Trojan.Win32.FlyStudio_a89d1ea8d2

by malwarelabrobot on June 16th, 2017 in Malware Descriptions.

Gen:Variant.Strictor.130427 (BitDefender), Gen:Variant.Strictor.130427 (B) (Emsisoft), ML.Attribute.HighConfidence (Symantec), Gen:Variant.Strictor.130427 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: a89d1ea8d264e215ba15a01eb8c2f3f8
SHA1: 9c002d3490cd5905b58eaec9078a8686ee848e8d
SHA256: 29ef35d381eb05a8363fabd984a09994fe93eedfe0cd3024f405c2c5144d1a13
SSDeep: 24576:gckYiZgvAAGnPuY5WKEbfQKctJsld73c9RaNRcVGb1MNLF2mNBwss:NtAuY5FqqoWVGBMOSi
Size: 1716224 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company:
Created at: 2017-02-05 12:49:05
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: EmailWorm
Description: Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:1908

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\hao123\config.ini (36 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Popup.txt (5 bytes)
C:\Users\"%CurrentUserName%"\Desktop\hao123导航.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\hao123\hao123.exe (1561 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\tlrwp2[1].htm (429 bytes)

Registry activity

The process %original file name%.exe:1908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\a89d1ea8d264e215ba15a01eb8c2f3f8_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\a89d1ea8d264e215ba15a01eb8c2f3f8_RASMANCS]
"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\a89d1ea8d264e215ba15a01eb8c2f3f8_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\a89d1ea8d264e215ba15a01eb8c2f3f8_RASAPI32]
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\a89d1ea8d264e215ba15a01eb8c2f3f8_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\a89d1ea8d264e215ba15a01eb8c2f3f8_RASMANCS]
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
a4df5aa48eaa0eaca060773f8ce1949e c:\Users\"%CurrentUserName%"\AppData\Local\hao123\hao123.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ?????
Product Name: ??????3????
Product Version: 1.0.0.0
Legal Copyright: [?????] ???? 2012 - 2017
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ??????3????
Comments: ??????3????
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 687435 688128 4.56852 1239e5b644979fc0951e6effdcb1c23e
.rdata 692224 899444 901120 4.07896 e2d6b1b6183de127f0577604c3570380
.data 1593344 297704 90112 3.75985 a9153d98789be52af288b74a6d8cd5ca
.rsrc 1892352 29668 32768 3.92695 04db561fb80fffd2f7bb22800e9fd2c2

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://down.ku122.com/272330304352327324266257270374320302.txt 14.29.32.170
hxxp://down.ku122.com/tlrwp2.html?crack 14.29.32.170
hxxp://www.baiasp.com/tlrwp2.html?crack 14.29.32.170
hxxp://down.ku122.com/.............txt 14.29.32.170
m.hascosafety.com 123.207.98.47


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY HTTP Request on Unusual Port Possibly Hostile

Traffic

GET /tlrwp2.html?crack HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.baiasp.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Thu, 15 Jun 2017 07:30:48 GMT
Accept-Ranges: bytes
ETag: "15634b4fa9e5d21:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 15 Jun 2017 10:10:27 GMT
Content-Length: 417


GET /.............txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: down.ku122.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Fri, 26 May 2017 14:09:13 GMT
Accept-Ranges: bytes
ETag: "3351ffa629d6d21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 15 Jun 2017 10:10:26 GMT
Content-Length: 4031

The Trojan connects to the servers at the following location(s):

%original file name%.exe_1908:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1908

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\hao123\config.ini (36 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Popup.txt (5 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\hao123导航.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\hao123\hao123.exe (1561 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\tlrwp2[1].htm (429 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
