Analysis Date: 2014-03-02 22:42:06
MD5: 985e4a4234de34f6892c54db24a408fb
SHA1: 4d2be4cbdf36e86566a835e177bc65afdbce0791

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: ccb5bee51e649fb4bef71d11a1f64251 sha1: 36aca8fb8117f65054a60dc7abec6e4b968341b3 size: 1536
Section .rdata — md5: d87a857cc4d64675b460251c750cc54b sha1: a299b39ff7ea8608bb195dc5392521e38a2c045f size: 512
Section .data — md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .rsrc — md5: f764e75ad171f83b1af48e096a5d059d sha1: 765f6d4011a7f9192f1695ea4b087059815261a9 size: 41472
Timestamp (PE header): 2006-01-17 01:36:24
Version info — LegalCopyright: Copyright (C) 2000
InternalName: gayka
FileVersion: 1, 0, 0, 1
CompanyName:
LegalTrademarks:
ProductName: gayka Dynamic Link Library
ProductVersion: 1, 0, 0, 1
FileDescription: gayka DLL
OriginalFilename: gayka.DLL
PEhash: d086b1db55597695f4ea78b5787469463f3e1eed
IMPhash: 4418b07e6e5be32fe4bbcfe8e3b99b8c
AV avira: TR/Crypt.ZPACK.Gen2
AV avg: Generic35.ADGA
AV msse: TrojanDownloader:Win32/Cutwail.BS
AV mcafee: Cutwail-FCWE!985E4A4234DE

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\voqikanmujam ➝ C:\Documents and Settings\Administrator\voqikanmujam.exe (Run-key autostart entry pointing at the copy of the sample dropped under the user profile; see the Creates File entry below)
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\voqikanmujam.exe (self-copy into the user profile; this is the path referenced by the Run-key entry above)
Creates Mutex: voqikanmujam

Network Details:

DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.172.254
DNS: smtp.live.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 65.55.172.254:25 (SMTP; the destination is the address returned for smtp.glbdns2.microsoft.com above)

Raw Pcap

Strings
#
.u
..
..
040904B0
1, 0, 0, 1
 5915 - 70
 5915-70
9P9(
a&qB
B;,iOn;
B;,n;j'
[c9P
C*+k;k
CL+k]k;
C<,n<j(
CompanyName
Copyright (C) 2000
C<u<
C;u;
eanX
FileDescription
FileVersion
gayka
gayka DLL
gayka.DLL
gayka Dynamic Link Library
InternalName
iPi<
iPOP
Jaka
Jana
Jbjb
Jbmb
jbmZ
jgk,
J'j'
J(j(
J<J[
J;J]
J<Ja
J;Jb
J;JZ
J;k;
J]k]
J'm'
J[Ma
J;n;
J(n(
J]n]
JOjO
JOmO
jQZa
JSnS
JZM]
JZNb
kan[
!	kAPI5.dll?"
klAPI5.dll
k]nZ
LegalCopyright
LegalTrademarks
LSlS
LSnS
Maka
mbm;
M;k;
M]k]
MS Sans Serif
mZm;
nan<
Nbjb
n]hP
N'j'
N(j(
n[n<
n]n;
NOjO
nPJP
nPOP
nUiP
nZn;
OaaP
OOL_
OPJU
OPO<
OriginalFilename
}(}P
}P[c
ProductName
ProductVersion
StringFileInfo
TEXTINCLUDE
Translation
VarFileInfo
VPJ\
VS_VERSION_INFO
w;-J;OO
wL,O;O]
w<-N(J<
w*,O
w;-O'J;
0?tJP!
_0U]AVZ
27M:lE
2g%3AD
37'zJ\:/S
{4T%^Xv
68dY]n
&#6gX}
#7(Pji
8hmIjW.<N
a7(H$v
Ap\()j
bc879<
BxEnfn
`Cgc\(
\cO[f^vW
C(VePu
:>CZR'
'>d1Pu
#define _AFX_NO_OLE_RESOURCES
#define _AFX_NO_PROPERTY_RESOURCES
#define _AFX_NO_SPLITTER_RESOURCES
#define _AFX_NO_TRACKER_RESOURCES
D}ui0 
E[A/st
E<iJ):
#endif
#endif //_WIN32
F2`1O4'{
,F,CQcn
G2gZ'#@CO
gdi32.dll
GetCurrentProcess
GetModuleHandleA
GetObjectA
)GPS>/
$hR^] 
hVEw-|
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
#ifdef _WIN32
#include "afxres.h"
#include "afxres.rc"         // Standard components
#include "res\gayka.rc2"  // non-Microsoft Visual C++ edited resources
#include "..\slide.rh"
!"It`m
 j|L~#
k7w}fs
kernel32.dll
.)+K.F
*Ki RP
kY@qF"G
LANGUAGE 9, 1
LANGUAGE LANG_RUSSIAN, SUBLANG_DEFAULT
LoadImageA
LoadLibraryExA
?LQYqA
lyRv\P
M08!C`L
_`M%^bm
n2LIU"
P)fX;<K
\pLQ:f
PR=-<-*
#pragma code_page(1251)
#pragma code_page(1252)
-p(RLq
q;#XKp
r&5Az.Y 
R~ATX@
.rdata
resource.h
s	;!12
SmesW\
Ta |D&
!This program cannot be run in DOS mode.
TIw@69? 
>U0UAI
^u4sCB
ur:eqw
user32.dll
Vh-BNa
vvTVj{X
W4/BVO
W"AX`,{Z
XG}7p"
xR~kyL
Z(Ew?)
Z:Nmwj
z/s5\r^