Trojan.Win32.Swrort.3_4c6a6d3966
Susp_Dropper (Kaspersky), Trojan.Win32.Swrort.3.FD, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 4c6a6d3966f7fb2fc6424d9745514ff1
SHA1: c6839a4f0aec89e93e7d9c53ee2fa6a1bd5b9954
SHA256: 768891848bdd0cc98f9cd13c2b78267e46aaa50e620788cc29dc3facc956cf7e
SSDeep: 3072:a/I2LykrxdI0TYHdSwEC4kD28S2W8WI1TC:Gkk1K089SO4B8Sb8x12
Size: 105056 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company:
Created at: 2017-08-03 11:48:03
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3516
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
No files have been created.
Registry activity
The process %original file name%.exe:3516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\4c6a6d3966f7fb2fc6424d9745514ff1_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\4c6a6d3966f7fb2fc6424d9745514ff1_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\4c6a6d3966f7fb2fc6424d9745514ff1_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\4c6a6d3966f7fb2fc6424d9745514ff1_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\4c6a6d3966f7fb2fc6424d9745514ff1_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\4c6a6d3966f7fb2fc6424d9745514ff1_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\4c6a6d3966f7fb2fc6424d9745514ff1_RASMANCS]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\4c6a6d3966f7fb2fc6424d9745514ff1_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 54413 | 54784 | 4.50816 | 55bfb97e02f80769cab55c8f1d00ba83 |
| .rdata | 61440 | 23264 | 23552 | 3.33395 | addcf2805683eb01d5bdf706b7c25444 |
| .data | 86016 | 9764 | 4608 | 2.36864 | c090e87c45cafa576171d69717819744 |
| .rsrc | 98304 | 9276 | 9728 | 3.81165 | 6b8c6318a48129d066a11b75c382e877 |
| .reloc | 110592 | 7818 | 8192 | 3.27352 | 581f413b32ba88dc1e8b89b56d2d539f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
@.reloc
GetProcessWindowStation
operator
hXXps://
kernel32.dll
C:\1\w8.id
XXX
hXXp://
Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20120415 Firefox/13.0a2)
Content-Type: application/x-www-form-urlencoded
Software\Microsoft\Windows\CurrentVersion\Internet Settings
\Mozilla\Firefox\Profiles\
*.default
sqlite3_close
sqlite3_finalize
sqlite3_column_text
sqlite3_step
sqlite3_prepare
sqlite3_open
\places.sqlite
\Mozilla Firefox\
sqlite3.dll
mozsqlite3.dll
nss3.dll
SELECT url FROM moz_places
\Google\Chrome\User Data\Default\
SELECT url FROM urls
-lid=%s
KERNEL32.dll
OpenWindowStationW
EnumChildWindows
EnumWindows
CloseWindowStation
SetProcessWindowStation
USER32.dll
GDI32.dll
RegCreateKeyExW
RegCreateKeyExA
RegCloseKey
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
ole32.dll
SHLWAPI.dll
GdiplusShutdown
gdiplus.dll
MSIMG32.dll
COMCTL32.dll
HttpOpenRequestA
HttpSendRequestA
WININET.dll
imagehlp.dll
GetProcessHeap
GetCPInfo
adjectivalwessexysujv.com
jv.com
/welcome.php
&vendor=TestEXE13s
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
ekernel32.dll
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
n del soporte t
a estar en la caja del DVD de Windows o en el correo electr
Activar Windows en l
Windows no se puede activar en este momento. Prueba a activarlo m
Activar Windows
Consulter les informations de support en ligne
de produit (Product Key) doit se trouver dans la bo
te qui contient le DVD Windows ou dans un courrier
Windows.
Activer Windows en ligne
activer Windows pour l
Activer Windows
Product Key eingeben
Der Product Key seiht wie folgt aus:
Supportinfos online anzeigen
Den Product Key finden Sie normlerweise auf der Verpackung Windows-DVD oder in einer E-Mail, die best
tigt, dass Sie Windows erworben baben.
Neuen Product Key eingeben
Windows online aktivieren
Windows kann momentan nicht aktiviert werden. Versuchen Sie es sp
Infos zu Ihrem Product Key
Windows aktivieren
Enter Key
PRODUCT KEY: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
The product key looks similar to this:
Your product key should be on the box that the Windows DVD came in or in an email that shows you bought Windows.
Enter a new product key
Activate Windows online
Windwos can't activate right now. Try activating Windows later. If that doesn't work, contact your system administrator.
Your product key info
Activate Windows
shell32.dll
Windows
\SLCommDlg.dll.mui
\sppcommdlg.dll.mui
\imageres.dll
\\.\PhysicalDrive0
\xelarter.exe
\rundll32.exe
"%s",DldUpdate
v34dfrg32.exe
-prd "%s"
\selfret.bat
\iddel.txt
\WindowsActivation.exe
/c start "" "%s"
\cmd.exe
Software\Microsoft\Windows\CurrentVersion\Run
TrustPort Inter
k7tsecurity.exe
BullGuard.exe
ALMon.exe
avcom.exe
c:\%original file name%.exe
C:\Windows\system32
[Windows Activation]
You must activate Windows
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3516
- Delete the original Trojan file.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.