Analysis Date: 2015-08-20 13:00:42
MD5: 0f1232fc8bb1a278cd5a9445987ab22c
SHA1: c2ef3c6164349eee1b0590c56abfbc72dd540d71

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 135edf15a69a7edffe8bbd3715063438 sha1: 2553cc277cd133ce05fbe5bea914c71ce514a0e5 size: 156160
Section .rdata: md5: 275a936a5d712ce3794f0a299dc1e553 sha1: acaaf6f6c7405ede41f48661d33fd7c69427e2d6 size: 38400
Section .data: md5: 51bb6be7a196467267445d8b3fb7d39b sha1: f5cd1f150897020e3aa281d4dd82b5ec575401e8 size: 6656
Timestamp: 2015-03-13 09:39:21
Packer: Microsoft Visual C++ ?.?
PEhash: c271f3518f55b8f0aaea28ddade7dcf151a24031
IMPhash: 9746c0eed04d88d7c256a1152dcb8ae5
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Rodecap.1
AV Dr. Web: Trojan.DownLoader15.41263
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV BullGuard: Gen:Variant.Rodecap.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Rodecap.1
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Frisk (f-prot): no_virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV MalwareBytes: Trojan.Agent
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AV
AV K7: Trojan ( 004bdb0b1 )
AV BitDefender: Gen:Variant.Rodecap.1
AV Fortinet: W32/Rodecap.BJ!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Rodecap.BJ
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.153381
AV Mcafee: Trojan-FEVX!0F1232FC8BB1
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\hnxipxxuehsuls\wx3fmyasrcbvspufq.exe
Creates File: C:\WINDOWS\hnxipxxuehsuls\ycroyjhjc
Creates File: C:\hnxipxxuehsuls\ycroyjhjc
Deletes File: C:\WINDOWS\hnxipxxuehsuls\ycroyjhjc
Creates Process: C:\hnxipxxuehsuls\wx3fmyasrcbvspufq.exe

Process
↳ C:\hnxipxxuehsuls\wx3fmyasrcbvspufq.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Notification Upgrade Control ➝ C:\hnxipxxuehsuls\kxqdaqcb.exe
Creates File: C:\WINDOWS\hnxipxxuehsuls\ycroyjhjc
Creates File: C:\hnxipxxuehsuls\kxqdaqcb.exe
Creates File: C:\hnxipxxuehsuls\xkajcpulam
Creates File: C:\hnxipxxuehsuls\ycroyjhjc
Deletes File: C:\WINDOWS\hnxipxxuehsuls\ycroyjhjc
Creates Process: C:\hnxipxxuehsuls\kxqdaqcb.exe
Creates Service: Telephony Block Interactive - C:\hnxipxxuehsuls\kxqdaqcb.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ Pid 1016

Process
↳ Pid 1208

Process
↳ Pid 1324

Process
↳ Pid 1872

Process
↳ Pid 1576

Process
↳ C:\hnxipxxuehsuls\kxqdaqcb.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\hnxipxxuehsuls\jfvbnwkzq8b
Creates File: C:\WINDOWS\hnxipxxuehsuls\ycroyjhjc
Creates File: C:\hnxipxxuehsuls\xkajcpulam
Creates File: \Device\Afd\Endpoint
Creates File: C:\hnxipxxuehsuls\ycroyjhjc
Creates File: C:\hnxipxxuehsuls\tgsbvrprjpef.exe
Deletes File: C:\WINDOWS\hnxipxxuehsuls\ycroyjhjc
Creates Process: p6ujxnaigxjy "c:\hnxipxxuehsuls\kxqdaqcb.exe"

Process
↳ C:\hnxipxxuehsuls\kxqdaqcb.exe

Creates File: C:\WINDOWS\hnxipxxuehsuls\ycroyjhjc
Creates File: C:\hnxipxxuehsuls\ycroyjhjc
Deletes File: C:\WINDOWS\hnxipxxuehsuls\ycroyjhjc

Process
↳ p6ujxnaigxjy "c:\hnxipxxuehsuls\kxqdaqcb.exe"

Creates File: C:\WINDOWS\hnxipxxuehsuls\ycroyjhjc
Creates File: C:\hnxipxxuehsuls\ycroyjhjc
Deletes File: C:\WINDOWS\hnxipxxuehsuls\ycroyjhjc

Network Details:

DNS finishbasket.net (Type: A) ➝ 195.22.26.253
DNS finishbasket.net (Type: A) ➝ 195.22.26.254
DNS finishbasket.net (Type: A) ➝ 195.22.26.231
DNS finishbasket.net (Type: A) ➝ 195.22.26.252
DNS sweetindustry.net (Type: A) ➝ 98.124.199.1
DNS sweetbasket.net (Type: A) ➝ 210.157.19.51
DNS simplelanguage.net (Type: A) ➝ 82.165.126.64
DNS mountainlanguage.net (Type: A) ➝ 184.168.221.27
HTTP GET: http://finishbasket.net/index.php?method&len (User-Agent: empty)
HTTP GET: http://sweetindustry.net/index.php?method&len (User-Agent: empty)
HTTP GET: http://sweetbasket.net/index.php?method&len (User-Agent: empty)
HTTP GET: http://simplelanguage.net/index.php?method&len (User-Agent: empty)
HTTP GET: http://mountainlanguage.net/index.php?method&len (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 195.22.26.253:80
Flows TCP: 192.168.1.1:1032 ➝ 98.124.199.1:80
Flows TCP: 192.168.1.1:1033 ➝ 210.157.19.51:80
Flows TCP: 192.168.1.1:1034 ➝ 82.165.126.64:80
Flows TCP: 192.168.1.1:1035 ➝ 184.168.221.27:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206669 6e697368   se..Host: finish
0x00000050 (00080)   6261736b 65742e6e 65740d0a 0d0a       basket.net....

Strings