Tue, 03/28/2017 - 03:02

MemScan.Trojan.Injector.CLM_28ef820be5

Susp_Dropper (Kaspersky), MemScan:Trojan.Injector.CLM (B) (Emsisoft), MemScan:Trojan.Injector.CLM (AdAware), Backdoor.Win32.Kelihos.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS) Behaviour: Trojan, Backdoor

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

Summary

MD5: 28ef820be5e14a8830aa78a8f8bd7cb0

SHA1: b55fa6de5c2f78e9d6401898085086a8d9f8686c

SHA256: c7106c03d60f416962fcc301e02e0b234e20746ee31e5bcdc97573ccd8d6ff5e

SSDeep: 1536:0n0NunCY WMleaQQ7YdhWL2uy5OhVJQUVlGWEVd6Gqv1/2xTrCR0vDt4PmqIJyZJ:0n0NFp93cdgLZyghzBBE2GqvVKZm

Size: 122880 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2017-03-13 12:00:26

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The MemScan creates the following process(es):

%original file name%.exe:3676
temp1289952996.exe:2860
temp1289952996.exe:2428
temp1289952996.exe:3920
temp1289952996.exe:1084
temp1289952996.exe:3900
temp1289952996.exe:2732
temp1289952996.exe:3804
temp1289952996.exe:980
temp1289952996.exe:3556
temp1289952996.exe:2968
temp1289952996.exe:2840
temp1289952996.exe:3416
temp1289952996.exe:1924
temp1289952996.exe:1584
temp1289952996.exe:1908
temp1289952996.exe:1928
temp1289952996.exe:3040
temp1289952996.exe:1904
temp1289952996.exe:3552
temp1289952996.exe:3292
temp1289952996.exe:2308
temp1289952996.exe:1816
temp1289952996.exe:3368
temp1289952996.exe:1424
temp1289952996.exe:1980
temp1289952996.exe:540
temp1289952996.exe:772
temp1289952996.exe:2564
temp1289952996.exe:1548
temp1289952996.exe:3572
temp1289952996.exe:1256
temp1289952996.exe:2268
temp1289952996.exe:2132
temp1289952996.exe:3480
temp1289952996.exe:2684
temp1289952996.exe:2020
temp1289952996.exe:1528
temp1289952996.exe:760
temp1289952996.exe:320
temp1289952996.exe:3812
temp1289952996.exe:1388
temp1289952996.exe:3272
temp1289952996.exe:2768
temp1289952996.exe:2600
temp1289952996.exe:1452
temp1289952996.exe:2524
temp1289952996.exe:3588
temp1289952996.exe:2468
temp1289952996.exe:2760
temp1289952996.exe:2644
temp1289952996.exe:2856
temp1289952996.exe:3096
temp1289952996.exe:3524
temp1289952996.exe:1956
temp1289952996.exe:1936
temp1289952996.exe:2164
temp1289952996.exe:3408
temp1289952996.exe:100
temp1289952996.exe:3052
temp1289952996.exe:3404
temp1289952996.exe:1804
temp1289952996.exe:3508
temp1289952996.exe:3428
temp1289952996.exe:3540
temp1289952996.exe:1540
temp1289952996.exe:1656
temp1289952996.exe:3460
temp1289952996.exe:2316
temp1289952996.exe:2680
temp1289952996.exe:1720
temp1289952996.exe:3468
temp1289952996.exe:1536
temp1289952996.exe:2180
temp1289952996.exe:2752
temp1289952996.exe:1100
temp1289952996.exe:2300
temp1289952996.exe:3984
temp1289952996.exe:3848
temp1289952996.exe:1872
temp1289952996.exe:1660
INJF037.tmp:572

The MemScan injects its code into the following process(es):

temp1289952996.exe:3320

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process %original file name%.exe:3676 makes changes in the file system.
The MemScan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\INJF037.tmp (119 bytes)

The process temp1289952996.exe:3320 makes changes in the file system.
The MemScan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp.exe (0 bytes)

The process INJF037.tmp:572 makes changes in the file system.
The MemScan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\temp1289952996.exe (50 bytes)

Registry activity

The process %original file name%.exe:3676 makes changes in the system registry.
The MemScan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\"%CurrentUserName%"\AppData\Local\Temp]
"INJF037.tmp" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\INJF037.tmp:*:enabled:@shell32.dll,-1"

The process temp1289952996.exe:3320 makes changes in the system registry.
The MemScan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70]
"SizeCompletedValid" = "DPnltW7Y12UXz e2h9aYuPmpZyGUMxYjENnY/r7xsifzCXm6O1Ke4khccejrnjLiWg=="

[HKCU\Software\Microsoft\MediaPlayer\Preferences]
"PersistentLocalizedName" = "CB 80 F9 7F 7A 43 FA A7 28 80 00 11 E4 BC 45 6C"

[HKCU\Software\Microsoft\IMEJP\10.0\MSIME\AutoCharWidth]
"FlagsModifiedValid" = "00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\MediaPlayer\Preferences]
"LineLoadedQuick" = "DPnltW7Y12UXz e2h9aYuPmpZyGUMxYjENnY/r7xsifzCXm6O1Ke4khccejrnjLiWg=="

[HKCU\Software\Microsoft\IMEJP\10.0\MSIME\AutoCharWidth]
"RecordModifiedMax" = "DPnltW7Y12UXz e2h9aYuPmpZyGUMxYjENnY/r7xsifzCXm6O1Ke4khccejrnjLiWg=="

[HKCU\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70]
"ActiveModifiedTheme" = "CB 80 F9 7F 87 62 E5 04 56 A7 FC 05 41 AA 5A FD"

[HKCU\Software\Microsoft\MediaPlayer\Preferences]
"DBSavedUse" = "A2 49 4D F3 D9 1E 9F 88 01 01 08 6A 00 03 99 01"
"PlatformCompressedValid" = "00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\IMEJP\10.0\MSIME\AutoCharWidth]
"DefaultCompressedRecord" = "CB 80 F9 7F 73 33 AC 12 80 A4 D6 3F 4E 2C BA 90"

[HKCU\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70]
"InfoPlayedCurrent" = "00 00 00 00 00 00 00 00"

To automatically run itself each time Windows is booted, the MemScan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetworkSaver" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\temp1289952996.exe"

Dropped PE files

MD5                               File path
bbd21b75dc94c90bd950e126a2cd51c5  c:\Users\"%CurrentUserName%"\AppData\Local\Temp\INJF037.tmp
dbb6df3329bd5a720e68a44ad3be80aa  c:\Users\"%CurrentUserName%"\AppData\Local\Temp\temp1289952996.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3676
    temp1289952996.exe:2860
    temp1289952996.exe:2428
    temp1289952996.exe:3920
    temp1289952996.exe:1084
    temp1289952996.exe:3900
    temp1289952996.exe:2732
    temp1289952996.exe:3804
    temp1289952996.exe:980
    temp1289952996.exe:3556
    temp1289952996.exe:2968
    temp1289952996.exe:2840
    temp1289952996.exe:3416
    temp1289952996.exe:1924
    temp1289952996.exe:1584
    temp1289952996.exe:1908
    temp1289952996.exe:1928
    temp1289952996.exe:3040
    temp1289952996.exe:1904
    temp1289952996.exe:3552
    temp1289952996.exe:3292
    temp1289952996.exe:2308
    temp1289952996.exe:1816
    temp1289952996.exe:3368
    temp1289952996.exe:1424
    temp1289952996.exe:1980
    temp1289952996.exe:540
    temp1289952996.exe:772
    temp1289952996.exe:2564
    temp1289952996.exe:1548
    temp1289952996.exe:3572
    temp1289952996.exe:1256
    temp1289952996.exe:2268
    temp1289952996.exe:2132
    temp1289952996.exe:3480
    temp1289952996.exe:2684
    temp1289952996.exe:2020
    temp1289952996.exe:1528
    temp1289952996.exe:760
    temp1289952996.exe:320
    temp1289952996.exe:3812
    temp1289952996.exe:1388
    temp1289952996.exe:3272
    temp1289952996.exe:2768
    temp1289952996.exe:2600
    temp1289952996.exe:1452
    temp1289952996.exe:2524
    temp1289952996.exe:3588
    temp1289952996.exe:2468
    temp1289952996.exe:2760
    temp1289952996.exe:2644
    temp1289952996.exe:2856
    temp1289952996.exe:3096
    temp1289952996.exe:3524
    temp1289952996.exe:1956
    temp1289952996.exe:1936
    temp1289952996.exe:2164
    temp1289952996.exe:3408
    temp1289952996.exe:100
    temp1289952996.exe:3052
    temp1289952996.exe:3404
    temp1289952996.exe:1804
    temp1289952996.exe:3508
    temp1289952996.exe:3428
    temp1289952996.exe:3540
    temp1289952996.exe:1540
    temp1289952996.exe:1656
    temp1289952996.exe:3460
    temp1289952996.exe:2316
    temp1289952996.exe:2680
    temp1289952996.exe:1720
    temp1289952996.exe:3468
    temp1289952996.exe:1536
    temp1289952996.exe:2180
    temp1289952996.exe:2752
    temp1289952996.exe:1100
    temp1289952996.exe:2300
    temp1289952996.exe:3984
    temp1289952996.exe:3848
    temp1289952996.exe:1872
    temp1289952996.exe:1660
    INJF037.tmp:572

  2. Delete the original MemScan file.
  3. Delete or disinfect the following files created/modified by the MemScan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\INJF037.tmp (119 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\temp1289952996.exe (50 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NetworkSaver" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\temp1289952996.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             804           1024      3.05041  de948b51237c19ee3ce1a38f9481ff4e
.rdata  8192             680           1024      2.38568  92b75229156b31a066c178492656bf80
.data   12288            856           512       2.36913  fef61e5a6c859efbecae7afec6b7aa43
.rsrc   16384            119240        119296    4.51548  07f90f3e486edbdb71342c944598ad23

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL                               IP
hxxp://194.165.16.66/questio.exe
dns.msftncsi.com                  131.107.255.255

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The MemScan connects to the servers at the following location(s):

Strings from Dumps