Trojan.Agent.CCPK_4e8f2c83f7
Trojan.Win32.Agent.icgh (Kaspersky), Trojan.Agent.CCPK (B) (Emsisoft), Trojan.Agent.CCPK (AdAware), Trojan.Win32.Swrort.4.FD, TrojanSwrort.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: 4e8f2c83f736065ba813cd10bf8d6bae
SHA1: 200a3b5f215ebd9d855b46d614be0489ede24a79
SHA256: db5e41e1070c50798bb3c6c7e0e864f9ccfbec8b7449e00b112bf31061759e58
SSDeep: 12288:/1/aGLDCMNpNAkoSzZWD8ayXEMQCw7D0FoWxJpcEi0/3IWV//7cSdr00iw2CXvvA:/1/aGLDCM4D8ay0MZo8/v0Hw2AHRT6
Size: 1010953 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: no data
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
tcegr.exe:3404
%original file name%.exe:2604
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process tcegr.exe:3404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\config.sys .exe (1963131 bytes)
C:\bootmgr .exe (1963131 bytes)
C:\Boot .exe (1963131 bytes)
C:\Windows .exe (1963131 bytes)
C:\ProgramData .exe (1963131 bytes)
C:\$Recycle.Bin .exe (1963131 bytes)
C:\BOOTSECT.BAK .exe (1963131 bytes)
%Documents and Settings% .exe (1963131 bytes)
C:\original .exe (1963131 bytes)
C:\totalcmd .exe (1963131 bytes)
C:\Users .exe (1963131 bytes)
C:\XELDZ .exe (1963131 bytes)
C:\autoexec.bat .exe (1963131 bytes)
C:\System Volume Information .exe (1963131 bytes)
C:\marker .exe (1963131 bytes)
%Program Files% .exe (1963131 bytes)
C:\%original file name%.exe .exe (1963131 bytes)
C:\pagefile.sys .exe (1963131 bytes)
The Trojan deletes the following file(s):
C:\Mirax (0 bytes)
C:\Miray (0 bytes)
C:\Mirat (0 bytes)
C:\Mirau (0 bytes)
C:\Mirav (0 bytes)
C:\Miraq (0 bytes)
C:\Mirar (0 bytes)
C:\Miral (0 bytes)
C:\Miram (0 bytes)
C:\Miran (0 bytes)
C:\Mirah (0 bytes)
C:\Mirad (0 bytes)
C:\Miraf (0 bytes)
C:\Mirag (0 bytes)
C:\Miraa (0 bytes)
C:\Mirab (0 bytes)
The process %original file name%.exe:2604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\Saaaalamm\Mira.h (960208 bytes)
C:\ProgramData\tcegr.exe (1020884 bytes)
Registry activity
The process tcegr.exe:3404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft® Windows® Operating System" = "C:\ProgramData\tcegr.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| f03ea61a5e4e2912c22afd5ea4c91a33 | c:\$Recycle.Bin .exe |
| 40926ffe555069786a51d5460406a602 | c:\%original file name%.exe .exe |
| e74de3ce591d6f4f04144220f85ae113 | c:\BOOTSECT.BAK .exe |
| 03f0c89b95d0d780679d0365c6ce2779 | c:\Boot .exe |
| 22013348cb3ea54386c9dee4676ba512 | c:\Documents and Settings .exe |
| b965234da0de91d83594aeef63579d10 | c:\Perl .exe |
| c94d2df19a91e4842c18a3ecb70314af | c:\Program Files .exe |
| d6625dee19bfcd95ddf4dba42e3e21a2 | c:\ProgramData .exe |
| 0097732504850319971faed87f071fd4 | c:\ProgramData\Saaaalamm\Mira.h |
| 7f04abe7b39911c0054a18c6c660962c | c:\ProgramData\tcegr.exe |
| b1f14e32c899c15370d1633cfb3d0ca2 | c:\System Volume Information .exe |
| ff35ee2c7825e3b91ba6afa51af769bb | c:\Users .exe |
| 0097732504850319971faed87f071fd4 | c:\Users\All Users\Saaaalamm\Mira.h |
| 7f04abe7b39911c0054a18c6c660962c | c:\Users\All Users\tcegr.exe |
| e260cd50700751a8f6a8e47e286a9340 | c:\Windows .exe |
| b37ef05dc86bd98dc40c467d00b31324 | c:\XELDZ .exe |
| b317f3d289f6f12914e40624b03f645c | c:\autoexec.bat .exe |
| 00e1cafad4103926451c8e0d36e02bd8 | c:\bootmgr .exe |
| 94c8106f93ddf67edddb93640f5895ca | c:\config.sys .exe |
| 6d114278fb2ecd8ab74f063dd980a088 | c:\marker .exe |
| 4c7f10805d8c414962fe149d9a28fe15 | c:\original .exe |
| 9745417027586ad71807abce0f6fbb99 | c:\pagefile.sys .exe |
| e612a1311750afc6aadea4389ff53bc0 | c:\totalcmd .exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Microsoft Corporation
Product Name: Mira Malware
Product Version: 1.0.0.155
Legal Copyright: Microsoft Corporation
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.155
File Description: Mira Malware
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 245368 | 245760 | 4.22546 | 1999eec8e9c4cd12139326da6738ca99 |
| .data | 249856 | 608 | 1024 | 0.488703 | 6fda88cf7188a8245a53dfde927250fd |
| .rdata | 253952 | 9384 | 9728 | 3.47165 | dbe852009dbd077a9976cb0ecfb9aadf |
| .bss | 266240 | 18576 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 286720 | 2212 | 2560 | 2.97703 | 5e5242c565219f3bd33a6568632559dc |
| .rsrc | 290816 | 758300 | 750857 | 4.88213 | f76076ea10800bfd506bdac57e102a33 |
Dropped from:
e138289d27dc4cd869fbbfdc99e90156
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 8
655bc19c80920d15c058c22fdf68359b
861ae4fd3f2ce2a095913253cce682f2
d92d8235a72c26f284f13c7868bf6a3e
9b632550a5725a5ad62c84edf596d2ac
d70d33a4943fd823eae19dca3dbed5aa
c7801a1a9c790b0bea9a7a5f32d10fed
36d2b2a3c9b6dedfd8a6f26c774ace10
1bc9903a1c803ca947112458a16950d0
URLs
| URL | IP |
|---|---|
| dns.msftncsi.com |  |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The Trojan connects to the servers at the folowing location(s):
.text
`.data
.rdata
@.bss
.idata
C:\ProgramData\tcegr.exe
Software\Microsoft\Windows\CurrentVersion\Run
Windows
Operating System
%H:%M:%S
%m/%d/%y
-0123456789
%s:%u: failed assertion `%s'
RegCloseKey
RegOpenKeyA
ADVAPI32.DLL
KERNEL32.dll
msvcrt.dll
SHELL32.DLL
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
tcegr.exe:3404
%original file name%.exe:2604 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\config.sys .exe (1963131 bytes)
C:\bootmgr .exe (1963131 bytes)
C:\Boot .exe (1963131 bytes)
C:\Windows .exe (1963131 bytes)
C:\ProgramData .exe (1963131 bytes)
C:\$Recycle.Bin .exe (1963131 bytes)
C:\BOOTSECT.BAK .exe (1963131 bytes)
%Documents and Settings% .exe (1963131 bytes)
C:\original .exe (1963131 bytes)
C:\totalcmd .exe (1963131 bytes)
C:\Users .exe (1963131 bytes)
C:\XELDZ .exe (1963131 bytes)
C:\autoexec.bat .exe (1963131 bytes)
C:\System Volume Information .exe (1963131 bytes)
C:\marker .exe (1963131 bytes)
%Program Files% .exe (1963131 bytes)
C:\%original file name%.exe .exe (1963131 bytes)
C:\pagefile.sys .exe (1963131 bytes)
C:\ProgramData\Saaaalamm\Mira.h (960208 bytes)
C:\ProgramData\tcegr.exe (1020884 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft® Windows® Operating System" = "C:\ProgramData\tcegr.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
