Gen.Variant.Mikey.53671_089453e52b
Gen:Variant.Mikey.53671 (B) (Emsisoft), Gen:Variant.Mikey.53671 (AdAware), Trojan.Win32.Swrort.3.FD, SearchProtectToolbar_pcap.YR, mzpefinder_pcap_file.YR, SearchProtectToolbar.YR, PUPSpigot.YR (Lavasoft MAS)
Behaviour: Trojan, PUP
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 089453e52b8a5f02c79dc427daf66394
SHA1: ababa71b79440c98db40ea318b298d0bcabbeeb7
SHA256: 8617c3033c9eccadbedc13c5cfba8440aa0fd3c1842314a044625cb0734c5279
SSDeep: 3072:9zvR8lcJ9v/lau/B1nbesQvl2fwiHmbIeY41U:VvR8lcJB/N/fC2fwiH2I6O
Size: 175104 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-10-02 21:40:08
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
C552.tmp.exe:3972
%original file name%.exe:3904
9F3B.tmp.exe:3452
mshta.exe:4052
The Trojan injects its code into the following process(es):
C552.tmp.exe:3900
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process C552.tmp.exe:3900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\scripts\common.js (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\search_protect.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\yandex_horz.png (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\uttFDFD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\styles\common.css (101 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\loading.gif (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\main_icon.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\logo_Yandex_RU_UA_vertical.png (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\index.hta (522 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\i18n\fr.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\main_bittorrent.ico (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\index.hta.log (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\shell_scripts\check_if_cscript_is_working.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\uTorrent\settings.dat.new (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\yandex_horz_ru.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\1f91d2d17ea675d4c2c3192e241743f9_88dcd395-b062-45b3-a6cd-79f37c0eba08 (105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\3rdparty\OCComSDK.dll (218 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8I7MPU49.txt (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\mediacaster\firefox.png (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\i18n\es.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\uninstall.hta (575 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\i18n\it.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\scripts\install.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\main_utorrent.ico (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\mediacaster\chrome.png (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\mediacaster\logo.png (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\shell_scripts\shell_install_offer.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\3rdparty\OCSetupHlp.dll (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\i18n\pt.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\install.1478187436.zip (279261 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\scripts\es5-shim.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\i18n\de.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\mediacaster\internetexplorer.png (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KRJ8QK73.txt (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\mediacaster\screenshot.png (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\i18n\ru.json (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\i18n\en.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\scripts\initialize.js (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\yandex_browser_setup.bmp (204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\scripts\uninstall.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\bt_icon_48px.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\i18n\br.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\shell_scripts\shell_ping_after_close.js (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\styles\installer.css (296 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\uttFDFD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8I7MPU49.txt (0 bytes)
The process %original file name%.exe:3904 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9F3B.tmp.exe (14611 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\C552.tmp.exe (205076 bytes)
The process 9F3B.tmp.exe:3452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Admin Cleaner\Admin Cleaner.exe (601 bytes)
The process mshta.exe:4052 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\main_utorrent.ico (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\json[1].js (322 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\index.hta.log (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\featuredcontent[1].htm (21 bytes)
Registry activity
The process C552.tmp.exe:3900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Rpc]
"UuidSequenceNumber" = "134429773"
[HKCU\Software\Classes\FalconBetaAccount]
"remote_access_client_id" = "8873702140"
[HKCU\Software\BitTorrent\uTorrent]
"OfferProvider" = ""
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\BitTorrent\uTorrent]
"OfferViaCAU" = "0"
"OfferName" = ""
"OfferAccepted" = "0"
The process %original file name%.exe:3904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"
The process 9F3B.tmp.exe:3452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\SecureWebChannel]
"channel" = "UN"
[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"
The process mshta.exe:4052 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1299588363"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "mshta.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Code Store Database\NT5LockDownTest]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
| MD5 | File path |
|---|---|
| 91f2d46151f93599aa519d0d93e0c80d | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\9F3B.tmp.exe |
| 5fe59fc57869508e1c84812dbd36ce3b | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\C552.tmp.exe |
| 7a51490de5906042b3f440ae9600fd76 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\3rdparty\OCComSDK.dll |
| 428a5d062b8665ff64b8024a487a4604 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\3rdparty\OCSetupHlp.dll |
| 91f2d46151f93599aa519d0d93e0c80d | c:\Users\"%CurrentUserName%"\AppData\Roaming\Admin Cleaner\Admin Cleaner.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (Canada)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 115308 | 115712 | 4.54764 | 23c58d64d3c116cf34cbd00f2d8f1c0c |
| .rdata | 122880 | 15226 | 15360 | 3.71605 | 05e17ca9bf31b8416f6517f7fe985d51 |
| .data | 139264 | 19468 | 5120 | 2.38158 | 1fa4fc79905bcca5a5bc216063393702 |
| .rsrc | 159744 | 1964 | 2048 | 3.39461 | a55f06b1710f745042c6566eeda01ed1 |
| .reloc | 163840 | 35712 | 35840 | 1.17261 | 37582812433268d44035b905fdc40ac6 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://download-new.utorrent.com/endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/110339694/ | |
| hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=50 | |
| hxxp://ip-api.com/json?callback=jQuery191041635303065350876_1478187448945&_=1478187448946 | |
| hxxp://update.utorrent.com/featuredcontent.php?w=6.1 | |
| hxxp://download-lb.utorrent.com/endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/110339694/ | |
| hxxp://i-50.b-000.xyz.bench.utorrent.com/e?i=50 | |
| router.utorrent.com | |
| s3-us-west-2.amazonaws.com | |
| api.wiseinstaller.net | |
| router.bittorrent.com | |
| api.mediaconfig.net | |
| s3.amazonaws.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET POLICY External IP Lookup ip-api.com
Traffic
GET /featuredcontent.php?w=6.1 HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: update.utorrent.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Thu, 03 Nov 2016 15:37:30 GMT
Content-Type: text/html
Content-Length: 21
Connection: close
X-Powered-By: PHP/5.4.30
Expires: Thu, 21 Jul 1980 00:00:00 GMT
Cache-Control: private
Last-Modified: Thu, 03 Nov 2016 15:37:30 GMT
{"content_offers":[]}
POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 234
{"eventName":"hydra1","action":"begin","type":"i","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"2","v":"110339694","cl":"uTorrent","osv":"6.1","l":"en","pid":"3900","h":"GN-7GzYFp-UDUPDe","sid":"GN-7GzYFp-UDUPDe1478187436","order":"0"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 03 Nov 2016 15:37:12 GMT
Server: nginx
X-Powered-By: PHP/5.4.30
Content-Length: 21
Connection: Close
{"response_code":200}
POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 248
{"eventName":"hydra1","action":"packDownloadStarted","type":"i","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"2","v":"110339694","cl":"uTorrent","osv":"6.1","l":"en","pid":"3900","h":"GN-7GzYFp-UDUPDe","sid":"GN-7GzYFp-UDUPDe1478187436","order":"1"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 03 Nov 2016 15:37:12 GMT
Server: nginx
X-Powered-By: PHP/5.4.30
Content-Length: 21
Connection: Close
{"response_code":200}
GET /endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/110339694/ HTTP/1.1
Host: download-lb.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 0
HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 03 Nov 2016 15:37:12 GMT
Content-Type: application/octet-stream
Content-Length: 2397689
Connection: close
Last-Modified: Sat, 18 Jun 2016 05:45:18 0000
Accept-Ranges: none
Content-Disposition: attachment; filename="hta.zip"
X-bt-size: 2397689
Cache-Control: private
X-rl-mx: true
Rule-UUID: d7d79ca9-1978-4573-a82b-a0adc05e3e13
Content-MD5: a941fc2419a987ff4de7c86cbf782c8f
Expires: Tue, 01 Jan 1980 00:00:00 0000
X-bt-hash: c5b7fd00cac128923973150476f3f3549d55ae17
GET /json?callback=jQuery191041635303065350876_1478187448945&_=1478187448946 HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ip-api.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: text/javascript; charset=utf-8
Date: Thu, 03 Nov 2016 15:37:29 GMT
Content-Length: 322
jQuery191041635303065350876_1478187448945({"as":"AS31561 PITLINE-AS","city":"Kharkiv","country":"Ukraine","countryCode":"UA","isp":"Pitline Ltd","lat":49.9808,"lon":36.2527,"org":"Pitline Ltd","query":"194.242.96.226","region":"63","regionName":"Kharkivs'ka Oblast'","status":"success","timezone":"Europe/Kiev","zip":""});
POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 270
{"eventName":"hydra1","action":"INFO","type":"i","res":"1916x902","cts":"1478187445","pv":"","cau":"0","cc":"0","bkt1":"0","ssb":"11","v":"110339694","cl":"uTorrent","osv":"6.1","l":"en","pid":"3900","h":"GN-7GzYFp-UDUPDe","sid":"GN-7GzYFp-UDUPDe1478187436","order":"3"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 03 Nov 2016 15:37:21 GMT
Server: nginx
X-Powered-By: PHP/5.4.30
Content-Length: 21
Connection: Close
{"response_code":200}
POST /e?i=50 HTTP/1.1
Host: i-50.b-000.xyz.bench.utorrent.com
User-Agent: Hydra HttpRequest
Connection: close
Content-Length: 261
{"eventName":"hydra1","action":"packDownloadResult","type":"i","result":"1","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"11","v":"110339694","cl":"uTorrent","osv":"6.1","l":"en","pid":"3900","h":"GN-7GzYFp-UDUPDe","sid":"GN-7GzYFp-UDUPDe1478187436","order":"2"}
HTTP/1.1 200 OK
Content-Type: text/html
Date: Thu, 03 Nov 2016 15:37:21 GMT
Server: nginx
X-Powered-By: PHP/5.4.30
Content-Length: 21
Connection: Close
{"response_code":200}
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
@.reloc
%s.ef
HKEY
%s %s
%s %d
%s%s%s%s%s
%s near end of file
%s near '%s'
unable to decode byte 0x%x
invalid Unicode '\uX'
invalid Unicode '\uX\uX'
control character 0x%x
duplicate object key
Broken pipe
Inappropriate I/O control operation
Operation not permitted
GetProcessWindowStation
operator
ole32.dll
GetProcessHeap
GetWindowsDirectoryW
GetCPInfo
KERNEL32.dll
WinHttpOpenRequest
WinHttpCloseHandle
WinHttpConnect
WinHttpOpen
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpReadData
WinHttpQueryDataAvailable
WINHTTP.dll
USER32.dll
OLEAUT32.dll
IPHLPAPI.DLL
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
status=IS&uuid=412cb525-0eb6-52c2-a08c-3c741f2d855d&user_os=Win7 32&user_hash=&v=35.34&nuuid=cc6e0fb051f29334d991df4f89059307&user_agent=IE&trsrc=1
user_agent=IE&uuid=412cb525-0eb6-52c2-a08c-3c741f2d855d&user_os=Win7 32&proc=System,smss.exe,csrss.exe,wininit.exe,csrss.exe,winlogon.exe,services.exe,lsass.exe,lsm.exe,svchost.exe,svchost.exe,svchost.exe,svchost.exe,svchost.exe,svchost.exe,svchost.exe,spoolsv.exe,svchost.exe,vmtoolsd.exe,TPAutoConnSvc.exe,svchost.exe,taskhost.exe,dwm.exe,explorer.exe,VMwareTray.exe,vmtoolsd.exe,TPAutoConnect.exe,conhost.exe,SearchIndexer.exe,svchost.exe,taskhost.exe,sandbox_svc.exe,conhost.exe,cmd.exe,conhost.exe,tshark.exe,cmd.exe,conhost.exe,Procmon.exe,WmiPrvSE.exe&main=1&v=35.34&nuuid=cc6e0fb051f29334d991df4f89059307&user_hash=&trsrc=1 &aff=trs1&enc=
C:\Users\"%CurrentUserName%"\AppData\Local\Temp
status=%s&uuid=%s&user_os=%s&user_hash=%s&v=%s&nuuid=%s&user_agent=%s&trsrc=%s
kernel32.dll
updater_url
%s.exe
updater_cmd
c:\%original file name%.exe
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
Content-Type: application/x-www-form-urlencoded
user_agent=IE&uuid=%hs&user_os=%hs&proc=%s&main=%hs&v=%hs&nuuid=%hs&user_hash=%hs&trsrc=%hs&aff=%hs&enc=%hs
https
hXXps://s3-us-west-2.amazonaws.com/151125/helloworld.exe
api.wiseinstaller.net
6.8.6.1
amet.jpg
mshta.exe_4052:
.text
`.data
.rsrc
@.reloc
clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32msvcrt.dll
KERNEL32.dll
ADVAPI32.dll
RegCloseKey
RegOpenKeyExA
_amsg_exit
_acmdln
mshta.pdb
name="Microsoft.Windows.InetCore.mshta"
version="5.1.0.0"
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
Kernel32.dll
2kernel32.dll
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
MSHTA.EXE
Windows
9.00.8112.16421
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
C552.tmp.exe:3972
%original file name%.exe:3904
9F3B.tmp.exe:3452
mshta.exe:4052
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\scripts\common.js (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\search_protect.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\yandex_horz.png (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\uttFDFD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\styles\common.css (101 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\loading.gif (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\main_icon.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\logo_Yandex_RU_UA_vertical.png (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\index.hta (522 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\i18n\fr.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\main_bittorrent.ico (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\index.hta.log (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\shell_scripts\check_if_cscript_is_working.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\uTorrent\settings.dat.new (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\yandex_horz_ru.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\1f91d2d17ea675d4c2c3192e241743f9_88dcd395-b062-45b3-a6cd-79f37c0eba08 (105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\3rdparty\OCComSDK.dll (218 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8I7MPU49.txt (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\mediacaster\firefox.png (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\i18n\es.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\uninstall.hta (575 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\i18n\it.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\scripts\install.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\main_utorrent.ico (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\mediacaster\chrome.png (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\mediacaster\logo.png (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\shell_scripts\shell_install_offer.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\3rdparty\OCSetupHlp.dll (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\i18n\pt.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\install.1478187436.zip (279261 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\scripts\es5-shim.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\i18n\de.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\mediacaster\internetexplorer.png (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KRJ8QK73.txt (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\mediacaster\screenshot.png (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\i18n\ru.json (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\i18n\en.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\scripts\initialize.js (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\yandex_browser_setup.bmp (204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\scripts\uninstall.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\images\bt_icon_48px.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\i18n\br.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\shell_scripts\shell_ping_after_close.js (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD2DE.tmp.1478187436\HTA\styles\installer.css (296 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\9F3B.tmp.exe (14611 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\C552.tmp.exe (205076 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Admin Cleaner\Admin Cleaner.exe (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\json[1].js (322 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\featuredcontent[1].htm (21 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.