Field | Value
---|---
Analysis Date | 2015-08-15 02:05:11
MD5 | 0ee863f257cb040261ecc348369d3cca
SHA1 | 8e4f2c74fc2af77bc72b2a5880c865dfc33bd09f
Static Details:
Field | Value
---|---
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Timestamp | 2015-03-13 09:19:34
Packer | Microsoft Visual C++ ?.?
PEhash | 14b35a1da7f80b281f5460b160c57daf9055071b
IMPhash | ff33b415ad6d5b1ce2746dc18157aa8f

Section | MD5 | SHA1 | Size (bytes)
---|---|---|---
.text | 3d716fd72edcff98e19f13a9dde26b5d | 15936e56db5830ff309f9368d47113151a450781 | 159744
.rdata | ad510f8fd96c16556895af5ba67007d4 | 3358210dfdb06738be68c92f6ded6d3c5fdf3772 | 37376
.data | 81606fd496638656b0a395ce4906c7f0 | 22269b40ccf0b556d5566194cbfe205a29a53074 | 7168
AV results: 18 of the 31 engines flagged the sample. Most named detections use the Rodecap or Nivdort family names; the rest are generic or heuristic verdicts, with Symantec alone naming Upatre.

Vendor | Detection
---|---
CA (E-Trust Ino) | no_virus
F-Secure | Gen:Variant.Rodecap.1
Dr. Web | no_virus
ClamAV | no_virus
Arcabit (arcavir) | Gen:Variant.Rodecap.1
BullGuard | Gen:Variant.Rodecap.1
Padvish | no_virus
VirusBlokAda (vba32) | no_virus
CAT (quickheal) | no_virus
Trend Micro | no_virus
Kaspersky | Trojan.Win32.Generic
Zillya! | no_virus
Emsisoft | Gen:Variant.Rodecap.1
Ikarus | Trojan-Spy.Win32.Nivdort
Frisk (f-prot) | no_virus
Authentium | W32/Nivdort.A.gen!Eldorado
MalwareBytes | Trojan.Agent
MicroWorld (escan) | Gen:Variant.Rodecap.1
Microsoft Security Essentials | TrojanSpy:Win32/Nivdort
K7 | no_virus
BitDefender | Gen:Variant.Rodecap.1
Fortinet | W32/Rodecap.BJ!tr
Symantec | Downloader.Upatre!g15
Grisoft (avg) | Win32/Cryptor
Eset (nod32) | Win32/Rodecap.BJ
Alwil (avast) | Evo-gen [Susp]
Ad-Aware | Gen:Variant.Rodecap.1
Twister | no_virus
Avira (antivir) | no_virus
Mcafee | Trojan-FEVX!0EE863F257CB
Rising | no_virus
Runtime Details:
Summary of the sample's own activity (the svchost.exe and spoolsv.exe entries further down are system processes the sandbox recorded alongside it; the registry values listed under spoolsv.exe are standard print-spooler settings, not changes made by the sample's processes):

- C:\malware.exe creates a directory with a random name directly under the drive root, C:\itnjhijcvofg\, drops nfdfl1lhguhycyaclzr.exe there and runs it.
- nfdfl1lhguhycyaclzr.exe drops dkpfolei.exe into the same directory and installs it twice for persistence: a Run value named "Drive WMI Services Access Enumerator" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and a service named "Cache Helper Resolution Name", both pointing at C:\itnjhijcvofg\dkpfolei.exe. The names imitate Windows components, but the binary lives in a random directory off the drive root rather than under C:\WINDOWS.
- dkpfolei.exe drops qvwueofddta.exe, opens a socket (\Device\Afd\Endpoint is the Winsock driver endpoint), writes the files m6meiwepfo39 and tuvbgk, and opens pipe\net\NtControlPipe10, the pipe the Service Control Manager uses to control a service, consistent with dkpfolei.exe having been started as the service created above. It then respawns itself with a random argv[0] token: hjhfykd6qtnk "c:\itnjhijcvofg\dkpfolei.exe".
- Every stage creates and immediately deletes C:\WINDOWS\itnjhijcvofg\atbcai6uxjb while also creating C:\itnjhijcvofg\atbcai6uxjb; the same file name is used in both locations.

Process
↳ C:\malware.exe

Action | Target
---|---
Creates File | C:\WINDOWS\itnjhijcvofg\atbcai6uxjb
Creates File | C:\itnjhijcvofg\nfdfl1lhguhycyaclzr.exe
Creates File | C:\itnjhijcvofg\atbcai6uxjb
Deletes File | C:\WINDOWS\itnjhijcvofg\atbcai6uxjb
Creates Process | C:\itnjhijcvofg\nfdfl1lhguhycyaclzr.exe

Process
↳ C:\itnjhijcvofg\nfdfl1lhguhycyaclzr.exe

Action | Target
---|---
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Drive WMI Services Access Enumerator ➝ C:\itnjhijcvofg\dkpfolei.exe
Creates File | C:\itnjhijcvofg\dkpfolei.exe
Creates File | C:\WINDOWS\itnjhijcvofg\atbcai6uxjb
Creates File | C:\itnjhijcvofg\tuvbgk
Creates File | C:\itnjhijcvofg\atbcai6uxjb
Deletes File | C:\WINDOWS\itnjhijcvofg\atbcai6uxjb
Creates Process | C:\itnjhijcvofg\dkpfolei.exe
Creates Service | Cache Helper Resolution Name - C:\itnjhijcvofg\dkpfolei.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Action | Target
---|---
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Action | Target
---|---
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1836

Process
↳ Pid 1100

Process
↳ C:\itnjhijcvofg\dkpfolei.exe

Action | Target
---|---
Creates File | C:\itnjhijcvofg\qvwueofddta.exe
Creates File | pipe\net\NtControlPipe10
Creates File | C:\WINDOWS\itnjhijcvofg\atbcai6uxjb
Creates File | \Device\Afd\Endpoint
Creates File | C:\itnjhijcvofg\m6meiwepfo39
Creates File | C:\itnjhijcvofg\tuvbgk
Creates File | C:\itnjhijcvofg\atbcai6uxjb
Deletes File | C:\WINDOWS\itnjhijcvofg\atbcai6uxjb
Creates Process | hjhfykd6qtnk "c:\itnjhijcvofg\dkpfolei.exe"

Process
↳ C:\itnjhijcvofg\dkpfolei.exe

Action | Target
---|---
Creates File | C:\WINDOWS\itnjhijcvofg\atbcai6uxjb
Creates File | C:\itnjhijcvofg\atbcai6uxjb
Deletes File | C:\WINDOWS\itnjhijcvofg\atbcai6uxjb

Process
↳ hjhfykd6qtnk "c:\itnjhijcvofg\dkpfolei.exe"

Action | Target
---|---
Creates File | C:\WINDOWS\itnjhijcvofg\atbcai6uxjb
Creates File | C:\itnjhijcvofg\atbcai6uxjb
Deletes File | C:\WINDOWS\itnjhijcvofg\atbcai6uxjb
Network Details:
Raw Pcap

Five HTTP requests were captured, identical except for the Host header: a plain-HTTP GET for /index.php?method&len (parameter names with no values) over HTTP/1.0, with Accept: */*, Connection: close and no User-Agent. Hosts in the order contacted: cigarettehunger.net, picturestorm.net, familytraining.net, englishtraining.net, expecthowever.net. Only the requests appear in the dump; no responses are recorded, so the report does not establish which of these hosts, if any, was live at analysis time.

Request 1, Host: cigarettehunger.net
0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m
0x00000010 (00016) 6574686f 64266c65 6e204854 54502f31 ethod&len HTTP/1
0x00000020 (00032) 2e300d0a 41636365 70743a20 2a2f2a0d .0..Accept: */*.
0x00000030 (00048) 0a436f6e 6e656374 696f6e3a 20636c6f .Connection: clo
0x00000040 (00064) 73650d0a 486f7374 3a206369 67617265 se..Host: cigare
0x00000050 (00080) 74746568 756e6765 722e6e65 740d0a0d ttehunger.net...
0x00000060 (00096) 0a .

Request 2, Host: picturestorm.net
0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m
0x00000010 (00016) 6574686f 64266c65 6e204854 54502f31 ethod&len HTTP/1
0x00000020 (00032) 2e300d0a 41636365 70743a20 2a2f2a0d .0..Accept: */*.
0x00000030 (00048) 0a436f6e 6e656374 696f6e3a 20636c6f .Connection: clo
0x00000040 (00064) 73650d0a 486f7374 3a207069 63747572 se..Host: pictur
0x00000050 (00080) 6573746f 726d2e6e 65740d0a 0d0a0a0d estorm.net......
0x00000060 (00096) 0a .

Request 3, Host: familytraining.net
0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m
0x00000010 (00016) 6574686f 64266c65 6e204854 54502f31 ethod&len HTTP/1
0x00000020 (00032) 2e300d0a 41636365 70743a20 2a2f2a0d .0..Accept: */*.
0x00000030 (00048) 0a436f6e 6e656374 696f6e3a 20636c6f .Connection: clo
0x00000040 (00064) 73650d0a 486f7374 3a206661 6d696c79 se..Host: family
0x00000050 (00080) 74726169 6e696e67 2e6e6574 0d0a0d0a training.net....
0x00000060 (00096) 0a .

Request 4, Host: englishtraining.net
0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m
0x00000010 (00016) 6574686f 64266c65 6e204854 54502f31 ethod&len HTTP/1
0x00000020 (00032) 2e300d0a 41636365 70743a20 2a2f2a0d .0..Accept: */*.
0x00000030 (00048) 0a436f6e 6e656374 696f6e3a 20636c6f .Connection: clo
0x00000040 (00064) 73650d0a 486f7374 3a20656e 676c6973 se..Host: englis
0x00000050 (00080) 68747261 696e696e 672e6e65 740d0a0d htraining.net...
0x00000060 (00096) 0a .

Request 5, Host: expecthowever.net
0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m
0x00000010 (00016) 6574686f 64266c65 6e204854 54502f31 ethod&len HTTP/1
0x00000020 (00032) 2e300d0a 41636365 70743a20 2a2f2a0d .0..Accept: */*.
0x00000030 (00048) 0a436f6e 6e656374 696f6e3a 20636c6f .Connection: clo
0x00000040 (00064) 73650d0a 486f7374 3a206578 70656374 se..Host: expect
0x00000050 (00080) 686f7765 7665722e 6e65740d 0a0d0a0d however.net.....
0x00000060 (00096) 0a .
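An added example, not part of this sandbox report or of the sample: a Python decoder that rebuilds each HTTP request from the raw-pcap hex dump above and flags the fixed beacon shape the five requests share. The dump is embedded as the report prints it (offset, decimal offset, hex groups, ASCII gutter), and the parser accepts the rows whether they sit on separate lines or run together on one line as on this page. The parser, the HttpRequest type and the is_nivdort_beacon rule are this example's own; the rule encodes only what the captured requests have in common.

```python
"""Decode this report's raw-pcap hex dump back into HTTP requests and flag
the beacon shape the sample uses. Added example for this page, not code
from the sandbox or from the sample: REPORT_DUMP is the dump from Network
Details; the parser and the is_nivdort_beacon rule are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The five captured requests exactly as the report prints them, one packet
# per string here (the report runs them together on one line).
REPORT_DUMP = (
    "0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m 0x00000010 (00016) 6574686f 64266c65 6e204854 54502f31 ethod&len HTTP/1 0x00000020 (00032) 2e300d0a 41636365 70743a20 2a2f2a0d .0..Accept: */*. 0x00000030 (00048) 0a436f6e 6e656374 696f6e3a 20636c6f .Connection: clo 0x00000040 (00064) 73650d0a 486f7374 3a206369 67617265 se..Host: cigare 0x00000050 (00080) 74746568 756e6765 722e6e65 740d0a0d ttehunger.net... 0x00000060 (00096) 0a . "
    "0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m 0x00000010 (00016) 6574686f 64266c65 6e204854 54502f31 ethod&len HTTP/1 0x00000020 (00032) 2e300d0a 41636365 70743a20 2a2f2a0d .0..Accept: */*. 0x00000030 (00048) 0a436f6e 6e656374 696f6e3a 20636c6f .Connection: clo 0x00000040 (00064) 73650d0a 486f7374 3a207069 63747572 se..Host: pictur 0x00000050 (00080) 6573746f 726d2e6e 65740d0a 0d0a0a0d estorm.net...... 0x00000060 (00096) 0a . "
    "0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m 0x00000010 (00016) 6574686f 64266c65 6e204854 54502f31 ethod&len HTTP/1 0x00000020 (00032) 2e300d0a 41636365 70743a20 2a2f2a0d .0..Accept: */*. 0x00000030 (00048) 0a436f6e 6e656374 696f6e3a 20636c6f .Connection: clo 0x00000040 (00064) 73650d0a 486f7374 3a206661 6d696c79 se..Host: family 0x00000050 (00080) 74726169 6e696e67 2e6e6574 0d0a0d0a training.net.... 0x00000060 (00096) 0a . "
    "0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m 0x00000010 (00016) 6574686f 64266c65 6e204854 54502f31 ethod&len HTTP/1 0x00000020 (00032) 2e300d0a 41636365 70743a20 2a2f2a0d .0..Accept: */*. 0x00000030 (00048) 0a436f6e 6e656374 696f6e3a 20636c6f .Connection: clo 0x00000040 (00064) 73650d0a 486f7374 3a20656e 676c6973 se..Host: englis 0x00000050 (00080) 68747261 696e696e 672e6e65 740d0a0d htraining.net... 0x00000060 (00096) 0a . "
    "0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m 0x00000010 (00016) 6574686f 64266c65 6e204854 54502f31 ethod&len HTTP/1 0x00000020 (00032) 2e300d0a 41636365 70743a20 2a2f2a0d .0..Accept: */*. 0x00000030 (00048) 0a436f6e 6e656374 696f6e3a 20636c6f .Connection: clo 0x00000040 (00064) 73650d0a 486f7374 3a206578 70656374 se..Host: expect 0x00000050 (00080) 686f7765 7665722e 6e65740d 0a0d0a0d however.net..... 0x00000060 (00096) 0a ."
)

_OFFSET = re.compile(r"^0x[0-9a-fA-F]{8}$")
_HEX = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


def parse_hexdump(dump: str) -> list[bytes]:
    """Rebuild one byte string per packet from the sandbox's dump text.

    A row is `0xOFFSET (DECIMAL) <hex groups> <ascii gutter>` with at most
    16 bytes per row, and a row at offset 0 starts a new packet. Hex groups
    are taken until 16 bytes are in or a non-hex token (the gutter) appears;
    anything else is skipped until the next offset token.
    """
    packets: list[bytearray] = []
    tokens = dump.split()
    i = 0
    while i < len(tokens):
        is_row = (_OFFSET.match(tokens[i]) and i + 1 < len(tokens)
                  and tokens[i + 1].startswith("("))
        if not is_row:
            i += 1  # gutter text between rows
            continue
        if int(tokens[i], 16) == 0:
            packets.append(bytearray())
        if not packets:
            raise ValueError("dump does not begin at offset 0")
        i += 2
        taken = bytearray()
        while i < len(tokens) and len(taken) < 16 and _HEX.match(tokens[i]):
            taken += bytes.fromhex(tokens[i])
            i += 1
        packets[-1] += taken
    return [bytes(p) for p in packets]


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict[str, str] = field(default_factory=dict)


def parse_http_request(data: bytes) -> HttpRequest:
    """Parse the request line and headers; header names are lower-cased."""
    head = data.partition(b"\r\n\r\n")[0].decode("ascii", errors="replace")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, version, headers)


BEACON_TARGET = "/index.php?method&len"


def is_nivdort_beacon(req: HttpRequest) -> bool:
    """Shape shared by all five captured requests: HTTP/1.0 GET for
    /index.php?method&len (parameter names, no values), Connection: close,
    a Host header and no User-Agent at all."""
    return (
        req.method == "GET"
        and req.version == "HTTP/1.0"
        and req.target == BEACON_TARGET
        and req.headers.get("connection", "").lower() == "close"
        and "host" in req.headers
        and "user-agent" not in req.headers
    )


def extract_c2_hosts(dump: str) -> list[str]:
    """Host header of every packet in the dump that matches the beacon rule."""
    return [
        req.headers["host"]
        for req in map(parse_http_request, parse_hexdump(dump))
        if is_nivdort_beacon(req)
    ]


if __name__ == "__main__":
    print("\n".join(extract_c2_hosts(REPORT_DUMP)))
```

The same rule carries over to a proxy-log or pcap search: pivot on the request shape (HTTP/1.0 GET for /index.php?method&len, Connection: close, no User-Agent) rather than only on the five domain names, which are the cheapest thing for the operator to rotate.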
Strings