Field | Value |
---|---|
Analysis Date | 2015-07-27 09:15:57 |
MD5 | e0a40d9a7a4cca97d43f9bda73a0fae9 |
SHA1 | f4cb4e97a103b710ac6153df8264859daa790050 |
Static Details:
Field | Value |
---|---|
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
Section | .text md5: 0dce5071e9f1a3c89dc75e4b49caf3da sha1: 69cd6a4ca8cdf100df84ee8e2c7aee46fe84bc29 size: 155136 |
Section | .rdata md5: 8927646d35d1c0591495e5c4f9746a72 sha1: 0f638018efa79a970e956855fc0938d08c32a9a6 size: 38400 |
Section | .data md5: 0b5b49fa4d319626c72af6eb97f435df sha1: de46bb150edf8909f24a3ca4da0e52c1b8f31b08 size: 7168 |
Timestamp | 2015-03-13 09:11:43 |
Packer | Microsoft Visual C++ ?.? |
PEhash | 925c3cae40a36486f9b0832e476a971d41b9bcb2 |
IMPhash | e921a65fc9b7860831fbf9ef211d9384 |

Type | AV Vendor | Detection |
---|---|---|
AV | Alwil (avast) | Kryptik-PDK [Trj] |
AV | BullGuard | Gen:Variant.Rodecap.1 |
AV | Microsoft Security Essentials | TrojanSpy:Win32/Nivdort.Y |
AV | Zillya! | Trojan.Scar.Win32.88823 |
AV | Frisk (f-prot) | no_virus |
AV | BitDefender | Gen:Variant.Rodecap.1 |
AV | Emsisoft | Gen:Variant.Rodecap.1 |
AV | CAT (quickheal) | Trojan.Scar.r3 |
AV | K7 | Trojan ( 004bda2e1 ) |
AV | Dr. Web | Trojan.DownLoader13.13228 |
AV | Padvish | no_virus |
AV | Eset (nod32) | Win32/Rodecap.BJ |
AV | Trend Micro | no_virus |
AV | VirusBlokAda (vba32) | Trojan.Scar |
AV | MicroWorld (escan) | Gen:Variant.Rodecap.1 |
AV | Fortinet | W32/Rodecap.BJ!tr |
AV | Ad-Aware | Gen:Variant.Rodecap.1 |
AV | Kaspersky | Trojan.Win32.Generic |
AV | ClamAV | no_virus |
AV | CA (E-Trust Ino) | no_virus |
AV | MalwareBytes | Trojan.Agent |
AV | Arcabit (arcavir) | Gen:Variant.Rodecap.1 |
AV | Mcafee | Trojan-FEVX!E0A40D9A7A4C |
AV | Twister | Trojan.Scar.iyes.fkks |
AV | Avira (antivir) | TR/Spy.ZBot.xbbeoiq |
AV | F-Secure | Gen:Variant.Rodecap.1 |
AV | Ikarus | Trojan.Win32.Rodecap |
AV | Rising | no_virus |
AV | Symantec | Downloader.Upatre!g15 |
AV | Grisoft (avg) | Win32/Cryptor |
AV | Authentium | W32/Nivdort.A.gen!Eldorado |
Runtime Details:
Process
↳ C:\malware.exe
Action | Target |
---|---|
Creates File | C:\tclsdcmtkkhop\q7tnhdhlkv |
Creates File | C:\tclsdcmtkkhop\uxw1mkxynxsccde.exe |
Creates File | C:\WINDOWS\tclsdcmtkkhop\q7tnhdhlkv |
Deletes File | C:\WINDOWS\tclsdcmtkkhop\q7tnhdhlkv |
Creates Process | C:\tclsdcmtkkhop\uxw1mkxynxsccde.exe |
Process
↳ C:\tclsdcmtkkhop\uxw1mkxynxsccde.exe
Action | Target |
---|---|
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Detection IP Drive Support ➝ C:\tclsdcmtkkhop\upiyneemlcy.exe |
Creates File | C:\tclsdcmtkkhop\q7tnhdhlkv |
Creates File | C:\tclsdcmtkkhop\uejfsp |
Creates File | C:\tclsdcmtkkhop\upiyneemlcy.exe |
Creates File | C:\WINDOWS\tclsdcmtkkhop\q7tnhdhlkv |
Deletes File | C:\WINDOWS\tclsdcmtkkhop\q7tnhdhlkv |
Creates Process | C:\tclsdcmtkkhop\upiyneemlcy.exe |
Creates Service | Isolation PC Defender UPnP - C:\tclsdcmtkkhop\upiyneemlcy.exe |
Process
↳ C:\WINDOWS\system32\svchost.exe
Process
↳ Pid 800
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe
Action | Target |
---|---|
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
Process
↳ Pid 1204
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Action | Target |
---|---|
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Process
↳ Pid 1868
Process
↳ Pid 1148
Process
↳ C:\tclsdcmtkkhop\upiyneemlcy.exe
Action | Target |
---|---|
Creates File | C:\tclsdcmtkkhop\q7tnhdhlkv |
Creates File | pipe\net\NtControlPipe10 |
Creates File | C:\tclsdcmtkkhop\qwkhpbvoxpzt.exe |
Creates File | C:\tclsdcmtkkhop\uejfsp |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\tclsdcmtkkhop\hfsjks |
Creates File | C:\WINDOWS\tclsdcmtkkhop\q7tnhdhlkv |
Deletes File | C:\WINDOWS\tclsdcmtkkhop\q7tnhdhlkv |
Creates Process | ne2npdyodtr2 "c:\tclsdcmtkkhop\upiyneemlcy.exe" |
Process
↳ C:\tclsdcmtkkhop\upiyneemlcy.exe
Action | Target |
---|---|
Creates File | C:\tclsdcmtkkhop\q7tnhdhlkv |
Creates File | C:\WINDOWS\tclsdcmtkkhop\q7tnhdhlkv |
Deletes File | C:\WINDOWS\tclsdcmtkkhop\q7tnhdhlkv |
Process
↳ ne2npdyodtr2 "c:\tclsdcmtkkhop\upiyneemlcy.exe"
Action | Target |
---|---|
Creates File | C:\tclsdcmtkkhop\q7tnhdhlkv |
Creates File | C:\WINDOWS\tclsdcmtkkhop\q7tnhdhlkv |
Deletes File | C:\WINDOWS\tclsdcmtkkhop\q7tnhdhlkv |
Network Details:
Raw Pcap
Strings