Trojan.Win32.Cutwail.cks (Kaspersky), Trojan.Win32.Cutwail (VIPRE), Gen:Variant.Zusy.84257 (B) (Emsisoft), Gen:Variant.Zusy.84257 (AdAware), GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 2f1fdfb4b528feda34b92a938f9d537b
SHA1: 19f10fab361ec4ac5e20b725cb25449ef3078748
SHA256: d52932b4dee4bb8e88c6b19d221f0c3fe1d29da9cfa9d378f9d203a1750ef87e
SSDeep: 768:1hUt3mlfaZSr4H5pU0WXTBTumE1vmeMbiHvwcman D3 byte6haOE6Z1:1hUtqro5u0gBqhvpvwcmTCbyte3OdZ1
Size: 59392 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-02-27 13:20:41
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
CTFMON.EXE:296
The Trojan injects its code into the following process(es):
%original file name%.exe:160
File activity
The process %original file name%.exe:160 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\easyformations[1].htm (19245 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\momonophoto[1].htm (17270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\robertmcintyre.com[1].htm (14774 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigtopmultimedia[1].txt (125 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\sydney[1].htm (18938 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\solutioncorp[1].htm (46313 bytes)
%Documents and Settings%\%current user%\cabwulvycamy.exe (59392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\fraser-high.school[2].htm (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\kamaruka.vic.edu[1].htm (30346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\violadagamba[1].htm (16078 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\empordalia[1].htm (10118 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@fujino-lab[1].txt (134 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\index[1].htm (24757 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\home[1].htm (13470 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@totalearthcare.com[1].txt (126 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@4pipp[1].txt (114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\bigtopmultimedia[1].htm (848 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@appelfarm[1].txt (118 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigjohnsbeefjerky[1].txt (126 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@golfpark-moossee[1].txt (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\combine.or[1].htm (1255 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doctsf[1].txt (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\yamamoto-sr[1].htm (10271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\biurimex[1].htm (3966 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@graceweb[1].txt (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\theprintinghouseltd.co[1].htm (10181 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doctsf[2].txt (159 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@freepatentauction[1].txt (93 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@screaminpeach[1].txt (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\brijindia[1].htm (28403 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@neurotoxininstitute[1].txt (128 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cbsprinting.com[1].txt (123 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@graintrain[2].txt (280 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\suspendedpage[1].htm (3639 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@genmar.gen[1].txt (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\hostphd.com[1].htm (24588 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@graintrain[1].txt (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\search[1].htm (62920 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@altonhousehotel[1].txt (124 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@glmghotels[1].txt (119 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[3].txt (331 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[1].txt (81 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@traderush[1].txt (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\teasing-video[1].htm (47973 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.patentauction[1].txt (93 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\urantiaproject[1].htm (2189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\robertmcintyre.com[2].htm (14774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\sortedorganizing[1].htm (4747 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\budbad[1].htm (19741 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (136 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@malagacorp[1].txt (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\lexjuridica[1].htm (3979 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@telenavis[1].txt (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\wkhk[1].htm (27105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\teknorhino[1].htm (24401 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\photoclubs[1].htm (57448 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\woodlandhillwinery[1].htm (622 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (356352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\fraser-high.school[1].htm (759 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@westhillsstl[1].txt (121 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sarahdavid[1].txt (119 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-606747145-1060284298-839522115-1004\c5b88721db08c824db69d0bbc702beb8_3fee1f9f-d02d-4fef-b156-d6ca90eade2d (2136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\redconeretreat[1].htm (27538 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\slcago[1].htm (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\teasing-video[1].htm (53807 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\easyformations[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\robertmcintyre.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\kamaruka.vic.edu[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\violadagamba[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\empordalia[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\index[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\home[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\biurimex[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\budbad[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\combine.or[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doctsf[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\yamamoto-sr[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\theprintinghouseltd.co[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\brijindia[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@graintrain[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\teasing-video[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\urantiaproject[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\robertmcintyre.com[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\woodlandhillwinery[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\fraser-high.school[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\lexjuridica[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\hostphd.com[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\momonophoto[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\redconeretreat[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\slcago[1].htm (0 bytes)
Registry activity
The process %original file name%.exe:160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"cabwulvycamyzap" = "B0 6F A1 D3 92 C4 F6 B5 E7 1A D8 0B 3D 6F 2E 60"
"AppManagement" = "4C 0B 3D FB 2E EC 1F 51 10 42 01 33 65 24 56 15"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 BD 47 96 9D 6B 03 33 55 31 3F 85 3A 54 89 15"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cabwulvycamy" = "%Documents and Settings%\%current user%\cabwulvycamy.exe"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process CTFMON.EXE:296 makes changes in the system registry.
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://link-list-uk.com/ | 91.109.14.224 |
| hxxp://bocr.cz/ | 217.198.113.104 |
| hxxp://floridadoubled.com/ | 64.59.81.104 |
| hxxp://teasing-video.com/ | 99.192.154.182 |
| hxxp://business-edge.com/ | 69.64.85.11 |
| hxxp://xing-group.com/ | 59.106.165.171 |
| hxxp://e-storming.com/ | 91.121.66.183 |
| hxxp://neurotoxininstitute.com/ | 190.93.243.134 |
| hxxp://nori-k.com/ | 210.172.144.24 |
| hxxp://d-j-b.net/ | 210.172.144.247 |
| hxxp://vbwgz.com/ | 204.13.64.180 |
| hxxp://topex.ro/ | 193.226.61.45 |
| hxxp://dithd.com/ | 216.177.135.4 |
| hxxp://miltinio-teatras.lt/ | 92.61.39.244 |
| hxxp://sspackaginggroup.com/ | 192.206.4.119 |
| hxxp://digpro.se/ | 89.221.250.12 |
| hxxp://sullyfrance.com/ | 216.8.179.23 |
| hxxp://y8k6h.x.incapdns.net/ | |
| hxxp://unslp.edu.bo/ | 50.28.58.0 |
| hxxp://robertmcintyre.com.au/ | 199.73.58.66 |
| hxxp://genmar.gen.tr/ | 108.162.197.71 |
| hxxp://macgregor.co.kr/ | 14.63.168.164 |
| hxxp://thesergery.com/ | 202.47.95.44 |
| hxxp://gamblingonlinemagazine.com/ | 198.1.90.242 |
| hxxp://osouji-school.com/ | 211.13.204.89 |
| hxxp://kvadratoff.ru/ | 188.93.212.32 |
| hxxp://courtney.ca/ | 67.223.102.97 |
| hxxp://ryumachi-jp.com/ | 111.68.174.253 |
| hxxp://trinity-works.com/ | 219.94.206.70 |
| hxxp://lexjuridica.com/ | 176.28.103.205 |
| hxxp://nd-evenementiel.com/ | 79.98.23.30 |
| hxxp://naijagurus.com/ | 192.64.112.193 |
| hxxp://empordalia.com/ | 5.56.61.199 |
| hxxp://appelfarm.org/ | 162.159.247.49 |
| hxxp://yamamoto-sr.com/ | 49.212.235.209 |
| hxxp://rea-soft.ru/ | 78.47.135.34 |
| hxxp://telenavis.com/ | 108.162.199.13 |
| hxxp://buzzkillmedia.com/ | 173.201.140.128 |
| hxxp://redconeretreat.com/ | 173.204.163.136 |
| hxxp://hinnenwiese.de/ | 85.13.146.133 |
| hxxp://cbsprinting.com.au/ | 162.159.249.145 |
| hxxp://theautospas.com/ | 70.32.102.108 |
| hxxp://geodecisions.com/ | 216.174.25.93 |
| hxxp://automa.it/ | 95.110.195.52 |
| hxxp://xuanxiao.com/ | 222.216.190.60 |
| hxxp://myfilecenter.com/ | 66.33.213.228 |
| hxxp://authentica-travel.com/ | 68.168.112.98 |
| hxxp://kagu-hokuren.com/ | 180.37.186.131 |
| hxxp://iktus.fr/ | 37.187.20.229 |
| hxxp://woodlandhillwinery.com/ | 198.252.69.69 |
| hxxp://rewardhits.com/ | 66.45.248.130 |
| hxxp://toddpipe.com/ | 173.247.243.173 |
| hxxp://mandi-man.com/ | 210.172.144.61 |
| hxxp://shakeyspizza.ph/ | 122.55.79.88 |
| hxxp://slcago.org/ | 97.74.80.192 |
| hxxp://totalearthcare.com.au/ | 108.162.197.53 |
| hxxp://combine.or.id/ | 202.162.33.14 |
| hxxp://altonhousehotel.com/ | 162.159.251.52 |
| hxxp://nanfangcw.com/ | 119.145.168.16 |
| hxxp://vanguardpkg.com/ | 50.62.115.1 |
| hxxp://sarahdavid.com/ | 198.41.191.66 |
| hxxp://mastechn.com/ | 64.207.148.243 |
| hxxp://golfpark-moossee.ch/ | 199.83.130.50 |
| hxxp://lognetic.com/ | 78.47.37.140 |
| hxxp://nazcapictures.com/ | 69.0.211.58 |
| hxxp://acmepacificrepairs.com/ | 69.198.129.78 |
| hxxp://graintrain.coop/ | 204.93.213.45 |
| hxxp://glmghotels.com/ | 162.159.252.130 |
| hxxp://malagacorp.com/ | 108.162.198.168 |
| hxxp://korta-sa.com/ | 91.200.116.222 |
| hxxp://e-kagami.com/ | 54.249.238.243 |
| hxxp://rueggeberg.com/ | 81.209.182.37 |
| hxxp://justconnect.co.za/ | 5.9.122.172 |
| hxxp://doctsf.com/ | 213.186.33.97 |
| hxxp://ixtractor.com/ | 173.199.114.43 |
| hxxp://marcusgrimes.co.uk/ | 109.74.242.160 |
| hxxp://bigtopmultimedia.com/ | 108.162.199.246 |
| hxxp://taykon.com/ | 94.102.11.89 |
| hxxp://d4drmedia.com/ | 208.70.247.105 |
| hxxp://egao.net/ | 121.83.133.146 |
| hxxp://stecom.nl/ | 193.23.143.117 |
| hxxp://www.google.com/search?q=Stecom ICT Uw Apple specialist | 204.9.80.24 |
| hxxp://westhillsstl.org/ | 108.162.197.220 |
| hxxp://berkshirebusiness.org/ | 64.99.80.30 |
| hxxp://dbcomponents.com/ | 66.147.244.241 |
| hxxp://austriansurfing.at/ | 85.13.151.94 |
| hxxp://urantiaproject.com/ | 69.94.124.47 |
| hxxp://ziuabarbatului.ro/ | 194.50.126.226 |
| hxxp://screaminpeach.com/ | 198.41.249.164 |
| hxxp://eleterno.com/ | 184.168.233.1 |
| hxxp://stormwildlifeart.com/ | 70.86.7.138 |
| hxxp://eyggroup.com/ | 85.233.160.22 |
| hxxp://freepatentauction.com/ | 213.186.33.4 |
| hxxp://photoclubs.com/ | 209.50.251.101 |
| hxxp://brijindia.com/ | 67.18.185.98 |
| hxxp://eygwindows.co.uk/ | |
| hxxp://wkhk.net/ | 203.189.104.242 |
| hxxp://bigjohnsbeefjerky.com/ | 162.159.244.192 |
| hxxp://nasz-sklep.pl/ | 91.192.164.134 |
| hxxp://acicinvestor.ca/ | 207.150.203.36 |
| hxxp://cabooseonline.com/ | 192.138.20.228 |
| hxxp://fraser-high.school.nz/ | 210.48.67.144 |
| hxxp://schiedel.it/ | 217.145.99.26 |
| hxxp://sortedorganizing.com/ | 74.220.199.6 |
| hxxp://choice-select.com/ | 50.56.218.189 |
| hxxp://icigrain.com/ | 199.91.125.58 |
| hxxp://biurimex.pl/ | 89.161.181.123 |
| hxxp://paulrenna.com/ | 198.154.229.165 |
| hxxp://pbna.com/ | 93.186.180.72 |
| hxxp://theprintinghouseltd.co.uk/ | 46.20.228.113 |
| hxxp://momonophoto.com/ | 203.189.105.136 |
| hxxp://denville.ca/ | 204.11.237.35 |
| hxxp://violadagamba.com/ | 74.124.195.5 |
| hxxp://penavision.co.in/ | 174.136.57.160 |
| hxxp://4pipp.com/ | 141.101.116.69 |
| hxxp://paintball.be/ | 213.186.33.19 |
| hxxp://ezmedi.com/ | 218.150.78.243 |
| hxxp://christybarry.com/ | 66.49.139.143 |
| hxxp://fastarchofamerica.com/ | 75.119.209.232 |
| hxxp://christybarry.com/cgi-sys/suspendedpage.cgi | |
| hxxp://childscope.com/ | 173.203.121.238 |
| hxxp://spiti.org/ | 217.199.187.58 |
| hxxp://geothermusa.com/ | 50.62.125.1 |
| hxxp://childscope.com/web/store/home | |
| hxxp://sun-ele.co.jp/ | 210.169.184.168 |
| hxxp://safetyconnection.ca/ | 209.222.48.210 |
| hxxp://accel.lt/ | 216.64.219.60 |
| hxxp://mattiussiecologia.com/ | 95.110.203.75 |
| hxxp://a1683.b.akamai.net/ | |
| hxxp://mattiussiecologia.com/en/index.aspx | |
| hxxp://a1683.b.akamai.net/main.php | |
| hxxp://graceweb.net/ | 208.97.174.44 |
| hxxp://cf-protected-www.graceweb.net.cdn.cloudflare.net/ | |
| hxxp://budbad.com/ | 144.76.86.115 |
| hxxp://wlf.louisiana.gov/ | 184.106.119.164 |
| hxxp://churchsupplies.net/ | 66.232.99.164 |
| hxxp://optiver.com.au/ | 217.195.114.124 |
| hxxp://sigmametalsinc.com/ | 208.113.149.173 |
| hxxp://www.optiver.com/sydney/ | 217.195.124.19 |
| hxxp://nuritech.com/ | 222.239.78.139 |
| hxxp://fujino-lab.com/ | 8.5.1.48 |
| hxxp://www.sigmaaero.com/ | 208.113.225.142 |
| hxxp://tvndra.net/ | 91.216.141.46 |
| hxxp://easyformations.net/ | 88.208.216.219 |
| hxxp://hostphd.com.br/ | 192.196.156.73 |
| hxxp://mail57.us2.mcsv.net/ | 173.231.139.57 |
| hxxp://avant-ime.com/ | 37.148.207.99 |
| hxxp://guberman.com.br/ | 186.202.149.17 |
| hxxp://victoria.com.pl/ | 89.161.158.128 |
| hxxp://eurasia.it/ | 54.229.116.65 |
| hxxp://solutioncorp.com/ | 209.208.32.245 |
| hxxp://bethisraelcenter.org/ | 204.213.246.4 |
| hxxp://structives.org/ | 70.32.113.95 |
| hxxp://asj.co.jp/ | 219.118.206.4 |
| hxxp://kamaruka.vic.edu.au/ | 112.140.176.61 |
| www.biurimex.pl | 89.161.181.123 |
| www.ixtractor.com | 173.199.114.43 |
| www.graceweb.net | 108.162.197.90 |
| www.patentauction.com | 213.186.33.4 |
| chocolatecovers.com | 67.192.11.8 |
| aciuba.com.br | 186.249.220.203 |
| kurecci.or.jp | 119.245.187.119 |
| mailchimp.com | 173.192.210.69 |
| www.traderush.com | 199.83.128.93 |
| msasys.com | 216.70.112.211 |
| www.myfilecenter.com | 66.33.213.228 |
| celebikalip.com.tr | 10.0.0.1 |
| ibcd.com.br | 192.168.0.1 |
| coe.pku.edu.cn | 162.105.5.245 |
| vitalur.by | 178.159.246.76 |
| norakuroya.com | 175.45.136.72 |
| www.accel.lt | 216.156.249.24 |
| www.childscope.com | 173.203.121.238 |
| audio-direkt.net | 127.0.0.1 |
| eomc.net | 213.208.149.2 |
| jeansmate.co.jp | 211.1.230.105 |
| www.mattiussiecologia.com | 95.110.203.75 |
| hpp-services.com | 127.0.0.1 |
| www.momonophoto.com | 203.189.105.136 |
| www.photoclubs.com | 209.50.251.101 |
| aethora.com | 67.207.143.253 |
| www.bocr.cz | 217.198.113.104 |
| mojacar-vacaciones.com | 127.0.0.1 |
| www.justconnect.co.za | 5.9.122.172 |
| www.icigrain.com | 199.91.125.58 |
| www.wkhk.net | 203.189.104.242 |
| zeronet.co.jp | 49.212.5.127 |
| e-shuukyaku.com | 211.13.204.89 |
| www.solutioncorp.com | 209.208.32.245 |
| steelpennygames.com | 54.227.239.237 |
| dormfantasies.com | 184.94.149.35 |
| bredainternet.nl | 127.0.0.1 |
| www.teknorhino.com | 66.45.248.130 |
| leadershipforum.us | 66.39.30.185 |
| iaiglobal.or.id | 49.50.8.93 |
| smtp.live.com | 65.55.96.11 |
| www.eygwindows.co.uk | 173.0.131.15 |
| trenpalau.com | |
| nichedictionary.com | |
| etcycles.com | |
| enzoyrodrigo.com.br.ukraine.luluoffice.com | |
| isle-karnataka.org.ukraine.luluoffice.com | |
| x-cellcommunications.de.ukraine.luluoffice.com | |
| hoyuu.com | |
| bapasitaramsevatrust.org.ukraine.luluoffice.com | |
| aipi.co.nz.ukraine.luluoffice.com | |
| meubles-jacquelin.com | |
| urayasu.net | |
| manuyantralaya.com | |
| hifuken.com | |
| toutenmeuse.com | |
| urayasu.net.ukraine.luluoffice.com |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN Backdoor.Win32.Pushdo.s Checkin ET RBN Known Russian Business Network IP group 73 ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source) ET POLICY Http Client Body contains pw= in cleartext ET CURRENT_EVENTS TDS Sutra - page redirecting to a SutraTDS ET RBN Known Russian Business Network IP group 379
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\easyformations[1].htm (19245 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\momonophoto[1].htm (17270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\robertmcintyre.com[1].htm (14774 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigtopmultimedia[1].txt (125 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\sydney[1].htm (18938 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\solutioncorp[1].htm (46313 bytes)
%Documents and Settings%\%current user%\cabwulvycamy.exe (59392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\fraser-high.school[2].htm (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\kamaruka.vic.edu[1].htm (30346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\violadagamba[1].htm (16078 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\empordalia[1].htm (10118 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@fujino-lab[1].txt (134 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\index[1].htm (24757 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\home[1].htm (13470 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@totalearthcare.com[1].txt (126 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@4pipp[1].txt (114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\bigtopmultimedia[1].htm (848 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@appelfarm[1].txt (118 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bigjohnsbeefjerky[1].txt (126 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@golfpark-moossee[1].txt (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\combine.or[1].htm (1255 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doctsf[1].txt (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\yamamoto-sr[1].htm (10271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\biurimex[1].htm (3966 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@graceweb[1].txt (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\theprintinghouseltd.co[1].htm (10181 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doctsf[2].txt (159 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@freepatentauction[1].txt (93 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@screaminpeach[1].txt (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\brijindia[1].htm (28403 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@neurotoxininstitute[1].txt (128 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cbsprinting.com[1].txt (123 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@graintrain[2].txt (280 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\suspendedpage[1].htm (3639 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@genmar.gen[1].txt (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\hostphd.com[1].htm (24588 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@graintrain[1].txt (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\search[1].htm (62920 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@altonhousehotel[1].txt (124 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@glmghotels[1].txt (119 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[3].txt (331 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@paintball[1].txt (81 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@traderush[1].txt (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\teasing-video[1].htm (47973 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.patentauction[1].txt (93 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\urantiaproject[1].htm (2189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\robertmcintyre.com[2].htm (14774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\sortedorganizing[1].htm (4747 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\budbad[1].htm (19741 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (136 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@malagacorp[1].txt (119 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\lexjuridica[1].htm (3979 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@telenavis[1].txt (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\wkhk[1].htm (27105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\teknorhino[1].htm (24401 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\photoclubs[1].htm (57448 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\woodlandhillwinery[1].htm (622 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (356352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\fraser-high.school[1].htm (759 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@westhillsstl[1].txt (121 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sarahdavid[1].txt (119 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-606747145-1060284298-839522115-1004\c5b88721db08c824db69d0bbc702beb8_3fee1f9f-d02d-4fef-b156-d6ca90eade2d (2136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\redconeretreat[1].htm (27538 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\slcago[1].htm (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\teasing-video[1].htm (53807 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"cabwulvycamy" = "%Documents and Settings%\%current user%\cabwulvycamy.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 1436 | 1536 | 2.15227 | 6906e4712ef6400da99f7fd38d250ac3 |
| .rdata | 8192 | 222 | 512 | 1.37902 | bc634afefb223c21725357088300c807 |
| .data | 12288 | 31796 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| dta | 45056 | 81 | 512 | 0.852872 | d9ceba73c42ef82d0616ece555520bea |
| .rsrc | 49152 | 55768 | 55808 | 4.60998 | c1565553d1aa53f8d4752faccc9ae368 |
Network Activity
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker: