Trojan.MSIL.Dropper.GZ_91072c9d07
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.MSIL.Dropper.GZ (B) (Emsisoft), Trojan.MSIL.Dropper.GZ (AdAware)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 91072c9d07434e9df33469b8e7ca1222
SHA1: b55e96f801480cd4694f23e532375a871b1e1188
SHA256: f5103d3d70601da369e874860901a3403ad834c05d921fae0387304f91bc57f6
SSDeep: 6144:NWu32OFAap/K7m6ziPUVY4Z0MS1dYcWyVvs0B22GWsLAXj4R:SOl/8m6zhYWyVv1BYLL06
Size: 525312 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company:
Created at: 2016-12-19 12:36:23
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:2320
%original file name%.exe:2296
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
No files have been created.
Registry activity
The process %original file name%.exe:2320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process %original file name%.exe:2296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_7NJKR" = "C:\%original file name%.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: 9
Product Name: 9
Product Version: 6.3.5.5
Legal Copyright: Copyright (c) 5482
Legal Trademarks:
Original Filename: DOMINO123.exe
Internal Name: DOMINO123.exe
File Version: 6.3.5.5
File Description: 9PFCCQFFN
Comments: 9PFC
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 356348 | 356352 | 4.19905 | 29b557a7237bb11d2d3cc8d73a5337bc |
| .rsrc | 368640 | 167788 | 167936 | 2.47373 | 857a37a0ad7807f7adcdaabe6f0be7a4 |
| .reloc | 540672 | 12 | 512 | 0.070639 | 9c2e109ea7dd4651ab1324e168a5b5c0 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2320
%original file name%.exe:2296
- Delete the original Trojan file.
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_7NJKR" = "C:\%original file name%.exe"
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.