| Analysis Date | 2015-07-27 09:15:18 |
|---|---|
| MD5 | e1822590466cba7675ce4817828848b9 |
| SHA1 | b202e83750d4e52961e8817e2be79b4f06a79993 |
Static Details:
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
|---|---|---|
| Section | .text md5: 65d2f20c3cf61740dbf4661059c2a1fa sha1: 5e3fb0d326bbf6863d0c713083ad369a894cb526 size: 155136 | |
| Section | .rdata md5: a98ea0794774cf13ab92f20ce14ea902 sha1: dd1c03db9c181c7e37989dc64961293192eda306 size: 38400 | |
| Section | .data md5: 0b5b49fa4d319626c72af6eb97f435df sha1: de46bb150edf8909f24a3ca4da0e52c1b8f31b08 size: 7168 | |
| Timestamp | 2015-03-13 09:11:43 | |
| Packer | Microsoft Visual C++ ?.? | |
| PEhash | 925c3cae40a36486f9b0832e476a971d41b9bcb2 | |
| IMPhash | e921a65fc9b7860831fbf9ef211d9384 | |
| AV | Twister | Trojan.Scar.iyes.fkks |
| AV | Padvish | no_virus |
| AV | Grisoft (avg) | Win32/Cryptor |
| AV | Ad-Aware | Gen:Variant.Rodecap.1 |
| AV | CAT (quickheal) | Trojan.Scar.r3 |
| AV | VirusBlokAda (vba32) | Trojan.Scar |
| AV | Kaspersky | Trojan.Win32.Generic |
| AV | Trend Micro | no_virus |
| AV | K7 | Trojan ( 004bda2e1 ) |
| AV | Dr. Web | Trojan.DownLoader13.13228 |
| AV | Fortinet | W32/Rodecap.BJ!tr |
| AV | MalwareBytes | Trojan.Agent |
| AV | CA (E-Trust Ino) | no_virus |
| AV | Eset (nod32) | Win32/Rodecap.BJ |
| AV | Avira (antivir) | TR/Spy.ZBot.xbbeoiq |
| AV | F-Secure | Gen:Variant.Rodecap.1 |
| AV | Mcafee | Trojan-FEVX!E1822590466C |
| AV | Emsisoft | Gen:Variant.Rodecap.1 |
| AV | BitDefender | Gen:Variant.Rodecap.1 |
| AV | Frisk (f-prot) | no_virus |
| AV | Zillya! | Trojan.Scar.Win32.88823 |
| AV | Ikarus | Trojan.Win32.Rodecap |
| AV | Symantec | Downloader.Upatre!g15 |
| AV | Rising | no_virus |
| AV | BullGuard | Gen:Variant.Rodecap.1 |
| AV | MicroWorld (escan) | Gen:Variant.Rodecap.1 |
| AV | Arcabit (arcavir) | Gen:Variant.Rodecap.1 |
| AV | ClamAV | no_virus |
| AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.Y |
| AV | Authentium | W32/Nivdort.A.gen!Eldorado |
| AV | Alwil (avast) | Kryptik-PDK [Trj] |
Runtime Details:
| Screenshot |  |
|---|
Process
↳ C:\malware.exe
| Creates File | C:\jexggqizgraiwd\lnio6zfq |
|---|---|
| Creates File | C:\WINDOWS\jexggqizgraiwd\lnio6zfq |
| Creates File | C:\jexggqizgraiwd\jya221ldzyqokqxlinfx.exe |
| Deletes File | C:\WINDOWS\jexggqizgraiwd\lnio6zfq |
| Creates Process | C:\jexggqizgraiwd\jya221ldzyqokqxlinfx.exe |
Process
↳ C:\jexggqizgraiwd\jya221ldzyqokqxlinfx.exe
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Acquisition Notification Ordering ➝ C:\jexggqizgraiwd\iopzdmr.exe |
|---|---|
| Creates File | C:\jexggqizgraiwd\ojrglh |
| Creates File | C:\jexggqizgraiwd\lnio6zfq |
| Creates File | C:\WINDOWS\jexggqizgraiwd\lnio6zfq |
| Creates File | C:\jexggqizgraiwd\iopzdmr.exe |
| Deletes File | C:\WINDOWS\jexggqizgraiwd\lnio6zfq |
| Creates Process | C:\jexggqizgraiwd\iopzdmr.exe |
| Creates Service | Bluetooth PC Config Play Counter - C:\jexggqizgraiwd\iopzdmr.exe |
Process
↳ Pid 804
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe
Process
↳ Pid 1104
Process
↳ Pid 1204
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Process
↳ Pid 1864
Process
↳ Pid 1148
Process
↳ C:\jexggqizgraiwd\iopzdmr.exe
| Creates File | C:\jexggqizgraiwd\ojrglh |
|---|---|
| Creates File | pipe\net\NtControlPipe10 |
| Creates File | C:\jexggqizgraiwd\lnio6zfq |
| Creates File | C:\WINDOWS\jexggqizgraiwd\lnio6zfq |
| Creates File | C:\jexggqizgraiwd\ykcxxsx |
| Creates File | C:\jexggqizgraiwd\kotytif.exe |
| Creates File | \Device\Afd\Endpoint |
| Deletes File | C:\WINDOWS\jexggqizgraiwd\lnio6zfq |
| Creates Process | ynlbumluxkga "c:\jexggqizgraiwd\iopzdmr.exe" |
Process
↳ C:\jexggqizgraiwd\iopzdmr.exe
| Creates File | C:\jexggqizgraiwd\lnio6zfq |
|---|---|
| Creates File | C:\WINDOWS\jexggqizgraiwd\lnio6zfq |
| Deletes File | C:\WINDOWS\jexggqizgraiwd\lnio6zfq |
Process
↳ ynlbumluxkga "c:\jexggqizgraiwd\iopzdmr.exe"
| Creates File | C:\jexggqizgraiwd\lnio6zfq |
|---|---|
| Creates File | C:\WINDOWS\jexggqizgraiwd\lnio6zfq |
| Deletes File | C:\WINDOWS\jexggqizgraiwd\lnio6zfq |
Network Details:
| DNS | sweetfancy.net Type: A 184.168.221.40 |
|---|---|
| DNS | sweetfriend.net Type: A 66.96.147.156 |
| DNS | materialconsider.net Type: A 208.91.197.241 |
| DNS | simplesafety.net Type: A 199.59.82.80 |
| DNS | mountainsafety.net Type: A 184.168.221.12 |
| DNS | possiblesafety.net Type: A 95.211.230.75 |
| DNS | windowsafety.net Type: A 184.168.221.55 |
| DNS | sweetsmell.net Type: A 54.246.123.138 |
| DNS | subjectfancy.net Type: A |
| DNS | winterconsider.net Type: A |
| DNS | subjectconsider.net Type: A |
| DNS | winterfriend.net Type: A |
| DNS | subjectfriend.net Type: A |
| DNS | finishlaughter.net Type: A |
| DNS | leavelaughter.net Type: A |
| DNS | finishfancy.net Type: A |
| DNS | leavefancy.net Type: A |
| DNS | finishconsider.net Type: A |
| DNS | leaveconsider.net Type: A |
| DNS | finishfriend.net Type: A |
| DNS | leavefriend.net Type: A |
| DNS | sweetlaughter.net Type: A |
| DNS | probablylaughter.net Type: A |
| DNS | probablyfancy.net Type: A |
| DNS | sweetconsider.net Type: A |
| DNS | probablyconsider.net Type: A |
| DNS | probablyfriend.net Type: A |
| DNS | severallaughter.net Type: A |
| DNS | materiallaughter.net Type: A |
| DNS | severalfancy.net Type: A |
| DNS | materialfancy.net Type: A |
| DNS | severalconsider.net Type: A |
| DNS | severalfriend.net Type: A |
| DNS | materialfriend.net Type: A |
| DNS | severasmell.net Type: A |
| DNS | laughsmell.net Type: A |
| DNS | severaearly.net Type: A |
| DNS | laughearly.net Type: A |
| DNS | severasafety.net Type: A |
| DNS | laughsafety.net Type: A |
| DNS | severafuture.net Type: A |
| DNS | laughfuture.net Type: A |
| DNS | simplesmell.net Type: A |
| DNS | mothersmell.net Type: A |
| DNS | simpleearly.net Type: A |
| DNS | motherearly.net Type: A |
| DNS | mothersafety.net Type: A |
| DNS | simplefuture.net Type: A |
| DNS | motherfuture.net Type: A |
| DNS | mountainsmell.net Type: A |
| DNS | possiblesmell.net Type: A |
| DNS | mountainearly.net Type: A |
| DNS | possibleearly.net Type: A |
| DNS | mountainfuture.net Type: A |
| DNS | possiblefuture.net Type: A |
| DNS | perhapssmell.net Type: A |
| DNS | windowsmell.net Type: A |
| DNS | perhapsearly.net Type: A |
| DNS | windowearly.net Type: A |
| DNS | perhapssafety.net Type: A |
| DNS | perhapsfuture.net Type: A |
| DNS | windowfuture.net Type: A |
| DNS | wintersmell.net Type: A |
| DNS | subjectsmell.net Type: A |
| DNS | winterearly.net Type: A |
| DNS | subjectearly.net Type: A |
| DNS | wintersafety.net Type: A |
| DNS | subjectsafety.net Type: A |
| DNS | winterfuture.net Type: A |
| DNS | subjectfuture.net Type: A |
| DNS | finishsmell.net Type: A |
| DNS | leavesmell.net Type: A |
| DNS | finishearly.net Type: A |
| DNS | leaveearly.net Type: A |
| DNS | finishsafety.net Type: A |
| DNS | leavesafety.net Type: A |
| DNS | finishfuture.net Type: A |
| DNS | leavefuture.net Type: A |
| DNS | probablysmell.net Type: A |
| DNS | sweetearly.net Type: A |
| DNS | probablyearly.net Type: A |
| DNS | sweetsafety.net Type: A |
| DNS | probablysafety.net Type: A |
| DNS | sweetfuture.net Type: A |
| DNS | probablyfuture.net Type: A |
| HTTP GET | http://sweetfancy.net/index.php?method&len User-Agent: |
| HTTP GET | http://sweetfriend.net/index.php?method&len User-Agent: |
| HTTP GET | http://materialconsider.net/index.php?method&len User-Agent: |
| HTTP GET | http://simplesafety.net/index.php?method&len User-Agent: |
| HTTP GET | http://mountainsafety.net/index.php?method&len User-Agent: |
| HTTP GET | http://possiblesafety.net/index.php?method&len User-Agent: |
| HTTP GET | http://windowsafety.net/index.php?method&len User-Agent: |
| HTTP GET | http://sweetsmell.net/index.php?method&len User-Agent: |
| Flows TCP | 192.168.1.1:1031 ➝ 184.168.221.40:80 |
| Flows TCP | 192.168.1.1:1032 ➝ 66.96.147.156:80 |
| Flows TCP | 192.168.1.1:1033 ➝ 208.91.197.241:80 |
| Flows TCP | 192.168.1.1:1034 ➝ 199.59.82.80:80 |
| Flows TCP | 192.168.1.1:1035 ➝ 184.168.221.12:80 |
| Flows TCP | 192.168.1.1:1036 ➝ 95.211.230.75:80 |
| Flows TCP | 192.168.1.1:1037 ➝ 184.168.221.55:80 |
| Flows TCP | 192.168.1.1:1038 ➝ 54.246.123.138:80 |
Raw Pcap
0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m 0x00000010 (00016) 6574686f 64266c65 6e204854 54502f31 ethod&len HTTP/1 0x00000020 (00032) 2e300d0a 41636365 70743a20 2a2f2a0d .0..Accept: */*. 0x00000030 (00048) 0a436f6e 6e656374 696f6e3a 20636c6f .Connection: clo 0x00000040 (00064) 73650d0a 486f7374 3a207377 65657466 se..Host: sweetf 0x00000050 (00080) 616e6379 2e6e6574 0d0a0d0a ancy.net.... 0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m 0x00000010 (00016) 6574686f 64266c65 6e204854 54502f31 ethod&len HTTP/1 0x00000020 (00032) 2e300d0a 41636365 70743a20 2a2f2a0d .0..Accept: */*. 0x00000030 (00048) 0a436f6e 6e656374 696f6e3a 20636c6f .Connection: clo 0x00000040 (00064) 73650d0a 486f7374 3a207377 65657466 se..Host: sweetf 0x00000050 (00080) 7269656e 642e6e65 740d0a0d 0a riend.net.... 0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m 0x00000010 (00016) 6574686f 64266c65 6e204854 54502f31 ethod&len HTTP/1 0x00000020 (00032) 2e300d0a 41636365 70743a20 2a2f2a0d .0..Accept: */*. 0x00000030 (00048) 0a436f6e 6e656374 696f6e3a 20636c6f .Connection: clo 0x00000040 (00064) 73650d0a 486f7374 3a206d61 74657269 se..Host: materi 0x00000050 (00080) 616c636f 6e736964 65722e6e 65740d0a alconsider.net.. 0x00000060 (00096) 0d0a .. 0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m 0x00000010 (00016) 6574686f 64266c65 6e204854 54502f31 ethod&len HTTP/1 0x00000020 (00032) 2e300d0a 41636365 70743a20 2a2f2a0d .0..Accept: */*. 0x00000030 (00048) 0a436f6e 6e656374 696f6e3a 20636c6f .Connection: clo 0x00000040 (00064) 73650d0a 486f7374 3a207369 6d706c65 se..Host: simple 0x00000050 (00080) 73616665 74792e6e 65740d0a 0d0a0d0a safety.net...... 0x00000060 (00096) 0d0a .. 0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m 0x00000010 (00016) 6574686f 64266c65 6e204854 54502f31 ethod&len HTTP/1 0x00000020 (00032) 2e300d0a 41636365 70743a20 2a2f2a0d .0..Accept: */*. 0x00000030 (00048) 0a436f6e 6e656374 696f6e3a 20636c6f .Connection: clo 0x00000040 (00064) 73650d0a 486f7374 3a206d6f 756e7461 se..Host: mounta 0x00000050 (00080) 696e7361 66657479 2e6e6574 0d0a0d0a insafety.net.... 0x00000060 (00096) 0d0a .. 0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m 0x00000010 (00016) 6574686f 64266c65 6e204854 54502f31 ethod&len HTTP/1 0x00000020 (00032) 2e300d0a 41636365 70743a20 2a2f2a0d .0..Accept: */*. 0x00000030 (00048) 0a436f6e 6e656374 696f6e3a 20636c6f .Connection: clo 0x00000040 (00064) 73650d0a 486f7374 3a20706f 73736962 se..Host: possib 0x00000050 (00080) 6c657361 66657479 2e6e6574 0d0a0d0a lesafety.net.... 0x00000060 (00096) 0d0a .. 0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m 0x00000010 (00016) 6574686f 64266c65 6e204854 54502f31 ethod&len HTTP/1 0x00000020 (00032) 2e300d0a 41636365 70743a20 2a2f2a0d .0..Accept: */*. 0x00000030 (00048) 0a436f6e 6e656374 696f6e3a 20636c6f .Connection: clo 0x00000040 (00064) 73650d0a 486f7374 3a207769 6e646f77 se..Host: window 0x00000050 (00080) 73616665 74792e6e 65740d0a 0d0a0d0a safety.net...... 0x00000060 (00096) 0d0a .. 0x00000000 (00000) 47455420 2f696e64 65782e70 68703f6d GET /index.php?m 0x00000010 (00016) 6574686f 64266c65 6e204854 54502f31 ethod&len HTTP/1 0x00000020 (00032) 2e300d0a 41636365 70743a20 2a2f2a0d .0..Accept: */*. 0x00000030 (00048) 0a436f6e 6e656374 696f6e3a 20636c6f .Connection: clo 0x00000040 (00064) 73650d0a 486f7374 3a207377 65657473 se..Host: sweets 0x00000050 (00080) 6d656c6c 2e6e6574 0d0a0d0a 0d0a0d0a mell.net........ 0x00000060 (00096) 0d0a ..
Strings