Analysis Date | 2015-10-30 07:07:47 |
---|---|
MD5 | 05d4b5f5d1d644934d789b7f68d4ea12 |
SHA1 | 71e7af40613099d7b83820f2137c4978d89d1be5 |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: 62eae76e7a3f8f0608ada86723a3f3a6 sha1: f7ff744536871c4264ca616b276b904d07e32d6d size: 105984 | |
Section | .rdata md5: c71bb52f20b2ea55de8f347467be7052 sha1: e52bf98ab7297be7d6d34a3369f3c014f8d38370 size: 40448 | |
Section | .data md5: 6b8e71bd0e88577b56ff65124f7c861f sha1: 241239757e753af9d7e73219094703a1c29ed50b size: 36352 | |
Section | .rsrc md5: 383feebc8fd8b20a8b5df3bff00bcd41 sha1: 4054d22b3c720e37e03f5847c60cd64c721f81c7 size: 116224 | |
Timestamp | 2015-10-20 09:52:21 | |
Packer | Microsoft Visual C++ ?.? | |
PEhash | d9a32b9f186b9ca6bd2ab590fb9779c55bf4230b | |
IMPhash | 61169341108e3c5723f9c4f3b06bf2e9 | |
AV | CA (E-Trust Ino) | no_virus |
AV | F-Secure | Trojan.GenericKD.2811394 |
AV | Dr. Web | Trojan.DownLoad3.35944 |
AV | ClamAV | no_virus |
AV | Arcabit (arcavir) | Trojan.GenericKD.2811394 |
AV | BullGuard | Trojan.GenericKD.2811394 |
AV | Padvish | no_virus |
AV | VirusBlokAda (vba32) | Backdoor.Androm |
AV | CAT (quickheal) | no_virus |
AV | Trend Micro | no_virus |
AV | Kaspersky | Trojan-Ransom.Win32.Cryptodef.aahc |
AV | Zillya! | no_virus |
AV | Emsisoft | Trojan.GenericKD.2811394 |
AV | Ikarus | Trojan.Win32.Crypt |
AV | Frisk (f-prot) | no_virus |
AV | Authentium | W32/Agent.XL.gen!Eldorado |
AV | MalwareBytes | Ransom.CryptoWall |
AV | MicroWorld (escan) | Trojan.GenericKD.2811394 |
AV | Microsoft Security Essentials | VirTool:Win32/CeeInject.LJ |
AV | K7 | Trojan ( 004cef571 ) |
AV | BitDefender | Trojan.GenericKD.2811394 |
AV | Fortinet | W32/Kryptik.EASA!tr |
AV | Symantec | no_virus |
AV | Grisoft (avg) | Crypt_r.AFK |
AV | Eset (nod32) | Win32/Injector.BNHS |
AV | Alwil (avast) | Androp [Drp] |
AV | Ad-Aware | Trojan.GenericKD.2811394 |
AV | Rising | no_virus |
AV | Twister | no_virus |
AV | Avira (antivir) | TR/Crypt.ZPACK.196051 |
AV | Mcafee | Gamarue-FDC!05D4B5F5D1D6 |
Runtime Details:
Process
↳ C:\malware.exe
Creates Process | C:\WINDOWS\explorer.exe |
---|---|
Process
↳ C:\WINDOWS\explorer.exe
Creates File | C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\6ff06165.exe |
---|---|
Creates File | C:\6ff06165\6ff06165.exe |
Creates File | C:\Documents and Settings\Administrator\Application Data\6ff06165.exe |
Creates Process | -k netsvcs |
Creates Process | vssadmin.exe Delete Shadows /All /Quiet |
Process
↳ -k netsvcs
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
---|---|
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
Creates Mutex | c:!documents and settings!administrator!cookies! |
Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
Process
↳ vssadmin.exe Delete Shadows /All /Quiet
Creates File | PIPE\lsarpc |
---|---|
Network Details:
DNS | ip-addr.es Type: A 188.165.164.184 |
---|---|
DNS | myexternalip.com Type: A 78.47.139.102 |
DNS | curlmyip.com Type: A 184.106.112.172 |
DNS | rostbiznesa.ru Type: A 92.53.114.211 |
DNS | electrosim.ro Type: A 37.156.37.11 |
DNS | peegas.ru Type: A 176.57.216.209 |
DNS | xn--80auckeg1db2a.xn--p1ai Type: A 194.85.61.76 |
DNS | xn--80auckeg1db2a.xn--p1ai Type: A 109.70.26.37 |
DNS | pamperedpetsgroomingacademy.co.uk Type: A 192.254.187.55 |
DNS | opportunitycup.com Type: A 192.185.29.132 |
DNS | productprovider.nl Type: A 37.153.204.79 |
DNS | athleticequine.org.nz Type: A 182.50.130.37 |
DNS | divinemodels.ru Type: A 5.9.23.71 |
DNS | voteforbrendan.me Type: A 67.23.254.89 |
DNS | bestinyourtown.info Type: A 192.185.157.29 |
DNS | metroloto.ru Type: A 89.207.89.233 |
DNS | objetivografico.es Type: A 192.185.14.142 |
DNS | positivefxstudio.co.uk Type: A 88.208.252.82 |
DNS | berattv.com.tr Type: A 185.33.128.131 |
DNS | bono.by Type: A 91.149.157.185 |
DNS | dkforma.ru Type: A 195.19.214.27 |
DNS | voteforbrendan.biz Type: A 67.23.254.89 |
DNS | software-select.nl Type: A 37.128.147.21 |
DNS | ifloresti.ro Type: A 176.126.201.10 |
DNS | voteforbrendan.info Type: A 67.23.254.89 |
DNS | voteforbrendan.mobi Type: A 67.23.254.89 |
DNS | martinelacasse.ca Type: A 192.185.79.75 |
DNS | capodimonte.ua Type: A 188.95.154.41 |
DNS | aye2zee.biz Type: A 192.185.198.153 |
DNS | voteforbrendan.us Type: A 67.23.254.89 |
DNS | bursauygulamaoteli.com Type: A 89.106.12.62 |
DNS | garlanddeli.com Type: A 192.185.48.207 |
DNS | shugrmedia.com Type: A 184.168.193.215 |
DNS | z-en.ru Type: A 185.58.207.147 |
DNS | newconsult.by Type: A 93.125.99.68 |
DNS | directtrailer.us Type: A 69.89.31.160 |
DNS | qrcp.us Type: A 198.57.246.6 |
HTTP GET | http://ip-addr.es/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP GET | http://myexternalip.com/raw User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP GET | http://curlmyip.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://rostbiznesa.ru/wp-content/plugins/tw-recent-posts-widget/d30UGa.php?g=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://electrosim.ro/wp-content/plugins/contact-form-7/CwR04H.php?g=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://peegas.ru/wp-content/themes/twentytwelve/6x_nV5.php?v=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://rostbiznesa.ru/wp-content/plugins/tw-recent-posts-widget/ILEKUM.php?b=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://xn--80auckeg1db2a.xn--p1ai/wp-content/plugins/shortcodes-ultimate/hntNzB.php?p=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://pamperedpetsgroomingacademy.co.uk/wp-content/plugins/slideshow-jquery-image-gallery/7sinRu.php?k=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://opportunitycup.com/media/editors/tinymce/jscripts/tiny_mce/plugins/contextmenu/InyfWv.php?v=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://productprovider.nl/wp-content/uploads/genesis-extender/plugin/images/HaryfG.php?f=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://athleticequine.org.nz/wp-content/themes/poloraytheme/functions/HdIC_W.php?k=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://divinemodels.ru/tmp/install_534f08d496bdb/tinymce/js/tinymce/plugins/bbcode/GAwCYO.php?o=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://voteforbrendan.me/wp-content/themes/twentyfourteen/pYE7yW.php?n=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://bestinyourtown.info/wp-content/themes/toommoreltheme/_pH5Ck.php?e=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://peegas.ru/wp-content/themes/twentytwelve/uQYbdq.php?j=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://metroloto.ru/wp-content/themes/Velluce/IzOSnD.php?s=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://objetivografico.es/wp-content/themes/book-store%20backup/BhRfIp.php?f=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://positivefxstudio.co.uk/wp-content/themes/spacious/DiJv3L.php?u=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://berattv.com.tr/wp-content/plugins/newsletter/4dMplH.php?j=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://bono.by/wp-content/plugins/akismet/O_xjRv.php?l=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://dkforma.ru/wp-content/themes/dk/Sp6u0B.php?q=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://voteforbrendan.biz/wp-content/themes/twentyfifteen/pLXtNm.php?t=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://software-select.nl/wp-content/themes/genesis/qMfFUp.php?b=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://ifloresti.ro/wp-content/plugins/navayan-subscribe/SYbJT9.php?c=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://voteforbrendan.info/wp-content/themes/genesis/t58Esq.php?h=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://voteforbrendan.mobi/wp-content/plugins/contact-form-7/t1TrNk.php?r=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://martinelacasse.ca/wp-content/plugins/symple-shortcodes/EmATUG.php?w=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://capodimonte.ua/wp-content/plugins/cherry-plugin/D3sOjY.php?v=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://aye2zee.biz/wp-content/plugins/max-banner-ads-pro/5Yfhdr.php?z=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://voteforbrendan.us/wp-content/plugins/wordpress-importer/NyUkLc.php?d=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://bursauygulamaoteli.com/wp-content/themes/welcome_inn-parent/framework/extensions/contactform/static/VNtDfl.php?d=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://garlanddeli.com/media/editors/tinymce/jscripts/tiny_mce/plugins/paste/GbWzVt.php?v=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://shugrmedia.com/wp-content/uploads/2015/09/9rjMyJ.php?b=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://z-en.ru/wp-content/plugins/wp-lightbox-2/107iNE.php?i=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://newconsult.by/wp-content/plugins/all-in-one-seo-pack/JqT9Ls.php?x=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://directtrailer.us/wp-content/plugins/advanced-excerpt/1VtP3W.php?n=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://bono.by/wp-content/plugins/akismet/4BWtIF.php?j=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://qrcp.us/wp-content/themes/twentyfifteen/Bamzho.php?f=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |
HTTP POST | http://capodimonte.ua/wp-content/plugins/cherry-plugin/PLlfEN.php?p=gsgxs36kuqck User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |