Analysis Date: 2015-01-05 09:55:03
MD5: dd66198cb7868f4cd80386d4fbc13598
SHA1: 7915d645a35b749e3dbac583c24eba4e28792ac7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: e9dc8e352c7b6aff2e595df3f772eb62 sha1: 5a3a7ecb73a2f0736170ee9568c8b501f936e8f3 size: 1536
Section .rdata: md5: 1a885f41a8174b8e3eacb2452dbfd6c6 sha1: 8814fbffaa703470f2823c03ef61110bff27aa26 size: 512
Section .data: md5: d6844459d804b118431fd0bd8f8d0dcf sha1: a65a065fe80d588815c7f57e66e66a35e1198950 size: 512
Section .rsrc: md5: bc9b0f6aa5ed7ecb376479fd152364f1 sha1: 523e5bac91ae3b2bf4908e224c0315566489a939 size: 40448
Section .reloc: md5: 9c5cc25a737eb1fbad42d853ecf4cc08 sha1: b903f8ff2d60c434fcf429b31e1dee4392529db8 size: 512
Timestamp: 2005-09-16 03:00:56
Packer: PE Diminisher v0.1
PEhash: abb74dcd88fbb2fe0fd367b128c7fc5c374afc3f
IMPhash: 67a81aa1ff07fc9e6b40189e53d22cb9
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Zusy.56636
AV Alwil (avast): Downloader-TZE [Trj]
AV Arcabit (arcavir): Gen:Variant.Zusy.56636
AV Authentium: no_virus
AV Avira (antivir): TR/Dldr.Cutwail.BS.171
AV BullGuard: Gen:Variant.Zusy.56636
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Bulknet.1128
AV Emsisoft: Gen:Variant.Zusy.56636
AV Eset (nod32): Win32/Kryptik.BIUH
AV Fortinet: W32/Pushdo.YOY!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Zusy.56636
AV Grisoft (avg): Crypt2.ACXO
AV Ikarus: Trojan-Downloader.Win32.Cutwail
AV K7: Backdoor ( 04c529961 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Backdoor.Pushdo
AV Mcafee: Cutwail-FCTP!DD66198CB786
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Gen:Variant.Zusy.56636
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Pandex!gen3
AV Trend Micro: TROJ_SPNR.1AHQ13
AV VirusBlokAda (vba32): Backdoor.Pushdo

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\kahufkenonwo ➝ C:\Documents and Settings\Administrator\kahufkenonwo.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\stecom[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\arquiteturadigital[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\kahufkenonwo.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\vanguardpkg[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\vanguardpkg[2].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\sgprinting[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\hartmultimedia[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\childscope[1].htm
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\toddpipe[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\rewardhits[1].htm
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\agence-des-druides[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\gamblingonlinemagazine[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\selldoor[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\victoria.com[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\4pipp[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\sun-ele.co[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\wsipowerontheweb[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\asterisk.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\vanguardpkg[2].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: kahufkenonwo
Winsock DNS: rewardhits.com
Winsock DNS: childscope.com
Winsock DNS: sgprinting.ca
Winsock DNS: gamblingonlinemagazine.com
Winsock DNS: sun-ele.co.jp
Winsock DNS: wsipowerontheweb.com
Winsock DNS: victoria.com.pl
Winsock DNS: hartmultimedia.com
Winsock DNS: kamaruka.vic.edu.au
Winsock DNS: agence-des-druides.com
Winsock DNS: adultlivechat.us
Winsock DNS: vanguardpkg.com
Winsock DNS: 4pipp.com
Winsock DNS: toutenmeuse.com
Winsock DNS: selldoor.pl
Winsock DNS: toddpipe.com
Winsock DNS: arquiteturadigital.com
Winsock DNS: asterisk.com.sg
Winsock DNS: stecom.nl

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.163.152
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: smtp.live.com (Type: A)
DNS: smtp.mail.yahoo.com (Type: A)
DNS: kamaruka.vic.edu.au (Type: A)
Flows TCP: 192.168.1.1:1032 ➝ 65.55.163.152:25
Flows TCP: 192.168.1.1:1033 ➝ 63.250.193.228:25

Strings
.
.<
:6$@
6)=!
ALaw
Apply
Auto Load
Automatically start synthesize
Auto Quit
Auto Refine
Auto Save
Auto Start
Auto Uniq
Bug Tracking System(&B)
Byteswap
Cancel
Channels
CLEAR
C L E A R
Compute max time msec(default 500ms)
Config(&C)
Config File
Console(&C)
Console Window (TiMidity Win32GUI)
Debug Window (TiMidity Win32GUI)
Directory
Document
Document(&D)
Document Window (TiMidity Win32GUI)
Edit
English
E X I T
ExitProcess
Exit(&X)
File(&F)
Fkf?
Fyf?
Heaps Check
Help(&H)
INI File
Japanese
Language
Linear PCM
List Window (TiMidity Win32GUI)
Load ini file(&L)
Load Playlist(&P)
MIDI IN Device
Mono
MS Sans Serif
Not Auto Display
Not Continue
Not Drag Start
Not Looping
Online Help(&O)
Open Directory(&D)
Open File(&F)
Option
Output
Output Encoding
Output File
Player
PlayList
Play List(&L)
Popup
Port 0
Port 1
Port 2
Port 3
Port max
Precision
Preference(&P)
Process priority
Random Mode
Recursive walk
REFINE
Reload cfg file(&F)
Reload Config File
r-T@
Sample rate
Save ini file(&S)
Save Playlist as(&S)
save pos,size
Signed
Stereo
Sub Window
Supplement(&S)
Synth thread priority
SysTabControl32
Tab1
	Times New Roman
Times New Roman
TiMidity++(&T)
TiMidity++ Win32GUI
TiMidity++ Win32GUI Preference
ToolBarMain
ToolBarSubWnd
ToolbarWindow32
Tracer(&T)
Tracer Window (TiMidity Win32GUI)
uLaw
UNIQ
Unsigned
VALID
Variables Check
VERBOSITY
Version(&V)
Window
Window(&W)
Wrd tracer(&W)
0F0Q0[0e0v0{0
3$3+3O3W3`3q3
344:4@4
46/K\mV>
4MQ#T2
_4YO]3`
8'DZ{M
8H&Yl(
9a oFDJPC
9CxP6u
/9raDE~&
aDDxl<
.ap/tLB
;BG0sc
@C}5wyM
@.data
dwwBW]
;E.b(?
~f<26c
|F30W_qI
FXhB`$
gdi32.dll
GetModuleHandleA
GetObjectA
GetSystemTimeAsFileTime
>GM118|K
IG?%wEx
I"Qqb?
i'\v$2
+Jm3ea6Zp
j|tR|;
kernel32.dll
kljdhsfh398h
k,WIOO
,L.H,a
LoadImageW
LoadLibraryExA
mCU\U*
MFWL<2
mt`6ZW
NOu_W/
nU-;`'w<$|
(^+N~z
Oo&A	oauL
PLc`~0Yl
PNH}ez
p^Op"=)$
^PSW>@
`.rdata
@.reloc
Rich'gG
rzRy1]
 SAj5~
\Si_[g[
!This program cannot be run in DOS mode.
user32.dll
V7IXg0
(v =wR
|V]^y9}h
!{>=~W
WJat4}d%
(WJl&f
wk#/hSx
}+ x!7
?.^Y@O
!|_z$:
!\`[z S