Gen.Variant.Graftor.203159_f81a85e7db

by malwarelabrobot on April 24th, 2017 in Malware Descriptions.

Trojan-Downloader.Win32.Dupzom.aod (Kaspersky), Gen:Variant.Graftor.203159 (B) (Emsisoft), Gen:Variant.Graftor.203159 (AdAware)
Behaviour: Trojan-Downloader, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
The sample has been submitted by Lavasoft customers.


MD5: f81a85e7db0a3c65897e1ac1c7256e0b
SHA1: d9e259e9b9270f717af5777656ae31f1219d1b5d
SHA256: 6416f11429388861ef231bd4bf2893fc7c47bddab79f6f60ac3efdcc413a946f
SSDeep: 768:ticNKWsQ1A KXkOfvOZub5TmeIjqCUPADJh: a1ANX1nO81i6ADj
Size: 52247 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-04-17 15:09:27
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Downloader: a Trojan program that downloads files from the Internet without the user's knowledge and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3364

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

The process %original file name%.exe:3364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\f81a85e7db0a3c65897e1ac1c7256e0b_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{E549E976-C5F2-4E77-819D-55BC9B7C25BC}"

[HKLM\SOFTWARE\Microsoft\Tracing\f81a85e7db0a3c65897e1ac1c7256e0b_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\f81a85e7db0a3c65897e1ac1c7256e0b_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\f81a85e7db0a3c65897e1ac1c7256e0b_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\f81a85e7db0a3c65897e1ac1c7256e0b_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\f81a85e7db0a3c65897e1ac1c7256e0b_RASMANCS]
"MaxFileSize" = "1048576"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             12636         12800     4.20355  0606b9b9813779791462e61008270a28
.rdata  20480            3662          4096      2.78814  198a476c62f8f30adfe28159fe265d2c
.data   24576            4052          3072      4.34789  4b090d9cb6a57fac352bcac27eda6493
.rsrc   28672            31032         31232     2.77232  fb5dac2945c52cd7534b4c81cd4013ae

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL               IP
dns.msftncsi.com  131.107.255.255


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the following location(s):

Strings from Dumps

%original file name%.exe_3364:

.text
`.rdata
@.data
.rsrc
KERNEL32.dll
d.dll
mysql
MSVCR90.dll
_amsg_exit
_acmdln
_crt_debugger_hook
GetProcessHeap
imagehlp.dll
a15659062277.f3322.net
723687626
1234567890
Agkymes.exe
hXXp://103.76.85.119/Consys21.dll
hXXp://103.76.85.119:85/v5.exe
Wininet.dll
WININET.dll
127.0.0.1
%Program Files%\AppPatch\mysqld.dll
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3364

  2. Delete the original Trojan file.
  3. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
