Analysis Date: 2015-10-30 22:32:55
MD5: 40ffff6282fb647cf2266ab111eb2b83
SHA1: bac42253e4b9b4e5e6c61dc975b917b47adf7ae3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 9521d1f698372f0de3c931b834595098  sha1: 86482c9b3d1cbfb021065a25d5fd8768ed81b621  size: 163840
Section .rdata  md5: efb43d6729a176a76665f8d8b192bd0f  sha1: 5cc9b15b13df45c284a646a2f3c3faf1c373f206  size: 37888
Section .data  md5: 64d7f1e40731235d120be5ccb27c50d7  sha1: 0a66bdc8c5450fd55ec252fb13ef772bc71fad2a  size: 6656
Timestamp: 2015-03-13 09:23:54
Packer: Microsoft Visual C++ ?.?
PEhash: eef4e964ba95dda033f03c2129f907c1a7d7cbba
IMPhash: 5274711b65a0fd1dce047fa9d5037b1e
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: Trojan-FEVX!40FFFF6282FB
AV Avira (antivir): TR/AD.Rodecap.Y.14
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Alwil (avast): Kryptik-PDJ [Trj]
AV Eset (nod32): Win32/Agent.VNC
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Rodecap.BJ!tr
AV BitDefender: Gen:Variant.Rodecap.1
AV K7: Trojan ( 004938ec1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AV
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV MalwareBytes: Trojan.Agent
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Rodecap
AV Emsisoft: Gen:Variant.Rodecap.1
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): TrojanPWS.Crypt.08849
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Rodecap.1
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader17.23581
AV F-Secure: Gen:Variant.Rodecap.1

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\xxvlxuymll\zws7p1lotxbc96fjlph.exe
Creates File: C:\xxvlxuymll\jxhfpfmzmkfp
Creates File: C:\WINDOWS\xxvlxuymll\jxhfpfmzmkfp
Deletes File: C:\WINDOWS\xxvlxuymll\jxhfpfmzmkfp
Creates Process: C:\xxvlxuymll\zws7p1lotxbc96fjlph.exe

Process
↳ C:\xxvlxuymll\zws7p1lotxbc96fjlph.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Reporting Resource Management ➝ C:\xxvlxuymll\qnvbykwgsq.exe
Creates File: C:\xxvlxuymll\jxhfpfmzmkfp
Creates File: C:\xxvlxuymll\qnvbykwgsq.exe
Creates File: C:\xxvlxuymll\bs7o4a9j
Creates File: C:\WINDOWS\xxvlxuymll\jxhfpfmzmkfp
Deletes File: C:\WINDOWS\xxvlxuymll\jxhfpfmzmkfp
Creates Process: C:\xxvlxuymll\qnvbykwgsq.exe
Creates Service: ActiveX Process Coordinator Software Windows TP - C:\xxvlxuymll\qnvbykwgsq.exe

Process
↳ Pid 800

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1108

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1848

Process
↳ Pid 1148

Process
↳ C:\xxvlxuymll\qnvbykwgsq.exe

Creates File: C:\xxvlxuymll\utpfclnnsjp.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\xxvlxuymll\zyfynhbh
Creates File: C:\xxvlxuymll\jxhfpfmzmkfp
Creates File: \Device\Afd\Endpoint
Creates File: C:\xxvlxuymll\bs7o4a9j
Creates File: C:\WINDOWS\xxvlxuymll\jxhfpfmzmkfp
Deletes File: C:\WINDOWS\xxvlxuymll\jxhfpfmzmkfp
Creates Process: ip7qjv6vlsno "c:\xxvlxuymll\qnvbykwgsq.exe"

Process
↳ C:\xxvlxuymll\qnvbykwgsq.exe

Creates File: C:\xxvlxuymll\jxhfpfmzmkfp
Creates File: C:\WINDOWS\xxvlxuymll\jxhfpfmzmkfp
Deletes File: C:\WINDOWS\xxvlxuymll\jxhfpfmzmkfp

Process
↳ ip7qjv6vlsno "c:\xxvlxuymll\qnvbykwgsq.exe"

Creates File: C:\xxvlxuymll\jxhfpfmzmkfp
Creates File: C:\WINDOWS\xxvlxuymll\jxhfpfmzmkfp
Deletes File: C:\WINDOWS\xxvlxuymll\jxhfpfmzmkfp

Network Details:

DNS: morningduring.net  Type: A  98.139.135.129
DNS: amountduring.net  Type: A  195.22.26.254
DNS: amountduring.net  Type: A  195.22.26.231
DNS: amountduring.net  Type: A  195.22.26.252
DNS: amountduring.net  Type: A  195.22.26.253
DNS: thinknorth.net  Type: A  184.168.221.58
DNS: oftennorth.net  Type: A  208.100.26.234
DNS: melbourneit.hotkeysparking.com  Type: A  8.5.1.16
DNS: middlenorth.net  Type: A  64.99.80.30
DNS: twelvenorth.net  Type: A  192.64.119.26
DNS: oftenindeed.net  Type: A
DNS: aloneindeed.net  Type: A
DNS: oftenduring.net  Type: A
DNS: aloneduring.net  Type: A
DNS: middlelength.net  Type: A
DNS: twelvelength.net  Type: A
DNS: middlenotice.net  Type: A
DNS: twelvenotice.net  Type: A
DNS: middleindeed.net  Type: A
DNS: twelveindeed.net  Type: A
DNS: middleduring.net  Type: A
DNS: twelveduring.net  Type: A
DNS: ratherlength.net  Type: A
DNS: morninglength.net  Type: A
DNS: rathernotice.net  Type: A
DNS: morningnotice.net  Type: A
DNS: ratherindeed.net  Type: A
DNS: morningindeed.net  Type: A
DNS: ratherduring.net  Type: A
DNS: strangelength.net  Type: A
DNS: historylength.net  Type: A
DNS: strangenotice.net  Type: A
DNS: historynotice.net  Type: A
DNS: strangeindeed.net  Type: A
DNS: historyindeed.net  Type: A
DNS: strangeduring.net  Type: A
DNS: historyduring.net  Type: A
DNS: amountlength.net  Type: A
DNS: weatherlength.net  Type: A
DNS: amountnotice.net  Type: A
DNS: weathernotice.net  Type: A
DNS: amountindeed.net  Type: A
DNS: weatherindeed.net  Type: A
DNS: weatherduring.net  Type: A
DNS: thicklength.net  Type: A
DNS: classlength.net  Type: A
DNS: thicknotice.net  Type: A
DNS: classnotice.net  Type: A
DNS: thickindeed.net  Type: A
DNS: classindeed.net  Type: A
DNS: thickduring.net  Type: A
DNS: classduring.net  Type: A
DNS: thinkclear.net  Type: A
DNS: presentclear.net  Type: A
DNS: thinkgeneral.net  Type: A
DNS: presentgeneral.net  Type: A
DNS: thinkinclude.net  Type: A
DNS: presentinclude.net  Type: A
DNS: presentnorth.net  Type: A
DNS: chiefclear.net  Type: A
DNS: collegeclear.net  Type: A
DNS: chiefgeneral.net  Type: A
DNS: collegegeneral.net  Type: A
DNS: chiefinclude.net  Type: A
DNS: collegeinclude.net  Type: A
DNS: chiefnorth.net  Type: A
DNS: collegenorth.net  Type: A
DNS: oftenclear.net  Type: A
DNS: aloneclear.net  Type: A
DNS: oftengeneral.net  Type: A
DNS: alonegeneral.net  Type: A
DNS: ofteninclude.net  Type: A
DNS: aloneinclude.net  Type: A
DNS: alonenorth.net  Type: A
DNS: middleclear.net  Type: A
DNS: twelveclear.net  Type: A
DNS: middlegeneral.net  Type: A
DNS: twelvegeneral.net  Type: A
DNS: middleinclude.net  Type: A
DNS: twelveinclude.net  Type: A
DNS: ratherclear.net  Type: A
DNS: morningclear.net  Type: A
DNS: rathergeneral.net  Type: A
DNS: morninggeneral.net  Type: A
DNS: ratherinclude.net  Type: A
DNS: morninginclude.net  Type: A
DNS: rathernorth.net  Type: A
DNS: morningnorth.net  Type: A
DNS: strangeclear.net  Type: A
HTTP GET: http://morningduring.net/index.php?method&len  User-Agent:
HTTP GET: http://amountduring.net/index.php?method&len  User-Agent:
HTTP GET: http://thinknorth.net/index.php?method&len  User-Agent:
HTTP GET: http://oftennorth.net/index.php?method&len  User-Agent:
HTTP GET: http://middlegeneral.net/index.php?method&len  User-Agent:
HTTP GET: http://middlenorth.net/index.php?method&len  User-Agent:
HTTP GET: http://twelvenorth.net/index.php?method&len  User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.26.254:80
Flows TCP: 192.168.1.1:1033 ➝ 184.168.221.58:80
Flows TCP: 192.168.1.1:1034 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1035 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1036 ➝ 64.99.80.30:80
Flows TCP: 192.168.1.1:1037 ➝ 192.64.119.26:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206d6f 726e696e   se..Host: mornin
0x00000050 (00080)   67647572 696e672e 6e65740d 0a0d0a     gduring.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a20616d 6f756e74   se..Host: amount
0x00000050 (00080)   64757269 6e672e6e 65740d0a 0d0a0a     during.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207468 696e6b6e   se..Host: thinkn
0x00000050 (00080)   6f727468 2e6e6574 0d0a0d0a 0d0a0a     orth.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206f66 74656e6e   se..Host: oftenn
0x00000050 (00080)   6f727468 2e6e6574 0d0a0d0a 0d0a0a     orth.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206d69 64646c65   se..Host: middle
0x00000050 (00080)   67656e65 72616c2e 6e65740d 0a0d0a     general.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206d69 64646c65   se..Host: middle
0x00000050 (00080)   6e6f7274 682e6e65 740d0a0d 0a0d0a     north.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207477 656c7665   se..Host: twelve
0x00000050 (00080)   6e6f7274 682e6e65 740d0a0d 0a0d0a     north.net......


Strings