Analysis Date2015-07-27 09:15:57
MD5e0a40d9a7a4cca97d43f9bda73a0fae9
SHA1f4cb4e97a103b710ac6153df8264859daa790050

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 0dce5071e9f1a3c89dc75e4b49caf3da sha1: 69cd6a4ca8cdf100df84ee8e2c7aee46fe84bc29 size: 155136
Section.rdata md5: 8927646d35d1c0591495e5c4f9746a72 sha1: 0f638018efa79a970e956855fc0938d08c32a9a6 size: 38400
Section.data md5: 0b5b49fa4d319626c72af6eb97f435df sha1: de46bb150edf8909f24a3ca4da0e52c1b8f31b08 size: 7168
Timestamp2015-03-13 09:11:43
PackerMicrosoft Visual C++ ?.?
PEhash925c3cae40a36486f9b0832e476a971d41b9bcb2
IMPhashe921a65fc9b7860831fbf9ef211d9384
AVAlwil (avast)Kryptik-PDK [Trj]
AVBullGuardGen:Variant.Rodecap.1
AVMicrosoft Security EssentialsTrojanSpy:Win32/Nivdort.Y
AVZillya!Trojan.Scar.Win32.88823
AVFrisk (f-prot)no_virus
AVBitDefenderGen:Variant.Rodecap.1
AVEmsisoftGen:Variant.Rodecap.1
AVCAT (quickheal)Trojan.Scar.r3
AVK7Trojan ( 004bda2e1 )
AVDr. WebTrojan.DownLoader13.13228
AVPadvishno_virus
AVEset (nod32)Win32/Rodecap.BJ
AVTrend Microno_virus
AVVirusBlokAda (vba32)Trojan.Scar
AVMicroWorld (escan)Gen:Variant.Rodecap.1
AVFortinetW32/Rodecap.BJ!tr
AVAd-AwareGen:Variant.Rodecap.1
AVKasperskyTrojan.Win32.Generic
AVClamAVno_virus
AVCA (E-Trust Ino)no_virus
AVMalwareBytesTrojan.Agent
AVArcabit (arcavir)Gen:Variant.Rodecap.1
AVMcafeeTrojan-FEVX!E0A40D9A7A4C
AVTwisterTrojan.Scar.iyes.fkks
AVAvira (antivir)TR/Spy.ZBot.xbbeoiq
AVF-SecureGen:Variant.Rodecap.1
AVIkarusTrojan.Win32.Rodecap
AVRisingno_virus
AVSymantecDownloader.Upatre!g15
AVGrisoft (avg)Win32/Cryptor
AVAuthentiumW32/Nivdort.A.gen!Eldorado

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\tclsdcmtkkhop\q7tnhdhlkv
Creates FileC:\tclsdcmtkkhop\uxw1mkxynxsccde.exe
Creates FileC:\WINDOWS\tclsdcmtkkhop\q7tnhdhlkv
Deletes FileC:\WINDOWS\tclsdcmtkkhop\q7tnhdhlkv
Creates ProcessC:\tclsdcmtkkhop\uxw1mkxynxsccde.exe

Process
↳ C:\tclsdcmtkkhop\uxw1mkxynxsccde.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Detection IP Drive Support ➝
C:\tclsdcmtkkhop\upiyneemlcy.exe
Creates FileC:\tclsdcmtkkhop\q7tnhdhlkv
Creates FileC:\tclsdcmtkkhop\uejfsp
Creates FileC:\tclsdcmtkkhop\upiyneemlcy.exe
Creates FileC:\WINDOWS\tclsdcmtkkhop\q7tnhdhlkv
Deletes FileC:\WINDOWS\tclsdcmtkkhop\q7tnhdhlkv
Creates ProcessC:\tclsdcmtkkhop\upiyneemlcy.exe
Creates ServiceIsolation PC Defender UPnP - C:\tclsdcmtkkhop\upiyneemlcy.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates FileC:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1148

Process
↳ C:\tclsdcmtkkhop\upiyneemlcy.exe

Creates FileC:\tclsdcmtkkhop\q7tnhdhlkv
Creates Filepipe\net\NtControlPipe10
Creates FileC:\tclsdcmtkkhop\qwkhpbvoxpzt.exe
Creates FileC:\tclsdcmtkkhop\uejfsp
Creates File\Device\Afd\Endpoint
Creates FileC:\tclsdcmtkkhop\hfsjks
Creates FileC:\WINDOWS\tclsdcmtkkhop\q7tnhdhlkv
Deletes FileC:\WINDOWS\tclsdcmtkkhop\q7tnhdhlkv
Creates Processne2npdyodtr2 "c:\tclsdcmtkkhop\upiyneemlcy.exe"

Process
↳ C:\tclsdcmtkkhop\upiyneemlcy.exe

Creates FileC:\tclsdcmtkkhop\q7tnhdhlkv
Creates FileC:\WINDOWS\tclsdcmtkkhop\q7tnhdhlkv
Deletes FileC:\WINDOWS\tclsdcmtkkhop\q7tnhdhlkv

Process
↳ ne2npdyodtr2 "c:\tclsdcmtkkhop\upiyneemlcy.exe"

Creates FileC:\tclsdcmtkkhop\q7tnhdhlkv
Creates FileC:\WINDOWS\tclsdcmtkkhop\q7tnhdhlkv
Deletes FileC:\WINDOWS\tclsdcmtkkhop\q7tnhdhlkv

Network Details:

DNSsweetfancy.net
Type: A
184.168.221.40
DNSsweetfriend.net
Type: A
66.96.147.156
DNSmaterialconsider.net
Type: A
208.91.197.241
DNSsimplesafety.net
Type: A
199.59.82.80
DNSmountainsafety.net
Type: A
184.168.221.12
DNSpossiblesafety.net
Type: A
95.211.230.75
DNSwindowsafety.net
Type: A
184.168.221.55
DNSsweetsmell.net
Type: A
54.246.123.138
DNSwinterlaughter.net
Type: A
DNSsubjectlaughter.net
Type: A
DNSwinterfancy.net
Type: A
DNSsubjectfancy.net
Type: A
DNSwinterconsider.net
Type: A
DNSsubjectconsider.net
Type: A
DNSwinterfriend.net
Type: A
DNSsubjectfriend.net
Type: A
DNSfinishlaughter.net
Type: A
DNSleavelaughter.net
Type: A
DNSfinishfancy.net
Type: A
DNSleavefancy.net
Type: A
DNSfinishconsider.net
Type: A
DNSleaveconsider.net
Type: A
DNSfinishfriend.net
Type: A
DNSleavefriend.net
Type: A
DNSsweetlaughter.net
Type: A
DNSprobablylaughter.net
Type: A
DNSprobablyfancy.net
Type: A
DNSsweetconsider.net
Type: A
DNSprobablyconsider.net
Type: A
DNSprobablyfriend.net
Type: A
DNSseverallaughter.net
Type: A
DNSmateriallaughter.net
Type: A
DNSseveralfancy.net
Type: A
DNSmaterialfancy.net
Type: A
DNSseveralconsider.net
Type: A
DNSseveralfriend.net
Type: A
DNSmaterialfriend.net
Type: A
DNSseverasmell.net
Type: A
DNSlaughsmell.net
Type: A
DNSseveraearly.net
Type: A
DNSlaughearly.net
Type: A
DNSseverasafety.net
Type: A
DNSlaughsafety.net
Type: A
DNSseverafuture.net
Type: A
DNSlaughfuture.net
Type: A
DNSsimplesmell.net
Type: A
DNSmothersmell.net
Type: A
DNSsimpleearly.net
Type: A
DNSmotherearly.net
Type: A
DNSmothersafety.net
Type: A
DNSsimplefuture.net
Type: A
DNSmotherfuture.net
Type: A
DNSmountainsmell.net
Type: A
DNSpossiblesmell.net
Type: A
DNSmountainearly.net
Type: A
DNSpossibleearly.net
Type: A
DNSmountainfuture.net
Type: A
DNSpossiblefuture.net
Type: A
DNSperhapssmell.net
Type: A
DNSwindowsmell.net
Type: A
DNSperhapsearly.net
Type: A
DNSwindowearly.net
Type: A
DNSperhapssafety.net
Type: A
DNSperhapsfuture.net
Type: A
DNSwindowfuture.net
Type: A
DNSwintersmell.net
Type: A
DNSsubjectsmell.net
Type: A
DNSwinterearly.net
Type: A
DNSsubjectearly.net
Type: A
DNSwintersafety.net
Type: A
DNSsubjectsafety.net
Type: A
DNSwinterfuture.net
Type: A
DNSsubjectfuture.net
Type: A
DNSfinishsmell.net
Type: A
DNSleavesmell.net
Type: A
DNSfinishearly.net
Type: A
DNSleaveearly.net
Type: A
DNSfinishsafety.net
Type: A
DNSleavesafety.net
Type: A
DNSfinishfuture.net
Type: A
DNSleavefuture.net
Type: A
DNSprobablysmell.net
Type: A
DNSsweetearly.net
Type: A
DNSprobablyearly.net
Type: A
DNSsweetsafety.net
Type: A
HTTP GEThttp://sweetfancy.net/index.php?method&len
User-Agent:
HTTP GEThttp://sweetfriend.net/index.php?method&len
User-Agent:
HTTP GEThttp://materialconsider.net/index.php?method&len
User-Agent:
HTTP GEThttp://simplesafety.net/index.php?method&len
User-Agent:
HTTP GEThttp://mountainsafety.net/index.php?method&len
User-Agent:
HTTP GEThttp://possiblesafety.net/index.php?method&len
User-Agent:
HTTP GEThttp://windowsafety.net/index.php?method&len
User-Agent:
HTTP GEThttp://sweetsmell.net/index.php?method&len
User-Agent:
Flows TCP192.168.1.1:1031 ➝ 184.168.221.40:80
Flows TCP192.168.1.1:1032 ➝ 66.96.147.156:80
Flows TCP192.168.1.1:1033 ➝ 208.91.197.241:80
Flows TCP192.168.1.1:1034 ➝ 199.59.82.80:80
Flows TCP192.168.1.1:1035 ➝ 184.168.221.12:80
Flows TCP192.168.1.1:1036 ➝ 95.211.230.75:80
Flows TCP192.168.1.1:1037 ➝ 184.168.221.55:80
Flows TCP192.168.1.1:1038 ➝ 54.246.123.138:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207377 65657466   se..Host: sweetf
0x00000050 (00080)   616e6379 2e6e6574 0d0a0d0a            ancy.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207377 65657466   se..Host: sweetf
0x00000050 (00080)   7269656e 642e6e65 740d0a0d 0a         riend.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206d61 74657269   se..Host: materi
0x00000050 (00080)   616c636f 6e736964 65722e6e 65740d0a   alconsider.net..
0x00000060 (00096)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207369 6d706c65   se..Host: simple
0x00000050 (00080)   73616665 74792e6e 65740d0a 0d0a0d0a   safety.net......
0x00000060 (00096)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a206d6f 756e7461   se..Host: mounta
0x00000050 (00080)   696e7361 66657479 2e6e6574 0d0a0d0a   insafety.net....
0x00000060 (00096)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a20706f 73736962   se..Host: possib
0x00000050 (00080)   6c657361 66657479 2e6e6574 0d0a0d0a   lesafety.net....
0x00000060 (00096)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207769 6e646f77   se..Host: window
0x00000050 (00080)   73616665 74792e6e 65740d0a 0d0a0d0a   safety.net......
0x00000060 (00096)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 64266c65 6e204854 54502f31   ethod&len HTTP/1
0x00000020 (00032)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000030 (00048)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000040 (00064)   73650d0a 486f7374 3a207377 65657473   se..Host: sweets
0x00000050 (00080)   6d656c6c 2e6e6574 0d0a0d0a 0d0a0d0a   mell.net........
0x00000060 (00096)   0d0a                                  ..

Strings