For a Limited Time: Get HUGE savings on Pro and Sticky Password Premium! Act now & save 60%! BUY NOW >
  • Stay aware

    Inquietari sueti praenturis et stationibus servabantur agrariis

  • How to get the best

    Inquietari sueti praenturis et stationibus servabantur agrariis

  • Help us

    Inquietari sueti praenturis et stationibus servabantur agrariis

  • Forum

    Inquietari sueti praenturis et stationibus servabantur agrariis

Sat, 04/01/2017 - 03:05

Trojan.Generic.20493032_dd346f237b

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.20493032 (B) (Emsisoft), Trojan.Generic.20493032 (AdAware), Backdoor.Win32.Xtrat.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS) Behaviour: Trojan, Backdoor, Worm, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

Summary

MD5: dd346f237b63640681eb0fcca0db9e2e

SHA1: e37498d25c6e9191c3b430a5e69c14a906f9ac4d

SHA256: 4c114640f9e3e89f6b3ca27cde31dd7a58ff65d028c3a9136c4a95f8d80593a2

SSDeep: 3072:B2/C6U/CXKwCA/NsC1DrdSocnvD9kfR6ftWSkybNfLjS:5HMKCF/fR6fIozj

Size: 150016 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: Gemius

Created at: 2017-03-14 00:50:51

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:3584
.exe:3792

The Trojan injects its code into the following process(es):

svchost.exe:3616
iexplore.exe:3804

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process %original file name%.exe:3584 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (768 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\a33333.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\LoMkjwQ.exe (673 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (768 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\.exe (44 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\a33333.xml (0 bytes)

The process .exe:3792 makes changes in the file system.


The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\x.html (0 bytes)

Registry activity

The process %original file name%.exe:3584 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process .exe:3792 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\XtremeRAT]
"Mutex" = "lmx8pleQ0FRNPt"

Dropped PE files

MD5 File path
54a47f6b5e09a77e61649109c6a08866c:\Users\"%CurrentUserName%"\AppData\Local\Temp\.exe
54a47f6b5e09a77e61649109c6a08866c:\Windows\System32\InstallDir\svchost.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3584
    .exe:3792

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (768 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\a33333.xml (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\LoMkjwQ.exe (673 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (768 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\.exe (44 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: setup.exe
Internal Name: setup.exe
File Version: 1.0.0.0
File Description:
Comments:
Language: Chinese (Simplified, PRC)

Company Name: Product Name: Product Version: 1.0.0.0 Legal Copyright: Legal Trademarks: Original Filename: setup.exe Internal Name: setup.exe File Version: 1.0.0.0 File Description: Comments: Language: Chinese (Simplified, PRC)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text81921476361479684.96383b3d0d7d4f93b32d2f835ea74e3a5f63b
.rsrc163840102410241.45033eb430732b96f92c7a34280b006cf4762
.reloc172032125120.070639f4afd64c7ac0ca5a63ec3846c653b823

Dropped from:

26c8022bdcc2dc7c31dd8c860b11d3ab

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
ah-antihacker.ddns.net

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

svchost.exe_3616:

.text

.text

`.data

`.data

.rsrc

.rsrc

@.reloc

@.reloc

msvcrt.dll

msvcrt.dll

API-MS-Win-Core-ProcessThreads-L1-1-0.dll

API-MS-Win-Core-ProcessThreads-L1-1-0.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

API-MS-Win-Security-Base-L1-1-0.dll

API-MS-Win-Security-Base-L1-1-0.dll

API-MS-WIN-Service-Core-L1-1-0.dll

API-MS-WIN-Service-Core-L1-1-0.dll

API-MS-WIN-Service-winsvc-L1-1-0.dll

API-MS-WIN-Service-winsvc-L1-1-0.dll

RPCRT4.dll

RPCRT4.dll

ole32.dll

ole32.dll

ntdll.dll

ntdll.dll

_amsg_exit

_amsg_exit

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

GetProcessHeap

GetProcessHeap

svchost.pdb

svchost.pdb

version="5.1.0.0"

version="5.1.0.0"

name="Microsoft.Windows.Services.SvcHost"

name="Microsoft.Windows.Services.SvcHost"

Host Process for Windows Services

Host Process for Windows Services

Software\Microsoft\Windows NT\CurrentVersion\Svchost

Software\Microsoft\Windows NT\CurrentVersion\Svchost

Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost

Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost

\PIPE\

\PIPE\

Host Process for Windows Services

Host Process for Windows Services

6.1.7600.16385 (win7_rtm.090713-1255)

6.1.7600.16385 (win7_rtm.090713-1255)

svchost.exe

svchost.exe

Windows

Windows

Operating System

Operating System

6.1.7600.16385

6.1.7600.16385

svchost.exe_3616_rwx_10000000_0004D000:

`.rsrc

`.rsrc

ServerKeyloggerU

ServerKeyloggerU

789:;

789:;

%SERVER%

%SERVER%

URLMON.DLL

URLMON.DLL

shell32.dll

shell32.dll

hXXp://

hXXp://

advapi32.dll

advapi32.dll

kernel32.dll

kernel32.dll

mpr.dll

mpr.dll

version.dll

version.dll

comctl32.dll

comctl32.dll

gdi32.dll

gdi32.dll

opengl32.dll

opengl32.dll

user32.dll

user32.dll

wintrust.dll

wintrust.dll

msimg32.dll

msimg32.dll

juXqhu2.iu

juXqhu2.iu

KWindows

KWindows

TServerKeylogger

TServerKeylogger

GetWindowsDirectoryW

GetWindowsDirectoryW

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyW

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

FindExecutableW

FindExecutableW

ShellExecuteW

ShellExecuteW

SHDeleteKeyW

SHDeleteKeyW

URLDownloadToCacheFileW

URLDownloadToCacheFileW

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExW

SetWindowsHookExW

MapVirtualKeyW

MapVirtualKeyW

GetKeyboardLayout

GetKeyboardLayout

GetKeyState

GetKeyState

GetKeyboardType

GetKeyboardType

GetKeyboardState

GetKeyboardState

FtpPutFileW

FtpPutFileW

FtpSetCurrentDirectoryW

FtpSetCurrentDirectoryW

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

URLDb

URLDb

KERNEL32.DLL

KERNEL32.DLL

ntdll.dll

ntdll.dll

oleaut32.dll

oleaut32.dll

shlwapi.dll

shlwapi.dll

wininet.dll

wininet.dll

x.html

x.html

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_USERS

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

[Execute]

[Execute]

KeyDelBackspace

KeyDelBackspace

.html

.html

XtremeKeylogger

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

.functions

.functions

icon=shell32.dll,4

icon=shell32.dll,4

shellexecute=

shellexecute=

autorun.inf

autorun.inf

\Microsoft\Windows\

\Microsoft\Windows\

ÞFAULTBROWSER%

ÞFAULTBROWSER%

svchost.exe

svchost.exe

ah-antihacker.ddns.net

ah-antihacker.ddns.net

{W85FPND1-LO20-F66I-3B80-VFA1L3EKVP7B}

{W85FPND1-LO20-F66I-3B80-VFA1L3EKVP7B}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

dns.net

dns.net

392.168.0.1:1900

392.168.0.1:1900

ÞFAlmx8pleQ0FRNPtPERSIST

ÞFAlmx8pleQ0FRNPtPERSIST

UPnP.UP

UPnP.UP

PTF.ftpserver.com

PTF.ftpserver.com

ftpuser

ftpuser

iexplore.exe_3804:

.text

.text

`.data

`.data

.rsrc

.rsrc

@.reloc

@.reloc

>.uzf

>.uzf

.us;}

.us;}

IEFRAME.dll

IEFRAME.dll

MLANG.dll

MLANG.dll

iertutil.dll

iertutil.dll

urlmon.dll

urlmon.dll

ole32.dll

ole32.dll

SHELL32.dll

SHELL32.dll

SHLWAPI.dll

SHLWAPI.dll

msvcrt.dll

msvcrt.dll

USER32.dll

USER32.dll

KERNEL32.dll

KERNEL32.dll

ADVAPI32.dll

ADVAPI32.dll

RegOpenKeyExW

RegOpenKeyExW

RegCloseKey

RegCloseKey

GetWindowsDirectoryW

GetWindowsDirectoryW

_amsg_exit

_amsg_exit

_wcmdln

_wcmdln

UrlApplySchemeW

UrlApplySchemeW

PathIsURLW

PathIsURLW

UrlCanonicalizeW

UrlCanonicalizeW

UrlCreateFromPathW

UrlCreateFromPathW

iexplore.pdb

iexplore.pdb

KEYW

KEYW

KEYWh

KEYWh

KEYWD

KEYWD

.ENNNG.

.ENNNG.

a.ry.v

a.ry.v

l.igM4

l.igM4

?1%SGf

?1%SGf

xh.JW^

xh.JW^

.97777"7" " " !

.97777"7" " " !

3.... ))

3.... ))

8888888888888

8888888888888

8888888888

8888888888

.lPV)

.lPV)

úW1

úW1

.ApX/

.ApX/

H.ZAf

H.ZAf

ð[U

ð[U

%s!FK

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

888777777

Y.hilkRROMLK=C,

Y.hilkRROMLK=C,

..(((($$

..(((($$

3...((((%

3...((((%

3....(.''$

3....(.''$

3.2...((((%

3.2...((((%

33.2....(,'

33.2....(,'

55323222...

55323222...

(%&'00443445?

(%&'00443445?

00.,,,4(

00.,,,4(

000.,,9(

000.,,9(

0020..9(

0020..9(

003200;(

003200;(

(#'( (''''!'!

(#'( (''''!'!

Microsoft.InternetExplorer.Default

Microsoft.InternetExplorer.Default

user32.dll

user32.dll

Kernel32.DLL

Kernel32.DLL

xfire.exe

xfire.exe

wlmail.exe

wlmail.exe

winamp.exe

winamp.exe

waol.exe

waol.exe

sidebar.exe

sidebar.exe

psocdesigner.exe

psocdesigner.exe

np.exe

np.exe

netscape.exe

netscape.exe

netcaptor.exe

netcaptor.exe

neoplanet.exe

neoplanet.exe

msn.exe

msn.exe

mshtmpad.exe

mshtmpad.exe

mshta.exe

mshta.exe

loader42.exe

loader42.exe

infopath.exe

infopath.exe

iexplore.exe

iexplore.exe

iepreview.exe

iepreview.exe

groove.exe

groove.exe

explorer.exe

explorer.exe

dreamweaver.exe

dreamweaver.exe

contribute.exe

contribute.exe

aol.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

"%s" %s

Kernel32.dll

Kernel32.dll

\AppPatch\sysmain.sdb

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

kernel32.dll

{00000000-0000-0000-0000-000000000000}

{00000000-0000-0000-0000-000000000000}

\\?\Volume

\\?\Volume

shell:%s

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Frame_URLEntered

Imaging_CreateWebPagePreview

Imaging_CreateWebPagePreview

WS_ExecuteQuery

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

IEXPLORE.EXE

Windows

Windows

9.00.8112.16421

9.00.8112.16421

iexplore.exe_3804_rwx_10000000_0004D000:

`.rsrc

`.rsrc

ServerKeyloggerU

ServerKeyloggerU

789:;

789:;

%SERVER%

%SERVER%

URLMON.DLL

URLMON.DLL

shell32.dll

shell32.dll

hXXp://

hXXp://

advapi32.dll

advapi32.dll

kernel32.dll

kernel32.dll

mpr.dll

mpr.dll

version.dll

version.dll

comctl32.dll

comctl32.dll

gdi32.dll

gdi32.dll

opengl32.dll

opengl32.dll

user32.dll

user32.dll

wintrust.dll

wintrust.dll

msimg32.dll

msimg32.dll

juXqhu2.iu

juXqhu2.iu

KWindows

KWindows

TServerKeylogger

TServerKeylogger

GetWindowsDirectoryW

GetWindowsDirectoryW

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyW

RegCreateKeyW

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

FindExecutableW

FindExecutableW

ShellExecuteW

ShellExecuteW

SHDeleteKeyW

SHDeleteKeyW

URLDownloadToCacheFileW

URLDownloadToCacheFileW

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExW

SetWindowsHookExW

MapVirtualKeyW

MapVirtualKeyW

GetKeyboardLayout

GetKeyboardLayout

GetKeyState

GetKeyState

GetKeyboardType

GetKeyboardType

GetKeyboardState

GetKeyboardState

FtpPutFileW

FtpPutFileW

FtpSetCurrentDirectoryW

FtpSetCurrentDirectoryW

.idata

.idata

.rdata

.rdata

P.reloc

P.reloc

P.rsrc

P.rsrc

URLDb

URLDb

KERNEL32.DLL

KERNEL32.DLL

ntdll.dll

ntdll.dll

oleaut32.dll

oleaut32.dll

shlwapi.dll

shlwapi.dll

wininet.dll

wininet.dll

x.html

x.html

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_USERS

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

[Execute]

[Execute]

KeyDelBackspace

KeyDelBackspace

.html

.html

XtremeKeylogger

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

.functions

.functions

icon=shell32.dll,4

icon=shell32.dll,4

shellexecute=

shellexecute=

autorun.inf

autorun.inf

\Microsoft\Windows\

\Microsoft\Windows\

ÞFAULTBROWSER%

ÞFAULTBROWSER%

svchost.exe

svchost.exe

ah-antihacker.ddns.net

ah-antihacker.ddns.net

{W85FPND1-LO20-F66I-3B80-VFA1L3EKVP7B}

{W85FPND1-LO20-F66I-3B80-VFA1L3EKVP7B}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

dns.net

dns.net

392.168.0.1:1900

392.168.0.1:1900

ÞFAlmx8pleQ0FRNPtPERSIST

ÞFAlmx8pleQ0FRNPtPERSIST

UPnP.UP

UPnP.UP

PTF.ftpserver.com

PTF.ftpserver.com

ftpuser

ftpuser

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\.exe

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\.exe

%Program Files%\Internet Explorer\iexplore.exe

%Program Files%\Internet Explorer\iexplore.exe