Gen.Variant.Zusy.199421_97ac9fe88d

by malwarelabrobot on March 30th, 2017 in Malware Descriptions.

Gen:Variant.Zusy.199421 (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), BackDoor.Bladabindi.13678 (DrWeb), Gen:Variant.Zusy.199421 (B) (Emsisoft), Artemis!97AC9FE88D1F (McAfee), Trojan.Gen.2 (Symantec), Trojan-Downloader.Win32.Autohk (Ikarus), Gen:Variant.Zusy.199421 (FSecure), Win32/DH{Ow?} (AVG), Win32:Malware-gen (Avast), Gen:Variant.Zusy.199421 (AdAware), Trojan.MSIL.Bladabindi.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Worm, WormAutorun, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 97ac9fe88d1f649dd19fede6ade1fc09
SHA1: 7de351b8e0d53e1d04c9658d706006b12b68d827
SHA256: 1e6d931c2371c48f85adc591c5793159304056c01fd459a537c46cfe29462dca
SSDeep: 6144:sbbs8miuWxBn061wjr36UIU yoTiKVpwCbC/ry7YOTD0zoL69 rOV4bXWCH:MgrTMn061M36RUOTvpwpNO/0zoL6UrOi
Size: 348160 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: DriverPack
Created at: 2016-01-16 08:27:22
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Downloader: a Trojan program that downloads files from the Internet without the user's knowledge and executes them.

Payload

Behaviour Description
WormAutorun: A worm that can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script executes the Trojan's file once a user opens the drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:2936

The Trojan injects its code into the following process(es):

svchost.exe:1784

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\%original file name%.exe (2105 bytes)

Registry activity

The process %original file name%.exe:2936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Aj7IlyiqVj3xkitP" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\%original file name%.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script executes the Trojan's file once a user opens the drive's folder in Windows Explorer.

VersionInfo

Company Name:
Product Name:
Product Version: 1.1.23.00
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.23.00
File Description:
Comments:
Language: English (United States)

PE Sections

Name       Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.MPRESS1   4096             925696        335872    5.54477  77107171c39e07e95efeb6fc4e3ebd6f
.MPRESS2   929792           3656          4096      3.887    1b348d1b2fe61a513f7e48b729678eb3
.rsrc      933888           7560          7680      3.77508  66f1091e31786183f208c9c000f92d88

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

svchost.exe_1784:

.text
`.rsrc
@.reloc
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
v2.0.50727
DRSTUB.exe
Microsoft.VisualBasic
System.Windows.Forms
System.Drawing
avicap32.dll
user32.dll
kernel32.dll
DRSTUB.Resources.resources
DRSTUB.My
Microsoft.VisualBasic.ApplicationServices
.ctor
System.Diagnostics
System.ComponentModel
System.CodeDom.Compiler
Microsoft.VisualBasic.Devices
.cctor
get_WebServices
HelpKeywordAttribute
System.ComponentModel.Design
Microsoft.VisualBasic.CompilerServices
MyWebServices
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.IO
System.Net.Sockets
RegistryKey
Microsoft.Win32
Operators
GetKey
System.Collections
ProcessWindowStyle
WebClient
System.Net
System.Threading
CopyPixelOperation
System.Drawing.Imaging
System.Reflection
TcpClient
System.Text
System.IO.Compression
System.Collections.Generic
OperatingSystem
Microsoft.VisualBasic.MyServices
get_ExecutablePath
wolf_usb_exe
GetKeyboardLayout
GetAsyncKeyState
vKey
MapVirtualKey
GetKeyboardState
lpKeyState
Keys
wVirtKey
Keyboard
GetExecutingAssembly
OpenSubKey
DRSTUB.My.Resources
System.Globalization
System.Resources
System.Configuration
8.0.0.0
My.WebServices
My.User
My.Application
My.Computer
4System.Web.Services.Protocols.SoapHttpClientProtocol
3System.Resources.Tools.StronglyTypedResourceBuilder
4.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
11.0.0.0
My.Settings
1.0.0.0
$721aff54-84bf-4dd4-9947-d32d266b77f6
_CorExeMain
mscoree.dll
<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="hXXp://VVV.w3.org/2001/XMLSchema-instance">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
If you want to change the Windows User Account Control level replace the
requestedExecutionLevel node with one of the following.
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
<requestedExecutionLevel level="highestAvailable" uiAccess="false" />
Specifying requestedExecutionLevel node will disable file and registry virtualization.
compatibility then delete the requestedExecutionLevel node.
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
<!-- A list of all Windows versions that this application is designed to work with.
Windows will automatically select the most compatible environment.-->
<!-- If your application is designed to work with Windows Vista, uncomment the following supportedOS node-->
<!--<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>-->
<!-- If your application is designed to work with Windows 7, uncomment the following supportedOS node-->
<!--<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>-->
<!-- If your application is designed to work with Windows 8, uncomment the following supportedOS node-->
<!--<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>-->
<!-- Enable themes for Windows common controls and dialogs (Windows XP and later) -->
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
cmd.exe
UseShellExecute
WindowStyle
GetSubKeyNames
CreateSubKey
DeleteSubKeyTree
DeleteSubKey
cmd.exe /k ping 0 & del "
Windows
autorun.inf
install.exe
%System%\dllcache
%System%\dllcache\recycled.exe
%System%\dllcache\myporn.scr
%System%\dllcache\doc.pif
C:\windows\system32\drivers\svchost.exe
ShellExecute=install.exe
shell\open\command=install.exe
shell\explore\command=install.exe
shell\Open\command=install.exe
C:\windows\system32\winlogon.scr
desktop.ini
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
0.7.1
Prozone.exe
127.0.0.1
Software\Microsoft\Windows\CurrentVersion\Run
??/??/??
ShiftKeyDown
WScript.Shell
&explorer /root,"Í%
DRSTUB.Resources


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2936

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\%original file name%.exe (2105 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Aj7IlyiqVj3xkitP" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\%original file name%.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
