Trojan.MSIL.Qhost.bgy_2af3c15cb1

by malwarelabrobot on April 11th, 2018 in Malware Descriptions.

Trojan.GenericKD.3006011 (BitDefender), Trojan.MSIL.Qhost.bgy (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Hosts.43624 (DrWeb), Trojan.GenericKD.3006011 (B) (Emsisoft), Artemis!2AF3C15CB1BE (McAfee), Trojan.Gen.2 (Symantec), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 2af3c15cb1bea8a82a1d70a7b13393ef
SHA1: c4997d42de33d73cf592179e1c732be7a71bdaa4
SHA256: e5e3198f50ebbc69f4c64e4810197eb2ffa7c9817ee5e652b0ffed7b2a077cf3
SSDeep: 12288:L7blMV3p VFSNEiBePS9GL8 iDNdRXzRQDE mjXZnwmNONuJ:L7blgKFIKqU8DdlIEhpnJ k
Size: 614049 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

2af3c15cb1bea8a82a1d70a7b13393ef.tmp:2788
OrangeSucksToken.exe:4000
booster.tmp:3612
203032.exe:3684
booster.exe:3512
booster.exe:720
%original file name%.exe:2940

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process 2af3c15cb1bea8a82a1d70a7b13393ef.tmp:2788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MUOGO.tmp\OrangeSucksToken.exe (37 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MUOGO.tmp\itdownload.dll (1489 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MUOGO.tmp\OrangeSucksToken.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MUOGO.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MUOGO.tmp\booster.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MUOGO.tmp\booster.exe (184720 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MUOGO.tmp\idp.dll (1502 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MUOGO.tmp\OrangeSucksToken.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MUOGO.tmp\itdownload.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MUOGO.tmp\OrangeSucksToken.exe.config (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MUOGO.tmp\_isetup (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MUOGO.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MUOGO.tmp\booster.exe.config (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MUOGO.tmp\booster.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MUOGO.tmp\idp.dll (0 bytes)

The process OrangeSucksToken.exe:4000 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\drivers\etc\hosts (1320 bytes)

The process booster.tmp:3612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-E256U.tmp\Iji.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-E256U.tmp\is-HTS4O.tmp (4545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-E256U.tmp\Iji.exe (4545 bytes)
%Program Files%\Pipe\203032.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-E256U.tmp\is-K5G7C.tmp (1 bytes)
%Program Files%\Pipe\203032.exe (5216 bytes)

The process 203032.exe:3684 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8661.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8660.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8650.tmp (53 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (1544 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1760 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9CC1.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8662.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (768 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (1544 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A (893 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9CC0.tmp (54 bytes)

The Trojan deletes the following file(s):

C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.3684.5074494 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8661.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8660.tmp (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.3684.5074494 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8650.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9CC1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8662.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9CC0.tmp (0 bytes)

The process booster.exe:3512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (864 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (864 bytes)

The process booster.exe:720 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-VNP3B.tmp\booster.tmp (1429 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-VNP3B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-VNP3B.tmp\booster.tmp (0 bytes)

The process %original file name%.exe:2940 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-8KCD5.tmp\2af3c15cb1bea8a82a1d70a7b13393ef.tmp (1626 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-8KCD5.tmp\2af3c15cb1bea8a82a1d70a7b13393ef.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-8KCD5.tmp (0 bytes)

Registry activity

The process 2af3c15cb1bea8a82a1d70a7b13393ef.tmp:2788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\2af3c15cb1bea8a82a1d70a7b13393ef_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\2af3c15cb1bea8a82a1d70a7b13393ef_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\RestartManager\Session0000]
"SessionHash" = "08 DC 11 24 72 6F 50 91 08 30 5F 9C 91 25 98 25"

[HKLM\SOFTWARE\Microsoft\Tracing\2af3c15cb1bea8a82a1d70a7b13393ef_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\2af3c15cb1bea8a82a1d70a7b13393ef_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\2af3c15cb1bea8a82a1d70a7b13393ef_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\RestartManager\Session0000]
"Owner" = "E4 0A 00 00 29 41 A2 B0 BD D0 D3 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\2af3c15cb1bea8a82a1d70a7b13393ef_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\2af3c15cb1bea8a82a1d70a7b13393ef_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\RestartManager\Session0000]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\RestartManager\Session0000]
"Sequence"
"Owner"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\RestartManager\Session0000]
"SessionHash"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process booster.tmp:3612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\RestartManager\Session0001]
"RegFilesHash" = "E9 2D B0 C2 70 AB AC 50 4E 49 CA 7E 75 8F DA 27"
"RegFiles0000" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-E256U.tmp\Iji.exe"
"SessionHash" = "42 FE 89 A4 94 91 F8 BF C4 6D 39 C4 5C AD 22 5C"
"Owner" = "1C 0E 00 00 E6 4B F0 B1 BD D0 D3 01"
"Sequence" = "1"

The process 203032.exe:3684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\203032_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\203032_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\203032_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\203032_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\203032_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\203032_RASMANCS]
"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\203032_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

Dropped PE files

MD5 File path
dd1630ebbd4ab093c087238614f6c546 c:\Program Files\Pipe\203032.exe
dd1630ebbd4ab093c087238614f6c546 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-E256U.tmp\Iji.exe

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 1320 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1 cpm.paneladmin.pro
127.0.0.1 publisher.hmdiadmingate.xyz
127.0.0.1 hmdicrewtracksystem.xyz
127.0.0.1 mydownloaddomain.com
127.0.0.1 linkmate.space
127.0.0.1 space1.adminpressure.space
127.0.0.1 trackpressure.website
127.0.0.1 doctorlink.space
127.0.0.1 plugpackdownload.net
127.0.0.1 texttotalk.org
127.0.0.1 gambling577.xyz
127.0.0.1 htagdownload.space
127.0.0.1 mybcnmonetize.com
127.0.0.1 360devtraking.website
127.0.0.1 dscdn.pw
127.0.0.1 bcnmonetize.go2affise.com
127.0.0.1 beautifllink.xyz


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Thlila
Product Name: MebliBilWabna
Product Version: 2.0.3
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description: MebliBilWabna Setup
Comments: This installation was built with Inno Setup.
Language: Chinese (Simplified, PRC)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 41424 41472 4.6051 b7ea439d9c6d5ec722056c9243fb3054
DATA 49152 592 1024 1.89931 9b2268ed5360951559d8041925d025fb
BSS 53248 3732 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 57344 2428 2560 3.10951 df5f31e62e05c787fd29eed7071bf556
.tls 61440 8 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 65536 24 512 0.132037 14dfa4128117e7f94fe2f8d7dea374a0
.reloc 69632 2332 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 73728 108680 109056 3.50786 f73b30b21bca1e32847f0890c7e1da77

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://asedownloadgate.com/exe/avboost-installer.exe 94.23.252.37
hxxp://s3-eu-west-1.amazonaws.com/ilbssar/zwcp/setup.exe 52.218.65.76
hxxp://apps.digsigtrust.com/roots/dstrootcax3.p7c
hxxp://fg.download.windowsupdate.com.c.footprint.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
www.download.windowsupdate.com 8.253.145.105
apps.identrust.com 192.35.177.64
pc.mainmarketingswarm.com 149.202.91.53


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY Executable served from Amazon S3
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

HEAD /exe/avboost-installer.exe HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: asedownloadgate.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Tue, 10 Apr 2018 11:18:45 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="avboost-installer.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
....


GET /exe/avboost-installer.exe HTTP/1.1


Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: asedownloadgate.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Tue, 10 Apr 2018 11:18:45 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="avboost-installer.exe"
Keep-Alive: timeout=10, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
b6000..MZ......................@......................................
.........!..L.!This program cannot be run in DOS mode....$.......PE..L
......Z.........."...0..L..........&j... ........@.. .................
...................@..................................i..O.......0....
.......................di.............................................
.. ............... ..H............text...,J... ...L.................. 
..`.rsrc...0............N..............@..@.reloc...............^.....
.........@..B.................j......H........!.............../...9...
........................................0..o.......(....~....o....s...
.o.............~....(....(......(....o....r...po.....(.....o....t"....
......%...o....&..&..*.........kk.......0..M........(.....s....%(.....
o....o ...%.o!...%.o"...%o#.......io$....o%...(.....o&...*Vr...p.....r
9..p.....*..('...*.~....-.rm..p.....((...o)...s*........~....*.~....*.
......*.~....*..( ...*Vs....(,...t.........*.BSJB............v2.0.5072
7......l...t...#~......$...#Strings............#US.........#GUID......
.D...#Blob...........W..........3........ ...................,........
...........................................Q.................c........
...4.................q.......................C.......................!
.....Q.....h.....(.......'...6.......e.....e.....................U....
.b.......................B..... ...........m.................s.....g..
.......................................8.=...........r.=...........r.e
.......~.......................N...P ............. ............5!.
<<< skipped >>>


HEAD /ilbssar/zwcp/setup.exe HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: s3-eu-west-1.amazonaws.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
x-amz-id-2: NO7KV7hUr2jkw8IsdEmQV XVy/3fFIDR2qKmMQC/jcBSVljuHZ/9I8fiOA2bgr6hoqk3/vCXeag=
x-amz-request-id: 86B6B79838437F8C
Date: Tue, 10 Apr 2018 11:18:47 GMT
Last-Modified: Tue, 10 Apr 2018 09:36:42 GMT
ETag: "0b0b9268a4306f40034d77a5c3eb4392"
x-amz-version-id: HPxM3wiy.gZwCmiUVwhL.yaQXIE4suR7
Accept-Ranges: bytes
Content-Type: application/x-msdownload
Content-Length: 676814
Server: AmazonS3
....


GET /ilbssar/zwcp/setup.exe HTTP/1.1


Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: s3-eu-west-1.amazonaws.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
x-amz-id-2: cvxC/PfkAknlOVHfC/TV0M4Lr63xzyLTnRCRciaIRkDJ/JfAYbPcZ2EJs1EudKAadaUHOOuc12Y=
x-amz-request-id: 8E4F1F7A3824D552
Date: Tue, 10 Apr 2018 11:18:47 GMT
Last-Modified: Tue, 10 Apr 2018 09:36:42 GMT
ETag: "0b0b9268a4306f40034d77a5c3eb4392"
x-amz-version-id: HPxM3wiy.gZwCmiUVwhL.yaQXIE4suR7
Accept-Ranges: bytes
Content-Type: application/x-msdownload
Content-Length: 676814
Server: AmazonS3
MZP.....................@.............................................
..!..L.!..This program must be run under Win32..$7....................
......................................................................
..............................................PE..L....^B*............
.........F....................@..........................P............
@......@..............................|.... ...,......................
......................................................................
..............CODE................................ ..`DATA....P.......
....................@...BSS......................................idata
..|...........................@....tls................................
.....rdata..............................@..P.reloc....................
..........@..P.rsrc....,... ...,..................@..P.............P..
....................@..P..............................................
......................................................................
..............................................string................&l
t;.@.....m.@..........)@..(@..(@..)@.....$)@..Free..0)@..InitInstance.
.L)@..CleanupInstance..h(@..ClassType..l(@..ClassName...(@..ClassNameI
s...(@..ClassParent...)@..ClassInfo...(@..InstanceSize...)@..InheritsF
rom...)@..Dispatch...)@..MethodAddress..<*@..MethodName..x*@..Field
Address...)@..DefaultHandler...(@..NewInstance...(@..FreeInstance.TObj
ect.@...@..% .@....%..@....%..@....%..@....%..@....%..@....%..@....%(.
@....%..@....%..@....%..@....%..@....%..@....%..@....%..@....%..@.
<<< skipped >>>


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86408
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 22 Sep 2017 22:03:52 GMT
If-None-Match: "014e8acee33d31:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: VVV.download.windowsupdate.com


HTTP/1.1 200 OK
Date: Mon, 09 Apr 2018 11:38:05 GMT
Content-Type: application/vnd.ms-cab-compressed
Content-Length: 54015
Connection: keep-alive
Cache-Control: max-age=604800
ETag: "8048a29636c5d31:0"
Expires: Fri, 06 Apr 2018 11:37:55 GMT
Last-Modified: Mon, 26 Mar 2018 19:13:57 GMT
Server: Microsoft-IIS/8.5
x-ccc: DE
x-cid: 3
X-Powered-By: ASP.NET
MSRegion: EMEA
Age: 85254
Accept-Ranges: bytes
MSCF............,...................I.................zL.\ .authroot.s
tl.....X7..CK...<........i.g.B.A.E#k..Z.d.H.lQI..RZdM...".%.KY"D..%
*J...?3nez&7....{....y.........~.9.Da&..3..1..e.0......:o.`08....N....
........d.10&R....l.E.,FX...t.2.0a1...GN.......%E...N..l...v#...0...}.
3.../. .#.`."...H.'...[Y...aF.z~M..S."4..V.'.>o...4.....q\0.P......
....5;..O ......a,{~.3.Z*.Wr....f.$.W..2.)W..,...z.2...z.!.%z.6S/.rK..
...8}.S....4..,....ch ...@~P ..@A..d.Z~...D....3[....6..kC........AP..
A.....;.`....v.>W!.?x}HU.$.8F...C......;L8v..a.g.=tt...hT..m...qgN.
.>P.N..F..!..`.&P...D...........CSc?W...B...B.7sw>.W}....4..u.dD
t)P....d.[!Kpy@....h...X......z|.].:..P.../K..`;V.XsY.oF$...{(.sP..[..
./f.._.-.t.E........h,....r..g3.\.lr.8.y..r4.........Y./..Mu........&l
t;-..d...%.YG.E.V\x..`...................\...}3. h..G....`E..N..".Z.Gh
.....>......A.x.}K].o.... .q..:.*).Y.N%jN..6..$D.....ipk!...[.V.*zD
 E..p.".Y.c.....m.=..1...0$..F..G.B.o_}.m[...........h.=.....d......~.
~..9.@a<..x..K.a..h..`4...O;..=1..x.r.Ioh....y!.....I..........2$..
.Q2.H.Z.L&.Q.@..................I#.......Q.rb....>....f..VM..]Y...?
..x0....t..f`5..S/...6>....m..l. .....`......M.^.CV."..7.C.{.#..(%`
10./.h.I.......w !z...(...?..o....9y.........s>I...4.]..o.t.B.A.q.y
.. ..c......?..rF.....^qr.?dTlf...f..........F..&........F[^..5($.46&l
t;......&......vjK...........x......z2..KTm..H..@&E....;H...(...._....
a|R.Z~......S:........d....Uv*v?7.0..l;.....l....m.o.o..8zv./t.].Q...%
N..F.#..t.DV...B8....CK.....0..dD....?Q5.}.A.P...3=.}J&.........^.
<<< skipped >>>


GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com


HTTP/1.1 200 OK
Date: Mon, 09 Apr 2018 14:08:36 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Last-Modified: Fri, 19 Oct 2012 20:08:11 GMT
Accept-Ranges: bytes
Content-Length: 893
Cache-control: max-age=86400
Content-Type: application/x-pkcs7-mime
0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.......D.....'..0
9...@k0...*.H........0?1$0"..U....Digital Signature Trust Co.1.0...U..
..DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital S
ignature Trust Co.1.0...U....DST Root CA X30.."0...*.H.............0..
..........P..W..be......,k0.[...}.@......3vI*.?!I..N..>H.e...!.e.*.
2....w..{........s.z..2..~..0....*8.y.1.P..e..Qc....a.Ka..Rk...K.(.H..
....>.... .[.*....p....%.tr.{j.4.0...h.{T.....Z...=d......Ap..r.&.8
U9C....\@..........%.......:..n.>..\..<..i....*.)W..=....]......
B0@0...U.......0....0...U...........0...U..........{,q...K.u...`...0..
.*.H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~
.....K. D.....}..j.....N...:.pI............:^H...X._..Z.......Y..n....
...f3.Y[....sG. ...7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G
..P.......dc`........}...=2.e..|.Wv...(9..e...w.j..w........).....55.1
.HTTP/1.1 200 OK..Date: Mon, 09 Apr 2018 14:08:36 GMT..Server: Apache.
.X-Frame-Options: SAMEORIGIN..X-XSS-Protection: 1; mode=block..Last-Mo
dified: Fri, 19 Oct 2012 20:08:11 GMT..Accept-Ranges: bytes..Content-L
ength: 893..Cache-control: max-age=86400..Content-Type: application/x-
pkcs7-mime..0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.....
..D.....'..09...@k0...*.H........0?1$0"..U....Digital Signature Trust 
Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U.
...Digital Signature Trust Co.1.0...U....DST Root CA X30.."0...*.H....
.........0............P..W..be......,k0.[...}.@......3vI*.?!I..N..
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    2af3c15cb1bea8a82a1d70a7b13393ef.tmp:2788
    OrangeSucksToken.exe:4000
    booster.tmp:3612
    203032.exe:3684
    booster.exe:3512
    booster.exe:720
    %original file name%.exe:2940

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MUOGO.tmp\OrangeSucksToken.exe (37 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MUOGO.tmp\itdownload.dll (1489 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MUOGO.tmp\OrangeSucksToken.exe.config (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MUOGO.tmp\booster.exe.config (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MUOGO.tmp\idp.dll (1502 bytes)
    C:\Windows\System32\drivers\etc\hosts (1320 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-E256U.tmp\Iji.exe.config (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-E256U.tmp\is-HTS4O.tmp (4545 bytes)
    %Program Files%\Pipe\203032.exe.config (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-E256U.tmp\is-K5G7C.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8661.tmp (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A (312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8660.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8650.tmp (53 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (1544 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1760 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9CC1.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8662.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (768 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (1544 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A (893 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9CC0.tmp (54 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-VNP3B.tmp\booster.tmp (1429 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-8KCD5.tmp\2af3c15cb1bea8a82a1d70a7b13393ef.tmp (1626 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2024 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now