Analysis Date: 2015-05-12 23:10:11

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 4f379e00fabd418d3a2af997dce6ec5f sha1: 334a86cf7043fa8c5f6784aa8e6fd06ef7640a4b size: 297472
Section .rdata md5: 117780639e5bba7707cd487c5531bb1c sha1: 7386e34a01ec01bd8e2e78d64fad8a4fe0379c60 size: 32768
Section (name not captured in report) md5: aa960300a6c3e9e516201674f29a316e sha1: 569d67134b383b27443bdf300d20635e366b0678 size: 95232
Timestamp: 2014-10-30 10:05:30
Packer: Microsoft Visual C++ ?.?

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Filtering UPnP Defragmenter Function Defender ➝ C:\Documents and Settings\Administrator\Application Data\voyvkyqivvk\phasahz.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\voyvkyqivvk\phasahz.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\voyvkyqivvk\phasahz.exe

↳ C:\Documents and Settings\Administrator\Application Data\voyvkyqivvk\phasahz.exe

Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\voyvkyqivvk\phasahz.kbovn
Creates File: C:\Documents and Settings\Administrator\Application Data\voyvkyqivvk\ydkgstosdla.exe
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\voyvkyqivvk\phasahz.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\voyvkyqivvk\phasahz.exe"

Network Details:
Flows TCP: 192.168.1.1:1031 ➝
Flows TCP: 192.168.1.1:1032 ➝
Flows TCP: 192.168.1.1:1033 ➝
Flows TCP: 192.168.1.1:1034 ➝
Flows TCP: 192.168.1.1:1035 ➝
Flows TCP: 192.168.1.1:1036 ➝
Flows TCP: 192.168.1.1:1037 ➝
Flows TCP: 192.168.1.1:1038 ➝
Flows TCP: 192.168.1.1:1039 ➝
Flows TCP: 192.168.1.1:1040 ➝
Flows TCP: 192.168.1.1:1041 ➝

Raw Pcap

An application has made an attempt to load the C runtime library incorrectly.
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
 Complete Object Locator'
`copy constructor closure'
- CRT not initialized
dddd, MMMM dd, yyyy
`default constructor closure'
DOMAIN error
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
- floating point support not loaded
invalid string position
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
Microsoft Visual C++ Runtime Library
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
`omni callsig'
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
<program name unknown>
- pure virtual function call
runtime error 
Runtime Error!
`scalar deleting destructor'
SING error
string too long
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
TLOSS error
 Type Descriptor'
`udt returning'
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Unknown exception
`vbase destructor'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`virtual displacement map'
