Analysis Date: 2015-09-28 04:30:06
MD5: 70faf96a52b5f4b58c6f24d14e7fec83
SHA1: 8ccec534ffdfcac17d4a5c13fb86ee1e797eeaa8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 7b47b1f915936854d51c04ec42c3cbc0 sha1: 1f620b6cbc64f10cf49376493320ca54a4a6c8a0 size: 161280
Section .rdata md5: b3b994d1f97bfdf8134e8bd20dc1fc7e sha1: ca5b9e3630a85ec901368f38edb81c2dc1f9d841 size: 38912
Section .data md5: 72fe718b2ae84d3b44bde0c96faa1272 sha1: 1fbc269b839cd1a00858a6be2ebaf44b703e6e60 size: 6656
Timestamp: 2015-03-13 09:26:06
Packer: Microsoft Visual C++ ?.?
PEhash: b42a4caebbb644382f60b08363e66e8b928d4ee4
IMPhash: f4b014698b3534ab6fed55506d606355
AV Rising: no_virus
AV Mcafee: Trojan-FEVX!70FAF96A52B5
AV Avira (antivir): TR/Crypt.ZPACK.150872
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Rodecap.BJ
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Rodecap.BJ!tr
AV BitDefender: Gen:Variant.Rodecap.1
AV K7: Riskware ( 0040eff71 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AO
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV MalwareBytes: Trojan.Agent
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Emsisoft: Gen:Variant.Rodecap.1
AV Zillya!: Trojan.Rodecap.Win32.1908
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): TrojanPWS.Crypt.08849
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Rodecap.1
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader12.62121
AV F-Secure: Gen:Variant.Rodecap.1
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\uszjhpjoj\idc111gx7jmu3bken9gd7.exe
Creates File: C:\uszjhpjoj\brhbjgx6aena
Creates File: C:\WINDOWS\uszjhpjoj\brhbjgx6aena
Deletes File: C:\WINDOWS\uszjhpjoj\brhbjgx6aena
Creates Process: C:\uszjhpjoj\idc111gx7jmu3bken9gd7.exe

Process
↳ C:\uszjhpjoj\idc111gx7jmu3bken9gd7.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Telephony Tablet Location ➝ C:\uszjhpjoj\mgyuotiwgfhf.exe
Creates File: C:\uszjhpjoj\brhbjgx6aena
Creates File: C:\uszjhpjoj\mgyuotiwgfhf.exe
Creates File: C:\uszjhpjoj\tiefftyg
Creates File: C:\WINDOWS\uszjhpjoj\brhbjgx6aena
Deletes File: C:\WINDOWS\uszjhpjoj\brhbjgx6aena
Creates Process: C:\uszjhpjoj\mgyuotiwgfhf.exe
Creates Service: User-mode Bluetooth Tunneling - C:\uszjhpjoj\mgyuotiwgfhf.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\MGYUOTIWGFHF.EXE-2C5E662F.pf
Creates File: C:\WINDOWS\Prefetch\8CCEC534FFDFCAC17D4A5C13FB86E-05AAB3E4.pf
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\IDC111GX7JMU3BKEN9GD7.EXE-2EF011BE.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\RIZCBCZ.EXE-347E8B92.pf
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ Pid 1324

Process
↳ Pid 1856

Process
↳ Pid 1044

Process
↳ C:\uszjhpjoj\mgyuotiwgfhf.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\uszjhpjoj\brhbjgx6aena
Creates File: C:\uszjhpjoj\tzhaw1w
Creates File: \Device\Afd\Endpoint
Creates File: C:\uszjhpjoj\rizcbcz.exe
Creates File: C:\uszjhpjoj\tiefftyg
Creates File: C:\WINDOWS\uszjhpjoj\brhbjgx6aena
Deletes File: C:\WINDOWS\uszjhpjoj\brhbjgx6aena
Creates Process: awtcdgmgj5lq "c:\uszjhpjoj\mgyuotiwgfhf.exe"

Process
↳ C:\uszjhpjoj\mgyuotiwgfhf.exe

Creates File: C:\uszjhpjoj\brhbjgx6aena
Creates File: C:\WINDOWS\uszjhpjoj\brhbjgx6aena
Deletes File: C:\WINDOWS\uszjhpjoj\brhbjgx6aena

Process
↳ awtcdgmgj5lq "c:\uszjhpjoj\mgyuotiwgfhf.exe"

Creates File: C:\uszjhpjoj\brhbjgx6aena
Creates File: C:\WINDOWS\uszjhpjoj\brhbjgx6aena
Deletes File: C:\WINDOWS\uszjhpjoj\brhbjgx6aena

Network Details:

DNS: effortadvance.net
Type: A
95.211.230.75
HTTP GET: http://effortadvance.net/index.php?method&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 95.211.230.75:80
