
Mon, 04/03/2017 - 03:03

Trojan.SalityStub.F_a10da5331c

Trojan.Win32.Small.cox (Kaspersky), Trojan.SalityStub.F (B) (Emsisoft), Trojan.SalityStub.F (AdAware), Virus.Win32.Sality.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)

Behaviour: Trojan, Worm, Virus, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

Summary

MD5: a10da5331c665f1536de3abf624ddca3

SHA1: f34a293e7444b35df21673face9705f5c07b456c

SHA256: 630ea2439d88d863629c1dd08a32c27c22753b07c459f5a61c5c98da890c5ba4

SSDeep: 1536:LyByhG/OQi/6SqTqjLX6mFQfdOJYPiqzFKdP7e/cb9ZcAlw:LyBviSSqMLTFMfFiP7icbwAl

Size: 99328 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2010-11-05 02:25:00

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour     Description
WormAutorun   A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es): No processes have been created.

The Trojan injects its code into the following process(es):

%original file name%.exe:3420
taskhost.exe:872
Dwm.exe:1376
Explorer.EXE:1440
conhost.exe:1648
TPAutoConnect.exe:2160
conhost.exe:2168

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process %original file name%.exe:3420 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Windows\system.ini (70 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (20 bytes)
C:\limfrc.exe (99 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\reader_sl.exe (744 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winvfiibr.exe (561 bytes)
C:\autorun.inf (245 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winpbqj.exe (561 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winvfiibr.exe (0 bytes)
C:\Windows\57703 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067944_Rar (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067944_Rar\wincheck.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winpbqj.exe (0 bytes)

Registry activity

The process %original file name%.exe:3420 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Stvncyfrlda]
"m4_1" = "1735290733"
"m3_1" = "1718420804"
"m3_0" = "17001001"
"m4_4" = "2646195636"
"m4_5" = "86519073"
"m3_5" = "69945096"
"m3_2" = "3487544563"
"m2_2" = "3470576471"
"m2_3" = "910908362"
"m4_0" = "0"
"m2_1" = "1735293664"
"m4_2" = "3470581466"
"m2_4" = "2646190137"
"m2_5" = "86522028"
"m3_3" = "927474798"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Stvncyfrlda\168128873]
"1735290733" = "80"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKCU\Software\Stvncyfrlda\168128873]
"-1648771660" = "30"

[HKCU\Software\Stvncyfrlda]
"m3_4" = "2629490589"
"m1_5" = "990974441"
"m1_4" = "2043211597"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Stvncyfrlda]
"m1_0" = "1431655765"
"m1_3" = "553799287"
"m1_2" = "2322242303"
"m1_1" = "692605188"
"m2_0" = "5517"

[HKCU\Software\Stvncyfrlda\168128873]
"-824385830" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKCU\Software\Stvncyfrlda\168128873]
"910904903" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKCU\Software\Stvncyfrlda\168128873]
"1821809806" = "0200687474703A2F2F7061647275702E636F6D2E64732F736F62616B61312E67696600687474703A2F2F706161616161642E66642E66642F736F62616B61766F6C6F732E676966"

[HKCU\Software\Stvncyfrlda]
"m4_3" = "910904903"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Stvncyfrlda\168128873]
"86519073" = "72"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

A firewall is disabled:

"EnableFirewall" = "0"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

Dropped PE files

MD5                               File path
b2258bffb111712fc2e1614915e3915f  c:\limfrc.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\system.ini (70 bytes)
    %Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (20 bytes)
    C:\limfrc.exe (99 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\reader_sl.exe (744 bytes)
    %Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winvfiibr.exe (561 bytes)
    C:\autorun.inf (245 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\winpbqj.exe (561 bytes)

  4. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name   Virtual Address   Virtual Size   Raw Size   Entropy   Section MD5
.text  4096              69632          66048      5.53701   a27154e0dd1945031ab41845a45c329a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 770
0fd1d5b37f2181ebedd1e9470041a4bd
1952146275b3733e87cf663100fc6ccd
75b4936ffa6197093ddcb80348986b82
4fcb66b85ad6ceeb078208f460735273
1c95b5b0424486394ab2d5ee8b9aace9
22a3373179822f8de18ea14ab273c3c0
ff706af86a741943dd821218d2aeceda
28cb49fcebd7d430cd7e2a3081f1d40f
ee2d5e8d9a3cccec9e6779c45f750613
881545ecffa07303b951f6781830f195
f764c6b1ba500099e1cbcc975abe0420
7e311ab31b60b15830b51810c1264620
0520dee520620ed5b18c66db0610c6fd
9ec548ead927943185add7b0a599620a
380cd2be1830744fba36932742925c72
3081600875766398131f088d8902aeca
c6dffa71465a49ba06337b8aa4132c28
ed62de53ee02ff6d1ad943426c2a9d1a
ae5c2908cf7108e2cf9b6ac0e2c78f9b
6d0a423e96e8bbc26ff3e170c37eab45
570d9133391888b737e4ed8237b5ec7c
6fd30921621262c494716d675c4eaf35
3f68f43cfe3898062be106adb6c4aae7
7557c6e39adbd55fdc0d6bf363ee5605
2e6d717bbe55a36bda43ff1436282980

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the following location(s):

Strings from Dumps

%original file name%.exe_3420:

.text
KERNEL32.dll
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
%original file name%.exe
10da5331c665f1536de3abf624ddca3.exe
hXXp://padrup.com.ds/sobaka1.gif
hXXp://paaaaad.fd.fd/sobakavolos.gif
hXXp://89.11
.info/home.gifIh
bW.text
JKERNEL32.dll
%x.exe
h.rdla&
mH.MN8
T4.At%
S.twa
.klkjw:9fqwiBumW
.sysa
Zc.pBTa
~%s:*:yd:
.!.VF*
.d&?%x=
GUrlA'
"\'Web%w}
HTTP)s'PS
2GUARDCMD
o.ENHCDM
wWEBWUPD
MM.PF
%xn'[
>>?456789:;
!"#$%&'()* ,-./4
qn%CXf
UP*dB.PPd@.
%FoAN-x
ÄEW
%F" *" a
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA

%original file name%.exe_3420_rwx_003F0000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text

%original file name%.exe_3420_rwx_00401000_00011000:

KERNEL32.dll
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
%original file name%.exe
.text
10da5331c665f1536de3abf624ddca3.exe
hXXp://padrup.com.ds/sobaka1.gif
hXXp://paaaaad.fd.fd/sobakavolos.gif
hXXp://89.11
.info/home.gifIh
bW.text
JKERNEL32.dll
%x.exe
h.rdla&
mH.MN8
T4.At%
S.twa
.klkjw:9fqwiBumW
.sysa
Zc.pBTa
~%s:*:yd:
.!.VF*
.d&?%x=
GUrlA'
"\'Web%w}
HTTP)s'PS
2GUARDCMD
o.ENHCDM
wWEBWUPD
MM.PF
%xn'[
>>?456789:;
!"#$%&'()* ,-./4
qn%CXf
UP*dB.PPd@.
%FoAN-x
ÄEW
%F" *" a
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
WS2_32.dll
RegCloseKey
SHFileOperationA

taskhost.exe_872_rwx_00580000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text

%original file name%.exe_3420_rwx_00520000_010BA000:

hXXp://89.11
.info/home.gifIh
bW.text
JKERNEL32.dll
%x.exe
hXXp://89.119.67.154/testo5/
hXXp://kukutrustnet777.info/home.gif
hXXp://kukutrustnet888.info/home.gif
hXXp://kukutrustnet987.info/home.gif
.text
KERNEL32.dll
.reloc
USER32.dll
h.rdata
H.data
ntoskrnl.exe
Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
hXXp://VVV.klkjwre9fqwieluoi.info/
hXXp://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
hXXp://
ipfltdrv.sys
VVV.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\amsint32
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
KERNEL32.DLL
Explorer.exe
A2CMD.
ASHWEBSV.
AVGCC.AVGCHSVX.
DRWEB
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBSCANX.
%c%d_%d
purity_control_%x
.adata
M_%d_
?456789:;
!"#$%&'()* ,-./0123
mongC:\Windows\
C:\Windows\hywjfubtsnl.log
hXXp://padrup.com.ds/sobaka1.gif
hXXp://paaaaad.fd.fd/sobakavolos.gif
C:\Windows\system32\drivers\lmlpp.sys
3581629357
SHELL32.DLL
ShellExecuteA
GetProcessHeap
GetWindowsDirectoryA
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
&3&3&3&389
%F" *" a
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll

%original file name%.exe_3420_rwx_03490000_00001000:

u%original file name%.exeM_3420_

taskhost.exe_872_rwx_00590000_00001000:

utaskhost.exeM_872_

Dwm.exe_1376_rwx_00110000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text

Dwm.exe_1376_rwx_00120000_00001000:

udwm.exeM_1376_

Explorer.EXE_1440_rwx_01C50000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text

Explorer.EXE_1440_rwx_020D0000_00001000:

uexplorer.exeM_1440_

conhost.exe_1648_rwx_001B0000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text

conhost.exe_1648_rwx_001C0000_00001000:

uconhost.exeM_1648_

TPAutoConnect.exe_2160_rwx_002F0000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text

TPAutoConnect.exe_2160_rwx_00310000_00001000:

utpautoconnect.exeM_2160_

conhost.exe_2168_rwx_000B0000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.text

conhost.exe_2168_rwx_000C0000_00001000:

uconhost.exeM_2168_