Analysis | #totalhash

Analysis Date	2015-08-11 21:24:29
MD5	46454228346820ccedeb4aa949177750
SHA1	952008ba7ad7afd09f248236a93ce6c7e2cf7dd5

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: d0e0e53d63a78b710b62b255f8a2706d sha1: 610bd879cc83be5ae9d76deef8e882b633eba57d size: 160768
Section	.rdata md5: f2f670b5d1eb53e66bedae70c8a21dae sha1: f87ee5a381e38ae385345456e8bd3b9bb5ad049a size: 37376
Section	.data md5: 0963bbee21d87ece92518e1b5d096d08 sha1: c834b18b8c24f38c44c9e1d913ba1359db253e5a size: 6656
Timestamp	2015-03-13 09:09:54
Packer	Microsoft Visual C++ ?.?
PEhash	b52b72073e4bd80faabe95b69d3d0c8bc075cfab
IMPhash	64c3deae224546056c9d0ab2a5cb52be
AV	CA (E-Trust Ino)	no_virus
AV	Ad-Aware	Gen:Variant.Rodecap.1
AV	CAT (quickheal)	Trojan.Scar.r3
AV	Avira (antivir)	TR/Crypt.ZPACK.147147
AV	Trend Micro	no_virus
AV	Arcabit (arcavir)	Error Scanning File
AV	Authentium	W32/Nivdort.A.gen!Eldorado
AV	Symantec	Downloader.Upatre!g15
AV	Grisoft (avg)	Win32/Cryptor
AV	Ikarus	Trojan-Spy.Win32.Nivdort
AV	Emsisoft	Gen:Variant.Rodecap.1
AV	BitDefender	Gen:Variant.Rodecap.1
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort!rfn
AV	Fortinet	W32/Rodecap.BJ!tr
AV	VirusBlokAda (vba32)	no_virus
AV	Mcafee	Trojan-FEVX!464542283468
AV	MalwareBytes	Trojan.Agent
AV	MicroWorld (escan)	Gen:Variant.Rodecap.1
AV	Alwil (avast)	Malware-gen:Win32:Malware-gen
AV	BullGuard	Gen:Variant.Rodecap.1
AV	ClamAV	no_virus
AV	Zillya!	no_virus
AV	Dr. Web	Trojan.DownLoader13.12494
AV	Kaspersky	Trojan.Win32.Generic
AV	F-Secure	Gen:Variant.Rodecap.1
AV	Eset (nod32)	Win32/Rodecap.BJ
AV	Twister	W32.Rodecap.BJ.feyp
AV	Frisk (f-prot)	no_virus
AV	Padvish	no_virus
AV	K7	Trojan ( 004bda2e1 )
AV	Rising	no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\kaxpyoaryrsnlt\fenlwgwr
Creates File	C:\WINDOWS\kaxpyoaryrsnlt\fenlwgwr
Creates File	C:\kaxpyoaryrsnlt\yght1m1ugoqsv1wytojx.exe
Deletes File	C:\WINDOWS\kaxpyoaryrsnlt\fenlwgwr
Creates Process	C:\kaxpyoaryrsnlt\yght1m1ugoqsv1wytojx.exe

Process
↳ C:\kaxpyoaryrsnlt\yght1m1ugoqsv1wytojx.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Foundation Protection Tracking Themes ➝ C:\kaxpyoaryrsnlt\aptbzwsprvn.exe
Creates File	C:\kaxpyoaryrsnlt\fenlwgwr
Creates File	C:\kaxpyoaryrsnlt\gkygyq
Creates File	C:\kaxpyoaryrsnlt\aptbzwsprvn.exe
Creates File	C:\WINDOWS\kaxpyoaryrsnlt\fenlwgwr
Deletes File	C:\WINDOWS\kaxpyoaryrsnlt\fenlwgwr
Creates Process	C:\kaxpyoaryrsnlt\aptbzwsprvn.exe
Creates Service	Thread Spooler Visual Manager Registrar Level - C:\kaxpyoaryrsnlt\aptbzwsprvn.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	pipe\PCHFaultRepExecPipe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1884

Process
↳ Pid 1172

Process
↳ C:\kaxpyoaryrsnlt\aptbzwsprvn.exe

Creates File	C:\kaxpyoaryrsnlt\fenlwgwr
Creates File	pipe\net\NtControlPipe10
Creates File	C:\kaxpyoaryrsnlt\nbkfjpdt.exe
Creates File	C:\kaxpyoaryrsnlt\gkygyq
Creates File	\Device\Afd\Endpoint
Creates File	C:\kaxpyoaryrsnlt\bnovojp2
Creates File	C:\WINDOWS\kaxpyoaryrsnlt\fenlwgwr
Deletes File	C:\WINDOWS\kaxpyoaryrsnlt\fenlwgwr
Creates Process	yzerxcpawz1j "c:\kaxpyoaryrsnlt\aptbzwsprvn.exe"

Process
↳ C:\kaxpyoaryrsnlt\aptbzwsprvn.exe

Creates File	C:\kaxpyoaryrsnlt\fenlwgwr
Creates File	C:\WINDOWS\kaxpyoaryrsnlt\fenlwgwr
Deletes File	C:\WINDOWS\kaxpyoaryrsnlt\fenlwgwr

Process
↳ yzerxcpawz1j "c:\kaxpyoaryrsnlt\aptbzwsprvn.exe"

Creates File	C:\kaxpyoaryrsnlt\fenlwgwr
Creates File	C:\WINDOWS\kaxpyoaryrsnlt\fenlwgwr
Deletes File	C:\WINDOWS\kaxpyoaryrsnlt\fenlwgwr

Network Details:

DNS	doctortraining.net Type: A 184.168.221.34
DNS	doctorstorm.net Type: A 72.21.91.60
DNS	resultstorm.net Type: A 98.139.135.129
DNS	desirestorm.net Type: A 195.22.26.253
DNS	desirestorm.net Type: A 195.22.26.254
DNS	desirestorm.net Type: A 195.22.26.231
DNS	desirestorm.net Type: A 195.22.26.252
DNS	strengthtraining.net Type: A 165.160.15.20
DNS	strengthtraining.net Type: A 165.160.13.20
DNS	strengthstorm.net Type: A 50.63.202.27
DNS	doctorhunger.net Type: A
DNS	prettyhunger.net Type: A
DNS	prettytraining.net Type: A
DNS	prettystorm.net Type: A
DNS	doctorthrown.net Type: A
DNS	prettythrown.net Type: A
DNS	fellowhunger.net Type: A
DNS	doublehunger.net Type: A
DNS	fellowtraining.net Type: A
DNS	doubletraining.net Type: A
DNS	fellowstorm.net Type: A
DNS	doublestorm.net Type: A
DNS	fellowthrown.net Type: A
DNS	doublethrown.net Type: A
DNS	brokenhunger.net Type: A
DNS	resulthunger.net Type: A
DNS	brokentraining.net Type: A
DNS	resulttraining.net Type: A
DNS	brokenstorm.net Type: A
DNS	brokenthrown.net Type: A
DNS	resultthrown.net Type: A
DNS	preparehunger.net Type: A
DNS	desirehunger.net Type: A
DNS	preparetraining.net Type: A
DNS	desiretraining.net Type: A
DNS	preparestorm.net Type: A
DNS	preparethrown.net Type: A
DNS	desirethrown.net Type: A
DNS	strengthhunger.net Type: A
DNS	stillhunger.net Type: A
DNS	stilltraining.net Type: A
DNS	stillstorm.net Type: A
DNS	strengththrown.net Type: A
DNS	stillthrown.net Type: A
DNS	movementchoose.net Type: A
DNS	outsidechoose.net Type: A
DNS	movementalthough.net Type: A
DNS	outsidealthough.net Type: A
DNS	movementperiod.net Type: A
DNS	outsideperiod.net Type: A
DNS	movementhowever.net Type: A
DNS	outsidehowever.net Type: A
DNS	buildingchoose.net Type: A
DNS	eveningchoose.net Type: A
DNS	buildingalthough.net Type: A
DNS	eveningalthough.net Type: A
DNS	buildingperiod.net Type: A
DNS	eveningperiod.net Type: A
DNS	buildinghowever.net Type: A
DNS	eveninghowever.net Type: A
DNS	storechoose.net Type: A
DNS	mightchoose.net Type: A
DNS	storealthough.net Type: A
DNS	mightalthough.net Type: A
DNS	storeperiod.net Type: A
DNS	mightperiod.net Type: A
DNS	storehowever.net Type: A
DNS	mighthowever.net Type: A
DNS	doctorchoose.net Type: A
DNS	prettychoose.net Type: A
DNS	doctoralthough.net Type: A
DNS	prettyalthough.net Type: A
DNS	doctorperiod.net Type: A
DNS	prettyperiod.net Type: A
DNS	doctorhowever.net Type: A
DNS	prettyhowever.net Type: A
DNS	fellowchoose.net Type: A
DNS	doublechoose.net Type: A
DNS	fellowalthough.net Type: A
DNS	doublealthough.net Type: A
DNS	fellowperiod.net Type: A
DNS	doubleperiod.net Type: A
DNS	fellowhowever.net Type: A
DNS	doublehowever.net Type: A
DNS	brokenchoose.net Type: A
DNS	resultchoose.net Type: A
DNS	brokenalthough.net Type: A
DNS	resultalthough.net Type: A
DNS	brokenperiod.net Type: A
HTTP GET	http://doctortraining.net/index.php?method&len User-Agent:
HTTP GET	http://doctorstorm.net/index.php?method&len User-Agent:
HTTP GET	http://resultstorm.net/index.php?method&len User-Agent:
HTTP GET	http://desirestorm.net/index.php?method&len User-Agent:
HTTP GET	http://strengthtraining.net/index.php?method&len User-Agent:
HTTP GET	http://strengthstorm.net/index.php?method&len User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 184.168.221.34:80
Flows TCP	192.168.1.1:1032 ➝ 72.21.91.60:80
Flows TCP	192.168.1.1:1033 ➝ 98.139.135.129:80
Flows TCP	192.168.1.1:1034 ➝ 195.22.26.253:80
Flows TCP	192.168.1.1:1035 ➝ 165.160.15.20:80
Flows TCP	192.168.1.1:1036 ➝ 50.63.202.27:80

Raw Pcap

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a20646f 63746f72   se..Host: doctor
0x00000050 (00080)   74726169 6e696e67 2e6e6574 0d0a0d0a   training.net....
0x00000060 (00096)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a20646f 63746f72   se..Host: doctor
0x00000050 (00080)   73746f72 6d2e6e65 740d0a0d 0a0a0d0a   storm.net.......
0x00000060 (00096)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207265 73756c74   se..Host: result
0x00000050 (00080)   73746f72 6d2e6e65 740d0a0d 0a0a0d0a   storm.net.......
0x00000060 (00096)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206465 73697265   se..Host: desire
0x00000050 (00080)   73746f72 6d2e6e65 740d0a0d 0a0a0d0a   storm.net.......
0x00000060 (00096)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207374 72656e67   se..Host: streng
0x00000050 (00080)   74687472 61696e69 6e672e6e 65740d0a   thtraining.net..
0x00000060 (00096)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207374 72656e67   se..Host: streng
0x00000050 (00080)   74687374 6f726d2e 6e65740d 0a0d0a0a   thstorm.net.....
0x00000060 (00096)   0d0a                                  ..

Strings