Gen.Variant.Graftor.350771_87d90ad388
Trojan-Downloader.NSIS.Adload.bx (Kaspersky), Gen:Variant.Graftor.350771 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 87d90ad3885bf2b6b8e9d04de522b60c
SHA1: cf4a53b2f6a428a934cc3739f5fc7d348ffae9b9
SHA256: 910518ad998cf090d7ab4eae91f0c18a65347337f970956c9fee77c08cada200
SSDeep: 49152:dqbL5MiwMfzK/Jsb//4hthRUvNnduR5M36xkFGOD6MhIG:dqOiwMFithR2Ndu3zxnO2SZ
Size: 2548974 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
setup.exe:1720
The Trojan injects its code into the following process(es):
%original file name%.exe:2936
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process setup.exe:1720 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssAAA2.tmp\LangDLL.dll (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscAA91.tmp (7070 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssAAA2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscAA90.tmp (0 bytes)
The process %original file name%.exe:2936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh49CC.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh49CC.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh49CC.tmp\B (36509 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss49BC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh49CC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh49CC.tmp\ZuT2XmqCRd (0 bytes)
Registry activity
The process %original file name%.exe:2936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\87d90ad3885bf2b6b8e9d04de522b60c_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\87d90ad3885bf2b6b8e9d04de522b60c_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\87d90ad3885bf2b6b8e9d04de522b60c_RASMANCS]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\87d90ad3885bf2b6b8e9d04de522b60c_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\87d90ad3885bf2b6b8e9d04de522b60c_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\87d90ad3885bf2b6b8e9d04de522b60c_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\87d90ad3885bf2b6b8e9d04de522b60c_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
| MD5 | File path |
|---|---|
| c17103ae9072a06da581dec998343fc1 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh49CC.tmp\System.dll |
| c498ae64b4971132bba676873978de1e | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh49CC.tmp\inetc.dll |
| e7bdc3db66a2c11f217bf5bfe3c2a1c0 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh49CC.tmp\setup.exe |
| a1cd3f159ef78d9ace162f067b544fd9 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssAAA2.tmp\LangDLL.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
| .rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
| .data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
| .ndata | 192512 | 40960 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 233472 | 16944 | 17408 | 3.51858 | 37c2ccfc5b09cac81285df31ebac23d4 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 2
3239aa1cf4662261740672f1daafbfd9
9679a18869914f14531ad56c03b05918
URLs
| URL | IP |
|---|---|
| get.erattempth.club | |
| get.ercationiv.club | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
setup.exe:1720
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssAAA2.tmp\LangDLL.dll (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nscAA91.tmp (7070 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh49CC.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh49CC.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh49CC.tmp\B (36509 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.