Analysis Date: 2015-08-22 07:02:27
MD5: e7c31fcacd7b9bb15fb6de0d29a07d6b
SHA1: 5ec6b7bceb0279e18ecc50076fc0a9e3c74c7ad9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: fb1de71b8e4dc1cadd3a1dfb6355fd1a sha1: 86fc842fe5cc629733546626daf96bd14b00da23 size: 1024
Section .rdata md5: 5e001465d8cd3c885bc984c952e08cb6 sha1: 32ee3ee5d774fd02de6c2a88102ae2ee5e5e4e06 size: 1024
Section .data  md5: fc7eb756c1f4b17f16449816cc3cec81 sha1: 2617518e49202d532dae1af9ba05aecfefd1e75b size: 512
Section .rsrc  md5: c94ccb1cb9b65cd920748f0c486bcebd sha1: 9fd0951d72ba87dc208af495868f37498ca8e4eb size: 58368
Timestamp: 2014-06-26 11:39:44
PEhash: f13de80a8e0ee698bbf613cc72d0cfdb65aee45e
IMPhash: 4ca0a0adb97211d9334271ded971bdde
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.327123
AV Dr. Web: Trojan.MulDrop3.14959
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.327123
AV BullGuard: Gen:Variant.Kazy.327123
AV Padvish: no_virus
AV VirusBlokAda (vba32): Trojan.Cutwail
AV CAT (quickheal): Trojan.Cutwail.r4
AV Trend Micro: TROJ_CUTWAIL.SM0
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.Cutwail.Win32.168
AV Emsisoft: Gen:Variant.Kazy.327123
AV Ikarus: Trojan.Win32.Cutwail
AV Frisk (f-prot): no_virus
AV Authentium: no_virus
AV MalwareBytes: Trojan.Agent.US
AV MicroWorld (escan): Gen:Variant.Kazy.327123
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV K7: no_virus
AV BitDefender: Gen:Variant.Kazy.327123
AV Fortinet: W32/Kryptik.CFFF!tr
AV Symantec: no_virus
AV Grisoft (avg): Agent
AV Eset (nod32): Win32/Kryptik.CFFF
AV Alwil (avast): Cutwail-CM [Trj]
AV Ad-Aware: Gen:Variant.Kazy.327123
AV Twister: no_virus
AV Avira (antivir): TR/Dropper.Gen
AV Mcafee: Downloader-FAKU!E7C31FCACD7B
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\siskuxordese ➝ C:\Documents and Settings\Administrator\siskuxordese.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mauigiftbaskets[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\weru.co[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\casamolina[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\new-central[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\womeningold[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mpccontainment[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\1cashmere[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\fhgc[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\interstatepartners[1].htm
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tadashichi[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lotcottages[1].htm
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\magi-cat[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\petrus-kirche[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\gsprinters[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\allisoriginals[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tuchikawa-soba[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\dukecom[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\einus[1].htm
Creates File: C:\Documents and Settings\Administrator\siskuxordese.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\southamerica-photo[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\hirose-aa[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\plastivan[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mauigiftbaskets[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\weru.co[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\casamolina[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\new-central[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\womeningold[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mpccontainment[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\1cashmere[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\fhgc[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\interstatepartners[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tadashichi[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lotcottages[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\magi-cat[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\petrus-kirche[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\tuchikawa-soba[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\allisoriginals[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\gsprinters[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\dukecom[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\einus[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\southamerica-photo[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\hirose-aa[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\plastivan[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: siskuxordese
Winsock DNS: gsprinters.com
Winsock DNS: magi-cat.org
Winsock DNS: einus.net
Winsock DNS: mauigiftbaskets.com
Winsock DNS: casamolina.com
Winsock DNS: tuchikawa-soba.com
Winsock DNS: fhgc.com
Winsock DNS: petrus-kirche.ch
Winsock DNS: southamerica-photo.com
Winsock DNS: 1cashmere.com
Winsock DNS: allisoriginals.com
Winsock DNS: tadashichi.com
Winsock DNS: interstatepartners.com
Winsock DNS: weru.co.jp
Winsock DNS: mpccontainment.com
Winsock DNS: dukecom.com
Winsock DNS: plastivan.pl
Winsock DNS: womeningold.com
Winsock DNS: hirose-aa.com
Winsock DNS: lotcottages.com
Winsock DNS: new-central.com

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.176.126
DNS: smtp.mail.global.gm0.yahoodns.net (Type: A) ➝ 63.250.193.228
DNS: smtp.mail.global.gm0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: smtp.mail.global.gm0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: mpccontainment.com (Type: A) ➝ 198.170.74.105
DNS: dukecom.com (Type: A) ➝ 199.230.54.140
DNS: petrus-kirche.ch (Type: A) ➝ 80.74.155.167
DNS: plastivan.pl (Type: A) ➝ 62.129.197.22
DNS: lotcottages.com (Type: A) ➝ 54.231.141.10
DNS: interstatepartners.com (Type: A) ➝ 69.73.180.18
DNS: mauigiftbaskets.com (Type: A) ➝ 198.154.239.214
DNS: tadashichi.com (Type: A) ➝ 157.7.183.121
DNS: tuchikawa-soba.com (Type: A) ➝ 203.189.104.205
DNS: allisoriginals.com (Type: A) ➝ 64.85.170.150
DNS: new-central.com (Type: A) ➝ 211.10.2.122
DNS: weru.co.jp (Type: A) ➝ 49.212.180.217
DNS: gsprinters.com (Type: A) ➝ 192.185.169.161
DNS: southamerica-photo.com (Type: A) ➝ 89.161.171.117
DNS: womeningold.com (Type: A) ➝ 141.8.226.14
DNS: fhgc.com (Type: A) ➝ 64.90.41.75
DNS: magi-cat.org (Type: A) ➝ 74.208.99.68
DNS: 1cashmere.com (Type: A) ➝ 204.11.56.48
DNS: hirose-aa.com (Type: A) ➝ 153.122.38.44
DNS: einus.net (Type: A) ➝ 221.143.46.17
DNS: smtp.live.com (Type: A)
DNS: smtp.mail.yahoo.com (Type: A)
HTTP POST: http://dukecom.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://mpccontainment.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://lotcottages.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://petrus-kirche.ch/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://plastivan.pl/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://interstatepartners.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://mauigiftbaskets.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://tadashichi.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://tuchikawa-soba.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://allisoriginals.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://new-central.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://weru.co.jp/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://gsprinters.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://southamerica-photo.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://womeningold.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://fhgc.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://1cashmere.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://magi-cat.org/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://hirose-aa.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://einus.net/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 63.250.193.228:25
Flows TCP: 192.168.1.1:1034 ➝ 199.230.54.140:80
Flows TCP: 192.168.1.1:1040 ➝ 198.170.74.105:80
Flows TCP: 192.168.1.1:1044 ➝ 54.231.141.10:80
Flows TCP: 192.168.1.1:1045 ➝ 80.74.155.167:80
Flows TCP: 192.168.1.1:1046 ➝ 62.129.197.22:80
Flows TCP: 192.168.1.1:1047 ➝ 69.73.180.18:80
Flows TCP: 192.168.1.1:1053 ➝ 198.154.239.214:80
Flows TCP: 192.168.1.1:1054 ➝ 157.7.183.121:80
Flows TCP: 192.168.1.1:1055 ➝ 203.189.104.205:80
Flows TCP: 192.168.1.1:1056 ➝ 64.85.170.150:80
Flows TCP: 192.168.1.1:1057 ➝ 211.10.2.122:80
Flows TCP: 192.168.1.1:1058 ➝ 49.212.180.217:80
Flows TCP: 192.168.1.1:1059 ➝ 192.185.169.161:80
Flows TCP: 192.168.1.1:1060 ➝ 89.161.171.117:80
Flows TCP: 192.168.1.1:1061 ➝ 141.8.226.14:80
Flows TCP: 192.168.1.1:1062 ➝ 64.90.41.75:80
Flows TCP: 192.168.1.1:1063 ➝ 74.208.99.68:80
Flows TCP: 192.168.1.1:1064 ➝ 204.11.56.48:80
Flows TCP: 192.168.1.1:1065 ➝ 153.122.38.44:80
Flows TCP: 192.168.1.1:1066 ➝ 221.143.46.17:80
