Analysis Date: 2015-08-27 15:46:46
MD5: 33685ae4d82d7d9a4c43c3a848a59d99
SHA1: da6ee962a5e1d96fea46ccb45e052f52ee13e080

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: fba13847a1ff367dca30158f479f6c91 sha1: 073882f6ac8dcf5aad64145c6794bbb0c59bd545 size: 161280
Section .rdata: md5: cdf1be8a8fa39919f92a40d704e06aca sha1: 1af3547fd19b0eafa9ac752f3b6b052b04a82fd0 size: 38400
Section .data: md5: caa6633d86576586ef01eb44c41eb58a sha1: 173e4cc986d92612c12406e67ec82eee6c54fbe6 size: 7168
Timestamp: 2015-03-13 09:36:08
Packer: Microsoft Visual C++ ?.?
PEhash: f10c21168e1384612d548cb38df4dee645e80461
IMPhash: 73486cc6db4d95028125b5db95ce961b
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Rodecap.1
AV Dr. Web: Trojan.DownLoader13.32771
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV BullGuard: Gen:Variant.Rodecap.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.Rodecap.Win32.1962
AV Emsisoft: Gen:Variant.Rodecap.1
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Frisk (f-prot): no_virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV MalwareBytes: Trojan.Agent
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV K7: no_virus
AV BitDefender: Gen:Variant.Rodecap.1
AV Fortinet: W32/Rodecap.BJ!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Rodecap.BJ
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Twister: Trojan.Generic.krju
AV Avira (antivir): no_virus
AV Mcafee: Trojan-FEVX!33685AE4D82D
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\irkevxx\wi7fjiu
Creates File: C:\WINDOWS\irkevxx\wi7fjiu
Creates File: C:\irkevxx\d8wiq1m8civ7fwfiuqo.exe
Deletes File: C:\WINDOWS\irkevxx\wi7fjiu
Creates Process: C:\irkevxx\d8wiq1m8civ7fwfiuqo.exe

Process
↳ C:\irkevxx\d8wiq1m8civ7fwfiuqo.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Receiver Video Isolation ➝ C:\irkevxx\eknmbvrsbnh.exe
Creates File: C:\irkevxx\wi7fjiu
Creates File: C:\WINDOWS\irkevxx\wi7fjiu
Creates File: C:\irkevxx\eknmbvrsbnh.exe
Creates File: C:\irkevxx\cjecrjtlebrv
Deletes File: C:\WINDOWS\irkevxx\wi7fjiu
Creates Process: C:\irkevxx\eknmbvrsbnh.exe
Creates Service: Secure Video Builder Config Proxy - C:\irkevxx\eknmbvrsbnh.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1900

Process
↳ Pid 1204

Process
↳ C:\irkevxx\eknmbvrsbnh.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\irkevxx\wi7fjiu
Creates File: C:\WINDOWS\irkevxx\wi7fjiu
Creates File: \Device\Afd\Endpoint
Creates File: C:\irkevxx\cjecrjtlebrv
Creates File: C:\irkevxx\wnhpjks8lu
Creates File: C:\irkevxx\tgxnmnzdoha.exe
Deletes File: C:\WINDOWS\irkevxx\wi7fjiu
Creates Process: wjzalwpxieqg "c:\irkevxx\eknmbvrsbnh.exe"

Process
↳ C:\irkevxx\eknmbvrsbnh.exe

Creates File: C:\irkevxx\wi7fjiu
Creates File: C:\WINDOWS\irkevxx\wi7fjiu
Deletes File: C:\WINDOWS\irkevxx\wi7fjiu

Process
↳ wjzalwpxieqg "c:\irkevxx\eknmbvrsbnh.exe"

Creates File: C:\irkevxx\wi7fjiu
Creates File: C:\WINDOWS\irkevxx\wi7fjiu
Deletes File: C:\WINDOWS\irkevxx\wi7fjiu

Network Details:

DNS: severadifference.net (Type: A) ➝ 95.211.230.75
DNS: simpledifference.net (Type: A) ➝ 31.22.4.18
DNS: buildingvalue.net (Type: A) ➝ 50.63.202.2
HTTP GET: http://severadifference.net/index.php?method&len (User-Agent: empty)
HTTP GET: http://simpledifference.net/index.php?method&len (User-Agent: empty)
HTTP GET: http://buildingvalue.net/index.php?method&len (User-Agent: empty)
Flows: TCP 192.168.1.1:1031 ➝ 95.211.230.75:80
Flows: TCP 192.168.1.1:1032 ➝ 31.22.4.18:80
Flows: TCP 192.168.1.1:1033 ➝ 50.63.202.2:80

Raw Pcap

Strings