Analysis Date: 2015-08-15 02:26:25
MD5: 44db4902c3024ccc3d1b2dad971e7a70
SHA1: 935ed3529d8387466e4965141fff0f592454f7d0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: c870179a73d92ca21c04087e65330fbb sha1: 550499f76d9c9d50a16377d6ae4802e9b56ff485 size: 154624
Section .rdata md5: 34cb5ea07ffbcc548a52004f18fa3bef sha1: ffdffbb395b62739655bc00d0903a2bcc449866f size: 37376
Section .data  md5: 51fe5a52fa98bfb9b8ad18ff993eb065 sha1: 5c4568f15cd84f922d156c06dec42d2d9f735a06 size: 7168
Timestamp: 2015-03-13 09:26:26
Packer: Microsoft Visual C++ ?.?
PEhash: 630728e19e63b1cbb5ec70269839c844ec8cc9f6
IMPhash: 9f4bba6c2d2b49bfd05d075f9c653903
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Rodecap.1
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV BullGuard: Gen:Variant.Rodecap.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Rodecap.1
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.U.gen!Eldorado
AV MalwareBytes: Trojan.Agent
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort
AV K7: no_virus
AV BitDefender: Gen:Variant.Rodecap.1
AV Fortinet: W32/Rodecap.BJ!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Rodecap.BJ
AV Alwil (avast): Evo-gen [Susp]
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Twister: no_virus
AV Avira (antivir): no_virus
AV Mcafee: Trojan-FEVX!44DB4902C302
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\xegiptc\xaevuwm
Creates File: C:\WINDOWS\xegiptc\xaevuwm
Creates File: C:\xegiptc\aui2c1lrvah3axordccld.exe
Deletes File: C:\WINDOWS\xegiptc\xaevuwm
Creates Process: C:\xegiptc\aui2c1lrvah3axordccld.exe

Process
↳ C:\xegiptc\aui2c1lrvah3axordccld.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Trap Call Workstation Procedure ➝ C:\xegiptc\vdkgrtaswfp.exe
Creates File: C:\xegiptc\xaevuwm
Creates File: C:\WINDOWS\xegiptc\xaevuwm
Creates File: C:\xegiptc\vdkgrtaswfp.exe
Creates File: C:\xegiptc\fplto6cdu
Deletes File: C:\WINDOWS\xegiptc\xaevuwm
Creates Process: C:\xegiptc\vdkgrtaswfp.exe
Creates Service: PNRP Access Drive Name Endpoint Foundation - C:\xegiptc\vdkgrtaswfp.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1216

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1860

Process
↳ Pid 1188

Process
↳ C:\xegiptc\vdkgrtaswfp.exe

Creates File: C:\xegiptc\nwckmhzkpx
Creates File: C:\xegiptc\xaevuwm
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\xegiptc\xaevuwm
Creates File: C:\xegiptc\ntvqmgks.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\xegiptc\fplto6cdu
Deletes File: C:\WINDOWS\xegiptc\xaevuwm
Creates Process: pctsr6g71sme "c:\xegiptc\vdkgrtaswfp.exe"

Process
↳ C:\xegiptc\vdkgrtaswfp.exe

Creates File: C:\xegiptc\xaevuwm
Creates File: C:\WINDOWS\xegiptc\xaevuwm
Deletes File: C:\WINDOWS\xegiptc\xaevuwm

Process
↳ pctsr6g71sme "c:\xegiptc\vdkgrtaswfp.exe"

Creates File: C:\xegiptc\xaevuwm
Creates File: C:\WINDOWS\xegiptc\xaevuwm
Deletes File: C:\WINDOWS\xegiptc\xaevuwm

Network Details:

DNS: picturestorm.net
Type: A
80.67.28.202
DNS: familytraining.net
Type: A
199.34.228.55
DNS: englishtraining.net
Type: A
87.106.228.208
DNS: expecthowever.net
Type: A
95.211.230.75
HTTP GET: http://picturestorm.net/index.php?method&len
User-Agent:
HTTP GET: http://familytraining.net/index.php?method&len
User-Agent:
HTTP GET: http://englishtraining.net/index.php?method&len
User-Agent:
HTTP GET: http://expecthowever.net/index.php?method&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 80.67.28.202:80
Flows TCP: 192.168.1.1:1032 ➝ 199.34.228.55:80
Flows TCP: 192.168.1.1:1033 ➝ 87.106.228.208:80
Flows TCP: 192.168.1.1:1034 ➝ 95.211.230.75:80

Raw Pcap

Strings