Trojan.Win32.FlyStudio_89258f9264

by malwarelabrobot on May 15th, 2017 in Malware Descriptions.

Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 89258f92646d25aaf7af706c11a5275c
SHA1: 922a7a8c16253fb849ed35bce3d68749860c4ad9
SHA256: f70a96569cdbeba406821946da8a1791d34431149309c61481d75a0ba405ada2
SSDeep: 6144:hXIZ0GbmwPw8wQl/db3RKwgxA96zSmbY4ECdvDzNbeBb/S:GtY8Fb3RKwg2gBhdNbeBL
Size: 289792 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2017-04-10 10:37:20
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:3676

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\hapi.dll (9 bytes)

Registry activity

The process %original file name%.exe:3676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zdkjqd" = "c:\%original file name%.exe"

Dropped PE files

MD5 File path
4fc3c39b0a54584f02df224721c3d7eb c:\Users\"%CurrentUserName%"\AppData\Local\Temp\hapi.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 667648 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 671744 282624 282112 5.49437 44df5202acfc3190cf1103ad4bee58bf
.rsrc 954368 8192 6656 2.42462 db8b8a28fdbe8c1fb922629aa706514d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_3676:

`.rsrc
(W%D!
t$(SSh
~%UVW
u$SShe
u-hw}G
shlwapi.dll
kernel32.dll
wininet.dll
user32.dll
ole32.dll
Winhttp.dll
Kernel32.dll
MsgWaitForMultipleObjects
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
WinHttpCheckPlatform
WinHttpCrackUrl
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpSetTimeouts
WinHttpSetCredentials
WinHttpCloseHandle
WinHttpSetOption
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpQueryHeaders
software\microsoft\windows\CurrentVersion\Run\zdkjqd
hapi.dll
VAPI32.dllle0c
S `.rde
KERNEL32.DLL
GDI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
ni.dll
pz.dll
5B3838F5-0C81-46D9-A4C0-6EA28CA3E942
hXXp://118.123.7.243/hy.txt
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXp://
Common.dll
@`AMainFrame.dll
.@&website=VVV.qq.com
&fromSubId=1&subcmd=all&uin=
hXXp://118.123.7.243/qh.txt
hXXp://wp.qq.com/wpa/qunwpa?idkey=
tencent://groupwpa/?subcmd=all¶m=
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Adodb.Stream
WinHttp
hXXp://118.123.7.243/love/api.asp?type=b&uid=
VBScript.RegExp
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
VVV.dywt.com.cn
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
right-curly-bracket
left-curly-bracket
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
GetWindowsDirectoryA
WinExec
GetProcessHeap
RegCloseKey
RegOpenKeyExA
RegCreateKeyA
RegCreateKeyExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportOrgEx
ShellExecuteA
SetWindowsHookExA
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
InternetCanonicalizeUrlA
InternetCrackUrlA
.text
`.rdata
@.data
.rsrc
l@s.EHT
cgyKey
UrlA3R
n8U%u
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
OLEAUT32.dll
RASAPI32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
(*.*)

%original file name%.exe_3676_rwx_00401000_000E7000:

t$(SSh
~%UVW
u$SShe
u-hw}G
shlwapi.dll
kernel32.dll
wininet.dll
user32.dll
ole32.dll
Winhttp.dll
Kernel32.dll
MsgWaitForMultipleObjects
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
WinHttpCheckPlatform
WinHttpCrackUrl
WinHttpOpen
WinHttpConnect
WinHttpOpenRequest
WinHttpSetTimeouts
WinHttpSetCredentials
WinHttpCloseHandle
WinHttpSetOption
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpQueryHeaders
software\microsoft\windows\CurrentVersion\Run\zdkjqd
hapi.dll
VAPI32.dllle0c
S `.rde
KERNEL32.DLL
GDI32.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
ni.dll
pz.dll
5B3838F5-0C81-46D9-A4C0-6EA28CA3E942
hXXp://118.123.7.243/hy.txt
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXp://
Common.dll
@`AMainFrame.dll
.@&website=VVV.qq.com
&fromSubId=1&subcmd=all&uin=
hXXp://118.123.7.243/qh.txt
hXXp://wp.qq.com/wpa/qunwpa?idkey=
tencent://groupwpa/?subcmd=all¶m=
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Adodb.Stream
WinHttp
hXXp://118.123.7.243/love/api.asp?type=b&uid=
VBScript.RegExp
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
VVV.dywt.com.cn
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
right-curly-bracket
left-curly-bracket
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
GetWindowsDirectoryA
WinExec
GetProcessHeap
RegCloseKey
RegOpenKeyExA
RegCreateKeyA
RegCreateKeyExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GetViewportOrgEx
ShellExecuteA
SetWindowsHookExA
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
InternetCanonicalizeUrlA
InternetCrackUrlA
.text
`.rdata
@.data
.rsrc
(*.*)


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\hapi.dll (9 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "zdkjqd" = "c:\%original file name%.exe"

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now