Analysis Date: 2016-02-13 03:42:20
MD5: c3684bd6f5c910b9d8d8f821d11abc76
SHA1: e40d6fa1dd482c3bd36a4878b588ed154a120881

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 7fa0e63a1e0bab741f2312a9329def19 sha1: db4c455938010c212fa25e296b737ccd7425f4b7 size: 545280
Section .rdata: md5: 90a9f9dd9f23114129859b23a38082d9 sha1: 506b04738ed96e83a8f4e151b75ddc4a96301ede size: 307712
Section .data: md5: 07b5472d347d42780469fb2654b7fc54 sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d size: 512
Section .reloc: md5: 1a01860b47d657e6c33ac5644d6d1dd6 sha1: ab3a5f6f5d75e105334d054997e246c3fe0807a3 size: 87040
Timestamp: 2015-12-29 20:40:45
PEhash: b03704491ab47c587323c837c6bb003150f58890
IMPhash: bee93e5a449eef452acaafa119fb5bcf
AV CA (E-Trust Ino): Gen:Variant.Razy.13381
AV F-Secure: Gen:Variant.Razy.13381
AV Dr. Web: Trojan.DownLoader19.26704
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Variant.Razy.13381
AV BullGuard: Gen:Variant.Razy.13381
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV Trend Micro: No Virus
AV Kaspersky: Trojan.Win32.Agent.netvok
AV Zillya!: Trojan.Agent.Win32.630704
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): Error Scanning File
AV Emsisoft: Gen:Variant.Razy.13381
AV Authentium: W32/Trojan.EDQG-4648
AV MalwareBytes: No Virus
AV MicroWorld (escan): Gen:Variant.Razy.13381
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DG
AV K7: Trojan ( 004db0c61 )
AV BitDefender: Gen:Variant.Razy.13381
AV Fortinet: W32/Bayrob.AS!tr
AV Symantec: No Virus
AV Grisoft (avg): Generic37.YVX
AV Eset (nod32): Win32/Bayrob.AS
AV Alwil (avast): Win32:Malware-gen
AV Rising: No Virus
AV Ad-Aware: Gen:Variant.Razy.13381
AV Twister: No Virus
AV Avira (antivir): TR/Crypt.Xpack.446603
AV Mcafee: Trojan-FHOH!C3684BD6F5C9

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\o5coabxtrkt72juh25pbfshlb.exe
Creates File: C:\WINDOWS\system32\unjfpxqcglwxr\tst
Creates File: PIPE\lsarpc
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\o5coabxtrkt72juh25pbfshlb.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\o5coabxtrkt72juh25pbfshlb.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\IKE Video Helper Authentication Source ➝ C:\WINDOWS\system32\cuqpktvc.exe
Creates File: C:\WINDOWS\system32\cuqpktvc.exe
Creates File: C:\WINDOWS\system32\unjfpxqcglwxr\lck
Creates File: C:\WINDOWS\system32\unjfpxqcglwxr\tst
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\cuqpktvc.exe
Creates Service: Protected Publication Program Procedure - C:\WINDOWS\system32\cuqpktvc.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1136

Process
↳ C:\WINDOWS\system32\cuqpktvc.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\unjfpxqcglwxr\lck
Creates File: C:\WINDOWS\system32\unjfpxqcglwxr\run
Creates File: C:\WINDOWS\system32\unjfpxqcglwxr\tst
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\WINDOWS\system32\unjfpxqcglwxr\cfg
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\TEMP\o5coabxtrwi5fjuh25.exe
Creates File: C:\WINDOWS\system32\scukjed.exe
Creates File: C:\WINDOWS\system32\unjfpxqcglwxr\rng
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "c:\windows\system32\cuqpktvc.exe"
Creates Process: C:\WINDOWS\TEMP\o5coabxtrwi5fjuh25.exe -r 42001 tcp

Process
↳ C:\WINDOWS\system32\cuqpktvc.exe

Creates File: C:\WINDOWS\system32\unjfpxqcglwxr\tst
Creates File: PIPE\lsarpc

Process
↳ WATCHDOGPROC "c:\windows\system32\cuqpktvc.exe"

Creates File: C:\WINDOWS\system32\unjfpxqcglwxr\tst

Process
↳ C:\WINDOWS\TEMP\o5coabxtrwi5fjuh25.exe -r 42001 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

HTTP GET: http://riddenstorm.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1038 ➝ 66.147.240.171:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2072   : close..Host: r
0x00000040 (00064)   69646465 6e73746f 726d2e6e 65740d0a   iddenstorm.net..
0x00000050 (00080)   0d0a                                  ..
Strings