Trojan.Generic.17509400_965334b0b8
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.17509400 (AdAware), Installer.Win32.SmartIM.FD, InstallerSmartIM.YR (Lavasoft MAS)
Behaviour: Trojan, Installer
This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 965334b0b8b4cf5b2bde1f19bf1f7d41
SHA1: b13cae697ea3259475b0e2b54dc08c547ea842e9
SHA256: 485be1f040ad788fbb0f6d15ad97c684289eee180224f90b3aedcad222fc1c33
SSDeep: 393216:Q3GTmdfGblipNyirfnUY Gud2qh3pi20q6MxHBi:Q3qmFGxVirfAv3o20q6aA
Size: 14941749 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: CamStudio Group
Created at: 2015-12-27 07:38:55
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
Setup.exe:832
%original file name%.exe:2236
Chrome.exe:4084
The Trojan injects its code into the following process(es):
Chrome.exe:1804
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process Setup.exe:832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\7.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\5.tmp (1008 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\4.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (70 bytes)
The process %original file name%.exe:2236 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Setup.exe (512623 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Chrome.exe (15737 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx6103.tmp (0 bytes)
The process Chrome.exe:1804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\DPI Service\dpisv.exe (2321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\88DCD395-B062-45B3-A6CD-79F37C0EBA08\task.dat (39 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp8C67.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp9196.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\88DCD395-B062-45B3-A6CD-79F37C0EBA08\run.dat (8 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp8C67.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp9196.tmp (0 bytes)
Registry activity
The process %original file name%.exe:2236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process Chrome.exe:1804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DPI Service" = "%Program Files%\DPI Service\dpisv.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 089818938ac6f430b29df125bdf82924 | c:\Program Files\DPI Service\dpisv.exe |
| 089818938ac6f430b29df125bdf82924 | c:\Users\"%CurrentUserName%"\AppData\Roaming\Chrome.exe |
| a786d405c6f7f79302d07adcbed6b427 | c:\Users\"%CurrentUserName%"\AppData\Roaming\Setup.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 24124 | 24576 | 4.45853 | 1a13b408c917b27c9106545148d3b8d3 |
| .rdata | 28672 | 4714 | 5120 | 3.46982 | 921acf8cb0aea87c0603fa899765fcc2 |
| .data | 36864 | 154936 | 1536 | 2.97482 | 797517c6ef57aa95d53df2cf07568953 |
| .ndata | 192512 | 32768 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 225280 | 2536 | 2560 | 3.16884 | 690cead19e4ce22ffbab2214e9e1d5be |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| haxorbaba.duckdns.org | |
| dns.msftncsi.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The Trojan connects to the servers at the following location(s):
.idata
.rdata
P.reloc
P.rsrc
uxtheme.dll
;CRt$
PSAPI.dll
kernel32.dll
1.1.4
SOFTWARE\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\GrpConv\MapGroups
Software\Microsoft\Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
URLInfoAbout
SOFTWARE\Microsoft\.NETFramework\policy
..\sim.exe
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
! " # 0 1 2 3!
! !!!"!#!0!1!2!3"
" "!"""#"0"1"2"3#
# #!#"###0#1#2#30
0 0!0"0#000102031
1 1!1"1#101112132
2 2!2"2#202122233
3 3!3"3#30313233
CKv.AKv
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
WinExec
gdi32.dll
GetKeyState
ExitWindowsEx
EnumWindows
winmm.dll
ole32.dll
comctl32.dll
shell32.dll
GetWindowsDirectoryA
RegQueryInfoKeyA
RegEnumKeyExA
RegCreateKeyExA
ShellExecuteExA
ShellExecuteA
cabinet.dll
0(0,00040
7 7$717?7
? ?$?(?,?0?4?
11h1
KWindows
UrlMon
version="1.0.0.0"
name="Microsoft.Windows.SIM"
<requestedExecutionLevel level="requireAdministrator"/>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
Chrome.exe_1804:
.text
`.reloc
B.rsrc
/.ffefefeeffe
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
sÞUK
v2.0.50727
NanoCore Client.exe
Microsoft.VisualBasic
System.Windows.Forms
System.Drawing
kernel32.dll
psapi.dll
advapi32.dll
ntdll.dll
dnsapi.dll
ClientLoaderForm.resources
Microsoft.VisualBasic.ApplicationServices
Microsoft.VisualBasic.CompilerServices
Operators
Microsoft.VisualBasic.Devices
Microsoft.Win32
RegistryKey
NanoCore.ClientPlugin
NanoCore.ClientPluginHost
System.CodeDom.Compiler
System.Collections.Generic
KeyValuePair`2
System.Collections
System.ComponentModel
System.Diagnostics
ProcessWindowStyle
InvalidOperationException
System.IO
System.IO.Compression
System.Net
System.Net.Sockets
SocketAsyncOperation
OperatingSystem
System.Reflection
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Security.AccessControl
System.Security.Cryptography
System.Security.Principal
WindowsBuiltInRole
WindowsIdentity
WindowsPrincipal
System.Text
System.Threading
FormWindowState
#=qmLTtz8OEDrkzFTzYkI_Dg1dvKwiGw9blNcZSU_QqMsg=
.cctor
.ctor
ClosePipe
PipeExists
#=qNn8WS2rooUJUoMsG84mQ7PkK4IQF8$E42cyDjfL7Kqc=
#=qwSqLSPEuM8lJy4sOeuH92YjPodcLquqdG$OodozwC60=
#=qiY1B9yU2oVkPHxhn$y67SFTP8x1Jb0botGqdUGkdpQg=
CreatePipe
PipeCreated
#=q85afbI_HcqBFOZnC0iAqsNghLb3LsuyjFtpLEYYoPX8=
#=q$fGRvwQxjFKeY$SH10p0pyPTU$R77VMKr3CcLFQeQ2Y=
#=q6wR5WMLGkL9afTpqmWsw9g==
SetThreadExecutionState
RegOpenKeyEx
RegCloseKey
ContainsKey
PipeClosed
get_Key
GetExecutingAssembly
set_Key
get_ExecutablePath
OpenSubKey
set_UseShellExecute
set_WindowStyle
GetPublicKeyToken
get_Port
get_LastOperation
set_WindowState
8.0.0.0
System.Windows.Forms.Form
My.MyProject.Forms
4System.Web.Services.Protocols.SoapHttpClientProtocol
$025ff702-cd6b-4106-a4da-4152cd5feea9
1.2.2.0
_CorExeMain
mscoree.dll
.Giu}
%s:V5
HUkpa%c
q.Fr'
.TLB<Z<:
M.WO4q
u3DÊvTol-w
2.nmZfnm
m]-mN}
Y%s[Z
FE$.NLxa
g#C?\u.qq
Chrome.exe_1804_rwx_00400000_00038000:
.text
`.reloc
B.rsrc
/.ffefefeeffe
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
sÞUK
v2.0.50727
NanoCore Client.exe
Microsoft.VisualBasic
System.Windows.Forms
System.Drawing
kernel32.dll
psapi.dll
advapi32.dll
ntdll.dll
dnsapi.dll
ClientLoaderForm.resources
Microsoft.VisualBasic.ApplicationServices
Microsoft.VisualBasic.CompilerServices
Operators
Microsoft.VisualBasic.Devices
Microsoft.Win32
RegistryKey
NanoCore.ClientPlugin
NanoCore.ClientPluginHost
System.CodeDom.Compiler
System.Collections.Generic
KeyValuePair`2
System.Collections
System.ComponentModel
System.Diagnostics
ProcessWindowStyle
InvalidOperationException
System.IO
System.IO.Compression
System.Net
System.Net.Sockets
SocketAsyncOperation
OperatingSystem
System.Reflection
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Security.AccessControl
System.Security.Cryptography
System.Security.Principal
WindowsBuiltInRole
WindowsIdentity
WindowsPrincipal
System.Text
System.Threading
FormWindowState
#=qmLTtz8OEDrkzFTzYkI_Dg1dvKwiGw9blNcZSU_QqMsg=
.cctor
.ctor
ClosePipe
PipeExists
#=qNn8WS2rooUJUoMsG84mQ7PkK4IQF8$E42cyDjfL7Kqc=
#=qwSqLSPEuM8lJy4sOeuH92YjPodcLquqdG$OodozwC60=
#=qiY1B9yU2oVkPHxhn$y67SFTP8x1Jb0botGqdUGkdpQg=
CreatePipe
PipeCreated
#=q85afbI_HcqBFOZnC0iAqsNghLb3LsuyjFtpLEYYoPX8=
#=q$fGRvwQxjFKeY$SH10p0pyPTU$R77VMKr3CcLFQeQ2Y=
#=q6wR5WMLGkL9afTpqmWsw9g==
SetThreadExecutionState
RegOpenKeyEx
RegCloseKey
ContainsKey
PipeClosed
get_Key
GetExecutingAssembly
set_Key
get_ExecutablePath
OpenSubKey
set_UseShellExecute
set_WindowStyle
GetPublicKeyToken
get_Port
get_LastOperation
set_WindowState
8.0.0.0
System.Windows.Forms.Form
My.MyProject.Forms
4System.Web.Services.Protocols.SoapHttpClientProtocol
$025ff702-cd6b-4106-a4da-4152cd5feea9
1.2.2.0
_CorExeMain
mscoree.dll
.Giu}
%s:V5
HUkpa%c
q.Fr'
.TLB<Z<:
M.WO4q
u3DÊvTol-w
2.nmZfnm
m]-mN}
Y%s[Z
FE$.NLxa
g#C?\u.qq
Chrome.exe_1804_rwx_69722000_00002000:
.ri3J
-yiq.yiw
-yiq.yi
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Setup.exe:832
%original file name%.exe:2236
Chrome.exe:4084
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\7.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\5.tmp (1008 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\4.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (70 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Setup.exe (512623 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Chrome.exe (15737 bytes)
%Program Files%\DPI Service\dpisv.exe (2321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\88DCD395-B062-45B3-A6CD-79F37C0EBA08\task.dat (39 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp8C67.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp9196.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\88DCD395-B062-45B3-A6CD-79F37C0EBA08\run.dat (8 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DPI Service" = "%Program Files%\DPI Service\dpisv.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.