Analysis Date: 2014-04-19 05:32:20
MD5: 839e518d3d7524af79d6cb33a0be9dd1
SHA1: 0bfa7d89c800ae3a44ab42dee4c24d2aee16fdf7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: f3fed7f29b1843e2e5e9777650d7bb0b sha1: b91629a9b97317e1cddb783e53dc10c3a483424c size: 3072
Section .rdata md5: e9ada2616715d6cb7417a16d56d71f92 sha1: e8358806dc67f0233107b51c51727c8a00623745 size: 512
Section .data md5: 41b98b59761071f5f8d17694ed53eadc sha1: bf5d1016c288aa9635914490cc096b68b5550bee size: 512
Section .rsrc md5: e52b6e558753d47dd89a9b3ced3b3a16 sha1: 4c969b20a86bfc0765f4cfc9f36157a760b3618e size: 42496
Timestamp: 2004-10-15 20:39:50
Version info:
LegalCopyright: Copyright © 2000-2003 Intel Corporation
InternalName: SnifferMFC
FileVersion: 1.2
CompanyName: Intel Corporation
ProductName: Intel Call Logging API
ProductVersion: 1.2
FileDescription: SnifferMFC - Intel Call Logging API sample application
OriginalFilename: SnifferMFC.exe
PEhash: 5f21f470e3af82d890cc92f6e4d6d3f8e46c912f
IMPhash: 9d30e521e05aa720868d6a07d3e78d80
AV avg: Agent4.BFPO
AV avira: TR/Crypt.ZPACK.Gen2
AV mcafee: Cutwail-FCWE!839E518D3D75
AV msse: TrojanDownloader:Win32/Cutwail.BS

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\jogkemizadog ➝
C:\Documents and Settings\Administrator\jogkemizadog.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\heliomare[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\wsipowerontheweb[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\stecom[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\servico-ind[1].htm
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\jogkemizadog.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\stecom[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: jogkemizadog
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: geodecisions.com
Winsock DNS: theautospas.com
Winsock DNS: wlf.louisiana.gov
Winsock DNS: nataliecurtiss.com
Winsock DNS: nd-evenementiel.com
Winsock DNS: heliomare.nl
Winsock DNS: wsipowerontheweb.com
Winsock DNS: nanfangcw.com
Winsock DNS: servico-ind.com
Winsock DNS: krafthaus.com
Winsock DNS: combine.or.id
Winsock DNS: stormwildlifeart.com
Winsock DNS: justconnect.co.za
Winsock DNS: figabara.com
Winsock DNS: coopsupermarkt.nl
Winsock DNS: churchsupplies.net
Winsock DNS: asterisk.com.sg
Winsock DNS: spiti.org
Winsock DNS: stecom.nl

Network Details:

DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.96.11
DNS: heliomare.nl
Type: A
85.158.207.109
DNS: smtp.live.com
Type: A
DNS: churchsupplies.net
Type: A
DNS: stecom.nl
Type: A
DNS: spiti.org
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 65.55.96.11:25

Strings

040904b0
 2000-2003 Intel Corporation
4ESS
5ESS
6Open another window for the active document
About4Quit the application; prompts to save documents
&About SnifferMFC...
About SnifferMFC
Activate Task List
Activate this window
&Arrange Icons
Arrange Icons/Arrange windows so they overlap
Attach voice resources
Called
CalledHDisplay Channel variable as specified by Messages up to this one
Calling
CallingFDisplay Called variable as specified by Messages up to this one
Cancel
&Cascade
Cascade Windows5Arrange windows as non-overlapping tiles
Change the window position
Change the window size
Channel
Channel,Display this Message's Trace Text\Trace Text
cl_Close
cl_DecodeTrace
cl_Open
cl_Open arguments
Close
&Close
Close the active document
cl_StartTrace
cl_StopTrace
CompanyName
Copy1Cut the selection and put it on the Clipboard
Copyright 
Create a new document
&Decode Trace
?Display program information, version number and copyright
Enlarge the window to full size"Switch to the next document window&Switch to the previous document window9Close the active window and prompts to save the documents
Erase
Erase All3Copy the selection and put it on the Clipboard
Erase everything
Erase the selection
Exit
E&xit
&File
FILE
FileDescription
FileVersion
Find
Find the specified text
HDisplay Calling variable as specified by Messages up to this one
HDLC
&Help
Insert Clipboard contents
Intel Call Logging API
Intel Corporation
InternalName
ISDN
LegalCopyright
Method:
MS Sans Serif
NET5
Network-side board:
&New	Ctrl+N
&New Window
New Window7Arrange icons at the bottom of the window
Next Pane5Switch back to the previous window pane
Open
&Open
Open an existing document
Open this document
Open this document(Switch to the next window pane
OriginalFilename
Paste
Popup
Previous Pane
ProductName
ProductVersion
Protocol:
QSIGE1
QSIGT1
Ready
Redo
Reduce the window to an icon
Repeat1Replace specific text with different text
Repeat the last action
Replace%Select the entire document
!Restore the window to normal size
Resulting pszDeviceName string:
Save0Save the active document with a new name
Save As
Save the active document
SCRL
Select All
'Show or hide the toolbar
&Sniffer
SnifferMFC
SnifferMFC Document
SnifferMFC.Document
SnifferMFC.exe
SnifferMFC Files (*.snm)
SnifferMFC - Intel Call Logging API sample application
SnifferMFCT
SnifferMFC Version 1.2
SniMFC
.snm
Split
Starting from device:
&Start Trace
&Status Bar
Stop &Trace
StringFileInfo
TEXTINCLUDE
&Tile
Tile Windows5Arrange windows as non-overlapping tiles
Tile Windows(Split the active window into panes
Toggle StatusBar
Toggle ToolBar,Show or hide the status bar
&Toolbar
Trace Text
Translation
Undo&Redo the previously undone action
Undo the last action
User-side board:
VarFileInfo
&View
VS_VERSION_INFO
&Window
#define _AFX_NO_OLE_RESOURCES
#define _AFX_NO_PROPERTY_RESOURCES
#define _AFX_NO_SPLITTER_RESOURCES
#define _AFX_NO_TRACKER_RESOURCES
#endif
#endif //_WIN32
gdi32.dll
GetModuleHandleA
GetObjectW
GetProcAddress
GetTopWindow
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
#ifdef _WIN32
#include "afxres.h"
#include "afxres.rc"         // Standard components
#include "res\SnifferMFC.rc2"  // non-Microsoft Visual C++ edited resources
kernel32.dll
LANGUAGE 9, 1
LoadImageA
LoadLibraryExA
#pragma code_page(1252)
.rdata
resource.h
!This program cannot be run in DOS mode.
user32.dll