khfmivzbmd2hm.exe
Creates File: C:\zufvotjmtonjsyf\eqakjoffbs
Creates File: C:\WINDOWS\zufvotjmtonjsyf\eqakjoffbs
Deletes File: C:\WINDOWS\zufvotjmtonjsyf\eqakjoffbs
Creates Process: C:\zufvotjmtonjsyf\eql1khfmivzbmd2hm.exe

Process
↳ C:\zufvotjmtonjsyf\eql1khfmivzbmd2hm.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Card Redirector Tunneling Layer Internet ➝ C:\zufvotjmtonjsyf\dkvcohawso.exe
Creates File: C:\zufvotjmtonjsyf\dkvcohawso.exe
Creates File: C:\zufvotjmtonjsyf\jeovoh
Creates File: C:\zufvotjmtonjsyf\eqakjoffbs
Creates File: C:\WINDOWS\zufvotjmtonjsyf\eqakjoffbs
Deletes File: C:\WINDOWS\zufvotjmtonjsyf\eqakjoffbs
Creates Process: C:\zufvotjmtonjsyf\dkvcohawso.exe
Creates Service: Machine Visual Scheduler DLL Services - C:\zufvotjmtonjsyf\dkvcohawso.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1860

Process
↳ Pid 1140

Process
↳ C:\zufvotjmtonjsyf\dkvcohawso.exe

Creates File: C:\zufvotjmtonjsyf\ebjvy5edshlu
Creates File: C:\zufvotjmtonjsyf\nloryom.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\zufvotjmtonjsyf\jeovoh
Creates File: C:\zufvotjmtonjsyf\eqakjoffbs
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\zufvotjmtonjsyf\eqakjoffbs
Deletes File: C:\WINDOWS\zufvotjmtonjsyf\eqakjoffbs
Creates Process: aewnyvkowjvq "c:\zufvotjmtonjsyf\dkvcohawso.exe"

Process
↳ C:\zufvotjmtonjsyf\dkvcohawso.exe

Creates File: C:\zufvotjmtonjsyf\eqakjoffbs
Creates File: C:\WINDOWS\zufvotjmtonjsyf\eqakjoffbs
Deletes File: C:\WINDOWS\zufvotjmtonjsyf\eqakjoffbs

Process
↳ aewnyvkowjvq "c:\zufvotjmtonjsyf\dkvcohawso.exe"

Creates File: C:\zufvotjmtonjsyf\eqakjoffbs
Creates File: C:\WINDOWS\zufvotjmtonjsyf\eqakjoffbs
Deletes File: C:\WINDOWS\zufvotjmtonjsyf\eqakjoffbs

Network Details:

DNS: chiefneedle.net  Type: A  ➝ 72.52.4.90
DNS: aloneneedle.net  Type: A  ➝ 208.100.26.234
DNS: middlenature.net  Type: A  ➝ 98.139.135.129
DNS: strangeenough.net  Type: A  ➝ 93.115.38.30
DNS: strangegovern.net  Type: A  ➝ 72.52.4.90
DNS: thinkfurther.net  Type: A  ➝ 207.148.248.143
DNS: thinkbecome.net  Type: A  ➝ 98.124.199.1
DNS: presentcompany.net  Type: A  ➝ 85.233.160.70
DNS: collegecover.net  Type: A  ➝ 93.115.38.30
DNS: collegecompany.net  Type: A  ➝ 208.91.197.27
DNS: alonefurther.net  Type: A  ➝ 72.52.4.90
DNS: thinkneedle.net  Type: A
DNS: presentneedle.net  Type: A
DNS: thinkenough.net  Type: A
DNS: presentenough.net  Type: A
DNS: thinkgovern.net  Type: A
DNS: presentgovern.net  Type: A
DNS: chiefnature.net  Type: A
DNS: collegenature.net  Type: A
DNS: collegeneedle.net  Type: A
DNS: chiefenough.net  Type: A
DNS: collegeenough.net  Type: A
DNS: chiefgovern.net  Type: A
DNS: collegegovern.net  Type: A
DNS: oftennature.net  Type: A
DNS: alonenature.net  Type: A
DNS: oftenneedle.net  Type: A
DNS: oftenenough.net  Type: A
DNS: aloneenough.net  Type: A
DNS: oftengovern.net  Type: A
DNS: alonegovern.net  Type: A
DNS: twelvenature.net  Type: A
DNS: middleneedle.net  Type: A
DNS: twelveneedle.net  Type: A
DNS: middleenough.net  Type: A
DNS: twelveenough.net  Type: A
DNS: middlegovern.net  Type: A
DNS: twelvegovern.net  Type: A
DNS: rathernature.net  Type: A
DNS: morningnature.net  Type: A
DNS: ratherneedle.net  Type: A
DNS: morningneedle.net  Type: A
DNS: ratherenough.net  Type: A
DNS: morningenough.net  Type: A
DNS: rathergovern.net  Type: A
DNS: morninggovern.net  Type: A
DNS: strangenature.net  Type: A
DNS: historynature.net  Type: A
DNS: strangeneedle.net  Type: A
DNS: historyneedle.net  Type: A
DNS: historyenough.net  Type: A
DNS: historygovern.net  Type: A
DNS: amountnature.net  Type: A
DNS: weathernature.net  Type: A
DNS: amountneedle.net  Type: A
DNS: weatherneedle.net  Type: A
DNS: amountenough.net  Type: A
DNS: weatherenough.net  Type: A
DNS: amountgovern.net  Type: A
DNS: weathergovern.net  Type: A
DNS: thicknature.net  Type: A
DNS: classnature.net  Type: A
DNS: thickneedle.net  Type: A
DNS: classneedle.net  Type: A
DNS: thickenough.net  Type: A
DNS: classenough.net  Type: A
DNS: thickgovern.net  Type: A
DNS: classgovern.net  Type: A
DNS: presentfurther.net  Type: A
DNS: thinkcover.net  Type: A
DNS: presentcover.net  Type: A
DNS: presentbecome.net  Type: A
DNS: thinkcompany.net  Type: A
DNS: chieffurther.net  Type: A
DNS: collegefurther.net  Type: A
DNS: chiefcover.net  Type: A
DNS: chiefbecome.net  Type: A
DNS: collegebecome.net  Type: A
DNS: chiefcompany.net  Type: A
DNS: oftenfurther.net  Type: A
DNS: oftencover.net  Type: A
DNS: alonecover.net  Type: A
DNS: oftenbecome.net  Type: A
DNS: alonebecome.net  Type: A
DNS: oftencompany.net  Type: A
HTTP GET: http://chiefneedle.net/index.php?method&len  User-Agent:
HTTP GET: http://aloneneedle.net/index.php?method&len  User-Agent:
HTTP GET: http://middlenature.net/index.php?method&len  User-Agent:
HTTP GET: http://strangeenough.net/index.php?method&len  User-Agent:
HTTP GET: http://strangegovern.net/index.php?method&len  User-Agent:
HTTP GET: http://thinkfurther.net/index.php?method&len  User-Agent:
HTTP GET: http://thinkbecome.net/index.php?method&len  User-Agent:
HTTP GET: http://presentcompany.net/index.php?method&len  User-Agent:
HTTP GET: http://collegecover.net/index.php?method&len  User-Agent:
HTTP GET: http://collegecompany.net/index.php?method&len  User-Agent:
HTTP GET: http://alonefurther.net/index.php?method&len  User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1032 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1033 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1034 ➝ 93.115.38.30:80
Flows TCP: 192.168.1.1:1035 ➝ 72.52.4.90:80
Flows TCP: 192.168.1.1:1036 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1037 ➝ 98.124.199.1:80
Flows TCP: 192.168.1.1:1038 ➝ 85.233.160.70:80
Flows TCP: 192.168.1.1:1039 ➝ 93.115.38.30:80
Flows TCP: 192.168.1.1:1040 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1041 ➝ 72.52.4.90:80
