MD5: 3d0bd911b73d54653341b5a035fd28db
SHA1: 3d84c7cb10fdd745f8205c9e4b0bffa07fe13fe5
SHA256: 8a8f3668c39067f3568d093fec3385113825cb43bb277c83b1eec54a810c45ce
SSDeep: 1536:HAV28z3rL8jvIgNnXvrPtz1TswSpdyh4i5yeHPSxwAXaX2pOf4/UKkiJbwgzEMoi:HIP1InX7JpzSpdsCwKvpxTqXMoleN
Size: 145408 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2016-12-10 05:00:54
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3188

The Trojan injects its code into the following process(es):

iexplore.exe:3828
Explorer.EXE:284

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Mozilla Firefox\xul.dll (520 bytes)
%Program Files%\Google\Chrome\Application\54.0.2840.59\chrome.dll (1127 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\d.bat (250 bytes)

Registry activity

The process %original file name%.exe:3188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 896 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.1.7600.16385
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WINHLP32.EXE
Internal Name: WINHSTB
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
File Description: Windows Winhlp32 Stub
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

@.reloc

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... )) 

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

user32.dll

Kernel32.DLL

xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

iexplore.exe_3828_rwx_00050000_00002000:

user32.dll

advapi32.dll

kernel32.dll

RegCreateKeyExA

RegCloseKey

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TMP1363199.exe

c:\%original file name%.exe

Software\Microsoft\Windows\CurrentVersion\RunOnce

%Program Files%\Internet Explorer\iexplore.exe VVV.google.com

iexplore.exe_3828_rwx_00060000_00020000:

.text

.rdata

@.data

.rsrc

@.reloc

SSSShl

SSShX

SHLWAPI.dll

WS2_32.dll

MFC42.DLL

MSVCRT.dll

_acmdln

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegOpenKeyExA

RegCloseKey

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

ShellExecuteExA

SHELL32.dll

' ).;<52

advapi32.dll

content.js

secref.txt

\chrome.dll

\Google\Chrome\Application\

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion\RunOnce

ux

\Mozilla Firefox\xul.dll

myextension.json

Extension%d

\extensions.ini

\prefs.js

\extensions.json

\\.\PhysicalDrive0

iphlpapi.dll

\content\icon-64.png

\content\icon-48.png

\content\content.js

\install.rdf

\META-INF\mozilla.sf

\META-INF\mozilla.rsa

\META-INF\manifest.mf

\content\browser.xul

\chrome.manifest

\icons\icon128.png

\icons\icon64.png

\icons\icon48.png

\icons\icon18.png

\background.js

\content.js

\manifest.json

XXXXXXXXXXXXXXXX

echo 127.0.0.1 %v5%%v6%google.com >> %WINDIR%%v1%%v2%%v3%%v4%etc\hosts

d.bat

ntdll.dll

explorer.exe

kernel32.dll

user32.dll

%s %s %s %s

%sTMP%d.exe

\iexplore.exe VVV.google.com

1.1.3

_sig0001.dat

xul.dll

chrome.dll

firefox.exe

chrome.exe

C:/windows/system32

C:/windows/explorer.exe

xxxxxxxxxxxxxxxx

HTTP/1.1 202

HTTP/1.1 200 OK

\Mozilla\Firefox\Profiles\

\Opera Software\Opera Stable\Preferences

\Opera Software\Opera Stable\

\Google\Chrome\User Data\

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

KEYKEYKEYKEY

ws2_32.dll

User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

GET /update?checksum=%s&m=%s&errorcode=%d&idate=%s HTTP/1.1

GET /soft-report?m=%s&res=%d HTTP/1.1

<!-- <requestedExecutionLevel level='asInvoker' uiAccess='false' /> -->

<!-- <requestedExecutionLevel level="requireAdministrator" uiAccess='false' />-->

<requestedExecutionLevel level='asInvoker' uiAccess='false' />

.pngbD$B

http:/

Bwebsto

ate.goog

le.com;

.pngD

tring.fr

 cj.cTcJ

) $cds

'.spl

cu.cm=\' ce

p.bo.

bx.bq

nkeyup

s.db==r)

);bf.br=

#.bt(2bf

nkeydown

https

ext'.spl

ú/po

URL>chr

hXXp://w

ww.mozil

la.org/k

"chrome:(//

-48.png

achrome0.m9A

a.addons .m

Mozilla Corporation1/0-

&Mozilla AMO Production Signing Service1

17235242

.pemy

.ba=/

ca.de=\'Bp

bzt|http

|onkey

U|EXEC

'.split( '|

80,250))

iR.ad"dE

f.bh?by=

.ct==P=

bp.fHQ

.defau

-ci.bq",

 cd.cyL

g.cLk

82,250))

1"2F2e2r2

3$32393?3

iexplore.exe_3828_rwx_00240000_00020000:

.text

.rdata

@.data

.rsrc

@.reloc

SSSShl

SSShX

SHLWAPI.dll

WS2_32.dll

MFC42.DLL

MSVCRT.dll

_acmdln

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegOpenKeyExA

RegCloseKey

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

ShellExecuteExA

SHELL32.dll

' ).;<52

advapi32.dll

content.js

secref.txt

\chrome.dll

\Google\Chrome\Application\

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion\RunOnce

ux

\Mozilla Firefox\xul.dll

myextension.json

Extension%d

\extensions.ini

\prefs.js

\extensions.json

\\.\PhysicalDrive0

iphlpapi.dll

\content\icon-64.png

\content\icon-48.png

\content\content.js

\install.rdf

\META-INF\mozilla.sf

\META-INF\mozilla.rsa

\META-INF\manifest.mf

\content\browser.xul

\chrome.manifest

\icons\icon128.png

\icons\icon64.png

\icons\icon48.png

\icons\icon18.png

\background.js

\content.js

\manifest.json

XXXXXXXXXXXXXXXX

echo 127.0.0.1 %v5%%v6%google.com >> %WINDIR%%v1%%v2%%v3%%v4%etc\hosts

d.bat

ntdll.dll

explorer.exe

kernel32.dll

user32.dll

%s %s %s %s

%sTMP%d.exe

\iexplore.exe VVV.google.com

1.1.3

_sig0001.dat

xul.dll

chrome.dll

firefox.exe

chrome.exe

C:/windows/system32

C:/windows/explorer.exe

xxxxxxxxxxxxxxxx

HTTP/1.1 202

HTTP/1.1 200 OK

\Mozilla\Firefox\Profiles\

\Opera Software\Opera Stable\Preferences

\Opera Software\Opera Stable\

\Google\Chrome\User Data\

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

KEYKEYKEYKEY

ws2_32.dll

User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

GET /update?checksum=%s&m=%s&errorcode=%d&idate=%s HTTP/1.1

GET /soft-report?m=%s&res=%d HTTP/1.1

<!-- <requestedExecutionLevel level='asInvoker' uiAccess='false' /> -->

<!-- <requestedExecutionLevel level="requireAdministrator" uiAccess='false' />-->

<requestedExecutionLevel level='asInvoker' uiAccess='false' />

.pngbD$B

http:/

Bwebsto

ate.goog

le.com;

.pngD

tring.fr

 cj.cTcJ

) $cds

'.spl

cu.cm=\' ce

p.bo.

bx.bq

nkeyup

s.db==r)

);bf.br=

#.bt(2bf

nkeydown

https

ext'.spl

ú/po

URL>chr

hXXp://w

ww.mozil

la.org/k

"chrome:(//

-48.png

achrome0.m9A

a.addons .m

Mozilla Corporation1/0-

&Mozilla AMO Production Signing Service1

17235242

.pemy

.ba=/

ca.de=\'Bp

bzt|http

|onkey

U|EXEC

'.split( '|

80,250))

iR.ad"dE

f.bh?by=

.ct==P=

bp.fHQ

.defau

-ci.bq",

 cd.cyL

g.cLk

82,250))

1"2F2e2r2

3$32393?3

Explorer.EXE_284_rwx_01DA0000_00002000:

user32.dll

advapi32.dll

kernel32.dll

RegCreateKeyExA

RegCloseKey

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TMP1363199.exe

c:\%original file name%.exe

Software\Microsoft\Windows\CurrentVersion\RunOnce

%Program Files%\Internet Explorer\iexplore.exe VVV.google.com

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:3188
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Program Files%\Mozilla Firefox\xul.dll (520 bytes)
   %Program Files%\Google\Chrome\Application\54.0.2840.59\chrome.dll (1127 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\d.bat (250 bytes)

4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.