Trojan.NSIS.StartPage_e71addb812
not-a-virus:AdWare.NSIS.Xpyn.j (Kaspersky), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: e71addb81200eda8d727ff771dd477cd
SHA1: f43f92cb4fe77e8a333fe584c042beae1ee0bb83
SHA256: 73a81fc097e149ef47cf1319f532ed9d3584c020e7bbc03e3c5c583c6e5311cd
SSDeep: 196608:etYexgDxAlU/fSKHb peJsJsc5DCO4F1lUlPj9zNeHd9jpsN0D3dfryxIUBJgP8:OjlufSKHW22exUl9SektVuJgk
Size: 13708672 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-01-02 05:45:54
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1908
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\delete.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\input.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\Unicode.dll (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\bg.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\check-box.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\config.ini (591 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\bk2.png (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\tmp.txt (715 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\kuao34conf2[1].ini (715 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\jindutiao.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\DialogEx.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\bk3.png (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\check1.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\bk.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\uncheck1.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\RC4dll.dll (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\finish.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\uncheck.png (966 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\Banner.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\yes.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\check.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\bk_bak.png (3616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\change.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\Inetc.dll (804 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx7DA8.tmp (11739 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\jieyabutton.png (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\tmp2.txt (715 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\no.png (1 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\config.ini (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss7D88.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\tmp2.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\tmp.txt (0 bytes)
Registry activity
The process %original file name%.exe:1908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\e71addb81200eda8d727ff771dd477cd_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\e71addb81200eda8d727ff771dd477cd_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\e71addb81200eda8d727ff771dd477cd_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\e71addb81200eda8d727ff771dd477cd_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\e71addb81200eda8d727ff771dd477cd_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\e71addb81200eda8d727ff771dd477cd_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\e71addb81200eda8d727ff771dd477cd_RASAPI32]
"EnableFileTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
| MD5 | File path |
|---|---|
| 91c9ee5005ac6cb4ec79a3b039b4c8df | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\Banner.dll |
| ec138e15734e89232ed5a0e5ee5944ec | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\DialogEx.dll |
| 50fdadda3e993688401f6f1108fabdb4 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\Inetc.dll |
| c13bf5eead03e5989d157d5ed66e20f4 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\RC4dll.dll |
| 00a0194c20ee912257df53bfe258ee4a | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\System.dll |
| acbb8be17d02aa83713d58c8d216f15e | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\Unicode.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: Su Lang
Product Version: 1.0.0.1
Legal Copyright: (C)??????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.1
File Description: Su Lang
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 25084 | 25088 | 4.49773 | 23ca7817859f8050e8f75236183e7de8 |
| .rdata | 32768 | 7404 | 7680 | 3.70288 | c3a1d271092e8086c1565dfde839ab8a |
| .data | 40960 | 256220 | 512 | 1.01614 | b37070216945156d234628d13558e720 |
| .ndata | 299008 | 704512 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 1003520 | 27040 | 27136 | 2.7869 | e95429fb56f8fe7db1e5ba758bb01e5b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
790a558d6457087d6844ea1abcf46913
URLs
| URL | IP |
|---|---|
| hxxp://srfcount.sulang.com/conf.php | |
| hxxp://srfcount.sulang.com/tmp/conf/kuao34conf2.ini | |
| hxxp://srfcount.SuLang.com/tmp/conf/kuao34conf2.ini | |
| hxxp://srfcount.SuLang.com/conf.php | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\delete.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\input.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\Unicode.dll (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\bg.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\check-box.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\config.ini (591 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\bk2.png (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\tmp.txt (715 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\kuao34conf2[1].ini (715 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\jindutiao.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\DialogEx.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\bk3.png (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\check1.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\bk.png (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\uncheck1.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\RC4dll.dll (1601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\finish.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\uncheck.png (966 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\Banner.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\yes.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\check.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\bk_bak.png (3616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\change.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\Inetc.dll (804 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx7DA8.tmp (11739 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\jieyabutton.png (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\tmp2.txt (715 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn7DB9.tmp\no.png (1 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.