Gen.Variant.Mikey.50384_f9bea7e8b2
Gen:Variant.Mikey.50384 (B) (Emsisoft), Gen:Variant.Mikey.50384 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: f9bea7e8b290533879c4535915fa803d
SHA1: 55ee39b7cb3ffd7dadb9a52d6a30ef496919f6c7
SHA256: 3844846856948a828a5dfe7bddba35a4d61db2da89720e039913424d13812e2f
SSDeep: 6144:H0hNLJgoAUGV BSNXwPMsFiv6BtgZHbGYXwEg:UVgoAUGV UNAPMssG2ZyYXw
Size: 272622 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-08-04 05:43:56
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2712
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\ButtonEvent.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\ns29DF.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\System.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7E29.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\inetc.dll (46 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7E17.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\modern-wizard.bmp (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A (893 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7E18.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7E2A.tmp (2712 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\ns29DF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7E17.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7E29.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7E18.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh2857.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7E2A.tmp (0 bytes)
Registry activity
The process %original file name%.exe:2712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD]
"Blob" = "0F 00 00 00 01 00 00 00 20 00 00 00 52 29 BA 15"
[HKLM\SOFTWARE\Microsoft\Tracing\f9bea7e8b290533879c4535915fa803d_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\f9bea7e8b290533879c4535915fa803d_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\f9bea7e8b290533879c4535915fa803d_RASMANCS]
"MaxFileSize" = "1048576"
"EnableConsoleTracing" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Tracing\f9bea7e8b290533879c4535915fa803d_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\f9bea7e8b290533879c4535915fa803d_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\f9bea7e8b290533879c4535915fa803d_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\f9bea7e8b290533879c4535915fa803d_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\f9bea7e8b290533879c4535915fa803d_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\f9bea7e8b290533879c4535915fa803d_RASAPI32]
"MaxFileSize" = "1048576"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"D69B561148F01C77C54578C10926DF5B856976AD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
| MD5 | File path |
|---|---|
| 55788069d3fa4e1daf80f3339fa86fe2 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\ButtonEvent.dll |
| 1209356a1e393cacf08ff4cede226b13 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\System.dll |
| d7a3fa6a6c738b4a3c40d5602af20b08 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\inetc.dll |
| 0975b6008916c7bea5bb2b5d0e020b8c | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\nsDialogs.dll |
| 47452b427911d43b8fef70b6ab1d48e7 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\nsExec.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23437 | 23552 | 4.48787 | bbe0030c61a91dde983517f14a25ba56 |
| .rdata | 28672 | 5302 | 5632 | 3.57624 | f47a33c87962605f684d2892c2934040 |
| .data | 36864 | 109820 | 512 | 1.2639 | 83c440f13a7f197316ad93416fceac9e |
| .ndata | 147456 | 184320 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 331776 | 103544 | 103936 | 3.82609 | dd2304ee26eaa234df27331fb60aaa68 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://apps.digsigtrust.com/roots/dstrootcax3.p7c | |
| hxxp://apps.identrust.com/roots/dstrootcax3.p7c | |
| www.demtxr.com | |
| dns.msftncsi.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com
HTTP/1.1 200 OK
Date: Mon, 19 Dec 2016 17:16:42 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Last-Modified: Fri, 19 Oct 2012 20:08:11 GMT
Accept-Ranges: bytes
Content-Length: 893
Cache-control: max-age=86400
Keep-Alive: timeout=5, max=100
Content-Type: application/x-pkcs7-mime0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.......D.....'..0
9...@k0...*.H........0?1$0"..U....Digital Signature Trust Co.1.0...U..
..DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital S
ignature Trust Co.1.0...U....DST Root CA X30.."0...*.H.............0..
..........P..W..be......,k0.[...}.@......3vI*.?!I..N..>H.e...!.e.*.
2....w..{........s.z..2..~..0....*8.y.1.P..e..Qc....a.Ka..Rk...K.(.H..
....>.... .[.*....p....%.tr.{j.4.0...h.{T.....Z...=d......Ap..r.&.8
U9C....\@..........%.......:..n.>..\..<..i....*.)W..=....]......
B0@0...U.......0....0...U...........0...U..........{,q...K.u...`...0..
.*.H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~
.....K. D.....}..j.....N...:.pI............:^H...X._..Z.......Y..n....
...f3.Y[....sG. ...7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G
..P.......dc`........}...=2.e..|.Wv...(9..e...w.j..w........).....55.1
.HTTP/1.1 200 OK..Date: Mon, 19 Dec 2016 17:16:42 GMT..Server: Apache.
.X-Frame-Options: SAMEORIGIN..X-XSS-Protection: 1; mode=block..Last-Mo
dified: Fri, 19 Oct 2012 20:08:11 GMT..Accept-Ranges: bytes..Content-L
ength: 893..Cache-control: max-age=86400..Keep-Alive: timeout=5, max=1
00..Content-Type: application/x-pkcs7-mime..0..y..*.H.........j0..f...
1.0...*.H.........N0..J0..2.......D.....'..09...@k0...*.H........0?1$0
"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930
211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U.
...DST Root CA X30.."0...*.H.............0............P..W..be....<<< skipped >>>
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.ndata
.rsrc
Vj%SSS
uDSSh
hu2.iu
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
%u.%u%s%s
.DEFAULT\Control Panel\International
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
%s%s.dll
%s=%s
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
ers\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\nsDialogs.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\nsDialogs.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp
@.reloc
SIZE %s
REST %d
Proxy-authorization: basic %s
Authorization: basic %s
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
wininet.dll
FtpCommandA
%s:%s
%u bytes
%u kB
%u MB
%s - %s
%d:d:d
/password
Filename: %s
NSIS_Inetc (Mozilla)
(Err=%d)
Uploading %s
InternetCrackUrlA
FtpOpenFileA
FtpCreateDirectoryA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpSendRequestExA
HttpEndRequestA
HttpQueryInfoA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
;$;*;_;};
_rb]cMDBw
nsw2867.tmp
s\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp
C:\Windows\system32\cmd.exe
c:\%original file name%.exe
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsh2857.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
369755511
#&_~9*^~[(^
)^}[$]}/!^|
(^}x([|D%Uv!
%Xu" @`
ok} "${<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v04-Aug-2015.cvs</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>1.0.4.4
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\ButtonEvent.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\ns29DF.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\System.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7E29.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\inetc.dll (46 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab7E17.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw2867.tmp\modern-wizard.bmp (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A (893 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7E18.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar7E2A.tmp (2712 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.