Analysis Date: 2015-03-30 20:15:30
MD5: 6b8a12d8a3ac7e094b17bf61b088c9c2
SHA1: 8d617d64f08af93f67fa683651a19c1c04d9ce69

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 41d2f4b766998294995897d57556720a sha1: 5b92ba513ebe0e350f30c97e1bec01eec96cff3b size: 3072
Section .rdata md5: 433ec8d97c2f7a3015486ab1823a7028 sha1: bbda6021a0aa6bbd82a70558f430fdcfa50f3c70 size: 512
Section .data md5: c6d40db95de9e0080f3cd50e7d890993 sha1: 78038f159b137071270f739c8075828fa755f29a size: 2048
Section .rsrc md5: 24eba818cf6fc0c1012502d3e1082005 sha1: c8e515e15ffcc72cc7fb0baec23638f0f1b41042 size: 34304
Section .reloc md5: 54c8e9bdfb37f73c23fb175724bc0bc3 sha1: b6a69876a1f3edb7a1802a553e25597c71d449a6 size: 512
Section jxayhra md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 2001-01-12 02:52:16
Version:
  LegalCopyright: Copyright © 2013 Western Digital
  InternalName: wdsstool
  FileVersion: 1.0.1
  CompanyName: Western Digital
  Comments: Something Info
  ProductName: WD system tool
  ProductVersion: 1.0.1
  FileDescription: WD system tool
PEhash: 115f2bc8307b7b456deb3a3662c71e869351c783
IMPhash: 415c5ead847765e2e58f651c2e81c2c2
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Heur.Zygug.2
AV Alwil (avast): Dropper-gen [Drp]
AV Arcabit (arcavir): Gen:Heur.Zygug.2
AV Authentium: W32/SuspPack.FW.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Heur.Zygug.2
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Bulknet.893
AV Emsisoft: Gen:Heur.Zygug.2
AV Eset (nod32): Win32/Injector.AFMM
AV Fortinet: W32/Pushdo.PYD!tr.bdr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Heur.Zygug.2
AV Grisoft (avg): SHeur4.BGUF
AV Ikarus: Trojan-Downloader.Win32.Cutwail
AV K7: Trojan ( 0040f5c81 )
AV Kaspersky 2015: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Ransom
AV Mcafee: Cutwail-FBPN!6B8A12D8A3AC
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Gen:Heur.Zygug.2
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: BKDR_PUSHDO.SMK
AV VirusBlokAda (vba32): BScope.Trojan.Pushdo

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\sicasisyhifh ➝ C:\Documents and Settings\Administrator\sicasisyhifh.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\sicasisyhifh.exe
Creates File: \Device\Afd\Endpoint
Creates Mutex: sicasisyhifh

Network Details:

DNS: smtp.glbdns2.microsoft.com
  Type: A
  65.55.163.152
DNS: smtp.live.com
  Type: A
Flows TCP: 192.168.1.1:1031 ➝ 65.55.163.152:25

Strings
040904b0
1.0.1
 2013 Western Digital
Click on the sample midi file and click the play button.
Close
Comments
CompanyName
Copyright 
FileDescription
FileVersion
InternalName
LegalCopyright
MS Sans Serif
Play
ProductName
ProductVersion
Something Info
Stop
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
wdsstool
WD system tool
Western Digital
:*:0:6:<:B:
%:2c7J
3	4=4U4b4:5O5h5
>3F0!ry
/_3)g	
44;%1D
:47bHbtF`
6"@FN/
7qFs}+
84_*z*.
aX6m/Yx
C29z}'
Cgdi32.dll
CreateDCA
crxb_w
Cw 6UOA7
:CY_d{
D>	2}#
DgzeRF(
DialogBoxParamA
ExitProcess
F6AhIE
F( ed#*
;F~,J(
gdi32.dll
GetModuleHandleA
GetObjectA
GetProcAddress
gUuB-;W2
hqA0_L
,Hr/-,
;?huq 
H]YC5)X
I|[u=<
JpQ;FN
jqfa5	
jxayhra
kernel32.dll
LoadImageA
/m?)33
MessageBoxA
MT0 Z\	a:2,pPb=
mV&'n)e
M"$.x8
~nOhI9
;NTatu
-N.Tz#
&)p `ao
>PyxJ}
%)qDuy
qh,pYn
$Q++z%
.rdata
@.reloc
ry:^_`J
s",1b"
SEj!)X
SetTimer
ShowWindow
!This program cannot be run in DOS mode.
tS]v4dp
UHcu.Is
un,Q_:
user32.dll
&U.S&y4
v47`@?U
^!vcx+
VKillTimer
v\ns2f
W2BCHs
x	"hQG
/Y*C/R
Yj;Qd&
<:YOIJPD