Mon, 03/27/2017 - 03:00

Trojan.NSIS.StartPage_bde22ac03a

not-a-virus:AdWare.Win32.Inffinity.yas (Kaspersky), Trojan.NSIS.StartPage.FD (Lavasoft MAS) Behaviour: Trojan, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: bde22ac03a3f59684b84f95b09c929fd

SHA1: d7117729bc5918d673c1f52094ac7f5c8ac4138a

SHA256: 2d527c905318f87fd82890eb9e8ebfd7e2da13f89113e1018e50b82c76ecafc6

SSDeep: 6144:He34R2lhmWzh36dqXEV2rnCeZG/t7FTBqTzP7n7O7L6K2Bfo7pu:T2bbzh36VV2Go0ZTsnz7O7L6ju7pu

Size: 566824 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2009-12-06 00:50:52 (PE header timestamp; for NSIS-built installers this is the timestamp of the NSIS stub, not of when this package was built)

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1784

The Trojan injects its code into the following process(es): none; no code injection into other processes was observed.

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process %original file name%.exe:1784 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\UAC.dll (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\modern-wizard.bmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\captura.bmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\BrandingURL.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\ioSpecial.ini (7139 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\InstallOptions.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\LangDLL.dll (13 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7944.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\show_page_toolbar (0 bytes)

Registry activity

Dropped PE files

MD5                               File path
71c46b663baa92ad941388d082af97e7  c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\BrandingURL.dll
325b008aec81e5aaa57096f05d4212b5  c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\InstallOptions.dll
9384f4007c492d4fa040924f31c00166  c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\LangDLL.dll
a5f8399a743ab7f9c88c645c35b1ebb5  c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\NSISdl.dll
09caf01bc8d88eeb733abc161acff659  c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\UAC.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1784

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\NSISdl.dll (30 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\UAC.dll (37 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\modern-wizard.bmp (1568 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\captura.bmp (1568 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\BrandingURL.dll (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\ioSpecial.ini (7139 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\InstallOptions.dll (30 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7945.tmp\LangDLL.dll (13 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text              4096         23628     24064  4.46394  856b32eb77dfd6fb67f21d6543272da5
.rdata            28672          4764      5120  3.4982   dc77f8a1e6985a4361c55642680ddb4f
.data             36864        154712      1024  3.3278   7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata           192512        110592         0  0        d41d8cd98f00b204e9800998ecf8427e
.rsrc            303104         16544     16896  4.13341  e957b93201e1ddf40aa35ce0a75289ff
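As an added example (not part of the Lavasoft report and not run against the analysed sample), the script below recomputes the kind of data shown in the Summary and PE Sections blocks from a PE file's bytes: the MD5/SHA1/SHA256 and size, the COFF timestamp behind "Created at", and for every section its virtual address, virtual size, raw size, Shannon entropy and MD5 of the raw bytes, from which a packed / not-packed verdict is derived. The PE image built by build_sample_pe() is constructed for the demonstration, and the 7.0 bits-per-byte packing cut-off is an assumption, not the analysis system's threshold.

```python
"""Added example, not part of the Lavasoft report: recompute the Summary hash
fields and the PE Sections table (virtual address/size, raw size, entropy,
per-section MD5) from a PE file's bytes, then derive a packed / not-packed
verdict like the report's "Entropy" field.  Standard library only.  The PE
image from build_sample_pe() is constructed here; it is NOT the analysed sample."""
import hashlib
import math
import struct
from datetime import datetime, timezone

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
PACKED_THRESHOLD = 7.0  # assumed cut-off: bits/byte above which a section looks packed/encrypted

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return abs(sum(c / n * math.log2(c / n) for c in counts if c))

def summary(data: bytes) -> dict:
    """The report's Summary hash fields plus the COFF TimeDateStamp ('Created at')."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]  # after "PE\0\0", Machine, NumberOfSections
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "Size": len(data),
        "Created at": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
    }

def pe_sections(data: bytes) -> list:
    """Walk the section table; one dict per section with the report's columns."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the 20-byte COFF header and the optional header
    rows = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = SECTION_HDR.unpack_from(data, table + i * SECTION_HDR.size)[:5]
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        rows.append({
            "Name": name.rstrip(b"\0").decode("ascii", "replace"),
            "Virtual Address": va,
            "Virtual Size": vsize,
            "Raw Size": rawsize,
            "Entropy": round(shannon_entropy(raw), 5),
            "Section MD5": hashlib.md5(raw).hexdigest(),  # no raw data gives d41d8cd9..., as in the .ndata row
        })
    return rows

def packing_verdict(rows: list) -> str:
    """Mirror the report's 'Entropy: Not Packed' field from the per-section numbers."""
    hot = [r["Name"] for r in rows if r["Raw Size"] and r["Entropy"] > PACKED_THRESHOLD]
    return "Packed (%s)" % ", ".join(hot) if hot else "Not Packed"

def build_sample_pe() -> bytes:
    """Constructed three-section PE32 image (not the analysed sample): a two-symbol .text,
    a uniformly distributed .pack, and a .ndata with no raw data; file alignment 0x200."""
    file_align, opt_size = 0x200, 224
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 1260060652, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    text_raw = b"\x00" * 256 + b"\xFF" * 256                   # two symbols, equally likely -> 1 bit/byte
    pack_raw = bytes(range(256)) * 2                           # every byte value equally often -> 8 bits/byte

    def hdr(name, vsize, va, raw, ptr):
        return SECTION_HDR.pack(name, vsize, va, len(raw), ptr, 0, 0, 0, 0, 0x60000020)

    headers = (hdr(b".text", 0x1F0, 0x1000, text_raw, file_align)
               + hdr(b".pack", 0x200, 0x2000, pack_raw, 2 * file_align)
               + hdr(b".ndata", 0x1000, 0x3000, b"", 0))
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers
    image += b"\0" * (file_align - len(image))                 # pad headers up to the first raw section
    return image + text_raw + pack_raw

if __name__ == "__main__":
    sample = build_sample_pe()
    for field, value in summary(sample).items():
        print(f"{field}: {value}")
    rows = pe_sections(sample)
    print("\nName    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5")
    for r in rows:
        print(f"{r['Name']:<7} {r['Virtual Address']:>15} {r['Virtual Size']:>12} "
              f"{r['Raw Size']:>8} {r['Entropy']:>8} {r['Section MD5']}")
    print("\nEntropy:", packing_verdict(rows))
```

Run it on a real file by replacing build_sample_pe() with open(path, "rb").read(). Whole-file entropy alone is a weak packer signal for an NSIS installer, because the compressed payload sits in the overlay after the last section rather than inside a section; comparing per-section values against the table above is what separates a stock NSIS stub from a repacked or protected one.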

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 5612
0a1caace976174f8bffc383c4c3c0fa8
6c0dd3fd53001055d10e6c3b58b132fc
34fc7a7d6c5c000de38f15416e248650
1fe5758661d47a7463311a23be5afc6d
47a989cbf81ee8781ab8e4fcea78e0a6
80fc6018bfb9bfa9c6106a2f6671af3c
53fb1689dda0202c988a9647598a7076
82ab071eb5dae7c473a6a532df07ee4f
d608c8b5046a858542a4be4bc1518cd6
274f9329d87252ba0759faae6d54efab
a2c42bcfa6b9b4ae21d5d30a3fc4449c
9cd7fed5983dc222494dee5067d07d44
e46a6f026f343b82ef1b89c8547087df
a73568d4b4cf791553d20452cb3f2059
562afd7351e91104bccde6123ac2ed62
f2f2f48ed0f0bb349c59226586843b18
d7ef7dba9427c6ac00635ef58b3af430
c97e53869fb36099d60bbfd5a4e3618d
bcc26e9c2ef7871d62fefcca0adeb2de
06af7d27eea09bbf0c878a5c8f90bf85
9dc462916a0e3561935005d57bb68b17
edd3ca449e3aeb7304af05a848d953e1
6d029e8f6961ffb648035057d7d9e826
edaf5fce3680f79f13548f2fc46d5b48
921efa2fcc2ae90b9125b617e545bb96

Network Activity

URLs

URL                                                                                  IP
hxxp://phpnuke.org/installers/nsis/pantallatoolbar_babylon_coupish_en.ini
hxxp://download.phpnuke.org/installers/nsis/pantallatoolbar_babylon_coupish_en.ini   91.134.159.129

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the following location(s):

Strings from Dumps