Trojan.Win32.FlyStudio_a66097099d


by malwarelabrobot on August 18th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.DownLoader19.1124 (DrWeb), Artemis!A66097099DE9 (McAfee), ML.Attribute.HighConfidence (Symantec), Backdoor.Win32.BlackHole (Ikarus), Trojan:W32/DelfInject.R (FSecure), Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: a66097099de9f8ace80ff86ef9aa5cc7
SHA1: 6e8cb04e36667329128bf445643d0c4b30010186
SHA256: 2b671a2229a813b96a1fcf908a8e3e2d4f801516499ef9eb22bab3c3018c8cbc
SSDeep: 49152: Ve7pWKIzUp0xqdwk0cQHGiYYSzSY5voVU7zQY9z:7dWKIzc0xqdwkLQHHhsSYt8w
Size: 2252800 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2013-07-19 12:04:05
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2504

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\SkinH_EL.dll (178 bytes)

Registry activity

The process %original file name%.exe:2504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\a66097099de9f8ace80ff86ef9aa5cc7_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\a66097099de9f8ace80ff86ef9aa5cc7_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\a66097099de9f8ace80ff86ef9aa5cc7_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\a66097099de9f8ace80ff86ef9aa5cc7_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\a66097099de9f8ace80ff86ef9aa5cc7_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\a66097099de9f8ace80ff86ef9aa5cc7_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

[HKLM\SOFTWARE\Microsoft\Tracing\a66097099de9f8ace80ff86ef9aa5cc7_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\a66097099de9f8ace80ff86ef9aa5cc7_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\a66097099de9f8ace80ff86ef9aa5cc7_RASAPI32]
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
147127382e001f495d1842ee7a9e7912 c:\SkinH_EL.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 542382 544768 4.52849 fdd71fad3b8974c98f312d3234dd6bf7
.rdata 548864 1480486 1482752 5.42002 d34d48dcf7bb78b6abdf51f04ac45f09
.data 2031616 312746 86016 3.72153 38027e5e2f06eac8b08b8a90d3588220
.rsrc 2347008 133424 135168 4.87366 0c3b64872c086d2c3015f345caeeb750

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://sale.yimaoip.com/
hxxp://sj.skqq.net/ 198.11.181.25


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: sj.skqq.net
Cache-Control: no-cache


HTTP/1.1 200 OK
Connection: close
Date: Thu, 17 Aug 2017 09:27:38 GMT
Server: Microsoft-IIS/6.0
Content-Type: text/html; charset=UTF-8
...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "
hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html
xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http
-equiv="Content-Type" content="text/html; charset=utf-8">..<titl
e>skqq.net...............This domain is for sale</title>..<
;meta name="keywords" content="skqq.net,............,skqq.net......"&g
t;..<meta name="description" content="skqq.net.....................
......This domain is for sale.">..<link rel="stylesheet" href="c
ss.css" type="text/css">..</head>..<body>..<div id="
yimao">..<div id="maint"></div>..<div id="domain">
;..<ul><li class=lid>skqq.net</li></ul>..<u
l><li class=lis>...........................This domain is for
sale.</li></ul>..</div>..<div id="mainb">..&l
t;ul><li class=li4>............ Contact us</li></ul&
gt;..<ul><li class=li1>QQ...</li><li class=li2>
;<a href=tencent://message/?uin=95519&Site=QQ&Menu=yes>95519<
/a> </li><li class=li1>...... Email</li><
li class=li2>95519@qq.com </li></ul>..<ul>&l
t;li class=li1>......</li><li class=li2>13905733384&nbs
p;</li><li class=li1>...... TEL</li><li class=li2
>13905733384 ...... </li></ul>..</div>..<
;div id="maink"></div>..<div id="mainc"><script

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_2504:

.text
`.rdata
.data
.rsrc
t$(SSh
~%UVW
u$SShe
hMsG
Av=kAv.SCv
SkinH_EL.dll
user32.dll
232531190
%s;7*
0%x@w
%C^L:
%s T5
]E4%F(
.Funr
k%UPp
fg.VG
%C',@
>Ùd
0'.Ll
[I(3/#N0.bd
j"%u=w
q%Xn`
@|H.NI
.wdd!
S|%u4
*.Ea]S
Q.CGo
fTpe
.LLbX
-.Mdl
\-A}=3K
Y:.akpS
$.Zcqn
u.Jck~
zx/%FN[
ce_%D
%C@0H
%s=\RI
}j%c%Y)
Rx.GR
4o#.dM
IeS`%C
[n 4\.UY 
,4.qO,
gQ'.Io
%cLur?
s%DHB
]I%%X
5r.US
:mD].tB
f%fUZ
.fOuV12
*_.dC
&-N}<
({?.cQm
.Cqx~c
.`.Qw
**.dU
!n]%x
%X,Cr
&.PFy{xh
.um ZZE7L
/^p%u$
I.NoQY
zu.ew
D/.nT
q.7.qE
W>^T%S
%XiR^
1%SqlnD
U[5%u
.OW74
"E.jV
c T.Om
*U%XOd
D%FW@
.gM>$slt
B.iR%
vv#%sY7x
.TY3F
kEY94
.nyBK
wN%U/
4.Ky%t
.h.fO
.TK$N
%dRB:W
[I9%f
8o%sx
.WE= T!N
#?%s(C(
Rd.hYp
.TX=6
,%x)E
R%X4C (
$7.Gs
d,.bw p
o .Kb
KOz-%c Rd
zkey0
=.Lw/Ch
!c%SGd
A.YA'
`.yV8
.qL8d0{
m>[So;.yd] 
_ÎW,
%UZtQ
.Fu:#
SShXuy@
f.kz"
@o.Ns
i.IK(
9rBÀ
.nm[&
.DDU0
%f$8C
\SkinH_EL.dll
C$%cmb
.ppM|
 aZ.mO
%-^
.hk;~
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
hXXp://
\1.ini
/mmxgts.php?zh=
/fhxx.php?zh=
/cfts.php?zh=
hXXp://iframe.ip138.com/ic.asp
/tjts.php?zh=
/yzts.php?zh=
/cxts.php?zh=
/zlxgts.php?zh=
(<M@.LPbPE1<kj?Abbb
8RRSIHIZZURL(1jkMaV4
|CHI.
CrTR:7RK(#
7<===>>@
D67P;N6%DOi
%8XvQZ'"1:~
;uhe\`'*"7se>'9&d8CeZG67&-77(
~42!!""! !0:
.NovOA>67H@CIN@/AB'&'%*9$####$$%%%%%*((:]pH?R\ZddJ?1
)&!3!"$###
$((($$%%)
$($""!!$())("
.0000./:8-
-01010232-]
&&&&%&&&!
-22t}
!!=\^-746>
-qhhhhxzzzzzzzz}~}{}~{|
\=>7777,
((?<-21.
$)@6/1110
#    ?3,7`
0000....---,,,"
.-,, ,,-.-
.--,,--./.-
/.----./
788:::!0
$;$#!#"99:9#!!!,42
1788!4420
0448842
677764./
"$#*  !"999#*!!!!4/
/4!!!402
5478874 .
. !"## *##"9!-
3677887)*.
$$# *  !!!  **#"9#,//..00/
//.)##,////../
 *$9<<<9$# //
/-,,,,-./
///...//
  ##$999$##  /
/    ***   /    *#
}[[[}||}
!,00!!))/
//.   ,,,,  *!##99;;#
,00!!!,*
//  ***  ///
,00!!!!*
(((())**////
/  *##* *//
,0,,!!,/
////  *##**  /
!--,,- /
,0.0-, "
*))))())****
**)#'%%'()*
//***)))*/
// ****   /   ** 
/....NMNOOQX|
$%%'((('''(
$%''((((&'6
"!!!! ::;;;====;#   *#$9<<>>?>>=<9#*  /   ***  //
   **))335(555
/ **#=?>=;$
111333553
11335553
(5(((&&&(
(67%#!-...000
0,!,,000,
0!!!,0000,
0!!!,0000,
/0!!!,00.0,
2!!!,00.0,!
.0,,    
120000,,!
0000,,  
/20..- !
/#<<977641
/#<<997763
/)##9777643
/)(777766331113322
335667663
3566443
, !!!00.
, ::::8!0
;=???<:!
1111111
111220.//
,-.////0/111/
$;;;9!-../
//*)4421
   ***//
3444431
136676441
136677641
136777641
35666653
33333333423
146776)1
14677441
2477442
1144222//.-!
11110...-"
/.,!$$#"! ./
/***,,,00/
//.-444,,000/
###())*///
  "#9" -
112444400.
12222222
122444400.
444444444474
1111124444
4244444444
332242111/
1344441
111220//
124440./
1244-0./
12200../
3342211
/..-,- #
3544421
//.-,,  
///...--, 
333331111
3533331111
**,,,-   
**)367775
35566444)
5777333566776421/
35677774
1355676631
3555533
1124477##
12442211.#$$# /
2211.###  /
///  ***
,,  ---.  
;; ,0..,!
35567777664) 
!!!" !,,
367797763
(779977)
LSSSSSSIa_lnnhddhlprpigggdddddddhhijjjllljjlnoptqqqppomkkjkkkoprrrrrqokkhgggggiikkiiiikkkkkkkkjiiihhhhhgghhhiikkkkkkkkkkkjiiiiiiiiiiiiiiiiiiiiikkoooookhdccdlqsssqlaJ
(79997(1
*('99$76
(('$$77(
)('&&&(((
(()''%$%')
1111111111
*))(%$99$$9999$$%#()*
)9#74))#9<9#*/
/***)* #9999$##$$$99$##**/
*))*////)### /
/ !!! :::: ,-..-
0000 !0,.///..--./ *#!!*))
.,!!!!-00/00-,,0.
///.-)444221
.00..00,,!!!!899998!0
12111/*))*
// *//. ,0
!!!!89:::84
//  .. ,,000!
.!!!,-,,,!!!!,0..00,,!8!41
.-! ! ,,,!!!!,,,--0,, ! !,/
,,  , ,   ,,
*##)/***/
*9<$##$#*
,00..,! ::
1244477
488888887
~~\[[[\}~}}}
/-!!9::::8!0
/-)7#!8!!0
//**)))-/
//// *  *.//
//..***///
/.***))* ./
/**)((()**/
11111111111
////****//
1133444463
#$=>=%'&
132466766)
3246667663
332466644)
***/**//
332244442
/**///** //
333333111
))(66333
/!888!000,,
..!88!!000,
, 8!000,
plEQOOOMEcdhhBBN&%dkppppppokldcCCJJK
:: !000,
200000000000
VVV.tianzm.com
VVV.tianzm.com
1.2.18
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
RASAPI32.dll
AVIFIL32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
GetProcessHeap
WinExec
GetCPInfo
KERNEL32.dll
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
WINSPOOL.DRV
comdlg32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
OLEAUT32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
(*.avi)|*.avi
RICHED32.DLL
RICHED20.DLL
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
operator
keywords
VVV.dywt.com.cn
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
1, 0, 6, 6
=|23456789
(*.*)
1.0.0.0
(hXXp://VVV.eyuyan.com)

%original file name%.exe_2504_rwx_10001000_00039000:

L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\SkinH_EL.dll (178 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
