Analysis Date: 2015-08-15 02:05:11
MD5: 0ee863f257cb040261ecc348369d3cca
SHA1: 8e4f2c74fc2af77bc72b2a5880c865dfc33bd09f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 3d716fd72edcff98e19f13a9dde26b5d sha1: 15936e56db5830ff309f9368d47113151a450781 size: 159744
Section .rdata md5: ad510f8fd96c16556895af5ba67007d4 sha1: 3358210dfdb06738be68c92f6ded6d3c5fdf3772 size: 37376
Section .data md5: 81606fd496638656b0a395ce4906c7f0 sha1: 22269b40ccf0b556d5566194cbfe205a29a53074 size: 7168
Timestamp: 2015-03-13 09:19:34
Packer: Microsoft Visual C++ ?.?
PEhash: 14b35a1da7f80b281f5460b160c57daf9055071b
IMPhash: ff33b415ad6d5b1ce2746dc18157aa8f
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Rodecap.1
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV BullGuard: Gen:Variant.Rodecap.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Rodecap.1
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Frisk (f-prot): no_virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV MalwareBytes: Trojan.Agent
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort
AV K7: no_virus
AV BitDefender: Gen:Variant.Rodecap.1
AV Fortinet: W32/Rodecap.BJ!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Rodecap.BJ
AV Alwil (avast): Evo-gen [Susp]
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Twister: no_virus
AV Avira (antivir): no_virus
AV Mcafee: Trojan-FEVX!0EE863F257CB
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\itnjhijcvofg\atbcai6uxjb
Creates File: C:\itnjhijcvofg\nfdfl1lhguhycyaclzr.exe
Creates File: C:\itnjhijcvofg\atbcai6uxjb
Deletes File: C:\WINDOWS\itnjhijcvofg\atbcai6uxjb
Creates Process: C:\itnjhijcvofg\nfdfl1lhguhycyaclzr.exe

Process
↳ C:\itnjhijcvofg\nfdfl1lhguhycyaclzr.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Drive WMI Services Access Enumerator ➝ C:\itnjhijcvofg\dkpfolei.exe
Creates File: C:\itnjhijcvofg\dkpfolei.exe
Creates File: C:\WINDOWS\itnjhijcvofg\atbcai6uxjb
Creates File: C:\itnjhijcvofg\tuvbgk
Creates File: C:\itnjhijcvofg\atbcai6uxjb
Deletes File: C:\WINDOWS\itnjhijcvofg\atbcai6uxjb
Creates Process: C:\itnjhijcvofg\dkpfolei.exe
Creates Service: Cache Helper Resolution Name - C:\itnjhijcvofg\dkpfolei.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1836

Process
↳ Pid 1100

Process
↳ C:\itnjhijcvofg\dkpfolei.exe

Creates File: C:\itnjhijcvofg\qvwueofddta.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\itnjhijcvofg\atbcai6uxjb
Creates File: \Device\Afd\Endpoint
Creates File: C:\itnjhijcvofg\m6meiwepfo39
Creates File: C:\itnjhijcvofg\tuvbgk
Creates File: C:\itnjhijcvofg\atbcai6uxjb
Deletes File: C:\WINDOWS\itnjhijcvofg\atbcai6uxjb
Creates Process: hjhfykd6qtnk "c:\itnjhijcvofg\dkpfolei.exe"

Process
↳ C:\itnjhijcvofg\dkpfolei.exe

Creates File: C:\WINDOWS\itnjhijcvofg\atbcai6uxjb
Creates File: C:\itnjhijcvofg\atbcai6uxjb
Deletes File: C:\WINDOWS\itnjhijcvofg\atbcai6uxjb

Process
↳ hjhfykd6qtnk "c:\itnjhijcvofg\dkpfolei.exe"

Creates File: C:\WINDOWS\itnjhijcvofg\atbcai6uxjb
Creates File: C:\itnjhijcvofg\atbcai6uxjb
Deletes File: C:\WINDOWS\itnjhijcvofg\atbcai6uxjb

Network Details:

HTTP GET: http://cigarettehunger.net/index.php?method&len
User-Agent:
HTTP GET: http://picturestorm.net/index.php?method&len
User-Agent:
HTTP GET: http://familytraining.net/index.php?method&len
User-Agent:
HTTP GET: http://englishtraining.net/index.php?method&len
User-Agent:
HTTP GET: http://expecthowever.net/index.php?method&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 195.22.26.254:80
Flows TCP: 192.168.1.1:1032 ➝ 80.67.28.202:80
Flows TCP: 192.168.1.1:1033 ➝ 199.34.228.55:80
Flows TCP: 192.168.1.1:1034 ➝ 87.106.228.208:80
Flows TCP: 192.168.1.1:1035 ➝ 95.211.230.75:80

Raw Pcap
Strings