Analysis Date: 2015-10-13 11:09:24
MD5: e4ee54c2d2872092e25e87c4d9442da6
SHA1: c973dd0c009ae0aec61895e139ed2fda7f5881af

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text    md5: 2cf21a3882e6cb0bef48de5356847ec6 sha1: 45fc8c5cc0740a2575e9940496648911e509f9fb size: 227328
Section .data    md5: ef19b6842f8bb85b066137682950e86e sha1: 000f7ec948c3b5d23bbd4cbfe50048a9bc9cdc03 size: 20992
Section .rdata   md5: ba3c027412595228f5ce3972fb6cea76 sha1: 6ac058933450157e8b634547a2ffd17e1f5f5b6f size: 40448
Section .eh_fram md5: ada644d0f78ac99329537f355ed9999f sha1: 5eacbef4a423e895ef5a1dc2f60af727e08f0fc1 size: 40448
Section .bss     md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata   md5: 7dd7b284fc59598660212f5216633799 sha1: 8ad88f9d763dc981568aaa5135b678e411b5fa1e size: 6144
Section .CRT     md5: 7f27927e00539198ee74df8a14e36a39 sha1: cba2b74ee1781e4234a657dc5650e03603865e1c size: 512
Section .tls     md5: 255674fadd8cc7bc6ab4eb4e269c5241 sha1: 2b846edad7a64d2f5b163ac5c63f40a7564a16e8 size: 512
Timestamp: 2015-03-05 06:29:38
PEhash: 1e5480635f4a88aac854851cb7cf2a6d25123d5a
IMPhash: a9cad5432c073454fd999e237a4c7800
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.51758
AV Dr. Web: no_virus
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.51758
AV BullGuard: Gen:Variant.Symmi.51758
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Scar.lpvr
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Symmi.51758
AV Ikarus: Trojan.Win32.Staser
AV Frisk (f-prot): no_virus
AV Authentium: W32/S-6a8c3109!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.51758
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV K7: Trojan ( 004c988e1 )
AV BitDefender: Gen:Variant.Symmi.51758
AV Fortinet: W32/Agent.XDQ!tr
AV Symantec: Downloader.Upatre!g16
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Agent.XDQ
AV Alwil (avast): no_virus
AV Ad-Aware: Gen:Variant.Symmi.51758
AV Twister: no_virus
AV Avira (antivir): TR/ATRAPS.A.9230
AV Mcafee: Trojan-FGOJ!E4EE54C2D287

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\jhvnjntifn\iwwzbvj1ljmvzjrhmtbv4l.exe
Creates File: C:\jhvnjntifn\asv3odprzg8
Creates File: C:\WINDOWS\jhvnjntifn\asv3odprzg8
Deletes File: C:\WINDOWS\jhvnjntifn\asv3odprzg8
Creates Process: C:\jhvnjntifn\iwwzbvj1ljmvzjrhmtbv4l.exe

Process
↳ C:\jhvnjntifn\iwwzbvj1ljmvzjrhmtbv4l.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Proxy Reports Peer Microsoft Windows IKE ➝ C:\jhvnjntifn\p6etjo9v6.exe
Creates File: C:\jhvnjntifn\lahl4ex29
Creates File: C:\jhvnjntifn\p6etjo9v6.exe
Creates File: PIPE\lsarpc
Creates File: C:\jhvnjntifn\asv3odprzg8
Creates File: C:\WINDOWS\jhvnjntifn\asv3odprzg8
Deletes File: C:\WINDOWS\jhvnjntifn\asv3odprzg8
Creates Process: C:\jhvnjntifn\p6etjo9v6.exe
Creates Service: Ordering Access Isolation Logs Adapter - C:\jhvnjntifn\p6etjo9v6.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 816

Process
↳ Pid 864

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1220

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1168

Process
↳ C:\jhvnjntifn\p6etjo9v6.exe

Creates File: C:\jhvnjntifn\p6fvd9qmjkr
Creates File: C:\jhvnjntifn\jjwnlki8g.exe
Creates File: C:\jhvnjntifn\lahl4ex29
Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates File: C:\jhvnjntifn\asv3odprzg8
Creates File: C:\WINDOWS\jhvnjntifn\asv3odprzg8
Deletes File: C:\WINDOWS\jhvnjntifn\asv3odprzg8
Creates Process: yxdx5on7znxh "c:\jhvnjntifn\p6etjo9v6.exe"

Process
↳ C:\jhvnjntifn\p6etjo9v6.exe

Creates File: C:\jhvnjntifn\asv3odprzg8
Creates File: C:\WINDOWS\jhvnjntifn\asv3odprzg8
Deletes File: C:\WINDOWS\jhvnjntifn\asv3odprzg8

Process
↳ yxdx5on7znxh "c:\jhvnjntifn\p6etjo9v6.exe"

Creates File: C:\jhvnjntifn\asv3odprzg8
Creates File: C:\WINDOWS\jhvnjntifn\asv3odprzg8
Deletes File: C:\WINDOWS\jhvnjntifn\asv3odprzg8

Network Details:

(DNS entries with an arrow show the address returned; entries without one got no answer in the capture.)
DNS: genevieveanthonyson.net (A) ➝ 195.22.26.253
DNS: genevieveanthonyson.net (A) ➝ 195.22.26.254
DNS: genevieveanthonyson.net (A) ➝ 195.22.26.231
DNS: genevieveanthonyson.net (A) ➝ 195.22.26.252
DNS: catherinewilliamson.net (A) ➝ 184.168.221.63
DNS: catherinachamberlain.net (A)
DNS: catherinechamberlain.net (A)
DNS: catherinaanthonyson.net (A)
DNS: catherineanthonyson.net (A)
DNS: antonettebrassington.net (A)
DNS: madeleinebrassington.net (A)
DNS: antonetteecclestone.net (A)
DNS: madeleineecclestone.net (A)
DNS: antonettechamberlain.net (A)
DNS: madeleinechamberlain.net (A)
DNS: antonetteanthonyson.net (A)
DNS: madeleineanthonyson.net (A)
DNS: charlottebrassington.net (A)
DNS: stephaniebrassington.net (A)
DNS: charlotteecclestone.net (A)
DNS: stephanieecclestone.net (A)
DNS: charlottechamberlain.net (A)
DNS: stephaniechamberlain.net (A)
DNS: charlotteanthonyson.net (A)
DNS: stephanieanthonyson.net (A)
DNS: kimberlynbrassington.net (A)
DNS: glanvillebrassington.net (A)
DNS: kimberlynecclestone.net (A)
DNS: glanvilleecclestone.net (A)
DNS: kimberlynchamberlain.net (A)
DNS: glanvillechamberlain.net (A)
DNS: kimberlynanthonyson.net (A)
DNS: glanvilleanthonyson.net (A)
DNS: jessaminebrassington.net (A)
DNS: genevievebrassington.net (A)
DNS: jessamineecclestone.net (A)
DNS: genevieveecclestone.net (A)
DNS: jessaminechamberlain.net (A)
DNS: genevievechamberlain.net (A)
DNS: jessamineanthonyson.net (A)
DNS: zechariahbrassington.net (A)
DNS: marmadukebrassington.net (A)
DNS: zechariahecclestone.net (A)
DNS: marmadukeecclestone.net (A)
DNS: zechariahchamberlain.net (A)
DNS: marmadukechamberlain.net (A)
DNS: zechariahanthonyson.net (A)
DNS: marmadukeanthonyson.net (A)
DNS: kristopherwilliamson.net (A)
DNS: cassandrawilliamson.net (A)
DNS: kristopherherbertson.net (A)
DNS: cassandraherbertson.net (A)
DNS: kristopherwhittemore.net (A)
DNS: cassandrawhittemore.net (A)
DNS: kristopherderrickson.net (A)
DNS: cassandraderrickson.net (A)
DNS: maximilianwilliamson.net (A)
DNS: kimberleewilliamson.net (A)
DNS: maximilianherbertson.net (A)
DNS: kimberleeherbertson.net (A)
DNS: maximilianwhittemore.net (A)
DNS: kimberleewhittemore.net (A)
DNS: maximilianderrickson.net (A)
DNS: kimberleederrickson.net (A)
DNS: catherinawilliamson.net (A)
DNS: catherinaherbertson.net (A)
DNS: catherineherbertson.net (A)
DNS: catherinawhittemore.net (A)
DNS: catherinewhittemore.net (A)
DNS: catherinaderrickson.net (A)
DNS: catherinederrickson.net (A)
DNS: antonettewilliamson.net (A)
DNS: madeleinewilliamson.net (A)
DNS: antonetteherbertson.net (A)
DNS: madeleineherbertson.net (A)
DNS: antonettewhittemore.net (A)
DNS: madeleinewhittemore.net (A)
DNS: antonettederrickson.net (A)
DNS: madeleinederrickson.net (A)
DNS: charlottewilliamson.net (A)
DNS: stephaniewilliamson.net (A)
DNS: charlotteherbertson.net (A)
DNS: stephanieherbertson.net (A)
DNS: charlottewhittemore.net (A)
DNS: stephaniewhittemore.net (A)
DNS: charlottederrickson.net (A)
DNS: stephaniederrickson.net (A)
DNS: kimberlynwilliamson.net (A)
HTTP GET: http://genevieveanthonyson.net/index.php (User-Agent: empty)
HTTP GET: http://catherinewilliamson.net/index.php (User-Agent: empty)
Flows TCP: 192.168.1.1:1031 ➝ 195.22.26.253:80
Flows TCP: 192.168.1.1:1032 ➝ 184.168.221.63:80
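The runtime and network records above carry three things a responder wants pulled out: the persistence the sample sets up (a Run-key value and a service, both pointing at C:\jhvnjntifn\p6etjo9v6.exe), a long run of A-record lookups of which only genevieveanthonyson.net and catherinewilliamson.net returned addresses, and two HTTP GETs sent with an empty User-Agent. The Python script below is an added example, not part of the sandbox report or its tooling. It parses the export's flattened form (field label run straight into its value, a DNS lookup spread over a "Type:" line plus an optional answer line) as well as the "Label: value" form, sorts the records into indicator categories, and applies the checks: the autostart footholds, queried versus answered names together with whether each host splits into a given name plus a surname, and requests with a blank User-Agent. The given-name and surname lists are lifted from the domains on this page and are an assumption about how the names are generated, not something the report states; the embedded sample is a constructed excerpt of the lines above.

```python
# Added example for this report page (not the sandbox's own tooling): pull IOCs out
# of the flattened export and run the persistence, DNS and User-Agent checks on them.
import re
from collections import defaultdict

FIELD_RE = re.compile(
    r"^(Creates File|Deletes File|Creates Process|Creates Service|Registry|"
    r"DNS|HTTP GET|Flows TCP):?\s*(.*)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Accepts "host", "host (A)" and "host (A) ➝ 1.2.3.4" (with "->" as an alternative arrow).
DNS_VALUE_RE = re.compile(
    r"^([a-z0-9.-]+)(?:\s*\(A\))?(?:\s*(?:➝|->)\s*(\d{1,3}(?:\.\d{1,3}){3}))?$"
)
# Name lists lifted from the report's domains (an assumption about the generator).
GIVEN = {"genevieve", "catherine", "catherina", "antonette", "madeleine", "charlotte",
         "stephanie", "kimberlyn", "glanville", "jessamine", "zechariah", "marmaduke",
         "kristopher", "cassandra", "maximilian", "kimberlee"}
SURNAMES = {"anthonyson", "williamson", "chamberlain", "brassington",
            "ecclestone", "herbertson", "whittemore", "derrickson"}

# Constructed excerpt of the report's runtime and network lines, in raw export form.
SAMPLE = r"""RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Proxy Reports Peer Microsoft Windows IKE ➝
C:\jhvnjntifn\p6etjo9v6.exe
Creates ServiceOrdering Access Isolation Logs Adapter - C:\jhvnjntifn\p6etjo9v6.exe
DNSgenevieveanthonyson.net
Type: A
195.22.26.253
DNSgenevieveanthonyson.net
Type: A
195.22.26.254
DNScatherinewilliamson.net
Type: A
184.168.221.63
DNScatherinachamberlain.net
Type: A
DNSmarmadukeecclestone.net
Type: A
HTTP GEThttp://genevieveanthonyson.net/index.php
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 195.22.26.253:80
"""


def is_name_pair_domain(domain):
    """True when the host splits into a known given name plus surname under .net."""
    host, sep, tld = domain.rpartition(".")
    if not sep or tld != "net":
        return False
    return any(host.startswith(g) and host[len(g):] in SURNAMES for g in GIVEN)


def parse_report(text):
    """Return ({label: [values]}, {domain: [answer IPs]}) parsed from report text."""
    iocs, dns, last, domain = defaultdict(list), {}, None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if last == "DNS" and (line.startswith("Type:") or IPV4_RE.match(line)):
            if IPV4_RE.match(line):
                dns[domain].append(line)  # answer line of the lookup above
            continue
        if last == "Registry" and iocs["Registry"][-1].endswith("➝"):
            iocs["Registry"][-1] += " " + line  # data sits after the arrow
            continue
        if last == "HTTP GET" and line.startswith("User-Agent:"):
            iocs["User-Agent"].append(line.split(":", 1)[1].strip())
        m = FIELD_RE.match(line)
        last = m.group(1) if m else None
        if not m:
            continue
        value = m.group(2).strip()
        if last != "DNS":
            iocs[last].append(value)
            continue
        dm = DNS_VALUE_RE.match(value)
        if not dm:
            last = None
            continue
        domain = dm.group(1)
        dns.setdefault(domain, [])
        if dm.group(2):
            dns[domain].append(dm.group(2))
    return dict(iocs), dns


def persistence(iocs):
    """Autostart footholds: Run-key values and services created by the sample."""
    run_keys = [v for v in iocs.get("Registry", []) if "\\CurrentVersion\\Run\\" in v]
    return run_keys, list(iocs.get("Creates Service", []))


def dns_summary(dns):
    """Queried vs answered names and the name-pair count; many uniform queries, few answers."""
    return {"queried": len(dns),
            "answered": sum(1 for a in dns.values() if a),
            "name_pairs": sum(1 for d in dns if is_name_pair_domain(d)),
            "answer_ips": sorted({ip for a in dns.values() for ip in a})}


def empty_user_agent_requests(iocs):
    """URLs fetched with a blank User-Agent (assumes one User-Agent line per GET)."""
    return [u for u, ua in zip(iocs.get("HTTP GET", []), iocs.get("User-Agent", [])) if not ua]
```

On the full report the same functions give 89 queried names, 2 answered, and every name matching the given-name plus surname pattern; that ratio, not any single domain, is what a DNS detection rule should key on, since the names themselves rotate.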

Raw Pcap

Strings