Analysis Date: 2015-09-29 16:37:35
MD5: 2541a64e9865d48afc2f73bfb2d71e31
SHA1: f62c548206a576113322a8a5c45f5dc780f7a036

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 10bee2d034c9926e90b80660a33bf130 sha1: bdfaf30994ebfcdc73cd3401d8945a88eb36be95 size: 154112
Section .rdata: md5: cf751d6bd17a99d3fb54d80184c141a7 sha1: 41763eb2fc7b007e3c46800ca93f20a20fb32018 size: 38400
Section .data: md5: 7c21f078551311a5c9152a2f4d79acfa sha1: 0a8d27a10383d02920892aa20a7cc37a57a45fcd size: 6656
Timestamp: 2015-03-13 09:37:02
Packer: Microsoft Visual C++ ?.?
PEhash: e5f8f2f3c28561288c5b4f8c84bb39c392d48db3
IMPhash: 42bb6aa5967b54e6842b31634cd6d8e5
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Rodecap.1
AV Dr. Web: Trojan.DownLoader14.730
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Rodecap.1
AV BullGuard: Gen:Variant.Rodecap.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.Rodecap.Win32.2172
AV Emsisoft: Gen:Variant.Rodecap.1
AV Ikarus: Trojan.Win32.Rodecap
AV Frisk (f-prot): no_virus
AV Authentium: W32/Scar.U.gen!Eldorado
AV MalwareBytes: Trojan.Agent
AV MicroWorld (escan): Gen:Variant.Rodecap.1
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AV
AV K7: Trojan ( 004bdb0b1 )
AV BitDefender: Gen:Variant.Rodecap.1
AV Fortinet: W32/Rodecap.BJ!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Rodecap.BJ
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Rodecap.1
AV Rising: no_virus
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.72080
AV Mcafee: Trojan-FEVX!2541A64E9865

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\gcvmworfo\llyzj4gpffo
Creates File: C:\gcvmworfo\ez1r1k6kwpqynkth3i.exe
Creates File: C:\WINDOWS\gcvmworfo\llyzj4gpffo
Deletes File: C:\WINDOWS\gcvmworfo\llyzj4gpffo
Creates Process: C:\gcvmworfo\ez1r1k6kwpqynkth3i.exe

Process
↳ C:\gcvmworfo\ez1r1k6kwpqynkth3i.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft IPsec Encryption Accounts ➝ C:\gcvmworfo\myjlynhrr.exe
Creates File: C:\gcvmworfo\llyzj4gpffo
Creates File: C:\gcvmworfo\myjlynhrr.exe
Creates File: C:\gcvmworfo\us6fr3ixrgaw
Creates File: C:\WINDOWS\gcvmworfo\llyzj4gpffo
Deletes File: C:\WINDOWS\gcvmworfo\llyzj4gpffo
Creates Process: C:\gcvmworfo\myjlynhrr.exe
Creates Service: List HomeGroup Color Files - C:\gcvmworfo\myjlynhrr.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 820

Process
↳ Pid 864

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1220

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1852

Process
↳ Pid 1148

Process
↳ C:\gcvmworfo\myjlynhrr.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\gcvmworfo\llyzj4gpffo
Creates File: C:\gcvmworfo\ygyxmpcj.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\gcvmworfo\ebce210qcis
Creates File: C:\gcvmworfo\us6fr3ixrgaw
Creates File: C:\WINDOWS\gcvmworfo\llyzj4gpffo
Deletes File: C:\WINDOWS\gcvmworfo\llyzj4gpffo
Creates Process: wmxcox9qx6x6 "c:\gcvmworfo\myjlynhrr.exe"

Process
↳ C:\gcvmworfo\myjlynhrr.exe

Creates File: C:\gcvmworfo\llyzj4gpffo
Creates File: C:\WINDOWS\gcvmworfo\llyzj4gpffo
Deletes File: C:\WINDOWS\gcvmworfo\llyzj4gpffo

Process
↳ wmxcox9qx6x6 "c:\gcvmworfo\myjlynhrr.exe"

Creates File: C:\gcvmworfo\llyzj4gpffo
Creates File: C:\WINDOWS\gcvmworfo\llyzj4gpffo
Deletes File: C:\WINDOWS\gcvmworfo\llyzj4gpffo
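The runtime trace above shows the same binary, C:\gcvmworfo\myjlynhrr.exe, registered twice for persistence: once as a Run value with a Windows-sounding name ("Microsoft IPsec Encryption Accounts") and once as a service ("List HomeGroup Color Files"). Both the directory and the file names are generated strings. The script below is an added example, not part of the sandbox report or the malware: it triages autostart events whose image path sits outside the usual install locations in a random-looking directory, and groups hits by binary so the Run value and the service surface as one cluster. The event line format, the benign events, the trusted-location list and the naming heuristic thresholds are assumptions; only the two malicious entries are taken from the report.

```python
"""Triage autostart entries whose binary lives in a random-named directory
outside the usual install locations, the persistence pattern the run above
records (a Run value and a service both pointing at C:\\gcvmworfo\\myjlynhrr.exe).

Added example, not part of the sandbox report. The event line format, the
benign events, the trusted prefixes and the heuristic thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed events, '<kind>|<registry value or service name>|<image path>'.
# The first two reproduce the Run value and the service from the report; the
# rest are invented benign entries for contrast.
SAMPLE_EVENTS = [
    "registry_set|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft IPsec Encryption Accounts|C:\\gcvmworfo\\myjlynhrr.exe",
    "service_install|List HomeGroup Color Files|C:\\gcvmworfo\\myjlynhrr.exe",
    "registry_set|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth|C:\\WINDOWS\\system32\\SecurityHealthSystray.exe",
    "service_install|Spooler|C:\\WINDOWS\\System32\\spoolsv.exe",
    "registry_set|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Dropbox|C:\\Users\\alice\\AppData\\Roaming\\Dropbox\\bin\\Dropbox.exe",
]

# Locations where an autostart binary is expected; anything else gets the name check.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
VOWELS = set("aeiou")


def looks_random(label):
    """Heuristic for generated names such as 'gcvmworfo' or 'ez1r1k6kwpqynkth3i':
    a letter run with under 25% vowels, or letters interleaved with digits.
    The rule and the threshold are assumptions tuned to the names in this report."""
    stem = re.sub(r"\.exe$", "", label.lower())
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 6 or not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    mixed = any(c.isdigit() for c in stem) and len(letters) >= 4
    return vowel_ratio < 0.25 or mixed


def path_labels(image_path):
    """Directory and file labels of a Windows path, lower-cased, drive letter dropped."""
    norm = image_path.strip('"').replace("/", "\\").lower()
    return [p for p in norm.split("\\") if p and not re.fullmatch(r"[a-z]:", p)]


def suspicious_autostart(event_line):
    """Return a reason string when the event deserves a look, otherwise None."""
    kind, name, image = event_line.split("|", 2)
    if kind not in ("registry_set", "service_install"):
        return None
    if kind == "registry_set" and "\\currentversion\\run" not in name.lower():
        return None  # only Run/RunOnce-style values are autostarts
    if image.strip('"').lower().startswith(TRUSTED_PREFIXES):
        return None
    random_labels = [p for p in path_labels(image) if looks_random(p)]
    if not random_labels:
        return None
    return f"{kind} '{name}' -> {image} (random-looking: {', '.join(random_labels)})"


def triage(events):
    """Group findings by binary, so a Run value and a service that point at the
    same file (as in the report) surface as one persistence cluster."""
    by_image = defaultdict(list)
    for ev in events:
        reason = suspicious_autostart(ev)
        if reason:
            by_image[ev.split("|", 2)[2].strip('"').lower()].append(reason)
    return dict(by_image)


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS).items():
        print(image)
        for r in reasons:
            print("  ", r)
```

The output is a hunt lead, not a verdict: installers that drop into %TEMP% with digit-laden folder names will also trip the name check, so the location test and the clustering matter more than any single heuristic. Adding Sysmon event IDs 13 (registry value set) and 7045/4697 (service installed) as the real event sources is the obvious next step.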

Network Details:

DNS: effortadvance.net (Type: A) ➝ 95.211.230.75
DNS: chairproblem.net (Type: A) ➝ 95.211.230.75
DNS: thosegoodbye.net (Type: A)
DNS: chairfortieth.net (Type: A)
DNS: thosefortieth.net (Type: A)
DNS: withinadvance.net (Type: A)
DNS: sufferadvance.net (Type: A)
DNS: withinstranger.net (Type: A)
DNS: sufferstranger.net (Type: A)
DNS: withingoodbye.net (Type: A)
DNS: suffergoodbye.net (Type: A)
DNS: withinfortieth.net (Type: A)
DNS: sufferfortieth.net (Type: A)
DNS: throughadvance.net (Type: A)
DNS: effortstranger.net (Type: A)
DNS: throughstranger.net (Type: A)
DNS: effortgoodbye.net (Type: A)
DNS: throughgoodbye.net (Type: A)
DNS: effortfortieth.net (Type: A)
DNS: throughfortieth.net (Type: A)
DNS: forgetadvance.net (Type: A)
DNS: increaseadvance.net (Type: A)
DNS: forgetstranger.net (Type: A)
DNS: increasestranger.net (Type: A)
DNS: forgetgoodbye.net (Type: A)
DNS: increasegoodbye.net (Type: A)
DNS: forgetfortieth.net (Type: A)
DNS: increasefortieth.net (Type: A)
DNS: wouldadvance.net (Type: A)
DNS: rememberadvance.net (Type: A)
DNS: wouldstranger.net (Type: A)
DNS: rememberstranger.net (Type: A)
DNS: wouldgoodbye.net (Type: A)
DNS: remembergoodbye.net (Type: A)
DNS: wouldfortieth.net (Type: A)
DNS: rememberfortieth.net (Type: A)
DNS: journeyescape.net (Type: A)
DNS: husbandescape.net (Type: A)
DNS: journeyanimal.net (Type: A)
DNS: husbandanimal.net (Type: A)
DNS: journeyproblem.net (Type: A)
DNS: husbandproblem.net (Type: A)
DNS: journeymodern.net (Type: A)
DNS: husbandmodern.net (Type: A)
DNS: destroyescape.net (Type: A)
DNS: littleescape.net (Type: A)
DNS: destroyanimal.net (Type: A)
DNS: littleanimal.net (Type: A)
DNS: destroyproblem.net (Type: A)
DNS: littleproblem.net (Type: A)
DNS: destroymodern.net (Type: A)
DNS: littlemodern.net (Type: A)
DNS: riddenescape.net (Type: A)
DNS: belongescape.net (Type: A)
DNS: riddenanimal.net (Type: A)
DNS: belonganimal.net (Type: A)
DNS: riddenproblem.net (Type: A)
DNS: belongproblem.net (Type: A)
DNS: riddenmodern.net (Type: A)
DNS: belongmodern.net (Type: A)
DNS: chairescape.net (Type: A)
DNS: thoseescape.net (Type: A)
DNS: chairanimal.net (Type: A)
DNS: thoseanimal.net (Type: A)
DNS: thoseproblem.net (Type: A)
DNS: chairmodern.net (Type: A)
DNS: thosemodern.net (Type: A)
DNS: withinescape.net (Type: A)
DNS: sufferescape.net (Type: A)
DNS: withinanimal.net (Type: A)
DNS: sufferanimal.net (Type: A)
DNS: withinproblem.net (Type: A)
DNS: sufferproblem.net (Type: A)
DNS: withinmodern.net (Type: A)
DNS: suffermodern.net (Type: A)
DNS: effortescape.net (Type: A)
DNS: throughescape.net (Type: A)
DNS: effortanimal.net (Type: A)
DNS: throughanimal.net (Type: A)
DNS: effortproblem.net (Type: A)
DNS: throughproblem.net (Type: A)
DNS: effortmodern.net (Type: A)
DNS: throughmodern.net (Type: A)
DNS: forgetescape.net (Type: A)
DNS: increaseescape.net (Type: A)
HTTP GET: http://effortadvance.net/index.php?method&len
User-Agent:
HTTP GET: http://chairproblem.net/index.php?method&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1032 ➝ 95.211.230.75:80
