Analysis Date: 2015-09-16 00:52:22
MD5: efeed9ef959d400dfd24313dfcc16485
SHA1: 66bf781854bbed2746626d0d5ad4606d49b97503

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: cd0f3fef13d9aba6e567ec3e47fa8d51  sha1: 3dc13a93e894cde3e20b5b404bbefb4f47c60185  size: 161792
Section .rdata  md5: 89bb4804935d251b18be9eb240c23e8f  sha1: 6afa60733d058d423bba46ff1b5b53a9bb769b22  size: 39936
Section .data   md5: 42cf31a265bf98a98b309a11cc9c9905  sha1: d22af5750808e38e923260f6bf795126dfe30a5f  size: 6656
Timestamp: 2015-03-13 09:26:59
Packer: Microsoft Visual C++ ?.?
PEhash: 3af71c27974941bee0e46a64ed66aa46a5881a83
IMPhash: ccc7d251a1753d70645f00658a13711b
AV Avira (antivir): TR/Crypt.ZPACK.145629
AV BullGuard: Gen:Variant.Rodecap.1
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Frisk (f-prot): no_virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV CA (E-Trust Ino): no_virus
AV MalwareBytes: Trojan.Agent
AV Kaspersky: Trojan.Win32.Generic
AV CAT (quickheal): Trojan.Scar.r3
AV Grisoft (avg): Win32/Cryptor
AV Padvish: no_virus
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV Rising: no_virus
AV VirusBlokAda (vba32): no_virus
AV Symantec: Downloader.Upatre!g15
AV Emsisoft: Gen:Variant.Rodecap.1
AV Fortinet: W32/Rodecap.BJ!tr
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AV
AV Zillya!: no_virus
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Eset (nod32): Win32/Rodecap.BJ
AV Trend Micro: TROJ_GE.30E50BA3
AV K7: Trojan ( 004bdb0b1 )
AV F-Secure: Gen:Variant.Rodecap.1
AV BitDefender: Gen:Variant.Rodecap.1
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV Twister: no_virus
AV Mcafee: Trojan-FEVX!EFEED9EF959D
AV Dr. Web: no_virus
AV ClamAV: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\vebvjspd\gi7hz4d3
Creates File: C:\vebvjspd\rwal1kahdxxsc0grwv.exe
Creates File: C:\WINDOWS\vebvjspd\gi7hz4d3
Deletes File: C:\WINDOWS\vebvjspd\gi7hz4d3
Creates Process: C:\vebvjspd\rwal1kahdxxsc0grwv.exe

Process
↳ C:\vebvjspd\rwal1kahdxxsc0grwv.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Diagnostic Intelligent Counter ➝ C:\vebvjspd\uitjgdwonjn.exe
Creates File: C:\vebvjspd\gi7hz4d3
Creates File: C:\vebvjspd\o3ksqdzxrfww
Creates File: C:\WINDOWS\vebvjspd\gi7hz4d3
Creates File: C:\vebvjspd\uitjgdwonjn.exe
Deletes File: C:\WINDOWS\vebvjspd\gi7hz4d3
Creates Process: C:\vebvjspd\uitjgdwonjn.exe
Creates Service: KtmRm Receiver Connectivity COM - C:\vebvjspd\uitjgdwonjn.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1848

Process
↳ Pid 1152

Process
↳ C:\vebvjspd\uitjgdwonjn.exe

Creates File: C:\vebvjspd\gi7hz4d3
Creates File: pipe\net\NtControlPipe10
Creates File: C:\vebvjspd\o3ksqdzxrfww
Creates File: C:\vebvjspd\yqsg5x
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\vebvjspd\gi7hz4d3
Creates File: C:\vebvjspd\ipbrywwsgog.exe
Deletes File: C:\WINDOWS\vebvjspd\gi7hz4d3
Creates Process: mxhl1kygyovh "c:\vebvjspd\uitjgdwonjn.exe"

Process
↳ C:\vebvjspd\uitjgdwonjn.exe

Creates File: C:\vebvjspd\gi7hz4d3
Creates File: C:\WINDOWS\vebvjspd\gi7hz4d3
Deletes File: C:\WINDOWS\vebvjspd\gi7hz4d3

Process
↳ mxhl1kygyovh "c:\vebvjspd\uitjgdwonjn.exe"

Creates File: C:\vebvjspd\gi7hz4d3
Creates File: C:\WINDOWS\vebvjspd\gi7hz4d3
Deletes File: C:\WINDOWS\vebvjspd\gi7hz4d3

Network Details:

DNS: freshservice.net  Type: A  104.28.13.142
DNS: freshservice.net  Type: A  104.28.12.142
DNS: beginservice.net  Type: A  195.22.26.253
DNS: beginservice.net  Type: A  195.22.26.254
DNS: beginservice.net  Type: A  195.22.26.231
DNS: beginservice.net  Type: A  195.22.26.252
DNS: knownservice.net  Type: A  108.160.154.105
DNS: beginriver.net  Type: A  95.211.230.75
DNS: crowdservice.net  Type: A  166.78.103.6
DNS: watermister.net  Type: A  192.185.5.125
DNS: waterservice.net  Type: A  207.148.248.143
DNS: womanservice.net  Type: A  31.31.204.59
DNS: partyservice.net  Type: A  176.28.54.20
DNS: freshshare.net  Type: A  216.239.34.21
DNS: freshshare.net  Type: A  216.239.36.21
DNS: freshshare.net  Type: A  216.239.38.21
DNS: freshshare.net  Type: A  184.168.221.32
DNS: freshshare.net  Type: A  216.239.32.21
DNS: experienceshare.net  Type: A  50.63.202.60
DNS: freshmister.net  Type: A
DNS: experiencemister.net  Type: A
DNS: freshsuppose.net  Type: A
DNS: experiencesuppose.net  Type: A
DNS: experienceservice.net  Type: A
DNS: freshriver.net  Type: A
DNS: experienceriver.net  Type: A
DNS: gentlemanmister.net  Type: A
DNS: alreadymister.net  Type: A
DNS: gentlemansuppose.net  Type: A
DNS: alreadysuppose.net  Type: A
DNS: gentlemanservice.net  Type: A
DNS: alreadyservice.net  Type: A
DNS: gentlemanriver.net  Type: A
DNS: alreadyriver.net  Type: A
DNS: followmister.net  Type: A
DNS: membermister.net  Type: A
DNS: followsuppose.net  Type: A
DNS: membersuppose.net  Type: A
DNS: followservice.net  Type: A
DNS: memberservice.net  Type: A
DNS: followriver.net  Type: A
DNS: memberriver.net  Type: A
DNS: beginmister.net  Type: A
DNS: knownmister.net  Type: A
DNS: beginsuppose.net  Type: A
DNS: knownsuppose.net  Type: A
DNS: knownriver.net  Type: A
DNS: summermister.net  Type: A
DNS: crowdmister.net  Type: A
DNS: summersuppose.net  Type: A
DNS: crowdsuppose.net  Type: A
DNS: summerservice.net  Type: A
DNS: summerriver.net  Type: A
DNS: crowdriver.net  Type: A
DNS: thoughtmister.net  Type: A
DNS: thoughtsuppose.net  Type: A
DNS: watersuppose.net  Type: A
DNS: thoughtservice.net  Type: A
DNS: thoughtriver.net  Type: A
DNS: waterriver.net  Type: A
DNS: womanmister.net  Type: A
DNS: smokemister.net  Type: A
DNS: womansuppose.net  Type: A
DNS: smokesuppose.net  Type: A
DNS: smokeservice.net  Type: A
DNS: womanriver.net  Type: A
DNS: smokeriver.net  Type: A
DNS: partymister.net  Type: A
DNS: fightmister.net  Type: A
DNS: partysuppose.net  Type: A
DNS: fightsuppose.net  Type: A
DNS: fightservice.net  Type: A
DNS: partyriver.net  Type: A
DNS: fightriver.net  Type: A
DNS: freshnearly.net  Type: A
DNS: experiencenearly.net  Type: A
DNS: freshhappen.net  Type: A
DNS: experiencehappen.net  Type: A
DNS: freshshake.net  Type: A
DNS: experienceshake.net  Type: A
DNS: gentlemannearly.net  Type: A
DNS: alreadynearly.net  Type: A
DNS: gentlemanhappen.net  Type: A
DNS: alreadyhappen.net  Type: A
DNS: gentlemanshake.net  Type: A
DNS: alreadyshake.net  Type: A
DNS: gentlemanshare.net  Type: A
DNS: alreadyshare.net  Type: A
DNS: follownearly.net  Type: A
DNS: membernearly.net  Type: A
DNS: followhappen.net  Type: A
DNS: memberhappen.net  Type: A
DNS: followshake.net  Type: A
HTTP GET: http://freshservice.net/index.php?method&len  User-Agent: (empty)
HTTP GET: http://beginservice.net/index.php?method&len  User-Agent: (empty)
HTTP GET: http://knownservice.net/index.php?method&len  User-Agent: (empty)
HTTP GET: http://beginriver.net/index.php?method&len  User-Agent: (empty)
HTTP GET: http://crowdservice.net/index.php?method&len  User-Agent: (empty)
HTTP GET: http://watermister.net/index.php?method&len  User-Agent: (empty)
HTTP GET: http://waterservice.net/index.php?method&len  User-Agent: (empty)
HTTP GET: http://womanservice.net/index.php?method&len  User-Agent: (empty)
HTTP GET: http://partyservice.net/index.php?method&len  User-Agent: (empty)
HTTP GET: http://freshshare.net/index.php?method&len  User-Agent: (empty)
HTTP GET: http://experienceshare.net/index.php?method&len  User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 104.28.13.142:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.26.253:80
Flows TCP: 192.168.1.1:1033 ➝ 108.160.154.105:80
Flows TCP: 192.168.1.1:1034 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1035 ➝ 166.78.103.6:80
Flows TCP: 192.168.1.1:1036 ➝ 192.185.5.125:80
Flows TCP: 192.168.1.1:1037 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1038 ➝ 31.31.204.59:80
Flows TCP: 192.168.1.1:1039 ➝ 176.28.54.20:80
Flows TCP: 192.168.1.1:1040 ➝ 216.239.34.21:80
Flows TCP: 192.168.1.1:1041 ➝ 50.63.202.60:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206672 65736873   se..Host: freshs
0x00000050 (00080)   65727669 63652e6e 65740d0a 0d0a       ervice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206265 67696e73   se..Host: begins
0x00000050 (00080)   65727669 63652e6e 65740d0a 0d0a       ervice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206b6e 6f776e73   se..Host: knowns
0x00000050 (00080)   65727669 63652e6e 65740d0a 0d0a       ervice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206265 67696e72   se..Host: beginr
0x00000050 (00080)   69766572 2e6e6574 0d0a0d0a 0d0a       iver.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206372 6f776473   se..Host: crowds
0x00000050 (00080)   65727669 63652e6e 65740d0a 0d0a       ervice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207761 7465726d   se..Host: waterm
0x00000050 (00080)   69737465 722e6e65 740d0a0d 0a0a       ister.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207761 74657273   se..Host: waters
0x00000050 (00080)   65727669 63652e6e 65740d0a 0d0a       ervice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a20776f 6d616e73   se..Host: womans
0x00000050 (00080)   65727669 63652e6e 65740d0a 0d0a       ervice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207061 72747973   se..Host: partys
0x00000050 (00080)   65727669 63652e6e 65740d0a 0d0a       ervice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206672 65736873   se..Host: freshs
0x00000050 (00080)   68617265 2e6e6574 0d0a0d0a 0d0a       hare.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206578 70657269   se..Host: experi
0x00000050 (00080)   656e6365 73686172 652e6e65 740d0a0d   enceshare.net...
0x00000060 (00096)   0a                                    .


Strings