{
	"id": "1c4f17d8-8446-451a-8518-d7fa8cf25c91",
	"created_at": "2026-04-06T00:16:40.740716Z",
	"updated_at": "2026-04-10T13:11:59.471951Z",
	"deleted_at": null,
	"sha1_hash": "cea43242e385bb10cfce08eed98dc9cf220a15b7",
	"title": "Nov 2012 - Backdoor.W32.Makadocs Sample",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 90904,
	"plain_text": "Nov 2012 - Backdoor.W32.Makadocs Sample\r\nArchived: 2026-04-05 15:00:14 UTC\r\nEnd of the year presents:\r\nThis is a sample of W32.Makadocs\r\nRelated News and Analysis:\r\nNovember 2012\r\nMalware Targeting Windows 8 Uses Google Docs | Symantec\r\nBackdoor.Makadocs | Symantec\r\nFile: macadocs.exe_\r\nMD5:  546fa31bb7a4164ca25c8667d4352338\r\nSize: 151552\r\nSymantec:\r\nWhen the Trojan is executed, it creates the following mutex so that only one instance of it runs on the compromised computer:\r\nNext, it connects to Google docs and uses it as a proxy in order to receive commands from command-and-control (C\u0026C) servers\r\nhttps://www.virustotal.com/file/60db904b68bc85f4fc62388ee5a00569f46d29ee0c88fae5d6c07624d17efcf1/analysis/\r\nF-Secure Gen:Trojan.Heur.JP.jqW@amwDZ4dG 9.0.17090.0 20121126\r\nFortinet W32/Agent.IQT!tr 5.0.26.0 20121126\r\nGData Gen:Trojan.Heur.JP.jqW@amwDZ4dG 22 20121126\r\nIkarus Backdoor.Win32.Makadocs T3.1.1.122.0 20121126\r\nJiangmin - 13.0.900 20121126\r\nK7AntiVirus Riskware 9.154.7911 20121126\r\nKaspersky - 9.0.0.837 20121126\r\nhttp://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html\r\nPage 1 of 10\r\nKingsoft - 2012.9.22.155 20121119\r\nMcAfee Generic BackDoor.u 5.400.0.1158 20121126\r\nMcAfee-GW-Edition Generic BackDoor.u 2012.1 20121126\r\nMicrosoft Backdoor:Win32/Godo.A 1.9002 20121126\r\nMicroWorld-eScan Gen:Trojan.Heur.JP.jqW@amwDZ4dG 12.0.250.0 20121126\r\nNorman W32/Obfuscated.D!genr 6.08.06 20121126\r\nnProtect Trojan/W32.Agent.151552.BDE 2012-11-26.02 20121126\r\nPanda Trj/CI.A 10.0.3.5 20121125\r\nRising Suspicious 24.38.00.01 20121126\r\nSophos Troj/GoDocs-A 4.83.0 20121126\r\nSUPERAntiSpyware - 5.6.0.1008 20121126\r\nSymantec Backdoor.Makadocs 20121.2.1.2 20121126\r\nTheHacker - None 20121125\r\nTotalDefense - 37.0.10178 20121126\r\nTrendMicro BKDR_MAKADOCS.JG 9.561.0.1028 20121126\r\nTrendMicro-HouseCall BKDR_MAKADOCS.JG 9.700.0.1001 20121126\r\nVBA32 - 3.12.18.3 20121124\r\nVIPRE Trojan.Win32.Generic.pak!cobra 14168 20121126\r\nViRobot Backdoor.Win32.S.Makadocs.151552 2011.4.7.4223 20121126\r\nVIRUSTOTAL SANDBOX DATA:\r\nPE HEADER INFORMATION\r\n=====================\r\nTarget machine            : Intel 386 or later processors and compatible processors\r\nEntry point address       : 0x00011EE7\r\nTimestamp                 : 2012-09-20 13:53:00\r\nPE SECTIONS\r\n===========\r\nName        Virtual Address  Virtual Size  Raw Size  Entropy  MD5\r\n.text                  4096        120462    120832     6.54  3ea58442fc447428d5ee9c481ec41a0d\r\n.rdata               126976         22024     22528     5.09  d1a4b555f003f0201966d5237a79b1d4\r\n.data                151552         11644      4608     2.45  c922df55db7e13f8c35fe8405f207863\r\n.rsrc                163840          2400      2560     5.61  a7fa6e5b71905e1ee49e9e968b03b4ca\r\nPE RESOURCES\r\n============\r\nResource type            Number of resources\r\nRT_ICON                   : 1\r\nRT_GROUP_ICON             : 1\r\nResource language        Number of resources\r\nPORTUGUESE BRAZILIAN      : 2\r\nPE IMPORTS\r\n==========\r\nurlmon.dll\r\nURLDownloadToFileA\r\nSHELL32.dll\r\nSHGetPathFromIDListA\r\nSHGetSpecialFolderLocation\r\nSHGetFolderPathA\r\nKERNEL32.dll\r\nGetStdHandle\r\nGetConsoleOutputCP\r\nWaitForSingleObject\r\nHeapDestroy\r\nFreeEnvironmentStringsA\r\nCreatePipe\r\nGetCurrentProcess\r\nGetConsoleMode\r\nGetLocaleInfoA\r\nFreeEnvironmentStringsW\r\nSetStdHandle\r\nFindResourceExA\r\nGetCPInfo\r\nGetStringTypeA\r\nWriteFile\r\nGetSystemTimeAsFileTime\r\nHeapReAlloc\r\nGetStringTypeW\r\nInitializeCriticalSection\r\nLoadResource\r\nInterlockedDecrement\r\nSetLastError\r\nPeekNamedPipe\r\nIsDebuggerPresent\r\nExitProcess\r\nGetVersionExA\r\nGetModuleFileNameA\r\nSetProcessWorkingSetSize\r\nUnhandledExceptionFilter\r\nTlsGetValue\r\nMultiByteToWideChar\r\nCreateMutexA\r\nDeleteCriticalSection\r\nSetUnhandledExceptionFilter\r\nSetEnvironmentVariableA\r\nTerminateProcess\r\nWriteConsoleA\r\nGetCurrentThreadId\r\nLeaveCriticalSection\r\nWriteConsoleW\r\nInitializeCriticalSectionAndSpinCount\r\nHeapFree\r\nEnterCriticalSection\r\nSetHandleCount\r\nGetOEMCP\r\nQueryPerformanceCounter\r\nGetTickCount\r\nTlsAlloc\r\nFlushFileBuffers\r\nLoadLibraryA\r\nRtlUnwind\r\nGetStartupInfoA\r\nGetProcAddress\r\nGetProcessHeap\r\nCompareStringW\r\nCompareStringA\r\nGetComputerNameA\r\nDuplicateHandle\r\nGetFileType\r\nTlsSetValue\r\nCreateFileA\r\nHeapAlloc\r\nInterlockedIncrement\r\nGetLastError\r\nLCMapStringW\r\nGetConsoleCP\r\nLCMapStringA\r\nGetEnvironmentStringsW\r\nSizeofResource\r\nGetCurrentProcessId\r\nLockResource\r\nWideCharToMultiByte\r\nHeapSize\r\nGetCommandLineA\r\nRaiseException\r\nTlsFree\r\nSetFilePointer\r\nReadFile\r\nCloseHandle\r\nGetACP\r\nGetModuleHandleW\r\nGetEnvironmentStrings\r\nCreateProcessA\r\nIsValidCodePage\r\nHeapCreate\r\nVirtualFree\r\nSleep\r\nFindResourceA\r\nVirtualAlloc\r\nOLEAUT32.dll\r\nOrd(4)\r\nOrd(6)\r\nOrd(7)\r\nOrd(9)\r\nADVAPI32.dll\r\nRegCloseKey\r\nRegSetValueExA\r\nRegQueryValueExA\r\nGetUserNameA\r\nRegOpenKeyExA\r\nRegCreateKeyA\r\nole32.dll\r\nCoUninitialize\r\nCoCreateInstance\r\nCoInitialize\r\nEXIF METADATA\r\n=============\r\nMIMEType                  : application/octet-stream\r\nSubsystem                 : Windows GUI\r\nMachineType               : Intel 386 or later, and compatibles\r\nTimeStamp                 : 2012:09:20 14:53:00+01:00\r\nFileType                  : Win32 EXE\r\nPEType                    : PE32\r\nCodeSize                  : 120832\r\nLinkerVersion             : 9.0\r\nEntryPoint                : 0x11ee7\r\nInitializedDataSize       : 36864\r\nSubsystemVersion          : 5.0\r\nImageVersion              : 0.0\r\nOSVersion                 : 5.0\r\nUninitializedDataSize     : 0\r\nFile system activity\r\nOpened files...\r\nC:\\WINDOWS\\system32\\net.exe (successful)\r\nC:\\WINDOWS\\Registration\\R000000000007.clb (successful)\r\n\\\\.\\PIPE\\lsarpc (successful)\r\nC:\\WINDOWS\\system32\\shdocvw.dll (successful)\r\nC:\\WINDOWS\\system32\\stdole2.tlb (successful)\r\nC:\\WINDOWS\\system32\\mshtml.tlb (successful)\r\nc:\\autoexec.bat (successful)\r\nC:\\WINDOWS\\system32\\rsaenh.dll (successful)\r\nC:\\WINDOWS\\system32\\dssenh.dll (successful)\r\nC:\\WINDOWS\\WindowsShell.manifest (successful)\r\nC:\\WINDOWS\\system32\\shell32.dll (successful)\r\nC:\\WINDOWS\\system32\\url.dll (successful)\r\nC:\\WINDOWS\\system32\\mshtml.dll (successful)\r\nC:\\Program Files\\Internet Explorer\\iexplore.exe (successful)\r\nC:\\WINDOWS\\system32\\en-US\\jscript.dll.mui (failed)\r\nC:\\WINDOWS\\system32\\inetcpl.cpl (successful)\r\nC:\\Documents and Settings\\\u003cUSER\u003e\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT (successful)\r\nC:\\WINDOWS\\system32\\dxtmsft.dll (successful)\r\nC:\\WINDOWS\\system32\\dxtrans.dll (successful)\r\n\\\\.\\Ip (successful)\r\nRead files...\r\nC:\\WINDOWS\\Registration\\R000000000007.clb (successful)\r\nC:\\WINDOWS\\system32\\shdocvw.dll (successful)\r\nC:\\WINDOWS\\system32\\stdole2.tlb (successful)\r\nC:\\WINDOWS\\system32\\mshtml.tlb (successful)\r\nc:\\autoexec.bat (successful)\r\nC:\\WINDOWS\\system32\\rsaenh.dll (successful)\r\nC:\\WINDOWS\\system32\\dssenh.dll (successful)\r\nC:\\WINDOWS\\system32\\shell32.dll (successful)\r\nC:\\WINDOWS\\system32\\url.dll (successful)\r\nC:\\WINDOWS\\system32\\mshtml.dll (successful)\r\nRegistry activity\r\nSet keys...\r\nKEY:   HKEY_USERS\\S-1-5-21-1275210071-920026266-1060284298-1003\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\MigrateProxy\r\nTYPE:  REG_DWORD\r\nVALUE: 1 (successful)\r\nKEY:   HKEY_USERS\\S-1-5-21-1275210071-920026266-1060284298-1003\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\ProxyEnable\r\nTYPE:  REG_DWORD\r\nVALUE: 0 (successful)\r\nKEY:   HKEY_CURRENT_CONFIG\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\ProxyEnable\r\nTYPE:  REG_DWORD\r\nVALUE: 0 (successful)\r\nKEY:   HKEY_USERS\\S-1-5-21-1275210071-920026266-1060284298-1003\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections\\SavedLegacySettings\r\nTYPE:  REG_BINARY\r\nVALUE:  (successful)\r\nKEY:   HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectDraw\\MostRecentApplication\\Name\r\nTYPE:  REG_SZ\r\nVALUE: iexplore.exe (successful)\r\nKEY:   HKEY_LOCAL_MACHINE\\Software\\Microsoft\\DirectDraw\\MostRecentApplication\\ID\r\nTYPE:  REG_DWORD\r\nVALUE: 37 (successful)\r\nKEY:   HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\\\ProxyBypass\r\nTYPE:  REG_DWORD\r\nVALUE: 1 (successful)\r\nKEY:   HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\\\IntranetName\r\nTYPE:  REG_DWORD\r\nVALUE: 1 (successful)\r\nKEY:   HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\\\UNCAsIntranet\r\nTYPE:  REG_DWORD\r\nVALUE: 1 (successful)\r\nKEY:   HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012012102920121105\\CachePath\r\nTYPE:  REG_EXPAND_SZ\r\nVALUE: %USERPROFILE%\\Local Settings\\History\\History.IE5\\MSHist012012102920121105\\ (successful)\r\nDeleted keys...\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012012110420121105 (successful)\r\nProcess activity\r\nCreated processes...\r\nnet.exe localgroup Administrators (successful)\r\nnet.exe localgroup Administradores (successful)\r\nnet.exe group Domain Admins\" /domain\" (successful)\r\nnet.exe group Admins. do Domínio\" /domain\" (successful)\r\nCode injections in the following processes...\r\nIEXPLORE.EXE (successful)\r\nMutex activity\r\nCreated mutexes...\r\nG46A33F21110 (successful)\r\nCTF.LBES.MutexDefaultS-1-5-21-1275210071-920026266-1060284298-1003 (successful)\r\nCTF.Compart.MutexDefaultS-1-5-21-1275210071-920026266-1060284298-1003 (successful)\r\nCTF.Asm.MutexDefaultS-1-5-21-1275210071-920026266-1060284298-1003 (successful)\r\nCTF.Layouts.MutexDefaultS-1-5-21-1275210071-920026266-1060284298-1003 (successful)\r\nCTF.TMD.MutexDefaultS-1-5-21-1275210071-920026266-1060284298-1003 (successful)\r\nDDrawWindowListMutex (successful)\r\nDDrawDriverObjectListMutex (successful)\r\n__DDrawExclMode__ (successful)\r\n__DDrawCheckExclMode__ (successful)\r\nOpened mutexes...\r\nShimCacheMutex (successful)\r\n_!SHMSFTHISTORY!_ (failed)\r\nApplication windows activity\r\nSearched windows...\r\nCLASS: MS_AutodialMonitor\r\nNAME:  (null)\r\nCLASS: MS_WebcheckMonitor\r\nNAME:  (null)\r\nWindows service activity\r\nOpened service managers...\r\nMACHINE:  localhost\r\nDATABASE: SERVICES_ACTIVE_DATABASE (successful)\r\nOpened services...\r\nRASMAN (successful)\r\nHooking activity\r\nTYPE:   WH_MOUSE\r\nMETHOD: SetWindowsHook (successful)\r\nTYPE:   WH_KEYBOARD\r\nMETHOD: SetWindowsHook (successful)\r\nRuntime DLLs\r\noleaut32.dll (successful)\r\nsecur32.dll (successful)\r\nversion.dll (successful)\r\nadvapi32.dll (successful)\r\nclbcatq.dll (successful)\r\nrpcrt4.dll (successful)\r\nole32 (successful)\r\nole32.dll (successful)\r\nc:\\windows\\system32\\rpcrt4.dll (successful)\r\nsxs.dll (successful)\r\nAdditional details\r\nThe file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.\r\nThe file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.\r\nNetwork activity\r\nDNS requests...\r\ndocs.google.com (173.194.41.67)\r\nwww.gstatic.com (173.194.41.79)\r\nwww.google.com (74.125.132.99)\r\nTCP connections...\r\n173.194.41.73:443\r\n173.194.41.79:443\r\n74.125.132.99:443\r\nUDP communications...\r\n\u003cMACHINE_DNS_SERVER\u003e:53\r\nSource: http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html"
	],
	"report_names": [
		"nov-2012-backdoorw32makadocs-sample.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434600,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cea43242e385bb10cfce08eed98dc9cf220a15b7.pdf",
		"text": "https://archive.orkl.eu/cea43242e385bb10cfce08eed98dc9cf220a15b7.txt",
		"img": "https://archive.orkl.eu/cea43242e385bb10cfce08eed98dc9cf220a15b7.jpg"
	}
}