Analysis Date: 2015-08-01 22:51:29
MD5: 49490186c8292fde866cf5a68e49dbf8
SHA1: 9502cba6ae42d4d3293132e8dcaf2838a0c3b559

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 0589c4b90c7c04e8371925649a1c71cc sha1: 386daaf1c133191f390c38b7098cc4190576c5be size: 163328
Section .rdata: md5: 8125eae1c197f0ea63d6225f382d299c sha1: 0a550596730117905241631940b5f9fb017c77d7 size: 37376
Section .data: md5: e87f9d6da7c93f78e49a2cc9df816b10 sha1: 683ac852e46a2fc961ca84e94b116389a69916cf size: 7168
Timestamp: 2015-03-13 09:11:50
Packer: Microsoft Visual C++ ?.?
PEhash: 5e483449cf30d574e7b57900fb2a895f5d4e8240
IMPhash: 0e7489b95915cd273f9d35edd2fea2ec
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Rodecap.1
AV Fortinet: W32/Rodecap.BJ!tr
AV MalwareBytes: Trojan.Agent
AV Kaspersky: Trojan.Win32.Scar.iwey
AV Zillya!: Trojan.Scar.Win32.88480
AV Rising: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Twister: Trojan.Scar.iwey.jals
AV Ikarus: Trojan.Win32.Rodecap
AV CA (E-Trust Ino): no_virus
AV Symantec: Downloader.Upatre!g15
AV Padvish: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV Grisoft (avg): Win32/Cryptor
AV Dr. Web: Trojan.DownLoader13.15730
AV Avira (antivir): TR/Crypt.ZPACK.143100
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Eset (nod32): Win32/Rodecap.BJ
AV BullGuard: Gen:Variant.Rodecap.1
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
AV Mcafee: Trojan-FEVX!49490186C829
AV BitDefender: Gen:Variant.Rodecap.1
AV CAT (quickheal): Trojan.Scar.r3
AV Emsisoft: Gen:Variant.Rodecap.1
AV K7: Trojan ( 004bda2e1 )

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\ooluwgrwpkd\rfmfe1kxhyktkrhemvh2.exe
Creates File: C:\ooluwgrwpkd\ggcozfacsxcd
Creates File: C:\WINDOWS\ooluwgrwpkd\ggcozfacsxcd
Deletes File: C:\WINDOWS\ooluwgrwpkd\ggcozfacsxcd
Creates Process: C:\ooluwgrwpkd\rfmfe1kxhyktkrhemvh2.exe

Process
↳ C:\ooluwgrwpkd\rfmfe1kxhyktkrhemvh2.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\DHCP Services Service Socket Font Policy ➝ C:\ooluwgrwpkd\hxfzvmtm.exe
Creates File: C:\ooluwgrwpkd\ggcozfacsxcd
Creates File: C:\ooluwgrwpkd\hxfzvmtm.exe
Creates File: C:\WINDOWS\ooluwgrwpkd\ggcozfacsxcd
Creates File: C:\ooluwgrwpkd\vq2slxtt
Deletes File: C:\WINDOWS\ooluwgrwpkd\ggcozfacsxcd
Creates Process: C:\ooluwgrwpkd\hxfzvmtm.exe
Creates Service: Performance Connection Keying DNS - C:\ooluwgrwpkd\hxfzvmtm.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1860

Process
↳ Pid 1132

Process
↳ C:\ooluwgrwpkd\hxfzvmtm.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\ooluwgrwpkd\ggcozfacsxcd
Creates File: C:\ooluwgrwpkd\brqkwagdtso
Creates File: C:\ooluwgrwpkd\cfjpzzrbzc.exe
Creates File: C:\WINDOWS\ooluwgrwpkd\ggcozfacsxcd
Creates File: \Device\Afd\Endpoint
Creates File: C:\ooluwgrwpkd\vq2slxtt
Deletes File: C:\WINDOWS\ooluwgrwpkd\ggcozfacsxcd
Creates Process: k7bnaz0jrujd "c:\ooluwgrwpkd\hxfzvmtm.exe"

Process
↳ C:\ooluwgrwpkd\hxfzvmtm.exe

Creates File: C:\ooluwgrwpkd\ggcozfacsxcd
Creates File: C:\WINDOWS\ooluwgrwpkd\ggcozfacsxcd
Deletes File: C:\WINDOWS\ooluwgrwpkd\ggcozfacsxcd

Process
↳ k7bnaz0jrujd "c:\ooluwgrwpkd\hxfzvmtm.exe"

Creates File: C:\ooluwgrwpkd\ggcozfacsxcd
Creates File: C:\WINDOWS\ooluwgrwpkd\ggcozfacsxcd
Deletes File: C:\WINDOWS\ooluwgrwpkd\ggcozfacsxcd

Network Details:

HTTP GET: http://windowbright.net/index.php?method&len
User-Agent:
HTTP GET: http://winterbright.net/index.php?method&len
User-Agent:
HTTP GET: http://probablybright.net/index.php?method&len
User-Agent:
HTTP GET: http://sweetinside.net/index.php?method&len
User-Agent:
HTTP GET: http://simplepeople.net/index.php?method&len
User-Agent:
HTTP GET: http://motherdaughter.net/index.php?method&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 204.133.117.26:80
Flows TCP: 192.168.1.1:1032 ➝ 67.231.253.49:80
Flows TCP: 192.168.1.1:1033 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1034 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1035 ➝ 91.194.77.112:80
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.26:80

Raw Pcap

Strings