Analysis Date: 2015-09-28 09:00:36
MD5: 8af1791ffe4d07334ed0fefcec167acb
SHA1: a68d72e9442d4b518bed2e05a13d310b30dad34b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: c171075379ba0dea6c15ce44a42110a6 sha1: 41c37f8c6c019a86561c091a9ff4aaa4da1c14ae size: 161280
Section .rdata: md5: 94c64a645445d60e664efe63f37a1ee9 sha1: 03cf66f692b98379d6b98b772765879b565f4e8c size: 39424
Section .data: md5: 5dad50e04b4224ff999d37c6084c0fd1 sha1: 594903a466f199de40fa22ac10c0235f14c6a141 size: 6656
Timestamp: 2015-03-13 09:09:58
Packer: Microsoft Visual C++ ?.?
PEhash: 69363c50c934004f54d750d22f88630f1da78c5e
IMPhash: 96d52157e9a0a9769c64cd9ef4353df0
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Grisoft (avg): Win32/Cryptor
AV CAT (quickheal): no_virus
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Avira (antivir): TR/Crypt.ZPACK.145627
AV K7: Trojan ( 004bdb0b1 )
AV ClamAV: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV MalwareBytes: Trojan.Agent
AV Dr. Web: Trojan.DownLoader13.18330
AV Mcafee: Trojan-FEVX!8AF1791FFE4D
AV BitDefender: Gen:Variant.Rodecap.1
AV Microsoft Security Essentials: no_virus
AV Emsisoft: Gen:Variant.Rodecap.1
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Padvish: no_virus
AV Eset (nod32): Win32/Rodecap.BJ
AV Rising: no_virus
AV BullGuard: Gen:Variant.Rodecap.1
AV Fortinet: W32/Rodecap.BJ!tr
AV Symantec: Downloader.Upatre!g15
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Trend Micro: TROJ_GE.DC0E8EE9
AV Frisk (f-prot): no_virus
AV Twister: Trojan.Scar.ixkb.ffjb
AV CA (E-Trust Ino): no_virus
AV VirusBlokAda (vba32): no_virus
AV F-Secure: Gen:Variant.Rodecap.1
AV Zillya!: Trojan.Rodecap.Win32.2162

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\xlqihbcfbb\nqsbgq1xzst
Creates File: C:\xlqihbcfbb\vuvq1m5rysqdhauzst.exe
Creates File: C:\WINDOWS\xlqihbcfbb\nqsbgq1xzst
Deletes File: C:\WINDOWS\xlqihbcfbb\nqsbgq1xzst
Creates Process: C:\xlqihbcfbb\vuvq1m5rysqdhauzst.exe

Process
↳ C:\xlqihbcfbb\vuvq1m5rysqdhauzst.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Task Modules Support Transaction ➝ C:\xlqihbcfbb\yzyodysqhqa.exe
Creates File: C:\xlqihbcfbb\nqsbgq1xzst
Creates File: C:\xlqihbcfbb\yzyodysqhqa.exe
Creates File: C:\WINDOWS\xlqihbcfbb\nqsbgq1xzst
Creates File: C:\xlqihbcfbb\jim3muu
Deletes File: C:\WINDOWS\xlqihbcfbb\nqsbgq1xzst
Creates Process: C:\xlqihbcfbb\yzyodysqhqa.exe
Creates Service: TPM Time Security Store Defender - C:\xlqihbcfbb\yzyodysqhqa.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1852

Process
↳ Pid 1144

Process
↳ C:\xlqihbcfbb\yzyodysqhqa.exe

Creates File: C:\xlqihbcfbb\nqsbgq1xzst
Creates File: pipe\net\NtControlPipe10
Creates File: C:\xlqihbcfbb\yhteufmjhql.exe
Creates File: C:\WINDOWS\xlqihbcfbb\nqsbgq1xzst
Creates File: \Device\Afd\Endpoint
Creates File: C:\xlqihbcfbb\yt0jpfhkmmov
Creates File: C:\xlqihbcfbb\jim3muu
Deletes File: C:\WINDOWS\xlqihbcfbb\nqsbgq1xzst
Creates Process: rqwdbpyijumx "c:\xlqihbcfbb\yzyodysqhqa.exe"

Process
↳ C:\xlqihbcfbb\yzyodysqhqa.exe

Creates File: C:\xlqihbcfbb\nqsbgq1xzst
Creates File: C:\WINDOWS\xlqihbcfbb\nqsbgq1xzst
Deletes File: C:\WINDOWS\xlqihbcfbb\nqsbgq1xzst

Process
↳ rqwdbpyijumx "c:\xlqihbcfbb\yzyodysqhqa.exe"

Creates File: C:\xlqihbcfbb\nqsbgq1xzst
Creates File: C:\WINDOWS\xlqihbcfbb\nqsbgq1xzst
Deletes File: C:\WINDOWS\xlqihbcfbb\nqsbgq1xzst

Network Details:

DNS: effortadvance.net (Type: A) ➝ 95.211.230.75
DNS: chairproblem.net (Type: A) ➝ 95.211.230.75
HTTP GET: http://effortadvance.net/index.php?method&len (User-Agent: empty)
HTTP GET: http://chairproblem.net/index.php?method&len (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1032 ➝ 95.211.230.75:80
