Analysis Date: 2015-09-27 08:00:26
MD5: 73dbbc8291f5a0e180994e23627629b9
SHA1: d0cbea1a3029d7df021bf379c385c01a2132a2c3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: e7ee58875c96586a052e332544da4323 sha1: 89ee9beed19d87493fe604cbeebc34cc1e29c2f8 size: 164352
Section .rdata md5: c2838d07864c0c8eef32ccc8f9b543f6 sha1: e783f99cf4ddf32fbea2d7cffbf78764081d7fcf size: 38912
Section .data  md5: 77830042a91fe8633398ef1767bd7523 sha1: 587635fb9957b51ec4a26aba83b7347d0ffedfcc size: 7168
Timestamp: 2015-03-13 09:37:04
Packer: Microsoft Visual C++ ?.?
PEhash: b005f53c051e62dfdfea068716ebccc33ddb6c09
IMPhash: c3173cc30ce8416db1aa2cce7ad3965d
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV Emsisoft: Gen:Variant.Rodecap.1
AV Dr. Web: no_virus
AV MalwareBytes: Trojan.Agent
AV Mcafee: Trojan-FEVX!73DBBC8291F5
AV Zillya!: no_virus
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV F-Secure: Gen:Variant.Rodecap.1
AV CA (E-Trust Ino): no_virus
AV Grisoft (avg): Win32/Cryptor
AV Avira (antivir): TR/Crypt.ZPACK.184258
AV BullGuard: Gen:Variant.Rodecap.1
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV K7: no_virus
AV Twister: W32.Rodecap.BJ.osrm
AV BitDefender: Gen:Variant.Rodecap.1
AV Fortinet: W32/Rodecap.BJ!tr
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Symantec: Downloader.Upatre!g15
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): Win32/Rodecap.BJ
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Rising: no_virus
AV Padvish: no_virus
AV CAT (quickheal): TrojanSpy.Nivdort.r3
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AV
AV Frisk (f-prot): no_virus
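The section hashes, sizes and timestamp above are read straight from the PE header and section table, which is worth being able to reproduce when comparing a sample against this record. The following Python is an added example, not part of the report or of any sandbox's code: a stdlib-only reader that extracts the COFF TimeDateStamp and hashes each section's raw bytes, together with a builder for a minimal constructed PE image used to exercise it. It deliberately leaves out IMPhash and PEhash, which need the import table and a separate algorithm respectively.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_HEADER = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (first 24 of 40 bytes)
SECTION_HEADER = "<8sIIII"


def parse_pe_sections(data):
    """Return the COFF timestamp and per-section size/MD5/SHA1 of a PE image.

    Reads exactly the fields the sandbox lists under 'Static Details'.
    It does not compute IMPhash (needs the import table) or PEhash.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, data, coff)
    table = coff + struct.calcsize(COFF_HEADER) + opt_size
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(SECTION_HEADER, data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:
            raise ValueError(f"section {name!r} extends past end of file")
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    return {
        "machine": machine,
        "timestamp": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
    }


def build_test_pe(sections, stamp):
    """Construct a minimal, non-executable PE32 image for exercising the parser.

    Layout (all constructed here): 64-byte DOS header pointing at 0x40, the PE
    signature, a COFF header with an empty optional header, the section table,
    then each section's raw bytes on a 512-byte file-alignment boundary.
    """
    header_end = 0x40 + 4 + struct.calcsize(COFF_HEADER) + 40 * len(sections)
    raw_ptr = first_raw = (header_end + 0x1FF) & ~0x1FF
    table, blobs, vaddr = b"", b"", 0x1000
    for name, raw in sections:
        table += struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), len(raw), vaddr, len(raw), raw_ptr)
        table += b"\0" * 16          # relocation/line-number fields and Characteristics, unused here
        padded = raw.ljust((len(raw) + 0x1FF) & ~0x1FF, b"\0")
        blobs += padded
        raw_ptr += len(padded)
        vaddr += 0x1000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack(COFF_HEADER, 0x14C, len(sections), stamp, 0, 0, 0, 0x102)   # 0x14C = i386
    return (dos + b"PE\0\0" + coff + table).ljust(first_raw, b"\0") + blobs


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        info = parse_pe_sections(f.read())
    print("Timestamp:", info["timestamp"])
    for s in info["sections"]:
        print(f"Section {s['name']:<8} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
```

Run it against a sample and compare the printed section hashes and timestamp with the record above; a mismatch on a section hash with a matching timestamp usually means a repacked or patched variant rather than an unrelated file.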

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\scfnirhrulhc\f3ck11nvmjbyfcusztzqd.exe
Creates File: C:\scfnirhrulhc\moxhq6n
Creates File: C:\WINDOWS\scfnirhrulhc\moxhq6n
Deletes File: C:\WINDOWS\scfnirhrulhc\moxhq6n
Creates Process: C:\scfnirhrulhc\f3ck11nvmjbyfcusztzqd.exe

Process
↳ C:\scfnirhrulhc\f3ck11nvmjbyfcusztzqd.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Input Networking Secure Interactive ➝ C:\scfnirhrulhc\ddqhrqlmy.exe
Creates File: C:\scfnirhrulhc\moxhq6n
Creates File: C:\WINDOWS\scfnirhrulhc\moxhq6n
Creates File: C:\scfnirhrulhc\ddqhrqlmy.exe
Creates File: C:\scfnirhrulhc\dbqkneicmb
Deletes File: C:\WINDOWS\scfnirhrulhc\moxhq6n
Creates Process: C:\scfnirhrulhc\ddqhrqlmy.exe
Creates Service: Browser Source Trap Security - C:\scfnirhrulhc\ddqhrqlmy.exe

Process
↳ Pid 812

Process
↳ Pid 860

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\DDQHRQLMY.EXE-23DE66A5.pf
Creates File: C:\WINDOWS\Prefetch\LXKXZWGWTRGT.EXE-0D970ABC.pf
Creates File: C:\WINDOWS\Prefetch\F3CK11NVMJBYFCUSZTZQD.EXE-360B23A6.pf
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1120

Process
↳ Pid 1216

Process
↳ Pid 1308

Process
↳ Pid 1868

Process
↳ Pid 1560

Process
↳ C:\scfnirhrulhc\ddqhrqlmy.exe

Process
↳ C:\scfnirhrulhc\ddqhrqlmy.exe

Creates File: C:\scfnirhrulhc\ayljiuysuv
Creates File: C:\scfnirhrulhc\moxhq6n
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\scfnirhrulhc\moxhq6n
Creates File: \Device\Afd\Endpoint
Creates File: C:\scfnirhrulhc\lxkxzwgwtrgt.exe
Creates File: C:\scfnirhrulhc\dbqkneicmb
Deletes File: C:\scfnirhrulhc\f3ck11nvmjbyfcusztzqd.exe
Creates Process: qvoraup8ghhw "c:\scfnirhrulhc\ddqhrqlmy.exe"

Process
↳ qvoraup8ghhw "c:\scfnirhrulhc\ddqhrqlmy.exe"

Creates File: C:\scfnirhrulhc\moxhq6n
Creates File: C:\WINDOWS\scfnirhrulhc\moxhq6n
Deletes File: C:\WINDOWS\scfnirhrulhc\moxhq6n
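The runtime trace above is a three-stage drop: malware.exe writes and launches f3ck11nvmjbyfcusztzqd.exe from a new top-level directory, that stage registers ddqhrqlmy.exe both as a Run-key value and as a service, and ddqhrqlmy.exe then deletes the stage-one binary and relaunches itself with a random first token on the command line. As an added example, not part of the sandbox report, the Python below turns those behaviours into triage rules over event lines constructed from the report in a process|action|target form. The rule names, the set of expected executable roots and the line format are assumptions made here.

```python
import re

# Constructed from the sandbox report above, one event per line: process|action|target
SAMPLE_EVENTS = r"""
C:\malware.exe|Creates File|C:\scfnirhrulhc\f3ck11nvmjbyfcusztzqd.exe
C:\malware.exe|Creates Process|C:\scfnirhrulhc\f3ck11nvmjbyfcusztzqd.exe
C:\scfnirhrulhc\f3ck11nvmjbyfcusztzqd.exe|Registry|HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Input Networking Secure Interactive=C:\scfnirhrulhc\ddqhrqlmy.exe
C:\scfnirhrulhc\f3ck11nvmjbyfcusztzqd.exe|Creates Service|Browser Source Trap Security - C:\scfnirhrulhc\ddqhrqlmy.exe
C:\scfnirhrulhc\f3ck11nvmjbyfcusztzqd.exe|Creates Process|C:\scfnirhrulhc\ddqhrqlmy.exe
C:\scfnirhrulhc\ddqhrqlmy.exe|Deletes File|C:\scfnirhrulhc\f3ck11nvmjbyfcusztzqd.exe
C:\scfnirhrulhc\ddqhrqlmy.exe|Creates Process|qvoraup8ghhw "c:\scfnirhrulhc\ddqhrqlmy.exe"
C:\WINDOWS\System32\svchost.exe|Creates File|C:\WINDOWS\Prefetch\DDQHRQLMY.EXE-23DE66A5.pf
"""

# Directories directly under the system drive that executables are normally launched from (assumed list).
EXPECTED_ROOTS = {"windows", "program files", "program files (x86)", "users", "documents and settings"}

# Executable path, either bare or quoted inside a command line.
PATH_RE = re.compile(r'"?([a-z]:\\[^"|]+?\.exe)"?', re.IGNORECASE)


def image_path(value):
    """Pull the executable path out of a plain path or a quoted command line."""
    m = PATH_RE.search(value)
    return m.group(1).lower() if m else None


def top_dir(path):
    """First directory under the drive letter, e.g. 'scfnirhrulhc' for C:\\scfnirhrulhc\\x.exe."""
    parts = path.split("\\")
    return parts[1] if len(parts) > 2 else ""


def triage(events_text):
    """Return (rule, detail) findings for the persistence and evasion patterns in the trace."""
    findings = []
    launched = {}                      # image path -> process that launched it
    for line in events_text.strip().splitlines():
        proc, action, target = line.split("|", 2)
        proc = proc.lower()
        if action == "Registry" and "\\currentversion\\run\\" in target.lower():
            key, _, value = target.partition("=")
            findings.append(("run_key_persistence", f"{key} -> {value}"))
        elif action == "Creates Service":
            findings.append(("service_persistence", target))
        elif action == "Creates Process":
            img = image_path(target)
            if img is None:
                continue
            launched[img] = proc
            if top_dir(img) not in EXPECTED_ROOTS:
                findings.append(("exec_from_unusual_dir", img))
            # Command line whose first token is not the image itself (report shows a random token).
            if not target.lower().lstrip('"').startswith(img):
                findings.append(("spoofed_argv0", target))
        elif action == "Deletes File":
            victim = target.lower()
            if victim in launched:
                findings.append(("dropper_self_delete", f"{proc} deleted {victim}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:<24} {detail}")
```

The rules are intentionally narrow: a Run-key value or service whose image lives outside the usual executable roots is the point to pivot on, and the self-delete of the stage-one binary explains why only ddqhrqlmy.exe and lxkxzwgwtrgt.exe would be found on disk after the fact.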

Network Details:

DNS: heavyfinger.net  Type: A  72.13.81.186
DNS: journeybeyond.net  Type: A  50.87.199.62
DNS: increasebeing.net  Type: A  95.211.230.75
DNS: rememberforever.net  Type: A  188.40.1.55
DNS: littleflower.net  Type: A  62.116.130.8
DNS: gentleshoulder.net  Type: A
DNS: gentlefinger.net  Type: A
DNS: variousuntil.net  Type: A
DNS: returnuntil.net  Type: A
DNS: variousabove.net  Type: A
DNS: returnabove.net  Type: A
DNS: variousshoulder.net  Type: A
DNS: returnshoulder.net  Type: A
DNS: variousfinger.net  Type: A
DNS: returnfinger.net  Type: A
DNS: husbandbeyond.net  Type: A
DNS: journeybeing.net  Type: A
DNS: husbandbeing.net  Type: A
DNS: journeyforever.net  Type: A
DNS: husbandforever.net  Type: A
DNS: journeybottom.net  Type: A
DNS: husbandbottom.net  Type: A
DNS: destroybeyond.net  Type: A
DNS: littlebeyond.net  Type: A
DNS: destroybeing.net  Type: A
DNS: littlebeing.net  Type: A
DNS: destroyforever.net  Type: A
DNS: littleforever.net  Type: A
DNS: destroybottom.net  Type: A
DNS: littlebottom.net  Type: A
DNS: riddenbeyond.net  Type: A
DNS: belongbeyond.net  Type: A
DNS: riddenbeing.net  Type: A
DNS: belongbeing.net  Type: A
DNS: riddenforever.net  Type: A
DNS: belongforever.net  Type: A
DNS: riddenbottom.net  Type: A
DNS: belongbottom.net  Type: A
DNS: chairbeyond.net  Type: A
DNS: thosebeyond.net  Type: A
DNS: chairbeing.net  Type: A
DNS: thosebeing.net  Type: A
DNS: chairforever.net  Type: A
DNS: thoseforever.net  Type: A
DNS: chairbottom.net  Type: A
DNS: thosebottom.net  Type: A
DNS: withinbeyond.net  Type: A
DNS: sufferbeyond.net  Type: A
DNS: withinbeing.net  Type: A
DNS: sufferbeing.net  Type: A
DNS: withinforever.net  Type: A
DNS: sufferforever.net  Type: A
DNS: withinbottom.net  Type: A
DNS: sufferbottom.net  Type: A
DNS: effortbeyond.net  Type: A
DNS: throughbeyond.net  Type: A
DNS: effortbeing.net  Type: A
DNS: throughbeing.net  Type: A
DNS: effortforever.net  Type: A
DNS: throughforever.net  Type: A
DNS: effortbottom.net  Type: A
DNS: throughbottom.net  Type: A
DNS: forgetbeyond.net  Type: A
DNS: increasebeyond.net  Type: A
DNS: forgetbeing.net  Type: A
DNS: forgetforever.net  Type: A
DNS: increaseforever.net  Type: A
DNS: forgetbottom.net  Type: A
DNS: increasebottom.net  Type: A
DNS: wouldbeyond.net  Type: A
DNS: rememberbeyond.net  Type: A
DNS: wouldbeing.net  Type: A
DNS: rememberbeing.net  Type: A
DNS: wouldforever.net  Type: A
DNS: wouldbottom.net  Type: A
DNS: rememberbottom.net  Type: A
DNS: journeyflower.net  Type: A
DNS: husbandflower.net  Type: A
DNS: journeyminute.net  Type: A
DNS: husbandminute.net  Type: A
DNS: journeyspecial.net  Type: A
DNS: husbandspecial.net  Type: A
DNS: journeycorner.net  Type: A
DNS: husbandcorner.net  Type: A
DNS: destroyflower.net  Type: A
HTTP GET: http://heavyfinger.net/index.php?method&len
  User-Agent: (blank)
HTTP GET: http://journeybeyond.net/index.php?method&len
  User-Agent: (blank)
HTTP GET: http://increasebeing.net/index.php?method&len
  User-Agent: (blank)
HTTP GET: http://rememberforever.net/index.php?method&len
  User-Agent: (blank)
HTTP GET: http://littleflower.net/index.php?method&len
  User-Agent: (blank)
Flows TCP: 192.168.1.1:1031 ➝ 72.13.81.186:80
Flows TCP: 192.168.1.1:1032 ➝ 50.87.199.62:80
Flows TCP: 192.168.1.1:1033 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1034 ➝ 188.40.1.55:80
Flows TCP: 192.168.1.1:1035 ➝ 62.116.130.8:80
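Every name queried above is two common English words joined under .net, with the same handful of second words (beyond, being, forever, bottom, ...) recombined across many first words; only five of the 85 lookups returned an address, and each resolved host then received the identical GET /index.php?method&len with a blank User-Agent. As an added example, not taken from the report, the Python below scores a DNS and HTTP record set on those three signals. The records are constructed from the report plus one control entry, the wordlist is assembled from the report's own names (a real deployment would use a full dictionary), and the two thresholds are assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed from the report above: (queried name, A answer, or None if nothing came back).
SAMPLE_DNS = [
    ("heavyfinger.net", "72.13.81.186"), ("journeybeyond.net", "50.87.199.62"),
    ("increasebeing.net", "95.211.230.75"), ("rememberforever.net", "188.40.1.55"),
    ("littleflower.net", "62.116.130.8"),
    ("gentleshoulder.net", None), ("variousuntil.net", None), ("returnabove.net", None),
    ("husbandbottom.net", None), ("destroyforever.net", None), ("belongbeing.net", None),
    ("chairbeyond.net", None), ("withinforever.net", None), ("sufferbottom.net", None),
    ("effortbeing.net", None), ("throughbeyond.net", None), ("forgetbottom.net", None),
    ("wouldbeyond.net", None),
    ("www.example.com", "192.0.2.10"),        # constructed control, not in the report
]
# (URL, User-Agent header value) for the five hosts that resolved, plus a control request.
SAMPLE_HTTP = [(f"http://{name}/index.php?method&len", "") for name, _ in SAMPLE_DNS[:5]]
SAMPLE_HTTP.append(("http://www.example.com/", "Mozilla/5.0"))   # constructed control

# Wordlist built from the report's own names; use a full dictionary in practice.
WORDS = {"heavy", "finger", "journey", "beyond", "increase", "being", "remember", "forever",
         "little", "flower", "gentle", "shoulder", "various", "until", "return", "above",
         "husband", "bottom", "destroy", "belong", "chair", "within", "suffer", "effort",
         "through", "forget", "would"}


def split_two_words(label, words):
    """Return (first, second) if the label is exactly two wordlist words joined, else None."""
    for i in range(2, len(label) - 1):
        if label[:i] in words and label[i:] in words:
            return label[:i], label[i:]
    return None


def second_level(name):
    """(label directly under the TLD, TLD) for a queried name."""
    parts = name.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def analyse(dns_records, http_requests, words=WORDS,
            min_two_word_share=0.8, min_unresolved_share=0.5):
    """Score a capture for word-concatenation DGA lookups and a blank-UA beacon."""
    queries = len(dns_records)
    resolved = sum(1 for _, answer in dns_records if answer)
    two_word, firsts, seconds, tlds = 0, Counter(), Counter(), Counter()
    for name, _ in dns_records:
        label, tld = second_level(name)
        tlds[tld] += 1
        pair = split_two_words(label, words)
        if pair:
            two_word += 1
            firsts[pair[0]] += 1
            seconds[pair[1]] += 1
    unresolved = queries - resolved
    blank_ua = [url for url, ua in http_requests if not ua.strip()]
    hosts_per_uri = {}
    for url, _ in http_requests:
        p = urlsplit(url)
        uri = p.path + ("?" + p.query if p.query else "")
        hosts_per_uri.setdefault(uri, set()).add(p.hostname)
    return {
        "queries": queries, "resolved": resolved, "unresolved": unresolved,
        "two_word_domains": two_word,
        "first_words": sorted(firsts), "second_words": sorted(seconds),
        "tlds": dict(tlds),
        "dga_suspected": queries > 0
                         and two_word / queries >= min_two_word_share
                         and unresolved / queries >= min_unresolved_share,
        "blank_user_agent": blank_ua,
        # same path+query requested from three or more distinct hosts: a beacon, not browsing
        "uri_shared_across_hosts": {u: len(h) for u, h in hosts_per_uri.items() if len(h) >= 3},
    }


if __name__ == "__main__":
    for k, v in analyse(SAMPLE_DNS, SAMPLE_HTTP).items():
        print(f"{k}: {v}")
```

The small set of second words against a much larger set of first words is what separates this from ordinary typo traffic: the generator is recombining two lists, so blocking the five resolved hosts alone buys little, while a resolver-side rule on the two-word/.net/mostly-NXDOMAIN shape catches the next day's names as well.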
