| Field | Value |
|---|---|
| Analysis Date | 2015-08-11 21:24:29 |
| MD5 | 46454228346820ccedeb4aa949177750 |
| SHA1 | 952008ba7ad7afd09f248236a93ce6c7e2cf7dd5 |
Static Details:

| Property | Value | Detail |
|---|---|---|
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
| Section | .text | md5: d0e0e53d63a78b710b62b255f8a2706d sha1: 610bd879cc83be5ae9d76deef8e882b633eba57d size: 160768 |
| Section | .rdata | md5: f2f670b5d1eb53e66bedae70c8a21dae sha1: f87ee5a381e38ae385345456e8bd3b9bb5ad049a size: 37376 |
| Section | .data | md5: 0963bbee21d87ece92518e1b5d096d08 sha1: c834b18b8c24f38c44c9e1d913ba1359db253e5a size: 6656 |
| Timestamp | 2015-03-13 09:09:54 | |
| Packer | Microsoft Visual C++ ?.? | |
| PEhash | b52b72073e4bd80faabe95b69d3d0c8bc075cfab | |
| IMPhash | 64c3deae224546056c9d0ab2a5cb52be | |
| AV | CA (E-Trust Ino) | no_virus |
| AV | Ad-Aware | Gen:Variant.Rodecap.1 |
| AV | CAT (quickheal) | Trojan.Scar.r3 |
| AV | Avira (antivir) | TR/Crypt.ZPACK.147147 |
| AV | Trend Micro | no_virus |
| AV | Arcabit (arcavir) | Error Scanning File |
| AV | Authentium | W32/Nivdort.A.gen!Eldorado |
| AV | Symantec | Downloader.Upatre!g15 |
| AV | Grisoft (avg) | Win32/Cryptor |
| AV | Ikarus | Trojan-Spy.Win32.Nivdort |
| AV | Emsisoft | Gen:Variant.Rodecap.1 |
| AV | BitDefender | Gen:Variant.Rodecap.1 |
| AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort!rfn |
| AV | Fortinet | W32/Rodecap.BJ!tr |
| AV | VirusBlokAda (vba32) | no_virus |
| AV | Mcafee | Trojan-FEVX!464542283468 |
| AV | MalwareBytes | Trojan.Agent |
| AV | MicroWorld (escan) | Gen:Variant.Rodecap.1 |
| AV | Alwil (avast) | Malware-gen:Win32:Malware-gen |
| AV | BullGuard | Gen:Variant.Rodecap.1 |
| AV | ClamAV | no_virus |
| AV | Zillya! | no_virus |
| AV | Dr. Web | Trojan.DownLoader13.12494 |
| AV | Kaspersky | Trojan.Win32.Generic |
| AV | F-Secure | Gen:Variant.Rodecap.1 |
| AV | Eset (nod32) | Win32/Rodecap.BJ |
| AV | Twister | W32.Rodecap.BJ.feyp |
| AV | Frisk (f-prot) | no_virus |
| AV | Padvish | no_virus |
| AV | K7 | Trojan ( 004bda2e1 ) |
| AV | Rising | no_virus |
Runtime Details:
Process
↳ C:\malware.exe
| Action | Target |
|---|---|
| Creates File | C:\kaxpyoaryrsnlt\fenlwgwr |
| Creates File | C:\WINDOWS\kaxpyoaryrsnlt\fenlwgwr |
| Creates File | C:\kaxpyoaryrsnlt\yght1m1ugoqsv1wytojx.exe |
| Deletes File | C:\WINDOWS\kaxpyoaryrsnlt\fenlwgwr |
| Creates Process | C:\kaxpyoaryrsnlt\yght1m1ugoqsv1wytojx.exe |
Process
↳ C:\kaxpyoaryrsnlt\yght1m1ugoqsv1wytojx.exe
| Action | Target |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Foundation Protection Tracking Themes ➝ C:\kaxpyoaryrsnlt\aptbzwsprvn.exe |
| Creates File | C:\kaxpyoaryrsnlt\fenlwgwr |
| Creates File | C:\kaxpyoaryrsnlt\gkygyq |
| Creates File | C:\kaxpyoaryrsnlt\aptbzwsprvn.exe |
| Creates File | C:\WINDOWS\kaxpyoaryrsnlt\fenlwgwr |
| Deletes File | C:\WINDOWS\kaxpyoaryrsnlt\fenlwgwr |
| Creates Process | C:\kaxpyoaryrsnlt\aptbzwsprvn.exe |
| Creates Service | Thread Spooler Visual Manager Registrar Level - C:\kaxpyoaryrsnlt\aptbzwsprvn.exe |
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 800
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe
| Action | Target |
|---|---|
| Creates File | pipe\PCHFaultRepExecPipe |
Process
↳ Pid 1204
Process
↳ C:\WINDOWS\system32\spoolsv.exe
| Action | Target |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Process
↳ Pid 1884
Process
↳ Pid 1172
Process
↳ C:\kaxpyoaryrsnlt\aptbzwsprvn.exe
| Action | Target |
|---|---|
| Creates File | C:\kaxpyoaryrsnlt\fenlwgwr |
| Creates File | pipe\net\NtControlPipe10 |
| Creates File | C:\kaxpyoaryrsnlt\nbkfjpdt.exe |
| Creates File | C:\kaxpyoaryrsnlt\gkygyq |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\kaxpyoaryrsnlt\bnovojp2 |
| Creates File | C:\WINDOWS\kaxpyoaryrsnlt\fenlwgwr |
| Deletes File | C:\WINDOWS\kaxpyoaryrsnlt\fenlwgwr |
| Creates Process | yzerxcpawz1j "c:\kaxpyoaryrsnlt\aptbzwsprvn.exe" |
Process
↳ C:\kaxpyoaryrsnlt\aptbzwsprvn.exe
| Action | Target |
|---|---|
| Creates File | C:\kaxpyoaryrsnlt\fenlwgwr |
| Creates File | C:\WINDOWS\kaxpyoaryrsnlt\fenlwgwr |
| Deletes File | C:\WINDOWS\kaxpyoaryrsnlt\fenlwgwr |
Process
↳ yzerxcpawz1j "c:\kaxpyoaryrsnlt\aptbzwsprvn.exe"
| Action | Target |
|---|---|
| Creates File | C:\kaxpyoaryrsnlt\fenlwgwr |
| Creates File | C:\WINDOWS\kaxpyoaryrsnlt\fenlwgwr |
| Deletes File | C:\WINDOWS\kaxpyoaryrsnlt\fenlwgwr |
Network Details:
Raw Pcap
Strings