TrojanDownloader:Win32/Cutwail.BE is a member of Win32/Cutwail, a multi-component family of malware that downloads and executes arbitrary files. This functionality is mostly used to install additional Cutwail components and other malware on an affected computer. In general, the Cutwail family is used to compromise computers and direct them in various ways at the attacker's will, usually for monetary gain. This could include using the affected computer to distribute additional malware, send spam, generate 'pay per click' advertising revenue, harvest email addresses, and break captchas. Its components are varied, but include trojan downloaders and droppers, spammers, and viruses. Cutwail also employs a rootkit and other defensive techniques to avoid detection and removal.
Installation
TrojanDownloader:Win32/Cutwail.BE copies itself to the following locations:
The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
Adds value: "winupd"
With data: "c:\windows\system32\wuaucldt.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The malware utilizes code injection in order to hinder detection and removal. When TrojanDownloader:Win32/Cutwail.BE executes, it may inject code into running processes, including the following, for example:
Payload
Contacts remote hosts
TrojanDownloader:Win32/Cutwail.BE may contact the following remote hosts:
- 174.36.220.203 using port 443
- 174.36.62.66 using port 443
- 68.232.187.4 using port 443
- 74.86.76.194 using port 443
- black.nightphantom.com using port 9333
- cheburash.com using port 443
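The persistence entry under Installation and the remote hosts listed above can be turned into a simple triage check. The following Python script is an added example, not part of this description and not Microsoft tooling; it matches constructed proxy log lines (the log format and the internal source addresses are hypothetical) against the host and port pairs given in this entry, and checks a Run-key export (also constructed) for the value name and file path given under Installation.

```python
import re

# Remote hosts and ports taken from this description.
KNOWN_C2 = {
    ("174.36.220.203", 443),
    ("174.36.62.66", 443),
    ("68.232.187.4", 443),
    ("74.86.76.194", 443),
    ("black.nightphantom.com", 9333),
    ("cheburash.com", 443),
}
KNOWN_C2_HOSTS = {host for host, _ in KNOWN_C2}

# Persistence indicator from this description: Run value name and its data.
RUN_VALUE_NAME = "winupd"
RUN_VALUE_DATA = r"c:\windows\system32\wuaucldt.exe"

# Constructed sample proxy log (hypothetical format: timestamp src dst=host:port action=...).
SAMPLE_PROXY_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 dst=174.36.220.203:443 action=allow
2024-01-01T10:00:02Z 10.0.0.5 dst=example.com:443 action=allow
2024-01-01T10:00:03Z 10.0.0.7 dst=black.nightphantom.com:9333 action=allow
2024-01-01T10:00:04Z 10.0.0.7 dst=cheburash.com:80 action=allow
2024-01-01T10:00:05Z 10.0.0.9 dst=74.86.76.194:443 action=deny
"""

# Constructed sample export of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_ENTRIES = {
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "winupd": r"c:\windows\system32\wuaucldt.exe",
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) action=(?P<action>\w+)$"
)


def classify_destination(dst, port):
    """Exact host:port pair from the entry -> 'high'; host alone -> 'medium'; else None."""
    if (dst, port) in KNOWN_C2:
        return "high"
    if dst in KNOWN_C2_HOSTS:
        return "medium"
    return None


def scan_proxy_log(text):
    """Return (src, dst, port, action, confidence) for every line touching a listed host.

    Denied connections are reported too: a blocked attempt still indicates an
    infected source host that needs cleanup."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        dst, port = m["dst"].lower(), int(m["port"])
        confidence = classify_destination(dst, port)
        if confidence:
            hits.append((m["src"], dst, port, m["action"], confidence))
    return hits


def check_run_entries(entries):
    """Return Run value names whose name or data match the Cutwail.BE indicator.

    entries: mapping of value name -> value data as exported from the Run subkey.
    Matching on both name and path catches a renamed value that keeps the path,
    and a reused value name that points elsewhere."""
    flagged = []
    for name, data in entries.items():
        path = data.strip('"').strip().lower()
        if name.lower() == RUN_VALUE_NAME or path == RUN_VALUE_DATA:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("network:", hit)
    for name in check_run_entries(SAMPLE_RUN_ENTRIES):
        print("persistence:", name, "->", SAMPLE_RUN_ENTRIES[name])
```

Host-only matches are reported at lower confidence because this entry ties each host to one port; a hit on a listed host over a different port still deserves a look at the source machine, but the exact pair is the stronger indicator. Note that the file name wuaucldt.exe imitates the legitimate Windows Update client wuauclt.exe, so a check on the value name alone is weaker than the combined name-and-path check above.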
Commonly, malware may contact a remote host for the following purposes:
- To confirm Internet connectivity
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
This malware description was produced and published using our automated analysis system's examination of file SHA1 704a2a9c4b7b8f76e27c8aa99bde7cb261dada23.