Gen:Variant.Symmi.38647 (B) (Emsisoft), Gen:Variant.Symmi.7303 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: dda4cbb34747e2dc180ab6f11266beea
SHA1: 27bc4e74745d97d3e04c8cd4cc1d320d6e259200
SHA256: 5739829c3158e7763d4beafce279051283f50f4b58d6346a73c0f2f09f2b45c6
SSDeep: 49152:CpHRmpApyWLrNSMk1MiebuqmNvdcNql6Je76hfrmiwRTf:CpYkyIrNBuqmNyNql6JOMfrg
Size: 2108928 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-11-03 03:24:48
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan-PSW. Trojan program intended for stealing users' passwords.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
service_9008.exe:356
The Trojan injects its code into the following process(es):
%original file name%.exe:1724
XXM Calendare_9008.exe:1700
Mutexes
The following mutexes were created/opened:
ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
RasPbFile
ShimCacheMutex
File activity
The process %original file name%.exe:1724 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\service_9008.exe (3769 bytes)
C:\jedata.dll (88 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@163[1].txt (167 bytes)
%WinDir%\empty.exe (9 bytes)
The process service_9008.exe:356 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\XXM Software\9008\XXM Calendare_9008.exe (4545 bytes)
The process XXM Calendare_9008.exe:1700 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\SQ PlatForm\8377606110710898463 (15 bytes)
%Documents and Settings%\All Users\Application Data\SQ PlatForm\1 (2 bytes)
%Documents and Settings%\All Users\Application Data\SQ PlatForm\3 (1 bytes)
%Documents and Settings%\%current user%\Desktop\脙茠脗聬脙鈥毭偮∶兤捗偮徝冣
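The hashes in the Summary and the dropped-file paths above are the indicators a responder would actually sweep a host or a mounted disk image for. The script below is an added example written for this page, not part of the Lavasoft report or its tooling: it hashes a candidate file with MD5/SHA1/SHA256 and compares against the reported digests, and checks whether the dropped files exist under a given drive root. It assumes the Windows XP default expansions of the report's placeholders (`%WinDir%` = `WINDOWS`, `%Documents and Settings%\All Users\Application Data` = `Documents and Settings\All Users\Application Data`); the per-user `%current user%` paths and the truncated Desktop entry are left out because the user name is not known from the report. The demo at the bottom builds a constructed directory tree with a harmless decoy file; it is not the sample itself.

```python
"""Host triage helper for the indicators listed in this report.
Added example; not part of the Lavasoft analysis output."""
import hashlib
import tempfile
from pathlib import Path

# File hashes reported for the analysed sample (Summary section of the report).
REPORTED_HASHES = {
    "md5": "dda4cbb34747e2dc180ab6f11266beea",
    "sha1": "27bc4e74745d97d3e04c8cd4cc1d320d6e259200",
    "sha256": "5739829c3158e7763d4beafce279051283f50f4b58d6346a73c0f2f09f2b45c6",
}

# Dropped files from the File activity section, relative to the system drive
# root so the check can be pointed at a mounted image or copied tree.
# Assumption: Windows XP default install paths for %WinDir% and
# "All Users\Application Data".
DROPPED_FILES = [
    "service_9008.exe",
    "jedata.dll",
    "WINDOWS/empty.exe",
    "Documents and Settings/All Users/Application Data/XXM Software/9008/XXM Calendare_9008.exe",
    "Documents and Settings/All Users/Application Data/SQ PlatForm/8377606110710898463",
    "Documents and Settings/All Users/Application Data/SQ PlatForm/1",
    "Documents and Settings/All Users/Application Data/SQ PlatForm/3",
]


def hash_file(path, chunk_size=1 << 20):
    """Return md5/sha1/sha256 hex digests of a file, read in chunks so large
    files do not have to fit in memory."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def matching_algorithms(path, reported=REPORTED_HASHES):
    """Names of the algorithms on which `path` matches the reported digests.
    Comparison is case-insensitive because IOC feeds mix hex cases."""
    actual = hash_file(path)
    return sorted(a for a, h in reported.items() if actual.get(a) == h.lower())


def find_dropped_files(root):
    """Return the report's dropped-file paths that exist under `root`."""
    root = Path(root)
    return [rel for rel in DROPPED_FILES if (root / rel).is_file()]


def triage(root, candidate_files=()):
    """Run both checks and return one result dict suitable for logging."""
    return {
        "dropped_files_present": find_dropped_files(root),
        "hash_matches": {str(p): matching_algorithms(p) for p in candidate_files},
    }


if __name__ == "__main__":
    # Constructed demo tree: a decoy service_9008.exe with harmless content.
    root = Path(tempfile.mkdtemp())
    decoy = root / "service_9008.exe"
    decoy.write_bytes(b"hello")
    print(triage(root, [decoy]))
```

Point `triage()` at the root of a mounted image (or `C:\` on a live XP host) and pass any suspicious executables as `candidate_files`; a dropped-file hit without a hash match still warrants a closer look, since the dropper writes different content than the 2108928-byte parent sample.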