Analysis Date: 2015-09-28 14:01:01
MD5: a43c63ec5fd034f878a1cd1592e7be20
SHA1: 7e944821c9d91bdd08a505a4b64060184a45a102

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 679538cf055aa7474f1b864f0a2c7517  sha1: a2c4a1628aba1391c56b4b5bd4851eea3320b1c0  size: 161280
Section .rdata  md5: 74314fd2543c080ef56248f572ccdd52  sha1: 8a89f5d698d1c9d7e7a07bec51ffa5b3521d90a7  size: 36352
Section .data   md5: 1cc75cf50498a799b861ea99a752c0a6  sha1: 178cd045a1ca9b924d6b17368a142a4861837605  size: 6656
Timestamp: 2015-03-13 09:40:14
Packer: Microsoft Visual C++ ?.?
PEhash: d3bd8b84bc17371d183025a1544dda3ab36a8516
IMPhash: f97a5dee6c7ec61ae4399f67fd333b6f
AV Grisoft (avg): Win32/Cryptor
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.146091
AV Symantec: Downloader.Upatre!g15
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV CA (E-Trust Ino): no_virus
AV Ikarus: Trojan.Win32.Rodecap
AV Dr. Web: Trojan.DownLoader13.48818
AV BullGuard: Gen:Variant.Rodecap.1
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV Trend Micro: no_virus
AV Padvish: no_virus
AV K7: Trojan ( 004bdb0b1 )
AV Zillya!: no_virus
AV Authentium: W32/Scar.U.gen!Eldorado
AV Fortinet: W32/Rodecap.BJ!tr
AV MalwareBytes: Trojan.Agent
AV Emsisoft: Gen:Variant.Rodecap.1
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Eset (nod32): Win32/Rodecap.BJ
AV BitDefender: Gen:Variant.Rodecap.1
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV VirusBlokAda (vba32): no_virus
AV Mcafee: Trojan-FEVX!A43C63EC5FD0
AV F-Secure: Gen:Variant.Rodecap.1
AV Rising: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV CAT (quickheal): Trojan.Scar.r3
AV Frisk (f-prot): no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AV
AV ClamAV: no_virus
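The verdict list above is typical multi-scanner output: a handful of vendors miss the sample, several return only generic labels, and the rest disagree on the family name. The script below is an added example, not part of the report. It copies the vendor/verdict pairs above as constructed input, strips tokens that name a type, platform or heuristic rather than a family, and counts one vote per detecting vendor per remaining token. The separator rules and the GENERIC list are assumptions of this example, not any vendor's naming scheme.

```python
"""Family consensus from multi-scanner verdicts.

Added example, not part of the report. VERDICTS is a constructed copy of the
vendor/verdict pairs listed above; the separator rules and the GENERIC token
list are assumptions of this example.
"""
import re
from collections import Counter

VERDICTS = {
    "Grisoft (avg)": "Win32/Cryptor",
    "Twister": "no_virus",
    "Avira (antivir)": "TR/Crypt.ZPACK.146091",
    "Symantec": "Downloader.Upatre!g15",
    "Alwil (avast)": "Malware-gen:Win32:Malware-gen",
    "CA (E-Trust Ino)": "no_virus",
    "Ikarus": "Trojan.Win32.Rodecap",
    "Dr. Web": "Trojan.DownLoader13.48818",
    "BullGuard": "Gen:Variant.Rodecap.1",
    "Arcabit (arcavir)": "Gen:Variant.Rodecap.1",
    "Trend Micro": "no_virus",
    "Padvish": "no_virus",
    "K7": "Trojan ( 004bdb0b1 )",
    "Zillya!": "no_virus",
    "Authentium": "W32/Scar.U.gen!Eldorado",
    "Fortinet": "W32/Rodecap.BJ!tr",
    "MalwareBytes": "Trojan.Agent",
    "Emsisoft": "Gen:Variant.Rodecap.1",
    "Ad-Aware": "Gen:Variant.Rodecap.1",
    "Eset (nod32)": "Win32/Rodecap.BJ",
    "BitDefender": "Gen:Variant.Rodecap.1",
    "MicroWorld (escan)": "Gen:Variant.Rodecap.1",
    "VirusBlokAda (vba32)": "no_virus",
    "Mcafee": "Trojan-FEVX!A43C63EC5FD0",
    "F-Secure": "Gen:Variant.Rodecap.1",
    "Rising": "no_virus",
    "Kaspersky": "Trojan.Win32.Generic",
    "CAT (quickheal)": "Trojan.Scar.r3",
    "Frisk (f-prot)": "no_virus",
    "Microsoft Security Essentials": "TrojanSpy:Win32/Nivdort.AV",
    "ClamAV": "no_virus",
}

# Tokens that describe type, platform, packer or heuristic rather than a family
# (assumed list; extend as new generic names turn up).
GENERIC = {
    "trojan", "trojanspy", "variant", "generic", "downloader", "malware", "agent",
    "crypt", "cryptor", "zpack", "eldorado", "heur", "backdoor", "worm", "virus",
}

def family_tokens(label):
    """Split a vendor label into candidate family names.

    Separators are . / : ! - whitespace and parentheses. Trailing digits are
    stripped first so 'DownLoader13' collapses to the generic 'downloader';
    then generic words, hex/numeric fragments (hashes, variant counters) and
    anything shorter than four characters are dropped.
    """
    out = []
    for tok in re.split(r"[./:!\-\s()]+", label):
        t = re.sub(r"\d+$", "", tok.lower())
        if len(t) < 4 or t in GENERIC or re.fullmatch(r"[0-9a-f]+", t):
            continue
        out.append(t)
    return out

def family_votes(verdicts):
    """One vote per detecting vendor per distinct family token."""
    votes = Counter()
    for label in verdicts.values():
        if label == "no_virus":
            continue
        for fam in set(family_tokens(label)):
            votes[fam] += 1
    return votes

def consensus(verdicts):
    """Return (detections, vendors, leading family, votes for it)."""
    detected = sum(1 for v in verdicts.values() if v != "no_virus")
    votes = family_votes(verdicts)
    fam, n = votes.most_common(1)[0] if votes else (None, 0)
    return detected, len(verdicts), fam, n

if __name__ == "__main__":
    print(consensus(VERDICTS))
    print(family_votes(VERDICTS).most_common())
```

On this input 22 of 31 vendors detect, "rodecap" collects 10 votes, "scar" two, and "upatre" and "nivdort" one each; the leading name is well supported, but the labels alone do not settle which of those names is the right family. Vendor-internal codes such as McAfee's FEVX survive the filter as one-vote families and belong in GENERIC once recognised.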

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\oqlwhsr\cilfxrspw
Creates File: C:\oqlwhsr\cilfxrspw
Creates File: C:\oqlwhsr\pvieiopgirrxhpj0s.exe
Deletes File: C:\WINDOWS\oqlwhsr\cilfxrspw
Creates Process: C:\oqlwhsr\pvieiopgirrxhpj0s.exe

Process
↳ C:\oqlwhsr\pvieiopgirrxhpj0s.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WLAN Portable Certificate Encrypting Framework ➝ C:\oqlwhsr\ftkyjawcze.exe
Creates File: C:\oqlwhsr\ftkyjawcze.exe
Creates File: C:\WINDOWS\oqlwhsr\cilfxrspw
Creates File: C:\oqlwhsr\cilfxrspw
Creates File: C:\oqlwhsr\csv2ncgmo
Deletes File: C:\WINDOWS\oqlwhsr\cilfxrspw
Creates Process: C:\oqlwhsr\ftkyjawcze.exe
Creates Service: Storage Extensible Network - C:\oqlwhsr\ftkyjawcze.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\DhcpNameServer ➝ 192.168.254.254\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\Parameters\Tcpip\DhcpDefaultGateway ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer ➝ 192.168.254.254\\x00
Creates File: C:\WINDOWS\Prefetch\SVBTSWU.EXE-12E603AA.pf
Creates File: C:\WINDOWS\Prefetch\PVIEIOPGIRRXHPJ0S.EXE-00DFC611.pf
Creates File: NDIS
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\7E944821C9D91BDD08A505A4B6406-1E986811.pf
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\Prefetch\FTKYJAWCZE.EXE-0AAA6DAE.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1204

Process
↳ Pid 1312

Process
↳ Pid 1876

Process
↳ Pid 148

Process
↳ C:\oqlwhsr\ftkyjawcze.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\oqlwhsr\svbtswu.exe
Creates File: C:\WINDOWS\oqlwhsr\cilfxrspw
Creates File: \Device\Afd\Endpoint
Creates File: C:\oqlwhsr\pvvikflma
Creates File: C:\oqlwhsr\cilfxrspw
Creates File: C:\oqlwhsr\csv2ncgmo
Deletes File: C:\WINDOWS\oqlwhsr\cilfxrspw
Creates Process: cvskzgqghytn "c:\oqlwhsr\ftkyjawcze.exe"

Process
↳ C:\oqlwhsr\ftkyjawcze.exe

Creates File: C:\WINDOWS\oqlwhsr\cilfxrspw
Creates File: C:\oqlwhsr\cilfxrspw
Deletes File: C:\WINDOWS\oqlwhsr\cilfxrspw

Process
↳ cvskzgqghytn "c:\oqlwhsr\ftkyjawcze.exe"

Creates File: C:\WINDOWS\oqlwhsr\cilfxrspw
Creates File: C:\oqlwhsr\cilfxrspw
Deletes File: C:\WINDOWS\oqlwhsr\cilfxrspw
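Three things in the runtime details above are worth turning into hunting rules: the payload lives in a freshly created directory directly under C:\ (C:\oqlwhsr\), both a Run value and a new service point into that directory, and the service binary spawns a copy of itself with a command line that opens with a random token ("cvskzgqghytn") rather than its own image name. The script below is an added example, not sandbox output. The EVENTS list is constructed to mirror those observations in a loose Sysmon/EventLog shape (process create, registry value set, service install) plus two benign controls; the field names, the allowlist of standard root directories and the rule thresholds are assumptions of this example.

```python
"""Hunting rules for the persistence and process-creation behaviour above.

Added example, not sandbox output. EVENTS is constructed to mirror the runtime
details in this report; field names, the KNOWN_ROOT_DIRS allowlist and the rules
themselves are assumptions of this example.
"""
import re

# Directories that legitimately sit directly under the system drive
# (assumed allowlist; extend it for the estate being hunted).
KNOWN_ROOT_DIRS = {
    "windows", "program files", "program files (x86)", "users", "programdata",
    "documents and settings", "perflogs", "inetpub",
}

# <drive>:\<first directory>\...  with an optional leading quote
ROOT_DIR_RE = re.compile(r'^"?([a-z]):\\([^\\"]+)\\', re.I)

def unusual_root_dir(path):
    r"""True when the path is inside a non-standard directory directly under the
    drive root, e.g. C:\oqlwhsr\ftkyjawcze.exe; C:\Windows\... returns False."""
    m = ROOT_DIR_RE.match(path.strip())
    return bool(m) and m.group(2).lower() not in KNOWN_ROOT_DIRS

def first_token(cmdline):
    """argv[0] as Windows parses it: a quoted string, or the run up to the first space."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]

def argv0_mismatch(image, cmdline):
    r"""Flag a process whose command line does not start with its own image name.

    CreateProcess takes the executable from lpApplicationName when that is
    supplied and does not require lpCommandLine to begin with it, which is the
    likely origin of 'cvskzgqghytn "c:\oqlwhsr\ftkyjawcze.exe"' above.
    """
    base = image.rsplit("\\", 1)[-1].lower()
    tok = first_token(cmdline).rsplit("\\", 1)[-1].lower()
    return tok not in (base, base.rsplit(".", 1)[0])

def hunt(events):
    """Run the rules over event records; returns (rule, subject, detail) tuples."""
    findings = []
    for ev in events:
        kind = ev["kind"]
        if kind == "registry_set":
            if "\\currentversion\\run\\" in ev["target"].lower() and unusual_root_dir(ev["data"]):
                findings.append(("run_key_unusual_dir", ev["target"], ev["data"]))
        elif kind == "service_install":
            if unusual_root_dir(ev["image_path"]):
                findings.append(("service_unusual_dir", ev["name"], ev["image_path"]))
        elif kind == "process_create":
            if argv0_mismatch(ev["image"], ev["command_line"]):
                findings.append(("argv0_mismatch", ev["image"], ev["command_line"]))
            if unusual_root_dir(ev["image"]):
                findings.append(("process_unusual_dir", ev["image"], ev["command_line"]))
    return findings

# Constructed events mirroring the runtime details above, plus two benign controls.
EVENTS = [
    {"kind": "process_create", "image": r"C:\malware.exe",
     "command_line": r"C:\malware.exe"},
    {"kind": "process_create", "image": r"C:\oqlwhsr\pvieiopgirrxhpj0s.exe",
     "command_line": r"C:\oqlwhsr\pvieiopgirrxhpj0s.exe"},
    {"kind": "registry_set",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WLAN Portable Certificate Encrypting Framework",
     "data": r"C:\oqlwhsr\ftkyjawcze.exe"},
    {"kind": "service_install", "name": "Storage Extensible Network",
     "image_path": r"C:\oqlwhsr\ftkyjawcze.exe"},
    {"kind": "process_create", "image": r"C:\oqlwhsr\ftkyjawcze.exe",
     "command_line": r'cvskzgqghytn "c:\oqlwhsr\ftkyjawcze.exe"'},
    # benign controls: a user-profile Run value and a normal cmd.exe launch
    {"kind": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"kind": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c net1 stop wuauserv"},
]

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

The argv0 rule is low-volume and hard to trip by accident, because almost every launcher passes the image path or name as the first token; the root-directory rule needs its allowlist tuned per estate, since installers that drop into C:\<vendor>\ will fire it, and it should be paired with the Run-key and service rules rather than used alone.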

Network Details:

DNS: rememberforever.net  Type: A  188.40.1.55
DNS: littleflower.net  Type: A  62.116.130.8
DNS: littleminute.net  Type: A  74.220.199.8
DNS: wouldbeyond.net  Type: A
DNS: rememberbeyond.net  Type: A
DNS: wouldbeing.net  Type: A
DNS: rememberbeing.net  Type: A
DNS: wouldforever.net  Type: A
DNS: wouldbottom.net  Type: A
DNS: rememberbottom.net  Type: A
DNS: journeyflower.net  Type: A
DNS: husbandflower.net  Type: A
DNS: journeyminute.net  Type: A
DNS: husbandminute.net  Type: A
DNS: journeyspecial.net  Type: A
DNS: husbandspecial.net  Type: A
DNS: journeycorner.net  Type: A
DNS: husbandcorner.net  Type: A
DNS: destroyflower.net  Type: A
DNS: destroyminute.net  Type: A
DNS: destroyspecial.net  Type: A
DNS: littlespecial.net  Type: A
DNS: destroycorner.net  Type: A
DNS: littlecorner.net  Type: A
DNS: riddenflower.net  Type: A
DNS: belongflower.net  Type: A
DNS: riddenminute.net  Type: A
DNS: belongminute.net  Type: A
DNS: riddenspecial.net  Type: A
DNS: belongspecial.net  Type: A
DNS: riddencorner.net  Type: A
DNS: belongcorner.net  Type: A
DNS: chairflower.net  Type: A
DNS: thoseflower.net  Type: A
DNS: chairminute.net  Type: A
DNS: thoseminute.net  Type: A
DNS: chairspecial.net  Type: A
DNS: thosespecial.net  Type: A
DNS: chaircorner.net  Type: A
DNS: thosecorner.net  Type: A
DNS: withinflower.net  Type: A
DNS: sufferflower.net  Type: A
DNS: withinminute.net  Type: A
DNS: sufferminute.net  Type: A
DNS: withinspecial.net  Type: A
DNS: sufferspecial.net  Type: A
DNS: withincorner.net  Type: A
DNS: suffercorner.net  Type: A
DNS: effortflower.net  Type: A
DNS: throughflower.net  Type: A
DNS: effortminute.net  Type: A
DNS: throughminute.net  Type: A
DNS: effortspecial.net  Type: A
DNS: throughspecial.net  Type: A
DNS: effortcorner.net  Type: A
DNS: throughcorner.net  Type: A
DNS: forgetflower.net  Type: A
DNS: increaseflower.net  Type: A
DNS: forgetminute.net  Type: A
DNS: increaseminute.net  Type: A
DNS: forgetspecial.net  Type: A
DNS: increasespecial.net  Type: A
DNS: forgetcorner.net  Type: A
DNS: increasecorner.net  Type: A
DNS: wouldflower.net  Type: A
DNS: rememberflower.net  Type: A
DNS: wouldminute.net  Type: A
DNS: rememberminute.net  Type: A
DNS: wouldspecial.net  Type: A
DNS: rememberspecial.net  Type: A
DNS: wouldcorner.net  Type: A
DNS: remembercorner.net  Type: A
DNS: journeyadvance.net  Type: A
DNS: husbandadvance.net  Type: A
DNS: journeystranger.net  Type: A
DNS: husbandstranger.net  Type: A
DNS: journeygoodbye.net  Type: A
DNS: husbandgoodbye.net  Type: A
DNS: journeyfortieth.net  Type: A
DNS: husbandfortieth.net  Type: A
DNS: destroyadvance.net  Type: A
DNS: littleadvance.net  Type: A
DNS: destroystranger.net  Type: A
DNS: littlestranger.net  Type: A
DNS: destroygoodbye.net  Type: A
HTTP GET: http://rememberforever.net/index.php?method&len
User-Agent:
HTTP GET: http://littleflower.net/index.php?method&len
User-Agent:
HTTP GET: http://littleminute.net/index.php?method&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 188.40.1.55:80
Flows TCP: 192.168.1.1:1032 ➝ 62.116.130.8:80
Flows TCP: 192.168.1.1:1033 ➝ 74.220.199.8:80
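The DNS section above has the shape of a dictionary-based DGA: every name is two English words joined, all under .net, queried in one burst, and only the first three carry an A answer in the report and then receive an HTTP GET to /index.php. The script below is an added example, not part of the report. It parses report lines of this shape (key and value either fused or separated by a colon, the answer on the same line or on the line after), splits each second-level label into two words from a small constructed vocabulary, and combines the word-pair count with the share of names that got no answer before calling the burst a DGA; C2 candidates are the names that both resolved and received a beacon GET. SAMPLE is a constructed subset of the queries, GETs and flows above plus one benign control; the vocabulary, the thresholds and the control's 203.0.113.10 answer are assumptions of this example.

```python
"""Dictionary-DGA triage over the network section of this report.

Added example, not part of the report. SAMPLE is a constructed subset of the
queries, GETs and flows listed above plus one benign control; VOCAB is a
constructed mini dictionary (use a full word list in practice); the thresholds
in analyse() are assumptions.
"""
import re

DNS_RE = re.compile(
    r"^DNS:?\s*(\S+)"                          # DNSname  or  DNS: name
    r"(?:\s+Type:\s*(\w+))?"                   # optional  Type: A  on the same line
    r"(?:\s+(\d{1,3}(?:\.\d{1,3}){3}))?\s*$"   # optional answer on the same line
)
TYPE_RE = re.compile(r"^Type:\s*(\w+)$")
IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})$")
GET_RE = re.compile(r"^HTTP GET:?\s*(\S+)$")
FLOW_RE = re.compile(r"^Flows TCP:?\s*(\S+)\s*➝\s*(\S+)$")

def parse_network(lines):
    """Return (queries, gets, flows); each query is {name, type, answers}."""
    queries, gets, flows, cur = [], [], [], None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = DNS_RE.match(line)
        if m:
            cur = {"name": m.group(1).lower(), "type": m.group(2), "answers": []}
            if m.group(3):
                cur["answers"].append(m.group(3))
            queries.append(cur)
            continue
        m = TYPE_RE.match(line)
        if m and cur is not None:          # Type line belonging to the last query
            cur["type"] = m.group(1)
            continue
        m = IP_RE.match(line)
        if m and cur is not None:          # answer line belonging to the last query
            cur["answers"].append(m.group(1))
            continue
        m = GET_RE.match(line)
        if m:
            gets.append(m.group(1))
            continue
        m = FLOW_RE.match(line)
        if m:
            flows.append((m.group(1), m.group(2)))
        # anything else (e.g. an empty User-Agent line) is ignored
    return queries, gets, flows

def split_words(label, vocab, min_len=3):
    """Return (w1, w2) when label is exactly two vocabulary words joined, else None."""
    for cut in range(min_len, len(label) - min_len + 1):
        a, b = label[:cut], label[cut:]
        if a in vocab and b in vocab:
            return a, b
    return None

def analyse(lines, vocab, min_pairs=8, min_unanswered=0.5):
    """Word-pair names, how many got no answer, and the resolved names that were beaconed to."""
    queries, gets, flows = parse_network(lines)
    pairs = {}
    for q in queries:
        labels = q["name"].split(".")
        if len(labels) >= 2 and split_words(labels[-2], vocab):
            pairs.setdefault(q["name"], q)
    unanswered = [n for n, q in pairs.items() if not q["answers"]]
    resolved = {n: q["answers"][0] for n, q in pairs.items() if q["answers"]}
    c2 = {}
    for url in gets:
        host = re.sub(r"^https?://", "", url).split("/", 1)[0].lower()
        if host in resolved and "/index.php?" in url:
            c2[host] = resolved[host]
    ratio = len(unanswered) / len(pairs) if pairs else 0.0
    return {
        "pair_domains": len(pairs),
        "unanswered": len(unanswered),
        "unanswered_ratio": round(ratio, 2),
        "dga_suspected": len(pairs) >= min_pairs and ratio >= min_unanswered,
        "c2": c2,
        "flows": flows,
    }

# Constructed mini dictionary; a real deployment uses a full word list.
VOCAB = {
    "remember", "little", "would", "journey", "husband", "destroy", "through",
    "forever", "flower", "minute", "beyond", "being", "corner", "special",
    "micro", "soft", "update", "cloud", "secure", "mail",
}

# Constructed subset of the report's network section plus one benign control
# (www.microsoft.com with a documentation-range answer, an assumption).
SAMPLE = """\
DNS: rememberforever.net
Type: A
188.40.1.55
DNS: littleflower.net
Type: A
62.116.130.8
DNS: littleminute.net
Type: A
74.220.199.8
DNS: wouldbeyond.net
Type: A
DNS: rememberbeyond.net
Type: A
DNS: wouldbeing.net
Type: A
DNS: journeyflower.net
Type: A
DNS: husbandflower.net
Type: A
DNS: destroycorner.net
Type: A
DNS: throughspecial.net
Type: A
DNS: www.microsoft.com
Type: A
203.0.113.10
HTTP GET: http://rememberforever.net/index.php?method&len
User-Agent:
HTTP GET: http://littleflower.net/index.php?method&len
User-Agent:
HTTP GET: http://littleminute.net/index.php?method&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 188.40.1.55:80
Flows TCP: 192.168.1.1:1032 ➝ 62.116.130.8:80
Flows TCP: 192.168.1.1:1033 ➝ 74.220.199.8:80
"""

if __name__ == "__main__":
    print(analyse(SAMPLE.splitlines(), VOCAB))
```

Dictionary splitting on its own is a weak signal: www.microsoft.com splits into micro+soft and is counted as a word-pair name, which is why the verdict also requires a burst of at least min_pairs such names with at least half of them unanswered, and why c2 is restricted to names that both resolved and received a beacon GET. On the sample it counts 11 word-pair names, 7 without an answer, and maps the three C2 hosts to 188.40.1.55, 62.116.130.8 and 74.220.199.8.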
