MD5: 93fe3bd2340330c809a5edbe08320cee
SHA1: fe1d02803a5963587ffa5338f94a8f836f3a9b54
SHA256: ab780a82ff855841f6f6c192c1bf2d6c9bad1721c70075d37e30c9aab652ec81
SSDeep: 49152:aKu3FOTJSHQ/RZXJl1pFfuXtRo50CxL/m1jt7BR:EkTgSRlJj3uXD6L/8j1T
Size: 1674752 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-10-31 05:28:47
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

NCIFFB~1.EXE:1776
%original file name%.exe:1784

The Trojan injects its code into the following process(es):

RegSvcs.exe:2192

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process NCIFFB~1.EXE:1776 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5521.tmp (5505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\eYTIg (500 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\RiNc.exe (1874 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\eYTIg (6993 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5551.tmp (5641 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\RiNc.exe (10129 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5521.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5551.tmp (0 bytes)

The process RegSvcs.exe:2192 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Imminent\Logs\18-12-2016 (265 bytes)

The process %original file name%.exe:1784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\NCIFFB~1.EXE (33501 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\eYTIg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\RiNc.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\NCIFFB~1.EXE (0 bytes)

Registry activity

The process %original file name%.exe:1784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Microsoft Corporation
Product Name: Internet Explorer
Product Version: 11.00.9600.16384
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE .MUI
Internal Name: Wextract
File Version: 11.00.9600.16384 (winblue_rtm.130821-1623)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
crypmap.chickenkiller.com	85.204.49.128

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.reloc

j.Yf;

r%f;M

j.Xf;

j.Zf;

PSSSSSSh

Gt.Ht$

jk.AEw

Bv.TBv

Av9.jkj

Bv.SCv

kernel32.dll

?#%X.y

GetProcessWindowStation

operator

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is compiled without UTF support

PCRE does not support \L, \l, \N{name}, \U, or \u

support for \P, \p, and \X has not been compiled

this version of PCRE is not compiled with Unicode property support

\N is not supported in a class

RegDeleteKeyExW

advapi32.dll

Error text not found (please report)

WSOCK32.dll

VERSION.dll

WINMM.dll

COMCTL32.dll

MPR.dll

InternetCrackUrlW

HttpQueryInfoW

HttpOpenRequestW

HttpSendRequestW

FtpOpenFileW

FtpGetFileSize

InternetOpenUrlW

WININET.dll

PSAPI.DLL

IPHLPAPI.DLL

USERENV.dll

UxTheme.dll

GetProcessHeap

CreatePipe

GetWindowsDirectoryW

KERNEL32.dll

OpenWindowStationW

SetProcessWindowStation

CloseWindowStation

MapVirtualKeyW

EnumChildWindows

EnumWindows

VkKeyScanW

GetKeyState

GetKeyboardState

SetKeyboardState

GetAsyncKeyState

keybd_event

EnumThreadWindows

ExitWindowsEx

UnregisterHotKey

RegisterHotKey

GetKeyboardLayoutNameW

USER32.dll

SetViewportOrgEx

GDI32.dll

COMDLG32.dll

RegOpenKeyExW

RegCloseKey

RegCreateKeyExW

RegEnumKeyExW

RegDeleteKeyW

ADVAPI32.dll

ShellExecuteW

SHFileOperationW

ShellExecuteExW

SHELL32.dll

ole32.dll

OLEAUT32.dll

GetCPInfo

zcÁ

UQ.WP

mI.Us

\.gGL

.FFF<

,.bh9

].Whjj*

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>

? ?$?(?,?0?4?8?

2 2$2(2,2024282

<#<'< </<

4F4s4

4D4C4R4e4u4

2!2%2)2-2125292=2

01s1

2=22393@3[3

?&?-?4?:?

8Ÿ94:

8!9*919<9

> >$>(>,>

? ?$?(?,?0?

/AutoIt3ExecuteScript

/AutoIt3ExecuteLine

CMDLINE

CMDLINERAW

FTPSETPROXY

GUICTRLRECVMSG

GUICTRLSENDMSG

GUIGETMSG

GUIREGISTERMSG

HOTKEYSET

HTTPSETPROXY

HTTPSETUSERAGENT

ISKEYWORD

MAPKEYS

MSGBOX

REGENUMKEY

SHELLEXECUTE

SHELLEXECUTEWAIT

TCPACCEPT

TCPCLOSESOCKET

TCPCONNECT

TCPLISTEN

TCPNAMETOIP

TCPRECV

TCPSEND

TCPSHUTDOWN

TCPSTARTUP

TRAYGETMSG

UDPBIND

UDPCLOSESOCKET

UDPOPEN

UDPRECV

UDPSEND

UDPSHUTDOWN

UDPSTARTUP

SendKeyDownDelay

SendKeyDelay

TCPTimeout

mscoree.dll

combase.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

789:;<=>?

APPSKEY

WINDOWSDIR

AUTOITEXE

HOTKEYPRESSED

%s (%d) : ==> %s.:

Line %d:

Line %d (File "%s"):

%s (%d) : ==> %s:

AutoIt script files (*.au3, *.a3x)

*.au3;*.a3x

All files (*.*)

KEYS

Line %d:

\\?\UNC\

04090000

%u.%u.%u.%u

0.0.0.0

Mddddd

"%s" (%d) : ==> %s:

\??\%s

GUI_RUNDEFMSG

AUTOITCALLVARIABLE%d

255.255.255.255

Keyword

AUTOIT.ERROR

Null Object assignment in FOR..IN loop

Incorrect Object type in FOR..IN loop

3, 3, 14, 2

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_USERS

%d/d/d

C:\Users\"%CurrentUserName%"\AppData\Roaming\RiNc.exe

hXXp://VVV.autoitscript.com/autoit3/

AutoIt3.exe

AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.

Missing operator in expression."Unbalanced brackets in expression.

>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.

Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.

3This keyword cannot be used after a "Then" keyword.

0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.

Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.

HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.

String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.

RegSvcs.exe_2192:

.text

`.rsrc

@.reloc

lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

.VE_<jR

:Te%s

hU.fS

}vk.Ul

S%S/\n

Gp{.KI

:b.Ui

ePJfc.Nlf

{%s!gek

.Pt]c^

B:\}/

%fGurX

'%C>Pf

Qd.Hk

1,MsG

Z*C.cH4

.Sr[7

^U.xF

%Ur<R

\..Mp

.iK[La

crtG

;.On`

li.bMH\

m%F%g

eZ.gVl

IR.yX

K7`i3.Gs

A|Qd.FUl

(.fsr

v2.0.50727

imbtcgen.exe

Microsoft.VisualBasic

imbtcgen.Resources.resources

Microsoft.VisualBasic.ApplicationServices

.ctor

System.ComponentModel

System.CodeDom.Compiler

Microsoft.VisualBasic.Devices

System.Diagnostics

m_MyWebServicesObjectProvider

.cctor

get_WebServices

HelpKeywordAttribute

System.ComponentModel.Design

WebServices

Microsoft.VisualBasic.CompilerServices

MyWebServices

System.Runtime.CompilerServices

System.Runtime.InteropServices

System.Text

SevenZip.Compression.LZMA

System.Resources

System.IO.Compression

System.IO

System.Reflection

GetExecutingAssembly

System.Collections.Generic

Please contact abuse@imminentmethods.net with the hardware id: 6986a9d52f30dc2e59898ad346f76a6e and company name: Show if this assembly was found being used maliciously. And the offenders license will be banned. This file was built using Invisible Mode

8.0.0.0

My.Computer

My.Application

My.User

My.WebServices

4System.Web.Services.Protocols.SoapHttpClientProtocol

1.0.0.0

_CorExeMain

mscoree.dll

data.dat

lzma.dat

RegSvcs.exe_2192_rwx_00070000_0005E000:

.text

`.rsrc

@.reloc

lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

.VE_<jR

:Te%s

hU.fS

}vk.Ul

S%S/\n

Gp{.KI

:b.Ui

ePJfc.Nlf

{%s!gek

.Pt]c^

B:\}/

%fGurX

'%C>Pf

Qd.Hk

1,MsG

Z*C.cH4

.Sr[7

^U.xF

%Ur<R

\..Mp

.iK[La

crtG

;.On`

li.bMH\

m%F%g

eZ.gVl

IR.yX

K7`i3.Gs

A|Qd.FUl

(.fsr

v2.0.50727

imbtcgen.exe

Microsoft.VisualBasic

imbtcgen.Resources.resources

Microsoft.VisualBasic.ApplicationServices

.ctor

System.ComponentModel

System.CodeDom.Compiler

Microsoft.VisualBasic.Devices

System.Diagnostics

m_MyWebServicesObjectProvider

.cctor

get_WebServices

HelpKeywordAttribute

System.ComponentModel.Design

WebServices

Microsoft.VisualBasic.CompilerServices

MyWebServices

System.Runtime.CompilerServices

System.Runtime.InteropServices

System.Text

SevenZip.Compression.LZMA

System.Resources

System.IO.Compression

System.IO

System.Reflection

GetExecutingAssembly

System.Collections.Generic

Please contact abuse@imminentmethods.net with the hardware id: 6986a9d52f30dc2e59898ad346f76a6e and company name: Show if this assembly was found being used maliciously. And the offenders license will be banned. This file was built using Invisible Mode

8.0.0.0

My.Computer

My.Application

My.User

My.WebServices

4System.Web.Services.Protocols.SoapHttpClientProtocol

1.0.0.0

_CorExeMain

mscoree.dll

data.dat

lzma.dat

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   NCIFFB~1.EXE:1776
   %original file name%.exe:1784

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5521.tmp (5505 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\eYTIg (500 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\RiNc.exe (1874 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\eYTIg (6993 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut5551.tmp (5641 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\RiNc.exe (10129 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Imminent\Logs\18-12-2016 (265 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\NCIFFB~1.EXE (33501 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
   "wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.