Sun, 04/02/2017 - 03:03

Trojan.GenericKD.4597039_c59ec9aa29

Trojan-Dropper.Win32.Sysn.ceic (Kaspersky), Trojan.GenericKD.4597039 (B) (Emsisoft), Trojan.GenericKD.4597039 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS) Behaviour: Trojan-Dropper, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: c59ec9aa2900d0444e445184b567cb8f

SHA1: daa38b395d3ffd0d24e47725773033d363e0e55e

SHA256: 61bec80b6be6183c4cfc4b06e047d68452ac775f9a103bb3d0d1d83aadaa4fa5

SSDeep: 12288:7XwOrReFWQF96hGcWn7GJeKYxh/DNlmWwnTKXVh2OAM1Vs6:7XwOrRsRMHWnSJ2xVCKVhomVH

Size: 471563 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6

Company: Heaventools Software

Created at: 2012-12-31 02:38:51

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

setup.exe:1900
uc.exe:1780
Bind.exe:2980
%original file name%.exe:1904
setup.tmp:2504

The Trojan injects its code into the following process(es): No processes have been created.

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process setup.exe:1900 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DC4UN.tmp\setup.tmp (1423 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DC4UN.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DC4UN.tmp\setup.tmp (0 bytes)

The process Bind.exe:2980 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Browser_V6.0.1471.913_r_4728_(Build1702151518).exe (322475 bytes)

The process %original file name%.exe:1904 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7ZipSfx.000\setup.exe (1234 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7ZipSfx.000\setup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7ZipSfx.000 (0 bytes)

The process setup.tmp:2504 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-BOL6B.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files%\fff\is-EMLCE.tmp (23961 bytes)
%Program Files%\fff\unins000.dat (1376 bytes)
%Program Files%\fff\Bind.exe (73 bytes)
%Program Files%\fff\is-HV063.tmp (336232 bytes)
%Program Files%\fff\fff.ini (25 bytes)
%Program Files%\fff\uc.exe (20845 bytes)
%Program Files%\fff\is-27FEK.tmp (601 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-BOL6B.tmp\_isetup\_shfoldr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-BOL6B.tmp\_isetup (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-BOL6B.tmp (0 bytes)

Registry activity

The process uc.exe:1780 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost0" = "%Program Files%\fff\uc.exe"

The process Bind.exe:2980 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Bind_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process %original file name%.exe:1904 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process setup.tmp:2504 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence" = "1"
"RegFilesHash" = "52 57 97 14 28 CC 09 85 30 BF CB 12 66 D8 49 C0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFiles0000" = "%Program Files%\fff\uc.exe, %Program Files%\fff\Bind.exe"
"SessionHash" = "84 1E 35 B4 A2 6E D8 7B E4 2D FA 28 86 63 D2 BF"
"Owner" = "C8 09 00 00 4F 2D BE 0A 98 AA D2 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\RestartManager\Session0000]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\RestartManager\Session0000]
"RegFilesHash"
"Sequence"
"RegFiles0000"
"SessionHash"
"Owner"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

Dropped PE files

MD5                               File path
9ae609779122802b06182903baec93ea  c:\Program Files\fff\Bind.exe
c96a0f939b9e809d24d6149046b7eb72  c:\Program Files\fff\uc.exe
f13f028e99888a77e21c721961101339  c:\Program Files\fff\unins000.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    setup.exe:1900
    uc.exe:1780
    Bind.exe:2980
    %original file name%.exe:1904
    setup.tmp:2504

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-DC4UN.tmp\setup.tmp (1423 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Browser_V6.0.1471.913_r_4728_(Build1702151518).exe (322475 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7ZipSfx.000\setup.exe (1234 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-BOL6B.tmp\_isetup\_shfoldr.dll (47 bytes)
    %Program Files%\fff\is-EMLCE.tmp (23961 bytes)
    %Program Files%\fff\unins000.dat (1376 bytes)
    %Program Files%\fff\Bind.exe (73 bytes)
    %Program Files%\fff\is-HV063.tmp (336232 bytes)
    %Program Files%\fff\fff.ini (25 bytes)
    %Program Files%\fff\uc.exe (20845 bytes)
    %Program Files%\fff\is-27FEK.tmp (601 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "svchost0" = "%Program Files%\fff\uc.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Oleg N. Scherbakov
Product Name: 7-Zip SFX
Product Version: 1.6.0.2712
Legal Copyright: Copyright (c) 2005-2012 Oleg N. Scherbakov
Legal Trademarks:
Original Filename: 7ZSfxMod_x86.exe
Internal Name: 7ZSfxMod
File Version: 1.6.0.2712
File Description: 7z Setup SFX (x86)
Comments:
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             101854        101888    4.62608  0c04e49d78a3c453186c916e6f29540d
.rdata  106496           15306         15360     3.96022  1eff757b36a6b7a599236ac8b1b35b4d
.data   122880           19948         2560      3.08518  21d5c7a8ba54658b1e07909bf1045c79
.rsrc   143360           6124          6144      2.447    653c7269f74cc4a55256fa4ce18159c0

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 4
712fe060095354d46e56453a9e89361a
f7ee0c604322fd2ecde860d9e255e401
018dc6096ab70a223715be23a7529094
b74229149dee4708eeb55641b246cf2c

Network Activity

URLs

URL IP
hxxp://www.guoneizhu.com/ucni.txt
hxxp://www.guoneizhu.com/Browser_V6.0.1471.913_r_4728_(Build1702151518).exe
dns.msftncsi.com
time.windows.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /Browser_V6.0.1471.913_r_4728_(Build1702151518).exe HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: wget
Host: VVV.guoneizhu.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 21 Feb 2017 14:15:23 GMT
Accept-Ranges: bytes
ETag: "6f2ddcf04c8cd21:0"
Server: Microsoft-IIS/10.0
Date: Sat, 01 Apr 2017 03:28:34 GMT
Content-Length: 51179792

<<< skipped >>>

GET /ucni.txt HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent: wget
Host: VVV.guoneizhu.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Fri, 31 Mar 2017 10:20:22 GMT
Accept-Ranges: bytes
ETag: "eb6c7678aad21:0"
Server: Microsoft-IIS/10.0
Date: Sat, 01 Apr 2017 03:28:12 GMT
Content-Length: 318

hXXp://VVV.guoneizhu.com/Browser_V6.0.1471.913_r_4728_(Build1702151518).exe Browser_V6.0.1471.913_r_4728_(Build1702151518).exe
hXXp://VVV.guoneizhu.com/FlowSpritSetup_slnt_5011.exe FlowSpritSetup_slnt_5011.exe
hXXp://VVV.guoneizhu.com/sogou_explorer_fast_7.0.6.23853_7471.exe sogou_explorer_fast_7.0.6.23853_7471.exe

Map

The Trojan connects to the servers at the following location(s):

Strings from Dumps

uc.exe_1780:

.text
`.rdata
@.data
.rsrc
w.SCv
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyW
RegOpenKeyW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
COMCTL32.dll
GetCPInfo
%s\%s
%s\*.*
@.reloc
GetProcessWindowStation
"%/28;=#$019:>?
mgM
zcÁ
8 8$80848
%Program Files%\fff\uc.exe
\aa.lnk
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
%USERPROFILE%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\2345
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer
Chrome_WidgetWin_1
C:\Users\Public\Desktop\
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC1}_is1
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
qqbrowser.exe
http\shell\open\command
%s\Internet Explorer\iexplore.exe
%USERPROFILE%\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\UC
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser
%s\UCBrowser.exe
mscoree.dll
@KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
index.dat
%Program Files% (x86)\UCBrowser\Application\UCBrowser.exe
%Program Files% (x86)\2345Soft\2345Explorer\2345Explorer.exe
%Program Files% (x86)\KuaiZip\X86\KuaiZip.exe
%Program Files% (x86)\IQIYI Video\LStyle\5.3.21.2676\QyClient.exe
%Program Files% (x86)\LuDaShi\ComputerZ_CN.exe
%Program Files% (x86)\YouKu\YoukuClient\YoukuDesktop.exe
InstallerSuccessLaunchCmdLine
Software\Microsoft\Windows\CurrentVersion\Run
\UUC0789.exe
1, 0, 0, 1
uc.exe

Bind.exe_2980:

.text
`.rdata
@.data
.rsrc
xDv.SCv
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
USER32.dll
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
HttpQueryInfoA
WININET.dll
GetCPInfo
GET%sHTTP/1.1
Range: bytes=%d-
%Program Files%\fff\Bind.exe
Bind.exe
msctls_hotkey32
HotKey1