Analysis Date: 2014-03-21 13:58:10
MD5: 71fcb7f6bf9717d7b65c1ffb4e4a988e
SHA1: 952b783a2b4b04d1f0c1e2704c043c54e47782d3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5dc85dc65c2a90f7559ba95a005b4e32 sha1: 108efe8ff688e77408df4e51ad8d9bb1de279cbb size: 121856
Section .rdata: md5: 4cd7da74606316f8520d9e9aa234f238 sha1: 00ba81b4a3300f5da188c31f4367af254a3de8dd size: 16384
Section .data: md5: 8ce2b3552f722341b05a779595a7651b sha1: a0471c27be4fa989415df947e4e72acbb3da7b34 size: 17408
Timestamp: 2014-01-22 06:27:32
Packer: Microsoft Visual C++ ?.?
PEhash: 4b1b55db04a1b70b62d98952f4441b1af95564d6
IMPhash: c49b107b66fdd4c8d29e94d881be84ab
AV (avg): Generic_r.DMG
AV (mcafee): Generic-FAOV!71FCB7F6BF97

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Endpoint Removal Spooler Driver Source ➝ C:\Documents and Settings\Administrator\Application Data\rvxpkqbt\ljvufjydidx.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\rvxpkqbt\ljvufjydidx.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\rvxpkqbt\ljvufjydidx.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\rvxpkqbt\ljvufjydidx.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\rvxpkqbt\fxwrxepokwfb.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\rvxpkqbt\ljvufjydidx.quipy
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\rvxpkqbt\ljvufjydidx.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\rvxpkqbt\ljvufjydidx.exe"

Network Details:

HTTP GET: http://glassstream.net/forum/search.php?email=michalnad1@walla.com&method=post (User-Agent: empty)
HTTP GET: http://glassbottle.net/forum/search.php?email=michalnad1@walla.com&method=post (User-Agent: empty)
HTTP GET: http://leaderstream.net/forum/search.php?email=michalnad1@walla.com&method=post (User-Agent: empty)
HTTP GET: http://variousstream.net/forum/search.php?email=michalnad1@walla.com&method=post (User-Agent: empty)
HTTP GET: http://returnstream.net/forum/search.php?email=michalnad1@walla.com&method=post (User-Agent: empty)
HTTP GET: http://degreebusiness.net/forum/search.php?email=michalnad1@walla.com&method=post (User-Agent: empty)
HTTP GET: http://forwardbusiness.net/forum/search.php?email=michalnad1@walla.com&method=post (User-Agent: empty)
