Analysis Date: 2014-03-09 16:29:13
MD5: 41bba084cec4418f4dad3572203962f8
SHA1: 1ed2f9680b1f37a19e0e598a57595b87c444f908

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 08b893f351a0a694ad903d59f428d0a8 sha1: 9e4190ec8d21e0cf8022063297f39f97a9db8452 size: 116224
Section .rsrc: md5: d95bd1f71c616d318aa1e3334f5a6ddd sha1: b3c698cfde0dd8f5bf73bc142bd7d40bc3a12080 size: 10752
Timestamp: 2005-10-06 16:27:07
Version:
LegalCopyright: Microsoft Corporation
InternalName: cgc010
FileVersion: 1.00.0019
CompanyName: Microsoft Corporation
LegalTrademarks: Microsoft Corporation
Comments: Microsoft Corporation
ProductName: Microsoft Corporation
ProductVersion: 1.00.0019
FileDescription: Microsoft Corporation
OriginalFilename: cgc010.exe
Packer: PECompact 2.5x -> Jeremy Collake
PEhash: f70f6144a62e2e4d9c7e95ca8c84dabde7c20029
IMPhash: 09d0478591d4f788cb3e5ea416c25237
AV clamav: Trojan.Spy.Banker-2556
AV mcafee: PWS-Banker.gen.h
AV avg: Generic27.SGR
AV avira: TR/Spy.Bancos.u
AV msse: TrojanSpy:Win32/Bancos
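Two things in the static block deserve a second look before trusting it. The version resource is self-contradictory (every descriptive field, including FileDescription and ProductName, is just "Microsoft Corporation", while InternalName is cgc010), and the file is PECompact-packed, so the section hashes, imphash and the import names visible in the strings (LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree) describe the packer stub, not the banker; static analysis has to be repeated on the unpacked image. The script below, added here as an example and not part of the sandbox's tooling, reproduces the per-section md5/sha1/size and Timestamp lines from a raw PE with the standard library only, and checks for the literal "[PECompact!]" marker that also appears in the report's strings. It builds its own toy two-section PE for the demonstration; that image, and all function names, are this example's assumptions, not the analysed file.

```python
"""Recompute the per-section md5/sha1, raw size and compile timestamp that the
static-details block of a sandbox report lists, from a raw PE file.

Standard library only: a minimal PE32 section-table walker rather than pefile,
so it runs anywhere. build_sample_pe() constructs a toy two-section image for
testing; it is not the analysed binary, and the helper names are this example's own."""
import hashlib
import struct
from datetime import datetime, timezone

PE_SIGNATURE = b"PE\0\0"
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (first 24 of 40 bytes)
SECTION_ENTRY_FMT = "<8sIIII"
SECTION_ENTRY_SIZE = 40


def pe_headers(data):
    """Return (COFF header tuple, file offset of the section table)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    coff = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    size_of_optional = coff[5]
    return coff, coff_off + struct.calcsize(COFF_HEADER_FMT) + size_of_optional


def section_hashes(data):
    """One {name, md5, sha1, size} per section, in section-table order.
    size is SizeOfRawData: the on-disk bytes that get hashed, as in the report."""
    coff, table_off = pe_headers(data)
    result = []
    for i in range(coff[1]):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            SECTION_ENTRY_FMT, data, table_off + i * SECTION_ENTRY_SIZE)
        raw = data[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:
            raise ValueError("section %r points past end of file" % name)
        result.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            "size": raw_size,
        })
    return result


def compile_timestamp(data):
    """COFF TimeDateStamp rendered like the report's Timestamp line (UTC)."""
    coff, _ = pe_headers(data)
    return datetime.fromtimestamp(coff[2], timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def packer_hint(data):
    """Crude packer check: the literal '[PECompact!]' marker that also shows up in
    the report's strings. Marker presence only, not a signature-database match."""
    return "PECompact" if b"[PECompact!]" in data else None


def build_sample_pe(timestamp=1128616027):
    """Constructed PE32 image: .text holding b'abc' (a known hash test vector) and
    a .rsrc section carrying the packer marker. Layout constants are the PE format's."""
    text_data = b"abc"
    rsrc_data = b"[PECompact!]".ljust(32, b"\0")
    text_ptr, rsrc_ptr = 0x200, 0x400
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header follows the DOS header
    optional = bytearray(224)                          # PE32 optional header, only Magic set
    struct.pack_into("<H", optional, 0, 0x10B)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, 2, timestamp, 0, 0, len(optional), 0x102)

    def entry(name, payload, vaddr, ptr):
        head = struct.pack(SECTION_ENTRY_FMT, name, len(payload), vaddr, len(payload), ptr)
        return head + b"\0" * (SECTION_ENTRY_SIZE - len(head))

    image = bytearray(bytes(dos) + PE_SIGNATURE + coff + bytes(optional)
                      + entry(b".text", text_data, 0x1000, text_ptr)
                      + entry(b".rsrc", rsrc_data, 0x2000, rsrc_ptr))
    image += b"\0" * (text_ptr - len(image)) + text_data
    image += b"\0" * (rsrc_ptr - len(image)) + rsrc_data
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_pe()
    print("Timestamp:", compile_timestamp(sample), "Packer:", packer_hint(sample))
    for s in section_hashes(sample):
        print("Section %s md5: %s sha1: %s size: %d" % (s["name"], s["md5"], s["sha1"], s["size"]))
```

Run it against the real sample instead of the constructed image by reading the file into `data` and calling `section_hashes(data)`; matching the report's .text and .rsrc digests confirms you have the same bytes the sandbox saw. The imphash is deliberately left out: it needs the import directory walked, which a packed file does not expose meaningfully anyway.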

Runtime Details:

Process
↳ C:\malware.exe

Creates File: c:\windows\jdbgmgrnt.exe
Creates Process: c:\windows\jdbgmgrnt.exe

Process
↳ c:\windows\jdbgmgrnt.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Service Registry NT Save ➝ "c:\windows\jdbgmgrnt.exe"\\x00
Creates File: C:\WINDOWS\runlog.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFD512.tmp
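The runtime trace is a textbook dropper pattern: the original process writes a copy to the Windows directory under a name that resembles a legitimate Windows component (jdbgmgr.exe is the Microsoft Debugger Registrar for Java), executes it, and the copy registers itself under the HKLM Run key with the innocuous value name "Service Registry NT Save" (the trailing `\x00` is the NUL the malware wrote into the value, echoed literally by the sandbox). The `PIPE\lsarpc` and `\Device\Afd\*` entries are LSA and Winsock handle opens that the sandbox logs as file creates, not dropped files, and should be excluded from any "what did it drop" list. The correlation below is an added example, not the sandbox's own logic: it walks a list of events constructed from this report, joins Run-key writes to files the sample created, and ignores the handle noise automatically because those paths never appear as Run-key data. Event shape and helper names are this example's assumptions.

```python
"""Correlate sandbox runtime events into a 'dropper plus Run-key persistence'
finding. SAMPLE_EVENTS is constructed from the report's Runtime Details (with one
benign Run entry added as a negative case); helper names are this example's own."""
import ntpath
import re

RUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)


def normalize_path(value):
    """Registry data as the sandbox prints it: quoted, possibly followed by a literal
    '\\x00' (the NUL the malware wrote). Return a lowercase bare path."""
    v = value.strip()
    v = re.sub(r"(\\x00)+$", "", v)          # literal backslash-x-0-0 text, as in the report
    v = v.rstrip("\0").strip().strip('"')
    return v.lower()


def run_key_value(key):
    """(lowercase key path, value name) if key is a value directly under Run/RunOnce."""
    k = key.lower()
    for rk in RUN_KEYS:
        i = k.find(rk + "\\")
        if i != -1 and k.count("\\", i + len(rk) + 1) == 0:
            return k[:i + len(rk)], key[i + len(rk) + 1:]
    return None


def find_dropper_persistence(events):
    """events: iterable of (process, action, target[, data]) tuples.
    One finding per Run-key value that points at a file some traced process created."""
    created, executed, findings = {}, set(), []
    for ev in events:
        proc, action, target = ev[0], ev[1], ev[2]
        if action == "Creates File":
            created[target.lower()] = proc
        elif action == "Creates Process":
            executed.add(target.lower())
    for ev in events:
        if ev[1] != "Registry" or len(ev) < 4:
            continue
        rk = run_key_value(ev[2])
        if rk is None:
            continue
        path = normalize_path(ev[3])
        if path in created:                   # handle opens like \Device\Afd\* never match here
            findings.append({
                "dropped_by": created[path],
                "path": path,
                "value_name": rk[1],
                "executed": path in executed,
                "in_windows_dir": ntpath.dirname(path) in (r"c:\windows", r"c:\winnt"),
            })
    return findings


# Constructed from the report; the last entry is an invented benign Run value.
SAMPLE_EVENTS = [
    (r"C:\malware.exe", "Creates File", r"c:\windows\jdbgmgrnt.exe"),
    (r"C:\malware.exe", "Creates Process", r"c:\windows\jdbgmgrnt.exe"),
    (r"c:\windows\jdbgmgrnt.exe", "Registry",
     r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Service Registry NT Save",
     r'"c:\windows\jdbgmgrnt.exe"\x00'),
    (r"c:\windows\jdbgmgrnt.exe", "Creates File", r"C:\WINDOWS\runlog.dat"),
    (r"c:\windows\jdbgmgrnt.exe", "Creates File", r"PIPE\lsarpc"),
    (r"c:\windows\jdbgmgrnt.exe", "Creates File", r"\Device\Afd\Endpoint"),
    (r"c:\windows\jdbgmgrnt.exe", "Creates File",
     r"C:\Documents and Settings\Administrator\Local Settings\Temp\~DFD512.tmp"),
    (r"C:\malware.exe", "Registry",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     r'"C:\Program Files\Vendor\updater.exe"'),
]

if __name__ == "__main__":
    for f in find_dropper_persistence(SAMPLE_EVENTS):
        print(f)
```

The same join works on live host data for incident response: enumerate the Run/RunOnce values, normalize each path the same way, and compare against recently created executables under the Windows directory; the value name alone ("Service Registry NT Save") is a usable detection string for this sample but the path-based join catches renamed variants too.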

Network Details:

DNS: smtp.mail.eu.am0.yahoodns.net
Type: A
188.125.69.59
DNS: smtp.mail.yahoo.com.br
Type: A
Flows: TCP 192.168.1.1:1031 ➝ 188.125.69.59:25

Raw Pcap
0x00000000 (00000)   48454c4f 20434f4d 50555445 522d5858   HELO COMPUTER-XX
0x00000010 (00016)   58585858 0d0a4155 5448204c 4f47494e   XXXX..AUTH LOGIN
0x00000020 (00032)   0d0a                                  ..
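The capture decodes to the client side of an SMTP session: `HELO COMPUTER-XXXXXX` followed by `AUTH LOGIN` to Yahoo's mail server on port 25, the usual way this Bancos/Banker family mails harvested data to a webmail drop account. The sandbox's dump ends right after the AUTH LOGIN command, so no credentials appear on the page. The decoder below is an added example, not part of the sandbox: it rebuilds the bytes from the page's hex-dump format (checking the decimal offsets for continuity), splits the client stream into commands, flags cleartext authentication and direct outbound SMTP from an endpoint, and, when an AUTH LOGIN exchange does continue, base64-decodes the username and password lines. `EXTENDED_STREAM` appends two constructed credential lines to show that path; the helper names and the "bob"/"secret" values are this example's assumptions.

```python
"""Decode the report's 'Raw Pcap' hex dump back to bytes and inspect the SMTP
client stream for cleartext authentication. RAW_PCAP is the page's dump; the
extra base64 lines in EXTENDED_STREAM are constructed to show what an AUTH LOGIN
exchange carries once it proceeds past the point the capture shows."""
import base64
import ipaddress
import re

HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]{8})\s+\((\d+)\)\s+(.*)$")
HEX_TOKEN = re.compile(r"^(?:[0-9a-fA-F]{2}){1,4}$")

RAW_PCAP = """\
0x00000000 (00000)   48454c4f 20434f4d 50555445 522d5858   HELO COMPUTER-XX
0x00000010 (00016)   58585858 0d0a4155 5448204c 4f47494e   XXXX..AUTH LOGIN
0x00000020 (00032)   0d0a                                  ..
"""


def parse_hexdump(text):
    """Rebuild the byte stream; the decimal offset in parentheses must equal the
    bytes recovered so far, which catches truncated or reordered lines."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        if int(m.group(2)) != len(out):
            raise ValueError("offset gap at %s" % m.group(2))
        for tok in m.group(3).split()[:4]:        # at most 4 groups of 4 bytes per line
            if not HEX_TOKEN.match(tok):
                break                             # rest of the line is the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)


def analyse_smtp_client(stream, src, dst, dport):
    """Walk the client->server SMTP lines. Returns HELO name, AUTH mechanism,
    decoded AUTH LOGIN credentials if present, and a list of findings."""
    res = {"helo": None, "auth": None, "username": None, "password": None, "flags": []}
    expect = None                    # 'user' then 'pass' while inside AUTH LOGIN
    tls_started = False
    for raw in stream.split(b"\r\n"):
        if not raw:
            continue
        line = raw.decode("ascii", "replace")
        if expect:                   # AUTH LOGIN continuation: bare base64 lines
            try:
                value = base64.b64decode(line, validate=True).decode("utf-8", "replace")
            except ValueError:       # binascii.Error is a ValueError
                value = line
            res["username" if expect == "user" else "password"] = value
            expect = "pass" if expect == "user" else None
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            res["helo"] = arg
        elif verb == "STARTTLS":
            tls_started = True
        elif verb == "AUTH":
            mech = arg.split(" ")[0].upper()
            res["auth"] = mech
            if mech in ("LOGIN", "PLAIN") and not tls_started:
                res["flags"].append("cleartext SMTP authentication (%s) without STARTTLS" % mech)
            if mech == "LOGIN":
                expect = "user"
    if dport == 25 and not ipaddress.ip_address(dst).is_private:
        res["flags"].append("direct outbound SMTP from endpoint %s to %s:25" % (src, dst))
    return res


# Constructed continuation: base64("bob") and base64("secret") as the client would send them.
EXTENDED_STREAM = parse_hexdump(RAW_PCAP) + b"Ym9i\r\nc2VjcmV0\r\n"

if __name__ == "__main__":
    print(parse_hexdump(RAW_PCAP))
    print(analyse_smtp_client(EXTENDED_STREAM, "192.168.1.1", "188.125.69.59", 25))
```

Two practical uses: on the network side, workstation-initiated TCP/25 to a public mail server that is not the organisation's relay is a cheap, high-signal alert for this family; on the host side, a fuller capture of the same session yields the drop account's credentials, which is what you hand to the mail provider for takedown rather than the sample's hash.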


Strings
040904B0
1.00.0019
cgc010
cgc010.exe
Comments
CompanyName
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
Microsoft Corporation
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
0%<>+{
0%	3+t
0e@2+4$
~0f|?i
0J_V.5EfY5_
0Mn`&f
0)o%'G
'0.qK@m{
+_1&mC
2)#[. 
 }260|<A
2LF1|s[
2)LK=w
,+	2Sp[
|-=}2!V
	3@&8>
47$O4r<=
]$4ec"
#= 4_'m
4-|nH+X8d>
!(4shv
+)#;4t.l
5(4AVh-U1W'
5Bcup>
5oCXjB[
6&!3r a
6A|OK"
[6i^SDL
6plTEka
;%6ud/
7fourKW
7H^NSVx
7_Q>rw
8AWlRA
8+H=i1
8.%:j=|
9fXIYq
/9NtDZ
A=03.c
a6Rg^+C
A;H+^1
:aton er
~BMAqs2
BVJ+LX6
=c2_! L
-<<CB8
!c]\bT
$CCpIF
C$ d'S4
C;`OAl\
c`S4-S
Cs=>i%
D62Yzg
\dr)rD8
`/[EN\
e`[S2Z
|ewi%]
{[ezBf?	
f>!1m/
(\[$f2
##F(2^.
f4F:T4
F&aW+;
fQ'G^^
f*XrbR
FX%&thZ
f)_y1h
fz9Vm9
G.5xd,al v
gaT/w>
gA&xO1
GetProcAddress
G#*HvC~
G#%N >
;g=Ns6
g\Pa|Q
Gtw,C%
"gzKo&y6c
h22P[H<
H2~b|.
h]3U/(
hB+d(s>+A
_hC?,urM
HDj"JR4
h"m~6m
ho7x?dTD&QUm
hQ1t^O
H)wJ5L
HX"K/	4
$i'*Cbu
i;E-O`'gO
I'Hn][
iJ@_5`
i{O[^k
/)IQ9,Q*
irtualFe
iT{MHn
iu-1w>y9
<iXWV:y
i|ZjQb.
,"	% j
J@[;{>1
j29b&y&h-
!}J$3B
	/Jid/
jl<bQ>
%JplYU
jW\mfJ
 ;kA ')
K.&doE
kernel32.dll
kernl32.d
KG>b$=o
km4!aP
k@m,:b
L7i2'`
LF]Vth9KR
LI~@Tp
.l\j..
LoadLibraryA
l}p{EX
M\AqB;!
@M@"A("s
M%Fh?u	
M`G?V_
Mhu`5j
\mmIGI
M-p}(f
`mtdR|
!N`~4P0
n8>*i8h
Ng"Zl	
Njp?n9
n+ki@M0^!
N#o6/Tc
nP>~@1
N[u	xbS|"w
<nv4tX
Nvaa_NI
?o[)@\
.O(AAi
o	b0DV
^oe\,x
oHesUe
OuCL,h:
p[BR8	
[PECompact!]
(P:?F#
>q&D9J)
QiATeX
QJrXfc
=QlPpt
qnH._L+
qoff'fe
]@r7UZNX
R,bQ6gL
rD%lgm
rmTP$g
R.TEppW{
r'v2 R
RVn~2/
RWYbNFK
s*0;7^"7
SAplicn
SEySV	
sfa=!6
SFFc"_
sI-`h>
sm|a(2&
sOshvs
!\SRaB
sr^+Lm
t1iR4@
T8 Wr*
T'$Ap6
T'_b.x
TG0bkJ
!This program cannot be run in DOS mode.
{T*kD=J
]tno7.
tO'^h%{
TO).pC(?
T\vCm]
twu|L%
UC7y=~Ne
UE$EMMA
USQWVR
: >UZ(
V[:2q{
 va-=U
VirtualAlloc
VirtualFree
v)|P2Jn
V`qO=_
^vQ@TA
[?W1@V
W 5rr^
w8##sX
WC#^1^
w`#ds(
Wi}jq{
+"@wM	=^
,w^m4.
wn>y6t
}WT"1%h
wW3@?6
	wW,v|_
('x4:`
);	X5p*
XAb3obE
XjettB
XMc[09"
X\Rb@Q
x_v1l)*7^1:Q
/xWgM	
Xx/iU:	
yC?DD,
`YGtD2
ySy9J;
YU(%o,2
y}<ztC
Zndg5,
z-n	_Jf
zp'lHS
Zr2)}-
Z^_Y[]