MD5: e79898539570c8166b1ad52e7343f45d
SHA1: 201000138cb1d1d49fd5d0d95b280cddfdbbc64b
SHA256: 39119442c4dcbd012ccff4bd80e88362f86e06997c5e0d5b5bb97a2f83528ef6
SSDeep: 12288:KFFcsNFVTn4tLDhJ2hstbIcfI0nx9KFMw/iTExZn8YZU75UBD4mbw1mX8d2DQiWF:cesKhIsmGPnKjiwxWYyiB02sUD
Size: 1057792 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-02-16 08:27:15
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1672
vbc.exe:1812
WipeShadow.exe:3736

The Trojan injects its code into the following process(es):

WipeShadow.exe:1084

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1672 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\WipeShadow.exe (51982 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp128806599.tmp (1 bytes)

The process vbc.exe:1812 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holderwb.txt (2 bytes)

The process WipeShadow.exe:1084 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\pid.txt (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pidloc.txt (43 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holdermail.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holderwb.txt (0 bytes)

Registry activity

The process %original file name%.exe:1672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process WipeShadow.exe:1084 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASMANCS]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASAPI32]
"FileTracingMask" = "4294901760"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: VMware, Inc.
Product Name: VMware Workstation
Product Version: 11.1.4 build-3848939
Legal Copyright: Copyright (c) 1998-2016 VMware, Inc.
Legal Trademarks:
Original Filename: vmnat.exe
Internal Name: vmnat
File Version: 11.1.4 build-3848939
File Description: VMware NAT Service
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://whatismyipaddress.com/	92.122.94.47
smtp.gmail.com	64.233.161.108

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1672
   vbc.exe:1812
   WipeShadow.exe:3736
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Roaming\WipeShadow.exe (51982 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp128806599.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holderwb.txt (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\pid.txt (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\pidloc.txt (43 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.