Analysis Date: 2013-09-18 13:29:31
MD5: df3146252d9468a2757c5a031ec2f265
SHA1: 48f402e3c527986114cb249c6e881b50cf938de8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: e659396a56df6d6684eccf5398aa2f6c sha1: 2177145b75571a16fc2d9eee121b9476de345e65 size: 1536
Section .rdata: md5: 0af8f709317d00fc6d4d864fbfc36e98 sha1: f7f14b50827b47b42c2cafaadca1e863ca6d30c3 size: 512
Section .data: md5: 1874a948577021618abba04a1a6f00c6 sha1: ed74ed8926ebdf371f36b480cba181d6cdfe962d size: 512
Section .rsrc: md5: a1f393ba79c75b5a1db4b02931ed9d82 sha1: 6a904ee65e96b3156b7838493d8209afc323577e size: 47104
Timestamp: 2008-07-17 16:30:19
Packer: PE Diminisher v0.1
PEhash: 03ff2b0702a7fab43be956d135dbe8956c38339e
AV (msse): TrojanDownloader:Win32/Cutwail
AV (avg): Downloader.Generic13.BKRA
AV (avira): TR/Dldr.Cutwail.44

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\wopfocefyshi ➝ C:\Documents and Settings\Administrator\wopfocefyshi.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\wopfocefyshi.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\koetterfireprotection[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\childscope[1].htm
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: wopfocefyshi

Network Details:

DNS: smtp.hot.glbdns.microsoft.com (Type: A) ➝ 65.55.96.11
DNS: smtp.live.com (Type: A)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.96.11:25

Strings