| Analysis Date | 2015-08-22 07:02:27 |
|---|---|
| MD5 | e7c31fcacd7b9bb15fb6de0d29a07d6b |
| SHA1 | 5ec6b7bceb0279e18ecc50076fc0a9e3c74c7ad9 |
Static Details:
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
|---|---|---|
| Section | .text md5: fb1de71b8e4dc1cadd3a1dfb6355fd1a sha1: 86fc842fe5cc629733546626daf96bd14b00da23 size: 1024 | |
| Section | .rdata md5: 5e001465d8cd3c885bc984c952e08cb6 sha1: 32ee3ee5d774fd02de6c2a88102ae2ee5e5e4e06 size: 1024 | |
| Section | .data md5: fc7eb756c1f4b17f16449816cc3cec81 sha1: 2617518e49202d532dae1af9ba05aecfefd1e75b size: 512 | |
| Section | .rsrc md5: c94ccb1cb9b65cd920748f0c486bcebd sha1: 9fd0951d72ba87dc208af495868f37498ca8e4eb size: 58368 | |
| Timestamp | 2014-06-26 11:39:44 | |
| PEhash | f13de80a8e0ee698bbf613cc72d0cfdb65aee45e | |
| IMPhash | 4ca0a0adb97211d9334271ded971bdde | |
| AV | CA (E-Trust Ino) | no_virus |
| AV | F-Secure | Gen:Variant.Kazy.327123 |
| AV | Dr. Web | Trojan.MulDrop3.14959 |
| AV | ClamAV | no_virus |
| AV | Arcabit (arcavir) | Gen:Variant.Kazy.327123 |
| AV | BullGuard | Gen:Variant.Kazy.327123 |
| AV | Padvish | no_virus |
| AV | VirusBlokAda (vba32) | Trojan.Cutwail |
| AV | CAT (quickheal) | Trojan.Cutwail.r4 |
| AV | Trend Micro | TROJ_CUTWAIL.SM0 |
| AV | Kaspersky | Trojan.Win32.Generic |
| AV | Zillya! | Trojan.Cutwail.Win32.168 |
| AV | Emsisoft | Gen:Variant.Kazy.327123 |
| AV | Ikarus | Trojan.Win32.Cutwail |
| AV | Frisk (f-prot) | no_virus |
| AV | Authentium | no_virus |
| AV | MalwareBytes | Trojan.Agent.US |
| AV | MicroWorld (escan) | Gen:Variant.Kazy.327123 |
| AV | Microsoft Security Essentials | TrojanDownloader:Win32/Cutwail.BS |
| AV | K7 | no_virus |
| AV | BitDefender | Gen:Variant.Kazy.327123 |
| AV | Fortinet | W32/Kryptik.CFFF!tr |
| AV | Symantec | no_virus |
| AV | Grisoft (avg) | Agent |
| AV | Eset (nod32) | Win32/Kryptik.CFFF |
| AV | Alwil (avast) | Cutwail-CM [Trj] |
| AV | Ad-Aware | Gen:Variant.Kazy.327123 |
| AV | Twister | no_virus |
| AV | Avira (antivir) | TR/Dropper.Gen |
| AV | Mcafee | Downloader-FAKU!E7C31FCACD7B |
| AV | Rising | no_virus |
Runtime Details:
| Screenshot |  |
|---|
Process
↳ C:\malware.exe
| Registry | HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\siskuxordese ➝ C:\Documents and Settings\Administrator\siskuxordese.exe |
|---|---|
| Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
| Registry | HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL |
| Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mauigiftbaskets[1].htm |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\weru.co[1].htm |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\casamolina[1].htm |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\new-central[1].htm |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\womeningold[1].htm |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mpccontainment[1].htm |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\1cashmere[1].htm |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\fhgc[1].htm |
| Creates File | C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670 |
| Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\interstatepartners[1].htm |
| Creates File | PIPE\lsarpc |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tadashichi[1].htm |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lotcottages[1].htm |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\magi-cat[1].htm |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\petrus-kirche[1].htm |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\gsprinters[1].htm |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\allisoriginals[1].htm |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tuchikawa-soba[1].htm |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\dukecom[1].htm |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\einus[1].htm |
| Creates File | C:\Documents and Settings\Administrator\siskuxordese.exe |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\southamerica-photo[1].htm |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\hirose-aa[1].htm |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\plastivan[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mauigiftbaskets[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\weru.co[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\casamolina[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\new-central[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\womeningold[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mpccontainment[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\1cashmere[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\fhgc[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\interstatepartners[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tadashichi[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lotcottages[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\magi-cat[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\petrus-kirche[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tuchikawa-soba[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\allisoriginals[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\gsprinters[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\dukecom[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\einus[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\southamerica-photo[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\hirose-aa[1].htm |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\plastivan[1].htm |
| Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
| Creates Mutex | WininetConnectionMutex |
| Creates Mutex | c:!documents and settings!administrator!cookies! |
| Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
| Creates Mutex | siskuxordese |
| Winsock DNS | gsprinters.com |
| Winsock DNS | magi-cat.org |
| Winsock DNS | einus.net |
| Winsock DNS | mauigiftbaskets.com |
| Winsock DNS | casamolina.com |
| Winsock DNS | tuchikawa-soba.com |
| Winsock DNS | fhgc.com |
| Winsock DNS | petrus-kirche.ch |
| Winsock DNS | southamerica-photo.com |
| Winsock DNS | 1cashmere.com |
| Winsock DNS | allisoriginals.com |
| Winsock DNS | tadashichi.com |
| Winsock DNS | interstatepartners.com |
| Winsock DNS | weru.co.jp |
| Winsock DNS | mpccontainment.com |
| Winsock DNS | dukecom.com |
| Winsock DNS | plastivan.pl |
| Winsock DNS | womeningold.com |
| Winsock DNS | hirose-aa.com |
| Winsock DNS | lotcottages.com |
| Winsock DNS | new-central.com |
Network Details:
| DNS | smtp.glbdns2.microsoft.com Type: A 65.55.176.126 |
|---|---|
| DNS | smtp.mail.global.gm0.yahoodns.net Type: A 63.250.193.228 |
| DNS | smtp.mail.global.gm0.yahoodns.net Type: A 98.138.105.21 |
| DNS | smtp.mail.global.gm0.yahoodns.net Type: A 98.139.211.125 |
| DNS | mpccontainment.com Type: A 198.170.74.105 |
| DNS | dukecom.com Type: A 199.230.54.140 |
| DNS | petrus-kirche.ch Type: A 80.74.155.167 |
| DNS | plastivan.pl Type: A 62.129.197.22 |
| DNS | lotcottages.com Type: A 54.231.141.10 |
| DNS | interstatepartners.com Type: A 69.73.180.18 |
| DNS | mauigiftbaskets.com Type: A 198.154.239.214 |
| DNS | tadashichi.com Type: A 157.7.183.121 |
| DNS | tuchikawa-soba.com Type: A 203.189.104.205 |
| DNS | allisoriginals.com Type: A 64.85.170.150 |
| DNS | new-central.com Type: A 211.10.2.122 |
| DNS | weru.co.jp Type: A 49.212.180.217 |
| DNS | gsprinters.com Type: A 192.185.169.161 |
| DNS | southamerica-photo.com Type: A 89.161.171.117 |
| DNS | womeningold.com Type: A 141.8.226.14 |
| DNS | fhgc.com Type: A 64.90.41.75 |
| DNS | magi-cat.org Type: A 74.208.99.68 |
| DNS | 1cashmere.com Type: A 204.11.56.48 |
| DNS | hirose-aa.com Type: A 153.122.38.44 |
| DNS | einus.net Type: A 221.143.46.17 |
| DNS | smtp.live.com Type: A |
| DNS | smtp.mail.yahoo.com Type: A |
| HTTP POST | http://dukecom.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
| HTTP POST | http://mpccontainment.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
| HTTP POST | http://lotcottages.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
| HTTP POST | http://petrus-kirche.ch/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
| HTTP POST | http://plastivan.pl/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
| HTTP POST | http://interstatepartners.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
| HTTP POST | http://mauigiftbaskets.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
| HTTP POST | http://tadashichi.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
| HTTP POST | http://tuchikawa-soba.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
| HTTP POST | http://allisoriginals.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
| HTTP POST | http://new-central.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
| HTTP POST | http://weru.co.jp/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
| HTTP POST | http://gsprinters.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
| HTTP POST | http://southamerica-photo.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
| HTTP POST | http://womeningold.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
| HTTP POST | http://fhgc.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
| HTTP POST | http://1cashmere.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
| HTTP POST | http://magi-cat.org/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
| HTTP POST | http://hirose-aa.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
| HTTP POST | http://einus.net/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) |
| Flows TCP | 192.168.1.1:1031 ➝ 65.55.176.126:25 |
| Flows TCP | 192.168.1.1:1032 ➝ 63.250.193.228:25 |
| Flows TCP | 192.168.1.1:1034 ➝ 199.230.54.140:80 |
| Flows TCP | 192.168.1.1:1040 ➝ 198.170.74.105:80 |
| Flows TCP | 192.168.1.1:1044 ➝ 54.231.141.10:80 |
| Flows TCP | 192.168.1.1:1045 ➝ 80.74.155.167:80 |
| Flows TCP | 192.168.1.1:1046 ➝ 62.129.197.22:80 |
| Flows TCP | 192.168.1.1:1047 ➝ 69.73.180.18:80 |
| Flows TCP | 192.168.1.1:1053 ➝ 198.154.239.214:80 |
| Flows TCP | 192.168.1.1:1054 ➝ 157.7.183.121:80 |
| Flows TCP | 192.168.1.1:1055 ➝ 203.189.104.205:80 |
| Flows TCP | 192.168.1.1:1056 ➝ 64.85.170.150:80 |
| Flows TCP | 192.168.1.1:1057 ➝ 211.10.2.122:80 |
| Flows TCP | 192.168.1.1:1058 ➝ 49.212.180.217:80 |
| Flows TCP | 192.168.1.1:1059 ➝ 192.185.169.161:80 |
| Flows TCP | 192.168.1.1:1060 ➝ 89.161.171.117:80 |
| Flows TCP | 192.168.1.1:1061 ➝ 141.8.226.14:80 |
| Flows TCP | 192.168.1.1:1062 ➝ 64.90.41.75:80 |
| Flows TCP | 192.168.1.1:1063 ➝ 74.208.99.68:80 |
| Flows TCP | 192.168.1.1:1064 ➝ 204.11.56.48:80 |
| Flows TCP | 192.168.1.1:1065 ➝ 153.122.38.44:80 |
| Flows TCP | 192.168.1.1:1066 ➝ 221.143.46.17:80 |
Raw Pcap
Strings