Analysis | #totalhash

Analysis Date	2015-10-30 07:07:47
MD5	05d4b5f5d1d644934d789b7f68d4ea12
SHA1	71e7af40613099d7b83820f2137c4978d89d1be5

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 62eae76e7a3f8f0608ada86723a3f3a6 sha1: f7ff744536871c4264ca616b276b904d07e32d6d size: 105984
Section	.rdata md5: c71bb52f20b2ea55de8f347467be7052 sha1: e52bf98ab7297be7d6d34a3369f3c014f8d38370 size: 40448
Section	.data md5: 6b8e71bd0e88577b56ff65124f7c861f sha1: 241239757e753af9d7e73219094703a1c29ed50b size: 36352
Section	.rsrc md5: 383feebc8fd8b20a8b5df3bff00bcd41 sha1: 4054d22b3c720e37e03f5847c60cd64c721f81c7 size: 116224
Timestamp	2015-10-20 09:52:21
Packer	Microsoft Visual C++ ?.?
PEhash	d9a32b9f186b9ca6bd2ab590fb9779c55bf4230b
IMPhash	61169341108e3c5723f9c4f3b06bf2e9
AV	CA (E-Trust Ino)	no_virus
AV	F-Secure	Trojan.GenericKD.2811394
AV	Dr. Web	Trojan.DownLoad3.35944
AV	ClamAV	no_virus
AV	Arcabit (arcavir)	Trojan.GenericKD.2811394
AV	BullGuard	Trojan.GenericKD.2811394
AV	Padvish	no_virus
AV	VirusBlokAda (vba32)	Backdoor.Androm
AV	CAT (quickheal)	no_virus
AV	Trend Micro	no_virus
AV	Kaspersky	Trojan-Ransom.Win32.Cryptodef.aahc
AV	Zillya!	no_virus
AV	Emsisoft	Trojan.GenericKD.2811394
AV	Ikarus	Trojan.Win32.Crypt
AV	Frisk (f-prot)	no_virus
AV	Authentium	W32/Agent.XL.gen!Eldorado
AV	MalwareBytes	Ransom.CryptoWall
AV	MicroWorld (escan)	Trojan.GenericKD.2811394
AV	Microsoft Security Essentials	VirTool:Win32/CeeInject.LJ
AV	K7	Trojan ( 004cef571 )
AV	BitDefender	Trojan.GenericKD.2811394
AV	Fortinet	W32/Kryptik.EASA!tr
AV	Symantec	no_virus
AV	Grisoft (avg)	Crypt_r.AFK
AV	Eset (nod32)	Win32/Injector.BNHS
AV	Alwil (avast)	Androp [Drp]
AV	Ad-Aware	Trojan.GenericKD.2811394
AV	Rising	no_virus
AV	Twister	no_virus
AV	Avira (antivir)	TR/Crypt.ZPACK.196051
AV	Mcafee	Gamarue-FDC!05D4B5F5D1D6

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process	C:\WINDOWS\explorer.exe

Process
↳ C:\WINDOWS\explorer.exe

Creates File	C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\6ff06165.exe
Creates File	C:\6ff06165\6ff06165.exe
Creates File	C:\Documents and Settings\Administrator\Application Data\6ff06165.exe
Creates Process	-k netsvcs
Creates Process	vssadmin.exe Delete Shadows /All /Quiet

Process
↳ -k netsvcs

Registry	HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File	C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File	C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File	PIPE\lsarpc
Creates File	\Device\Afd\Endpoint
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex	c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex	c:!documents and settings!administrator!cookies!
Creates Mutex	c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS	objetivografico.es
Winsock DNS	bono.by
Winsock DNS	shugrmedia.com
Winsock DNS	divinemodels.ru
Winsock DNS	aye2zee.biz
Winsock DNS	positivefxstudio.co.uk
Winsock DNS	dkforma.ru
Winsock DNS	software-select.nl
Winsock DNS	ifloresti.ro
Winsock DNS	curlmyip.com
Winsock DNS	pamperedpetsgroomingacademy.co.uk
Winsock DNS	xn--80auckeg1db2a.xn--p1ai
Winsock DNS	peegas.ru
Winsock DNS	z-en.ru
Winsock DNS	voteforbrendan.us
Winsock DNS	bestinyourtown.info
Winsock DNS	berattv.com.tr
Winsock DNS	myexternalip.com
Winsock DNS	bursauygulamaoteli.com
Winsock DNS	qrcp.us
Winsock DNS	ip-addr.es
Winsock DNS	athleticequine.org.nz
Winsock DNS	garlanddeli.com
Winsock DNS	newconsult.by
Winsock DNS	voteforbrendan.mobi
Winsock DNS	martinelacasse.ca
Winsock DNS	directtrailer.us
Winsock DNS	productprovider.nl
Winsock DNS	voteforbrendan.info
Winsock DNS	metroloto.ru
Winsock DNS	rostbiznesa.ru
Winsock DNS	opportunitycup.com
Winsock DNS	voteforbrendan.biz
Winsock DNS	capodimonte.ua
Winsock DNS	voteforbrendan.me
Winsock DNS	electrosim.ro

Process
↳ vssadmin.exe Delete Shadows /All /Quiet

Creates File	PIPE\lsarpc

Network Details:

DNS	ip-addr.es Type: A 188.165.164.184
DNS	myexternalip.com Type: A 78.47.139.102
DNS	curlmyip.com Type: A 184.106.112.172
DNS	rostbiznesa.ru Type: A 92.53.114.211
DNS	electrosim.ro Type: A 37.156.37.11
DNS	peegas.ru Type: A 176.57.216.209
DNS	xn--80auckeg1db2a.xn--p1ai Type: A 194.85.61.76
DNS	xn--80auckeg1db2a.xn--p1ai Type: A 109.70.26.37
DNS	pamperedpetsgroomingacademy.co.uk Type: A 192.254.187.55
DNS	opportunitycup.com Type: A 192.185.29.132
DNS	productprovider.nl Type: A 37.153.204.79
DNS	athleticequine.org.nz Type: A 182.50.130.37
DNS	divinemodels.ru Type: A 5.9.23.71
DNS	voteforbrendan.me Type: A 67.23.254.89
DNS	bestinyourtown.info Type: A 192.185.157.29
DNS	metroloto.ru Type: A 89.207.89.233
DNS	objetivografico.es Type: A 192.185.14.142
DNS	positivefxstudio.co.uk Type: A 88.208.252.82
DNS	berattv.com.tr Type: A 185.33.128.131
DNS	bono.by Type: A 91.149.157.185
DNS	dkforma.ru Type: A 195.19.214.27
DNS	voteforbrendan.biz Type: A 67.23.254.89
DNS	software-select.nl Type: A 37.128.147.21
DNS	ifloresti.ro Type: A 176.126.201.10
DNS	voteforbrendan.info Type: A 67.23.254.89
DNS	voteforbrendan.mobi Type: A 67.23.254.89
DNS	martinelacasse.ca Type: A 192.185.79.75
DNS	capodimonte.ua Type: A 188.95.154.41
DNS	aye2zee.biz Type: A 192.185.198.153
DNS	voteforbrendan.us Type: A 67.23.254.89
DNS	bursauygulamaoteli.com Type: A 89.106.12.62
DNS	garlanddeli.com Type: A 192.185.48.207
DNS	shugrmedia.com Type: A 184.168.193.215
DNS	z-en.ru Type: A 185.58.207.147
DNS	newconsult.by Type: A 93.125.99.68
DNS	directtrailer.us Type: A 69.89.31.160
DNS	qrcp.us Type: A 198.57.246.6
HTTP GET	http://ip-addr.es/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET	http://myexternalip.com/raw User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET	http://curlmyip.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://rostbiznesa.ru/wp-content/plugins/tw-recent-posts-widget/d30UGa.php?g=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://electrosim.ro/wp-content/plugins/contact-form-7/CwR04H.php?g=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://peegas.ru/wp-content/themes/twentytwelve/6x_nV5.php?v=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://rostbiznesa.ru/wp-content/plugins/tw-recent-posts-widget/ILEKUM.php?b=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://xn--80auckeg1db2a.xn--p1ai/wp-content/plugins/shortcodes-ultimate/hntNzB.php?p=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://pamperedpetsgroomingacademy.co.uk/wp-content/plugins/slideshow-jquery-image-gallery/7sinRu.php?k=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://opportunitycup.com/media/editors/tinymce/jscripts/tiny_mce/plugins/contextmenu/InyfWv.php?v=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://productprovider.nl/wp-content/uploads/genesis-extender/plugin/images/HaryfG.php?f=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://athleticequine.org.nz/wp-content/themes/poloraytheme/functions/HdIC_W.php?k=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://divinemodels.ru/tmp/install_534f08d496bdb/tinymce/js/tinymce/plugins/bbcode/GAwCYO.php?o=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://voteforbrendan.me/wp-content/themes/twentyfourteen/pYE7yW.php?n=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://bestinyourtown.info/wp-content/themes/toommoreltheme/_pH5Ck.php?e=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://peegas.ru/wp-content/themes/twentytwelve/uQYbdq.php?j=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://metroloto.ru/wp-content/themes/Velluce/IzOSnD.php?s=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://objetivografico.es/wp-content/themes/book-store%20backup/BhRfIp.php?f=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://positivefxstudio.co.uk/wp-content/themes/spacious/DiJv3L.php?u=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://berattv.com.tr/wp-content/plugins/newsletter/4dMplH.php?j=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://bono.by/wp-content/plugins/akismet/O_xjRv.php?l=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://dkforma.ru/wp-content/themes/dk/Sp6u0B.php?q=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://voteforbrendan.biz/wp-content/themes/twentyfifteen/pLXtNm.php?t=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://software-select.nl/wp-content/themes/genesis/qMfFUp.php?b=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://ifloresti.ro/wp-content/plugins/navayan-subscribe/SYbJT9.php?c=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://voteforbrendan.info/wp-content/themes/genesis/t58Esq.php?h=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://voteforbrendan.mobi/wp-content/plugins/contact-form-7/t1TrNk.php?r=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://martinelacasse.ca/wp-content/plugins/symple-shortcodes/EmATUG.php?w=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://capodimonte.ua/wp-content/plugins/cherry-plugin/D3sOjY.php?v=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://aye2zee.biz/wp-content/plugins/max-banner-ads-pro/5Yfhdr.php?z=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://voteforbrendan.us/wp-content/plugins/wordpress-importer/NyUkLc.php?d=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://bursauygulamaoteli.com/wp-content/themes/welcome_inn-parent/framework/extensions/contactform/static/VNtDfl.php?d=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://garlanddeli.com/media/editors/tinymce/jscripts/tiny_mce/plugins/paste/GbWzVt.php?v=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://shugrmedia.com/wp-content/uploads/2015/09/9rjMyJ.php?b=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://z-en.ru/wp-content/plugins/wp-lightbox-2/107iNE.php?i=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://newconsult.by/wp-content/plugins/all-in-one-seo-pack/JqT9Ls.php?x=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://directtrailer.us/wp-content/plugins/advanced-excerpt/1VtP3W.php?n=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://bono.by/wp-content/plugins/akismet/4BWtIF.php?j=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://qrcp.us/wp-content/themes/twentyfifteen/Bamzho.php?f=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST	http://capodimonte.ua/wp-content/plugins/cherry-plugin/PLlfEN.php?p=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP	192.168.1.1:1031 ➝ 188.165.164.184:80
Flows TCP	192.168.1.1:1032 ➝ 78.47.139.102:80
Flows TCP	192.168.1.1:1033 ➝ 184.106.112.172:80
Flows TCP	192.168.1.1:1034 ➝ 92.53.114.211:80
Flows TCP	192.168.1.1:1035 ➝ 37.156.37.11:80
Flows TCP	192.168.1.1:1036 ➝ 176.57.216.209:80
Flows TCP	192.168.1.1:1037 ➝ 92.53.114.211:80
Flows TCP	192.168.1.1:1038 ➝ 194.85.61.76:80
Flows TCP	192.168.1.1:1039 ➝ 192.254.187.55:80
Flows TCP	192.168.1.1:1040 ➝ 192.185.29.132:80
Flows TCP	192.168.1.1:1041 ➝ 37.153.204.79:80
Flows TCP	192.168.1.1:1042 ➝ 182.50.130.37:80
Flows TCP	192.168.1.1:1043 ➝ 5.9.23.71:80
Flows TCP	192.168.1.1:1044 ➝ 67.23.254.89:80
Flows TCP	192.168.1.1:1045 ➝ 192.185.157.29:80
Flows TCP	192.168.1.1:1046 ➝ 176.57.216.209:80
Flows TCP	192.168.1.1:1047 ➝ 89.207.89.233:80
Flows TCP	192.168.1.1:1048 ➝ 192.185.14.142:80
Flows TCP	192.168.1.1:1049 ➝ 88.208.252.82:80
Flows TCP	192.168.1.1:1050 ➝ 185.33.128.131:80
Flows TCP	192.168.1.1:1051 ➝ 91.149.157.185:80
Flows TCP	192.168.1.1:1052 ➝ 195.19.214.27:80
Flows TCP	192.168.1.1:1053 ➝ 67.23.254.89:80
Flows TCP	192.168.1.1:1054 ➝ 37.128.147.21:80
Flows TCP	192.168.1.1:1055 ➝ 176.126.201.10:80
Flows TCP	192.168.1.1:1056 ➝ 67.23.254.89:80
Flows TCP	192.168.1.1:1057 ➝ 67.23.254.89:80
Flows TCP	192.168.1.1:1058 ➝ 192.185.79.75:80
Flows TCP	192.168.1.1:1059 ➝ 188.95.154.41:80
Flows TCP	192.168.1.1:1060 ➝ 192.185.198.153:80
Flows TCP	192.168.1.1:1061 ➝ 67.23.254.89:80
Flows TCP	192.168.1.1:1062 ➝ 89.106.12.62:80
Flows TCP	192.168.1.1:1063 ➝ 192.185.48.207:80
Flows TCP	192.168.1.1:1064 ➝ 184.168.193.215:80
Flows TCP	192.168.1.1:1065 ➝ 185.58.207.147:80
Flows TCP	192.168.1.1:1066 ➝ 93.125.99.68:80
Flows TCP	192.168.1.1:1067 ➝ 69.89.31.160:80
Flows TCP	192.168.1.1:1068 ➝ 91.149.157.185:80
Flows TCP	192.168.1.1:1069 ➝ 198.57.246.6:80
Flows TCP	192.168.1.1:1070 ➝ 188.95.154.41:80

Raw Pcap

Strings