Analysis Date: 2014-11-08 01:10:48
MD5: 76f7896672748ae446cb60ec9db9a332
SHA1: bdffa9210ae541a12afdf0cf5ff788265976e8be

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 70c63e13dc29d34a1c2efbd3e972cd70 sha1: f7bea847e91af8a31b0f8b63d6dfee7512f52636 size: 1536
Section .rdata  md5: 85b3f66e28e7a4fc7fc5cb44ceb0f87d sha1: b1cf53a6f13ed573ebf94bc06d1a98bf62a5fd37 size: 512
Section .data   md5: b2b355c3bbce21490b0b37a330ceb791 sha1: 79d94c8a1a8080c6b84ee96a693451637952edfb size: 512
Section .rsrc   md5: bfc6aad69fa760b8e6ea4fa7f41ee7ad sha1: a4cfef6460be9fa93e7ad123c56f15e4a457f8fa size: 44032
Timestamp: 2005-11-23 15:25:09
Version info (as embedded in the sample):
  LegalCopyright: Copyright © '1C' 1996-2003
  InternalName: Setup
  FileVersion: 8.0.9.32
  CompanyName: 1C
  Comments: Setup 8.0 application Russian resources
  ProductName: 1C:Platform V8.0
  ProductVersion: 8.0.9.32
  FileDescription: Setup Russian Resources
  OriginalFilename: setup.res
PEhash: c9c379a42507ca19971a4f56da15808cd01544b6
IMPhash: 693a9173996754fde14bd7972e3c1b00
AV 360 Safe: Gen:Variant.Kazy.251739
AV Ad-Aware: Gen:Variant.Kazy.251739
AV Alwil (avast): Kryptik-MXJ [Trj]
AV Arcabit (arcavir): Backdoor.Pushdo.raf
AV Authentium: W32/Trojan.ODIV-0988
AV Avira (antivir): TR/Dropper.Gen
AV BullGuard: Gen:Variant.Kazy.251739
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanDownloader.Cutwail.BS4
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Bulknet - infected, incurable
AV Emsisoft: Gen:Variant.Kazy.251739
AV Eset (nod32): Win32/Kryptik.BKWQ
AV Fortinet: W32/Pushdo.RAF!tr.bdr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.251739
AV Grisoft (avg): SHeur4.BQMT
AV Ikarus: Backdoor.Win32.Pushdo
AV K7: Trojan ( 0040f64a1 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Agent.BFG
AV Mcafee: Cutwail-FCWE!76F789667274
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS
AV MicroWorld (escan): Gen:Variant.Kazy.251739
AV Norman: Gen:Variant.Kazy.251739
AV Rising: 0x55cdb3f4
AV Sophos: no_virus
AV Symantec: Trojan.Pandex.B
AV Trend Micro: TROJ_SPNR.1AIN13
AV VirusBlokAda (vba32): Backdoor.Pushdo
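The static rows above are worth being able to reproduce by hand: per-section MD5/SHA1 over the on-disk bytes, and the COFF TimeDateStamp (2005, nine years before the analysis date, on a file whose version resource is copied from a 1C:Platform setup resource). Note the layout: 1536 bytes of .text next to 44032 bytes of .rsrc, which together with the Kryptik/Dropper.Gen vendor names points at a crypter stub carrying its payload in a resource. The script below is an added example, not part of the original report or the sandbox's code. It parses a PE section table in pure Python (no pefile dependency), hashes each section the way the report does, and applies a .text-to-.rsrc size-ratio check to the sizes listed above. The PE bytes it parses are constructed inline (a DOS stub, PE signature, COFF header with an empty optional header and two sections with a few bytes of raw data); they exercise the parser and are not a loadable executable.

```python
"""Reproduce the per-section rows of the static report (name, md5, sha1, raw
size) and the COFF compile timestamp with a minimal pure-Python PE parser,
then apply a size-ratio check to the section sizes listed in the report.

Added example, not part of the original report. The PE bytes are constructed
here: DOS stub, PE signature, COFF header with an empty optional header and
two sections with a few bytes of raw data. Enough for the parser, not a
loadable executable."""
import calendar
import datetime
import hashlib
import struct

# Raw sizes exactly as listed in the report's "Section" rows.
REPORT_SECTION_SIZES = {".text": 1536, ".rdata": 512, ".data": 512, ".rsrc": 44032}


def parse_sections(data):
    """Return (compile timestamp as 'YYYY-MM-DD HH:MM:SS' UTC, list of section dicts)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    when = datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        # first 24 bytes of the 40-byte IMAGE_SECTION_HEADER
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]   # hash the on-disk bytes, as the report does
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            "size": raw_size,
        })
    return when.strftime("%Y-%m-%d %H:%M:%S"), sections


def resource_heavy(sizes, ratio=10):
    """Heuristic: a code section dwarfed by .rsrc (here 1536 vs 44032 bytes) is the
    usual shape of a crypter stub that keeps the real payload in a resource."""
    text, rsrc = sizes.get(".text", 0), sizes.get(".rsrc", 0)
    return text > 0 and rsrc >= ratio * text


def build_sample_pe():
    """Constructed sample PE with the report's compile timestamp and two sections."""
    stamp = calendar.timegm((2005, 11, 23, 15, 25, 9, 0, 0, 0))   # 1132759509
    bodies = [(b".text", b"abc"), (b".rdata", b"hello")]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew -> right after the stub
    coff = struct.pack("<HHIIIHH", 0x14C, len(bodies), stamp, 0, 0, 0, 0x102)
    data_off = 64 + 4 + 20 + 40 * len(bodies)                    # raw data follows the section table
    table, blob = b"", b""
    for name, body in bodies:
        table += struct.pack("<8sIIII", name, len(body), 0x1000, len(body), data_off + len(blob))
        table += struct.pack("<IIHHI", 0, 0, 0, 0, 0x60000020)   # relocs, linenumbers, characteristics
        blob += body
    return bytes(dos) + b"PE\0\0" + coff + table + blob


if __name__ == "__main__":
    when, secs = parse_sections(build_sample_pe())
    print("Timestamp:", when)
    for s in secs:
        print("Section %-7s md5: %s sha1: %s size: %d" % (s["name"], s["md5"], s["sha1"], s["size"]))
    print("resource-heavy layout in the report:", resource_heavy(REPORT_SECTION_SIZES))
```

Run it against the real sample by passing `open(path, "rb").read()` to `parse_sections`; matching section hashes confirm you are looking at the same file the report describes even when the file-level hash differs (for instance after a resource-only change). The ratio check is a triage hint only: installers and resource-only DLLs legitimately have large .rsrc sections, so it should be read alongside the imports and the vendor names, not on its own.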

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\widfafocsynw ➝ C:\Documents and Settings\Administrator\widfafocsynw.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\widfafocsynw.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: widfafocsynw

Network Details:

DNS: smtp.glbdns2.microsoft.com  Type: A  ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net  Type: A  ➝ 63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net  Type: A  ➝ 98.138.105.21
DNS: smtp.mail.us.am0.yahoodns.net  Type: A  ➝ 98.139.211.125
DNS: smtp.live.com  Type: A  (no address recorded)
DNS: smtp.mail.yahoo.com  Type: A  (no address recorded)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 63.250.193.228:25
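The network behaviour is the telling part: the sandbox host resolves the public SMTP front ends of Microsoft and Yahoo (the two lookups with no address recorded are the first hop of the CNAME chains whose targets, smtp.glbdns2.microsoft.com and smtp.mail.us.am0.yahoodns.net, did resolve) and opens TCP/25 to them directly, which is what a spam engine does and matches the Cutwail/Pushdo/Pandex/Bulknet names several vendors assign above. Only the first two SYNs were captured, so whether any message was actually delivered needs the pcap. A workstation should never speak port 25 to arbitrary external MTAs; clients submit through the organisation's relay or on 587/465. The detection below is an added example, not part of the report; it runs over constructed Zeek-style flow records (the first two mirror the report, the rest are invented for contrast) and reports internal hosts, other than an assumed sanctioned relay at 192.168.1.25, that reach at least two distinct public addresses on TCP/25.

```python
"""Detect hosts behaving as spam engines: an internal workstation opening TCP/25
to several external MTAs directly, as in the report's "Network Details".

Added example, not part of the original report. Flow records are constructed
(Zeek conn.log-like fields); the relay address is an assumption."""
import ipaddress
from collections import defaultdict

# Assumed: the organisation's sanctioned outbound relay. Any other direct port-25
# egress from a workstation is policy-violating and, at volume, spam-bot behaviour.
MAIL_RELAY = ipaddress.ip_address("192.168.1.25")
THRESHOLD = 2   # distinct external MTAs before a host is reported

# Constructed: (ts, src, sport, dst, dport, proto). First two rows mirror the report.
SAMPLE_FLOWS = [
    ("2014-11-08 01:11:02", "192.168.1.1", 1031, "65.55.176.126", 25, "tcp"),
    ("2014-11-08 01:11:03", "192.168.1.1", 1032, "63.250.193.228", 25, "tcp"),
    ("2014-11-08 01:11:05", "192.168.1.1", 1033, "98.138.105.21", 25, "tcp"),
    ("2014-11-08 01:11:07", "192.168.1.7", 49152, "192.168.1.25", 25, "tcp"),   # client -> relay, fine
    ("2014-11-08 01:11:09", "192.168.1.25", 51000, "65.55.176.126", 25, "tcp"), # the relay itself, fine
    ("2014-11-08 01:11:10", "192.168.1.1", 1034, "93.184.216.34", 80, "tcp"),   # web, ignored
]


def direct_smtp_egress(flows, relay=MAIL_RELAY, threshold=THRESHOLD):
    """Return {internal_src: sorted external MTAs} for hosts other than the relay
    that opened TCP/25 to at least `threshold` distinct public addresses."""
    per_src = defaultdict(set)
    for _ts, src, _sport, dst, dport, proto in flows:
        if proto != "tcp" or dport != 25:
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not s.is_private or s == relay:
            continue          # only internal sources; the relay may talk to the world
        if d.is_private or d.is_loopback:
            continue          # internal-to-internal (client -> relay) is expected
        per_src[s].add(d)
    return {str(s): sorted(str(d) for d in ds)
            for s, ds in per_src.items() if len(ds) >= threshold}


if __name__ == "__main__":
    for host, mtas in direct_smtp_egress(SAMPLE_FLOWS).items():
        print("%s -> %d external MTAs on tcp/25: %s" % (host, len(mtas), ", ".join(mtas)))
```

Feed it conn.log rows (`ts id.orig_h id.orig_p id.resp_h id.resp_p proto`) or NetFlow exports and run it per time window. The threshold of two distinct destinations is what separates this sample's fan-out from a single misconfigured mail client; a blocked port-25 egress policy turns the same query into an alert on the SYNs alone, since a bot will keep retrying.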

Raw Pcap

Strings
Ih
..
..II
...]
041904b0
 '1C' 1996-2003
1C:Platform V8.0
 1cv8.efd 
8.0.9.32
Comments
CompanyName
Copyright 
FileDescription
FileVersion
InternalName
LegalCopyright
msctls_progress32
MS Sans Serif
MS Shell Dlg
OriginalFilename
ProductName
ProductVersion
Setup
Setup 8.0 application Russian resources
setup.res
Setup Russian Resources
StringFileInfo
TEXTINCLUDE
Translation
VarFileInfo
VS_VERSION_INFO
...W
wwggOS/3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1Vkp`	H
2ecn^,
{35~7QF
;#(42r
7Dt 5|
8do [2PkB
)^8,MtN
8/xWa4
!9CDan'k4
;[ 9mo
.}9;zFdtzE
%A$D.z
B06XEr&
C!]!L\
@.data
DQ`O14k
eSsk]|
EuA$7Cc7
/f-[\f[
fKZzNk
gdi32.dll
GetModuleFileNameA
GetModuleHandleA
GetObjectA
GetVersion
gggggggggggggggggggggggggggg
gghgg									
giiiiiiihi
GqD"z%)
^)Gri]
h								g
h																				gggg
hhheihhi
hhhgeeeeeeeeeiiii
hhhhheegh
hhhhhheegiihhhii
hhhhhhh
hhhhhhii
hhhhhi
h;kI8%
#HndSy
igegig
igeieeeeeeeeei
ig																gg
ighiii
ihg					ggghgg				h
ihhhhhhhhhhhhh
iiggeii
iihggggh
iihhhi
iihiegh
iiieei
iiihhhii
iiiihh
iiiiihhh
iiiiiiihhhhhhhhhhhhhhh
iiiiiiiihhhhh
	I@+Lk
#include "afxres.h"
iS=`kx
IsWindow
jv(6<w
)!jy*nD
k'2p%K
kernel32.dll
%/KWUF
leOj7W
LoadImageA
LoadLibraryA
nCTEWw!f<i
nW(l0i
o<[iW5
OZKLLO
QYnK%u
Qzk+d+P!
`.rdata
resource.h
~Rk<dA
rPAiybp%
rt#&?>
s=a`Us
^"sMI2
!This program cannot be run in DOS mode.
/Tu]}5
Tw?dK8
.U<>Gh
user32.dll
v2sfP}
WF-p/M
(WgEH#
wwwwwwwwwwwww{
X0p+yoT$
X^{@|6-
%z!Y%y