Trojan.NSIS.StartPage_12b6abfa78
UDS:DangerousObject.Multi.Generic (Kaspersky), Artemis!12B6ABFA78FA (McAfee), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 12b6abfa78faef4596f27e37069cba7d
SHA1: 8a1d130b5a2ad74c3d66e9f09b562bb892cb7f5f
SHA256: d5e4ab111311f5021bdcba94e71155eadb51b2b3d8680d3b93552d3f2c21759c
SSDeep: 3072:XNzPHk9MpcyxAARl3Pj2yoJVsFdf2lbB874VLlHreEAt4Wo:XhRFxAal3ProJ6Fk9B8kEQ
Size: 159910 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-08-01 03:33:55
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:2224
The Trojan injects its code into the following process(es):
No process injection has been detected.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxA815.tmp\INetC.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\notepad3k\Update\setup.exe (1666077 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxA814.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxA815.tmp\nsProcess.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\setup6-142[1].exe (1568224 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\notepad3k\Update\setup.php (329 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxA813.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxA815.tmp (0 bytes)
Registry activity
The process %original file name%.exe:2224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\12b6abfa78faef4596f27e37069cba7d_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\12b6abfa78faef4596f27e37069cba7d_RASMANCS]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\Windows Error Reporting]
"DontShowUI" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\12b6abfa78faef4596f27e37069cba7d_RASMANCS]
"EnableConsoleTracing" = "0"
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\12b6abfa78faef4596f27e37069cba7d_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\12b6abfa78faef4596f27e37069cba7d_RASAPI32]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\12b6abfa78faef4596f27e37069cba7d_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\12b6abfa78faef4596f27e37069cba7d_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"notepad3k"
Dropped PE files
MD5 | File path |
---|---|
92ec4dd8c0ddd8c4305ae1684ab65fb0 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxA815.tmp\INetC.dll |
faa7f034b38e729a983965c04cc70fc1 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxA815.tmp\nsProcess.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 24636 | 25088 | 4.43172 | 029c8031e2fb36630bb7ccb6d1d379b5 |
.rdata | 32768 | 4680 | 5120 | 3.49642 | 421f9404c16c75fa4bc7d37da19b3076 |
.data | 40960 | 108600 | 1024 | 3.6204 | c93d53142ea782e156ddc6acebdf883d |
.ndata | 151552 | 40960 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 192512 | 80008 | 80384 | 3.1538 | 4bbd00d620e96fe84180c1824c1297c0 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
hxxp://saveserpresults.com/setup6-142.exe | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
HEAD /setup6-142.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: saveserpresults.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Feb 2018 10:19:32 GMT
Content-Type: application/octet-stream
Content-Length: 29253367
Last-Modified: Tue, 06 Feb 2018 20:11:34 GMT
Connection: keep-alive
ETag: "5a7a0bf6-1be5ef7"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Accept-Ranges: bytes....
GET /setup6-142.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: saveserpresults.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 18 Feb 2018 10:19:32 GMT
Content-Type: application/octet-stream
Content-Length: 29253367
Last-Modified: Tue, 06 Feb 2018 20:11:34 GMT
Connection: keep-alive
ETag: "5a7a0bf6-1be5ef7"
Expires: Thu, 31 Dec 2037 23:55:55 GMT
Cache-Control: max-age=315360000
Accept-Ranges: bytes
(binary response body: an MZ/PE executable containing the DOS stub "This program cannot be run in DOS mode" and the sections .text, .rdata, .data, .ndata and .rsrc; the remainder of the byte dump is not reproduced here)
<<< skipped >>>
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.ndata
.rsrc
Vj%SSS
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteExA
SHELL32.dll
RegEnumKeyA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
%s%s.dll
sers\"%CurrentUserName%"\AppData\Local\Temp\nsxA815.tmp\INetC.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxA815.tmp\INetC.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxA815.tmp
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
@.reloc
KERNEL32.DLL
USER32.DLL
COMCTL32.DLL
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpEndRequestA
HttpAddRequestHeadersA
HttpSendRequestA
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestExA
WININET.DLL
INetC.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
t.UWh
.VkC>
sers\"%CurrentUserName%"\AppData\Local\Temp\nsxA815.tmp
\%original file name%.exe
c:\%original file name%.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\notepad3k
C:\Users\"%CurrentUserName%"\AppData\Roaming\notepad3k\Update
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsxA813.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
%%%u"""
'''-$$$.&&&
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/>
  <description>Nullsoft Install System v3.02.1</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
      <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
      <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
    </application>
  </compatibility>
</assembly>
1.0.5.2
inetc.dll
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2224
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxA815.tmp\INetC.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\notepad3k\Update\setup.exe (1666077 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxA814.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxA815.tmp\nsProcess.dll (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\setup6-142[1].exe (1568224 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\notepad3k\Update\setup.php (329 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.