Analysis Date: 2014-07-28 12:03:40
MD5: 17163fb9b2b7201e75b1c8351d5fc0a3
SHA1: 6e016f4370c3eefed175a4debbcb2cfe02382c45

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: df3cbd4d112e0cc508b6427e7fcad623 sha1: 2fc62ae9e568adfb69f9c1ec1fdbc4e14959a84b size: 69632
Section .data md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .rsrc md5: e8544fc4ad06f37cc328f0bc51955bd6 sha1: d86cb676b8f1aa3c17324e6f032ff5d374ca88e1 size: 4096
Timestamp: 2014-07-18 07:52:02
Version:
InternalName: mokkokojl
FileVersion: 6.01.0001
CompanyName: hyredfcvfg
ProductName: kiojnhytgfc
ProductVersion: 6.01.0001
OriginalFilename: mokkokojl.exe
Packer: Microsoft Visual Basic v5.0
PEhash: 45adb95ed93911e408349f107f1a50025e6d07d3
IMPhash: 5c8ef4c8df10b06e20217f3c53b95694
AV 360 Safe: Gen:Variant.Zusy.99880
AV Ad-Aware: Gen:Variant.Zusy.99880
AV Alwil (avast): VB-AIPZ [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Dropper.VB.18774
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanPSW.Tepfer.r3
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: no_virus
AV Eset (nod32): Win32/Injector.BIKV
AV Fortinet: W32/Tepfer.BIFQ!tr.pws
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Zusy.99880
AV Grisoft (avg): Inject2.AOLG
AV Ikarus: Trojan.Win32.Injector
AV K7: no_virus
AV Kaspersky: Trojan-PSW.Win32.Tepfer.ufdn
AV MalwareBytes: Trojan.Crypt.NKN
AV Mcafee: Dropper-FIR!17163FB9B2B7
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail
AV MicroWorld (escan): Gen:Variant.Zusy.99880
AV Norman: winpe/Troj_Generic.VAOZN
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: TROJ_FORUCON.BMC
AV VirusBlokAda (vba32): TScope.Trojan.VB

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\new-central[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\womeningold[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\momsbestfriend[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\new-central[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\momsbestfriend[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\womeningold[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: xapkexhydyha

Network Details:

HTTP POST: http://womeningold.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://momsbestfriend.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.138.105.21:25
Flows TCP: 192.168.1.1:1034 ➝ 213.192.239.166:80
Flows TCP: 192.168.1.1:1036 ➝ 72.47.228.224:80

Raw Pcap
Strings