
Mon, 03/27/2017 - 03:00

Application.Downloader.AKK_6d9315385c

Application.Downloader.AKK (AdAware), Trojan.Win32.Swrort.3.FD (Lavasoft MAS) Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

Summary

MD5: 6d9315385c605890a61b227e11001e96

SHA1: 6285a0a3a997adfb3ee8f5720b30436855414b8a

SHA256: a32793d5774ab6d3d4c88be6be5558d4e233796ea977609a805d778ed5652cad

SSDeep: 12288:kdDRdsrDoPEB5Uh fZN81Eq6RaXMrQAC3TyWl4pIZU8s2yM17sdn/1:IR6rkPo5LkEq6IXoQAC2q4pIZuYmt

Size: 737792 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2016-11-09 18:31:42

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Application creates the following process(es):

No processes have been created.

The Application injects its code into the following process(es):

%original file name%.exe:2060

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process %original file name%.exe:2060 makes changes in the file system.


The Application creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\FailedToInstall[1].htm (715 bytes)

Registry activity

The process %original file name%.exe:2060 makes changes in the system registry.


The Application creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Application deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Application file.
  3. Delete or disinfect the following files created/modified by the Application:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\FailedToInstall[1].htm (715 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   4096             613088        613376    5.51487   7b88abd958984beb06b6396e55787664
.data   618496           90364         90624     5.51808   8dd3663bc5218f10562c7309e658798d
.rdata  712704           8704          8704      4.4428    3c1381e19cdf1066bf95ce957baefa68
.bss    724992           2304          0         0         d41d8cd98f00b204e9800998ecf8427e
.idata  729088           8092          8192      3.92823   95d9b9c789fd087870f0854c4fe03eca
.tls    737280           44            512       0.142404  162a4c0fae74fb067ab49760f71d0850
.rsrc   741376           14988         15360     3.56282   ff7f2f458fc19a67a6717dcc7191c088

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 180

Network Activity

URLs

URL                                                                                                               IP
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/index.php
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/FailedToInstall.php?reason=8&version=1.1.5.26
hxxp://www.selfdislikedfarfet.site/FailedToInstall.php?reason=8&version=1.1.5.26                                  107.20.147.93
hxxp://www.selfdislikedfarfet.site/index.php                                                                      107.20.147.93

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Application connects to the servers at the following location(s):

Strings from Dumps