Sat, 04/01/2017 - 03:05

Trojan.Agent.CCPK_4e8f2c83f7

Trojan.Win32.Agent.icgh (Kaspersky), Trojan.Agent.CCPK (B) (Emsisoft), Trojan.Agent.CCPK (AdAware), Trojan.Win32.Swrort.4.FD, TrojanSwrort.YR (Lavasoft MAS) Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 4e8f2c83f736065ba813cd10bf8d6bae

SHA1: 200a3b5f215ebd9d855b46d614be0489ede24a79

SHA256: db5e41e1070c50798bb3c6c7e0e864f9ccfbec8b7449e00b112bf31061759e58

SSDeep: 12288:/1/aGLDCMNpNAkoSzZWD8ayXEMQCw7D0FoWxJpcEi0/3IWV//7cSdr00iw2CXvvA:/1/aGLDCM4D8ay0MZo8/v0Hw2AHRT6

Size: 1010953 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: no data

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

tcegr.exe:3404
%original file name%.exe:2604

The Trojan injects its code into the following process(es): No processes have been created.

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process tcegr.exe:3404 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\config.sys .exe (1963131 bytes)
C:\bootmgr .exe (1963131 bytes)
C:\Boot .exe (1963131 bytes)
C:\Windows .exe (1963131 bytes)
C:\ProgramData .exe (1963131 bytes)
C:\$Recycle.Bin .exe (1963131 bytes)
C:\BOOTSECT.BAK .exe (1963131 bytes)
%Documents and Settings% .exe (1963131 bytes)
C:\original .exe (1963131 bytes)
C:\totalcmd .exe (1963131 bytes)
C:\Users .exe (1963131 bytes)
C:\XELDZ .exe (1963131 bytes)
C:\autoexec.bat .exe (1963131 bytes)
C:\System Volume Information .exe (1963131 bytes)
C:\marker .exe (1963131 bytes)
%Program Files% .exe (1963131 bytes)
C:\%original file name%.exe .exe (1963131 bytes)
C:\pagefile.sys .exe (1963131 bytes)

The Trojan deletes the following file(s):

C:\Mirax (0 bytes)
C:\Miray (0 bytes)
C:\Mirat (0 bytes)
C:\Mirau (0 bytes)
C:\Mirav (0 bytes)
C:\Miraq (0 bytes)
C:\Mirar (0 bytes)
C:\Miral (0 bytes)
C:\Miram (0 bytes)
C:\Miran (0 bytes)
C:\Mirah (0 bytes)
C:\Mirad (0 bytes)
C:\Miraf (0 bytes)
C:\Mirag (0 bytes)
C:\Miraa (0 bytes)
C:\Mirab (0 bytes)

The process %original file name%.exe:2604 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Saaaalamm\Mira.h (960208 bytes)
C:\ProgramData\tcegr.exe (1020884 bytes)

Registry activity

The process tcegr.exe:3404 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:


To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft® Windows® Operating System" = "C:\ProgramData\tcegr.exe"

Dropped PE files

MD5                               File path
f03ea61a5e4e2912c22afd5ea4c91a33  c:\$Recycle.Bin .exe
40926ffe555069786a51d5460406a602  c:\%original file name%.exe .exe
e74de3ce591d6f4f04144220f85ae113  c:\BOOTSECT.BAK .exe
03f0c89b95d0d780679d0365c6ce2779  c:\Boot .exe
22013348cb3ea54386c9dee4676ba512  c:\Documents and Settings .exe
b965234da0de91d83594aeef63579d10  c:\Perl .exe
c94d2df19a91e4842c18a3ecb70314af  c:\Program Files .exe
d6625dee19bfcd95ddf4dba42e3e21a2  c:\ProgramData .exe
0097732504850319971faed87f071fd4  c:\ProgramData\Saaaalamm\Mira.h
7f04abe7b39911c0054a18c6c660962c  c:\ProgramData\tcegr.exe
b1f14e32c899c15370d1633cfb3d0ca2  c:\System Volume Information .exe
ff35ee2c7825e3b91ba6afa51af769bb  c:\Users .exe
0097732504850319971faed87f071fd4  c:\Users\All Users\Saaaalamm\Mira.h
7f04abe7b39911c0054a18c6c660962c  c:\Users\All Users\tcegr.exe
e260cd50700751a8f6a8e47e286a9340  c:\Windows .exe
b37ef05dc86bd98dc40c467d00b31324  c:\XELDZ .exe
b317f3d289f6f12914e40624b03f645c  c:\autoexec.bat .exe
00e1cafad4103926451c8e0d36e02bd8  c:\bootmgr .exe
94c8106f93ddf67edddb93640f5895ca  c:\config.sys .exe
6d114278fb2ecd8ab74f063dd980a088  c:\marker .exe
4c7f10805d8c414962fe149d9a28fe15  c:\original .exe
9745417027586ad71807abce0f6fbb99  c:\pagefile.sys .exe
e612a1311750afc6aadea4389ff53bc0  c:\totalcmd .exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    tcegr.exe:3404
    %original file name%.exe:2604

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\config.sys .exe (1963131 bytes)
    C:\bootmgr .exe (1963131 bytes)
    C:\Boot .exe (1963131 bytes)
    C:\Windows .exe (1963131 bytes)
    C:\ProgramData .exe (1963131 bytes)
    C:\$Recycle.Bin .exe (1963131 bytes)
    C:\BOOTSECT.BAK .exe (1963131 bytes)
    %Documents and Settings% .exe (1963131 bytes)
    C:\original .exe (1963131 bytes)
    C:\totalcmd .exe (1963131 bytes)
    C:\Users .exe (1963131 bytes)
    C:\XELDZ .exe (1963131 bytes)
    C:\autoexec.bat .exe (1963131 bytes)
    C:\System Volume Information .exe (1963131 bytes)
    C:\marker .exe (1963131 bytes)
    %Program Files% .exe (1963131 bytes)
    C:\%original file name%.exe .exe (1963131 bytes)
    C:\pagefile.sys .exe (1963131 bytes)
    C:\ProgramData\Saaaalamm\Mira.h (960208 bytes)
    C:\ProgramData\tcegr.exe (1020884 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft® Windows® Operating System" = "C:\ProgramData\tcegr.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Microsoft Corporation
Product Name: Mira Malware
Product Version: 1.0.0.155
Legal Copyright: Microsoft Corporation
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.155
File Description: Mira Malware
Comments:
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   4096             245368        245760    4.22546   1999eec8e9c4cd12139326da6738ca99
.data   249856           608           1024      0.488703  6fda88cf7188a8245a53dfde927250fd
.rdata  253952           9384          9728      3.47165   dbe852009dbd077a9976cb0ecfb9aadf
.bss    266240           18576         0         0         d41d8cd98f00b204e9800998ecf8427e
.idata  286720           2212          2560      2.97703   5e5242c565219f3bd33a6568632559dc
.rsrc   290816           758300       750857    4.88213   f76076ea10800bfd506bdac57e102a33

Dropped from:

e138289d27dc4cd869fbbfdc99e90156

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 8

Network Activity

URLs

URL IP
dns.msftncsi.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the following location(s):

Strings from Dumps

tcegr.exe_3404:

.text

`.data

.rdata

@.bss

.idata

C:\ProgramData\tcegr.exe

Software\Microsoft\Windows\CurrentVersion\Run

Windows

Operating System

%H:%M:%S

%m/%d/%y

-0123456789

%s:%u: failed assertion `%s'

RegCloseKey

RegOpenKeyA

ADVAPI32.DLL

KERNEL32.dll

msvcrt.dll

SHELL32.DLL