Analysis Date: 2014-07-16 20:05:51
MD5: 2d82af85ec6051200a94cf9da638de74
SHA1: 526575b15620ea70d83830648e56eb055122631d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: ecf33616348409ac5384374165c49006 sha1: 8987187cbc5df3e6ad941c7e910ba6633faeb94d size: 3072
Section .rdata: md5: 9f54fed295c5bf23b793d759a4f7f487 sha1: 1c417c12270e375a4af290ba3c37c2463a8fec6b size: 1024
Section .data: md5: 1205206d88340b9f0289fd001fabb56c sha1: 93a7347331b6f74d28cae14c7a222b0a42795c8b size: 1536
Section .rsrc: md5: b35f3f1172ffb1444fdc6fc723705514 sha1: 737cb8ec7cf7a9581406518256ee359249fef197 size: 40960
Timestamp: 2014-06-17 19:22:22
Version:
LegalCopyright: Copyright (C) 2008
InternalName: sickly
FileVersion: 7,2,4,19
ProductName: sickly Application
ProductVersion: 6,3,4,31
FileDescription: sickly Application
OriginalFilename: sickly.exe
PEhash: ca00d69e4af8b337f91720bec6752ab2001b1a97
IMPhash: cabb308efe69c2b97bdbdd5c98e96b1c
AV 360 Safe: Trojan.Dropper.Agent.VNI
AV Ad-Aware: Trojan.Dropper.Agent.VNI
AV Alwil (avast): Kryptik-NXT [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Dropper.Gen
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Cutwail.r4
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: no_virus
AV Eset (nod32): Win32/Kryptik.CEET
AV Fortinet: W32/Kryptik.CEET!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Dropper.Agent.VNI
AV Grisoft (avg): Crypt3.AABD
AV Ikarus: Trojan.Dropper.Agent
AV K7: Trojan ( 0049b9671 )
AV Kaspersky: Trojan.Win32.Cutwail.dbm
AV MalwareBytes: Trojan.Agent.ED
AV Mcafee: RDN/Downloader.a!rl
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Trojan.Dropper.Agent.VNI
AV Norman: winpe/Agent.BDQNP
AV Rising: no_virus
AV Sophos: Troj/Loader-N
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Cutwail

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\gocdaffyhexo ➝ C:\Documents and Settings\Administrator\gocdaffyhexo.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mjferguson.co[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sunandgolfhomes[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\inventagrupo[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ssosoom[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mailhost.midwestlabs[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\machins.co[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\indianapt[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tbssoft[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\norman-spencer[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tasteofcharlotte[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\fjellparkfestivalen[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\7-24airx[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\artbeatcreative[1].htm
Creates File: C:\Documents and Settings\Administrator\gocdaffyhexo.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sigmaflex[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\indianapt[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mjferguson.co[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sunandgolfhomes[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tbssoft[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\norman-spencer[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\inventagrupo[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tasteofcharlotte[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\fjellparkfestivalen[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mailhost.midwestlabs[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\machins.co[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\sigmaflex[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: gocdaffyhexo
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: mjferguson.co.uk
Winsock DNS: ssosoom.cz
Winsock DNS: 7-24airx.com
Winsock DNS: tbssoft.com
Winsock DNS: fjellparkfestivalen.com
Winsock DNS: artbeatcreative.com
Winsock DNS: machins.co.uk
Winsock DNS: sunandgolfhomes.com
Winsock DNS: indianapt.com
Winsock DNS: manten-shirasu.com
Winsock DNS: sigmaflex.com
Winsock DNS: drkassis.org
Winsock DNS: mailhost.midwestlabs.com
Winsock DNS: inventagrupo.com
Winsock DNS: unipulse.com
Winsock DNS: catapultmarketing.com
Winsock DNS: tractusservices.co.uk
Winsock DNS: tasteofcharlotte.com
Winsock DNS: 89gospel.com
Winsock DNS: norman-spencer.com

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.163.152
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: fjellparkfestivalen.com (Type: A) ➝ 85.19.71.172
DNS: tasteofcharlotte.com (Type: A) ➝ 208.112.58.229
DNS: smtp.live.com (Type: A)
DNS: smtp.mail.yahoo.com (Type: A)
DNS: indianapt.com (Type: A)
DNS: sigmaflex.com (Type: A)
DNS: norman-spencer.com (Type: A)
HTTP POST: http://fjellparkfestivalen.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.163.152:25
Flows TCP: 192.168.1.1:1032 ➝ 98.139.211.125:25
Flows TCP: 192.168.1.1:1052 ➝ 85.19.71.172:80
Flows TCP: 192.168.1.1:1053 ➝ 208.112.58.229:80

Raw Pcap


Strings

041904b0
6,3,4,31
7,2,4,19
absence express different daughter
&accompanied Miriam
&adjuration--words dramatic
&agreeable
&always certain
amendment worrying
angelic
&answer continued
appears hours
&asked; experience
attempt Peter
&audibly spirit
&ballet--a
better Harsh
&caution
conscious
considered
conviction
Copyright (C) 2008
cried particular
Dallow silence
&damned richly
&dangerous
&declared necessity--without
degree simply
&differently
&diversion
drawing Grace believe intimate
effect nothing
&elapsed
electronically demands
&enough behind--Im
entered
entirely
&evidently moustache
&exhibitions
&existence reason
expressed
&expressed
fellow
field crabbed
FileDescription
FileVersion
&general
Harsh
her--if
&herself accused
herself perform
&himself
humbugging
hundred actress mother chin--a
&ill-timed prefers
imperturbably
importunity
&inquiries nature
inquiry
intended
interesting
&interesting encouragement
interests ridiculous
&interfere living
InternalName
interval should
&itself
kindly
large
&leaned
LegalCopyright
like--doing
meeting naturally
&mingled
Miriam
&Miriam
&misunderstood
&mouth
MS Shell Dlg
oddest
OriginalFilename
&outsider
&passion
Peter
picture
piece
&please Sometimes
portents
possible erect
prize simplified something
ProductName
ProductVersion
&propositions vehicle
public
rehearsal imperious penalty
&remember
&repeated--go
returned
&returned
RichEdit20A
&risked
&river to-morrow
should
sickly
sickly Application
sickly.exe
&sometimes crumble
sought truth;
&sounds
speech Project chance doubts
spending
steps
StringFileInfo
&stupid entertainer
suggestion
&surprised
SysListView32
Tahoma
&telling
&terribly should
&theatre
&things;
&thinks tendency
&thorough beautiful
&thrown
&together success
Translation
turned
understand
urgent beautifully beribboned
&uttered
VarFileInfo
VS_VERSION_INFO
&wanted
&way--so
&Wheatsheaf Rooth
&whether
which
window chance
&winter scene
wishing consciousness
&without
&woefully youth
wouldnt
CreateWindowExA
@.data
DefWindowProcA
DispatchMessageA
ExitProcess
FindResourceA
GetCurrentProcessId
GetMessageA
GetModuleHandleA
GetProcessHeap
HeapAlloc
kernel32.dll
KillTimer
LoadCursorA
LoadIconA
LoadResource
Lyypzcgj
nB9kdgfrwerbbbmddd
OXJuyvlc
PostQuitMessage
`.rdata
RegisterClassExA
SetTimer
ShowWindow
!This program cannot be run in DOS mode.
TranslateMessage
UpdateWindow
user32.dll
wzjkyxtqs