Trojan.NSIS.StartPage_6d907ba322

by malwarelabrobot on September 10th, 2017 in Malware Descriptions.

Trojan.Win32.Agent.nfastx (Kaspersky), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan


This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.

MD5: 6d907ba322d9598448761c46ec67c427
SHA1: 1e7d9a324f97c21dd9c5d5393c1c871295fa9021
SHA256: 8b6e2f36493a2fc8dfdafda8daf26962572b510d55579be6501ed6a4d1fa58de
SSDeep: 12288:Q937pcFYWpG1VuD34KFOEqpuh9bkUJtlHK9mnebbcjyiZ3S2XF:Q176F/0KD3hFOEqMcUAgebYuC3j1
Size: 679369 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-08-01 03:34:02
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

therapeutics.exe:2304

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

No files have been created.

Registry activity

Dropped PE files

MD5 File path
a8b2bccb6cd002c4d2795725c06365ed c:\Program Files\Dayne\Dayne.exe
a8b2bccb6cd002c4d2795725c06365ed c:\Program Files\Dayne\therapeutics.dll
a8b2bccb6cd002c4d2795725c06365ed c:\Program Files\Dayne\therapeutics.exe
a8b2bccb6cd002c4d2795725c06365ed c:\Program Files\Woofer\therapeutics.exe
43c121b348d1fd347a7a8a60ddf1054a c:\Program Files\prescriber\prescriber.exe
0f71927bb5790d7a34c130490d77c637 c:\Program Files\sparseness\wast.exe
c2650dad88dffb49c8a46974043f2af1 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw1CD3.tmp\113833.exe
aa7527dcfee8922136e56014180858ba c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw1CD3.tmp\28446.exe
05816f68477004f62e95c82646461d38 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw1CD3.tmp\39059.exe
c55d75ad3e775bdd4a954a2d7bd50301 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw1CD3.tmp\67294.exe
c8ff52bfddc6898c202c08c4a61a3d22 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw1CD3.tmp\Microsoft.Win32.TaskScheduler.dll
a7ee21a8dc59690bb9d85b1ebd4da436 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw1CD3.tmp\NMcompetent.exe
a8b2bccb6cd002c4d2795725c06365ed c:\Users\"%CurrentUserName%"\AppData\Local\therapeutics.exe
a8b2bccb6cd002c4d2795725c06365ed c:\Windows\freel.exe

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file. Windows consults this file before DNS when resolving host names to IP addresses, so every entry added here overrides the real DNS answer for that name. The modified file is 1322 bytes in size. The following entries are appended to the hosts file:

127.0.0.1 validation.sls.microsoft.com
162.222.193.86 aoaomo.tremorhub.com
188.95.50.62 bobomo.tremorhub.com
162.222.193.86 www.howcast.com
162.222.193.86 howcast.com
162.222.193.86 www.ustream.tv
162.222.193.86 ustream.tv
162.222.193.86 www.livestream.com
162.222.193.86 livestream.com
162.222.193.86 www.dailymotion.com
162.222.193.86 dailymotion.com
192.192.3.8 www.virustotal.com
192.192.3.8 virustotal.com
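Read against the table: the loopback entry blocks validation.sls.microsoft.com outright; the video-hosting and tremorhub names are pointed at 162.222.193.86 and 188.95.50.62; and both VirusTotal names are pointed at 192.192.3.8, so a victim who tries to check a file cannot reach the real site. The Python script below is an added example (not part of the Lavasoft report or its tooling) that parses a hosts file and flags exactly these two patterns: a loopback or unspecified address assigned to a vendor or licensing host, and a public domain pinned to a fixed address. The hosts content it checks is constructed inline from the entries listed above; the list of "sensitive" domain suffixes is an assumption chosen for illustration.

```python
"""Flag suspicious mappings in a Windows hosts file.

Added example, not the Lavasoft system's code. SAMPLE_HOSTS is constructed
from the entries the report lists; SENSITIVE_SUFFIXES is an assumed list.
"""
import ipaddress

# Constructed sample: the stock Windows 7 comment block (mappings commented
# out, as shipped) followed by the entries the report says were appended.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1 validation.sls.microsoft.com
162.222.193.86 aoaomo.tremorhub.com
188.95.50.62 bobomo.tremorhub.com
162.222.193.86 www.dailymotion.com
192.192.3.8 www.virustotal.com
192.192.3.8 virustotal.com
"""

# Assumed: domains that have no business appearing in hosts at all
# (security vendors, Microsoft licensing/update infrastructure).
SENSITIVE_SUFFIXES = ("microsoft.com", "virustotal.com", "windowsupdate.com")

# Names a legitimate hosts file maps to loopback.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname, lineno) for every active mapping in hosts syntax."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed line: not our concern here
        for name in fields[1:]:               # one line may name several hosts
            yield ip, name.lower(), lineno


def classify(ip, name):
    """Return a reason string if the mapping is suspicious, else None."""
    if name in LOOPBACK_NAMES or name.endswith(".localhost"):
        return None
    sensitive = any(name == s or name.endswith("." + s) for s in SENSITIVE_SUFFIXES)
    if ip.is_loopback or ip.is_unspecified:
        # 127.0.0.1 / 0.0.0.0 entries are how ad blockers work; only a
        # vendor or licensing host being sinkholed is a red flag.
        return "sinkholes a vendor/licensing host" if sensitive else None
    # Any other address pins a public name to a fixed IP, which is how the
    # sample redirects the video sites and VirusTotal.
    return "redirects %s to %s" % (name, ip)


def find_anomalies(text):
    """Return [(lineno, hostname, ip, reason)] for every suspicious mapping."""
    out = []
    for ip, name, lineno in parse_hosts(text):
        reason = classify(ip, name)
        if reason:
            out.append((lineno, name, str(ip), reason))
    return out


if __name__ == "__main__":
    for lineno, name, ip, reason in find_anomalies(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % (lineno, name, ip, reason))
```

On a live system, point the same functions at the file read from `%SystemRoot%\System32\drivers\etc\hosts`; anything the script reports that an administrator did not put there deliberately should be removed before the machine is trusted to resolve names again.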


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: p26o23
Product Version: 1.0.0.1
Legal Copyright: Copyright (C) 2017
Legal Trademarks:
Original Filename: setup.exe
Internal Name:
File Version: 1.0.0.1
File Description: o23p26
Comments:
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             25172         25600     4.45962  d550b03059038df9bf82548da8080ff6
.rdata  32768            4948          5120      3.62951  5143a41b917c20afc11d259fd85b6ffc
.data   40960            152856        1536      2.80352  4c97d95c0fc95b712d16eb7b0ee5a871
.ndata  196608           36864         0         0        d41d8cd98f00b204e9800998ecf8427e
.rsrc   233472           3288          3584      2.92129  940d2d31abfcee7951a346edee551a75
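The section table is the static fingerprint of an NSIS installer, which matches the "Nullsoft Install System v3.02.1" string in the dumps below: an .ndata section with a non-zero virtual size but a raw size of 0 (the listed MD5 d41d8cd98f00b204e9800998ecf8427e is the hash of empty input, consistent with that), and the compressed installer data living in an overlay after the last section, which is what the "Entropy: Packed" verdict reflects. The Python script below is an added example (not the Lavasoft system's code) that reads a PE section table with `struct` and applies those three checks: the .ndata heuristic, the NSIS firstheader magic in the overlay, and overlay entropy. The PE image it analyses is constructed inline from the table above; its section contents and overlay are filler, not bytes from the sample, so the per-section entropies it computes differ from those listed.

```python
"""Parse a PE section table and apply NSIS-installer heuristics.

Added example, not the Lavasoft system's code. build_sample() constructs a
minimal PE header reproducing the report's section table with filler bodies.
"""
import math
import random
import struct

NSIS_MAGIC = b"\xEF\xBE\xAD\xDENullsoftInst"   # NSIS firstheader: siginfo + "NullsoftInst"
FILE_HEADER_FMT = "<HHIIIHH"                  # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"                  # IMAGE_SECTION_HEADER, 40 bytes


def entropy(buf):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data):
    """Return one dict per section header of a PE image (raises on non-PE input)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(FILE_HEADER_FMT, data, coff)
    off = coff + struct.calcsize(FILE_HEADER_FMT) + opt_size   # section table follows the optional header
    sections = []
    for _ in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, *_rest = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr,
            "entropy": round(entropy(data[rawptr:rawptr + rawsize]), 3),
        })
        off += struct.calcsize(SECTION_FMT)
    return sections


def analyze(data):
    """Section table plus the three NSIS/packing indicators discussed in the text."""
    sections = parse_sections(data)
    overlay_start = max((s["rawptr"] + s["rawsize"] for s in sections), default=len(data))
    overlay = data[overlay_start:]
    ndata = [s for s in sections if s["name"] == ".ndata"]
    return {
        "sections": sections,
        "overlay_size": len(overlay),
        "overlay_entropy": round(entropy(overlay), 3),
        # NSIS stubs carry an uninitialised .ndata section: VirtualSize > 0, SizeOfRawData == 0
        "nsis_ndata": any(s["vsize"] and s["rawsize"] == 0 for s in ndata),
        # the compressed installer, introduced by the firstheader magic, sits in the overlay
        "nsis_overlay": NSIS_MAGIC in overlay,
        # compressed payload: near-maximal entropy
        "packed_overlay": entropy(overlay) > 7.0,
    }


def build_sample():
    """Constructed PE image with the report's section table; bodies are filler."""
    # (name, VirtualSize, VirtualAddress, SizeOfRawData) as listed in the report
    table = [(b".text", 25172, 4096, 25600), (b".rdata", 4948, 32768, 5120),
             (b".data", 152856, 40960, 1536), (b".ndata", 36864, 196608, 0),
             (b".rsrc", 3288, 233472, 3584)]
    headers_size = 0x40 + 4 + 20 + 224 + 40 * len(table)        # 512 bytes
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack(FILE_HEADER_FMT, 0x14C, len(table), 0, 0, 0, 224, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222            # PE32 magic; rest unused here
    sec_headers, body, ptr = b"", b"", headers_size
    for name, vsize, vaddr, rawsize in table:
        sec_headers += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, vaddr,
                                   rawsize, ptr if rawsize else 0, 0, 0, 0, 0, 0x60000020)
        body += b"\x90" * rawsize                                # low-entropy filler
        ptr += rawsize
    rng = random.Random(1)                                       # deterministic "compressed" payload
    overlay = b"\0\0\0\0" + NSIS_MAGIC + bytes(rng.getrandbits(8) for _ in range(4096))
    return dos + b"PE\0\0" + coff + optional + sec_headers + body + overlay


if __name__ == "__main__":
    result = analyze(build_sample())
    for s in result["sections"]:
        print("%-7s vaddr=%-7d vsize=%-7d raw=%-6d entropy=%.3f" % (
            s["name"], s["vaddr"], s["vsize"], s["rawsize"], s["entropy"]))
    print({k: v for k, v in result.items() if k != "sections"})
```

To run it against a real file, replace `build_sample()` with `open(path, "rb").read()`; the three boolean indicators together are a reasonable triage signal that a sample is an NSIS installer carrying a compressed payload, which is the point at which the dropped-file list, not the stub, deserves the analysis time.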

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
1c9129d5403e6b75174b6607c2852125

URLs

URL (no IP resolution was recorded for these requests)
hxxp://d3h046tak93335.cloudfront.net/eJ2KXCPa0KXCPa1KXCPa70HNZX82eJ5KXCPa.htm?streakers=2017-08-25&wallpapers=03AMMfScxzNJSz4aGbs7
hxxp://d3h046tak93335.cloudfront.net/jquery.min.js
hxxp://d3h046tak93335.cloudfront.net/amg.php
hxxp://ww.dunstoncarol.pw/a.png?streakers=2017-08-25&wallpapers=03AMMfScxzNJSz4aGbs7&gif=yes&rnd=1504919004000
hxxp://ww1.dunstoncarol.pw/a.png?streakers=2017-08-25&wallpapers=03AMMfScxzNJSz4aGbs7&gif=yes&rnd=1504919004000
hxxp://ww1.dunstoncarol.pw/a.png?streakers=2017-08-25&wallpapers=03AMMfScxzNJSz4aGbs7&gif=yes&rnd=1504919005000
hxxp://ww.dunstoncarol.pw/a.png?streakers=2017-08-25&wallpapers=03AMMfScxzNJSz4aGbs7&gif=yes&rnd=1504919005000
hxxp://whos.amung.us/cwidget/iebrowser1/000000ffffff.png
hxxp://www.videojelly.com/watch-A0gN4n2Ura.html
hxxp://widgets.amung.us/draw/?w=colored&n=2130&c=000000ffffff&p=
hxxp://widgets.amung.us/draw/?w=colored&n=2144&c=000000ffffff&p=
hxxp://www.videojelly.com/jquery.min.js
hxxp://www.videojelly.com/watch-AiVxebjyZd.html
hxxp://www.videojelly.com/watch-A0gN4n2Ura.htm
hxxp://www.videojelly.com/watch-AFdm4vnVKK.html
hxxp://www.videojelly.com/watch-A0WodBSOk1.html


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the following location(s):

Strings from Dumps

wast.exe_2072:

.text
`.rdata
@.data
.ndata
.rsrc
Vj%SSS
uDSSh
hu2.iu
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteExA
SHELL32.dll
RegEnumKeyA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
%s%s.dll
m Files\Dayne\therapeutics.exe"
Software\Microsoft\Windows\CurrentVersion\Run
"%Program Files%\Dayne\therapeutics.exe"
%Program Files%
\System.dll
\Dayne\therapeutics.exe"
\Dayne\therapeutics.exe
#\therapeutics.exe"
CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32
Nullsoft Install System v3.02.1
$$\wininit.ini
g:\Co
k%u}W
F3.AEH
2(u.jQ
therapeutics.exe
THERAP~1.EXE
re\Microsoft\Windows\CurrentVersion\Run
"%Program Files%\sparseness\wast.exe"
%Program Files%\sparseness
wast.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsc3072.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
%Program Files%\sparseness\wast.exe
Windows\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.02.1</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
arseness\wast.exe"
"ne\therapeutics.exe"
1.0.0.1

taskeng.exe_4076:

.text
`.data
.rsrc
@.reloc
USER32.dll
msvcrt.dll
ntdll.dll
API-MS-Win-Core-Debug-L1-1-0.dll
API-MS-Win-Core-ErrorHandling-L1-1-0.dll
API-MS-Win-Core-File-L1-1-0.dll
API-MS-Win-Core-Handle-L1-1-0.dll
API-MS-Win-Core-Heap-L1-1-0.dll
API-MS-Win-Core-Interlocked-L1-1-0.dll
API-MS-Win-Core-LibraryLoader-L1-1-0.dll
API-MS-Win-Core-Misc-L1-1-0.dll
API-MS-Win-Core-ProcessEnvironment-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
API-MS-Win-Core-Profile-L1-1-0.dll
API-MS-Win-Core-Synch-L1-1-0.dll
API-MS-Win-Core-SysInfo-L1-1-0.dll
API-MS-Win-Core-ThreadPool-L1-1-0.dll
API-MS-Win-Security-Base-L1-1-0.dll
ole32.dll
OLEAUT32.dll
RPCRT4.dll
KERNEL32.dll
d:\w7rtm\admin\wmi\jobs\server\session\session\main.cpp
Session::ChannelMsgReceived
d:\w7rtm\admin\wmi\jobs\server\session\session\session.cpp
d:\w7rtm\admin\wmi\jobs\server\session\session\clientchannel2.cpp
d:\w7rtm\admin\wmi\jobs\server\engine\task.cpp
d:\w7rtm\admin\wmi\jobs\server\engine\comhandlerbase.cpp
StopJobMsg
StartJobMsg
ClientPipeName
Invalid parameter passed to C runtime function.
d:\w7rtm\admin\wmi\jobs\common\xml\taskxmlreader.cpp
TaskScheduler.log
j%Xf;
d:\w7rtm\admin\wmi\jobs\server\engine\action.cpp
API-MS-WIN-Service-Management-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
SspiCli.dll
XmlLite.dll
MPR.dll
RegOpenKeyTransactedW
RegCloseKey
RegOpenKeyExW
RegNotifyChangeKeyValue
RegCreateKeyExW
FindExecutableW
MsgWaitForMultipleObjects
EnumThreadWindows
EnumWindows
GetProcessWindowStation
_wcmdln
_amsg_exit
GetProcessHeap
SetProcessShutdownParameters
TaskEng.pdb
version="5.1.0.0"
name="Microsoft.Windows.WMI.TaskScheduler.TaskEng"
<requestedExecutionLevel
8 8$8(878
3=4Z4w4
=!=(=0=4=?=>>
5 5U5_5
5b6u6
-131J1X1o1}1
=$=<=\=|=
Password
hXXp://schemas.microsoft.com/windows/2004/02/mit/task
Kieframe.dll
%SystemRoot%\SYSTEM32\cmd.exe
%SystemRoot%\System32\Tasks
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Handshake
WindowSeconds
InitializeCmdlineProcessing()
pCrimson provider registration failed for taskeng, hr=0x%x
CATCH_KNOWN: %S ==> hr=0x%x [%S(),%d,%S]
InteractiveTokenOrPassword
Kurl
%d.%d
%s, (%d)
hXXp://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout
hXXp://schemas.microsoft.com/cdo/configuration/smtpauthenticate
hXXp://schemas.microsoft.com/cdo/configuration/sendusing
hXXp://schemas.microsoft.com/cdo/configuration/smtpserver
201ef99a-7fa0-444c-9399-19ba84f12a1a
C:\Windows\SYSTEM32\cmd.exe
6.1.7601.17514 (win7sp1_rtm.101119-1850)
taskeng.exe
Windows
Operating System
6.1.7601.17514

therapeutics.exe_2304_rwx_00142000_00005000:

.chppch


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): the report lists no processes created by the installer itself, but therapeutics.exe (the injection target above) and wast.exe (dumped as wast.exe_2072) are the dropped executables to end.
  2. Delete the original Trojan file and the dropped files listed under "Dropped PE files" (the copies of therapeutics.exe, Dayne.exe, prescriber.exe, wast.exe and freel.exe, and the nsw1CD3.tmp folder).
  3. Remove the autostart entries: the dumped strings show "%Program Files%\Dayne\therapeutics.exe" and "%Program Files%\sparseness\wast.exe" registered under Software\Microsoft\Windows\CurrentVersion\Run. The installer also drops Microsoft.Win32.TaskScheduler.dll and strings were dumped from taskeng.exe, so check Scheduled Tasks for entries pointing at the dropped files as well.
  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts), removing every entry listed under "HOSTS file anomalies":
    127.0.0.1 localhost
  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
