Trojan.Win32.FlyStudio_1828b5236c
Trojan.GenericKD.5076663 (BitDefender), Trojan.Win32.Agent.neyhwg (Kaspersky), Trojan.GenericKD.5076663 (B) (Emsisoft), Artemis!1828B5236C53 (McAfee), SecurityRisk.gen1 (Symantec), Trojan.GenericKD.5076663 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 1828b5236c53ae9c442ca0bcb46d7cda
SHA1: f5c1fc775c4ef2cc3c95661a1d1d01b47293592d
SHA256: 4c317e9b069b42b6316d38e5f6a63814e408e619ee5c583127e47c701419d32a
SSDeep: 12288:/ZVPZu3RFyhvn4dQf0Bjo5 pX5EFiq02uumge oY8CekX8rRJA:LPZUy14LjoAEFvduumge ICekSRW
Size: 530432 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2016-12-14 06:21:14
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
ThunderNewTaskShell.exe:644
The Trojan injects its code into the following process(es):
%original file name%.exe:1672
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process ThunderNewTaskShell.exe:644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\AppPatch\LiveUDHelper.dll (98 bytes)
The process %original file name%.exe:1672 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\AppPatch\LiveUDHelper.dll (98 bytes)
C:\Windows\AppPatch\ThunderNewTaskShell.exe (201 bytes)
Registry activity
The process ThunderNewTaskShell.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\ThunderNewTaskShell_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\ThunderNewTaskShell_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\ThunderNewTaskShell_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\ThunderNewTaskShell_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\ThunderNewTaskShell_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\ThunderNewTaskShell_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\ThunderNewTaskShell_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\ThunderNewTaskShell_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "%WinDir%\AppPatch\ThunderNewTaskShell.exe"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
| MD5 | File path |
|---|---|
| 47c0247d7d36861e588a79273f355f3c | c:\Windows\AppPatch\LiveUDHelper.dll |
| 021e756fdcd5da4cf068aaa60a75cde8 | c:\Windows\AppPatch\ThunderNewTaskShell.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: ? ? ? 360
Product Name: 0sd
Product Version: 52.4.53.1
Legal Copyright: ? ??
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 52.4.53.1
File Description: 360
Comments: 4
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 679936 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 684032 | 462848 | 461312 | 5.4895 | 0fbb4933e1df8075d57442209bd389ff |
| .rsrc | 1146880 | 69632 | 68096 | 4.99069 | 8963309ea46fa60bcfcbe770bdc6146e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ThunderNewTaskShell.exe:644
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\AppPatch\LiveUDHelper.dll (98 bytes)
C:\Windows\AppPatch\ThunderNewTaskShell.exe (201 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "%WinDir%\AppPatch\ThunderNewTaskShell.exe"
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.