Analysis Date: 2014-09-19 03:53:50

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 97b594c2bc27997fe69b34a4ae7ae067 sha1: c99148f49b7f7595e130a0e25442a1541345e1d9 size: 298496
Section .rdata md5: 1ccce4278c9700b5699b52493c9e1ec4 sha1: 25f90134d1395113938e7a6e80eb7aad536f97b7 size: 34304
Section [section name missing in extraction] md5: e65c16945ed7f501686f936725712bd5 sha1: f3efdac258bcf9a46b2195cb8b8aa0613b24d4f0 size: 101376
Timestamp: 2014-07-24 05:35:11
Packer: Microsoft Visual C++ ?.?

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Counter Center Driver UPnP DNS Upgrade ➝
C:\Documents and Settings\Administrator\Application Data\bfopekrkk\bskwqtxa.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\bfopekrkk\bskwqtxa.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\bfopekrkk\bskwqtxa.exe

↳ C:\Documents and Settings\Administrator\Application Data\bfopekrkk\bskwqtxa.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\bfopekrkk\bskwqtxa.dqz
Creates File: C:\Documents and Settings\Administrator\Application Data\bfopekrkk\ksvlcqzm.exe
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\bfopekrkk\bskwqtxa.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\bfopekrkk\bskwqtxa.exe"

Network Details:
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Flows TCP: 192.168.1.1:1031 ➝
Flows TCP: 192.168.1.1:1032 ➝
Flows TCP: 192.168.1.1:1033 ➝
Flows TCP: 192.168.1.1:1034 ➝
Flows TCP: 192.168.1.1:1035 ➝
Flows TCP: 192.168.1.1:1036 ➝
Flows TCP: 192.168.1.1:1037 ➝
Flows TCP: 192.168.1.1:1038 ➝
Flows TCP: 192.168.1.1:1039 ➝
Flows TCP: 192.168.1.1:1040 ➝

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d637261 7a796375 62616e35   mail=crazycuban5
0x00000020 (00032)   34407961 686f6f2e 636f6d26 6d657468   4@yahoo.com&meth
0x00000030 (00048)   6f643d70 6f737420 48545450 2f312e30   od=post HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 71756965 74737061   ..Host: quietspa
0x00000070 (00112)   63652e6e 65740d0a 0d0a                ce.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d637261 7a796375 62616e35   mail=crazycuban5
0x00000020 (00032)   34407961 686f6f2e 636f6d26 6d657468   4@yahoo.com&meth
0x00000030 (00048)   6f643d70 6f737420 48545450 2f312e30   od=post HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 7468696e 6b626579   ..Host: thinkbey
0x00000070 (00112)   6f6e642e 6e65740d 0a0d0a               ond.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d637261 7a796375 62616e35   mail=crazycuban5
0x00000020 (00032)   34407961 686f6f2e 636f6d26 6d657468   4@yahoo.com&meth
0x00000030 (00048)   6f643d70 6f737420 48545450 2f312e30   od=post HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 70726573 656e7462   ..Host: presentb
0x00000070 (00112)   65696e67 2e6e6574 0d0a0d0a            eing.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d637261 7a796375 62616e35   mail=crazycuban5
0x00000020 (00032)   34407961 686f6f2e 636f6d26 6d657468   4@yahoo.com&meth
0x00000030 (00048)   6f643d70 6f737420 48545450 2f312e30   od=post HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 63686965 66626569   ..Host: chiefbei
0x00000070 (00112)   6e672e6e 65740d0a 0d0a0d0a            ng.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d637261 7a796375 62616e35   mail=crazycuban5
0x00000020 (00032)   34407961 686f6f2e 636f6d26 6d657468   4@yahoo.com&meth
0x00000030 (00048)   6f643d70 6f737420 48545450 2f312e30   od=post HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 7477656c 7665666f   ..Host: twelvefo
0x00000070 (00112)   72657665 722e6e65 740d0a0d 0a         rever.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d637261 7a796375 62616e35   mail=crazycuban5
0x00000020 (00032)   34407961 686f6f2e 636f6d26 6d657468   4@yahoo.com&meth
0x00000030 (00048)   6f643d70 6f737420 48545450 2f312e30   od=post HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 68697374 6f727966   ..Host: historyf
0x00000070 (00112)   6f726576 65722e6e 65740d0a 0d0a       orever.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d637261 7a796375 62616e35   mail=crazycuban5
0x00000020 (00032)   34407961 686f6f2e 636f6d26 6d657468   4@yahoo.com&meth
0x00000030 (00048)   6f643d70 6f737420 48545450 2f312e30   od=post HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 77656174 68657266   ..Host: weatherf
0x00000070 (00112)   6f726576 65722e6e 65740d0a 0d0a       orever.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d637261 7a796375 62616e35   mail=crazycuban5
0x00000020 (00032)   34407961 686f6f2e 636f6d26 6d657468   4@yahoo.com&meth
0x00000030 (00048)   6f643d70 6f737420 48545450 2f312e30   od=post HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 636c6173 73626579   ..Host: classbey
0x00000070 (00112)   6f6e642e 6e65740d 0a0d0a0a 0d0a       ond.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d637261 7a796375 62616e35   mail=crazycuban5
0x00000020 (00032)   34407961 686f6f2e 636f6d26 6d657468   4@yahoo.com&meth
0x00000030 (00048)   6f643d70 6f737420 48545450 2f312e30   od=post HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 7468696e 6b666c6f   ..Host: thinkflo
0x00000070 (00112)   7765722e 6e65740d 0a0d0a0a 0d0a       wer.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d637261 7a796375 62616e35   mail=crazycuban5
0x00000020 (00032)   34407961 686f6f2e 636f6d26 6d657468   4@yahoo.com&meth
0x00000030 (00048)   6f643d70 6f737420 48545450 2f312e30   od=post HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 70726573 656e7466   ..Host: presentf
0x00000070 (00112)   6c6f7765 722e6e65 740d0a0d 0a0a       lower.net.....

