| Field | Value |
|---|---|
| Analysis Date | 2015-07-27 09:15:18 |
| MD5 | e1822590466cba7675ce4817828848b9 |
| SHA1 | b202e83750d4e52961e8817e2be79b4f06a79993 |
Static Details:

| Property | Value |
|---|---|
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
| Section | .text md5: 65d2f20c3cf61740dbf4661059c2a1fa sha1: 5e3fb0d326bbf6863d0c713083ad369a894cb526 size: 155136 |
| Section | .rdata md5: a98ea0794774cf13ab92f20ce14ea902 sha1: dd1c03db9c181c7e37989dc64961293192eda306 size: 38400 |
| Section | .data md5: 0b5b49fa4d319626c72af6eb97f435df sha1: de46bb150edf8909f24a3ca4da0e52c1b8f31b08 size: 7168 |
| Timestamp | 2015-03-13 09:11:43 |
| Packer | Microsoft Visual C++ ?.? |
| PEhash | 925c3cae40a36486f9b0832e476a971d41b9bcb2 |
| IMPhash | e921a65fc9b7860831fbf9ef211d9384 |

| Type | Vendor | Detection |
|---|---|---|
| AV | Twister | Trojan.Scar.iyes.fkks |
| AV | Padvish | no_virus |
| AV | Grisoft (avg) | Win32/Cryptor |
| AV | Ad-Aware | Gen:Variant.Rodecap.1 |
| AV | CAT (quickheal) | Trojan.Scar.r3 |
| AV | VirusBlokAda (vba32) | Trojan.Scar |
| AV | Kaspersky | Trojan.Win32.Generic |
| AV | Trend Micro | no_virus |
| AV | K7 | Trojan ( 004bda2e1 ) |
| AV | Dr. Web | Trojan.DownLoader13.13228 |
| AV | Fortinet | W32/Rodecap.BJ!tr |
| AV | MalwareBytes | Trojan.Agent |
| AV | CA (E-Trust Ino) | no_virus |
| AV | Eset (nod32) | Win32/Rodecap.BJ |
| AV | Avira (antivir) | TR/Spy.ZBot.xbbeoiq |
| AV | F-Secure | Gen:Variant.Rodecap.1 |
| AV | Mcafee | Trojan-FEVX!E1822590466C |
| AV | Emsisoft | Gen:Variant.Rodecap.1 |
| AV | BitDefender | Gen:Variant.Rodecap.1 |
| AV | Frisk (f-prot) | no_virus |
| AV | Zillya! | Trojan.Scar.Win32.88823 |
| AV | Ikarus | Trojan.Win32.Rodecap |
| AV | Symantec | Downloader.Upatre!g15 |
| AV | Rising | no_virus |
| AV | BullGuard | Gen:Variant.Rodecap.1 |
| AV | MicroWorld (escan) | Gen:Variant.Rodecap.1 |
| AV | Arcabit (arcavir) | Gen:Variant.Rodecap.1 |
| AV | ClamAV | no_virus |
| AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.Y |
| AV | Authentium | W32/Nivdort.A.gen!Eldorado |
| AV | Alwil (avast) | Kryptik-PDK [Trj] |
Runtime Details:
Process
↳ C:\malware.exe

| Action | Target |
|---|---|
| Creates File | C:\jexggqizgraiwd\lnio6zfq |
| Creates File | C:\WINDOWS\jexggqizgraiwd\lnio6zfq |
| Creates File | C:\jexggqizgraiwd\jya221ldzyqokqxlinfx.exe |
| Deletes File | C:\WINDOWS\jexggqizgraiwd\lnio6zfq |
| Creates Process | C:\jexggqizgraiwd\jya221ldzyqokqxlinfx.exe |

Process
↳ C:\jexggqizgraiwd\jya221ldzyqokqxlinfx.exe

| Action | Target |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Acquisition Notification Ordering ➝ C:\jexggqizgraiwd\iopzdmr.exe |
| Creates File | C:\jexggqizgraiwd\ojrglh |
| Creates File | C:\jexggqizgraiwd\lnio6zfq |
| Creates File | C:\WINDOWS\jexggqizgraiwd\lnio6zfq |
| Creates File | C:\jexggqizgraiwd\iopzdmr.exe |
| Deletes File | C:\WINDOWS\jexggqizgraiwd\lnio6zfq |
| Creates Process | C:\jexggqizgraiwd\iopzdmr.exe |
| Creates Service | Bluetooth PC Config Play Counter - C:\jexggqizgraiwd\iopzdmr.exe |

Process
↳ Pid 804
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe
Process
↳ Pid 1104
Process
↳ Pid 1204
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Process
↳ Pid 1864
Process
↳ Pid 1148
Process
↳ C:\jexggqizgraiwd\iopzdmr.exe

| Action | Target |
|---|---|
| Creates File | C:\jexggqizgraiwd\ojrglh |
| Creates File | pipe\net\NtControlPipe10 |
| Creates File | C:\jexggqizgraiwd\lnio6zfq |
| Creates File | C:\WINDOWS\jexggqizgraiwd\lnio6zfq |
| Creates File | C:\jexggqizgraiwd\ykcxxsx |
| Creates File | C:\jexggqizgraiwd\kotytif.exe |
| Creates File | \Device\Afd\Endpoint |
| Deletes File | C:\WINDOWS\jexggqizgraiwd\lnio6zfq |
| Creates Process | ynlbumluxkga "c:\jexggqizgraiwd\iopzdmr.exe" |

Process
↳ C:\jexggqizgraiwd\iopzdmr.exe

| Action | Target |
|---|---|
| Creates File | C:\jexggqizgraiwd\lnio6zfq |
| Creates File | C:\WINDOWS\jexggqizgraiwd\lnio6zfq |
| Deletes File | C:\WINDOWS\jexggqizgraiwd\lnio6zfq |

Process
↳ ynlbumluxkga "c:\jexggqizgraiwd\iopzdmr.exe"

| Action | Target |
|---|---|
| Creates File | C:\jexggqizgraiwd\lnio6zfq |
| Creates File | C:\WINDOWS\jexggqizgraiwd\lnio6zfq |
| Deletes File | C:\WINDOWS\jexggqizgraiwd\lnio6zfq |

Network Details:

| Type | Detail |
|---|---|
| DNS | sweetfancy.net Type: A 184.168.221.40 |
| DNS | sweetfriend.net Type: A 66.96.147.156 |
| DNS | materialconsider.net Type: A 208.91.197.241 |
| DNS | simplesafety.net Type: A 199.59.82.80 |
| DNS | mountainsafety.net Type: A 184.168.221.12 |
| DNS | possiblesafety.net Type: A 95.211.230.75 |
| DNS | windowsafety.net Type: A 184.168.221.55 |
| DNS | sweetsmell.net Type: A 54.246.123.138 |
| DNS | subjectfancy.net Type: A |
| DNS | winterconsider.net Type: A |
| DNS | subjectconsider.net Type: A |
| DNS | winterfriend.net Type: A |
| DNS | subjectfriend.net Type: A |
| DNS | finishlaughter.net Type: A |
| DNS | leavelaughter.net Type: A |
| DNS | finishfancy.net Type: A |
| DNS | leavefancy.net Type: A |
| DNS | finishconsider.net Type: A |
| DNS | leaveconsider.net Type: A |
| DNS | finishfriend.net Type: A |
| DNS | leavefriend.net Type: A |
| DNS | sweetlaughter.net Type: A |
| DNS | probablylaughter.net Type: A |
| DNS | probablyfancy.net Type: A |
| DNS | sweetconsider.net Type: A |
| DNS | probablyconsider.net Type: A |
| DNS | probablyfriend.net Type: A |
| DNS | severallaughter.net Type: A |
| DNS | materiallaughter.net Type: A |
| DNS | severalfancy.net Type: A |
| DNS | materialfancy.net Type: A |
| DNS | severalconsider.net Type: A |
| DNS | severalfriend.net Type: A |
| DNS | materialfriend.net Type: A |
| DNS | severasmell.net Type: A |
| DNS | laughsmell.net Type: A |
| DNS | severaearly.net Type: A |
| DNS | laughearly.net Type: A |
| DNS | severasafety.net Type: A |
| DNS | laughsafety.net Type: A |
| DNS | severafuture.net Type: A |
| DNS | laughfuture.net Type: A |
| DNS | simplesmell.net Type: A |
| DNS | mothersmell.net Type: A |
| DNS | simpleearly.net Type: A |
| DNS | motherearly.net Type: A |
| DNS | mothersafety.net Type: A |
| DNS | simplefuture.net Type: A |
| DNS | motherfuture.net Type: A |
| DNS | mountainsmell.net Type: A |
| DNS | possiblesmell.net Type: A |
| DNS | mountainearly.net Type: A |
| DNS | possibleearly.net Type: A |
| DNS | mountainfuture.net Type: A |
| DNS | possiblefuture.net Type: A |
| DNS | perhapssmell.net Type: A |
| DNS | windowsmell.net Type: A |
| DNS | perhapsearly.net Type: A |
| DNS | windowearly.net Type: A |
| DNS | perhapssafety.net Type: A |
| DNS | perhapsfuture.net Type: A |
| DNS | windowfuture.net Type: A |
| DNS | wintersmell.net Type: A |
| DNS | subjectsmell.net Type: A |
| DNS | winterearly.net Type: A |
| DNS | subjectearly.net Type: A |
| DNS | wintersafety.net Type: A |
| DNS | subjectsafety.net Type: A |
| DNS | winterfuture.net Type: A |
| DNS | subjectfuture.net Type: A |
| DNS | finishsmell.net Type: A |
| DNS | leavesmell.net Type: A |
| DNS | finishearly.net Type: A |
| DNS | leaveearly.net Type: A |
| DNS | finishsafety.net Type: A |
| DNS | leavesafety.net Type: A |
| DNS | finishfuture.net Type: A |
| DNS | leavefuture.net Type: A |
| DNS | probablysmell.net Type: A |
| DNS | sweetearly.net Type: A |
| DNS | probablyearly.net Type: A |
| DNS | sweetsafety.net Type: A |
| DNS | probablysafety.net Type: A |
| DNS | sweetfuture.net Type: A |
| DNS | probablyfuture.net Type: A |
| HTTP GET | http://sweetfancy.net/index.php?method&len User-Agent: |
| HTTP GET | http://sweetfriend.net/index.php?method&len User-Agent: |
| HTTP GET | http://materialconsider.net/index.php?method&len User-Agent: |
| HTTP GET | http://simplesafety.net/index.php?method&len User-Agent: |
| HTTP GET | http://mountainsafety.net/index.php?method&len User-Agent: |
| HTTP GET | http://possiblesafety.net/index.php?method&len User-Agent: |
| HTTP GET | http://windowsafety.net/index.php?method&len User-Agent: |
| HTTP GET | http://sweetsmell.net/index.php?method&len User-Agent: |
| Flows TCP | 192.168.1.1:1031 ➝ 184.168.221.40:80 |
| Flows TCP | 192.168.1.1:1032 ➝ 66.96.147.156:80 |
| Flows TCP | 192.168.1.1:1033 ➝ 208.91.197.241:80 |
| Flows TCP | 192.168.1.1:1034 ➝ 199.59.82.80:80 |
| Flows TCP | 192.168.1.1:1035 ➝ 184.168.221.12:80 |
| Flows TCP | 192.168.1.1:1036 ➝ 95.211.230.75:80 |
| Flows TCP | 192.168.1.1:1037 ➝ 184.168.221.55:80 |
| Flows TCP | 192.168.1.1:1038 ➝ 54.246.123.138:80 |

Raw Pcap
```
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207377 65657466   se..Host: sweetf
0x00000050 (00080)   616e6379 2e6e6574 0d0a0d0a            ancy.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207377 65657466   se..Host: sweetf
0x00000050 (00080)   7269656e 642e6e65 740d0a0d 0a         riend.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206d61 74657269   se..Host: materi
0x00000050 (00080)   616c636f 6e736964 65722e6e 65740d0a   alconsider.net..
0x00000060 (00096)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207369 6d706c65   se..Host: simple
0x00000050 (00080)   73616665 74792e6e 65740d0a 0d0a0d0a   safety.net......
0x00000060 (00096)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206d6f 756e7461   se..Host: mounta
0x00000050 (00080)   696e7361 66657479 2e6e6574 0d0a0d0a   insafety.net....
0x00000060 (00096)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a20706f 73736962   se..Host: possib
0x00000050 (00080)   6c657361 66657479 2e6e6574 0d0a0d0a   lesafety.net....
0x00000060 (00096)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207769 6e646f77   se..Host: window
0x00000050 (00080)   73616665 74792e6e 65740d0a 0d0a0d0a   safety.net......
0x00000060 (00096)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207377 65657473   se..Host: sweets
0x00000050 (00080)   6d656c6c 2e6e6574 0d0a0d0a 0d0a0d0a   mell.net........
0x00000060 (00096)   0d0a                                  ..
```
Strings