Analysis Date: 2014-06-26 00:18:20
MD5: 65438c4637486e412af264fca565a997
SHA1: 3ed126eda5f524ff4d372c9cbf6c3cf1ad39085e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 77d8a50a161f846bbb6af3ffafac4f6e, sha1 29c04b66290a9c50152f2c004f70a5974573d570, size 120832
Section .rdata: md5 43a1634ff1a3f089c1b027e1f4fdc1cb, sha1 c72f867e6c76847589df19b35686dde5aaf8763e, size 16384
Section .data: md5 5118d904ec495aa24972dc993e3c6e87, sha1 c6cb1f00e25569ba6fa6a84dbedc6994915ad0f1, size 16896
Timestamp (PE header, attacker-controlled): 2014-01-22 06:52:38
Packer: Microsoft Visual C++ ?.?
PEhash: 47b1fa308356fa8a4c374d64adfd9c5e40c7188f
IMPhash: 75824e242157ffe054c0a38939b81e1d

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Human Block Search Wired Support Link ➝ C:\Documents and Settings\Administrator\Application Data\kjopplzuqdlvrm\nalexusm.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\kjopplzuqdlvrm\nalexusm.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\kjopplzuqdlvrm\nalexusm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\kjopplzuqdlvrm\nalexusm.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\kjopplzuqdlvrm\dvzemztdt.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\kjopplzuqdlvrm\nalexusm.hvfh
Creates File: \Device\Afd\Endpoint (AFD socket endpoint: the process opens a network socket)
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\kjopplzuqdlvrm\nalexusm.exe" (re-launches its own image with an extra first argument)

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\kjopplzuqdlvrm\nalexusm.exe"
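Analyst check (added example, not part of the sandbox output above): the two host artefacts in this tree, a Run value that points into the per-user Application Data directory with random-looking path components, and a child that re-executes its parent's own image with the path passed as an argument after a non-path first token, can both be scored from registry and process telemetry. The Python below reconstructs them from the entries above; the PIDs, the benign comparison entries and the scoring thresholds are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed from the Run-key entry in the report above (value name, value data).
RUN_ENTRY = (
    "Human Block Search Wired Support Link",
    r"C:\Documents and Settings\Administrator\Application Data\kjopplzuqdlvrm\nalexusm.exe",
)

# Hypothetical benign entries for comparison; not from the report.
BENIGN_ENTRIES = [
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("ctfmon", r"C:\Windows\System32\ctfmon.exe"),
]

PER_USER_DIRS = ("\\application data\\", "\\appdata\\roaming\\", "\\appdata\\local\\")
RANDOM_TOKEN = re.compile(r"^[a-z]{8,}$")                       # long, letters only, all lowercase
WORD_SALAD = re.compile(r"^(?:[A-Z][a-z]+ ){3,}[A-Z][a-z]+$")    # four or more capitalised words


def score_run_entry(name, data):
    """Heuristic score for one HKCU\\...\\Run value; 3 or more is worth a look (threshold assumed)."""
    path = data.strip('"')
    parts = path.split("\\")
    directory, exe = parts[-2], parts[-1]
    stem = exe[:-4] if exe.lower().endswith(".exe") else exe
    score = 0
    if any(d in path.lower() for d in PER_USER_DIRS):
        score += 2  # binary lives in the user profile, not Program Files or Windows
    if RANDOM_TOKEN.match(directory):
        score += 1  # e.g. kjopplzuqdlvrm
    if RANDOM_TOKEN.match(stem):
        score += 1  # e.g. nalexusm
    if WORD_SALAD.match(name):
        score += 1  # e.g. "Human Block Search Wired Support Link"
    return score


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree above; the PIDs are assumed.
NALEXUSM = r"C:\Documents and Settings\Administrator\Application Data\kjopplzuqdlvrm\nalexusm.exe"
EVENTS = [
    ProcEvent(100, 1, r"C:\malware.exe", r"C:\malware.exe"),
    ProcEvent(200, 100, NALEXUSM, f'"{NALEXUSM}"'),
    ProcEvent(300, 200, NALEXUSM, f'WATCHDOGPROC "{NALEXUSM}"'),
]


def argv(cmdline):
    """Split a Windows command line into tokens, keeping double-quoted paths whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def self_relaunch_as_argument(events):
    """Children whose image equals the parent's image and whose command line
    carries that same image path as an argument after the first token."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or e.image.lower() != parent.image.lower():
            continue
        tokens = argv(e.cmdline)
        if any(t.lower() == e.image.lower() for t in tokens[1:]):
            hits.append(e)
    return hits


if __name__ == "__main__":
    print("run entry score:", score_run_entry(*RUN_ENTRY))
    for hit in self_relaunch_as_argument(EVENTS):
        print("watchdog-style relaunch:", hit.pid, hit.cmdline)
```

The relaunch check keys on the parent/child image being identical plus the image path reappearing as a later argument; that shape is independent of the literal WATCHDOGPROC token, so a renamed token in a later build still matches.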

Network Details:

DNS: doctordifferent.net (A) ➝ 184.168.221.43
DNS: prettydifferent.net (A) ➝ 23.236.62.147
DNS: machineclean.net (A) ➝ 208.109.181.40
DNS: foreignwomen.net (A) ➝ 184.168.221.59
DNS: rightclean.net (A) ➝ 192.232.250.174
DNS: rightcourse.net (A) ➝ 173.201.216.15
DNS: whetherwomen.net (A) ➝ 209.95.150.78
DNS: picturepaint.net (A) ➝ 50.63.202.53
DNS: doctorletter.net (A, no answer recorded)
DNS: prettyletter.net (A, no answer recorded)
DNS: fellowsurprise.net (A, no answer recorded)
DNS: doublesurprise.net (A, no answer recorded)
DNS: fellowbeside.net (A, no answer recorded)
DNS: doublebeside.net (A, no answer recorded)
DNS: fellowletter.net (A, no answer recorded)
DNS: doubleletter.net (A, no answer recorded)
DNS: fellowdifferent.net (A, no answer recorded)
DNS: doubledifferent.net (A, no answer recorded)
DNS: brokensurprise.net (A, no answer recorded)
DNS: resultsurprise.net (A, no answer recorded)
DNS: brokenbeside.net (A, no answer recorded)
DNS: resultbeside.net (A, no answer recorded)
DNS: brokenletter.net (A, no answer recorded)
DNS: resultletter.net (A, no answer recorded)
DNS: brokendifferent.net (A, no answer recorded)
DNS: resultdifferent.net (A, no answer recorded)
DNS: preparesurprise.net (A, no answer recorded)
DNS: desiresurprise.net (A, no answer recorded)
DNS: preparebeside.net (A, no answer recorded)
DNS: desirebeside.net (A, no answer recorded)
DNS: prepareletter.net (A, no answer recorded)
DNS: desireletter.net (A, no answer recorded)
DNS: preparedifferent.net (A, no answer recorded)
DNS: desiredifferent.net (A, no answer recorded)
DNS: strengthsurprise.net (A, no answer recorded)
DNS: stillsurprise.net (A, no answer recorded)
DNS: strengthbeside.net (A, no answer recorded)
DNS: stillbeside.net (A, no answer recorded)
DNS: strengthletter.net (A, no answer recorded)
DNS: stillletter.net (A, no answer recorded)
DNS: strengthdifferent.net (A, no answer recorded)
DNS: stilldifferent.net (A, no answer recorded)
DNS: expectclean.net (A, no answer recorded)
DNS: becauseclean.net (A, no answer recorded)
DNS: expectpaint.net (A, no answer recorded)
DNS: becausepaint.net (A, no answer recorded)
DNS: expectcourse.net (A, no answer recorded)
DNS: becausecourse.net (A, no answer recorded)
DNS: expectwomen.net (A, no answer recorded)
DNS: becausewomen.net (A, no answer recorded)
DNS: personclean.net (A, no answer recorded)
DNS: personpaint.net (A, no answer recorded)
DNS: machinepaint.net (A, no answer recorded)
DNS: personcourse.net (A, no answer recorded)
DNS: machinecourse.net (A, no answer recorded)
DNS: personwomen.net (A, no answer recorded)
DNS: machinewomen.net (A, no answer recorded)
DNS: suddenclean.net (A, no answer recorded)
DNS: foreignclean.net (A, no answer recorded)
DNS: suddenpaint.net (A, no answer recorded)
DNS: foreignpaint.net (A, no answer recorded)
DNS: suddencourse.net (A, no answer recorded)
DNS: foreigncourse.net (A, no answer recorded)
DNS: suddenwomen.net (A, no answer recorded)
DNS: whetherclean.net (A, no answer recorded)
DNS: whetherpaint.net (A, no answer recorded)
DNS: rightpaint.net (A, no answer recorded)
DNS: whethercourse.net (A, no answer recorded)
DNS: rightwomen.net (A, no answer recorded)
DNS: figureclean.net (A, no answer recorded)
DNS: thoughclean.net (A, no answer recorded)
DNS: figurepaint.net (A, no answer recorded)
DNS: thoughpaint.net (A, no answer recorded)
DNS: figurecourse.net (A, no answer recorded)
DNS: thoughcourse.net (A, no answer recorded)
DNS: figurewomen.net (A, no answer recorded)
DNS: thoughwomen.net (A, no answer recorded)
DNS: pictureclean.net (A, no answer recorded)
DNS: cigaretteclean.net (A, no answer recorded)
DNS: cigarettepaint.net (A, no answer recorded)
DNS: picturecourse.net (A, no answer recorded)
DNS: cigarettecourse.net (A, no answer recorded)
DNS: picturewomen.net (A, no answer recorded)
DNS: cigarettewomen.net (A, no answer recorded)
DNS: childrenclean.net (A, no answer recorded)
HTTP GET: http://doctordifferent.net/forum/search.php?email=matt_buchanan85@yahoo.com&method=post
User-Agent: (none recorded)
HTTP GET: http://prettydifferent.net/forum/search.php?email=matt_buchanan85@yahoo.com&method=post
User-Agent: (none recorded)
HTTP GET: http://machineclean.net/forum/search.php?email=matt_buchanan85@yahoo.com&method=post
User-Agent: (none recorded)
HTTP GET: http://foreignwomen.net/forum/search.php?email=matt_buchanan85@yahoo.com&method=post
User-Agent: (none recorded)
HTTP GET: http://rightclean.net/forum/search.php?email=matt_buchanan85@yahoo.com&method=post
User-Agent: (none recorded)
HTTP GET: http://rightcourse.net/forum/search.php?email=matt_buchanan85@yahoo.com&method=post
User-Agent: (none recorded)
HTTP GET: http://whetherwomen.net/forum/search.php?email=matt_buchanan85@yahoo.com&method=post
User-Agent: (none recorded)
HTTP GET: http://picturepaint.net/forum/search.php?email=matt_buchanan85@yahoo.com&method=post
User-Agent: (none recorded)
Flow TCP: 192.168.1.1:1031 ➝ 184.168.221.43:80
Flow TCP: 192.168.1.1:1032 ➝ 23.236.62.147:80
Flow TCP: 192.168.1.1:1033 ➝ 208.109.181.40:80
Flow TCP: 192.168.1.1:1034 ➝ 184.168.221.59:80
Flow TCP: 192.168.1.1:1035 ➝ 192.232.250.174:80
Flow TCP: 192.168.1.1:1036 ➝ 173.201.216.15:80
Flow TCP: 192.168.1.1:1037 ➝ 209.95.150.78:80
Flow TCP: 192.168.1.1:1038 ➝ 50.63.202.53:80
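Analyst check (added example, not part of the sandbox output above): the 85 A-record lookups are all built from an ordered pair of dictionary words under .net, only 8 answered, and every answered name then received the same GET (/forum/search.php with an email and method parameter, no User-Agent). The Python below turns those observations into an ordered word-pair regex, a resolution summary and an HTTP fingerprint, so the same shape can be hunted in DNS and proxy logs. The word lists and the sample observations are taken from the report; the list is a 24-name subset, and the 0.5 resolution-ratio threshold is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Word lists recovered from the domains in the report above. The first word and
# the second word never swap position, so the pattern is ordered.
FIRST = ["doctor", "pretty", "machine", "foreign", "right", "whether", "picture",
         "fellow", "double", "broken", "result", "prepare", "desire", "strength",
         "still", "expect", "because", "person", "sudden", "figure", "though",
         "cigarette", "children"]
SECOND = ["different", "clean", "women", "course", "letter", "surprise",
          "beside", "paint"]

# Subset of the DNS observations above: (name, A record), None where no answer was recorded.
DNS_OBSERVATIONS = [
    ("doctordifferent.net", "184.168.221.43"),
    ("prettydifferent.net", "23.236.62.147"),
    ("machineclean.net", "208.109.181.40"),
    ("foreignwomen.net", "184.168.221.59"),
    ("rightclean.net", "192.232.250.174"),
    ("rightcourse.net", "173.201.216.15"),
    ("whetherwomen.net", "209.95.150.78"),
    ("picturepaint.net", "50.63.202.53"),
    ("doctorletter.net", None), ("prettyletter.net", None),
    ("fellowsurprise.net", None), ("doublesurprise.net", None),
    ("brokenbeside.net", None), ("resultbeside.net", None),
    ("preparedifferent.net", None), ("desireletter.net", None),
    ("strengthletter.net", None), ("stilldifferent.net", None),
    ("expectwomen.net", None), ("becausepaint.net", None),
    ("personcourse.net", None), ("suddenpaint.net", None),
    ("figureclean.net", None), ("childrenclean.net", None),
]

# The HTTP requests above: one GET per answered name, User-Agent empty in every case.
HTTP_REQUESTS = [
    (f"http://{name}/forum/search.php?email=matt_buchanan85@yahoo.com&method=post", "")
    for name, ip in DNS_OBSERVATIONS if ip
]


def build_domain_pattern(first=FIRST, second=SECOND, tld="net"):
    """Anchored regex for <first-word><second-word>.<tld>; order of the two words matters."""
    alt = lambda words: "|".join(map(re.escape, words))
    return re.compile(rf"^(?:{alt(first)})(?:{alt(second)})\.{tld}$", re.IGNORECASE)


DOMAIN_PATTERN = build_domain_pattern()


def dns_summary(observations, pattern=DOMAIN_PATTERN):
    """How many lookups fit the word-pair pattern, how many resolved, and to what."""
    matched = [name for name, _ in observations if pattern.match(name)]
    resolved = [(name, ip) for name, ip in observations if ip]
    return {
        "queried": len(observations),
        "pattern_matches": len(matched),
        "resolved": len(resolved),
        "resolved_hosts": sorted({ip for _, ip in resolved}),
    }


def is_dga_candidate(summary, max_resolution_ratio=0.5):
    """Every lookup fits the pattern and most never resolve: the shape seen in this run."""
    return (summary["pattern_matches"] == summary["queried"]
            and summary["resolved"] / summary["queried"] <= max_resolution_ratio)


def http_fingerprint(requests):
    """Common path, query keys and empty-User-Agent count across the requests."""
    paths, keys, empty_ua = set(), set(), 0
    for url, user_agent in requests:
        parts = urlsplit(url)
        paths.add(parts.path)
        keys.update(parse_qs(parts.query).keys())
        empty_ua += user_agent.strip() == ""
    return {"paths": paths, "query_keys": keys,
            "empty_user_agent": empty_ua, "total": len(requests)}


if __name__ == "__main__":
    summary = dns_summary(DNS_OBSERVATIONS)
    print(summary, "dga candidate:", is_dga_candidate(summary))
    print(http_fingerprint(HTTP_REQUESTS))
    print(DOMAIN_PATTERN.pattern)
```

The regex is the durable artefact: the resolved IPs and the registrant-facing query string can change between runs, while the word lists are baked into the sample, so matching the ordered pair against DNS query logs catches lookups that never resolved and therefore never produced a flow.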