Trojan.Agent.CCPK_be839c8483



by malwarelabrobot on May 20th, 2017 in Malware Descriptions.

Trojan.Agent.CCPK (BitDefender), Worm:Win32/Mira.A (Microsoft), Trojan.Win32.Agent.icgh (Kaspersky), Worm.Win32.Mira.a (v) (VIPRE), Trojan.MulDrop5.32888 (DrWeb), Trojan.Agent.CCPK (B) (Emsisoft), W32/Worm-FUC!BE839C848349 (McAfee), W32.SillyFDC (Symantec), Worm.Win32.Mira (Ikarus), Trojan.Agent.CCPK (FSecure), SHeur4.BVDT (AVG), Win32:Malware-gen (Avast), WORM_MIRAS.SMN (TrendMicro), Trojan.Agent.CCPK (AdAware), Trojan.Win32.Swrort.4.FD, TrojanSwrort.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: be839c8483496ab025756e0378624170
SHA1: 3fc038232394be045b4615be37bcf8e1b1a35f29
SHA256: 9107e208eba4a6f8c079ef47c91da3123d5e8f11cd5cc53f06bfd32a41271c8b
SSDeep: 12288:71/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0kOjdHt8F0bywWV13AzgtCsYpduP3No87:71/aGLDCM4D8ayGMwedH60tWV13AgCsX
Size: 688200 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Mail.Ru
Created at: 2014-02-27 08:41:59
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse). Most vendors in the detection list above classify this sample as a worm (Win32/Mira, W32.SillyFDC), and the file activity below shows the self-copying behaviour that label refers to.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

vgmah.exe:3104
%original file name%.exe:848

The Trojan injects its code into the following process(es):
No code injection was observed.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process vgmah.exe:3104 makes changes in the file system.
The Trojan creates and/or writes to the following file(s). Each name is an existing entry in the root of C:\ followed by a space and ".exe", so that with known extensions hidden the copy looks like the folder or file it sits beside:

C:\original .exe (1346717 bytes)
C:\config.sys .exe (1346717 bytes)
C:\bootmgr .exe (1346717 bytes)
C:\Boot .exe (1346717 bytes)
C:\Windows .exe (1346717 bytes)
C:\ProgramData .exe (1346717 bytes)
C:\$Recycle.Bin .exe (1346717 bytes)
C:\BOOTSECT.BAK .exe (1346717 bytes)
%Documents and Settings% .exe (1346717 bytes)
C:\totalcmd .exe (1346717 bytes)
C:\Users .exe (1346717 bytes)
C:\XELDZ .exe (1346717 bytes)
C:\autoexec.bat .exe (1346717 bytes)
C:\System Volume Information .exe (1346717 bytes)
C:\marker .exe (1346717 bytes)
C:\%original file name%.exe .exe (1346717 bytes)
%Program Files% .exe (1346717 bytes)
C:\pagefile.sys .exe (1346717 bytes)

The Trojan deletes the following file(s) (zero-byte files named C:\Mira followed by a single letter):

C:\Mirax (0 bytes)
C:\Mirau (0 bytes)
C:\Mirav (0 bytes)
C:\Miraw (0 bytes)
C:\Mirap (0 bytes)
C:\Mirar (0 bytes)
C:\Miras (0 bytes)
C:\Miram (0 bytes)
C:\Mirah (0 bytes)
C:\Mirai (0 bytes)
C:\Miraj (0 bytes)
C:\Mirad (0 bytes)
C:\Mirae (0 bytes)
C:\Mirag (0 bytes)
C:\Miraa (0 bytes)
C:\Mirac (0 bytes)

The process %original file name%.exe:848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Saaaalamm\Mira.h (542872 bytes)
C:\ProgramData\vgmah.exe (804670 bytes)

Registry activity

The process vgmah.exe:3104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To run itself each time Windows starts, the Trojan adds a value pointing at its dropped file to the following autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft® Windows® Operating System" = "C:\ProgramData\vgmah.exe"

Dropped PE files

MD5 File path
9b39d86ca2284d22446241f0b046afd8 c:\$Recycle.Bin .exe
fc41ae83dc980cf2c3300c340426ee4a c:\BOOTSECT.BAK .exe
bc66a220375c919c7712ae2473329eab c:\Boot .exe
9d30153b8bc1b3524465cd7be324779b c:\Documents and Settings .exe
ac5e727570f46b013f13226fa8a9b4e7 c:\Perl .exe
ba10c484d6ad9cf008eb10fa4111adc7 c:\Program Files .exe
1e81764340cf910a58b5d0640349e345 c:\ProgramData .exe
d882647ae95e92c82bd66478d7043df3 c:\ProgramData\Saaaalamm\Mira.h
33a1a253b4af223ee37c1cd9c6c46d22 c:\ProgramData\vgmah.exe
9a368b3b9418ecbd5adb97c67038d441 c:\System Volume Information .exe
3888a32a0ab7f1619d0b74851a8febad c:\Users .exe
d882647ae95e92c82bd66478d7043df3 c:\Users\All Users\Saaaalamm\Mira.h
33a1a253b4af223ee37c1cd9c6c46d22 c:\Users\All Users\vgmah.exe
6fbe1fda26c71ee493c17730a584fd3e c:\Windows .exe
28bc76b6f48b6039f7e8235c21f5bc86 c:\XELDZ .exe
f4af0eb86e4b76f3e6c77b21b2b7afb8 c:\autoexec.bat .exe
ea8d176343297a3efc84fc87cfcfdc73 c:\%original file name%.exe .exe
8231752471ecdcbd2dd31028e1caa325 c:\bootmgr .exe
023175f29b1f773db9e5bfa52b99d208 c:\config.sys .exe
575a06949c3d6c09c34f5ef0319dd17c c:\marker .exe
0af4d2457e897862be9429979dda2236 c:\original .exe
c674fbe9be19657586fa80613e804456 c:\pagefile.sys .exe
00cdc0dae16cd4ee92d9e25a77c548d4 c:\totalcmd .exe
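The indicators above lend themselves to a simple host triage. The script below is an added example, not Lavasoft's code or output; it runs offline against an exported file inventory (path to MD5) and an export of the HKCU Run key, such as an EDR or forensic image would give you. The inventory in the block is constructed for illustration; the hashes, paths and registry value are the ones the report lists. One caveat from the Dropped PE files table is built in: every companion copy has the same size (1346717 bytes) yet a different MD5, so hash matching only catches the two stable artefacts (vgmah.exe and Mira.h), and the companions are found by their naming pattern instead, an existing entry name followed by a space and ".exe".

```python
"""Host triage for the Win32/Mira (Trojan.Agent.CCPK) indicators above.

Added example, not part of the Lavasoft report.  Works offline on a
path -> MD5 inventory and a name -> data listing of the HKCU Run key.
SAMPLE_FILES / SAMPLE_RUN are constructed; indicator values are from the report.
"""
import json
import re
from typing import Dict, Iterable, List

# Stable hashes from the report.  Companion copies are deliberately absent:
# each has a different MD5 despite identical size, so they are found by name.
KNOWN_MD5 = {
    "be839c8483496ab025756e0378624170",  # analysed sample
    "33a1a253b4af223ee37c1cd9c6c46d22",  # C:\ProgramData\vgmah.exe
    "d882647ae95e92c82bd66478d7043df3",  # C:\ProgramData\Saaaalamm\Mira.h
}

# Persistence: value name imitates Windows itself, data points at the dropper.
RUN_VALUE_NAME = "Microsoft\u00ae Windows\u00ae Operating System"
RUN_VALUE_DATA = r"C:\ProgramData\vgmah.exe"

# "<existing entry> .exe" (note the space before the extension) in any folder.
COMPANION_RE = re.compile(
    r"^(?P<dir>[A-Za-z]:\\(?:[^\\]+\\)*)(?P<base>[^\\]+) \.exe$", re.IGNORECASE
)
# Zero-byte marker files C:\Mira<letter> seen being deleted in the report.
MARKER_RE = re.compile(r"^[A-Za-z]:\\Mira[a-z]$", re.IGNORECASE)


def companion_files(paths: Iterable[str]) -> Dict[str, bool]:
    """Map each '<X> .exe' path to whether its sibling '<X>' is also present.

    A present sibling is the worm's folder/file mimicry; an absent one is
    still suspicious but should be reviewed rather than deleted blindly.
    """
    listing = list(paths)
    present = {p.lower() for p in listing}  # NTFS names are case-insensitive
    hits: Dict[str, bool] = {}
    for p in listing:
        m = COMPANION_RE.match(p)
        if m:
            hits[p] = (m.group("dir") + m.group("base")).lower() in present
    return hits


def hash_hits(inventory: Dict[str, str]) -> List[str]:
    """Paths whose MD5 is one of the known-bad hashes."""
    return sorted(p for p, md5 in inventory.items() if md5.lower() in KNOWN_MD5)


def marker_files(paths: Iterable[str]) -> List[str]:
    return sorted(p for p in paths if MARKER_RE.match(p))


def autorun_hits(run_values: Dict[str, str]) -> List[str]:
    """Run values that carry the lookalike name or launch the dropper."""
    hits = []
    for name, data in run_values.items():
        target = data.strip().strip('"').lower()
        if name == RUN_VALUE_NAME or target.startswith(RUN_VALUE_DATA.lower()):
            hits.append(name)
    return hits


def triage(inventory: Dict[str, str], run_values: Dict[str, str]) -> Dict[str, object]:
    companions = companion_files(inventory)
    confirmed = sorted(p for p, sib in companions.items() if sib)
    unverified = sorted(p for p, sib in companions.items() if not sib)
    hashes, markers = hash_hits(inventory), marker_files(inventory)
    autorun = autorun_hits(run_values)
    return {
        "companions_confirmed": confirmed,
        "companions_unverified": unverified,
        "hash_matches": hashes,
        "markers": markers,
        "autorun_values": autorun,
        "infected": bool(confirmed or hashes or autorun),
        # Mirrors the manual removal steps: files to delete, Run values to remove.
        "removal_plan": {
            "delete_files": sorted(set(confirmed) | set(hashes) | set(markers)),
            "delete_run_values": autorun,
        },
    }


# Constructed inventory: a few report artefacts plus benign entries.
SAMPLE_FILES: Dict[str, str] = {
    r"C:\Windows": "",
    r"C:\Windows .exe": "6fbe1fda26c71ee493c17730a584fd3e",
    r"C:\Users": "",
    r"C:\Users .exe": "3888a32a0ab7f1619d0b74851a8febad",
    r"C:\pagefile.sys": "",
    r"C:\pagefile.sys .exe": "c674fbe9be19657586fa80613e804456",
    r"C:\ProgramData\vgmah.exe": "33a1a253b4af223ee37c1cd9c6c46d22",
    r"C:\ProgramData\Saaaalamm\Mira.h": "d882647ae95e92c82bd66478d7043df3",
    r"C:\Mirac": "",
    r"C:\Users\alice\report .exe": "00" * 16,  # constructed: sibling absent
    r"C:\totalcmd\TOTALCMD.EXE": "11" * 16,    # constructed benign hash
}
SAMPLE_RUN: Dict[str, str] = {
    RUN_VALUE_NAME: RUN_VALUE_DATA,
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FILES, SAMPLE_RUN), indent=2))
```

Act on the plan only after terminating vgmah.exe, as the manual removal steps below require; `companions_unverified` collects "X .exe" names whose sibling "X" is not in the inventory and is meant for human review, not deletion.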

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 245368 245760 4.21465 8b164ac8ef3742f37830dc1842275667
.data 249856 608 1024 0.488703 6fda88cf7188a8245a53dfde927250fd
.rdata 253952 9384 9728 3.47165 dbe852009dbd077a9976cb0ecfb9aadf
.bss 266240 18576 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 286720 2212 2560 2.97703 5e5242c565219f3bd33a6568632559dc
.rsrc 290816 26552 26624 4.19534 7ad53b830d25f56d127d743b7c1a3717
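The header lists "Entropy: Packed" and a PEiD match for UPolyX, but the section table does not bear that out: the largest section, .text, has an entropy of 4.21 bits per byte and nothing in the file exceeds 4.22, whereas compressed or encrypted payloads sit close to 8. The .bss row has a raw size of 0 and the MD5 of the empty input (d41d8cd9...), which is expected for an uninitialised-data section and not a sign of tampering. The following added example (not part of the report) computes Shannon entropy over raw bytes and applies a threshold both to the reported table and to constructed byte samples, so the reader can see why a packer-signature hit alone is weak evidence; the 7.0 threshold is a rule of thumb assumed here, not a value from the report.

```python
"""Shannon entropy check for the 'Entropy: Packed' verdict.

Added example, not part of the report.  REPORTED_SECTIONS is copied from the
PE Sections table; the byte samples are constructed.
"""
import hashlib
import math
from collections import Counter
from typing import List, Sequence, Tuple

Section = Tuple[str, int, float]  # (name, raw size, entropy in bits/byte)

# Compressed or encrypted data is close to 8 bits/byte; 7.0 is a common
# rule of thumb (assumption, not a value from the report).
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packing_assessment(sections: Sequence[Section]) -> Tuple[bool, List[str]]:
    """Decide whether section entropies indicate packing and explain why.

    Sections with raw size 0 (such as .bss) occupy no file bytes and are
    skipped: their entropy, and the MD5 of the empty input, say nothing.
    """
    notes: List[str] = []
    high: List[str] = []
    for name, raw_size, entropy in sections:
        if raw_size == 0:
            notes.append(f"{name}: no raw data, skipped")
            continue
        if entropy >= PACKED_THRESHOLD:
            high.append(name)
        notes.append(f"{name}: {entropy:.2f} bits/byte over {raw_size} bytes")
    if high:
        notes.append("packed/encrypted data likely in: " + ", ".join(high))
    else:
        notes.append(f"no section reaches {PACKED_THRESHOLD} bits/byte; "
                     "not consistent with a packed payload")
    return bool(high), notes


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes (chained SHA-256), standing in for a packed section."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def section_from_bytes(name: str, data: bytes) -> Section:
    """Build a table row from raw section bytes, e.g. read from a PE on disk."""
    return (name, len(data), shannon_entropy(data))


# Values as printed in the report's PE Sections table for be839c84...
REPORTED_SECTIONS: List[Section] = [
    (".text", 245760, 4.21465),
    (".data", 1024, 0.488703),
    (".rdata", 9728, 3.47165),
    (".bss", 0, 0.0),
    (".idata", 2560, 2.97703),
    (".rsrc", 26624, 4.19534),
]

if __name__ == "__main__":
    packed, notes = packing_assessment(REPORTED_SECTIONS)
    print("reported sample looks packed:", packed)
    print("\n".join(notes))
    synthetic = [section_from_bytes(".text", pseudo_random_bytes(65536))]
    print("synthetic high-entropy section looks packed:", packing_assessment(synthetic)[0])
```

A PEiD signature match tells you that a byte pattern associated with a packer was found somewhere in the file; section entropy tells you whether the code actually present is compressed or encrypted. When the two disagree, as here, trust the measurement and treat the "Packed" label as a hint to verify, not a finding.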

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 4
ccd3719cc98cbc5e9efd295dabeb0f11
1955975b7640580714c3abd149d23ee5
afb7759d5b2e688b66822c500aaf6315
7b09c2fda50e1f28f57bf54e0a1132f2

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

No server connections were observed.

Strings from dumps

Strings recovered from the memory of the malware process and from two Windows Search host processes (SearchProtocolHost.exe and SearchFilterHost.exe) that were captured during the run. The search hosts are legitimate Microsoft binaries, identified by their own version strings below, and their listed strings are all Windows Search internals; the vgmah.exe dump is the one of interest.

vgmah.exe_3104:

.text
`.data
.rdata
@.bss
.idata
C:\ProgramData\vgmah.exe
Software\Microsoft\Windows\CurrentVersion\Run
Windows
Operating System
%H:%M:%S
%m/%d/%y
-0123456789
%s:%u: failed assertion `%s'
RegCloseKey
RegOpenKeyA
ADVAPI32.DLL
KERNEL32.dll
msvcrt.dll
SHELL32.DLL
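The strings recovered from vgmah.exe's memory are what an analyst hopes for: the autorun key path, the dropped file path and the registry API names the persistence code needs (the .bss and .idata section names together with the "%s:%u: failed assertion" message are consistent with a GCC/MinGW build, although the report does not state the compiler). The added example below, not part of the report or of the Lavasoft analysis system, is a minimal strings extractor that recovers both ASCII and UTF-16LE runs from a dump and sorts them into the categories seen above; the dump bytes are constructed for illustration.

```python
"""Minimal strings extractor with IOC bucketing for process dumps.

Added example, not part of the report or of the Lavasoft analysis system.
SAMPLE_DUMP is constructed to resemble the vgmah.exe strings listed above.
"""
import re
from typing import Dict, List


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return printable ASCII and UTF-16LE runs of at least min_len characters.

    The UTF-16LE pass matters on Windows dumps: registry paths and file names
    handed to the W variants of the API are invisible to an ASCII-only scan.
    """
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_run.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in utf16_run.finditer(blob)]
    return found


# Buckets chosen to match what the report's vgmah.exe dump shows.
RULES = [
    ("autorun-key", re.compile(r"CurrentVersion\\Run$", re.IGNORECASE)),
    ("dropped-path", re.compile(r"^[A-Za-z]:\\ProgramData\\", re.IGNORECASE)),
    ("registry-api", re.compile(r"^Reg(Open|Close|Create|Set|Query|Delete|Enum)")),
    ("import", re.compile(r"^[A-Za-z0-9_\-]+\.dll$", re.IGNORECASE)),
]


def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Group strings by the first matching rule; unmatched ones go to 'other'."""
    buckets: Dict[str, List[str]] = {name: [] for name, _ in RULES}
    buckets["other"] = []
    for s in strings:
        for name, rx in RULES:
            if rx.search(s):
                buckets[name].append(s)
                break
        else:
            buckets["other"].append(s)
    return buckets


# Constructed dump fragment.  NUL padding between segments keeps an ASCII
# string's terminator from being read as the first pair of a UTF-16 run.
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"C:\\ProgramData\\vgmah.exe\x00" + b"\x00" * 3
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00" * 4
    + b"\xff\xfe\x01\x02\x7f\x80"                       # non-printable junk
    + b"RegOpenKeyA\x00RegCloseKey\x00ADVAPI32.DLL\x00"
    + b"%s:%u: failed assertion `%s'\x00"
    + b"ab\x00"                                         # below min_len, dropped
)

if __name__ == "__main__":
    for bucket, items in classify(extract_strings(SAMPLE_DUMP)).items():
        print(f"{bucket:13s} {items}")
```

The bucketing is deliberately narrow (autorun key, ProgramData path, Reg* API, DLL import) because those are exactly the classes of string that distinguish the vgmah.exe dump from the two Windows Search dumps that follow; widen the rules for other families rather than loosening these.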

SearchProtocolHost.exe_3776:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610

SearchFilterHost.exe_1948:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    vgmah.exe:3104
    %original file name%.exe:848

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\original .exe (1346717 bytes)
    C:\config.sys .exe (1346717 bytes)
    C:\bootmgr .exe (1346717 bytes)
    C:\Boot .exe (1346717 bytes)
    C:\Windows .exe (1346717 bytes)
    C:\ProgramData .exe (1346717 bytes)
    C:\$Recycle.Bin .exe (1346717 bytes)
    C:\BOOTSECT.BAK .exe (1346717 bytes)
    %Documents and Settings% .exe (1346717 bytes)
    C:\totalcmd .exe (1346717 bytes)
    C:\Users .exe (1346717 bytes)
    C:\XELDZ .exe (1346717 bytes)
    C:\autoexec.bat .exe (1346717 bytes)
    C:\System Volume Information .exe (1346717 bytes)
    C:\marker .exe (1346717 bytes)
    C:\%original file name%.exe .exe (1346717 bytes)
    %Program Files% .exe (1346717 bytes)
    C:\pagefile.sys .exe (1346717 bytes)
    C:\ProgramData\Saaaalamm\Mira.h (542872 bytes)
    C:\ProgramData\vgmah.exe (804670 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft® Windows® Operating System" = "C:\ProgramData\vgmah.exe"

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
