Trojan.Generic.20493032_dd346f237b
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.20493032 (B) (Emsisoft), Trojan.Generic.20493032 (AdAware), Backdoor.Win32.Xtrat.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS) Behaviour: Trojan, Backdoor, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: dd346f237b63640681eb0fcca0db9e2e
SHA1: e37498d25c6e9191c3b430a5e69c14a906f9ac4d
SHA256: 4c114640f9e3e89f6b3ca27cde31dd7a58ff65d028c3a9136c4a95f8d80593a2
SSDeep: 3072:B2/C6U/CXKwCA/NsC1DrdSocnvD9kfR6ftWSkybNfLjS:5HMKCF/fR6fIozj
Size: 150016 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: Gemius
Created at: 2017-03-14 00:50:51
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3584
.exe:3792
The Trojan injects its code into the following process(es):
svchost.exe:3616
iexplore.exe:3804
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process %original file name%.exe:3584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (768 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\a33333.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\LoMkjwQ.exe (673 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (768 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\.exe (44 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\a33333.xml (0 bytes)
The process .exe:3792 makes changes in the file system.
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\x.html (0 bytes)
Registry activity
The process %original file name%.exe:3584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process .exe:3792 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\XtremeRAT]
"Mutex" = "lmx8pleQ0FRNPt"
Dropped PE files
MD5 | File path |
---|---|
54a47f6b5e09a77e61649109c6a08866 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\.exe |
54a47f6b5e09a77e61649109c6a08866 | c:\Windows\System32\InstallDir\svchost.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3584
.exe:3792
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (768 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\a33333.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\LoMkjwQ.exe (673 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (768 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\.exe (44 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: setup.exe
Internal Name: setup.exe
File Version: 1.0.0.0
File Description:
Comments:
Language: Chinese (Simplified, PRC)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 147636 | 147968 | 4.96383 | b3d0d7d4f93b32d2f835ea74e3a5f63b |
.rsrc | 163840 | 1024 | 1024 | 1.45033 | eb430732b96f92c7a34280b006cf4762 |
.reloc | 172032 | 12 | 512 | 0.070639 | f4afd64c7ac0ca5a63ec3846c653b823 |
Dropped from:
26c8022bdcc2dc7c31dd8c860b11d3ab
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
ah-antihacker.ddns.net | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
svchost.exe_3616:
.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385
svchost.exe_3616_rwx_10000000_0004D000:
`.rsrc
ServerKeyloggerU
789:;
%SERVER%
URLMON.DLL
shell32.dll
hXXp://
advapi32.dll
kernel32.dll
mpr.dll
version.dll
comctl32.dll
gdi32.dll
opengl32.dll
user32.dll
wintrust.dll
msimg32.dll
juXqhu2.iu
KWindows
TServerKeylogger
GetWindowsDirectoryW
RegOpenKeyExW
RegCreateKeyW
RegCloseKey
RegOpenKeyExA
FindExecutableW
ShellExecuteW
SHDeleteKeyW
URLDownloadToCacheFileW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
GetKeyboardType
GetKeyboardState
FtpPutFileW
FtpSetCurrentDirectoryW
.idata
.rdata
P.reloc
P.rsrc
URLDb
KERNEL32.DLL
ntdll.dll
oleaut32.dll
shlwapi.dll
wininet.dll
x.html
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
[Execute]
KeyDelBackspace
.html
XtremeKeylogger
Software\Microsoft\Windows\CurrentVersion\Run
.functions
icon=shell32.dll,4
shellexecute=
autorun.inf
\Microsoft\Windows\
ÞFAULTBROWSER%
svchost.exe
ah-antihacker.ddns.net
{W85FPND1-LO20-F66I-3B80-VFA1L3EKVP7B}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
dns.net
392.168.0.1:1900
ÞFAlmx8pleQ0FRNPtPERSIST
UPnP.UP
PTF.ftpserver.com
ftpuser
iexplore.exe_3804:
.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... ))
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421
iexplore.exe_3804_rwx_10000000_0004D000:
`.rsrc
ServerKeyloggerU
789:;
%SERVER%
URLMON.DLL
shell32.dll
hXXp://
advapi32.dll
kernel32.dll
mpr.dll
version.dll
comctl32.dll
gdi32.dll
opengl32.dll
user32.dll
wintrust.dll
msimg32.dll
juXqhu2.iu
KWindows
TServerKeylogger
GetWindowsDirectoryW
RegOpenKeyExW
RegCreateKeyW
RegCloseKey
RegOpenKeyExA
FindExecutableW
ShellExecuteW
SHDeleteKeyW
URLDownloadToCacheFileW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
GetKeyboardType
GetKeyboardState
FtpPutFileW
FtpSetCurrentDirectoryW
.idata
.rdata
P.reloc
P.rsrc
URLDb
KERNEL32.DLL
ntdll.dll
oleaut32.dll
shlwapi.dll
wininet.dll
x.html
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
[Execute]
KeyDelBackspace
.html
XtremeKeylogger
Software\Microsoft\Windows\CurrentVersion\Run
.functions
icon=shell32.dll,4
shellexecute=
autorun.inf
\Microsoft\Windows\
ÞFAULTBROWSER%
svchost.exe
ah-antihacker.ddns.net
{W85FPND1-LO20-F66I-3B80-VFA1L3EKVP7B}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
dns.net
392.168.0.1:1900
ÞFAlmx8pleQ0FRNPtPERSIST
UPnP.UP
PTF.ftpserver.com
ftpuser
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\.exe
%Program Files%\Internet Explorer\iexplore.exe