Analysis Date: 2015-02-06 15:29:19
MD5: c50dd86da1bc1d20b3b9df9cd51045fa
SHA1: c2dd3c6c6893c413b9a228627fecce0ff05a43ee

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: e00a4e2c8b4c282c7b55a547f2c20f11 sha1: 74491ab0ea2fce72de6e18f1e923e3d304dd4aee size: 3584
Section .rsrc  md5: 61ecb985a217f95341bf67477e053ed8 sha1: 72be2c93e161fcb462d226416370ccb01bd27aac size: 1536
Timestamp (PE header): 2014-09-02 11:49:07
PEhash: 1ffe3efd2776a349105676624743e5e00bd6f9ea
IMPhash: b7ca3d3af3a491d546cd668e0d9cafad
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.450993
AV Alwil (avast): Downloader-E [Trj]
AV Arcabit (arcavir): Gen:Variant.Kazy.450993
AV Authentium: W32/Downloader.FCTL-6744
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Variant.Kazy.450993
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoad3.33474
AV Emsisoft: Gen:Variant.Kazy.450993
AV Eset (nod32): Win32/TrojanDownloader.Elenoocka.A
AV Fortinet: W32/Elenoocka.A!tr.dldr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.450993
AV Grisoft (avg): Win32/Heri
AV Ikarus: no_virus
AV K7: no_virus
AV Kaspersky: Trojan-Downloader.Win32.Cabby.cekm
AV MalwareBytes: no_virus
AV Mcafee: Downloader-FAOK!C50DD86DA1BC
AV Microsoft Security Essentials: TrojanDownloader:Win32/Dalexis.A
AV MicroWorld (escan): Gen:Variant.Kazy.450993
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: TROJ_DALEXIS.YUW
AV VirusBlokAda (vba32): no_virus
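
The per-section md5/sha1/size values and the header timestamp in Static Details are straightforward to recompute from a PE file with the standard library alone, which is useful when re-checking a report against a sample you hold locally. The block below is an added example, not part of the sandbox output: it walks the COFF header and section table, hashes each section's on-disk bytes, and decodes TimeDateStamp. It runs on a minimal two-section PE built by build_sample_pe() (a constructed image that reuses the report's section sizes and timestamp value, not the analysed sample), so the hashes it prints are not the report's.

```python
"""Recompute the values in Static Details (per-section md5/sha1/size and the
COFF header timestamp) with the standard library only.  Added example, not
sandbox output: it runs on a minimal two-section PE built by build_sample_pe(),
not on the analysed sample, so the hashes it prints are not the report's."""
import hashlib
import struct
from datetime import datetime, timezone

COFF_HDR = "<HHIIIHH"         # IMAGE_FILE_HEADER (20 bytes)
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER (40 bytes)


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _coff_offset(pe: bytes) -> int:
    """Offset of IMAGE_FILE_HEADER, after validating the MZ and PE signatures."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4


def pe_timestamp(pe: bytes) -> str:
    """TimeDateStamp as 'YYYY-MM-DD HH:MM:SS' UTC.  The linker writes it and
    anyone can rewrite it, so treat it as a pivot, not as proof of build time."""
    ts = struct.unpack_from(COFF_HDR, pe, _coff_offset(pe))[2]
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def section_hashes(pe: bytes) -> dict:
    """{name: {"md5", "sha1", "size"}} over each section's on-disk bytes.
    A section whose raw data runs past end of file is hashed as far as it
    exists, so 'size' can be smaller than its SizeOfRawData."""
    coff = _coff_offset(pe)
    hdr = struct.unpack_from(COFF_HDR, pe, coff)
    nsections, opt_size = hdr[1], hdr[5]
    table = coff + 20 + opt_size            # section table follows the optional header
    out = {}
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(SECTION_HDR, pe, table + i * 40)[:5]
        data = pe[raw_ptr:raw_ptr + raw_size]
        out[name.rstrip(b"\0").decode("ascii", "replace")] = {
            "md5": md5hex(data),
            "sha1": hashlib.sha1(data).hexdigest(),
            "size": len(data),
        }
    return out


# Constructed sample image: the report's section sizes and Timestamp value,
# arbitrary contents.  Not the analysed binary.
SAMPLE_TEXT = b"\xcc" * 3584
SAMPLE_RSRC = b"\x00" * 1536
SAMPLE_TIMESTAMP = 1409658547  # 2014-09-02 11:49:07 UTC


def build_sample_pe() -> bytes:
    """Minimal PE32: DOS header, PE signature, COFF header, zeroed optional
    header, two section headers, raw data at 0x200 (.text) and after it (.rsrc)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 222         # PE32 magic, rest zero
    coff = struct.pack(COFF_HDR, 0x14C, 2, SAMPLE_TIMESTAMP, 0, 0, len(opt), 0x0102)

    def sect(name, va, data, raw_ptr, flags):
        return struct.pack(SECTION_HDR, name, len(data), va, len(data), raw_ptr, 0, 0, 0, 0, flags)

    text_ptr = 0x200
    rsrc_ptr = text_ptr + len(SAMPLE_TEXT)
    headers = (dos + b"PE\0\0" + coff + opt
               + sect(b".text", 0x1000, SAMPLE_TEXT, text_ptr, 0x60000020)   # code|exec|read
               + sect(b".rsrc", 0x2000, SAMPLE_RSRC, rsrc_ptr, 0x40000040))  # idata|read
    return headers.ljust(text_ptr, b"\0") + SAMPLE_TEXT + SAMPLE_RSRC


if __name__ == "__main__":
    sample = build_sample_pe()
    print("Timestamp:", pe_timestamp(sample))
    for name, h in section_hashes(sample).items():
        print(f"Section {name} md5: {h['md5']} sha1: {h['sha1']} size: {h['size']}")
```

Replace build_sample_pe() with the bytes of a real file to compare against a report line by line; a mismatch on a section hash with an identical file MD5 usually means the tool hashed the section's virtual rather than raw extent.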

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\c2dd3c6c6893c413b9a228627fecce0ff05a43ee.rtf
Creates File: PIPE\wkssvc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\temp_cab_74296.cab
Creates Process: "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Documents and Settings\Administrator\Local Settings\Temp\c2dd3c6c6893c413b9a228627fecce0ff05a43ee.rtf"
Creates Mutex: 63197410
Winsock DNS: windowsupdate.microsoft.com

Process
↳ "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Documents and Settings\Administrator\Local Settings\Temp\c2dd3c6c6893c413b9a228627fecce0ff05a43ee.rtf"

Creates Mutex: CTF.TimListCache.FMPDefaultS-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500MUTEX.DefaultS-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500
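
The runtime trace above is the classic decoy pattern: the dropper writes an .rtf (the Strings section carries a resource named Invoice.rtf and the FindResourceA/LockResource imports to extract it) and a .cab into %TEMP%, opens the .rtf in WORDPAD.EXE so the victim sees a document, and creates a fixed mutex whose name (63197410) also appears verbatim in the binary's strings. The block below is an added detection example, not part of the sandbox output: EVENTS is transcribed from the Runtime Details lines above, the file-name templates come from the Strings section (%stemp_cab_%d.cab, %supdate_%d.exe), and the rule names and verdict threshold are this example's own choices.

```python
"""Detection logic for the drop-and-open lure behaviour recorded in the Runtime
Details: the sample writes an .rtf and a .cab into %TEMP%, launches WORDPAD.EXE
on the .rtf and creates a fixed numeric mutex.  Added example, not sandbox
output: EVENTS is transcribed from this report, FORMAT_STRINGS from its Strings
section, and the rule names and verdict threshold are this example's."""
import re

TEMP_DIR = r"C:\Documents and Settings\Administrator\Local Settings\Temp"
RTF = TEMP_DIR + r"\c2dd3c6c6893c413b9a228627fecce0ff05a43ee.rtf"
WORDPAD = r"C:\Program Files\Windows NT\Accessories\WORDPAD.EXE"

# (process, event, value) as listed in the report
EVENTS = [
    (r"C:\malware.exe", "Creates File", RTF),
    (r"C:\malware.exe", "Creates File", r"PIPE\wkssvc"),
    (r"C:\malware.exe", "Creates File", r"\Device\Afd\Endpoint"),
    (r"C:\malware.exe", "Creates File", r"\Device\Afd\AsyncConnectHlp"),
    (r"C:\malware.exe", "Creates File", TEMP_DIR + r"\temp_cab_74296.cab"),
    (r"C:\malware.exe", "Creates Process", f'"{WORDPAD}" "{RTF}"'),
    (r"C:\malware.exe", "Creates Mutex", "63197410"),
    (WORDPAD, "Creates Mutex",
     "CTF.TimListCache.FMPDefaultS-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500"
     "MUTEX.DefaultS-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500"),
]

# printf templates from the Strings section; %s is the GetTempPathW prefix
FORMAT_STRINGS = ["%stemp_cab_%d.cab", "%supdate_%d.exe"]


def format_to_regex(fmt: str):
    """Compile a printf-style template into an anchored, case-insensitive regex:
    %s matches any text (the directory), %d a run of digits, the rest literally."""
    body = "".join(
        ".*" if tok == "%s" else r"\d+" if tok == "%d" else re.escape(tok)
        for tok in re.split(r"(%[sd])", fmt)
    )
    return re.compile("^" + body + "$", re.IGNORECASE)


TEMPLATE_RES = [format_to_regex(f) for f in FORMAT_STRINGS]
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


def analyse(events) -> dict:
    """Return {process: {"findings": [...], "verdict": bool}} for every process."""
    per_proc = {}
    for proc, kind, value in events:
        per_proc.setdefault(proc, []).append((kind, value))

    results = {}
    for proc, evs in per_proc.items():
        files = [v for k, v in evs if k == "Creates File"]
        children = [v for k, v in evs if k == "Creates Process"]
        mutexes = [v for k, v in evs if k == "Creates Mutex"]
        findings = []

        temp_rtfs = [f for f in files if TEMP_RE.search(f) and f.lower().endswith(".rtf")]
        if temp_rtfs:
            findings.append("rtf-dropped-in-temp")
        # the decoy only counts if the dropper itself opens the file it just wrote
        if any("wordpad.exe" in c.lower() and any(r.lower() in c.lower() for r in temp_rtfs)
               for c in children):
            findings.append("wordpad-opens-dropped-rtf")
        if any(rx.match(f) for f in files for rx in TEMPLATE_RES):
            findings.append("temp-file-matches-format-string")
        # 63197410 also appears verbatim in the Strings section: a hard-coded,
        # purely numeric mutex name is a usable host IOC
        if any(m.isdigit() for m in mutexes):
            findings.append("hardcoded-numeric-mutex")

        results[proc] = {
            "findings": findings,
            # the lure alone is not enough; require the drop chain plus one IOC-grade hint
            "verdict": {"rtf-dropped-in-temp", "wordpad-opens-dropped-rtf"} <= set(findings)
            and len(findings) >= 3,
        }
    return results


if __name__ == "__main__":
    for proc, r in analyse(EVENTS).items():
        print(f"{proc}: {'SUSPICIOUS' if r['verdict'] else 'clean'} {r['findings']}")
```

The WORDPAD.EXE child only creates the two standard Windows text-framework mutexes and is left clean; the format-string regexes are what let the rule generalise past the single observed name temp_cab_74296.cab to any temp_cab_<n>.cab or update_<n>.exe the next run produces.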

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
191.232.80.55
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.157
DNS: windowsupdate.microsoft.com
Type: A
HTTP GET: http://windowsupdate.microsoft.com/
User-Agent: Opera/9.25 (Windows NT 6.0; U; cn)
Flows TCP: 192.168.1.1:1031 ➝ 191.232.80.55:80
Flows TCP: 192.168.1.1:1032 ➝ 65.55.50.157:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4f706572   User-Agent: Oper
0x00000020 (00032)   612f392e 32352028 57696e64 6f777320   a/9.25 (Windows 
0x00000030 (00048)   4e542036 2e303b20 553b2063 6e290d0a   NT 6.0; U; cn)..
0x00000040 (00064)   486f7374 3a207769 6e646f77 73757064   Host: windowsupd
0x00000050 (00080)   6174652e 6d696372 6f736f66 742e636f   ate.microsoft.co
0x00000060 (00096)   6d0d0a43 6f6e6e65 6374696f 6e3a2043   m..Connection: C
0x00000070 (00112)   6c6f7365 0d0a0d0a                     lose....
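
The only request in the capture is a bare GET / to windowsupdate.microsoft.com with the hard-coded User-Agent from the Strings section, while the payload URLs (the three djigo.tar.gz hosts) are never contacted in this run. The block below is an added example, not part of the sandbox output: it rebuilds the request bytes from the Raw Pcap hex dump above (RAW_PCAP is copied verbatim from it), refuses dumps whose offsets are gapped or reordered, parses the result as an HTTP request and scores it against the beacon characteristics the report exposes. KNOWN_UA is the literal from the Strings section; the indicator names are this example's own.

```python
"""Rebuild the request bytes from the Raw Pcap hex dump, parse them as an HTTP
request and score them against the beacon characteristics this report exposes.
Added example, not sandbox output: RAW_PCAP is copied from the Raw Pcap section,
KNOWN_UA from the Strings section; the indicator names are this example's own."""
import re

RAW_PCAP = """\
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4f706572   User-Agent: Oper
0x00000020 (00032)   612f392e 32352028 57696e64 6f777320   a/9.25 (Windows
0x00000030 (00048)   4e542036 2e303b20 553b2063 6e290d0a   NT 6.0; U; cn)..
0x00000040 (00064)   486f7374 3a207769 6e646f77 73757064   Host: windowsupd
0x00000050 (00080)   6174652e 6d696372 6f736f66 742e636f   ate.microsoft.co
0x00000060 (00096)   6d0d0a43 6f6e6e65 6374696f 6e3a2043   m..Connection: C
0x00000070 (00112)   6c6f7365 0d0a0d0a                     lose....
"""

KNOWN_UA = "Opera/9.25 (Windows NT 6.0; U; cn)"

# "0x<hex offset> (<decimal offset>)   <hex words>   <ascii column>"; the hex field
# ends at the first run of three or more spaces, so the ASCII column is never read.
DUMP_LINE = re.compile(r"^0x([0-9a-fA-F]+)\s+\(\d+\)\s+(.*?)(?:\s{3,}|$)")


def hexdump_to_bytes(dump: str) -> bytes:
    """Concatenate the hex words of every dump line, checking each line's offset
    equals the number of bytes already recovered (catches gaps and reordering)."""
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue                        # blank or non-dump line
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"offset 0x{offset:x} does not follow 0x{len(out):x}")
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)


def parse_http_request(raw: bytes) -> dict:
    """Split an HTTP/1.x request into request line and a lower-cased header dict."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request is not terminated by an empty line")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def beacon_indicators(req: dict) -> list:
    """Names of the report-derived traits the request exhibits, in fixed order."""
    hits = []
    h = req["headers"]
    if h.get("user-agent") == KNOWN_UA:
        hits.append("ua-opera-9.25-cn")              # literal present in the binary
    if req["target"] == "/" and h.get("host", "").endswith("windowsupdate.microsoft.com"):
        hits.append("windowsupdate-root-probe")      # GET / against a Microsoft host
    if set(h) == {"user-agent", "host", "connection"}:
        hits.append("minimal-header-set")            # no Accept*/Accept-Language at all
    return hits


if __name__ == "__main__":
    request = parse_http_request(hexdump_to_bytes(RAW_PCAP))
    print(request["method"], request["target"], request["headers"])
    print("indicators:", beacon_indicators(request))
```

Against live traffic, feed the TCP payload straight into parse_http_request and skip the dump step. The User-Agent is the strongest single match: it is static in the binary, it claims Windows NT 6.0 while the sandbox paths in Runtime Details are XP-style, and a browser would have sent Accept headers alongside it.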


Strings
a%s%s.%s
ax-m.fr/images-box/djigo.tar.gz
congresfnosad2013-aixlesbains.fr/tmp/djigo.tar.gz
DATA
kranendijk-domotica.nl/request/djigo.tar.gz
Opera/9.25 (Windows NT 6.0; U; cn)
%stemp_cab_%d.cab
%supdate_%d.exe
windowsupdate.microsoft.com/
%+0D?)7
63197410
CloseHandle
CreateFileW
CreateMutexA
DeleteFileW
Error code #%d
ExitProcess
FindResourceA
GetLastError
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetTempPathW
GetTickCount
{hQM"}
Invoice.rtf
jP^SSSSh(
KERNEL32.dll
LoadLibraryA
LoadResource
LockResource
lstrlenW
MessageBoxA
SETUPAPI.DLL
SetupIterateCabinetW
<S\"GSY"FSO"GSPZ
SHELL32.DLL
ShellExecuteW
SHLWAPI.DLL
SizeofResource
SSSQhp
SSSSSSV
StrStrIW
SX"GSGp
SX"GSPZ
SX"GSRichY"GS
USER32.dll
VirtualAlloc
VirtualFree
WinHttpConnect
WINHTTP.DLL
WinHttpOpen
WinHttpOpenRequest
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpSetOption
wnsprintfA
wnsprintfW
WriteFile
.X'TN|p 
Y"GSY"GSY"GS~