
Tue, 03/28/2017 - 03:02

Gen.Variant.Application.Razy.62899_c6c95ad804

not-a-virus:HEUR:AdWare.Win32.Sokuxuan.gen (Kaspersky), Gen:Variant.Application.Razy.62899 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS) Behaviour: Trojan, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


Summary

MD5: c6c95ad80483ce6c13c6da1474f3c0e0

SHA1: b47e4ef7ef399320e36669f43c9bfb81f995d88c

SHA256: 99343e9c869d284331fcefb334a2bb4e72426580e98b9acb91b277aedb309b06

SSDeep: 24576: J2MdazmND9jeSDjPblXiZNOdgyVG4SZuMALkPXT:dMMzKiSDjhXQajS/ALkvT

Size: 1492992 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2017-03-13 14:44:39

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es): No processes have been created.

The Trojan injects its code into the following process(es): No processes have been created.

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

No files have been created.

Registry activity

Dropped PE files

MD5                               File path
20e131fa17e8605d2484628420525c2a  c:\Program Files\Maoha\MaohaAP\7z.dll
cf73c3a03582408d422d4f7a01190d00  c:\Program Files\Maoha\MaohaAP\DIFxAPI.dll
24d6f19ca07a2ac3bfd6ff1ab3896b85  c:\Program Files\Maoha\MaohaAP\ICSDHCP.dll
8dd69fb54e5c29e07b8725c3c19ccfbd  c:\Program Files\Maoha\MaohaAP\MaoHaCD.dll
c610588fa9f5065f19d735cc72ad351a  c:\Program Files\Maoha\MaohaAP\MaoHaWiFiNet.sys
292f9a2632605d6591e0ea6ed62b6726  c:\Program Files\Maoha\MaohaAP\MaoHaWiFiNet64.sys
82bfea273392f5fcb0f19fe1e62a4440  c:\Program Files\Maoha\MaohaAP\MaohaDevMng.dll
bde7beffd77d80bfbfd47399ba467e49  c:\Program Files\Maoha\MaohaAP\MaohaWiFi.exe
d83716a9bb89a83d1089cf7c5ef231e2  c:\Program Files\Maoha\MaohaAP\MaohaWifiBase.dll
993921373facaef60cb9f9e84aab8301  c:\Program Files\Maoha\MaohaAP\MaohaWifiSvr.exe
c23979c42db65b1d10e733e50ba90bd3  c:\Program Files\Maoha\MaohaAP\MaohaWifiWin7.dll
d3006eb32933300b7da1b121b74b7ce5  c:\Program Files\Maoha\MaohaAP\MaohaWifiXP.dll
cd4d3d1cfdce0becb435a970b8e6a576  c:\Program Files\Maoha\MaohaAP\MyTheme.dll
41fbc54be444b267ad13711b20cbe6e5  c:\Program Files\Maoha\MaohaAP\RaAPAPI.dll
1877c1fc206cc00f602f268c97217291  c:\Program Files\Maoha\MaohaAP\RaWifi.dll
14c49377642096f9a6d7f3dfc00044f2  c:\Program Files\Maoha\MaohaAP\ResLoader.dll
491c3dfceb37cde6fd0086ef5fc225fb  c:\Program Files\Maoha\MaohaAP\SkinBase.dll
c1dd873243befea71d0dc939f38f5afd  c:\Program Files\Maoha\MaohaAP\SmartAction.dll
53924a7da2fd9056b71b1dea9a35fb1c  c:\Program Files\Maoha\MaohaAP\Uninstall.exe
e1ecdad5c7ff885de6f241437e7a44f9  c:\Program Files\Maoha\MaohaAP\Updater\CheckUpdate.dll
9b6e41d5fd9c63c709bda83c0359b7f9  c:\Program Files\Maoha\MaohaAP\Updater\MaohaWiFiUpg.exe
0f43af2015ee8f94e9b7061cedc8783d  c:\Program Files\Maoha\MaohaAP\WifiDhcpSvr.dll
22c9997dcf3d23ede6dbe1ed6a3b0af1  c:\Program Files\Maoha\MaohaAP\WifiHelp64.exe
540a232e81e4e5d67c215af689515e3b  c:\Program Files\Maoha\MaohaAP\YunExplorer.exe
072f2457e70e081384edd61c821c419b  c:\Program Files\Maoha\MaohaAP\driver\DriverInstall.exe
0f43a42e493fbfdee5f8bd0999c3af20  c:\Program Files\Maoha\MaohaAP\driver\DriverInstall_X64.exe
ef7f7d21d627753e4148bc1724b4d639  c:\Program Files\Maoha\MaohaAP\driver\DriverTool.dll
2b903da63c57da124f22e1e79ccec479  c:\Program Files\Maoha\MaohaAP\driver\MaohaWifiProNat.sys
b8f760633541da35bcff7087e710bcb4  c:\Program Files\Maoha\MaohaAP\driver\MaohaWifiProNat64.sys
1a2e5109c2bb5c68d499e17b83acb73a  c:\Program Files\Maoha\MaohaAP\drv64\DIFxAPI.dll
2fb4b755ba2e98ca459d420d34b3e3d7  c:\Program Files\Maoha\MaohaAP\drv64\drv64.exe
a3f1268c29c18452fa7aa902642710d3  c:\Program Files\Maoha\MaohaAP\dt.exe
cadb1a29c7863c1ddbec3e309741d915  c:\Program Files\Maoha\MaohaAP\ext\1.dll
a9b884aae19f1785fd51382809fded7f  c:\Program Files\Maoha\MaohaAP\ext\3.dll
5d53b78f8d73e81d162d62876e4bd1cc  c:\Program Files\Maoha\MaohaAP\ext\4.dll
dbb04e987b4a6b620bf1664b96db616e  c:\Program Files\Maoha\MaohaAP\ext\5.dll
1f0f865b1fea713bb9dc480c7c786197  c:\Program Files\Maoha\MaohaAP\ext\6.dll
68b2a121a539371262af32004abd2b20  c:\Program Files\Maoha\MaohaAP\gzipdll.dll
f96221d6c46ce19751c43c423b7c3ba1  c:\Program Files\Maoha\MaohaAP\maohasubstat.dll
1d66e130dac29c706a1005268d98dab0  c:\Program Files\Maoha\MaohaAP\pcid.dll
b493c0cdee36755385cee0057c25175f  c:\Program Files\Maoha\MaohaAP\pcidetect.dll
0a2041af48f0fbda65876fc7efdc5c9a  c:\Program Files\Maoha\MaohaAP\softconfig.dll
618b8336c03c31a3f79a39d9e89983ea  c:\Program Files\Maoha\MaohaAP\tips.exe
02d316a6166508f4bd5fc478562f2bc1  c:\Program Files\Maoha\MaohaAP\tipsdll.dll
0a2ec8bd4f918532798fc4ae82051862  c:\Program Files\Maoha\MaohaAP\uninstall.dll
1394468655afebe17af9fe99900cee4d  c:\Users\"%CurrentUserName%"\AppData\Local\Temp\00027660\UCBrowser_V6.1.2107.204_4775_(Build1703071827)_ChannelU_03081433.exe
bfae8cde6902549029fa33b95983778d  c:\Users\"%CurrentUserName%"\AppData\Local\Temp\00027689\MaoHaWiFiSetup_257.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\??\%Program Files%\Maoha\MaohaAP\MaoHaWiFiNet.sys", the Trojan intercepts and controls system registry operations by installing a registry notification callback (registry notifier).


Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Delete the original Trojan file.
  3. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  4. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             1147503       1147904   4.30283  c8e6b841b47407b80590fd32bfe49216
.rdata  1155072          250632        250880    3.302    7ef0487f1b34e17be881c8ef93adb6de
.data   1409024          58124         31232     3.60055  dbb5f3c1860a3d07e8813a0181d6a07e
.rsrc   1470464          488           512       3.30772  bc0a992bcfbef2cc29fb6c19f25f5374
.reloc  1474560          61396         61440     4.52964  d11292eb2f2d27e0246ceb29e700f2e6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL  IP
hxxp://xiaobingdou.com/anzhuang.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNENCRkRDMjlFQUEzOUFDRjRGNTlBOUM0M0NEMEI0RUQ2RTcyNEY5MzREODM5QkY2MzFDOTk0QThDRENGOEU1MzE=  23.252.160.20
hxxp://xiaobingdou.com/reportInstallaa.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNDU5QTJBRDc1MjJGRTBCMEQzMDQ1M0E3QTU2RTYyMzU3ODE0NjgxOTdDMTlFMUU0NzQ0NDhDQ0JFQkY2N0FFMzk5NDBFQ0IxNDAyQkY5NDg4NkFFNTg2QUZDNzg5RTk4RTIwQkJCRDFBNUVDRDk2MjMxMEE4QzEwMjA2QzA4MDE1  23.252.160.20
hxxp://xiaobingdou.com/jihuo.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNENCM0YyN0U3MTIzM0JGODY2QUZDM0MzMkYwRjYyNzhERDBFMzIwREU5RkUxRDU1NTczMUQ4Rjg1RDA5QUNCNEFFNjBEODc2NTAzNzQzRDc5Qjg5MDJGNEUyMTNDQkI1NTM2QTRBN0YzMkI3NUFDNUNEQzEzNDRGNDMwRURGNEI2  23.252.160.20
hxxp://xiaobingdou.com/reportInstallaa.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNDU5QTJBRDc1MjJGRTBCMEQzMDQ1M0E3QTU2RTYyMzU3RUFDNjNGNjlBOUY1QkIyNDBBODM5MTY0NzZDMEY3M0NFRDM1MTFFMTc2RkE4QkUwMTkyNjkxNDI3RUE2QUFCODU4NkUxNjI2ODdGQTVDMkQwNjY3QjVDMkY3OURGQzNENTVGRTM4ODI2MUQwNjFEOUMxMTcwQjFFMURGRDM4MzY=  23.252.160.20
hxxp://xiaobingdou.com/reportInstallaa.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNDU5QTJBRDc1MjJGRTBCMEQzMDQ1M0E3QTU2RTYyMzU3NzlCOUFFMkNCODk3NjMxRTc5QTQzNzEzREFDOTg4NjNDQzQ3MjQ4RERERDI0REUxNjI5NzEyNENCQTY1M0VFMUM5QjRCRUUzNDEzMDAwNDA2QzA5OTI2RDc4OTkxRTIyMzc0QzlDODYxQ0QwQkFFREE3RTEwQzFENzA3RjRDRTQ=  23.252.160.20
hxxp://xiaobingdou.com/reportInstallaa.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNDU5QTJBRDc1MjJGRTBCMEQzMDQ1M0E3QTU2RTYyMzU3OTkzNDIyNzZGRDJGQTFBQTE0MTVBOEE0N0E5OTY2RjVGMzRDMjk2OTc0QTBEQ0QxOUEyQzlEQTlCQTE4QzlBMDk3QjE0OUU3RTUzMTRBQzNCMkI3NzNERTg1QjIyNTIzQTM2NUI0Nzk5OTJBRTg1OTIwOEFBNDMwOTA0QTQ1QjNFODQ3MUE0NjJBOTk4MTQ4RkI1Q0QyN0RBNzA1MDBBMjg5QURCM0VCODQxNDFDNkRCMUM0ODU0RDhCQzNBOEM0Q0VFMEJFMkM2M0QyQjdFRENBNjA2NEM4MEFENkMxQkI=  23.252.160.20
hxxp://xiaobingdou.com/reportInstallaa.aspx?…  23.252.160.20
hxxp://xiaobingdou.com/reportInstallaa.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNDU5QTJBRDc1MjJGRTBCMEQzMDQ1M0E3QTU2RTYyMzU3RUQ0RkRDQjQ2NDkzNDM1MkRCODI2RjI4QzgyMzhFQzVERUVBRDFCNEQwRTAxNjUxMzZCNEVFMEQ5MkZGREFGMTY0QzA5RkI5NDA1QjUzMzA3MzdGNjcyMzAzOTM0REM2ODA5MkI0QkVCRkYwREI0NDQyNUEyODQ0MDgxODgxNkM=  23.252.160.20
hxxp://dns.union.uc.cn/pcbrowser/down.php?pid=4775
hxxp://545042.p23.tc.cdntip.com/kz2zzlm/KuaiZip_Setup_2915511984_zzlm_014.exe
hxxp://umcdn.uc.cn.w.alikunlun.com/down/4775/UCBrowser_V6.1.2107.204_4775_(Build1703071827)_ChannelU_03081433.exe  195.27.31.253
hxxp://xiaobingdou.com/reportInstallaa.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNDU5QTJBRDc1MjJGRTBCMEQzMDQ1M0E3QTU2RTYyMzU3MjZFNTA0M0I1NkY3MkUxRkQ2NkY2OEYyOTY1Q0E2OUI4MTg3NjU3MkU3M0VBNjNFMzY2NzhEQzg2ODI3Q0VGNEI1MTY0NTRCODA3MUEwMDY0Mzk0NDEzRDlCOTY2MUI1QTkxQzgwMUI3RUY5RUNBNjc4MjM0N0I3NTM0OEE2OTUzMjcyOTIzQzAzQTdCM0I4Q0RBNzg3QjJBMDhBREEzQTMwQjA2NUZBQjhCQUMzODk5NEE5OTJBQzdBRjA1ODIz  23.252.160.20
hxxp://xiaobingdou.com/reportInstallaa.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNDU5QTJBRDc1MjJGRTBCMEQzMDQ1M0E3QTU2RTYyMzU3OTkzNDIyNzZGRDJGQTFBQTE0MTVBOEE0N0E5OTY2RjUwODg2QkQ5NEZDQjQyMkVCNEYwN0U1ODk5REQ2M0QxN0QyRDAyNUNFM0FBRThDNENBQjI0NkNEQzY4RDY4QkYzQ0U5NDY4QkRFNDQwNkQ2Qzg1QzJGMzkxNDQyNUEwRTMzMTRCOUJCMkNERThGNEU5MDMxRjNEQzA5RjhGQjQ5QkNDN0E5N0RDOTExQjAyQzZFODJFQzY4MTgyRDlDQ0M0N0U4QTc4ODIwNTY1QTdERUE4MjBBNjFGM0VGQkUzM0RFRTI2MzkwNEU5NjhDQUY4QzQxRkYzQTc4N0ZBMUI1Mw==  23.252.160.20
hxxp://umcdn.uc.cn.w.alikunlun.com/biz-data/sec/channel/test/config/av_config.ini  195.27.31.253
hxxp://dns.union.uc.cn/pcbrowser/down.php?type=dll&pid=4775
hxxp://1st.dl.ourdvs.com/soft/mhwifi/MaoHaWiFiSetup_257.exe
hxxp://umcdn.uc.cn.w.alikunlun.com/down/4775/UCBrowser_V6.1.2107.204_4775_(Build1703071827)_ChannelU_03081433.dll  195.27.31.253
hxxp://xiaobingdou.com/reportInstallaa.aspx?NUQ0Q0RDNzlDNUFCQjQ2Njc2QTg5M0JCNUNEODRCQzE3MjFEMDBDNTdEQThEQTk1MzI4NDM3REJFNkYwOTRBNDU5QTJBRDc1MjJGRTBCMEQzMDQ1M0E3QTU2RTYyMzU3MjZFNTA0M0I1NkY3MkUxRkQ2NkY2OEYyOTY1Q0E2OUI5MjREMEMzMjM2NzgwMDc4MzAzQzg1NjNFRTI1NTdCQkUxNzUwN0MwQTgwOTk0QjgxM0E5MTZFMTY2RDMyMjc1RkM4MzlEQ0IxMEUyODg5MkY1OTEwMEJGNDU4QTdBNkVCRUJGMDk0RjY3RUREOUYxNEUyNTZGOTM2RjJCMjFFMjJCQ0IzMEI4MzIxMTg3QzBCQUVGRkE1OTYyRDhCMjAyNjEyRDE1NzYyQjUxQjlBNzZEODM1MzFGQTI4QTlBRDU=  23.252.160.20
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://down2.uc.cn/pcbrowser/down.php?type=dll&pid=4775  123.150.188.19
hxxp://umcdn.uc.cn/down/4775/UCBrowser_V6.1.2107.204_4775_(Build1703071827)_ChannelU_03081433.dll  195.27.31.253
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab  62.140.236.170
hxxp://umcdn.uc.cn/down/4775/UCBrowser_V6.1.2107.204_4775_(Build1703071827)_ChannelU_03081433.exe  195.27.31.253
hxxp://wow.uc.cn/biz-data/sec/channel/test/config/av_config.ini  195.27.31.253
hxxp://dl.kkdownload.com/kz2zzlm/KuaiZip_Setup_2915511984_zzlm_014.exe  118.212.234.21
hxxp://down2.uc.cn/pcbrowser/down.php?pid=4775  123.150.188.19
hxxp://res.maoha.com/soft/mhwifi/MaoHaWiFiSetup_257.exe  203.130.56.136
update.ss.maohawifi.com  121.10.143.40
dns.msftncsi.com  131.107.255.255
service.maohawifi.com  121.10.143.40
unin.maohawifi.com  121.10.143.40

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the following location(s):

Strings from Dumps