Trojan.NSIS.StartPage_cf53d6c75e

by malwarelabrobot on December 21st, 2016 in Malware Descriptions.

not-a-virus:AdWare.Win32.Fiseria.t (Kaspersky), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: cf53d6c75e28713ff002a4a6990f6726
SHA1: bf5a6a4bfbdd54c3496c4bbfbf5858d553f65173
SHA256: eca10da8d6d43b5523139efe4437a42d812d0647217f32eb1360d3b581f1a5ff
SSDeep: 6144:NsaocyLCD7i9XTGr09aLmwV/aLLTyerQ6OI:NtobM7kGr09aLmwFwnm6OI
Size: 243800 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-02-19 17:01:49
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

nsFE00.tmp:3684
%original file name%.exe:452

The Trojan injects its code into the following process(es):

5204846c-d8f1-11e2-a752-00259033c1da.exe:2224
install.exe:2124

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process nsFE00.tmp:3684 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\install.exe (188 bytes)

The process 5204846c-d8f1-11e2-a752-00259033c1da.exe:2224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarCFAE.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabCFAD.tmp (51 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarCFAE.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabCFAD.tmp (0 bytes)

The process install.exe:2124 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarFFE2.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EDCF682921FE94F4A02A43CD1A28E6B (537 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3AC2.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabFFE1.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar22.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8434.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8433.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab21.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\5204846c-d8f1-11e2-a752-00259033c1da.exe (512 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EDCF682921FE94F4A02A43CD1A28E6B (448 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3AC3.tmp (2712 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarFFE2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3AC2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabFFE1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar22.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8434.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8433.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab21.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3AC3.tmp (0 bytes)

The process %original file name%.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\install.exe (6584 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\nsFE00.tmp (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\nsExec.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxFDA0.tmp (8720 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxFD9F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp (0 bytes)

Registry activity

The process 5204846c-d8f1-11e2-a752-00259033c1da.exe:2224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\WBEM\CIMOM]
"Logging" = "0"

The process install.exe:2124 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 85 FE F1 1B"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"91C6D6EE3E8AC86384E548C299295C756C817B81"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
7764bda340016cc3e52b3536240e7bf6 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\5204846c-d8f1-11e2-a752-00259033c1da.exe
184a43e8f2ea6b1b919fb3348a2bc281 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\install.exe
249ae678f0dac4c625c6de6aca53823a c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\nsExec.dll
b565839cf1216d8d7e3dd3bccb018e5a c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\nsFE00.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: FLVMPlayer
Product Version:
Legal Copyright: AppInstaller 2013 (131782022)
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.0.13.0
File Description: FLVMPlayer AppInstaller
Comments:
Language: English (United States)

PE Sections

Name     Virtual Address   Virtual Size   Raw Size   Entropy    Section MD5
.text    4096              34884          35328      4.14077    49b0a05e59cfe2eb146863465a7f35bb
.data    40960             140            512        0.818128   df0ef3a0da7e22c790a62c5869d70520
.rdata   45056             9108           9216       4.08895    91271e59f4470886a512444b74613d7b
.bss     57344             109520         0          0          d41d8cd98f00b204e9800998ecf8427e
.idata   167936            4868           5120       3.63012    5f39890d9696ebf98517ebe318287e41
.ndata   176128            36864          1024       0          0f343b0931126a20f133d67c2b018a3b
.rsrc    212992            17824          17920      2.90265    2f56f5cb3d4cec1e226096b3431f1284

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 41

URLs

URL IP
hxxp://e6845.dscb1.akamaiedge.net/ThawtePCA.crl
hxxp://crl.thawte.com/ThawtePCA.crl 23.43.133.163
dns.msftncsi.com
ocsp.thawte.com
cs-g2-crl.thawte.com
www.download.windowsupdate.com
time.windows.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /ThawtePCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.thawte.com


HTTP/1.1 200 OK
Server: Apache
ETag: "84b5919583c6a74d4407f67543ca4c35:1474920014"
Last-Modified: Mon, 26 Sep 2016 20:00:14 GMT
Date: Tue, 20 Dec 2016 07:01:35 GMT
Content-Length: 537
Connection: keep-alive
Content-Type: application/pkix-crl

<<< skipped >>>

The Trojan connects to the servers at the following location(s):


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    nsFE00.tmp:3684
    %original file name%.exe:452

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\install.exe (188 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarCFAE.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabCFAD.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarFFE2.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EDCF682921FE94F4A02A43CD1A28E6B (537 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab3AC2.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabFFE1.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar22.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8434.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8433.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab21.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\5204846c-d8f1-11e2-a752-00259033c1da.exe (512 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EDCF682921FE94F4A02A43CD1A28E6B (448 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar3AC3.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\nsFE00.tmp (20 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFDB1.tmp\nsExec.dll (20 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxFDA0.tmp (8720 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
