Analysis Date: 2015-10-23 07:26:38
MD5: 20d6dc179cd097081ab022998537b144
SHA1: e617045effe287f4874c12fa75ebc351b0362936

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 25b2c29484ec4c7456d08b4ef503edf5 sha1: c7f1565f9d5b3e39b2650356623a8cb379cddcb8 size: 5632
Section .rdata md5: 2aa52ae4092fa68212fa1af2d5e4c639 sha1: 43d3fa860a6b5c1058e1d8ef7a51c8eb5888f38f size: 1024
Section .data  md5: cc5849069ba3da0e051eb5307aad1351 sha1: d9eb5206f73f228a02f10ce83a39e20d84e338b4 size: 512
Section .rsrc  md5: 27c12a2006786f49a0639f36bb3cc6ca sha1: 386cce759bc01bef7d5e6587a516c07f8b8ce3c1 size: 25600
Section .reloc md5: 6537ca058d87b21b3d25129e4c07b4e3 sha1: ca6e282840e2f2444385000ebe491f0c8c392f6a size: 512
Timestamp (PE header): 2012-04-08 03:22:23
PEhash: 882b49ddedcb1ad3bf5f384d09cacd56f079ada5
IMPhash: e36bd4198019129d754cda4c0a4b171a

Note: .rsrc (25600 bytes) is several times the size of .text (5632 bytes); given the Dropper/MulDrop verdicts below, the resource section is the first place to look for an embedded payload.
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.3071
AV Dr. Web: Trojan.MulDrop3.14959
AV ClamAV: Win.Trojan.Jorik-3087
AV Arcabit (arcavir): Gen:Variant.Symmi.3071
AV BullGuard: Gen:Variant.Symmi.3071
AV Padvish: no_virus
AV VirusBlokAda (vba32): Trojan.Totem
AV CAT (quickheal): Trojan.Cutwail.AQ
AV Trend Micro: BKDR_PUSHDO.SMJ
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.Jorik.Win32.123864
AV Emsisoft: Gen:Variant.Symmi.3071
AV Ikarus: Win32.Jorik
AV Frisk (f-prot): no_virus
AV Authentium: W32/A-27f991bb!Eldorado
AV MalwareBytes: Trojan.Ransom.Gen
AV MicroWorld (escan): Gen:Variant.Symmi.3071
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BV
AV K7: no_virus
AV BitDefender: Gen:Variant.Symmi.3071
AV Fortinet: W32/CutMail.EE!tr
AV Symantec: Trojan.Gen
AV Grisoft (avg): Generic29.AKJX
AV Eset (nod32): Win32/Kryptik.ALAS
AV Alwil (avast): Jorik-NS [Trj]
AV Ad-Aware: Gen:Variant.Symmi.3071
AV Twister: Trojan.17116437DD48AB6D
AV Avira (antivir): TR/Dropper.Gen
AV Mcafee: no_virus
AV Rising: no_virus

Detections: 25 of 31 engines flag the sample; 6 report no_virus. The family-specific names agree on Cutwail/Pushdo (Trend Micro BKDR_PUSHDO.SMJ, Microsoft TrojanDownloader:Win32/Cutwail.BV, CAT Trojan.Cutwail.AQ, Fortinet W32/CutMail.EE!tr); the remaining verdicts are generic, heuristic or packer names (Symmi, Kryptik, Jorik, Trojan.Gen, TR/Dropper.Gen) and carry no family information on their own.

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\dunniscezugx ➝ C:\Documents and Settings\Administrator\dunniscezugx.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\dunniscezugx.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: dunniscezugx
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 9online.fr
Winsock DNS: 4every1.cz
Winsock DNS: 4ever-hosting.de

Notes: the sample copies itself to dunniscezugx.exe in the user's profile directory and registers that copy as an HKCU Run value, which is user-level persistence that requires no administrative rights and survives reboot for that account. The index.dat files, WininetConnectionMutex and the three c:!...! mutexes are WinINet cache artifacts created by any process that uses the WinINet API (the ProxyEnable and ProxyBypass lookups are part of the same initialisation), so they are not sample-specific indicators; the dunniscezugx mutex is. \Device\Afd\Endpoint is the Winsock socket object behind the DNS lookups and the TCP flows listed under Network Details.

Network Details:

DNS: 9online.fr  Type: A  ➝ 212.30.118.74
DNS: 4ever-hosting.de  Type: A  ➝ 194.116.186.70
Flows TCP: 192.168.1.1:1031 ➝ 212.30.118.74:443
Flows TCP: 192.168.1.1:1032 ➝ 212.30.118.74:443
Flows TCP: 192.168.1.1:1033 ➝ 194.116.186.70:443
Flows TCP: 192.168.1.1:1034 ➝ 194.116.186.70:443

Notes: each resolved host is contacted twice on TCP/443 from the sandbox client 192.168.1.1; no payload is recorded in this summary. 4every1.cz was looked up via Winsock (see Runtime Details) but no A record for it appears in the capture.
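
The runtime and network rows above are raw indicators. The following Python, added here as a worked example and not part of the sandbox report, turns them into host and network IOCs and checks constructed Sysmon-style events against them. The IOC values are copied from the report; the Event shape, the SID and profile-root normalisation rules, and the sample events are assumptions made for this example.

```python
"""
Added example (not part of the sandbox report): turn the runtime and network
rows of the report into host/network IOCs and match them against Sysmon-style
events. IOC values are from the report; everything else is illustrative.
"""
import re
from dataclasses import dataclass

# --- IOCs taken from the report ---------------------------------------------
RUN_KEY = r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\dunniscezugx"
DROPPED_EXE = r"C:\Documents and Settings\Administrator\dunniscezugx.exe"
MUTEXES = {"dunniscezugx"}          # WinINet cache mutexes deliberately excluded
DNS_NAMES = {"9online.fr", "4every1.cz", "4ever-hosting.de"}
C2_IPS = {"212.30.118.74", "194.116.186.70"}

# Sysmon (Event ID 13) writes the logged-on user's hive as HKU\<SID>\...,
# the sandbox as HKEY_CURRENT_USER\...; both must compare equal.
_HIVE_RE = re.compile(r"^(hku|hkey_users)\\s-1-5-21-[\d-]+\\")
# The sandbox ran on XP, so the profile root is C:\Documents and Settings\;
# on Vista and later it is C:\Users\. Fold both onto a %userprofile% placeholder.
_PROFILE_RE = re.compile(r"^(c:\\documents and settings|c:\\users)\\[^\\]+\\")


def normalize_reg_path(path):
    """Lower-case, fix slashes and canonicalise the current-user hive prefix."""
    p = path.strip().lower().replace("/", "\\")
    p = _HIVE_RE.sub(r"hkcu\\", p)
    p = re.sub(r"^hkey_current_user\\", r"hkcu\\", p)
    return p


def normalize_file_path(path):
    """Lower-case and replace the per-user profile directory with %userprofile%."""
    p = path.strip().lower().replace("/", "\\")
    return _PROFILE_RE.sub(r"%userprofile%\\", p)


RUN_KEY_NORM = normalize_reg_path(RUN_KEY)
DROPPED_EXE_NORM = normalize_file_path(DROPPED_EXE)


@dataclass(frozen=True)
class Event:
    """Minimal view of a host or network event (assumed log shape)."""
    kind: str          # "registry" | "file" | "mutex" | "dns" | "net"
    target: str        # registry path, file path, mutex name, FQDN or ip:port
    image: str = ""    # process that generated the event, if known


def match_event(ev):
    """Return the IOC category an event hits, or None if it matches nothing."""
    if ev.kind == "registry":
        return "persistence_run_key" if normalize_reg_path(ev.target) == RUN_KEY_NORM else None
    if ev.kind == "file":
        return "dropped_copy" if normalize_file_path(ev.target) == DROPPED_EXE_NORM else None
    if ev.kind == "mutex":
        return "mutex" if ev.target.lower() in MUTEXES else None
    if ev.kind == "dns":
        return "c2_dns" if ev.target.lower().rstrip(".") in DNS_NAMES else None
    if ev.kind == "net":
        ip, _, port = ev.target.rpartition(":")
        return "c2_tcp" if ip in C2_IPS and port == "443" else None
    return None


def scan(events):
    """Return [(event, category)] for every event that hits an IOC."""
    hits = []
    for ev in events:
        cat = match_event(ev)
        if cat is not None:
            hits.append((ev, cat))
    return hits


# Constructed sample events for this example (not from the report). The first
# five should match; the last three are benign or WinINet noise and should not.
SAMPLE_EVENTS = [
    Event("registry", r"HKU\S-1-5-21-1234567890-1234567890-1234567890-1001"
                      r"\Software\Microsoft\Windows\CurrentVersion\Run\dunniscezugx",
          r"C:\malware.exe"),
    Event("file", r"C:\Users\alice\dunniscezugx.exe", r"C:\malware.exe"),
    Event("mutex", "dunniscezugx", r"C:\Users\alice\dunniscezugx.exe"),
    Event("dns", "4ever-hosting.de.", r"C:\Users\alice\dunniscezugx.exe"),
    Event("net", "194.116.186.70:443", r"C:\Users\alice\dunniscezugx.exe"),
    Event("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"),
    Event("mutex", "WininetConnectionMutex", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    Event("dns", "example.com"),
]

if __name__ == "__main__":
    for ev, cat in scan(SAMPLE_EVENTS):
        print(f"{cat:20s} {ev.kind:9s} {ev.target}")
```

Two normalisations carry the weight here: Sysmon records the current user's hive as HKU\<SID>\... rather than HKEY_CURRENT_USER, and the profile root differs between the XP sandbox and newer Windows, so a literal comparison against the report's strings would miss both the Run value and the dropped copy. The WinINet mutexes are left out of the mutex set on purpose; matching them would flag every process that uses WinINet. The name dunniscezugx is what this run produced, and other builds of the sample may use a different one.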
