Gen.Variant.MSIL.Mensa.11_8f4f2c8628

by malwarelabrobot on August 31st, 2017 in Malware Descriptions.

Trojan.MSIL.Crypt.ecwt (Kaspersky), Gen:Variant.MSIL.Mensa.11 (B) (Emsisoft), Gen:Variant.MSIL.Mensa.11 (AdAware)
Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 8f4f2c8628ecf10290844bcae4c745dd
SHA1: 389fd18a5ed7c7964265355cb8ca4435f675a2ba
SHA256: 36359cede7000a7421b2888fc3a34addf583b25f296d3b6faab5bf13e1f3a438
SSDeep: 24576:k8Rn2/2kNSL77s/25gXq4wv9SAXSIxwkrPRdGu6l2OzsVc:kA2/iL7iCsPwvgA1xbPRdGu6l2Oh
Size: 1196032 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: Nego
Created at: 2017-07-10 15:31:07
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

vbc.exe:4028
%original file name%.exe:3400

The Trojan injects its code into the following process(es):

Windows Update.exe:1588

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process Windows Update.exe:1588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\pid.txt (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar24D1.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3B40.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate.exe (7726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab24BF.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
C:\Windows\System32\drivers\etc\hosts (59 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3B3F.tmp (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1720 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pidloc.txt (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab24D0.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar24C0.tmp (2712 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OF9L3DR3.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\983WD333.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\YJCP8HIK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\P2Z07O4S.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3B3F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GF0JZXVN.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\00CZ9B9Z.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\QVWF9XLH.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\Z40SB5AS.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\59FYE1S2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\4CWVLDFS.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\K3H6JGON.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SHMEGTHE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\379IMDJA.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3B40.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G6NPTRAV.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\HGQPYGV7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holdermail.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A5VV6NGJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\O761920L.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SK6RC4AQ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\7ZFPBM01.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PMGXNABP.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AJQLWW1A.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\K4EMAOY7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar24C0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\CZKDRHGB.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\cookies.sqlite (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9UFT3VMU.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FBUBDDF0.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8WNTYFZE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\winlogon.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\FDGZES7U.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SN1VAMHK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\ETGRPT21.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\VPSNR0J4.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar24D1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8Q2KNK5G.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\NWCBOWT9.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\1I56O6EZ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PFR2GFQJ.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GB74HSLE.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KUZ61ORW.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KE9BMB37.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab24BF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LXL295FY.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KJGZP41Y.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XJJJSX58.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KCULDY7L.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\03Z3OHNC.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\AW5IGQT7.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KK0IK9EV.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\0VR58838.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holderwb.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\IAU75TW2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab24D0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\OLCWAOT0.txt (0 bytes)

The process vbc.exe:4028 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holderwb.txt (2 bytes)

The process %original file name%.exe:3400 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\winlogon.exe (7775 bytes)

Registry activity

The process Windows Update.exe:1588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\Windows Update_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Windows Update_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Windows Update_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\Windows Update_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\Windows Update_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 85 FE F1 1B"

[HKLM\SOFTWARE\Microsoft\Tracing\Windows Update_RASMANCS]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe, C:\Users\"%CurrentUserName%"\AppData\Roaming\Windows Update.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe, C:\Users\"%CurrentUserName%"\AppData\Roaming\Windows Update.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"91C6D6EE3E8AC86384E548C299295C756C817B81"

The process %original file name%.exe:3400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 923 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1	validation.sls.microsoft.com
127.0.0.1	https://pornhub.com/

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	8192	872996	876544	5.52108	8b4c9ac19e25707649a6754f6aa91ee2
.rsrc	884736	16	4096	0	620f0b67a91f7f74151bc5be745b7110
.reloc	892928	12	4096	0.011373	50edc9e8636df7e223cf5c152270f20e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://whatismyipaddress.com/	23.223.26.238
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	62.140.236.163
smtp.mail.com	74.208.5.15
teredo.ipv6.microsoft.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1

Host: whatismyipaddress.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 59

Date: Wed, 30 Aug 2017 07:46:22 GMT

Connection: keep-alive

Access Denied (AK1).  Contact support@whatismyipaddress.comHTTP/1.1 20
0 OK..Content-Type: text/html..Content-Length: 59..Date: Wed, 30 Aug 2
017 07:46:22 GMT..Connection: keep-alive..Access Denied (AK1).  Contac
t support@whatismyipaddress.com..

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1

Cache-Control: max-age = 86402

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Fri, 16 Sep 2016 21:16:59 GMT

If-None-Match: "8017f9a85f10d21:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: VVV.download.windowsupdate.com


HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Type: application/vnd.ms-cab-compressed

Last-Modified: Tue, 13 Jun 2017 19:04:53 GMT

Accept-Ranges: bytes

ETag: "80f83df077e4d21:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

Content-Length: 52967

Date: Wed, 30 Aug 2017 07:46:29 GMT

Connection: keep-alive

X-CCC: UA

X-CID: 2
MSCF............,...................I..................J.` .authroot.s
tl.^R.Y.6..CK...8...........].y.Q..!Jv..%k.....!..DH...B.KBWE.(.f.RQ*.
..f...}'.....x.:.{f...|.s.q..CF.......0....{%i......P.F.yNz:A..L..1..3
...........IG.....4=....~."|..s.|.xuT..._.*.....e.h,....ozs..*.!TmS..A
q... |,.....V..xV....^....FE(.x...N..h...b....y...j.!....7..h. ..@.(V.
.....8..`-..#=.jq'.e...|..X...@...{..rj.d.....?n3.L.......S.......:.O.
.."k.!o......`.l.B 1.....#].....k6.........B.......!P$.A..<..?zk...
.~..P)A0tu....x..-X..E..,a.7,xN..eed.3..L..XT......IG.w_.Y....E....~k.
.X...T.V.g7d.....#.&~.f.O....Dh...x0..J...0..u.dF..P.!..d...%x<!...
....@,...0..3..-.....q.....X.e....A...z.'..2.<.m.f...I.9.z..a.6vo..
 ...P..U7...-.0.Q..<zd!V....=.'.....2H;..5.7.%5PsD.#.....ht%......f
..s.Dp..Lklx%[.!c...I.<...f.<..e.k`......^.......X..?Z...?......
?..I}..5V.v .q.c.9j..Y..J..0U.t./%..Jd @.W.u......U.".)C(........T.4.y
..J.57*^HlY....O|..~\.J]..]e...?..x2c..6.....i.=?x.....N..-X..f"^@'...
.-v..v...7j.Y1.5._v.....*S9.."........%E<E...;p.}........0..P....g.
.@.]E.3........K....K.4V..Q.-,.../.........:.A....Ng,.........BFef.[..
. ..."*...^...L._#:,7..6:.z..!a............E.r>......A....#..c.....
rS.......7.D..JdR.`6.|...>.0....Wf..n..^..8x.4..........-.3y,3.C.(.
...9f...iNK....q....sUq....c...c.....*K.8"..D...<..0............*x,
$x....a....]..p..t.M....6F..u.....p.r.kf...Z......h~.B3...[.....Hc...K
.....I.....%F..:.....N....U..eU........ e. k....3(S..h....1..r..Z.Y...
.....A.i..Z....[%J.....=2"v].....L.P..!........PC*.........j 8.~.)<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

Windows Update.exe_1588_rwx_00182000_0000B000:

.hP9)h

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

vbc.exe:4028
%original file name%.exe:3400
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

C:\Users\"%CurrentUserName%"\AppData\Roaming\pid.txt (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar24D1.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3B40.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate.exe (7726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab24BF.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (52 bytes)
C:\Windows\System32\drivers\etc\hosts (59 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3B3F.tmp (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1720 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pidloc.txt (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab24D0.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar24C0.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holderwb.txt (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\winlogon.exe (7775 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\WindowsUpdate.exe"
Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe, C:\Users\"%CurrentUserName%"\AppData\Roaming\Windows Update.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe, C:\Users\"%CurrentUserName%"\AppData\Roaming\Windows Update.exe"
Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Gen.Variant.MSIL.Mensa.11_8f4f2c8628

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Gen.Variant.MSIL.Mensa.11_8f4f2c8628

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet