Analysis Date: 2015-11-01 07:33:21
MD5: a755379c16b40ffa056f4dc4927aba67
SHA1: 872e071f72de8d402f8d461581a592e356fbc608

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 41570873ea471c19106ab95fa9e7f806  sha1: 6da61d5c42f562ee1c8183dc3c76f0b3315264bd  size: 105984
Section .rdata  md5: f294015c8c7e52c2cde580767ee821cd  sha1: 9b5f7b7eaad2638e2ef8568aae4a6fbaac246eac  size: 40448
Section .data   md5: 7f51e775f66dc886f76c033aea5bc288  sha1: 234199f9a1d5ecd062bd54e12db050922fa08281  size: 36352
Section .rsrc   md5: 8d0347151530113e2b833f1775e88414  sha1: c02261e577a1261cd0c565c9d3d5713bd8e7c45a  size: 118272
Timestamp: 2015-10-20 07:48:38
Packer: Microsoft Visual C++ ?.?
PEhash: 24f61e45f1023d938c0665cb297da0b7ea92f365
IMPhash: e5f030838b9317b0ad549c187ba9d37e
AV ClamAV: no_virus
AV Kaspersky: Trojan-Ransom.Win32.Cryptodef.aaet
AV Emsisoft: Trojan.GenericKDZ.30724
AV MalwareBytes: Backdoor.Andromeda
AV Fortinet: W32/Kryptik.EASA!tr
AV Rising: no_virus
AV Dr. Web: Trojan.Inject1.43628
AV Grisoft (avg): Crypt_r.AFO
AV CA (E-Trust Ino): no_virus
AV Alwil (avast): Androp [Drp]
AV K7: Trojan ( 004cef571 )
AV Arcabit (arcavir): Trojan.GenericKDZ.30724
AV Padvish: no_virus
AV Twister: no_virus
AV MicroWorld (escan): Trojan.GenericKDZ.30724
AV F-Secure: Trojan.GenericKDZ.30724
AV Avira (antivir): TR/AD.Crowti.Y.458
AV Trend Micro: no_virus
AV Symantec: no_virus
AV VirusBlokAda (vba32): Backdoor.Androm
AV Zillya!: no_virus
AV BullGuard: Trojan.GenericKDZ.30724
AV CAT (quickheal): no_virus
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Eset (nod32): Win32/Injector.BNHS
AV Frisk (f-prot): no_virus
AV Mcafee: Gamarue-FDC!A755379C16B4
AV Ad-Aware: Trojan.GenericKDZ.30724
AV BitDefender: Trojan.GenericKDZ.30724
AV Microsoft Security Essentials: Ransom:Win32/Crowti
AV Ikarus: Trojan.Win32.Injector

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\explorer.exe

Process
↳ C:\WINDOWS\explorer.exe

Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\6ff06165.exe
Creates File: C:\6ff06165\6ff06165.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\6ff06165.exe
Creates Process: vssadmin.exe Delete Shadows /All /Quiet
Creates Process: -k netsvcs

Process
↳ -k netsvcs

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: objetivografico.es
Winsock DNS: bono.by
Winsock DNS: shugrmedia.com
Winsock DNS: divinemodels.ru
Winsock DNS: aye2zee.biz
Winsock DNS: positivefxstudio.co.uk
Winsock DNS: dkforma.ru
Winsock DNS: software-select.nl
Winsock DNS: ifloresti.ro
Winsock DNS: curlmyip.com
Winsock DNS: pamperedpetsgroomingacademy.co.uk
Winsock DNS: xn--80auckeg1db2a.xn--p1ai
Winsock DNS: peegas.ru
Winsock DNS: z-en.ru
Winsock DNS: bestinyourtown.info
Winsock DNS: voteforbrendan.us
Winsock DNS: berattv.com.tr
Winsock DNS: myexternalip.com
Winsock DNS: bursauygulamaoteli.com
Winsock DNS: ip-addr.es
Winsock DNS: qrcp.us
Winsock DNS: athleticequine.org.nz
Winsock DNS: garlanddeli.com
Winsock DNS: newconsult.by
Winsock DNS: voteforbrendan.mobi
Winsock DNS: martinelacasse.ca
Winsock DNS: directtrailer.us
Winsock DNS: productprovider.nl
Winsock DNS: voteforbrendan.info
Winsock DNS: metroloto.ru
Winsock DNS: voteforbrendan.biz
Winsock DNS: rostbiznesa.ru
Winsock DNS: opportunitycup.com
Winsock DNS: capodimonte.ua
Winsock DNS: voteforbrendan.me
Winsock DNS: electrosim.ro

Process
↳ vssadmin.exe Delete Shadows /All /Quiet

Creates File: PIPE\lsarpc
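The process tree above is the whole host-side story of this sample: the dropper starts a fresh explorer.exe; that explorer.exe writes the same 8-hex-character executable (6ff06165.exe) to the Startup folder, to C:\6ff06165\ and to Application Data, deletes every volume shadow copy with vssadmin, and launches a process whose command line is nothing but svchost-style "-k netsvcs" arguments, which then performs all of the network activity. The Python script below is an added example, not part of this report or of any sandbox or vendor code: it runs those four checks over a constructed set of Sysmon-style process-create (event 1) and file-create (event 11) records modelled on the lines above. The event dictionaries, their field names and the benign entries mixed in are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (1 = process create, 11 = file create) modelled on
# the process tree in this report. Field names, paths of the benign entries and the
# event layout are assumptions for illustration, not data taken from the sandbox.
EVENTS = [
    {"id": 1, "image": r"C:\WINDOWS\explorer.exe", "parent": r"C:\malware.exe",
     "cmdline": r"C:\WINDOWS\explorer.exe"},
    {"id": 11, "image": r"C:\WINDOWS\explorer.exe",
     "target": r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\6ff06165.exe"},
    {"id": 11, "image": r"C:\WINDOWS\explorer.exe", "target": r"C:\6ff06165\6ff06165.exe"},
    {"id": 11, "image": r"C:\WINDOWS\explorer.exe",
     "target": r"C:\Documents and Settings\Administrator\Application Data\6ff06165.exe"},
    {"id": 1, "image": r"C:\WINDOWS\system32\vssadmin.exe", "parent": r"C:\WINDOWS\explorer.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"id": 1, "image": r"C:\WINDOWS\system32\svchost.exe", "parent": r"C:\WINDOWS\explorer.exe",
     "cmdline": "-k netsvcs"},
    # benign activity that the rules must ignore (constructed)
    {"id": 1, "image": r"C:\WINDOWS\system32\svchost.exe", "parent": r"C:\WINDOWS\system32\services.exe",
     "cmdline": r"C:\WINDOWS\system32\svchost.exe -k netsvcs", "benign": True},
    {"id": 1, "image": r"C:\WINDOWS\notepad.exe", "parent": r"C:\WINDOWS\explorer.exe",
     "cmdline": "notepad.exe", "benign": True},
    {"id": 11, "image": r"C:\WINDOWS\system32\msiexec.exe",
     "target": r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Updater.lnk",
     "benign": True},
]

SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
HEX8_EXE = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)
SVCHOST_ARGS = re.compile(r"(?:^|\s)-k\s+\w+", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(events):
    """Return (rule, evidence) pairs for the behaviours recorded in this report."""
    findings = []
    drops = defaultdict(set)  # lower-cased file name -> every full path it was written to
    for ev in events:
        if ev["id"] == 1:
            if SHADOW_DELETE.search(ev["cmdline"]):
                findings.append(("shadow_copy_deletion", ev["cmdline"]))
            # explorer.exe launching user programs is normal; explorer.exe launching
            # svchost.exe, or anything whose arguments are only "-k <group>", is not:
            # service hosts are started by services.exe.
            if basename(ev["parent"]).lower() == "explorer.exe" and (
                basename(ev["image"]).lower() == "svchost.exe"
                or SVCHOST_ARGS.search(ev["cmdline"])
            ):
                findings.append(("explorer_spawned_svchost", ev["cmdline"]))
        elif ev["id"] == 11:
            name = basename(ev["target"])
            if STARTUP_DIR.search(ev["target"]) and HEX8_EXE.match(name):
                findings.append(("startup_hex_exe", ev["target"]))
            drops[name.lower()].add(ev["target"].lower())
    # the same binary written to the Startup folder and to at least two other places
    for name, paths in drops.items():
        if len(paths) >= 3 and any(STARTUP_DIR.search(p) for p in paths):
            findings.append(("multi_location_self_copy", name))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(EVENTS):
        print(f"{rule:26s} {evidence}")
```

On the constructed events the script reports all four behaviours once each and nothing for the benign entries. The vssadmin rule matches the command wherever it appears in a command line (including behind "cmd /c"), but administrators and backup agents do run it legitimately, so treat it as a strong signal only alongside the startup drop or the explorer-to-svchost parentage.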

Network Details:

DNS: ip-addr.es (A) ➝ 188.165.164.184
DNS: myexternalip.com (A) ➝ 78.47.139.102
DNS: curlmyip.com (A) ➝ 184.106.112.172
DNS: berattv.com.tr (A) ➝ 185.33.128.131
DNS: peegas.ru (A) ➝ 176.57.216.209
DNS: voteforbrendan.us (A) ➝ 67.23.254.89
DNS: capodimonte.ua (A) ➝ 188.95.154.41
DNS: bono.by (A) ➝ 91.149.157.185
DNS: pamperedpetsgroomingacademy.co.uk (A) ➝ 192.254.187.55
DNS: voteforbrendan.me (A) ➝ 67.23.254.89
DNS: qrcp.us (A) ➝ 198.57.246.6
DNS: newconsult.by (A) ➝ 93.125.99.68
DNS: positivefxstudio.co.uk (A) ➝ 88.208.252.82
DNS: objetivografico.es (A) ➝ 192.185.14.142
DNS: voteforbrendan.biz (A) ➝ 67.23.254.89
DNS: garlanddeli.com (A) ➝ 192.185.48.207
DNS: metroloto.ru (A) ➝ 89.207.89.233
DNS: electrosim.ro (A) ➝ 37.156.37.11
DNS: rostbiznesa.ru (A) ➝ 92.53.114.211
DNS: directtrailer.us (A) ➝ 69.89.31.160
DNS: voteforbrendan.mobi (A) ➝ 67.23.254.89
DNS: divinemodels.ru (A) ➝ 5.9.23.71
DNS: dkforma.ru (A) ➝ 195.19.214.27
DNS: martinelacasse.ca (A) ➝ 192.185.79.75
DNS: bestinyourtown.info (A) ➝ 192.185.157.29
DNS: shugrmedia.com (A) ➝ 184.168.193.215
DNS: software-select.nl (A) ➝ 37.128.147.21
DNS: athleticequine.org.nz (A) ➝ 182.50.130.37
DNS: aye2zee.biz (A) ➝ 192.185.198.153
DNS: z-en.ru (A) ➝ 185.58.207.147
DNS: voteforbrendan.info (A) ➝ 67.23.254.89
DNS: opportunitycup.com (A) ➝ 192.185.29.132
DNS: xn--80auckeg1db2a.xn--p1ai (A) ➝ 194.85.61.76
DNS: xn--80auckeg1db2a.xn--p1ai (A) ➝ 109.70.26.37
DNS: bursauygulamaoteli.com (A) ➝ 89.106.12.62
DNS: productprovider.nl (A) ➝ 37.153.204.79
DNS: ifloresti.ro (A) ➝ 176.126.201.10
User-Agent on every request below: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://ip-addr.es/
HTTP GET: http://myexternalip.com/raw
HTTP GET: http://curlmyip.com/
HTTP POST: http://berattv.com.tr/wp-content/plugins/newsletter/4dMplH.php?j=di5yc340811fqd
HTTP POST: http://peegas.ru/wp-content/themes/twentytwelve/uQYbdq.php?g=di5yc340811fqd
HTTP POST: http://voteforbrendan.us/wp-content/plugins/wordpress-importer/NyUkLc.php?b=di5yc340811fqd
HTTP POST: http://capodimonte.ua/wp-content/plugins/cherry-plugin/D3sOjY.php?u=di5yc340811fqd
HTTP POST: http://bono.by/wp-content/plugins/akismet/4BWtIF.php?o=di5yc340811fqd
HTTP POST: http://pamperedpetsgroomingacademy.co.uk/wp-content/plugins/slideshow-jquery-image-gallery/7sinRu.php?m=di5yc340811fqd
HTTP POST: http://voteforbrendan.me/wp-content/themes/twentyfourteen/pYE7yW.php?n=di5yc340811fqd
HTTP POST: http://qrcp.us/wp-content/themes/twentyfifteen/Bamzho.php?w=di5yc340811fqd
HTTP POST: http://newconsult.by/wp-content/plugins/all-in-one-seo-pack/JqT9Ls.php?i=di5yc340811fqd
HTTP POST: http://bono.by/wp-content/plugins/akismet/O_xjRv.php?q=di5yc340811fqd
HTTP POST: http://positivefxstudio.co.uk/wp-content/themes/spacious/DiJv3L.php?b=di5yc340811fqd
HTTP POST: http://objetivografico.es/wp-content/themes/book-store%20backup/BhRfIp.php?y=di5yc340811fqd
HTTP POST: http://voteforbrendan.biz/wp-content/themes/twentyfifteen/pLXtNm.php?m=di5yc340811fqd
HTTP POST: http://garlanddeli.com/media/editors/tinymce/jscripts/tiny_mce/plugins/paste/GbWzVt.php?w=di5yc340811fqd
HTTP POST: http://peegas.ru/wp-content/themes/twentytwelve/6x_nV5.php?w=di5yc340811fqd
HTTP POST: http://capodimonte.ua/wp-content/plugins/cherry-plugin/PLlfEN.php?v=di5yc340811fqd
HTTP POST: http://metroloto.ru/wp-content/themes/Velluce/IzOSnD.php?f=di5yc340811fqd
HTTP POST: http://electrosim.ro/wp-content/plugins/contact-form-7/CwR04H.php?f=di5yc340811fqd
HTTP POST: http://rostbiznesa.ru/wp-content/plugins/tw-recent-posts-widget/ILEKUM.php?o=di5yc340811fqd
HTTP POST: http://directtrailer.us/wp-content/plugins/advanced-excerpt/1VtP3W.php?h=di5yc340811fqd
HTTP POST: http://voteforbrendan.mobi/wp-content/plugins/contact-form-7/t1TrNk.php?u=di5yc340811fqd
HTTP POST: http://divinemodels.ru/tmp/install_534f08d496bdb/tinymce/js/tinymce/plugins/bbcode/GAwCYO.php?n=di5yc340811fqd
HTTP POST: http://dkforma.ru/wp-content/themes/dk/Sp6u0B.php?s=di5yc340811fqd
HTTP POST: http://martinelacasse.ca/wp-content/plugins/symple-shortcodes/EmATUG.php?a=di5yc340811fqd
HTTP POST: http://bestinyourtown.info/wp-content/themes/toommoreltheme/_pH5Ck.php?a=di5yc340811fqd
HTTP POST: http://shugrmedia.com/wp-content/uploads/2015/09/9rjMyJ.php?s=di5yc340811fqd
HTTP POST: http://software-select.nl/wp-content/themes/genesis/qMfFUp.php?m=di5yc340811fqd
HTTP POST: http://athleticequine.org.nz/wp-content/themes/poloraytheme/functions/HdIC_W.php?f=di5yc340811fqd
HTTP POST: http://aye2zee.biz/wp-content/plugins/max-banner-ads-pro/5Yfhdr.php?o=di5yc340811fqd
HTTP POST: http://z-en.ru/wp-content/plugins/wp-lightbox-2/107iNE.php?j=di5yc340811fqd
HTTP POST: http://voteforbrendan.info/wp-content/themes/genesis/t58Esq.php?t=di5yc340811fqd
HTTP POST: http://rostbiznesa.ru/wp-content/plugins/tw-recent-posts-widget/d30UGa.php?b=di5yc340811fqd
HTTP POST: http://opportunitycup.com/media/editors/tinymce/jscripts/tiny_mce/plugins/contextmenu/InyfWv.php?b=di5yc340811fqd
HTTP POST: http://xn--80auckeg1db2a.xn--p1ai/wp-content/plugins/shortcodes-ultimate/hntNzB.php?o=di5yc340811fqd
HTTP POST: http://bursauygulamaoteli.com/wp-content/themes/welcome_inn-parent/framework/extensions/contactform/static/VNtDfl.php?v=di5yc340811fqd
HTTP POST: http://productprovider.nl/wp-content/uploads/genesis-extender/plugin/images/HaryfG.php?w=di5yc340811fqd
HTTP POST: http://ifloresti.ro/wp-content/plugins/navayan-subscribe/SYbJT9.php?z=di5yc340811fqd
Flows TCP: 192.168.1.1:1031 ➝ 188.165.164.184:80
Flows TCP: 192.168.1.1:1032 ➝ 78.47.139.102:80
Flows TCP: 192.168.1.1:1033 ➝ 184.106.112.172:80
Flows TCP: 192.168.1.1:1034 ➝ 185.33.128.131:80
Flows TCP: 192.168.1.1:1035 ➝ 176.57.216.209:80
Flows TCP: 192.168.1.1:1036 ➝ 67.23.254.89:80
Flows TCP: 192.168.1.1:1037 ➝ 188.95.154.41:80
Flows TCP: 192.168.1.1:1038 ➝ 91.149.157.185:80
Flows TCP: 192.168.1.1:1039 ➝ 192.254.187.55:80
Flows TCP: 192.168.1.1:1040 ➝ 67.23.254.89:80
Flows TCP: 192.168.1.1:1041 ➝ 198.57.246.6:80
Flows TCP: 192.168.1.1:1042 ➝ 93.125.99.68:80
Flows TCP: 192.168.1.1:1043 ➝ 91.149.157.185:80
Flows TCP: 192.168.1.1:1044 ➝ 88.208.252.82:80
Flows TCP: 192.168.1.1:1045 ➝ 192.185.14.142:80
Flows TCP: 192.168.1.1:1046 ➝ 67.23.254.89:80
Flows TCP: 192.168.1.1:1047 ➝ 192.185.48.207:80
Flows TCP: 192.168.1.1:1048 ➝ 176.57.216.209:80
Flows TCP: 192.168.1.1:1049 ➝ 188.95.154.41:80
Flows TCP: 192.168.1.1:1050 ➝ 89.207.89.233:80
Flows TCP: 192.168.1.1:1051 ➝ 37.156.37.11:80
Flows TCP: 192.168.1.1:1052 ➝ 92.53.114.211:80
Flows TCP: 192.168.1.1:1053 ➝ 69.89.31.160:80
Flows TCP: 192.168.1.1:1054 ➝ 67.23.254.89:80
Flows TCP: 192.168.1.1:1055 ➝ 5.9.23.71:80
Flows TCP: 192.168.1.1:1056 ➝ 195.19.214.27:80
Flows TCP: 192.168.1.1:1057 ➝ 192.185.79.75:80
Flows TCP: 192.168.1.1:1058 ➝ 192.185.157.29:80
Flows TCP: 192.168.1.1:1059 ➝ 184.168.193.215:80
Flows TCP: 192.168.1.1:1060 ➝ 37.128.147.21:80
Flows TCP: 192.168.1.1:1061 ➝ 182.50.130.37:80
Flows TCP: 192.168.1.1:1062 ➝ 192.185.198.153:80
Flows TCP: 192.168.1.1:1063 ➝ 185.58.207.147:80
Flows TCP: 192.168.1.1:1064 ➝ 67.23.254.89:80
Flows TCP: 192.168.1.1:1065 ➝ 92.53.114.211:80
Flows TCP: 192.168.1.1:1066 ➝ 192.185.29.132:80
Flows TCP: 192.168.1.1:1067 ➝ 194.85.61.76:80
Flows TCP: 192.168.1.1:1068 ➝ 89.106.12.62:80
Flows TCP: 192.168.1.1:1069 ➝ 37.153.204.79:80
Flows TCP: 192.168.1.1:1070 ➝ 176.126.201.10:80
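The network log above has a fixed shape worth turning into a search: three GETs to public "what is my IP" services, then 37 POSTs to compromised sites (almost all under wp-content/, a few under Joomla's media/editors/tinymce/ path), each to a six-character PHP script name, each carrying a single-letter query key whose value is the same fourteen-character string, di5yc340811fqd, in every request. That constant is what identifies this victim to the operators, and the script names and hosts are what rotate. The Python below is an added example, not part of this report or of any vendor's code: it parses request lines of that shape, separates the IP-lookup traffic from the beacons, and groups the beacon hosts by the shared token. The request list inside it is constructed from URLs in the report plus three benign WordPress-style requests that must not match.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The three external-IP services the sample queried before beaconing (from the report).
IP_LOOKUP_HOSTS = {"ip-addr.es", "myexternalip.com", "curlmyip.com"}

# Shape shared by every POST in the report: any path on the compromised site, a
# six-character [A-Za-z0-9_] script name, ".php", a one-letter query key and a
# fourteen-character lowercase alphanumeric value.
C2_URL = re.compile(
    r"^/(?:[^?]*/)?(?P<script>[A-Za-z0-9_]{6})\.php"
    r"\?(?P<key>[a-z])=(?P<token>[a-z0-9]{14})$"
)

# Constructed from the report's request log, plus benign entries that must not match.
SAMPLE_REQUESTS = [
    ("GET", "http://ip-addr.es/"),
    ("GET", "http://myexternalip.com/raw"),
    ("GET", "http://curlmyip.com/"),
    ("POST", "http://berattv.com.tr/wp-content/plugins/newsletter/4dMplH.php?j=di5yc340811fqd"),
    ("POST", "http://peegas.ru/wp-content/themes/twentytwelve/uQYbdq.php?g=di5yc340811fqd"),
    ("POST", "http://bono.by/wp-content/plugins/akismet/4BWtIF.php?o=di5yc340811fqd"),
    ("POST", "http://bono.by/wp-content/plugins/akismet/O_xjRv.php?q=di5yc340811fqd"),
    ("POST", "http://objetivografico.es/wp-content/themes/book-store%20backup/BhRfIp.php?y=di5yc340811fqd"),
    ("POST", "http://garlanddeli.com/media/editors/tinymce/jscripts/tiny_mce/plugins/paste/GbWzVt.php?w=di5yc340811fqd"),
    # benign-looking traffic (constructed): ordinary WordPress requests and a near miss
    ("POST", "http://blog.example/wp-admin/admin-ajax.php?action=heartbeat"),
    ("GET", "http://blog.example/wp-content/plugins/akismet/_inc/akismet.js"),
    ("POST", "http://blog.example/wp-content/uploads/abcdef.php?x=short"),
]


def parse_beacon(url):
    """Return the beacon's components if the URL has the C2 shape, otherwise None."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    m = C2_URL.match(target)
    if not m:
        return None
    return {"host": parts.hostname, "script": m["script"],
            "key": m["key"], "token": m["token"]}


def classify(requests):
    """Sort (method, url) pairs into IP-lookup traffic, C2 beacons and everything else."""
    out = {"ip_lookup": [], "c2": [], "other": []}
    for method, url in requests:
        host = urlsplit(url).hostname
        beacon = parse_beacon(url)
        if host in IP_LOOKUP_HOSTS:
            out["ip_lookup"].append(url)
        elif method == "POST" and beacon:
            out["c2"].append(beacon)
        else:
            out["other"].append(url)
    return out


def tokens_by_host(beacons):
    """Group beacon hosts by the token they carry; one token per victim is expected."""
    groups = defaultdict(set)
    for b in beacons:
        groups[b["token"]].add(b["host"])
    return {token: sorted(hosts) for token, hosts in groups.items()}


if __name__ == "__main__":
    buckets = classify(SAMPLE_REQUESTS)
    for token, hosts in tokens_by_host(buckets["c2"]).items():
        print(f"token {token}: {len(hosts)} hosts -> {', '.join(hosts)}")
    print(f"ip lookups: {len(buckets['ip_lookup'])}, unmatched: {len(buckets['other'])}")
```

The regex is the part worth carrying into proxy-log searches; the IP-lookup GETs and the MSIE 6.0 User-Agent (a plausible string for the Windows XP sandbox the report ran on) are weak on their own. Note the two POSTs to bono.by with different script names and keys but the same token: the token, not the URL, is the stable indicator.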
