Analysis Date: 2015-07-27 09:15:18
MD5: e1822590466cba7675ce4817828848b9
SHA1: b202e83750d4e52961e8817e2be79b4f06a79993

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 65d2f20c3cf61740dbf4661059c2a1fa sha1: 5e3fb0d326bbf6863d0c713083ad369a894cb526 size: 155136
Section .rdata: md5: a98ea0794774cf13ab92f20ce14ea902 sha1: dd1c03db9c181c7e37989dc64961293192eda306 size: 38400
Section .data: md5: 0b5b49fa4d319626c72af6eb97f435df sha1: de46bb150edf8909f24a3ca4da0e52c1b8f31b08 size: 7168
Timestamp: 2015-03-13 09:11:43
Packer: Microsoft Visual C++ ?.?
PEhash: 925c3cae40a36486f9b0832e476a971d41b9bcb2
IMPhash: e921a65fc9b7860831fbf9ef211d9384
AV Twister: Trojan.Scar.iyes.fkks
AV Padvish: no_virus
AV Grisoft (avg): Win32/Cryptor
AV Ad-Aware: Gen:Variant.Rodecap.1
AV CAT (quickheal): Trojan.Scar.r3
AV VirusBlokAda (vba32): Trojan.Scar
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV K7: Trojan ( 004bda2e1 )
AV Dr. Web: Trojan.DownLoader13.13228
AV Fortinet: W32/Rodecap.BJ!tr
AV MalwareBytes: Trojan.Agent
AV CA (E-Trust Ino): no_virus
AV Eset (nod32): Win32/Rodecap.BJ
AV Avira (antivir): TR/Spy.ZBot.xbbeoiq
AV F-Secure: Gen:Variant.Rodecap.1
AV Mcafee: Trojan-FEVX!E1822590466C
AV Emsisoft: Gen:Variant.Rodecap.1
AV BitDefender: Gen:Variant.Rodecap.1
AV Frisk (f-prot): no_virus
AV Zillya!: Trojan.Scar.Win32.88823
AV Ikarus: Trojan.Win32.Rodecap
AV Symantec: Downloader.Upatre!g15
AV Rising: no_virus
AV BullGuard: Gen:Variant.Rodecap.1
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV ClamAV: no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Alwil (avast): Kryptik-PDK [Trj]

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\jexggqizgraiwd\lnio6zfq
Creates File: C:\WINDOWS\jexggqizgraiwd\lnio6zfq
Creates File: C:\jexggqizgraiwd\jya221ldzyqokqxlinfx.exe
Deletes File: C:\WINDOWS\jexggqizgraiwd\lnio6zfq
Creates Process: C:\jexggqizgraiwd\jya221ldzyqokqxlinfx.exe

Process
↳ C:\jexggqizgraiwd\jya221ldzyqokqxlinfx.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Acquisition Notification Ordering ➝ C:\jexggqizgraiwd\iopzdmr.exe
Creates File: C:\jexggqizgraiwd\ojrglh
Creates File: C:\jexggqizgraiwd\lnio6zfq
Creates File: C:\WINDOWS\jexggqizgraiwd\lnio6zfq
Creates File: C:\jexggqizgraiwd\iopzdmr.exe
Deletes File: C:\WINDOWS\jexggqizgraiwd\lnio6zfq
Creates Process: C:\jexggqizgraiwd\iopzdmr.exe
Creates Service: Bluetooth PC Config Play Counter - C:\jexggqizgraiwd\iopzdmr.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1104

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1864

Process
↳ Pid 1148

Process
↳ C:\jexggqizgraiwd\iopzdmr.exe

Creates File: C:\jexggqizgraiwd\ojrglh
Creates File: pipe\net\NtControlPipe10
Creates File: C:\jexggqizgraiwd\lnio6zfq
Creates File: C:\WINDOWS\jexggqizgraiwd\lnio6zfq
Creates File: C:\jexggqizgraiwd\ykcxxsx
Creates File: C:\jexggqizgraiwd\kotytif.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\jexggqizgraiwd\lnio6zfq
Creates Process: ynlbumluxkga "c:\jexggqizgraiwd\iopzdmr.exe"

Process
↳ C:\jexggqizgraiwd\iopzdmr.exe

Creates File: C:\jexggqizgraiwd\lnio6zfq
Creates File: C:\WINDOWS\jexggqizgraiwd\lnio6zfq
Deletes File: C:\WINDOWS\jexggqizgraiwd\lnio6zfq

Process
↳ ynlbumluxkga "c:\jexggqizgraiwd\iopzdmr.exe"

Creates File: C:\jexggqizgraiwd\lnio6zfq
Creates File: C:\WINDOWS\jexggqizgraiwd\lnio6zfq
Deletes File: C:\WINDOWS\jexggqizgraiwd\lnio6zfq

Network Details:

HTTP GET: http://sweetfancy.net/index.php?method&len (User-Agent: empty)
HTTP GET: http://sweetfriend.net/index.php?method&len (User-Agent: empty)
HTTP GET: http://materialconsider.net/index.php?method&len (User-Agent: empty)
HTTP GET: http://simplesafety.net/index.php?method&len (User-Agent: empty)
HTTP GET: http://mountainsafety.net/index.php?method&len (User-Agent: empty)
HTTP GET: http://possiblesafety.net/index.php?method&len (User-Agent: empty)
HTTP GET: http://windowsafety.net/index.php?method&len (User-Agent: empty)
HTTP GET: http://sweetsmell.net/index.php?method&len (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 184.168.221.40:80
Flows TCP: 192.168.1.1:1032 ➝ 66.96.147.156:80
Flows TCP: 192.168.1.1:1033 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1034 ➝ 199.59.82.80:80
Flows TCP: 192.168.1.1:1035 ➝ 184.168.221.12:80
Flows TCP: 192.168.1.1:1036 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1037 ➝ 184.168.221.55:80
Flows TCP: 192.168.1.1:1038 ➝ 54.246.123.138:80

Raw Pcap
Strings