Analysis Date: 2014-06-29 01:07:17
MD5: bcbbecd757d6747a3ad044c9c6292ee3
SHA1: 9a427e88abfd554fec3a0ff973c63d1ced641434

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 325837a058369a0faf7a2284f3595c2f  sha1: 197bd4d7a959b864b8b1f4e2699dc0ce0ee83d04  size: 3072
Section .rdata  md5: e9ada2616715d6cb7417a16d56d71f92  sha1: e8358806dc67f0233107b51c51727c8a00623745  size: 512
Section .data   md5: 41b98b59761071f5f8d17694ed53eadc  sha1: bf5d1016c288aa9635914490cc096b68b5550bee  size: 512
Section .rsrc   md5: d41bfae19cc0be4fe0a58f988ef28f0f  sha1: f95dab147e91f71ab3a24b93a8d9fdd2f2e7ae99  size: 42496
Timestamp: 2008-11-04 12:52:20
Version info:
  LegalCopyright: Copyright © 2000-2003 Intel Corporation
  InternalName: SnifferMFC
  FileVersion: 1.2
  CompanyName: Intel Corporation
  ProductName: Intel Call Logging API
  ProductVersion: 1.2
  FileDescription: SnifferMFC - Intel Call Logging API sample application
  OriginalFilename: SnifferMFC.exe
PEhash: 5f21f470e3af82d890cc92f6e4d6d3f8e46c912f
IMPhash: 9d30e521e05aa720868d6a07d3e78d80
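The version resource above is text copied from Intel's SnifferMFC sample (the Strings section below still carries its menu text, resource.h and afxres.rc includes); it is not a signature and the report shows no Authenticode data. A 3072-byte .text section against a 42496-byte .rsrc section, with only six API names visible in the strings (GetModuleHandleA, GetProcAddress, LoadLibraryExA, GetTopWindow, LoadImageA, GetObjectW), is the profile of a crypter stub, which matters for how much weight the IMPhash carries. The following is an added example, not part of the sandbox output, showing how an import hash is derived (the pefile/Mandiant method: module name lower-cased with .dll/.ocx/.sys stripped, function name lower-cased, "module.function" joined by commas in import-table order, MD5 of the result) and a heuristic for loader-stub import tables. The import list is constructed from the API names in the strings; the real import order and completeness are unknown, so it is not expected to reproduce the IMPhash value above.

```python
import hashlib
from typing import Iterable, Sequence, Tuple, Union

# (dll name, function name or ordinal number)
Import = Tuple[str, Union[str, int]]


def canonical_import_string(imports: Iterable[Import]) -> str:
    """Build the string that gets hashed: 'module.func,module.func,...' in
    import-table order, lower-cased, with .dll/.ocx/.sys stripped from the
    module name and ordinal-only imports written as ordN. (pefile additionally
    maps well-known ordinals of ws2_32/oleaut32 to names; that table is omitted.)"""
    parts = []
    for dll, func in imports:
        mod = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if mod.endswith(ext):
                mod = mod[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{mod}.{name}")
    return ",".join(parts)


def imphash(imports: Iterable[Import]) -> str:
    """MD5 of the canonical import string, i.e. the import hash."""
    return hashlib.md5(canonical_import_string(imports).encode("utf-8")).hexdigest()


LOADLIBRARY_VARIANTS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}


def looks_like_loader_stub(imports: Sequence[Import], max_imports: int = 10) -> bool:
    """Heuristic (my own rule, not from the report): a tiny import table that
    still contains GetProcAddress plus a LoadLibrary variant is typical of a
    packer/crypter stub that resolves the payload's APIs at run time. Every
    sample wrapped by the same stub then shares one imphash, so the hash
    identifies the crypter rather than the payload family."""
    names = {str(f).lower() for _, f in imports}
    return (
        len(imports) <= max_imports
        and "getprocaddress" in names
        and bool(names & LOADLIBRARY_VARIANTS)
    )


# Constructed import list: the module and API names visible in the Strings
# section of this report. Order and completeness are assumptions.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "GetModuleHandleA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "LoadLibraryExA"),
    ("USER32.dll", "GetTopWindow"),
    ("USER32.dll", "LoadImageA"),
    ("GDI32.dll", "GetObjectW"),
]

if __name__ == "__main__":
    print(canonical_import_string(SAMPLE_IMPORTS))
    print("imphash:", imphash(SAMPLE_IMPORTS))
    print("loader stub:", looks_like_loader_stub(SAMPLE_IMPORTS))
```

Because the hash covers import order as well as names, two binaries built from the same stub source with the same linker produce the same value; for an imphash pivot on a crypted sample like this one, expect to pull in other payloads wrapped by the same crypter, not only Cutwail.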
AV 360 Safe: Backdoor.Win32.Bulknet.A
AV Ad-Aware: Gen:Variant.Kazy.262406
AV Alwil (avast): Kryptik-NAU [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Dldr.Cutwail.BS.295
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanDownloader.Cutwail.BS4
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Bulknet.1150
AV Emsisoft: Gen:Variant.Kazy.262406
AV Eset (nod32): Win32/Kryptik.BMDF
AV Fortinet: W32/Kryptik.WIC!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.262406
AV Grisoft (avg): Agent4.BFPO
AV Ikarus: Trojan.Agent4
AV K7: Trojan ( 0048c3381 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Cutwail-FCWE!BCBBECD757D6
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Gen:Variant.Kazy.262406
AV Norman: winpe/Kryptik.CCOH
AV Rising: no_virus
AV Sophos: Troj/Agent-AEEH
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): BScope.Malware-Cryptor.2814
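Reading 29 vendor labels by eye is error-prone: Kryptik (ESET and the engines licensing it) and Gen:Variant.Kazy (Bitdefender and its OEMs) name obfuscation or a heuristic bucket, not a family, and the McAfee label embeds the first twelve hex digits of the sample's MD5, i.e. it is a per-hash generic. Below is an added example, not part of the report, that summarises the table into a detection rate, a family consensus and a separate packer/heuristic tally. The labels are copied from the list above; the token classes (GENERIC, PACKER_OR_HEURISTIC) are my own grouping.

```python
import re
from collections import Counter
from typing import Callable, Dict, List, Tuple

NO_DETECTION = "no_virus"

# Copied from the AV table in this report (vendor -> label).
AV_RESULTS: Dict[str, str] = {
    "360 Safe": "Backdoor.Win32.Bulknet.A",
    "Ad-Aware": "Gen:Variant.Kazy.262406",
    "Alwil (avast)": "Kryptik-NAU [Trj]",
    "Arcabit (arcavir)": NO_DETECTION,
    "Authentium": NO_DETECTION,
    "Avira (antivir)": "TR/Dldr.Cutwail.BS.295",
    "CA (E-Trust Ino)": NO_DETECTION,
    "CAT (quickheal)": "TrojanDownloader.Cutwail.BS4",
    "ClamAV": NO_DETECTION,
    "Dr. Web": "BackDoor.Bulknet.1150",
    "Emsisoft": "Gen:Variant.Kazy.262406",
    "Eset (nod32)": "Win32/Kryptik.BMDF",
    "Fortinet": "W32/Kryptik.WIC!tr",
    "Frisk (f-prot)": NO_DETECTION,
    "F-Secure": "Gen:Variant.Kazy.262406",
    "Grisoft (avg)": "Agent4.BFPO",
    "Ikarus": "Trojan.Agent4",
    "K7": "Trojan ( 0048c3381 )",
    "Kaspersky": "Trojan.Win32.Generic",
    "MalwareBytes": "Trojan.Downloader",
    "Mcafee": "Cutwail-FCWE!BCBBECD757D6",
    "Microsoft Security Essentials": "TrojanDownloader:Win32/Cutwail.BS",
    "MicroWorld (escan)": "Gen:Variant.Kazy.262406",
    "Norman": "winpe/Kryptik.CCOH",
    "Rising": NO_DETECTION,
    "Sophos": "Troj/Agent-AEEH",
    "Symantec": NO_DETECTION,
    "Trend Micro": NO_DETECTION,
    "VirusBlokAda (vba32)": "BScope.Malware-Cryptor.2814",
}

# Threat-class, platform and vendor-prefix tokens that carry no family name.
GENERIC = {"backdoor", "trojan", "trojandownloader", "downloader", "dldr", "generic",
           "variant", "win32", "malware", "agent", "winpe", "bscope", "troj", "gen"}
# Names that denote obfuscation or a heuristic bucket rather than a bot family
# (assumption based on how these vendors use the names).
PACKER_OR_HEURISTIC = {"kryptik", "kazy", "cryptor"}


def tokens(label: str) -> List[str]:
    """Split a label on anything that is not a letter or digit."""
    return [t.lower() for t in re.split(r"[^A-Za-z0-9]+", label) if t]


def _vote(results: Dict[str, str], keep: Callable[[str], bool]) -> Counter:
    votes: Counter = Counter()
    for label in results.values():
        if label == NO_DETECTION:
            continue
        for t in set(tokens(label)):      # one vote per vendor per token
            if keep(t):
                votes[t] += 1
    return votes


def family_votes(results: Dict[str, str]) -> Counter:
    return _vote(results, lambda t: len(t) >= 4 and t.isalpha()
                 and t not in GENERIC and t not in PACKER_OR_HEURISTIC)


def packer_votes(results: Dict[str, str]) -> Counter:
    return _vote(results, lambda t: t in PACKER_OR_HEURISTIC)


def detection_rate(results: Dict[str, str]) -> Tuple[int, int]:
    return sum(1 for v in results.values() if v != NO_DETECTION), len(results)


def consensus(results: Dict[str, str], min_votes: int = 2) -> List[Tuple[str, int]]:
    """Family tokens named by at least min_votes vendors, strongest first.
    Single-vendor tokens are mostly variant suffixes (BMDF, CCOH, ...) and are dropped."""
    return sorted(((f, n) for f, n in family_votes(results).items() if n >= min_votes),
                  key=lambda x: (-x[1], x[0]))


def labels_embedding_hash(results: Dict[str, str], md5: str) -> List[str]:
    """Vendors whose label contains the sample's MD5 prefix: a per-hash generic,
    not an independent family identification."""
    return [v for v, label in results.items() if md5[:12].lower() in label.lower()]


if __name__ == "__main__":
    print("detections:", detection_rate(AV_RESULTS))
    print("family consensus:", consensus(AV_RESULTS))
    print("packer/heuristic:", packer_votes(AV_RESULTS))
    print("hash-derived labels:", labels_embedding_hash(AV_RESULTS, "bcbbecd757d6747a3ad044c9c6292ee3"))
```

For this sample the family consensus is Cutwail (four vendors) with Bulknet (two); the four Kryptik and four Kazy labels confirm the binary is crypted but say nothing about what it is.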

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ziptutveheax ➝ C:\Documents and Settings\Administrator\ziptutveheax.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\ziptutveheax.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: ziptutveheax
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: smtp.live.com (Type: A) ➝ no address recorded
DNS: smtp.mail.yahoo.com (Type: A) ➝ no address recorded
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 63.250.193.228:25
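Taken together, the runtime and network records describe one behaviour: the sample copies itself into the user profile as ziptutveheax.exe, registers that copy under the HKCU Run key, creates a mutex with the same name as its own file, resolves the SMTP front ends of Hotmail/Live and Yahoo, and opens TCP/25 to them from a workstation address. Direct-to-mail-server SMTP from an end-user host is a spam-engine indicator, consistent with the Cutwail/Bulknet labels above. The WinINet mutexes and index.dat files show WinINet being initialised, and the file under Application Data\Microsoft\Crypto\RSA is a CryptoAPI key container, so the sample touched CryptoAPI as well; the report does not show what for. The following added example, not part of the sandbox output, turns records in this shape into named indicators. The input is the report's own records transcribed into a plain "Key: value" form (constructed for the example; the sandbox does not emit this format).

```python
from typing import Dict, List, Tuple

# Constructed from the runtime and network records of this report.
REPORT = r"""
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ziptutveheax -> C:\Documents and Settings\Administrator\ziptutveheax.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement -> NULL
Creates File: C:\Documents and Settings\Administrator\ziptutveheax.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: PIPE\lsarpc
Creates Mutex: ziptutveheax
Creates Mutex: WininetConnectionMutex
DNS: smtp.glbdns2.microsoft.com A 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net A 63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net A 98.139.211.125
DNS: smtp.live.com A
Flow: TCP 192.168.1.1:1031 -> 65.55.176.126:25
Flow: TCP 192.168.1.1:1032 -> 63.250.193.228:25
"""


def parse(report: str) -> Dict:
    """Collect Run-key values, dropped files, mutexes, DNS answers (ip -> name)
    and TCP/UDP flows from 'Key: value' lines; anything else is ignored."""
    run_values: Dict[str, str] = {}
    files: List[str] = []
    mutexes: List[str] = []
    dns: Dict[str, str] = {}
    flows: List[Tuple[str, str, str, int]] = []
    for line in report.splitlines():
        key, sep, val = line.partition(": ")
        if not sep:
            continue
        if key == "Registry":
            path, _, data = val.partition(" -> ")
            if "\\currentversion\\run\\" in path.lower():
                run_values[path.rsplit("\\", 1)[-1]] = data
        elif key == "Creates File":
            files.append(val)
        elif key == "Creates Mutex":
            mutexes.append(val)
        elif key == "DNS":
            parts = val.split()
            if len(parts) == 3:          # name, type, answer; unanswered queries are skipped
                dns[parts[2]] = parts[0]
        elif key == "Flow":
            proto, src, _, dst = val.split()
            ip, port = dst.rsplit(":", 1)
            flows.append((proto, src, ip, int(port)))
    return {"run": run_values, "files": files, "mutexes": mutexes, "dns": dns, "flows": flows}


def _stem(path: str) -> str:
    """Lower-cased file name without directory or extension, for Windows paths."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def indicators(parsed: Dict) -> List[Tuple[str, str]]:
    """Derive (tag, detail) indicators. Tags are my own names, not sandbox output."""
    out: List[Tuple[str, str]] = []
    dropped = {f.lower() for f in parsed["files"]}
    # Persistence: a Run value whose data is a file the sample itself created.
    for value_name, target in parsed["run"].items():
        if target.lower() in dropped:
            out.append(("persistence", f"HKCU Run value {value_name!r} starts dropped file {target}"))
    # Infection marker: a mutex named after the dropped executable.
    stems = {_stem(f) for f in parsed["files"]}
    for m in parsed["mutexes"]:
        if m.lower() in stems:
            out.append(("infection-marker", f"mutex {m!r} named after dropped file"))
    # Spam-engine behaviour: outbound TCP/25 from the (workstation) sandbox host.
    for proto, src, ip, port in parsed["flows"]:
        if proto == "TCP" and port == 25:
            host = parsed["dns"].get(ip, "unresolved")
            out.append(("direct-smtp", f"{src} -> {ip}:25 ({host})"))
    return out


if __name__ == "__main__":
    for tag, detail in indicators(parse(REPORT)):
        print(f"{tag:17} {detail}")
```

The DNS-to-flow join is what makes the network indicator readable in a ticket: "TCP/25 to 65.55.176.126" means little, "TCP/25 to smtp.glbdns2.microsoft.com (Hotmail/Live SMTP)" does. On a real network the same three rules map onto a Run-key write to a freshly created file, a named mutex matching a dropped file, and port-25 egress from hosts that are not mail relays.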

Strings
..M
....
.
..
040904b0
 2000-2003 Intel Corporation
4ESS
5ESS
6Open another window for the active document
About4Quit the application; prompts to save documents
&About SnifferMFC...
About SnifferMFC
Activate Task List
Activate this window
&Arrange Icons
Arrange Icons/Arrange windows so they overlap
Attach voice resources
Called
CalledHDisplay Channel variable as specified by Messages up to this one
Calling
CallingFDisplay Called variable as specified by Messages up to this one
Cancel
&Cascade
Cascade Windows5Arrange windows as non-overlapping tiles
Change the window position
Change the window size
Channel
Channel,Display this Message's Trace Text\Trace Text
cl_Close
cl_DecodeTrace
cl_Open
cl_Open arguments
Close
&Close
Close the active document
cl_StartTrace
cl_StopTrace
CompanyName
Copy1Cut the selection and put it on the Clipboard
Copyright 
Create a new document
&Decode Trace
?Display program information, version number and copyright
Enlarge the window to full size"Switch to the next document window&Switch to the previous document window9Close the active window and prompts to save the documents
Erase
Erase All3Copy the selection and put it on the Clipboard
Erase everything
Erase the selection
Exit
E&xit
&File
FILE
FileDescription
FileVersion
Find
Find the specified text
HDisplay Calling variable as specified by Messages up to this one
HDLC
&Help
Insert Clipboard contents
Intel Call Logging API
Intel Corporation
InternalName
ISDN
LegalCopyright
Method:
MS Sans Serif
NET5
Network-side board:
&New	Ctrl+N
&New Window
New Window7Arrange icons at the bottom of the window
Next Pane5Switch back to the previous window pane
Open
&Open
Open an existing document
Open this document
Open this document(Switch to the next window pane
OriginalFilename
Paste
Popup
Previous Pane
ProductName
ProductVersion
Protocol:
QSIGE1
QSIGT1
Ready
Redo
Reduce the window to an icon
Repeat1Replace specific text with different text
Repeat the last action
Replace%Select the entire document
!Restore the window to normal size
Resulting pszDeviceName string:
Save0Save the active document with a new name
Save As
Save the active document
SCRL
Select All
'Show or hide the toolbar
&Sniffer
SnifferMFC
SnifferMFC Document
SnifferMFC.Document
SnifferMFC.exe
SnifferMFC Files (*.snm)
SnifferMFC - Intel Call Logging API sample application
SnifferMFCT
SnifferMFC Version 1.2
SniMFC
.snm
Split
Starting from device:
&Start Trace
&Status Bar
Stop &Trace
StringFileInfo
TEXTINCLUDE
&Tile
Tile Windows5Arrange windows as non-overlapping tiles
Tile Windows(Split the active window into panes
Toggle StatusBar
Toggle ToolBar,Show or hide the status bar
&Toolbar
Trace Text
Translation
Undo&Redo the previously undone action
Undo the last action
User-side board:
VarFileInfo
&View
VS_VERSION_INFO
&Window
3527Ic
4xWt= M
}6:bu>[
7IILmD)
8=K`XA
AeA.8mAo??
:%,aFb
B=a9mLS
*be+L(@{
cldi\~
CO@1<Q
@.data
?D=dRh0
#define _AFX_NO_OLE_RESOURCES
#define _AFX_NO_PROPERTY_RESOURCES
#define _AFX_NO_SPLITTER_RESOURCES
#define _AFX_NO_TRACKER_RESOURCES
d'NKM2
E5YC]Hm
#endif
#endif //_WIN32
&fiqlb
fM*e?b
/F&@SeD
gdi32.dll
gEBQ0k
GetModuleHandleA
GetObjectW
GetProcAddress
GetTopWindow
g _w!|
HZ,l%y
I#A)DI6
i?E-AS
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
#ifdef _WIN32
#include "afxres.h"
#include "afxres.rc"         // Standard components
#include "res\SnifferMFC.rc2"  // non-Microsoft Visual C++ edited resources
Jjb;}s
	{jjT:y
kernel32.dll
LANGUAGE 9, 1
LfH(&I
$lI'(lMY,EQ
"=lkQR
~LL6A<
LoadImageA
LoadLibraryExA
-lTiMA
m*dJTF
	MlXGJ
/N_.B7
`]Ne4t>y
NjbWVm
Nz%:+9
?o$Wmy
oy?R 6@q
P&)#|!
^PCCb!H^eOL
-pi|zn
#pragma code_page(1252)
|PT4c'
p_UEt~Y
Q;aKa2|
_.qh=-
^!QMgu
r2bpD)$2
` ~&r2F
`.rdata
rE	SBu
resource.h
SLHEMq
sX9'Qi
!This program cannot be run in DOS mode.
Tx+NB;
 .)%U?
$u9='CX
unF>1Y
!/UprV
user32.dll
vKD_5e
VR@my]
^W3ly?mO
W6{z,k
WmC"Q[
xJ0a'$
xM05PrUO
XNZG"%,w
"xY`1)
,xZ\4%
YD{v!!
Y),PCq
 Z9xrti
z">?~&B3
ZD7K^~J
ZEovN3s
ZgoRP:
ZH!da_
|Zqr^G"I