Sat, 03/25/2017 - 03:00

Trojan.Agent.CERV_1efbf2304a

Detections: Trojan.Agent.CERV (B) (Emsisoft), Trojan.Agent.CERV (AdAware), Trojan.Win32.Swrort.3.FD (Lavasoft MAS)

Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 1efbf2304affff18e3c27d46f2857f34

SHA1: a7072c43896ed0a3151f9d21eb54073b6842ce01

SHA256: 3299ab9508f648d2c4d96a2963fb86b76c2f9c931e7cf62995099ae1a153eb58

SSDeep: 12288:EAWzgp6AuSbj3ELyNBAlubqAuPgjVDKt4tNgKd3U8ZwSNWaZHyEonx6nwn8AFFDP:bYMAL/lflPgjVRtdU8Z/NvSnlWy1

Size: 878592 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: Gatut

Created at: 2016-11-09 18:29:49

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es): No processes have been created.

The Trojan injects its code into the following process(es):

%original file name%.exe:1672

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process %original file name%.exe:1672 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\FailedToInstall[1].htm (715 bytes)

Registry activity

The process %original file name%.exe:1672 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\1efbf2304affff18e3c27d46f2857f34_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\1efbf2304affff18e3c27d46f2857f34_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\1efbf2304affff18e3c27d46f2857f34_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\1efbf2304affff18e3c27d46f2857f34_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\1efbf2304affff18e3c27d46f2857f34_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\FailedToInstall[1].htm (715 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   4096             748736        749056    5.50177   400afa4952ef65e0f0607ef78a71f7fa
.data   753664           86268         86528     5.52627   b325cf1a4ede1197135d3b33ca98294f
/16     843776           4352          4608      4.44673   78c354605d5f9a836d3b946a302c1859
/24     851968           8448          8704      4.50806   4f226a906aabbbe68035b3dc9fa09baf
.rdata  864256           4352          4608      4.45075   269499be580dee942ff7a6b6e2d8640a
.bss    872448           4608          0         0         d41d8cd98f00b204e9800998ecf8427e
.idata  880640           8168          8192      3.91373   448493d1a0f4947b57a0833b8c045ed2
.tls    888832           44            512       0.139696  31f6ae0efbc8665f66a532ed2022ca95
.rsrc   892928           14988         15360     3.56282   231239b870f6086688cb6c581ac8d678

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 226

Network Activity

URLs

URL                                                                                                   IP
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/index.php
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/FailedToInstall.php?reason=8&version=1.1.5.26
hxxp://www.quaintspokenracketiest.site/index.php                                                      54.243.162.153
hxxp://www.quaintspokenracketiest.site/FailedToInstall.php?reason=8&version=1.1.5.26                  54.243.162.153

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the following location(s):

Strings from Dumps