{
	"id": "938c4f37-d8f3-4c6d-b815-5bbb67e610b8",
	"created_at": "2026-04-06T00:21:56.07867Z",
	"updated_at": "2026-04-10T03:21:50.236802Z",
	"deleted_at": null,
	"sha1_hash": "3ceb25919b9fd40d7c3fcd8eb737ac937a31c298",
	"title": "Story of the Cutwail/Pushdo hidden C\u0026C server",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1193732,
	"plain_text": "Story of the Cutwail/Pushdo hidden C\u0026C server\r\nBy Threat Intelligence Team, 25 Jun 2013\r\nThis is a loose sequel to the Cutwail botnet analysis blog post published on malwaremustdie.blogspot.com. In this post I will focus primarily on the downloaded PE executable itself (SHA256: 5F8FCC9C56BF959041B28E97BFB5DB9659B20A6E6076CFBA8CB2D591184C9164) and on the network traffic it generates. I will also reveal a hidden C\u0026C server.\r\nBut first, let's quickly go through what it does at the beginning:\r\n- It registers an exception handler whose only job is to start the process again using CreateProcess().\r\n- It checks whether it has admin privileges.\r\n- It opens or creates a mutex named \"xoxkycomvoly\" (a hardcoded identifier reused in several places).\r\n- It checks or creates a couple of registry entries under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion.\r\n- It checks whether the process image filename is \"xoxkycomvoly.exe\" (on the first run it is not, and the sample restarts).\r\n- It nests into the system by creating an autorun entry in the registry under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.\r\n- It copies itself into the user's profile directory as \"xoxkycomvoly.exe\".\r\nThen, the first time an exception occurs, the sample is restarted from the copy in the user's profile named \"xoxkycomvoly.exe\".\r\nhttps://blog.avast.com/2013/06/25/15507/\r\nPage 1 of 9\r\n(Figure: Initial startup activities)\r\nAfter these initial steps, the sample starts communicating heavily over the network.\r\nThe sample contains a number of hardcoded hostnames in plain text, which gives the impression of a simple program, but those are merely decoys.
Let's go chronologically and see exactly what it does.\r\nThe first group of hardcoded hostnames to come into play is this list of 6 SMTP servers:\r\nsmtp.live.com\r\nsmtp.mail.yahoo.com\r\nsmtp.sbcglobal.yahoo.com\r\nsmtp.directcon.net\r\nmail.airmail.net\r\nsmtp.compuserve.com\r\nThese SMTP servers are only used to attempt an outgoing TCP connection on port 25, to see whether it is filtered in any way (i.e. whether the bot will be able to send spam).\r\nThen there is another list of plain-text hostnames, which look somewhat suspicious:\r\n4darabians.nl\r\n4dbenelux.be\r\naccords-bilateraux.ch\r\n4e-energiezentrale.de\r\n4effect.ca\r\n4egolifestyle.de\r\n4elementos.cl\r\n4-elements.ch\r\n4elements.de\r\n4elements.hu\r\n4-elements.se\r\n4emails.de\r\n8wellesley.ca\r\n8zsmost.cz\r\n4enerchi.nl\r\n4entertainmentgroup.tv\r\n4ernila.de\r\n4e-solutions.ch\r\naccounting.ee\r\n0daymusic.biz\r\n0handicap.at\r\n4dbabamozi.hu\r\naccords-bilateraux.ch\r\n0kommanix.de\r\n4effect.ca\r\n4egolifestyle.de\r\n4elementos.cl\r\n4-elements.ch\r\n4elements.gr\r\n4elements.pl\r\nAlmost all of these hostnames listen on port 25, which at first suggests they may be the SMTP relays through which it sends spam, but the sample doesn't actually do much with them; they are only there to distract us from the real business!\r\nThe interesting part comes next: the sample also contains several XOR-encoded data blobs, each encoded with a different XOR key, and these blobs hide some very interesting things from plain sight.\r\nThe first data blob to be decoded is this list of hostnames:\r\n(Figure: 1st group of hidden hostnames)\r\n4dmobil.at\r\n4eternity.ch\r\n4everandever.de\r\n4everflashlight.de\r\n4ever-hosting.de\r\n4evernet.de\r\n4evernails.nl\r\n4every1.cc\r\n4everything.pl\r\n9online.fr\r\n9welten.de\r\n4everweb.nl\r\naccountingtechs.biz\r\nThese de-xored hostnames look like good C\u0026C server candidates to me. Indeed, as the next step the sample tries to connect to one of these hostnames on port 443 (HTTPS), presumably to obtain a command (Cutwail/Pushdo uses custom binary executable modules). The use of HTTPS keeps the actual content out of the network capture, but through reverse engineering we can see that it requests GET /. If the server responds with a reasonable reply (at least 1024 bytes long), it proceeds to check whether the response contains the familiar HTML mark (which is also XOR-encoded in the binary, by the way):\r\n\u003cimg src=\"data:image/jpeg;base64\r\nIf that is indeed found in the server response, the data after the mark (obviously not a JPEG) is decrypted with some interesting decryption routines and we get a binary executable (a Cutwail/Pushdo module). A new svchost.exe process is then started in a suspended state, and the binary is injected into it and executed.\r\nOn the other hand, if the server response does not contain the special HTML mark, no other C\u0026C server from this list is tried. It is simply content with a web server test page, having no orders from the C\u0026C server.
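To make the decoding stage concrete, here is an added example in Python (my code, not the Avast author's and not the sample's own routines). It recovers the single-byte XOR key of a hostname blob by brute force, scoring each candidate plaintext for hostname-like bytes, and then applies the reply check described above: at least 1024 bytes, the \u003cimg src=...base64 mark present, base64 data after it. The key 0x5A, the ciphertext (built here from the first hidden group so the block runs offline) and the two HTTP replies are constructed for this example; a one-byte key is an assumption, and the sample's real keys and its follow-on decryption routine are not on the page and are not modelled.

```python
import base64
import re
from typing import List, Optional

# Added example: my code, not the Avast author's and not the sample's routines.


def xor_bytes(blob: bytes, key: bytes) -> bytes:
    # Repeating-key XOR. With a one-byte key this is the plain byte-wise XOR
    # the post's de-xoring suggests; the key length itself is an assumption.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


# Bytes a newline-separated hostname list is built from (CR and LF included).
HOST_CHARSET = frozenset(b'abcdefghijklmnopqrstuvwxyz0123456789.-' + bytes([13, 10]))


def score_hostlist(candidate: bytes) -> float:
    # Fraction of bytes in the hostname-list alphabet; 1.0 is a clean hit.
    if not candidate:
        return 0.0
    return sum(1 for b in candidate if b in HOST_CHARSET) / len(candidate)


def recover_single_byte_key(blob: bytes) -> int:
    # Try all 256 keys, keep the one whose plaintext looks most like a host list.
    return max(range(256), key=lambda k: score_hostlist(xor_bytes(blob, bytes([k]))))


def decode_hostlist(blob: bytes) -> List[str]:
    key = recover_single_byte_key(blob)
    plain = xor_bytes(blob, bytes([key])).decode('latin-1')
    return plain.split()


# Names from the post's first hidden group. The ciphertext is constructed here
# with key 0x5A (the real sample's keys are not on the page) so it runs offline.
FIRST_GROUP = [
    '4dmobil.at', '4eternity.ch', '4everandever.de', '4everflashlight.de',
    '4ever-hosting.de', '4evernet.de', '4evernails.nl', '4every1.cc',
    '4everything.pl', '9online.fr', '9welten.de', '4everweb.nl',
    'accountingtechs.biz',
]
EXAMPLE_KEY = 0x5A
ENCODED_HOSTS = xor_bytes(chr(10).join(FIRST_GROUP).encode('ascii'), bytes([EXAMPLE_KEY]))

# Reply check from the post: ignore replies under 1024 bytes, then look for the
# mark. The mark is '<img src=' + a double quote + 'data:image/jpeg;base64';
# the sample keeps it xored, here it is just assembled (the quote via its byte).
MIN_REPLY_LEN = 1024
IMG_MARK = b'<img src=' + bytes([0x22]) + b'data:image/jpeg;base64'
B64_RUN = re.compile(rb'[A-Za-z0-9+/=]+')


def extract_module_blob(reply: bytes) -> Optional[bytes]:
    # Returns the base64-decoded bytes after the mark, or None for a short reply
    # or a plain test page without the mark. The sample then runs its own
    # decryption over these bytes; that step is not on the page and not modelled.
    if len(reply) < MIN_REPLY_LEN:
        return None
    pos = reply.find(IMG_MARK)
    if pos < 0:
        return None
    start = pos + len(IMG_MARK)
    if reply[start:start + 1] == b',':
        start += 1
    run = B64_RUN.match(reply, start)
    if run is None:
        return None
    try:
        return base64.b64decode(run.group(0), validate=True)
    except ValueError:
        return None


# Two constructed replies: a page carrying a (fake) module, and a test page.
FAKE_MODULE = b'MZ' + b'-' * 60 + b'not a real module, example bytes only'
MODULE_REPLY = (b'<html><body>' + b'x' * 1100 + b'<p>' + IMG_MARK + b','
                + base64.b64encode(FAKE_MODULE) + b'</p></body></html>')
TEST_PAGE_REPLY = b'<html><body>' + b'It works!' * 200 + b'</body></html>'

if __name__ == '__main__':
    print('recovered key: 0x%02x' % recover_single_byte_key(ENCODED_HOSTS))
    print('hosts:', decode_hostlist(ENCODED_HOSTS))
    print('module bytes:', extract_module_blob(MODULE_REPLY))
    print('test page:', extract_module_blob(TEST_PAGE_REPLY))
```

To use it on a real blob carved from the binary, replace ENCODED_HOSTS with those bytes; if the best score stays well below 1.0, the key is longer than one byte and the brute force has to be extended to score each key position separately.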
Seems a bit fishy!\r\n(Figure: Search for the special \"\u003cimg src\" mark)\r\nAnyway, the next XOR-encoded blob to enter the program flow turns out to be this large list of domains:\r\n(Figure: 2nd group of hidden hostnames)\r\nA pretty impressive list of 200 hostnames, of which only 176 are unique:\r\naccessus.net, accountant.com, actuslendlease.com, agilent.com, allstream.net, amazon.com,\r\nanetsbuys.com, aon.at, arcor.de, aruba.it, atkearney.com, aussiestockforums.com, axelero.hu,\r\nbackaviation.com, badactor.us, bassettfurniture.com, beeone.de, bendcable.com, blackplanet.com,\r\nbluewin.ch, bluewin.com, bmw.com, boardermail.com, brettlarson.com, cablelan.net, caixa.gov.br,\r\ncanada.com, cbunited.com, centrum.cz, cfl.rr.com, charter.com, chataddict.com, chickensys.com,\r\nclaranet.fr, clarksville.com, clear.net.nz, cnet.com, col.com, colorado.edu, comcast.net, cox.com,\r\ncox.net, creighton.edu, cwnet.com, cytanet.com.cy, diamondcpu.com, doctor.com, dr.com, earthlink.com,\r\nearthlink.net, emailmsn.com, embarqmail.com, erzt.com, expn.com, feton.net, floodcity.net, free.fr,\r\nfreenet.de, frisurf.no, frostburg.edu, gallatinriver.net, gatespeed.com, gcsu.edu, gmx.net, grar.com,\r\ngravityboard.com, happyhippo.com, hotmale.com, hoymail.com, ia.telecom.net, idea.com,\r\nidealcollectables.com, ig.com.br, imaginet.com, in.com, indosat.com, intelnet.net.gt, intuit.com,\r\nipeg.com, itexas.net, iupui.edu, iw.com, iwon.com, juno.com, jwu.edu, kazza.com, kcrr.com, kw.com,\r\nlansdownecollege.com, machlink.com, mania.com, marchmail.com, maui.net, mediom.com, metallica.com,\r\nmetrocast.net, mexico.com, microtek.com, midway.edu, migente.com, mindspring.com, ministryofsound.net,\r\nmsu.edu, mts.net, music.com, mville.edu, mvts.com, mynet.com, mzsg.at, nccn.net, netsync.net,\r\nnumber1.net, o2.pl, oakland.edu, oakwood.org, optonline.net, orange.pl, oregonstate.edu,\r\notakumail.com, pandora.be, parrotcay.como.bz, passagen.se, 
pchome.com.tw, penn.com, pga.com,\r\npicsnet.com, posten.se, potamkinmitsubishi.com, primeline.com, rcn.com, reactionsearch.com,\r\nricochet.com, rockford.edu, rowdee.com, sexstories.com, shmais.com, south.net, springsips.com,\r\nsscomputing.com, stargate.net, stc.com.sa, surfglobal.net, suscom.net, t-mobel.com, talstar.com,\r\ntampabay.rr.com, tellmeimcute.com, the-beach.net, tiscali.co.uk, uakron.edu, ufl.edu, uga.edu,\r\nukr.net, uplink.net, uymail.com, vail.com, vampirefreaks.com, verizonwireless.com, vodafone.com,\r\nvodafone.nl, voicestream.com, wcsu.edu, willinet.net, windermere.com, windstream.net, worldnetatt.net,\r\nworldonline.co.uk, www.aol.com, xtra.co.nz, yahoo.com.cn, yahoo.com.hk, yahoo.com.tw, yatroo.com,\r\nzdnetmail.com, zoomnet.net, zoomtown.com\r\nNext it starts two groups of 8 threads. One group connects at random to these hosts on port 80 and sends bogus HTTP requests (like those infamous ptrxcz_ POST requests); the other group connects at random to the same hosts on port 25 and just sends some random data, not even SMTP traffic, without even waiting for the server banner. This goes on in an endless loop in the background: 16 noisy threads sending bogus traffic, apparently to mask some activity that is about to start.\r\n(Figure: Start 16 threads generating bogus traffic noise)\r\n(Figure: Bogus HTTP traffic examples)\r\n(Figure: Bogus SMTP traffic examples)\r\nOff topic: the sample then collects some information about our client machine, such as disk and network adapter info, operating system version etc., encrypts it and sends it to lyuchta.org over HTTP in the background:\r\n(Figure: Reporting client machine info to lyuchta.org)\r\nNow there is an interesting code block in the program where it iterates through all those 200 de-xored hostnames (the targets of the bogus traffic).
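Before going through that comparison in the next paragraph, here is an added example in Python (my code, not from the Avast post and not the sample's real routine) of the selection trick it uses: hash every name in the decoy list and keep the one whose hash equals a single hardcoded constant, so the real C\u0026C name never stands out from the victims. 32-bit FNV-1a is a stand-in for the sample's unknown hash; the constant is derived here from the known answer so the block runs offline (in a real analysis it is lifted from the comparison in the disassembly), and the host list is a slice of the second hidden group above.

```python
from collections import defaultdict
from typing import Callable, Dict, List

# Added example, not the Avast author's code nor the sample's real hash routine.
# 32-bit FNV-1a stands in for the unknown hash the sample applies to each name.
FNV_OFFSET_32 = 0x811C9DC5
FNV_PRIME_32 = 0x01000193


def fnv1a32(name: str) -> int:
    h = FNV_OFFSET_32
    for b in name.encode('ascii'):
        h ^= b
        h = (h * FNV_PRIME_32) & 0xFFFFFFFF
    return h


# Slice of the post's second hidden group (200 names on the page, 176 unique);
# one duplicate is kept on purpose, as the sample's own list has repeats.
SECOND_GROUP = [
    'accessus.net', 'accountant.com', 'actuslendlease.com', 'agilent.com',
    'allstream.net', 'amazon.com', 'anetsbuys.com', 'aon.at', 'arcor.de',
    'aruba.it', 'atkearney.com', 'aussiestockforums.com', 'axelero.hu',
    'backaviation.com', 'badactor.us', 'bassettfurniture.com', 'amazon.com',
    'bluewin.ch', 'bmw.com', 'canada.com', 'comcast.net', 'earthlink.net',
    'gmx.net', 'juno.com', 'yahoo.com.tw', 'zoomtown.com',
]

# In the binary this is a literal compared against each hash; it is derived
# from the known answer here only so that the block is self-contained.
HARDCODED_HASH = fnv1a32('anetsbuys.com')


def find_hidden_hosts(hosts: List[str], target: int,
                      hash_fn: Callable[[str], int] = fnv1a32) -> List[str]:
    # What the sample does: walk the list, hash each name and keep the one(s)
    # whose hash equals the constant. De-duplicated, list order preserved.
    hits: List[str] = []
    for name in hosts:
        if hash_fn(name) == target and name not in hits:
            hits.append(name)
    return hits


def hash_collisions(hosts: List[str],
                    hash_fn: Callable[[str], int] = fnv1a32) -> Dict[int, List[str]]:
    # Analyst's check: a hash is many-to-one, so confirm that no other name in
    # the list shares the hash of the hit before calling it the C&C.
    buckets: Dict[int, List[str]] = defaultdict(list)
    for name in dict.fromkeys(hosts):   # unique names, list order kept
        buckets[hash_fn(name)].append(name)
    return {h: names for h, names in buckets.items() if len(names) > 1}


if __name__ == '__main__':
    print('unique names:', len(set(SECOND_GROUP)))
    print('hash 0x%08x matches:' % HARDCODED_HASH, find_hidden_hosts(SECOND_GROUP, HARDCODED_HASH))
    print('collisions in list:', hash_collisions(SECOND_GROUP))
```

With the real hash routine and constant recovered from the sample, the same two functions answer the two questions that matter here: which decoy is the C\u0026C, and whether the match is unique, since a colliding second name would mean the binary could contact either.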
It computes a hash of each one and compares it to a strange hardcoded value, which only now starts to make sense. The comparison succeeds for the \"anetsbuys.com\" hostname, whose hash matches. This is the special C\u0026C server whose identity is being masked: it is hidden not only in the traffic noise from those 16 annoying background threads, but also by posing as just another one of the victims.\r\n(Figure: Iterate through all the hosts from the 2nd group and find the special one)\r\nThis special C\u0026C server is then used in the final stage of the malware to obtain commands (modules): the sample enters an endless loop in which it contacts the special C\u0026C server for orders, i.e. modules to load. If it cannot obtain an order from it, it falls back to generating those characteristic KZ domain names with its DGA and tries to obtain an order from them. Personally, I have only seen orders come from the special C\u0026C \"anetsbuys.com\". When an order arrives and everything goes fine, the sample sleeps for 12 hours; otherwise it sleeps for 2 minutes before repeating the loop to get a command.\r\nCommunication with the C\u0026C server:\r\n(Figure: Obtained 4 modules from this one)\r\nCutwail/Pushdo module decrypted in memory:\r\n(Figure: Looks like a typical executable file)\r\nThe modules then perform the actual spamming and other malicious activities.\r\nSource: https://blog.avast.com/2013/06/25/15507/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.avast.com/2013/06/25/15507/"
	],
	"report_names": [
		"15507"
	],
	"threat_actors": [],
	"ts_created_at": 1775434916,
	"ts_updated_at": 1775791310,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ceb25919b9fd40d7c3fcd8eb737ac937a31c298.pdf",
		"text": "https://archive.orkl.eu/3ceb25919b9fd40d7c3fcd8eb737ac937a31c298.txt",
		"img": "https://archive.orkl.eu/3ceb25919b9fd40d7c3fcd8eb737ac937a31c298.jpg"
	}
}