MD5: 71ee3f4d094c94bf291aaee6bbb3e857
SHA1: e304d369a92d372f1211d0dcaedabeffb852ed36
SHA256: fd5fed2e0f8902744f7a58eafacc6de742c4b4cadef67625735e5956cd43077f
SSDeep: 6144:rJVEe3d6bGxEifgBp8013qFfQ0Cf41gl:rJVL3diGxEioBp8qaVkfT
Size: 219648 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2011-11-06 20:44:17
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan-Spy. Spy program intended for stealing user's confidential data.

Payload

Process activity

The Trojan creates the following process(es):

wmiapsvrd.exe:2924
%original file name%.exe:2944

The Trojan injects its code into the following process(es):

wmiapsvrd.exe:2920
%original file name%.exe:2932
adiadg.exe:2980

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\KEY (33 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\csrss.exe (305 bytes)

The process %original file name%.exe:2932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\System\wmiapsvrd.exe (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\System\adiadg.exe (39 bytes)

The process adiadg.exe:2980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\System\wmiapsvrd.exe (221 bytes)

Registry activity

The process %original file name%.exe:2944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"CZMDSJD295" = "NC"

[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"CZMDSJD295" = "May 23, 2017"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"framework" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\csrss.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"framework" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\csrss.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"framework" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\csrss.exe"

The process %original file name%.exe:2932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process adiadg.exe:2980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft® Windows® Operating System" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\System\adiadg.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
liqtoboy.no-ip.biz	204.95.99.109
dns.msftncsi.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the folowing location(s):

`.rsrc

WebHide_

s|I.ql

bss_server.usrReverseRelay

tmrWebHide

bss_server.Socket

bss_server.usrRelay

mswinsck.ocx

MSWinsockLib.Winsock

ieframe.dll

SHDocVwCtl.WebBrowser

WebBrowser

modLaunchWeb

%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB

C:\Windows\SysWOW64\ieframe.dll

winmm.dll

user32.dll

advapi32.dll

shell32.dll

kernel32.dll

avicap32.dll

advpack.dll

GetAsyncKeyState

SetWindowsHookExA

UnhookWindowsHookEx

GetKeyboardLayout

GetKeyboardState

GetKeyState

PSAPI.DLL

SHFileOperationA

CreatePipe

CHAT_ADDMSG

GetTcpTable

ExitWindowsEx

EnumWindows

WinInet.dll

DeleteUrlCacheEntryA

urlmon

URLDownloadToFileA

ShellExecuteA

keybd_event

VBA6.DLL

C:\Windows\SysWow64\msvbvm60.dll\3

ws2_32.dll

AddMsg

GdiplusShutdown

RemotePort

LocalPort

WSOCK32.DLL

RegCloseKey

RegOpenKeyExA

ntdll.dll

*wC:\Windows\SysWOW64\ieframe.oca

UDPSocket

J%Program Files% (x86)\Microsoft Visual Studio\VB98\vbc14663.oca

tmrTCP

tmrUDP

UDPFlood

ole32.dll

crypt32.dll

oleaut32.dll

RegOpenKeyA

FindNextUrlCacheEntryA

FindFirstUrlCacheEntryA

imgLoginPressed

imgLogin

txtPassword

RegCreateKeyA

RegDeleteKeyA

RegEnumKeyExA

gdi32.dll

olepro32.dll

InternetOpenUrlA

FtpGetFileA

FtpPutFileA

FtpSetCurrentDirectoryA

FtpGetCurrentDirectoryA

FtpOpenFileA

FtpGetDirectory

Http_DownloadFile

FtpGetFileSize

FtpDeleteFileA

FtpCreateDirectoryA

FtpRemoveDirectoryA

FtpRenameFileA

FtpDownload

FtpUpload

cmdShowfiles

msvbvm60.dll

?8??8??8??8??8?

.QX0WPp

uMsg

strMsg

MsgNum

AllMsgs

lngPort

URL_TARGET

Port

Password

WebURL

Returns/Sets the port to be connected to on the remote computer

Returns/Sets the port used on the local computer

Binds socket to specific port and adapter

Occurs after a send operation has completed

.text

`.data

.rsrc

.rsmC

KERNEL32.DLL

MSVBVM60.DLL

*\AC:\Users\Admin\Desktop_old\Blackshades project\Blackshades NET\server\server.vbp

2c49f800-c2dd-11cf-9ad6-0080c7e7b78d

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5

{00020404-0000-0000-C000-000000000046}

\nir_cmd.bss speak text

\nir_cmd.bss setsysvolume 65535

\nir_cmd.bss mutesysvolume 1

\nir_cmd.bss mutesysvolume 0

\nir_cmd.bss screensaver

\nir_cmd.bss monitor off

\nir_cmd.bss monitor on

PORT

TRANSFERPORT

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\

Keylog

Wscript.Shell

HKEY_CLASSES_ROOT\HTTP\shell\open\command\

\winlogon.exe

iexplore.exe

hXXp://VVV.facebook.com/?ref=home

hXXp://VVV.facebook.com

ADVAPI32.dll

Windows Firewall/Internet Connection Sharing (ICS)

WebCamCapture

\Vuze\Azureus.exe

\LimeWire\LimeWire.exe

\uTorrent\uTorrent.exe

\uTorrent\uTorrent.exe /HIDE

\BitTorrent\bittorrent.exe

\MSWINSCK.OCX

\cmd.exe

\data.dat

\steam\steam.exe

nkey

dkey

regsvr32.exe

\pws_mail.bss

\pws_mess.bss

\pws_cdk.bss

\pws_ff.bss

\pws_chro.bss

\nir_cmd.bss

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "

:*:Enabled:Windows Messanger" /f

winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2

00000000

winmgmts:\\.\root\cimv2

Select * from Win32_Keyboard

api.ipinfodb.com

GET /v2/ip_query.php?key=

&timezone=off HTTP/1.1

Host: api.ipinfodb.com

GET /v2/ip_query_country.php?key=

Portable

winmgmts:\\.\root\SecurityCenter

\wallpaper.bmp

\wallpaper.jpg

WScript.Shell

WinServer 2003, Web Edition

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName

__oxFrame.class__

Scripting.FileSystemObject

Autorun.ini

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}

Address family not supported by protocol family.

Operation already in progress.

Operation now in progress.

Socket operation on nonsocket.

Operation not supported.

Protocol family not supported.

Protocol not supported.

Socket type not supported.

Winsock.dll version out of range.

CSocketMaster.SocketExists

CSocketMaster.PostSocket

CSocketMaster.ConnectToIP

CSocketMaster.ResolveIfHostname

CSocketMaster.SendBufferedDataUDP

CSocketMaster.SendBufferedData

/stext mess.dat

abe2869f-9b47-4cd9-a358-c22904dba7f7

\mess.dat

/stext mail.dat

\mail.dat

/stext ffpw.dat

\ffpw.dat

Web Site

Password

/stext chro.dat

\chro.dat

Action URL

SOFTWARE\MICROSOFT\Windows NT\CurrentVersion

Windows

SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command

http\shell\open\command

127.0.0.1

\dump.txt

\uTorrent\uTorrent.exe /DIRECTORY

255.255.255.255

finalizarprocessoportas

CONNECT %s:%i HTTP/1.0

SOFTWARE\Classes\http\shell\open\command

Software\Classes\http\shell\open\command

Software\Microsoft\Windows NT\CurrentVersion\SystemRestore

code.is.a.winner

Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule

SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId

bps1.exe

bhookpl.dll

bnfa.exe

drvloadn.dll

drvloadx.dll

VNCHooks.dll

xr4tdwa.exe

shutdown.exe

TCnRawKeyBoard

HuntHTTPDownload

autorun.inf

hXXps://onlineeast#.bankofamerica.com

winlogon.exe

moz_logins

WEBCAMLIVE

explorer.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

\system32\userinit.exe,

notepad.exe

\system32\userinit.exe

steam.exe

hl.exe

hXXp:///

@*\AC:\Users\Admin\Desktop_old\Blackshades project\Blackshades NET\server\server.vbp

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   wmiapsvrd.exe:2924
   %original file name%.exe:2944
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\KEY (33 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\csrss.exe (305 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\System\wmiapsvrd.exe (1281 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\System\adiadg.exe (39 bytes)
   

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "framework" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\csrss.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "framework" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\csrss.exe"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Microsoft® Windows® Operating System" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\System\adiadg.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.