Analysis Date: 2014-06-28 18:23:07
MD5: 3a1dcc660501487911a74bb52a43309b
SHA1: 090f0dba3a46b3f704c21fe2ec602b243249c572

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: a345ec18061609f88088a4695c10ee0b sha1: ec632f69d9ebf9a9ca85e8b45d2779e049541e05 size: 512
Section .rdata md5: 574a86bf260ca82d675e0d62fd17d99d sha1: bdd0d5e9ed8f6f049060c7e155214887914b28a4 size: 1024
Section .data md5: 92cfd28f701cf198685b9921c78e87e0 sha1: 79a9a0eb9c0b8711d43a0e8e95b0db13c3f9eb07 size: 512
Section xcode md5: 04cd8d9bd4703a011ae78c10e148e775 sha1: d600ef4f7a5d2dce781adf59c338cb48a5617901 size: 512
Section wcode md5: 8ca8281466724535b6961b249471e986 sha1: 6317a724a6a57244d2feb4091eb1eda1ae1693d6 size: 512
Section rcode md5: 9a2668f1273c0ae02cb0e3ca147ee199 sha1: f8eaddbc956679a9480a044fa598bd7cc899328a size: 512
Section .rsrc md5: b717b8f504d15de22f5a468a98639984 sha1: 613b8583b666193523f5f6152a8ed96c1761c170 size: 64000
Timestamp: 2014-05-21 15:35:42
Version:
LegalCopyright: Copyright (C) 2009
InternalName: recipe
FileVersion: 4,3,4,41
ProductName: recipe Application
ProductVersion: 4,4,1,48
FileDescription: recipe Application
OriginalFilename: recipe.exe
PEhash: 01d729761a7834717542b0147bc47fad7006bfa7
IMPhash: e161bfdbb6be6056b8e2afa3c517316c
AV 360 Safe: Trojan.GenericKD.1691014
AV Ad-Aware: Trojan.GenericKD.1691014
AV Alwil (avast): Downloader-VIC [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Crypt.Xpack.67617
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanDownloader.Cutwail.r7
AV ClamAV: no_virus
AV Dr. Web: Trojan.Inject1.42649
AV Emsisoft: no_virus
AV Eset (nod32): Win32/Kryptik.CCNU
AV Fortinet: W32/Kryptik.CCNU!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.1691014
AV Grisoft (avg): SHeur4.BVXP
AV Ikarus: Trojan-Downloader.Win32.Cutwail
AV K7: Trojan ( 0049a9441 )
AV Kaspersky: Trojan-Downloader.Win32.Cutwail.i
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic Downloader.x!kg
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail
AV MicroWorld (escan): Trojan.GenericKD.1691014
AV Norman: winpe/Troj_Generic.UDRUO
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\dojapmeabutr ➝
C:\Documents and Settings\Administrator\dojapmeabutr.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\momonophoto[1].htm
Creates File: C:\Documents and Settings\Administrator\dojapmeabutr.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\combine.or[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\kagu-hokuren[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\kamaruka.vic.edu[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nd-evenementiel[1].htm
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\pcpeds[1].htm
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\solutioncorp[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\thedonaldsongroup[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\empordalia[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\eyggroup[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sdlp[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\structives[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\justconnect.co[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mattiussiecologia[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\redconeretreat[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\berkshirebusiness[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\e-kagami[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\solutioncorp[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\thedonaldsongroup[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\structives[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sdlp[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\eyggroup[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\justconnect.co[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mattiussiecologia[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\combine.or[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\kagu-hokuren[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\redconeretreat[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\pcpeds[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\berkshirebusiness[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\e-kagami[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: dojapmeabutr
Winsock DNS: empordalia.com
Winsock DNS: berkshirebusiness.org
Winsock DNS: nd-evenementiel.com
Winsock DNS: fruitspot.co.za
Winsock DNS: pcpeds.com
Winsock DNS: kagu-hokuren.com
Winsock DNS: sdlp.ie
Winsock DNS: debtrescueusa.com
Winsock DNS: kamaruka.vic.edu.au
Winsock DNS: mattiussiecologia.com
Winsock DNS: momonophoto.com
Winsock DNS: combine.or.id
Winsock DNS: solutioncorp.com
Winsock DNS: hifuken.com
Winsock DNS: eyggroup.com
Winsock DNS: structives.org
Winsock DNS: justconnect.co.za
Winsock DNS: redconeretreat.com
Winsock DNS: e-kagami.com
Winsock DNS: thedonaldsongroup.com

Network Details:

DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net
Type: A
98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net
Type: A
63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net
Type: A
98.138.105.21
DNS: solutioncorp.com
Type: A
209.208.32.251
DNS: kagu-hokuren.com
Type: A
180.37.186.131
DNS: smtp.live.com
Type: A
DNS: smtp.mail.yahoo.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.139.211.125:25

Strings