Analysis Date: 2015-05-13 00:22:53

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: 480d7bb8a73a0def820d2bfe3aabc97e sha1: 3d15937783c3f995c8ec9ff1dbb84f66e35f751c size: 299008
Section .rdata — md5: 08e85e14e871fa1edfff4f78c90e82ba sha1: 80a13fe0d335eb352e54c9411051cc8f781e68c8 size: 34304
Section (name not recorded in this report) — md5: 32e489e75d9ae3b52ae2df446cbea6e5 sha1: 64ab87701a1b6a04207a273f37b37e7681eee0f7 size: 97792
Timestamp (PE compile time): 2014-10-30 09:50:40
Packer / compiler: Microsoft Visual C++ ?.? (version not identified)

Runtime Details:


↳ C:\malware.exe

Registry (autorun persistence): HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Copy Software Class Defragmenter SNMP ➝
C:\Documents and Settings\Administrator\Application Data\runlriiyfxdr\oelznsxxnztx.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\runlriiyfxdr\oelznsxxnztx.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\runlriiyfxdr\oelznsxxnztx.exe

↳ C:\Documents and Settings\Administrator\Application Data\runlriiyfxdr\oelznsxxnztx.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\runlriiyfxdr\walsalck.exe
Creates File (directory): C:\Documents and Settings\Administrator\Application Data\runlriiyfxdr\
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\runlriiyfxdr\oelznsxxnztx.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\runlriiyfxdr\oelznsxxnztx.exe"

Network Details:
Flows TCP: 192.168.1.1:1031 ➝ (destination not recorded in this report)
Flows TCP: 192.168.1.1:1032 ➝ (destination not recorded in this report)
Flows TCP: 192.168.1.1:1033 ➝ (destination not recorded in this report)
Flows TCP: 192.168.1.1:1034 ➝ (destination not recorded in this report)
Flows TCP: 192.168.1.1:1035 ➝ (destination not recorded in this report)
Flows TCP: 192.168.1.1:1036 ➝ (destination not recorded in this report)
Flows TCP: 192.168.1.1:1037 ➝ (destination not recorded in this report)
Flows TCP: 192.168.1.1:1038 ➝ (destination not recorded in this report)
Flows TCP: 192.168.1.1:1039 ➝ (destination not recorded in this report)

Raw Pcap (one HTTP GET per flow; the Host header differs per request while the request line is identical):
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d636f6e 7374616e 74696e76   mail=constantinv
0x00000020 (00032)   6963746f 72697461 40796168 6f6f2e63   ictorita@yahoo.c
0x00000030 (00048)   6f6d266d 6574686f 643d706f 7374266c   om&method=post&l
0x00000040 (00064)   656e2048 5454502f 312e300d 0a416363   en HTTP/1.0..Acc
0x00000050 (00080)   6570743a 202a2f2a 0d0a436f 6e6e6563   ept: */*..Connec
0x00000060 (00096)   74696f6e 3a20636c 6f73650d 0a486f73   tion: close..Hos
0x00000070 (00112)   743a2066 6c696572 6265666f 72652e6e   t: flierbefore.n
0x00000080 (00128)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d636f6e 7374616e 74696e76   mail=constantinv
0x00000020 (00032)   6963746f 72697461 40796168 6f6f2e63   ictorita@yahoo.c
0x00000030 (00048)   6f6d266d 6574686f 643d706f 7374266c   om&method=post&l
0x00000040 (00064)   656e2048 5454502f 312e300d 0a416363   en HTTP/1.0..Acc
0x00000050 (00080)   6570743a 202a2f2a 0d0a436f 6e6e6563   ept: */*..Connec
0x00000060 (00096)   74696f6e 3a20636c 6f73650d 0a486f73   tion: close..Hos
0x00000070 (00112)   743a206e 69676874 73707269 6e672e6e   t: nightspring.n
0x00000080 (00128)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d636f6e 7374616e 74696e76   mail=constantinv
0x00000020 (00032)   6963746f 72697461 40796168 6f6f2e63   ictorita@yahoo.c
0x00000030 (00048)   6f6d266d 6574686f 643d706f 7374266c   om&method=post&l
0x00000040 (00064)   656e2048 5454502f 312e300d 0a416363   en HTTP/1.0..Acc
0x00000050 (00080)   6570743a 202a2f2a 0d0a436f 6e6e6563   ept: */*..Connec
0x00000060 (00096)   74696f6e 3a20636c 6f73650d 0a486f73   tion: close..Hos
0x00000070 (00112)   743a2063 61707461 696e7375 63636573   t: captainsucces
0x00000080 (00128)   732e6e65 740d0a0d 0a        

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d636f6e 7374616e 74696e76   mail=constantinv
0x00000020 (00032)   6963746f 72697461 40796168 6f6f2e63   ictorita@yahoo.c
0x00000030 (00048)   6f6d266d 6574686f 643d706f 7374266c   om&method=post&l
0x00000040 (00064)   656e2048 5454502f 312e300d 0a416363   en HTTP/1.0..Acc
0x00000050 (00080)   6570743a 202a2f2a 0d0a436f 6e6e6563   ept: */*..Connec
0x00000060 (00096)   74696f6e 3a20636c 6f73650d 0a486f73   tion: close..Hos
0x00000070 (00112)   743a2065 6c656374 72696373 7072696e   t: electricsprin
0x00000080 (00128)   672e6e65 740d0a0d 0a        

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d636f6e 7374616e 74696e76   mail=constantinv
0x00000020 (00032)   6963746f 72697461 40796168 6f6f2e63   ictorita@yahoo.c
0x00000030 (00048)   6f6d266d 6574686f 643d706f 7374266c   om&method=post&l
0x00000040 (00064)   656e2048 5454502f 312e300d 0a416363   en HTTP/1.0..Acc
0x00000050 (00080)   6570743a 202a2f2a 0d0a436f 6e6e6563   ept: */*..Connec
0x00000060 (00096)   74696f6e 3a20636c 6f73650d 0a486f73   tion: close..Hos
0x00000070 (00112)   743a2074 72616465 73707269 6e672e6e   t: tradespring.n
0x00000080 (00128)   65740d0a 0d0a0a0d 0a                  et.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d636f6e 7374616e 74696e76   mail=constantinv
0x00000020 (00032)   6963746f 72697461 40796168 6f6f2e63   ictorita@yahoo.c
0x00000030 (00048)   6f6d266d 6574686f 643d706f 7374266c   om&method=post&l
0x00000040 (00064)   656e2048 5454502f 312e300d 0a416363   en HTTP/1.0..Acc
0x00000050 (00080)   6570743a 202a2f2a 0d0a436f 6e6e6563   ept: */*..Connec
0x00000060 (00096)   74696f6e 3a20636c 6f73650d 0a486f73   tion: close..Hos
0x00000070 (00112)   743a2073 74726565 74737563 63657373   t: streetsuccess
0x00000080 (00128)   2e6e6574 0d0a0d0a 0a                  .net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d636f6e 7374616e 74696e76   mail=constantinv
0x00000020 (00032)   6963746f 72697461 40796168 6f6f2e63   ictorita@yahoo.c
0x00000030 (00048)   6f6d266d 6574686f 643d706f 7374266c   om&method=post&l
0x00000040 (00064)   656e2048 5454502f 312e300d 0a416363   en HTTP/1.0..Acc
0x00000050 (00080)   6570743a 202a2f2a 0d0a436f 6e6e6563   ept: */*..Connec
0x00000060 (00096)   74696f6e 3a20636c 6f73650d 0a486f73   tion: close..Hos
0x00000070 (00112)   743a2073 74726565 7462616e 6b65722e   t: streetbanker.
0x00000080 (00128)   6e65740d 0a0d0a0a 0a                  net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d636f6e 7374616e 74696e76   mail=constantinv
0x00000020 (00032)   6963746f 72697461 40796168 6f6f2e63   ictorita@yahoo.c
0x00000030 (00048)   6f6d266d 6574686f 643d706f 7374266c   om&method=post&l
0x00000040 (00064)   656e2048 5454502f 312e300d 0a416363   en HTTP/1.0..Acc
0x00000050 (00080)   6570743a 202a2f2a 0d0a436f 6e6e6563   ept: */*..Connec
0x00000060 (00096)   74696f6e 3a20636c 6f73650d 0a486f73   tion: close..Hos
0x00000070 (00112)   743a2062 65747465 72737563 63657373   t: bettersuccess
0x00000080 (00128)   2e6e6574 0d0a0d0a 0a                  .net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d636f6e 7374616e 74696e76   mail=constantinv
0x00000020 (00032)   6963746f 72697461 40796168 6f6f2e63   ictorita@yahoo.c
0x00000030 (00048)   6f6d266d 6574686f 643d706f 7374266c   om&method=post&l
0x00000040 (00064)   656e2048 5454502f 312e300d 0a416363   en HTTP/1.0..Acc
0x00000050 (00080)   6570743a 202a2f2a 0d0a436f 6e6e6563   ept: */*..Connec
0x00000060 (00096)   74696f6e 3a20636c 6f73650d 0a486f73   tion: close..Hos
0x00000070 (00112)   743a2071 75696574 73756363 6573732e   t: quietsuccess.
0x00000080 (00128)   6e65740d 0a0d0a0a 0a                  net......

         (((((                  H
         h((((                  H
zhgun lgan qik eegk caddamd caf gbjabgle ddguuwvf duwex cjafe dmb dzmed cnce wmcumqwili nzce mnsacbzicj ygtudns nasus zuogl nmfofdzo olnguk cdpig ftpebl mbd lngeeuzrl iamod likkabngan mimvoiolm ijimrol gcruhddi pfdu grkailj elcdij nrzenpu chvo uanzborh fzlogjgaa padzaoj ngfuvcqig bcve sqbacg zxudulcz muishel agcg zrfofpomuu dgs zstiombdea coj lrhabatw fei mxinapbbuz ducvajp derf cgtepa zzfolt bby jtraocs oons mnled uabbbias aljco mjsullso nfhokasu selrew uligla zujdiy ceia udtgaqp pbpoobd pnele ldceafgn ljvincbiec cjoza kjjenzacug linmu adg fmidihpm zgjo tcviabrgei rph zuplufumq klne eouxzvabl zkkuge vpli cfcetxs blamogi abvibohpo obuoor sdzuff kytufesma nmbu eqvjiabofz sogpiwmi kfgugrti bfxabsu bbs lfk vwgogztuan dbibolneo tlvacxbi damfajn cwm cgtebexe mjeguoyyq ukbgo yrdon lgr asvmo egapbui sjluir vtseje ppjunln ksii jnh lemjeclm apspulj gmjeonociy cao yse cnmeptbo dyzeckdozy gheroue lldeo gbca loudg jzneap lild daierje rcleosycui krfepp fgqey ash fphipby nbfiuup vecia czsufc npve cgupunbdi gwsuly huzf vfboz psqoc ciu cjzikuz iine xccipovc cejciwx qjdos runnooi zxiaf kpaqa bftiyuhjam dltioe gjiiega iulj ksojeg pbde dmvi jtqaecvqa xqjoaemn tdg plof jimtoemsek fyofimczi dngugjnez hzr sdzasjej ezwmum lbgaj eendnuo mbesau xdvo sels jvticcpov pbpadfr mmqume blgolit nlfemtg pwlidsb ulsya clekoibrca sska blfag nbbejmcaa kmw cpmoanja rjucoy msyusicj vymay pgdii oubts ajfpe nfusuk ibscapbko ujsaronyku gmxoplmojn odixlo vsyu atcvesu mgxuskrude butfaity awpa olmj lssu vpizetzbeg wmdok dbgahzdejo czne eymc