Trojan.NSIS.StartPage_df2fe6117f

by malwarelabrobot on August 24th, 2017 in Malware Descriptions.

Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: df2fe6117f49067a584241983d2504cb
SHA1: f42bfc93078880a87d94056c7e9aff1c82684649
SHA256: 36c395fae9f61c689aed3647edf7cd38e246a8d4078ad30fce639185f36c1441
SSDeep: 98304:ZP22A9rBFOLWKhtfKiUwsw5mRgwNtjTz2M2YE6PYAt:U2wrBRekiXsw0J3dPj
Size: 5239671 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2007-05-05 15:23:36
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3880

The Trojan injects its code into the following process(es):

s2exe.exe:3968

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3880 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Project151Map.sb2 (36078 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scratch\s2exe.exe (30480 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scratch\open.fnr (66362 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszB9CE.tmp (131050 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjB921.tmp (0 bytes)

The process s2exe.exe:3968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar4183.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DFECE1A4D0C745EF29E7B51A2DA008B8 (1454 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0DD30266AF9B4A57FF10335BAF014F_1A83F80A2067DD202B16599AA2CE4194 (942 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CBB16B7A61CE4E298043181730D3CE9B (2674 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab4182.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA72AE1092979CCD3A7B12BE5EF5A9A2 (1252 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DFECE1A4D0C745EF29E7B51A2DA008B8 (2730 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CBB16B7A61CE4E298043181730D3CE9B (942 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FA72AE1092979CCD3A7B12BE5EF5A9A2 (650 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0DD30266AF9B4A57FF10335BAF014F_1A83F80A2067DD202B16599AA2CE4194 (1118 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab4182.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar4183.tmp (0 bytes)

Registry activity

The process s2exe.exe:3968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\s2exe_RASAPI32]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
2a759981d87587cbac0e4c270e6fd736 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\scratch\s2exe.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 22948 23040 4.47592 27548a140ee5871e901b5081d2ea223c
.rdata 28672 4474 4608 3.58713 69c5211e1a88679cc11fd273667a51c9
.data 36864 110552 1024 3.45044 7e7f788f7322d235e21ca51dab874511
.ndata 147456 32768 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 180224 1646072 1646080 1.89841 812bd0f048e1d538adcf08b4bb89098f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://scratch.mit.edu/scratchr2/static/locale/lang_list.txt 151.101.2.33
hxxp://scratch.mit.edu/site-api/i18n/get-preferred-language/ 151.101.2.33
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY= 178.255.83.1
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m/WqorSs9UgOHYm8Cd8rIDZssCEEcg0PqFRhp+F6FkApGEY3Q= 178.255.83.1
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRpg21TVpHZ/LeGq/t34TnEClb0IgQUHgWjd49sluJbh0umtIascQAM5zgCEECxXuCwl/CuFVbmbhKEc2M= 178.255.83.1
hxxp://crl.incommon-rsa.org/InCommonRSAServerCA.crl 178.255.83.2


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRpg21TVpHZ/LeGq/t34TnEClb0IgQUHgWjd49sluJbh0umtIascQAM5zgCEECxXuCwl/CuFVbmbhKEc2M= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.usertrust.com


HTTP/1.1 200 OK
Date: Wed, 23 Aug 2017 03:54:02 GMT
Server: Apache
Last-Modified: Mon, 21 Aug 2017 18:04:49 GMT
Expires: Mon, 28 Aug 2017 18:04:49 GMT
ETag: 55D6D86009A8437A04879E2D34E38FE8AB93D26A
Cache-Control: max-age=482446,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: rmdccaocsp19
Content-Length: 471
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0.........w.l..[.K....q...8..2017082
1180449Z0s0q0I0... ........i.mSV.......w.9..V.".....w.l..[.K....q...8.
.@.^......V.n..sc....20170821180449Z....20170828180449Z0...*.H........
.....'..[.......t....B..Xy...QWBf....o.`...%...|.5.....(G5k./.y...~...
.b<EJ...w..{6.W[y........~......a.w..*..Vg..... .=.....&....q]f....
.-.{E...<...H&.n!cuD.!.W.........[...S.lEa.dp...7u.T*...x..=.....&l
t;.#?....e^.X..Zk.j.M..Pr......cXO.......nf...j9..qN.*........


GET /InCommonRSAServerCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.incommon-rsa.org


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 23 Aug 2017 03:54:06 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 626461
Last-Modified: Tue, 22 Aug 2017 08:53:32 GMT
Connection: close
ETag: "599bf10c-98f1d"
X-CCACDN-Mirror-ID: rmdccacrl1
Cache-Control: max-age=36000
Accept-Ranges: bytes
0....0.......0...*.H........0v1.0...U....US1.0...U....MI1.0...U....Ann
Arbor1.0...U....Internet21.0...U....InCommon1.0...U....InCommon RSA S
erver CA..170822085332Z..170826085332Z0... 0!..57*-Y..~.....A....14092
2160742Z0!..,......RE....].!..140922161506Z0".....n.....^.n..r.I..1409
22174109Z0".....2....3.......#..140922214152Z0"......%....Z@.l.."...14
0922223922Z0!...f&.....# .C.P.O..140923121431Z0"....}....O".*..B.G4..1
40923141306Z0".....>..a.t.M........140923141318Z0"...... .J|.......
6...140923170247Z0"....RQ.1ga..v..K.....140923191704Z0"...."I.....=..h
...E..140924115602Z0!..A~..G~..3.wg$N$...140924160011Z0!..r....Y.l.&..
LS....140924160022Z0!..('6...w.^....d....140924171120Z0"....=.........
F..y...140924173752Z0".....~..,......1T.U..140924195705Z0!..p..AisNgQ.
...[Oh..140925055500Z0!..l%.l.......^......140925123802Z0!../8........
..A.J...140925150805Z0!..d...d|..$..KW.....140925155625Z0!..]k.......]
3..i....140925164605Z0"....d8.|.>*45..#.no..140925165006Z0!..~y...N
x4....C.....140925165614Z0!....(.O?j[..m\..;N..140925174651Z0"....u.g.
...^Lar......140925174701Z0"....q.RC.W].X........140925181036Z0"....l.
..-.....r..r...140925201547Z0"...."..p....o.E...A..140925203729Z0"....
.l..a..<.[..@|&..140925204907Z0"....S........j.......140926123114Z0
!..e%......ZMMh#.Z...140926140856Z0!..D....i.....1.M....140926171818Z0
"......@o0...cB..n....140926174052Z0"....T-.-.V..UU..X.*..140926211006
Z0"....z...7..U.95...S..140926211014Z0!..C........^8....K..14092621132
9Z0"........l..$.Hb...H..140928193424Z0".......)...O....f?J..14092

<<< skipped >>>

GET /scratchr2/static/locale/lang_list.txt HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: scratch.mit.edu
Connection: Keep-Alive


HTTP/1.1 301 Moved Permanently
Server: Varnish
Retry-After: 0
Location: hXXps://scratch.mit.edu/scratchr2/static/locale/lang_list.txt
Content-Length: 0
Accept-Ranges: bytes
Date: Wed, 23 Aug 2017 03:53:43 GMT
Via: 1.1 varnish
Connection: close
X-Served-By: cache-hhn1544-HHN
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1503460424.726340,VS0,VE0
Strict-Transport-Security: max-age=31536000
X-Xss-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRpg21TVpHZ/LeGq/t34TnEClb0IgQUHgWjd49sluJbh0umtIascQAM5zgCEECxXuCwl/CuFVbmbhKEc2M= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.usertrust.com


HTTP/1.1 200 OK
Date: Wed, 23 Aug 2017 03:54:02 GMT
Server: Apache
Last-Modified: Mon, 21 Aug 2017 18:04:49 GMT
Expires: Mon, 28 Aug 2017 18:04:49 GMT
ETag: 55D6D86009A8437A04879E2D34E38FE8AB93D26A
Cache-Control: max-age=482446,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: rmdccaocsp10
Content-Length: 471
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0.........w.l..[.K....q...8..2017082
1180449Z0s0q0I0... ........i.mSV.......w.9..V.".....w.l..[.K....q...8.
.@.^......V.n..sc....20170821180449Z....20170828180449Z0...*.H........
.....'..[.......t....B..Xy...QWBf....o.`...%...|.5.....(G5k./.y...~...
.b<EJ...w..{6.W[y........~......a.w..*..Vg..... .=.....&....q]f....
.-.{E...<...H&.n!cuD.!.W.........[...S.lEa.dp...7u.T*...x..=.....&l
t;.#?....e^.X..Zk.j.M..Pr......cXO.......nf...j9..qN.*........


GET /site-api/i18n/get-preferred-language/ HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 23,0,0,185
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: scratch.mit.edu
Connection: Keep-Alive


HTTP/1.1 301 Moved Permanently
Server: Varnish
Retry-After: 0
Location: hXXps://scratch.mit.edu/site-api/i18n/get-preferred-language/
Content-Length: 0
Accept-Ranges: bytes
Date: Wed, 23 Aug 2017 03:53:44 GMT
Via: 1.1 varnish
Connection: close
X-Served-By: cache-hhn1535-HHN
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1503460424.290419,VS0,VE0
Strict-Transport-Security: max-age=31536000
X-Xss-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.usertrust.com


HTTP/1.1 200 OK
Date: Wed, 23 Aug 2017 03:53:50 GMT
Server: Apache
Last-Modified: Sat, 19 Aug 2017 22:42:46 GMT
Expires: Sat, 26 Aug 2017 22:42:46 GMT
ETag: A26F805A3BB1D57694720F1A00460904F5AC2A6C
Cache-Control: max-age=326335,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: rmdccaocsp10
Content-Length: 471
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0.........z4.&...&T....$.T...2017081
9224246Z0s0q0I0... ........|.fT...D.b&...e{.z.......z4.&...&T....$.T..
...(p[....6c..aC6....20170819224246Z....20170826224246Z0...*.H........
..... .F.h.......|10;.....*.Wz\..........2...,;....<.h.......g3..\.
..._.^.^.)..."V(....@l.m.J.....%...............:\...D.M.V...O..JO2to..
..I'g...l..../yz4_...3..B|......Y8....\..Ew..Z...,.6.S..Eys...hcY(..&.
.no...U...}`f9....'..xq...i|.....X..<wC....=6..T.....;..


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.usertrust.com


HTTP/1.1 200 OK
Date: Wed, 23 Aug 2017 03:53:50 GMT
Server: Apache
Last-Modified: Sat, 19 Aug 2017 22:42:46 GMT
Expires: Sat, 26 Aug 2017 22:42:46 GMT
ETag: A26F805A3BB1D57694720F1A00460904F5AC2A6C
Cache-Control: max-age=326335,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: rmdccaocsp19
Content-Length: 471
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0.........z4.&...&T....$.T...2017081
9224246Z0s0q0I0... ........|.fT...D.b&...e{.z.......z4.&...&T....$.T..
...(p[....6c..aC6....20170819224246Z....20170826224246Z0...*.H........
..... .F.h.......|10;.....*.Wz\..........2...,;....<.h.......g3..\.
..._.^.^.)..."V(....@l.m.J.....%...............:\...D.M.V...O..JO2to..
..I'g...l..../yz4_...3..B|......Y8....\..Ew..Z...,.6.S..Eys...hcY(..&.
.no...U...}`f9....'..xq...i|.....X..<wC....=6..T.....;..


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m/WqorSs9UgOHYm8Cd8rIDZssCEEcg0PqFRhp+F6FkApGEY3Q= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.usertrust.com


HTTP/1.1 200 OK
Date: Wed, 23 Aug 2017 03:53:56 GMT
Server: Apache
Last-Modified: Sat, 19 Aug 2017 22:42:46 GMT
Expires: Sat, 26 Aug 2017 22:42:46 GMT
ETag: 81E84CD63427CCB5384564F478DC67D0FEB5E6FA
Cache-Control: max-age=326329,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: rmdccaocsp10
Content-Length: 727
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0......Sy.Z. J.T.........f...2017081
9224246Z0s0q0I0... .........0.L4:....p.....v)....Sy.Z. J.T.........f..
.G ...F.~..d...ct....20170819224246Z....20170826224246Z0...*.H........
.....4p...7.1*/c...:...ziT.n5.nH..h....<..r.k.@....n...3.........}
...:.....P.s_..<..s..#RK%.p.d..'W.ax...i.....=.N.].....p.F.c...b^.!
.......O....X(...x<.%....(.....~.....N*.. &4N.N......f..T..Beo..I..
..|<....d.....`w.-q.......3.hn..pA...t..v.ik.....Bi.|..L...{......F
`......E..d..2...c......C..E.%.$....\.......2g. ...#.....S.N..;.z..~..
....N$......T.....{>.=...~<..P ...wy..E.....=.[..lVo.p!...\k.[..
.'K.fo..y...>...".uY.(.....e..!......F.N.....]....M.72.............
....ey..>;6.i..rZ....).$..9...Y.....[.\w...._W....


GET /InCommonRSAServerCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.incommon-rsa.org


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 23 Aug 2017 03:54:06 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 626461
Last-Modified: Tue, 22 Aug 2017 08:53:32 GMT
Connection: close
ETag: "599bf10c-98f1d"
X-CCACDN-Mirror-ID: rmdccacrl1
Cache-Control: max-age=36000
Accept-Ranges: bytes
0....0.......0...*.H........0v1.0...U....US1.0...U....MI1.0...U....Ann
Arbor1.0...U....Internet21.0...U....InCommon1.0...U....InCommon RSA S
erver CA..170822085332Z..170826085332Z0... 0!..57*-Y..~.....A....14092
2160742Z0!..,......RE....].!..140922161506Z0".....n.....^.n..r.I..1409
22174109Z0".....2....3.......#..140922214152Z0"......%....Z@.l.."...14
0922223922Z0!...f&.....# .C.P.O..140923121431Z0"....}....O".*..B.G4..1
40923141306Z0".....>..a.t.M........140923141318Z0"...... .J|.......
6...140923170247Z0"....RQ.1ga..v..K.....140923191704Z0"...."I.....=..h
...E..140924115602Z0!..A~..G~..3.wg$N$...140924160011Z0!..r....Y.l.&..
LS....140924160022Z0!..('6...w.^....d....140924171120Z0"....=.........
F..y...140924173752Z0".....~..,......1T.U..140924195705Z0!..p..AisNgQ.
...[Oh..140925055500Z0!..l%.l.......^......140925123802Z0!../8........
..A.J...140925150805Z0!..d...d|..$..KW.....140925155625Z0!..]k.......]
3..i....140925164605Z0"....d8.|.>*45..#.no..140925165006Z0!..~y...N
x4....C.....140925165614Z0!....(.O?j[..m\..;N..140925174651Z0"....u.g.
...^Lar......140925174701Z0"....q.RC.W].X........140925181036Z0"....l.
..-.....r..r...140925201547Z0"...."..p....o.E...A..140925203729Z0"....
.l..a..<.[..@|&..140925204907Z0"....S........j.......140926123114Z0
!..e%......ZMMh#.Z...140926140856Z0!..D....i.....1.M....140926171818Z0
"......@o0...cB..n....140926174052Z0"....T-.-.V..UU..X.*..140926211006
Z0"....z...7..U.95...S..140926211014Z0!..C........^8....K..14092621132
9Z0"........l..$.Hb...H..140928193424Z0".......)...O....f?J..14092

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m/WqorSs9UgOHYm8Cd8rIDZssCEEcg0PqFRhp+F6FkApGEY3Q= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.usertrust.com


HTTP/1.1 200 OK
Date: Wed, 23 Aug 2017 03:53:56 GMT
Server: Apache
Last-Modified: Sat, 19 Aug 2017 22:42:46 GMT
Expires: Sat, 26 Aug 2017 22:42:46 GMT
ETag: 81E84CD63427CCB5384564F478DC67D0FEB5E6FA
Cache-Control: max-age=326329,public,no-transform,must-revalidate
X-OCSP-Reponder-ID: rmdccaocsp10
Content-Length: 727
Connection: close
Content-Type: application/ocsp-response
0..........0..... .....0......0...0......Sy.Z. J.T.........f...2017081
9224246Z0s0q0I0... .........0.L4:....p.....v)....Sy.Z. J.T.........f..
.G ...F.~..d...ct....20170819224246Z....20170826224246Z0...*.H........
.....4p...7.1*/c...:...ziT.n5.nH..h....<..r.k.@....n...3.........}
...:.....P.s_..<..s..#RK%.p.d..'W.ax...i.....=.N.].....p.F.c...b^.!
.......O....X(...x<.%....(.....~.....N*.. &4N.N......f..T..Beo..I..
..|<....d.....`w.-q.......3.hn..pA...t..v.ik.....Bi.|..L...{......F
`......E..d..2...c......C..E.%.$....\.......2g. ...#.....S.N..;.z..~..
....N$......T.....{>.=...~<..P ...wy..E.....=.[..lVo.p!...\k.[..
.'K.fo..y...>...".uY.(.....e..!......F.N.....]....M.72.............
....ey..>;6.i..rZ....).$..9...Y.....[.\w...._W....


The Trojan connects to the servers at the following location(s):

%original file name%.exe_3880:

.text
`.rdata
@.data
.ndata
.rsrc
t%SPV
tDSSh
Gw2.Hw
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
%s %s
... %d%%
verifying installer: %d%%
unpacking data: %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scratch\s2exe.exe" C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Project151Map.sb2
C:\Users\"%CurrentUserName%"\AppData\Local\Temp
s2exe.exe
Map.sb2
version="5.1.0.0"
13.exe"/>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--The ID below indicates application support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
@E:\AAuto\lib\winex\_.aau
import
EnumWindows
EnumChildWindows
enumWindows
cmdid
@main.aau
win.ui
com.flash
_CMDLINE
msgbox
scratch\open.fnr
?http
by hXXp://hi.baidu.com/scratch
"6.0.0.0"
-"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scratch\s2exe.exe" C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Project151Map.sb2
c:\%original file name%.exe
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsjB921.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.27</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>
yz.lhuo@gmail.com
0.0.0.4
.........................exe>
scratch2exe.exe
s2exe

s2exe.exe_3968:

.text
`.rdata
@.data
.rsrc
?%uYG
xSSSh
FTPjKS
FtPj;S
C.PjRV
Hw2.Hw%
cmd.exe
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
GetProcessWindowStation
operator
_CMDLINE
import preload;
com.each = function(obj) begin
if(type(obj)==type.function)obj=obj();
if(!com.IsObject(obj))error('
try{enumerator = com.GetEnumerator(obj);}catch(e){err=e}if(err)error(err,2);var function iterator( index ) {var value = owner.Next();return ( value ? index 1 : null ) , value ;}return iterator, enumerator, 0;end
There was not enough memory to complete the operation
Windows error
Unsupported feature required
%d.%d
com.dll
Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}
Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}
Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}
Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
com.getIUnknow() QueryInterface Failed!
-mapid %d
hh.exe
ID:0x%X: %s
$Spp: AAuto v3.0 Copyright (C) ecranesoft.com $
$URL: VVV.ecranesoft.com $
File %s, Line %d
ExportConstants
ExportEnumerations
ole.host
expected: ::MSG struct
com.CreateEmbed
Invalid form.hwnd!
Union type not supported!
Record type not supported!
TKIND_MODULE and TKIND_MAX not supported!
Exception (%s)
IDispatch.Data
invalid object(com.IDispatch)
Property putref not supported.
Property puts with more than two parameters aren't supported.
showMsg
Spp error: error during error handler execution.
load resource(%s/%s) failed!
bad argument:@%d '%s'
calling:'%s'
bad argument:@%d
expected:%s
got:%s
file:%s
line:#%d
invalid option:'%s'
%s.%s
attempt to use a closed object: %s:#%d ( type:'%s.%s')
stack overflow (%s)
name conflict for namespace '%s'
failed:%s
error:%s
field:'%s'
thread id:%d
thread error:%s
return %s
callback : _struct error '...%s'
Cannot load library '%s'.
%s._struct not found!
Invalid _struct{%s...},Expected a field name! [in]
field:%s
field:%s.%s
Invalid _struct: {...%s},Data Type Error(%c...key:%s) [out]
{ %s }
Invalid _struct{%s...},Expected a field name! [out]
Failed to get the size of the dynamic array!field(%s)
Cannot load remote library '%s'.
Cannot find remote function '%s' in the dll.
Cannot find function '%s' in the dll.
Declare Api:'%s'
Data type error: '...%s'
Struct size has more than %d
%s %s[%d]
invalid key to 'next'
Cann't modify a %s : '%s'
attempt to:%s
kind:%s
name:'%s'
type:%s
attempt to:compare two %s values
attempt to:compare %s with %s
file:%s:
join
^$* ?.:([\-{<%
invalid replacement value (a %s)
no function environment for tail call at level %d
in function '%s'
in function <%s:%d>
import-namespace conflict for global.%s
import
import ide;
importFile
import %s failed ! file not found
import %s failed !syntax error:
import %s failed :
import-namespace conflict for self.%s
%s: %p
io.FILE*
Invalid time:Invalid dayofweek(%d) outside valid range(0~6)
Invalid time:Invalid month(%d) outside valid range(1~12)
Invalid time:Invalid day(%d) outside valid range(1~31)
Invalid time:hour(%d) outside valid range(0~23)
Invalid time:minute (%d) outside valid range(0~59)
Invalid time:second(%d) outside valid range(0~59)
Invalid time:year(%d) outside valid range(1900~9999)
Invalid format directive(...%s)
thread.call() error
[%d]=
['%s']=
["%s"]=
%s'%s'
%s"%s"
%snull
%stopointer(0x%p)
io.file(closed)
io.file(%p)
standard %s file is closed
cdata( by raw.malloc() )
%s\%s
_exepath
_exedir
_exefile
char(%d)
near:...'%s'
byte:%s
$"%s"
%s: %s in precompiled chunk
expected:'%s'
main function has more than %d %s
function at line %d has more than %d %s
match for:'%s'
match line:%d
expected:keyword
%H:%M:%S
%m/%d/%y %H:%M:%S
%m/%d/%y
?#%X.y
%S#[k
ole32.dll
SHDeleteKeyA
SHLWAPI.dll
GetProcessHeap
GetCPInfo
CreatePipe
KERNEL32.dll
USER32.dll
SetViewportExtEx
SetViewportOrgEx
GDI32.dll
RegEnumKeyExA
RegCreateKeyExA
RegOpenKeyExA
RegCloseKey
ADVAPI32.dll
OLEAUT32.dll
zcÁ
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scratch\s2exe.exe
@E:\AAuto\lib\com\flash\_.aau
util.metaProperty
com.flash.xml
ShockwaveFlash.ShockwaveFlash
@E:\AAuto\lib\com\flash\xml.aau
string.xml
@E:\AAuto\lib\com\picture.aau
com.picture
win.guid
win.ole
@lib\config.aau
fsys.config
@E:\AAuto\lib\fsys\_.aau
fsys.path
SHFileOperation
SHFileOperationA
operation
Shlwapi.dll
fsys.shortpath()
joinpath
int hwnd;INT wFunc;string pFrom;string pTo;WORD fFlags;int fAnyOperationsAborted;pointer hNameMappings;string lpszProgressTitle
@E:\AAuto\lib\fsys\config.aau
fsys.table
.table
@E:\AAuto\lib\fsys\path.aau
[\\/:*?"<>|]
@E:\AAuto\lib\fsys\table.aau
@E:\AAuto\lib\gdi\_.aau
.LOGFONT
Gdi32.dll
int(ptr hdcDest,int xoriginDest,int yoriginDest,int wDest,int hDest,pointer hdcSrc,int xoriginSrc,int yoriginSrc,int wSrc,int hSrc,INT crTransparent)
ptr hdcSrc, struct ptSrc, INT crKey,struct blend, INT flags)
crKey
@E:\AAuto\lib\preload\_.aau
User32.dll
Kernel32.dll
MsgWaitForMultipleObjects
EXCEPTION_FLT_DENORMAL_OPERAND
EXCEPTION_FLT_INVALID_OPERATIO
0xX
\.*(. )(%\[\])$
\.*(. )\.([^.] )$
keys
msgWaitForMultipleObjects
@E:\AAuto\lib\string\xml.aau
<%s%s>%s
<%s%s>%s%s</%s>%s
<%s%s/>%s
(.*?)<@]]>@>
^\<\!\-\-.*?\-\-\>
^\<\!.*?\-\-\>
@E:\AAuto\lib\util\metaProperty.aau
@E:\AAuto\lib\win\_.aau
int(addr hwnd,INT msg,ADDR wParam,addr lParam)
int(pointer lpPrevWndFunc,addr hwnd,INT Msg,ADDR wParam,addr lParam)
addr(addr hwnd,INT msg,ADDR wParam,addr lParam)
addr(int idThread,INT msg,ADDR wParam,addr lParam)
addr(addr hwnd,INT msg,pointer wParam,pointer lParam)
addr(addr hwnd,INT msg,int &wParam,int &lParam)
addr(addr hwnd,INT msg,pointer wParam,pointer lParam,INT flags,INT timeout,int & resultult)
GetAsyncKeyState
word(int vKey)
GetKeyState
word( int vKey)
int( addr hwnd,INT uCmd)
bool(addr hwnd,int cmd)
msgbox
msgboxErr
msgboxTest
msgboxTimeout
win.invoke()
INT(int hDlg,struct IpMsgc)
UxTheme.dll
msg_observer
@E:\AAuto\lib\win\guid.aau
Rpcrt4
Rpcrt4.dll
Ole32.dll
@E:\AAuto\lib\win\ole\_.aau
Oleaut32.dll
@E:\AAuto\lib\win\ui\_.aau
win.ui.background
RegisterHotKey
UnregisterHotKey
int(int hwnd,int crKey,BYTE bAlpha,INT dwFlags)
.win.ui.ctrl
reghotkey
unreghotkey
cmdTranslate
%s[TID:%d]
_hotkeys
@E:\AAuto\lib\win\ui\background.aau
win.ui
@Publish\release.win.ui.ctrl.aau
win.ui.ctrl.common
win.ui.ctrl.metaProperty
win.ui.ctrl.button
win.ui.ctrl
win.ui.ctrl.custom
@E:\AAuto\lib\win\ui\ctrl\button.aau
@E:\AAuto\lib\win\ui\ctrl\common.aau
Comctl32.dll
@E:\AAuto\lib\win\ui\ctrl\custom.aau
@E:\AAuto\lib\win\ui\ctrl\metaProperty.aau
@E:\AAuto\lib\winex\_.aau
EnumWindows
EnumChildWindows
enumWindows
cmdid
@main.aau
com.flash
scratch\open.fnr
?http
by hXXp://hi.baidu.com/scratch
version="5.1.0.0"
13.exe"/>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--The ID below indicates application support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
Interface: %s
COM.FLASH
COM.FLASH.XML
COM.PICTURE
FSYS.CONFIG
FSYS.PATH
FSYS.TABLE
STRING.XML
UTIL.METAPROPERTY
WIN.GUID
WIN.OLE
WIN.UI
WIN.UI.BACKGROUND
WIN.UI.CTRL
WIN.UI.CTRL.BUTTON
WIN.UI.CTRL.COMMON
WIN.UI.CTRL.CUSTOM
WIN.UI.CTRL.METAPROPERTY
yz.lhuo@gmail.com
0.0.0.4
.........................exe>
scratch2exe.exe
s2exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3880

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Project151Map.sb2 (36078 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scratch\s2exe.exe (30480 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scratch\open.fnr (66362 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nszB9CE.tmp (131050 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar4183.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DFECE1A4D0C745EF29E7B51A2DA008B8 (1454 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0DD30266AF9B4A57FF10335BAF014F_1A83F80A2067DD202B16599AA2CE4194 (942 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CBB16B7A61CE4E298043181730D3CE9B (2674 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab4182.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FA72AE1092979CCD3A7B12BE5EF5A9A2 (1252 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DFECE1A4D0C745EF29E7B51A2DA008B8 (2730 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CBB16B7A61CE4E298043181730D3CE9B (942 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FA72AE1092979CCD3A7B12BE5EF5A9A2 (650 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0DD30266AF9B4A57FF10335BAF014F_1A83F80A2067DD202B16599AA2CE4194 (1118 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
