Application.Downloader.AKK_6d9315385c

by malwarelabrobot on March 27th, 2017 in Malware Descriptions.

Application.Downloader.AKK (AdAware), Trojan.Win32.Swrort.3.FD (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 6d9315385c605890a61b227e11001e96
SHA1: 6285a0a3a997adfb3ee8f5720b30436855414b8a
SHA256: a32793d5774ab6d3d4c88be6be5558d4e233796ea977609a805d778ed5652cad
SSDeep: 12288:kdDRdsrDoPEB5Uh fZN81Eq6RaXMrQAC3TyWl4pIZU8s2yM17sdn/1:IR6rkPo5LkEq6IXoQAC2q4pIZuYmt
Size: 737792 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-11-09 18:31:42
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Application creates the following process(es):
No processes have been created.
The Application injects its code into the following process(es):

%original file name%.exe:2060

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2060 makes changes in the file system.
The Application creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\FailedToInstall[1].htm (715 bytes)

Registry activity

The process %original file name%.exe:2060 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Application deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 613088 613376 5.51487 7b88abd958984beb06b6396e55787664
.data 618496 90364 90624 5.51808 8dd3663bc5218f10562c7309e658798d
.rdata 712704 8704 8704 4.4428 3c1381e19cdf1066bf95ce957baefa68
.bss 724992 2304 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 729088 8092 8192 3.92823 95d9b9c789fd087870f0854c4fe03eca
.tls 737280 44 512 0.142404 162a4c0fae74fb067ab49760f71d0850
.rsrc 741376 14988 15360 3.56282 ff7f2f458fc19a67a6717dcc7191c088

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 180

URLs

URL IP
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/index.php
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/FailedToInstall.php?reason=8&version=1.1.5.26
hxxp://www.selfdislikedfarfet.site/FailedToInstall.php?reason=8&version=1.1.5.26 107.20.147.93
hxxp://www.selfdislikedfarfet.site/index.php 107.20.147.93


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE SoundCloud Downloader Install Beacon

Traffic

Web Traffic was not found.

The Application connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Application file.
  3. Delete or disinfect the following files created/modified by the Application:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\FailedToInstall[1].htm (715 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
