Analysis Date: 2015-09-28 07:02:16
MD5: 824d1d01d0a72b6bc7b52578abb8f7f2
SHA1: 8cebf24d454cbdccd6692d7f048cd366e2ad4066

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: f5cbf4ad07d2e7035c22898b879e754a sha1: eb8ca2a08188c2e3aa3bd0c4e724b28067ef135a size: 163328
Section .rdata md5: 9527b377993457783409e7dd9d28d425 sha1: 94accb3e569396470761cd6245787be3c8b8a0ae size: 37888
Section .data md5: 352e361f646e66546d78b149b4970f58 sha1: eb0df18a136090606e2629416d3ae351ff1b7ef8 size: 7168
Timestamp: 2015-03-13 09:08:18
Packer: Microsoft Visual C++ ?.?
PEhash: 69240b2c3176d92c5e1d134ae04a61b31369cc88
IMPhash: 1de3bff4fda11a90876beb7ae598379e
AV VirusBlokAda (vba32): no_virus
AV Fortinet: W32/Rodecap.BJ!tr
AV K7: Trojan ( 004bdb0b1 )
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV ClamAV: no_virus
AV MalwareBytes: Trojan.RodeCap
AV Rising: no_virus
AV Twister: no_virus
AV Mcafee: Trojan-FEVX!824D1D01D0A7
AV Zillya!: Trojan.Scar.Win32.89736
AV CA (E-Trust Ino): no_virus
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Trend Micro: TROJ_GE.30E50BA3
AV Frisk (f-prot): no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AV
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Rodecap.1
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Dr. Web: Trojan.DownLoader13.12902
AV Kaspersky: Trojan.Win32.Scar.iyhd
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Avira (antivir): TR/Crypt.ZPACK.145701
AV CAT (quickheal): Trojan.Scar.r3
AV BitDefender: Gen:Variant.Rodecap.1
AV Eset (nod32): Win32/Rodecap.BJ
AV Emsisoft: Gen:Variant.Rodecap.1
AV F-Secure: Gen:Variant.Rodecap.1
AV Authentium: W32/Nivdort.A.gen!Eldorado

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\okdbyhbtytrv\opnv1m9ndlffboovlv.exe
Creates File: C:\okdbyhbtytrv\lwjnbk5m
Creates File: C:\WINDOWS\okdbyhbtytrv\lwjnbk5m
Deletes File: C:\WINDOWS\okdbyhbtytrv\lwjnbk5m
Creates Process: C:\okdbyhbtytrv\opnv1m9ndlffboovlv.exe

Process
↳ C:\okdbyhbtytrv\opnv1m9ndlffboovlv.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IPsec PNRP Tracking Netlogon Biometric Font ➝ C:\okdbyhbtytrv\xwxrsybelad.exe
Creates File: C:\okdbyhbtytrv\lwjnbk5m
Creates File: C:\okdbyhbtytrv\qnnj9p
Creates File: C:\okdbyhbtytrv\xwxrsybelad.exe
Creates File: C:\WINDOWS\okdbyhbtytrv\lwjnbk5m
Deletes File: C:\WINDOWS\okdbyhbtytrv\lwjnbk5m
Creates Process: C:\okdbyhbtytrv\xwxrsybelad.exe
Creates Service: Driver Routing Multimedia - C:\okdbyhbtytrv\xwxrsybelad.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1864

Process
↳ Pid 1180

Process
↳ C:\okdbyhbtytrv\xwxrsybelad.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\okdbyhbtytrv\nuqru6gcy
Creates File: C:\okdbyhbtytrv\lwjnbk5m
Creates File: C:\okdbyhbtytrv\qnnj9p
Creates File: \Device\Afd\Endpoint
Creates File: C:\okdbyhbtytrv\dioyfgrj.exe
Creates File: C:\WINDOWS\okdbyhbtytrv\lwjnbk5m
Deletes File: C:\WINDOWS\okdbyhbtytrv\lwjnbk5m
Creates Process: hwdwzjh9xjnl "c:\okdbyhbtytrv\xwxrsybelad.exe"

Process
↳ C:\okdbyhbtytrv\xwxrsybelad.exe

Creates File: C:\okdbyhbtytrv\lwjnbk5m
Creates File: C:\WINDOWS\okdbyhbtytrv\lwjnbk5m
Deletes File: C:\WINDOWS\okdbyhbtytrv\lwjnbk5m

Process
↳ hwdwzjh9xjnl "c:\okdbyhbtytrv\xwxrsybelad.exe"

Creates File: C:\okdbyhbtytrv\lwjnbk5m
Creates File: C:\WINDOWS\okdbyhbtytrv\lwjnbk5m
Deletes File: C:\WINDOWS\okdbyhbtytrv\lwjnbk5m

Network Details:

DNS: increasebeing.net (Type: A) ➝ 95.211.230.75
DNS: rememberforever.net (Type: A) ➝ 188.40.1.55
DNS: littleflower.net (Type: A) ➝ 62.116.130.8
DNS: littleminute.net (Type: A) ➝ 74.220.199.8
DNS: belongbottom.net (Type: A)
DNS: chairbeyond.net (Type: A)
DNS: thosebeyond.net (Type: A)
DNS: chairbeing.net (Type: A)
DNS: thosebeing.net (Type: A)
DNS: chairforever.net (Type: A)
DNS: thoseforever.net (Type: A)
DNS: chairbottom.net (Type: A)
DNS: thosebottom.net (Type: A)
DNS: withinbeyond.net (Type: A)
DNS: sufferbeyond.net (Type: A)
DNS: withinbeing.net (Type: A)
DNS: sufferbeing.net (Type: A)
DNS: withinforever.net (Type: A)
DNS: sufferforever.net (Type: A)
DNS: withinbottom.net (Type: A)
DNS: sufferbottom.net (Type: A)
DNS: effortbeyond.net (Type: A)
DNS: throughbeyond.net (Type: A)
DNS: effortbeing.net (Type: A)
DNS: throughbeing.net (Type: A)
DNS: effortforever.net (Type: A)
DNS: throughforever.net (Type: A)
DNS: effortbottom.net (Type: A)
DNS: throughbottom.net (Type: A)
DNS: forgetbeyond.net (Type: A)
DNS: increasebeyond.net (Type: A)
DNS: forgetbeing.net (Type: A)
DNS: forgetforever.net (Type: A)
DNS: increaseforever.net (Type: A)
DNS: forgetbottom.net (Type: A)
DNS: increasebottom.net (Type: A)
DNS: wouldbeyond.net (Type: A)
DNS: rememberbeyond.net (Type: A)
DNS: wouldbeing.net (Type: A)
DNS: rememberbeing.net (Type: A)
DNS: wouldforever.net (Type: A)
DNS: wouldbottom.net (Type: A)
DNS: rememberbottom.net (Type: A)
DNS: journeyflower.net (Type: A)
DNS: husbandflower.net (Type: A)
DNS: journeyminute.net (Type: A)
DNS: husbandminute.net (Type: A)
DNS: journeyspecial.net (Type: A)
DNS: husbandspecial.net (Type: A)
DNS: journeycorner.net (Type: A)
DNS: husbandcorner.net (Type: A)
DNS: destroyflower.net (Type: A)
DNS: destroyminute.net (Type: A)
DNS: destroyspecial.net (Type: A)
DNS: littlespecial.net (Type: A)
DNS: destroycorner.net (Type: A)
DNS: littlecorner.net (Type: A)
DNS: riddenflower.net (Type: A)
DNS: belongflower.net (Type: A)
DNS: riddenminute.net (Type: A)
DNS: belongminute.net (Type: A)
DNS: riddenspecial.net (Type: A)
DNS: belongspecial.net (Type: A)
DNS: riddencorner.net (Type: A)
DNS: belongcorner.net (Type: A)
DNS: chairflower.net (Type: A)
DNS: thoseflower.net (Type: A)
DNS: chairminute.net (Type: A)
DNS: thoseminute.net (Type: A)
DNS: chairspecial.net (Type: A)
DNS: thosespecial.net (Type: A)
DNS: chaircorner.net (Type: A)
DNS: thosecorner.net (Type: A)
DNS: withinflower.net (Type: A)
DNS: sufferflower.net (Type: A)
DNS: withinminute.net (Type: A)
DNS: sufferminute.net (Type: A)
DNS: withinspecial.net (Type: A)
DNS: sufferspecial.net (Type: A)
DNS: withincorner.net (Type: A)
DNS: suffercorner.net (Type: A)
DNS: effortflower.net (Type: A)
DNS: throughflower.net (Type: A)
DNS: effortminute.net (Type: A)
DNS: throughminute.net (Type: A)
HTTP GET: http://increasebeing.net/index.php?method&len (User-Agent: empty)
HTTP GET: http://rememberforever.net/index.php?method&len (User-Agent: empty)
HTTP GET: http://littleflower.net/index.php?method&len (User-Agent: empty)
HTTP GET: http://littleminute.net/index.php?method&len (User-Agent: empty)
Flow TCP: 192.168.1.1:1031 ➝ 95.211.230.75:80
Flow TCP: 192.168.1.1:1032 ➝ 188.40.1.55:80
Flow TCP: 192.168.1.1:1033 ➝ 62.116.130.8:80
Flow TCP: 192.168.1.1:1034 ➝ 74.220.199.8:80
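The runtime and network sections above carry the indicators worth pulling out of this report: a Run key and a service named from unrelated Windows component words ("IPsec PNRP Tracking Netlogon Biometric Font", "Driver Routing Multimedia") that both point at C:\okdbyhbtytrv\xwxrsybelad.exe, a set of random-looking dropped files under C:\okdbyhbtytrv\, and 85 DNS queries for two-word .net names of which only four resolved, each then fetched with the same index.php?method&len path and an empty User-Agent. The script below is an added example, not part of this report or of any vendor's tooling. It parses a constructed excerpt of the runtime events (paths copied from the report, layout mirroring the page), collects the persistence and dropped-file indicators, and recovers the two word lists behind the query set purely from the names observed. It goes beyond the report in one respect: the recovered lists can be used to flag combinations the sandbox never saw, such as effortspecial.net. RUNTIME_LINES, the function names and the min_len=4 split heuristic are assumptions of the example.

```python
"""Indicator extraction and two-word dictionary inference for the report above.

Added example; not the report's own code or any vendor tooling."""
import re
from collections import Counter

# Constructed excerpt of the report's Runtime Details (paths copied from the
# report; the key/value layout matches the page, with or without a ": " separator).
RUNTIME_LINES = [
    r"Creates File: C:\okdbyhbtytrv\opnv1m9ndlffboovlv.exe",
    r"Creates Process: C:\okdbyhbtytrv\opnv1m9ndlffboovlv.exe",
    r"Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
    r"\IPsec PNRP Tracking Netlogon Biometric Font ➝ C:\okdbyhbtytrv\xwxrsybelad.exe",
    r"Creates File: C:\okdbyhbtytrv\xwxrsybelad.exe",
    r"Creates Service: Driver Routing Multimedia - C:\okdbyhbtytrv\xwxrsybelad.exe",
    r'Creates Process: hwdwzjh9xjnl "c:\okdbyhbtytrv\xwxrsybelad.exe"',
    r"Creates File: C:\WINDOWS\okdbyhbtytrv\lwjnbk5m",
    r"Deletes File: C:\WINDOWS\okdbyhbtytrv\lwjnbk5m",
]

# Every .net label the sample queried, in the order listed under Network Details.
QUERIED = (
    "increasebeing rememberforever littleflower littleminute belongbottom chairbeyond thosebeyond chairbeing "
    "thosebeing chairforever thoseforever chairbottom thosebottom withinbeyond sufferbeyond withinbeing "
    "sufferbeing withinforever sufferforever withinbottom sufferbottom effortbeyond throughbeyond effortbeing "
    "throughbeing effortforever throughforever effortbottom throughbottom forgetbeyond increasebeyond forgetbeing "
    "forgetforever increaseforever forgetbottom increasebottom wouldbeyond rememberbeyond wouldbeing rememberbeing "
    "wouldforever wouldbottom rememberbottom journeyflower husbandflower journeyminute husbandminute journeyspecial "
    "husbandspecial journeycorner husbandcorner destroyflower destroyminute destroyspecial littlespecial destroycorner "
    "littlecorner riddenflower belongflower riddenminute belongminute riddenspecial belongspecial riddencorner "
    "belongcorner chairflower thoseflower chairminute thoseminute chairspecial thosespecial chaircorner "
    "thosecorner withinflower sufferflower withinminute sufferminute withinspecial sufferspecial withincorner "
    "suffercorner effortflower throughflower effortminute throughminute"
).split()
# The four names that resolved (from the report).
RESOLVED = {"increasebeing": "95.211.230.75", "rememberforever": "188.40.1.55",
            "littleflower": "62.116.130.8", "littleminute": "74.220.199.8"}

KV_RE = re.compile(r"^(Registry|Creates File|Deletes File|Creates Process|Creates Service):?\s*(.*)$")


def parse_runtime(lines):
    """Group runtime events into file, process and persistence indicators."""
    iocs = {"files": set(), "processes": set(), "persistence": []}
    for line in lines:
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key in ("Creates File", "Deletes File"):
            iocs["files"].add(val)
        elif key == "Creates Process":
            iocs["processes"].add(val)
        elif key == "Registry" and "\\CurrentVersion\\Run\\" in val:
            name, _, target = val.partition(" ➝ ")       # value name is the last path element
            iocs["persistence"].append(("run_key", name.rsplit("\\", 1)[-1], target))
        elif key == "Creates Service":
            name, _, target = val.partition(" - ")       # "<service name> - <image path>"
            iocs["persistence"].append(("service", name, target))
    return iocs


def split_pair(label, labels, min_len=4):
    """Pick the split whose two halves each recur most often across the set (heuristic)."""
    best, best_score = None, -1
    for i in range(min_len, len(label) - min_len + 1):
        head, tail = label[:i], label[i:]
        score = min(sum(x.startswith(head) for x in labels),
                    sum(x.endswith(tail) for x in labels))
        if score > best_score:
            best, best_score = (head, tail), score
    return best


def infer_dictionary(labels):
    """Return Counters of first and second words recovered from the query set."""
    firsts, seconds = Counter(), Counter()
    for label in labels:
        head, tail = split_pair(label, labels)
        firsts[head] += 1
        seconds[tail] += 1
    return firsts, seconds


def is_dictionary_domain(domain, firsts, seconds, tld="net"):
    """True if domain is <first><second>.<tld> for words in the recovered lists."""
    label, _, suffix = domain.lower().partition(".")
    return suffix == tld and any(label == a + b for a in firsts for b in seconds)


def summarize(lines=RUNTIME_LINES, queried=QUERIED, resolved=RESOLVED):
    """One dict a triage note can be written from."""
    iocs = parse_runtime(lines)
    firsts, seconds = infer_dictionary(queried)
    return {
        "persistence": iocs["persistence"],
        "dropped_exes": sorted(p for p in iocs["files"] if p.lower().endswith(".exe")),
        "queried": len(queried), "resolved": len(resolved),
        "first_words": sorted(firsts), "second_words": sorted(seconds),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(), indent=2))
```

The split heuristic works here because every first word appears with at least four second words and vice versa; on a handful of queries it would be unreliable, so treat the recovered lists as a hypothesis to confirm against the binary's string table, not as ground truth. Note also that the check only accepts bare two-label names; a host prefix (www.) would need stripping first.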
