Analysis Date: 2015-09-15 23:46:53
MD5: 2a133ae6285d65fd27cf8ec577306305
SHA1: 6e41bc6af0caf639def4c89dc8819eac14958691

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 1e0460911d061dda4a7a2122e0bb7459 sha1: 7109a3aa0ca3f8fd30e7ae255ea1a87a516176e2 size: 163328
Section .rdata md5: a165b98a61aa98ef41695545e8d0b471 sha1: 414234e97b70c4d1dfcca09873b64905dc3d8312 size: 38400
Section .data md5: 178439584cf7ffd5da766956b0279c8a sha1: 6846bc95546878e4c08e40ef7a26f03a30254d78 size: 7168
Timestamp: 2015-03-13 09:39:28
Packer: Microsoft Visual C++ ?.?
PEhash: 2b415e3bc27c914a0b982c974f5ad2d521fbb4aa
IMPhash: 3887d01cee45353be2bdd113cdc80604
AV Rising: no_virus
AV Mcafee: Trojan-FEVX!2A133AE6285D
AV Avira (antivir): TR/AD.Rodecap.Y.6
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Rodecap.BJ
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Rodecap.BJ!tr
AV BitDefender: Gen:Variant.Rodecap.1
AV K7: Trojan ( 004bda2e1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AV
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV MalwareBytes: Trojan.Agent
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Emsisoft: Gen:Variant.Rodecap.1
AV Zillya!: Trojan.Rodecap.Win32.1946
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Rodecap.1
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader13.12031
AV F-Secure: Gen:Variant.Rodecap.1
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\snedjnh\psay55luld
Creates File: C:\WINDOWS\snedjnh\psay55luld
Creates File: C:\snedjnh\j1x1k02tnqeqfgzyo.exe
Deletes File: C:\WINDOWS\snedjnh\psay55luld
Creates Process: C:\snedjnh\j1x1k02tnqeqfgzyo.exe

Process
↳ C:\snedjnh\j1x1k02tnqeqfgzyo.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\PC Center Experience Function Remote Bus ➝ C:\snedjnh\jeipncjxwkvr.exe
Creates File: C:\snedjnh\ya4ebr
Creates File: C:\snedjnh\psay55luld
Creates File: C:\WINDOWS\snedjnh\psay55luld
Creates File: C:\snedjnh\jeipncjxwkvr.exe
Deletes File: C:\WINDOWS\snedjnh\psay55luld
Creates Process: C:\snedjnh\jeipncjxwkvr.exe
Creates Service: WinHTTP Cache Routing Play - C:\snedjnh\jeipncjxwkvr.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1860

Process
↳ Pid 1056

Process
↳ C:\snedjnh\jeipncjxwkvr.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\snedjnh\ya4ebr
Creates File: C:\snedjnh\psay55luld
Creates File: C:\snedjnh\cynbzdizck4i
Creates File: C:\WINDOWS\snedjnh\psay55luld
Creates File: \Device\Afd\Endpoint
Creates File: C:\snedjnh\regntbtvzvjn.exe
Deletes File: C:\WINDOWS\snedjnh\psay55luld
Creates Process: tusmucqoajpj "c:\snedjnh\jeipncjxwkvr.exe"

Process
↳ C:\snedjnh\jeipncjxwkvr.exe

Creates File: C:\snedjnh\psay55luld
Creates File: C:\WINDOWS\snedjnh\psay55luld
Deletes File: C:\WINDOWS\snedjnh\psay55luld

Process
↳ tusmucqoajpj "c:\snedjnh\jeipncjxwkvr.exe"

Creates File: C:\snedjnh\psay55luld
Creates File: C:\WINDOWS\snedjnh\psay55luld
Deletes File: C:\WINDOWS\snedjnh\psay55luld

Network Details:

DNS: freshservice.net (A) ➝ 104.28.13.142
DNS: freshservice.net (A) ➝ 104.28.12.142
DNS: beginservice.net (A) ➝ 195.22.26.252
DNS: beginservice.net (A) ➝ 195.22.26.253
DNS: beginservice.net (A) ➝ 195.22.26.254
DNS: beginservice.net (A) ➝ 195.22.26.231
DNS: knownservice.net (A) ➝ 108.160.154.105
DNS: beginriver.net (A) ➝ 95.211.230.75
DNS: crowdservice.net (A) ➝ 166.78.103.6
DNS: watermister.net (A) ➝ 192.185.5.125
DNS: waterservice.net (A) ➝ 207.148.248.143
DNS: womanservice.net (A) ➝ 31.31.204.59
DNS: partyservice.net (A) ➝ 176.28.54.20
DNS: freshshare.net (A) ➝ 216.239.32.21
DNS: freshshare.net (A) ➝ 184.168.221.32
DNS: freshshare.net (A) ➝ 216.239.38.21
DNS: freshshare.net (A) ➝ 216.239.36.21
DNS: freshshare.net (A) ➝ 216.239.34.21
DNS: experienceshare.net (A) ➝ 50.63.202.60
DNS: experiencemister.net (A) ➝ (no answer recorded)
DNS: freshsuppose.net (A) ➝ (no answer recorded)
DNS: experiencesuppose.net (A) ➝ (no answer recorded)
DNS: experienceservice.net (A) ➝ (no answer recorded)
DNS: freshriver.net (A) ➝ (no answer recorded)
DNS: experienceriver.net (A) ➝ (no answer recorded)
DNS: gentlemanmister.net (A) ➝ (no answer recorded)
DNS: alreadymister.net (A) ➝ (no answer recorded)
DNS: gentlemansuppose.net (A) ➝ (no answer recorded)
DNS: alreadysuppose.net (A) ➝ (no answer recorded)
DNS: gentlemanservice.net (A) ➝ (no answer recorded)
DNS: alreadyservice.net (A) ➝ (no answer recorded)
DNS: gentlemanriver.net (A) ➝ (no answer recorded)
DNS: alreadyriver.net (A) ➝ (no answer recorded)
DNS: followmister.net (A) ➝ (no answer recorded)
DNS: membermister.net (A) ➝ (no answer recorded)
DNS: followsuppose.net (A) ➝ (no answer recorded)
DNS: membersuppose.net (A) ➝ (no answer recorded)
DNS: followservice.net (A) ➝ (no answer recorded)
DNS: memberservice.net (A) ➝ (no answer recorded)
DNS: followriver.net (A) ➝ (no answer recorded)
DNS: memberriver.net (A) ➝ (no answer recorded)
DNS: beginmister.net (A) ➝ (no answer recorded)
DNS: knownmister.net (A) ➝ (no answer recorded)
DNS: beginsuppose.net (A) ➝ (no answer recorded)
DNS: knownsuppose.net (A) ➝ (no answer recorded)
DNS: knownriver.net (A) ➝ (no answer recorded)
DNS: summermister.net (A) ➝ (no answer recorded)
DNS: crowdmister.net (A) ➝ (no answer recorded)
DNS: summersuppose.net (A) ➝ (no answer recorded)
DNS: crowdsuppose.net (A) ➝ (no answer recorded)
DNS: summerservice.net (A) ➝ (no answer recorded)
DNS: summerriver.net (A) ➝ (no answer recorded)
DNS: crowdriver.net (A) ➝ (no answer recorded)
DNS: thoughtmister.net (A) ➝ (no answer recorded)
DNS: thoughtsuppose.net (A) ➝ (no answer recorded)
DNS: watersuppose.net (A) ➝ (no answer recorded)
DNS: thoughtservice.net (A) ➝ (no answer recorded)
DNS: thoughtriver.net (A) ➝ (no answer recorded)
DNS: waterriver.net (A) ➝ (no answer recorded)
DNS: womanmister.net (A) ➝ (no answer recorded)
DNS: smokemister.net (A) ➝ (no answer recorded)
DNS: womansuppose.net (A) ➝ (no answer recorded)
DNS: smokesuppose.net (A) ➝ (no answer recorded)
DNS: smokeservice.net (A) ➝ (no answer recorded)
DNS: womanriver.net (A) ➝ (no answer recorded)
DNS: smokeriver.net (A) ➝ (no answer recorded)
DNS: partymister.net (A) ➝ (no answer recorded)
DNS: fightmister.net (A) ➝ (no answer recorded)
DNS: partysuppose.net (A) ➝ (no answer recorded)
DNS: fightsuppose.net (A) ➝ (no answer recorded)
DNS: fightservice.net (A) ➝ (no answer recorded)
DNS: partyriver.net (A) ➝ (no answer recorded)
DNS: fightriver.net (A) ➝ (no answer recorded)
DNS: freshnearly.net (A) ➝ (no answer recorded)
DNS: experiencenearly.net (A) ➝ (no answer recorded)
DNS: freshhappen.net (A) ➝ (no answer recorded)
DNS: experiencehappen.net (A) ➝ (no answer recorded)
DNS: freshshake.net (A) ➝ (no answer recorded)
DNS: experienceshake.net (A) ➝ (no answer recorded)
DNS: gentlemannearly.net (A) ➝ (no answer recorded)
DNS: alreadynearly.net (A) ➝ (no answer recorded)
DNS: gentlemanhappen.net (A) ➝ (no answer recorded)
DNS: alreadyhappen.net (A) ➝ (no answer recorded)
DNS: gentlemanshake.net (A) ➝ (no answer recorded)
DNS: alreadyshake.net (A) ➝ (no answer recorded)
DNS: gentlemanshare.net (A) ➝ (no answer recorded)
DNS: alreadyshare.net (A) ➝ (no answer recorded)
DNS: follownearly.net (A) ➝ (no answer recorded)
DNS: membernearly.net (A) ➝ (no answer recorded)
DNS: followhappen.net (A) ➝ (no answer recorded)
DNS: memberhappen.net (A) ➝ (no answer recorded)
DNS: followshake.net (A) ➝ (no answer recorded)
DNS: membershake.net (A) ➝ (no answer recorded)
HTTP GET: http://freshservice.net/index.php?method&len (User-Agent: none)
HTTP GET: http://beginservice.net/index.php?method&len (User-Agent: none)
HTTP GET: http://knownservice.net/index.php?method&len (User-Agent: none)
HTTP GET: http://beginriver.net/index.php?method&len (User-Agent: none)
HTTP GET: http://crowdservice.net/index.php?method&len (User-Agent: none)
HTTP GET: http://watermister.net/index.php?method&len (User-Agent: none)
HTTP GET: http://waterservice.net/index.php?method&len (User-Agent: none)
HTTP GET: http://womanservice.net/index.php?method&len (User-Agent: none)
HTTP GET: http://partyservice.net/index.php?method&len (User-Agent: none)
HTTP GET: http://freshshare.net/index.php?method&len (User-Agent: none)
HTTP GET: http://experienceshare.net/index.php?method&len (User-Agent: none)
Flows TCP: 192.168.1.1:1031 ➝ 104.28.13.142:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.26.252:80
Flows TCP: 192.168.1.1:1033 ➝ 108.160.154.105:80
Flows TCP: 192.168.1.1:1034 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1035 ➝ 166.78.103.6:80
Flows TCP: 192.168.1.1:1036 ➝ 192.185.5.125:80
Flows TCP: 192.168.1.1:1037 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1038 ➝ 31.31.204.59:80
Flows TCP: 192.168.1.1:1039 ➝ 176.28.54.20:80
Flows TCP: 192.168.1.1:1040 ➝ 216.239.32.21:80
Flows TCP: 192.168.1.1:1041 ➝ 50.63.202.60:80
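
Every name queried above has the same shape: one word from a small first list followed by one word from a small second list, on .net, and most of the later queries got no answer. The script below is an added example, not part of the sandbox report. It takes the two word lists as they appear in the queries above, expands every pairing (which also covers pairings this run did not query, an extrapolation from the observed lists rather than anything the report confirms), and counts matching queries per client over a constructed DNS log so that a burst of such names, largely NXDOMAIN, stands out.

```python
"""Flag DNS clients that query many 'word+word.net' names built from the
two word lists seen in this report's DNS section.

Added example, not part of the sandbox report.  FIRST_WORDS and
SECOND_WORDS are read off the names queried above; treating every
pairing as a candidate is an extrapolation, so a hit on a name the report
does not list is a lead, not a confirmed indicator.  SAMPLE_LOG is
constructed for the demonstration.
"""
import itertools
from collections import defaultdict

FIRST_WORDS = frozenset({
    "fresh", "begin", "known", "crowd", "water", "woman", "party",
    "experience", "gentleman", "already", "follow", "member", "summer",
    "thought", "smoke", "fight",
})
SECOND_WORDS = frozenset({
    "service", "river", "mister", "share", "suppose", "nearly", "happen",
    "shake",
})
TLD = ".net"

# Every pairing: 16 x 8 = 128 names.  The report queries a subset of them.
CANDIDATES = frozenset(
    a + b + TLD for a, b in itertools.product(FIRST_WORDS, SECOND_WORDS)
)


def split_words(qname):
    """Return (first, second) if qname is first+second+'.net' with both
    words drawn from the observed lists, else None.  Subdomains and other
    TLDs are rejected so 'www.freshservice.net' or 'freshservice.com'
    do not match."""
    name = qname.lower().rstrip(".")
    if not name.endswith(TLD) or name.count(".") != 1:
        return None
    label = name[: -len(TLD)]
    for first in FIRST_WORDS:
        rest = label[len(first):]
        if label.startswith(first) and rest in SECOND_WORDS:
            return first, rest
    return None


# Constructed sample log: "timestamp client qname qtype rcode" per line,
# rcode being what the resolver answered (NOERROR / NXDOMAIN).
SAMPLE_LOG = """\
2015-09-15T23:47:01 192.168.1.1 freshservice.net A NOERROR
2015-09-15T23:47:01 192.168.1.1 www.microsoft.com A NOERROR
2015-09-15T23:47:02 192.168.1.1 experiencemister.net A NXDOMAIN
2015-09-15T23:47:02 192.168.1.1 membernearly.net A NXDOMAIN
2015-09-15T23:47:03 192.168.1.1 summershake.net A NXDOMAIN
2015-09-15T23:47:03 10.0.0.7 freshservice.com A NOERROR
2015-09-15T23:47:04 10.0.0.7 partyservice.net A NOERROR
"""


def scan_dns_log(text, threshold=3):
    """Group matching queries per client and return the clients with at
    least `threshold` of them as {client: [(qname, rcode), ...]}.  One
    matching name is weak evidence on its own; a run of them is the
    pattern this report shows."""
    per_client = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _ts, client, qname, _qtype, rcode = fields
        if split_words(qname):
            per_client[client].append((qname.lower(), rcode))
    return {c: hits for c, hits in per_client.items() if len(hits) >= threshold}


def nxdomain_ratio(hits):
    """Share of the flagged queries that failed to resolve."""
    return sum(1 for _, rcode in hits if rcode == "NXDOMAIN") / len(hits)


if __name__ == "__main__":
    for client, hits in scan_dns_log(SAMPLE_LOG).items():
        print(client, len(hits), "hits,", f"{nxdomain_ratio(hits):.0%} NXDOMAIN")
        for qname, rcode in hits:
            print("   ", qname, rcode, split_words(qname))
```

The threshold and the NXDOMAIN share are the two knobs worth tuning: on the sandbox host above the first dozen names resolved and the rest did not, so a client that matches only once against a resolving name is far less interesting than one that runs through many non-resolving ones in a few seconds.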

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206672 65736873   se..Host: freshs
0x00000050 (00080)   65727669 63652e6e 65740d0a 0d0a       ervice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206265 67696e73   se..Host: begins
0x00000050 (00080)   65727669 63652e6e 65740d0a 0d0a       ervice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206b6e 6f776e73   se..Host: knowns
0x00000050 (00080)   65727669 63652e6e 65740d0a 0d0a       ervice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206265 67696e72   se..Host: beginr
0x00000050 (00080)   69766572 2e6e6574 0d0a0d0a 0d0a       iver.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206372 6f776473   se..Host: crowds
0x00000050 (00080)   65727669 63652e6e 65740d0a 0d0a       ervice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207761 7465726d   se..Host: waterm
0x00000050 (00080)   69737465 722e6e65 740d0a0d 0a0a       ister.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207761 74657273   se..Host: waters
0x00000050 (00080)   65727669 63652e6e 65740d0a 0d0a       ervice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a20776f 6d616e73   se..Host: womans
0x00000050 (00080)   65727669 63652e6e 65740d0a 0d0a       ervice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207061 72747973   se..Host: partys
0x00000050 (00080)   65727669 63652e6e 65740d0a 0d0a       ervice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206672 65736873   se..Host: freshs
0x00000050 (00080)   68617265 2e6e6574 0d0a0d0a 0d0a       hare.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206578 70657269   se..Host: experi
0x00000050 (00080)   656e6365 73686172 652e6e65 740d0a0d   enceshare.net...
0x00000060 (00096)   0a                                    .
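
Each dump above is the same request sent to a different Host: `GET /index.php?method&len HTTP/1.0`, `Accept: */*`, `Connection: close`, a `Host` header, and no `User-Agent` at all. The script below is an added example, not part of the sandbox report. It rebuilds the first dump block (copied from this section) into bytes, parses the request, and tests for exactly those traits. The trait list in `is_beacon()` is derived from the captured request and is an assumption about what is worth alerting on, not a published signature; `BENIGN_REQUEST` is constructed for contrast.

```python
"""Rebuild an HTTP request from a hexdump block and test it for the
check-in shape seen in this report.

Added example, not part of the sandbox report.  SAMPLE_DUMP is the first
"Raw Pcap" block copied from the report; BENIGN_REQUEST is constructed
for contrast; the trait list in is_beacon() is derived from the captured
request and is an assumption, not a published signature.
"""
import re
from urllib.parse import parse_qsl, urlsplit

SAMPLE_DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206672 65736873   se..Host: freshs
0x00000050 (00080)   65727669 63652e6e 65740d0a 0d0a       ervice.net....
"""

# Constructed: a browser-style fetch of the same path, for contrast.
BENIGN_REQUEST = (
    b"GET /index.php?method=1&len=2 HTTP/1.1\r\n"
    b"Host: example.net\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)


def hexdump_to_bytes(dump):
    """Rebuild the payload from lines shaped like
    '0xOFFSET (DECIMAL)   HEX HEX HEX HEX   ASCII'.
    The three columns are separated by runs of two or more spaces, so the
    hex column is always the second field.  The ASCII column is ignored
    because it is lossy ('.' stands for any non-printable byte)."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.startswith("0x"):
            continue
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 2:
            continue
        out += bytes.fromhex(fields[1].replace(" ", ""))
    return bytes(out)


def parse_http_request(raw):
    """Split a raw request into request line, headers and query pairs.
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {
        "method": method,
        "path": url.path,
        # keep_blank_values keeps 'method' and 'len' although they carry no '='
        "query": parse_qsl(url.query, keep_blank_values=True),
        "version": version,
        "headers": headers,
        "host": headers.get("host"),
        "body": body,
    }


def is_beacon(req):
    """True when every trait of the captured check-in is present: GET
    /index.php with exactly the bare keys 'method' and 'len', HTTP/1.0
    yet with a Host header, and no User-Agent at all."""
    keys = [k for k, _ in req["query"]]
    values = [v for _, v in req["query"]]
    return (
        req["method"] == "GET"
        and req["path"] == "/index.php"
        and keys == ["method", "len"]
        and all(v == "" for v in values)
        and req["version"] == "HTTP/1.0"
        and req["host"] is not None
        and "user-agent" not in req["headers"]
    )


def check_dump(dump):
    """(Host header, beacon verdict) for one dump block."""
    req = parse_http_request(hexdump_to_bytes(dump))
    return req["host"], is_beacon(req)


if __name__ == "__main__":
    print(check_dump(SAMPLE_DUMP))
    print(is_beacon(parse_http_request(BENIGN_REQUEST)))
```

The same `hexdump_to_bytes()` works on every block in this section; the fourth block (beginriver.net) carries an extra trailing CRLF pair, which `partition(b"\r\n\r\n")` simply leaves in the body. If a looser rule is wanted, the absent User-Agent together with `HTTP/1.0` plus a `Host` header is the combination least likely to be produced by a browser or a standard HTTP library.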


Strings