Gen.Variant.Kazy.322006_809eb83e51
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.322006 (B) (Emsisoft), Gen:Variant.Kazy.322006 (AdAware)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 809eb83e51ce7f58b081f293562bc86b
SHA1: 36831939d90dc8d27b4bce3a265813644e672ba1
SHA256: f27b7d7708b154fc0c9f4bcba6ad79f4252d97cb3334ae954bd3a475876dcbd5
SSDeep: 1536:A6JIXySkRUmpqsa/DbH2PIe LwuXtZJ7G0ivSqDP3D6uPYT8LIQO:A6JLTRU1LPHgBotza0cSqDP3aT2IQO
Size: 75264 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company:
Created at: 2016-12-19 18:05:08
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
borp.exe:2064
%original file name%.exe:2972
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process borp.exe:2064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (760 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (760 bytes)
The process %original file name%.exe:2972 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (768 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\borp.exe (678 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (768 bytes)
The Trojan deletes the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2972.479812 (0 bytes)
Registry activity
The process %original file name%.exe:2972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Rz1zg8FA4AUl2
Product Name: ZE!Ei?LF&F3n$
Product Version: 4.1.5.?0
Legal Copyright: Rz1zg8FA4AUl2
Legal Trademarks: ZE!Ei?LF&F3n$
Original Filename: ?????.exe
Internal Name: ?????.exe
File Version: 4.1.5.?0
File Description: Rz1zg8FA4AUl2
Comments: ZE!Ei?LF&F3n$
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 69940 | 70144 | 5.39796 | 96ca386977612c7fc0ae02da4f0b02a3 |
| .rsrc | 81920 | 4096 | 4096 | 0.721294 | e7e1bbd8ed79597ac3e38a444f057067 |
| .reloc | 90112 | 12 | 512 | 0.067931 | 446c27b663fcfa67befec9f3c5cc1450 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
borp.exe:2064
%original file name%.exe:2972
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (760 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (760 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\borp.exe (678 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (768 bytes)
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.