Analysis Date: 2015-11-01 06:27:48
MD5: 64c61fbc2ade4efcb6f2a3233cfe4b92
SHA1: bc589fc656fb1378dad256936abece967caca8a5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 104b2c55271137376e6f96f0b41fbe9a  sha1: 7977c211d601863ff8e6824be9142e20bd8e773f  size: 105984
Section .rdata  md5: 8f76f19fa8abc97f725ccd3d0fc22fcd  sha1: aaf730e2f15f120f97ab7b005995af39ef532a10  size: 40448
Section .data   md5: e555e73523f389ffd9c1ad8bf793aca1  sha1: b95a5fc1a7b5922b4e8d9f1dfcdcba8797b967b0  size: 36352
Section .rsrc   md5: b6069d0b9717efceea253f211dfdbd96  sha1: 07183cb9a6fd81a8b52645852fc2c0992e7ebc0a  size: 115200
Timestamp: 2015-10-20 09:52:37
Packer: Microsoft Visual C++ ?.?
PEhash: 116c59b0da11b347d0df9a4eb3cc56bd7a374716
IMPhash: 1d197cdf83b2e3f99b60f6b0b5399019
AV Ad-Aware: Trojan.GenericKDZ.30724
AV Grisoft (avg): Crypt_r.AFM
AV CAT (quickheal): no_virus
AV Ikarus: Trojan.Win32.Injector
AV Avira (antivir): TR/AD.Crowti.Y.457
AV K7: Trojan ( 004cef571 )
AV ClamAV: no_virus
AV Kaspersky: Trojan-Ransom.Win32.Cryptodef.aaev
AV Arcabit (arcavir): Trojan.GenericKDZ.30724
AV MalwareBytes: Ransom.CryptoWall
AV Dr. Web: Trojan.DownLoad3.35944
AV Mcafee: Gamarue-FDC!64C61FBC2ADE
AV BitDefender: Trojan.GenericKDZ.30724
AV Microsoft Security Essentials: Ransom:Win32/Crowti
AV Emsisoft: Trojan.GenericKDZ.30724
AV MicroWorld (escan): Trojan.GenericKDZ.30724
AV Alwil (avast): Androp [Drp]
AV Padvish: no_virus
AV Eset (nod32): Win32/Injector.BNHS
AV Rising: no_virus
AV BullGuard: Trojan.GenericKDZ.30724
AV Fortinet: W32/Kryptik.EASA!tr
AV Symantec: no_virus
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Trend Micro: no_virus
AV Frisk (f-prot): no_virus
AV Twister: no_virus
AV CA (E-Trust Ino): no_virus
AV VirusBlokAda (vba32): Backdoor.Androm
AV F-Secure: Trojan.GenericKDZ.30724
AV Zillya!: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\explorer.exe

Process
↳ C:\WINDOWS\explorer.exe

Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\6ff06165.exe
Creates File: C:\6ff06165\6ff06165.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\6ff06165.exe
Creates Process: vssadmin.exe Delete Shadows /All /Quiet
Creates Process: -k netsvcs

Process
↳ -k netsvcs

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ vssadmin.exe Delete Shadows /All /Quiet

Creates File: PIPE\lsarpc

Network Details:
