Trojan.GenericKD.4122634_62dc5c561c
Trojan.GenericKD.4122634 (BitDefender), UDS:DangerousObject.Multi.Generic (Kaspersky), Trojan.GenericKD.4122634 (B) (Emsisoft), Trojan.GenericKD.4122634 (FSecure), Win32:Evo-gen [Susp] (Avast), Trojan.GenericKD.4122634 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 62dc5c561ce9efcbc3b3fc110224e9f2
SHA1: fa9d7f69df3d60227c0d794cf8e3082aa93535bb
SHA256: e4df048888e2c847d372fbc2a94e58271f503e9709488a868b62f6af31ce3621
SSDeep: 3072:CPzUQ2gyYqrf5cu22wsrz89RUsfUJi35IddQoERteN0LUYp8Q:CMfe2RY9mIUJi3HJfLUYp8Q
Size: 157441 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-07-25 03:55:47
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:2948
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx760B.tmp\nsProcess.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx760B.tmp\INetC.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\setup6-139[1].exe (1403588 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\ssn\Update\setup.exe (1490732 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx760A.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\ssn\Update\setup.php (329 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx7609.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx760B.tmp (0 bytes)
Registry activity
The process %original file name%.exe:2948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\62dc5c561ce9efcbc3b3fc110224e9f2_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\62dc5c561ce9efcbc3b3fc110224e9f2_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\62dc5c561ce9efcbc3b3fc110224e9f2_RASMANCS]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\62dc5c561ce9efcbc3b3fc110224e9f2_RASAPI32]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\Windows Error Reporting]
"DontShowUI" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\62dc5c561ce9efcbc3b3fc110224e9f2_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\62dc5c561ce9efcbc3b3fc110224e9f2_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\62dc5c561ce9efcbc3b3fc110224e9f2_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
"ProxyOverride"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Save Serp Now"
Dropped PE files
| MD5 | File path |
|---|---|
| 92ec4dd8c0ddd8c4305ae1684ab65fb0 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx760B.tmp\INetC.dll |
| faa7f034b38e729a983965c04cc70fc1 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx760B.tmp\nsProcess.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 24005 | 24064 | 4.48543 | 566b191b40fde4369ae73a05b57df1d2 |
| .rdata | 28672 | 4678 | 5120 | 3.46601 | 6389f916226544852e494114faf192ad |
| .data | 36864 | 108568 | 1024 | 3.61864 | 72dcd89e8824ae186467be61797ed81e |
| .ndata | 147456 | 36864 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 184320 | 80008 | 80384 | 3.39614 | 9c80d50fe981950c063dda1f056eddf5 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://saveserpnow.com/setup6-139.exe | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
HEAD /setup6-139.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: saveserpnow.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 05 Jul 2017 06:28:30 GMT
Content-Type: application/octet-stream
Content-Length: 28950011
Last-Modified: Fri, 14 Oct 2016 07:58:38 GMT
Connection: keep-alive
ETag: "5800902e-1b9bdfb"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Accept-Ranges: bytes....
GET /setup6-139.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: saveserpnow.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 05 Jul 2017 06:28:31 GMT
Content-Type: application/octet-stream
Content-Length: 28950011
Last-Modified: Fri, 14 Oct 2016 07:58:38 GMT
Connection: keep-alive
ETag: "5800902e-1b9bdfb"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Accept-Ranges: bytesMZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........(...F...F.
..F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F...................
......PE..L....c.W.................^....... .. 2.......p....@.........
..............................@.................................(t....
.......A..............................................................
.............p...............................text....].......^........
.......... ..`.rdata..F....p.......b..............@..@.data...........
.....v..............@....ndata... ...p...........................rsrc.
...A.......B...z..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
.(gD..H.P.u..u..u....r@..B...SV.50gD..E.WP.u....r@..e...E..E.P.u....r@
..}..e....\p@........FR..VV..U... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...dp@..E...E.P.E.P.u....r@..u
....E..9}...w....~X.te.v4..Tp@....E.tU.}.j.W.E......E.......Pp@..vXW..
Xp@..u..5Lp@.W...E..E.h ...Pj.h 'D.W...r@..u.W...u....E.P.u...lr@._^3.
[.....L$..HgD...Si.. ..VW.T.....tO.q.3.;5LgD.sB..i.. ...D.......t.G...
..t...O..t .....u...3....3...F.. ..;5LgD.r._^[...U..QQ.U.SV..i.. .<<< skipped >>>
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.ndata
.rsrc
Vj%SSS
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
%s%s.dll
sers\"%CurrentUserName%"\AppData\Local\Temp\nsx760B.tmp\INetC.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx760B.tmp\INetC.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx760B.tmp
@.reloc
KERNEL32.DLL
USER32.DLL
COMCTL32.DLL
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpEndRequestA
HttpAddRequestHeadersA
HttpSendRequestA
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestExA
WININET.DLL
INetC.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
t.UWh
.QLvNV
;eo
j.ZXd
sx760B.tmp
sers\"%CurrentUserName%"\AppData\Local\Temp\nsx760B.tmp
\%original file name%.exe
c:\%original file name%.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\ssn
C:\Users\"%CurrentUserName%"\AppData\Roaming\ssn\Update
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsx7609.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>1.0.5.2
inetc.dll
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2948
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx760B.tmp\nsProcess.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx760B.tmp\INetC.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\setup6-139[1].exe (1403588 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\ssn\Update\setup.exe (1490732 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx760A.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\ssn\Update\setup.php (329 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.