Analysis Date: 2015-11-19 14:01:13
MD5: c5a92f2ab5a8fe63178a75efa2d30e91
SHA1: 6312f6758e5ba30d4e286add3fd4e05620621093

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4d1047f690907dc1aa4368b985f0a879 sha1: 49a6ecf4d88d9ab3fba7a6b01889bdc26a22d634 size: 105984
Section .rdata: md5: 5887d1999db782109d95fa8984dfe20f sha1: dc69c6be46d2e0360790c98aecdcc8df400406bd size: 40448
Section .data: md5: e6229114f56e1306d51b1502efa1be95 sha1: 96327bc0ad0d0df0469dc2e22177816fa1371587 size: 36352
Section .rsrc: md5: 1118b18d80b477db8dd8b0b4fe8a034d sha1: 3338a77aad50d4978503fd063a8fc3991df8fc74 size: 114688
Timestamp: 2015-10-20 06:15:36
Packer: Microsoft Visual C++ ?.?
PEhash: ae3d003c5799c851bc16d71ab3c88dbd2e1be873
IMPhash: cb35d99b60ee323408304066fa5ae749
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: Gamarue-FDC!C5A92F2AB5A8
AV Avira (antivir): TR/Crypt.ZPACK.197005
AV Twister: no_virus
AV Ad-Aware: Trojan.GenericKDZ.30724
AV Alwil (avast): Androp [Drp]
AV Eset (nod32): Win32/Injector.BNHS
AV Grisoft (avg): Crypt_r.AFL
AV Symantec: no_virus
AV Fortinet: W32/Kryptik.EASA!tr
AV BitDefender: Trojan.GenericKDZ.30724
AV K7: Trojan ( 004aef8a1 )
AV Microsoft Security Essentials: VirTool:Win32/CeeInject.LJ
AV MicroWorld (escan): Trojan.GenericKDZ.30724
AV MalwareBytes: Ransom.CryptoWall
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Trojan.GenericKDZ.30724
AV Zillya!: no_virus
AV Kaspersky: Trojan-Ransom.Win32.Cryptodef.aamm
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): Backdoor.Androm
AV Padvish: no_virus
AV BullGuard: Trojan.GenericKDZ.30724
AV Arcabit (arcavir): Trojan.GenericKDZ.30724
AV ClamAV: Win.Trojan.Generickdz-2333
AV Dr. Web: Trojan.Inject1.43628
AV F-Secure: Trojan.GenericKDZ.30724

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\explorer.exe

Process
↳ C:\WINDOWS\explorer.exe

Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\6ff06165.exe
Creates File: C:\6ff06165\6ff06165.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\6ff06165.exe
Creates Process: -k netsvcs
Creates Process: vssadmin.exe Delete Shadows /All /Quiet

Process
↳ -k netsvcs

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: objetivografico.es
Winsock DNS: bono.by
Winsock DNS: divinemodels.ru
Winsock DNS: shugrmedia.com
Winsock DNS: positivefxstudio.co.uk
Winsock DNS: aye2zee.biz
Winsock DNS: dkforma.ru
Winsock DNS: software-select.nl
Winsock DNS: ifloresti.ro
Winsock DNS: curlmyip.com
Winsock DNS: pamperedpetsgroomingacademy.co.uk
Winsock DNS: xn--80auckeg1db2a.xn--p1ai
Winsock DNS: peegas.ru
Winsock DNS: z-en.ru
Winsock DNS: voteforbrendan.us
Winsock DNS: bestinyourtown.info
Winsock DNS: myexternalip.com
Winsock DNS: berattv.com.tr
Winsock DNS: bursauygulamaoteli.com
Winsock DNS: ip-addr.es
Winsock DNS: qrcp.us
Winsock DNS: athleticequine.org.nz
Winsock DNS: garlanddeli.com
Winsock DNS: newconsult.by
Winsock DNS: voteforbrendan.mobi
Winsock DNS: martinelacasse.ca
Winsock DNS: directtrailer.us
Winsock DNS: productprovider.nl
Winsock DNS: voteforbrendan.info
Winsock DNS: metroloto.ru
Winsock DNS: opportunitycup.com
Winsock DNS: rostbiznesa.ru
Winsock DNS: voteforbrendan.biz
Winsock DNS: capodimonte.ua
Winsock DNS: voteforbrendan.me
Winsock DNS: electrosim.ro

Process
↳ vssadmin.exe Delete Shadows /All /Quiet

Creates File: PIPE\lsarpc

Network Details:

DNS: ip-addr.es (A) ➝ 188.165.164.184
DNS: myexternalip.com (A) ➝ 78.47.139.102
DNS: curlmyip.com (A) ➝ 184.106.112.172
DNS: z-en.ru (A) ➝ 185.58.207.147
DNS: athleticequine.org.nz (A) ➝ 182.50.130.37
DNS: bursauygulamaoteli.com (A) ➝ 89.106.12.62
DNS: peegas.ru (A) ➝ 176.57.216.209
DNS: shugrmedia.com (A) ➝ 184.168.193.215
DNS: voteforbrendan.info (A) ➝ 67.23.254.89
DNS: dkforma.ru (A) ➝ 91.218.228.115
DNS: capodimonte.ua (A) ➝ 188.95.154.41
DNS: voteforbrendan.me (A) ➝ 67.23.254.89
DNS: qrcp.us (A) ➝ 64.74.223.34
DNS: electrosim.ro (A) ➝ 37.156.37.11
DNS: berattv.com.tr (A) ➝ 185.33.128.131
DNS: aye2zee.biz (A) ➝ 192.185.198.153
DNS: productprovider.nl (A) ➝ 37.153.204.79
DNS: metroloto.ru (A) ➝ 89.207.89.233
DNS: pamperedpetsgroomingacademy.co.uk (A) ➝ 192.254.187.55
DNS: divinemodels.ru (A) ➝ 5.9.23.71
DNS: ifloresti.ro (A) ➝ 176.126.201.10
DNS: bono.by (A) ➝ 91.149.157.185
DNS: objetivografico.es (A) ➝ 192.185.14.142
DNS: voteforbrendan.mobi (A) ➝ 67.23.254.89
DNS: martinelacasse.ca (A) ➝ 192.185.79.75
DNS: positivefxstudio.co.uk (A) ➝ 88.208.252.82
DNS: opportunitycup.com (A) ➝ 192.185.29.132
DNS: rostbiznesa.ru (A) ➝ 92.53.114.211
DNS: voteforbrendan.us (A) ➝ 67.23.254.89
DNS: voteforbrendan.biz (A) ➝ 67.23.254.89
DNS: garlanddeli.com (A) ➝ 192.185.48.207
DNS: software-select.nl (A) ➝ 37.128.147.21
DNS: directtrailer.us (A) ➝ 69.89.31.160
DNS: newconsult.by (A) ➝ 93.125.99.68
DNS: xn--80auckeg1db2a.xn--p1ai (A) ➝ 194.85.61.76
DNS: xn--80auckeg1db2a.xn--p1ai (A) ➝ 109.70.26.37
DNS: bestinyourtown.info (A)
HTTP GET: http://ip-addr.es/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://myexternalip.com/raw
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://curlmyip.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://z-en.ru/wp-content/plugins/wp-lightbox-2/107iNE.php?s=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://athleticequine.org.nz/wp-content/themes/poloraytheme/functions/HdIC_W.php?s=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://bursauygulamaoteli.com/wp-content/themes/welcome_inn-parent/framework/extensions/contactform/static/VNtDfl.php?f=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://peegas.ru/wp-content/themes/twentytwelve/6x_nV5.php?c=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://shugrmedia.com/wp-content/uploads/2015/09/9rjMyJ.php?m=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://voteforbrendan.info/wp-content/themes/genesis/t58Esq.php?c=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://dkforma.ru/wp-content/themes/dk/Sp6u0B.php?a=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://capodimonte.ua/wp-content/plugins/cherry-plugin/D3sOjY.php?e=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://voteforbrendan.me/wp-content/themes/twentyfourteen/pYE7yW.php?z=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://qrcp.us/wp-content/themes/twentyfifteen/Bamzho.php?b=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://electrosim.ro/wp-content/plugins/contact-form-7/CwR04H.php?e=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://capodimonte.ua/wp-content/plugins/cherry-plugin/PLlfEN.php?u=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://peegas.ru/wp-content/themes/twentytwelve/uQYbdq.php?v=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://berattv.com.tr/wp-content/plugins/newsletter/4dMplH.php?u=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://aye2zee.biz/wp-content/plugins/max-banner-ads-pro/5Yfhdr.php?g=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://productprovider.nl/wp-content/uploads/genesis-extender/plugin/images/HaryfG.php?c=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://metroloto.ru/wp-content/themes/Velluce/IzOSnD.php?g=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://pamperedpetsgroomingacademy.co.uk/wp-content/plugins/slideshow-jquery-image-gallery/7sinRu.php?l=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://divinemodels.ru/tmp/install_534f08d496bdb/tinymce/js/tinymce/plugins/bbcode/GAwCYO.php?s=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://ifloresti.ro/wp-content/plugins/navayan-subscribe/SYbJT9.php?h=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://bono.by/wp-content/plugins/akismet/O_xjRv.php?n=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://bono.by/wp-content/plugins/akismet/4BWtIF.php?j=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://objetivografico.es/wp-content/themes/book-store%20backup/BhRfIp.php?s=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://voteforbrendan.mobi/wp-content/plugins/contact-form-7/t1TrNk.php?r=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://martinelacasse.ca/wp-content/plugins/symple-shortcodes/EmATUG.php?s=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://positivefxstudio.co.uk/wp-content/themes/spacious/DiJv3L.php?d=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://opportunitycup.com/media/editors/tinymce/jscripts/tiny_mce/plugins/contextmenu/InyfWv.php?s=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://rostbiznesa.ru/wp-content/plugins/tw-recent-posts-widget/d30UGa.php?w=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://voteforbrendan.us/wp-content/plugins/wordpress-importer/NyUkLc.php?k=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://voteforbrendan.biz/wp-content/themes/twentyfifteen/pLXtNm.php?d=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://rostbiznesa.ru/wp-content/plugins/tw-recent-posts-widget/ILEKUM.php?q=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://garlanddeli.com/media/editors/tinymce/jscripts/tiny_mce/plugins/paste/GbWzVt.php?t=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://software-select.nl/wp-content/themes/genesis/qMfFUp.php?b=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://directtrailer.us/wp-content/plugins/advanced-excerpt/1VtP3W.php?x=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://newconsult.by/wp-content/plugins/all-in-one-seo-pack/JqT9Ls.php?o=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://xn--80auckeg1db2a.xn--p1ai/wp-content/plugins/shortcodes-ultimate/hntNzB.php?m=wnm63wtw70f0u
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1031 ➝ 188.165.164.184:80
Flows TCP: 192.168.1.1:1032 ➝ 78.47.139.102:80
Flows TCP: 192.168.1.1:1033 ➝ 184.106.112.172:80
Flows TCP: 192.168.1.1:1034 ➝ 185.58.207.147:80
Flows TCP: 192.168.1.1:1035 ➝ 182.50.130.37:80
Flows TCP: 192.168.1.1:1036 ➝ 89.106.12.62:80
Flows TCP: 192.168.1.1:1037 ➝ 176.57.216.209:80
Flows TCP: 192.168.1.1:1038 ➝ 184.168.193.215:80
Flows TCP: 192.168.1.1:1039 ➝ 67.23.254.89:80
Flows TCP: 192.168.1.1:1040 ➝ 91.218.228.115:80
Flows TCP: 192.168.1.1:1041 ➝ 188.95.154.41:80
Flows TCP: 192.168.1.1:1042 ➝ 67.23.254.89:80
Flows TCP: 192.168.1.1:1043 ➝ 64.74.223.34:80
Flows TCP: 192.168.1.1:1044 ➝ 37.156.37.11:80
Flows TCP: 192.168.1.1:1045 ➝ 188.95.154.41:80
Flows TCP: 192.168.1.1:1046 ➝ 176.57.216.209:80
Flows TCP: 192.168.1.1:1047 ➝ 185.33.128.131:80
Flows TCP: 192.168.1.1:1048 ➝ 192.185.198.153:80
Flows TCP: 192.168.1.1:1049 ➝ 37.153.204.79:80
Flows TCP: 192.168.1.1:1050 ➝ 89.207.89.233:80
Flows TCP: 192.168.1.1:1051 ➝ 192.254.187.55:80
Flows TCP: 192.168.1.1:1052 ➝ 5.9.23.71:80
Flows TCP: 192.168.1.1:1053 ➝ 176.126.201.10:80
Flows TCP: 192.168.1.1:1054 ➝ 91.149.157.185:80
Flows TCP: 192.168.1.1:1055 ➝ 91.149.157.185:80
Flows TCP: 192.168.1.1:1056 ➝ 192.185.14.142:80
Flows TCP: 192.168.1.1:1057 ➝ 67.23.254.89:80
Flows TCP: 192.168.1.1:1058 ➝ 192.185.79.75:80
Flows TCP: 192.168.1.1:1059 ➝ 88.208.252.82:80
Flows TCP: 192.168.1.1:1060 ➝ 192.185.29.132:80
Flows TCP: 192.168.1.1:1061 ➝ 92.53.114.211:80
Flows TCP: 192.168.1.1:1062 ➝ 67.23.254.89:80
Flows TCP: 192.168.1.1:1063 ➝ 67.23.254.89:80
Flows TCP: 192.168.1.1:1064 ➝ 92.53.114.211:80
Flows TCP: 192.168.1.1:1065 ➝ 192.185.48.207:80
Flows TCP: 192.168.1.1:1066 ➝ 37.128.147.21:80
Flows TCP: 192.168.1.1:1067 ➝ 69.89.31.160:80
Flows TCP: 192.168.1.1:1068 ➝ 93.125.99.68:80
Flows TCP: 192.168.1.1:1069 ➝ 194.85.61.76:80
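Triage notes. The runtime and network sections above carry four behaviours worth pulling out of a report like this one: a copy of the sample written into the per-user Startup folder (persistence), the injected explorer.exe spawning vssadmin.exe Delete Shadows /All /Quiet (shadow-copy destruction, which matches the Ransom.CryptoWall / Cryptodef verdicts), three GETs to public "what is my IP" services before any other traffic, and a run of POSTs to six-character random PHP filenames inside WordPress (wp-content/...) and Joomla (media/editors/tinymce/...) directories on unrelated third-party sites, every one carrying the same 13-character query token. The Python below is an added example written for this page; it is not part of the sandbox's tooling, the report, or any vendor signature. The sample lines are copied from the report (with a "Kind: value" separator, plus one constructed benign URL as a control); the category names, the regexes and the Vista-and-later Startup path are my assumptions.

```python
"""Pull persistence, shadow-copy deletion and relay-style C2 URLs out of
sandbox report lines. Added example for this page; the patterns below are
the author's own reading of this report, not a vendor signature."""
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the report above, in "Kind: value"
# form, plus one benign URL (example.invalid) that must NOT be flagged.
REPORT_LINES = [
    r"Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\6ff06165.exe",
    r"Creates File: C:\6ff06165\6ff06165.exe",
    "Creates Process: vssadmin.exe Delete Shadows /All /Quiet",
    "HTTP GET: http://myexternalip.com/raw",
    "HTTP POST: http://z-en.ru/wp-content/plugins/wp-lightbox-2/107iNE.php?s=wnm63wtw70f0u",
    "HTTP POST: http://garlanddeli.com/media/editors/tinymce/jscripts/tiny_mce/plugins/paste/GbWzVt.php?t=wnm63wtw70f0u",
    "HTTP GET: http://example.invalid/wp-content/themes/genesis/style.css",  # constructed control
    "Flows TCP: 192.168.1.1:1034 \u279d 185.58.207.147:80",
]

# Field label with optional ":" so both the fused and the separated report
# layouts parse; the value is everything after it.
LINE_RE = re.compile(
    r"^(?P<kind>Creates File|Creates Process|HTTP GET|HTTP POST|Flows TCP):?\s*(?P<value>.+)$"
)

# vssadmin shadow-copy deletion, independent of case and switch order, so a
# "/quiet /all" variant is still caught.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)

# Per-user Startup folder. The XP-era path is what the report shows; the
# Vista+ path is an assumption added for completeness.
STARTUP_DIRS = (
    "\\start menu\\programs\\startup\\",
    "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\",
)

# Relay URL shape common to every POST in the report: a CMS content directory,
# a six-character PHP filename, one-letter query key, 13-character token.
RELAY_PATH = re.compile(r"/(wp-content|media/editors|tmp)/.*/[A-Za-z0-9_]{6}\.php$")
RELAY_QUERY = re.compile(r"^[a-z]=[a-z0-9]{13}$")

# External-IP echo services queried before the POSTs.
IP_ECHO_HOSTS = {"ip-addr.es", "myexternalip.com", "curlmyip.com"}


def is_shadow_copy_deletion(cmdline: str) -> bool:
    return bool(SHADOW_DELETE.search(cmdline))


def is_startup_persistence(path: str) -> bool:
    lowered = path.lower()
    return any(d in lowered for d in STARTUP_DIRS)


def classify_url(url: str) -> str:
    """Return 'ip_echo', 'relay_post' or 'other' for one HTTP URL."""
    parts = urlsplit(url)
    if parts.hostname in IP_ECHO_HOSTS:
        return "ip_echo"
    if RELAY_PATH.search(parts.path) and RELAY_QUERY.match(parts.query):
        return "relay_post"
    return "other"


def triage(lines):
    """Return (findings, iocs): findings is a list of (category, value),
    iocs holds the domains, destination IPs, URLs and dropped files."""
    findings = []
    iocs = {"domains": set(), "ips": set(), "urls": set(), "files": set()}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, value = m.group("kind"), m.group("value")
        if kind == "Creates Process" and is_shadow_copy_deletion(value):
            findings.append(("shadow_copy_deletion", value))
        elif kind == "Creates File":
            iocs["files"].add(value)
            if is_startup_persistence(value):
                findings.append(("startup_persistence", value))
        elif kind.startswith("HTTP"):
            category = classify_url(value)
            if category != "other":  # benign-looking GETs stay out of the IOC set
                findings.append((category, value))
                iocs["domains"].add(urlsplit(value).hostname)
                iocs["urls"].add(value)
        elif kind == "Flows TCP":
            dst = value.split("\u279d")[-1].strip()  # "ip:port" after the arrow
            iocs["ips"].add(dst.rsplit(":", 1)[0])
    return findings, iocs


if __name__ == "__main__":
    found, indicators = triage(REPORT_LINES)
    for category, value in found:
        print(f"{category:22} {value}")
    print("domains:", sorted(indicators["domains"]), "ips:", sorted(indicators["ips"]))
```

The relay regex is deliberately narrow (CMS directory, six-character name, one-letter key, 13-character token) so that ordinary theme and plugin assets such as style.css do not match; loosening it to any .php under wp-content would flag legitimate traffic on almost every WordPress site.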
