Skip to main content

Gen.Variant.Symmi.7303_dda4cbb347


Gen:Variant.Symmi.38647 (B) (Emsisoft), Gen:Variant.Symmi.7303 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: dda4cbb34747e2dc180ab6f11266beea

SHA1: 27bc4e74745d97d3e04c8cd4cc1d320d6e259200

SHA256: 5739829c3158e7763d4beafce279051283f50f4b58d6346a73c0f2f09f2b45c6

SSDeep: 49152:CpHRmpApyWLrNSMk1MiebuqmNvdcNql6Je76hfrmiwRTf:CpYkyIrNBuqmNyNql6JOMfrg

Size: 2108928 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2014-11-03 03:24:48

Analyzed on: WindowsXPESX SP3 32-bit

Summary: Trojan-PSW. Trojan program intended for stealing users passwords.

Dynamic Analysis

Payload

Behaviour Description
EmailWormWorm can send e-mails.


Process activity

The Trojan creates the following process(es):

service_9008.exe:356

The Trojan injects its code into the following process(es):

%original file name%.exe:1724
XXM Calendare_9008.exe:1700

Mutexes

The following mutexes were created/opened:

ZonesLockedCacheCounterMutexZonesCounterMutexZonesCacheCounterMutexWininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_RasPbFileShimCacheMutex

File activity

The process %original file name%.exe:1724 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\service_9008.exe (3769 bytes)
C:\jedata.dll (88 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@163[1].txt (167 bytes)
%WinDir%\empty.exe (9 bytes)

The process service_9008.exe:356 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\XXM Software\9008\XXM Calendare_9008.exe (4545 bytes)

The process XXM Calendare_9008.exe:1700 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\SQ PlatForm\8377606110710898463 (15 bytes)
%Documents and Settings%\All Users\Application Data\SQ PlatForm\1 (2 bytes)
%Documents and Settings%\All Users\Application Data\SQ PlatForm\3 (1 bytes)
%Documents and Settings%\%current user%\Desktop\脙茠脗聬脙鈥毭偮∶兤捗偮徝冣