Analysis Date: 2015-08-02 01:43:36
MD5: ce13599527769a18f155cda31e2f22a9
SHA1: cdf74f63f6e1fc0d8ffa24a9be2429b7765071e0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 01db6bfa963b396c62359d9ec2d36163 sha1: 94b056c5d4fb7ab9fefa8057fede965dc934b30a size: 161792
Section .rdata: md5: 6310ebc41e8c20f13bd470a19243c48f sha1: 47ac601ef61d45b3366b47286cea840c2f17d2a5 size: 37888
Section .data: md5: eb034238b91783d38d3e93afd7370adf sha1: 79710eba445ae929684d0537d73d9ee597751ae3 size: 7168
Timestamp: 2015-03-13 09:23:31
Packer: Microsoft Visual C++ ?.?
PEhash: 24109b4fbb051e373d723b59ecc40f6388879f4f
IMPhash: 2857d28b4abbcb4d232e7bd5f8e114e9
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Padvish: no_virus
AV Fortinet: W32/Rodecap.BJ!tr
AV MalwareBytes: Trojan.Agent
AV ClamAV: no_virus
AV Eset (nod32): Win32/Rodecap.BJ
AV Emsisoft: Gen:Variant.Rodecap.1
AV CAT (quickheal): TrojanSpy.Nivdort.r3
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV K7: Trojan ( 004bda2e1 )
AV Zillya!: no_virus
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV BullGuard: Gen:Variant.Rodecap.1
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
AV Twister: Trojan.Generic.jgjr
AV F-Secure: Gen:Variant.Rodecap.1
AV Dr. Web: Trojan.DownLoader13.10191
AV Frisk (f-prot): no_virus
AV BitDefender: Gen:Variant.Rodecap.1
AV Mcafee: Trojan-FEVX!CE1359952776
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV Symantec: Downloader.Upatre!g15
AV Avira (antivir): TR/Crypt.ZPACK.143174
AV Grisoft (avg): Win32/Cryptor
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Y
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Kaspersky: Trojan.Win32.Generic

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\inidcmz\xmly1lf9f7ouxuzuds.exe
Creates File: C:\inidcmz\yp52xks
Creates File: C:\WINDOWS\inidcmz\yp52xks
Deletes File: C:\WINDOWS\inidcmz\yp52xks
Creates Process: C:\inidcmz\xmly1lf9f7ouxuzuds.exe

Process
↳ C:\inidcmz\xmly1lf9f7ouxuzuds.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Reporting Store Protocol Workstation Fax ➝ C:\inidcmz\ycgjsstjv.exe
Creates File: C:\inidcmz\yp52xks
Creates File: C:\WINDOWS\inidcmz\yp52xks
Creates File: C:\inidcmz\ycgjsstjv.exe
Creates File: C:\inidcmz\u0ffdf
Deletes File: C:\WINDOWS\inidcmz\yp52xks
Creates Process: C:\inidcmz\ycgjsstjv.exe
Creates Service: Visual Registry Reports Logon - C:\inidcmz\ycgjsstjv.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1852

Process
↳ Pid 1096

Process
↳ C:\inidcmz\ycgjsstjv.exe

Creates File: C:\inidcmz\yp52xks
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\inidcmz\yp52xks
Creates File: \Device\Afd\Endpoint
Creates File: C:\inidcmz\lis6ubtut
Creates File: C:\inidcmz\rjbzzlq.exe
Creates File: C:\inidcmz\u0ffdf
Deletes File: C:\WINDOWS\inidcmz\yp52xks
Creates Process: mnfy9tjtvhxg "c:\inidcmz\ycgjsstjv.exe"

Process
↳ C:\inidcmz\ycgjsstjv.exe

Creates File: C:\inidcmz\yp52xks
Creates File: C:\WINDOWS\inidcmz\yp52xks
Deletes File: C:\WINDOWS\inidcmz\yp52xks

Process
↳ mnfy9tjtvhxg "c:\inidcmz\ycgjsstjv.exe"

Creates File: C:\inidcmz\yp52xks
Creates File: C:\WINDOWS\inidcmz\yp52xks
Deletes File: C:\WINDOWS\inidcmz\yp52xks

Network Details:

DNS: profiles.dexknows.com (Type: A) ➝ 204.133.117.26
DNS: winterbright.net (Type: A) ➝ 67.231.253.49
DNS: probablybright.net (Type: A) ➝ 95.211.230.75
DNS: sweetinside.net (Type: A) ➝ 208.91.197.241
DNS: simplepeople.net (Type: A) ➝ 91.194.77.112
DNS: motherdaughter.net (Type: A) ➝ 208.91.197.26
DNS: windowpeople.net (Type: A) ➝ 208.93.105.60
DNS: winterready.net (Type: A) ➝ 184.168.221.47
HTTP GET: http://windowbright.net/index.php?method&len
User-Agent:
HTTP GET: http://winterbright.net/index.php?method&len
User-Agent:
HTTP GET: http://probablybright.net/index.php?method&len
User-Agent:
HTTP GET: http://sweetinside.net/index.php?method&len
User-Agent:
HTTP GET: http://simplepeople.net/index.php?method&len
User-Agent:
HTTP GET: http://motherdaughter.net/index.php?method&len
User-Agent:
HTTP GET: http://windowpeople.net/index.php?method&len
User-Agent:
HTTP GET: http://winterready.net/index.php?method&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 204.133.117.26:80
Flows TCP: 192.168.1.1:1032 ➝ 67.231.253.49:80
Flows TCP: 192.168.1.1:1033 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1034 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1035 ➝ 91.194.77.112:80
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.26:80
Flows TCP: 192.168.1.1:1037 ➝ 208.93.105.60:80
Flows TCP: 192.168.1.1:1038 ➝ 184.168.221.47:80

Raw Pcap
Strings