Win32.Parite.B_eb197ff5c0
Virus.Win32.Parite.b (Kaspersky), Win32.Parite.B (B) (Emsisoft), Win32.Parite.B (AdAware), Trojan.Win32.Bumat.FD, Virus.Win32.Parite.B.FD, VirusParite.YR, DDoSNitol.YR (Lavasoft MAS)
Behaviour: Trojan, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: eb197ff5c0cd945909c0485e9a507998
SHA1: 39c4dc2340ba329af976ed1432a0042f499fa2c9
SHA256: b96cd6d8c1286053c921f85a8305aa8a01adfaf608bf9ba4d8b7e163700a14db
SSDeep: 3072:yP WALVwOrvfCCOuNycHMnjziwbbmunh75F/R2hRvbMpfytc7PzLhFRNZKwRgWwE:NJwYNy4MnS09nh7bGCfyKPzL0wcjjbqd
Size: 198104 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-08-17 03:04:09
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse). The vendor names above additionally classify the file as a Parite file infector and as a Nitol DDoS bot (DDoSNitol.YR); the strings listed under Traffic (administrative-share paths such as \\%s\admin$\g1fd.exe, a four-entry password list, an "at \\%s %d:%d %s" scheduling template, HTTP GET flood templates and UDP socket code) are consistent with the latter.
Payload
No specific payload has been found during the sandbox run. The spreading and flooding capabilities are inferred from the strings only; no network activity was observed (see URLs and Traffic below).
Process activity
The Trojan creates the following process(es):
%original file name%.exe:2712
The Trojan injects its code into the following process(es):
jwtdww.exe:3428
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\jwtdww.exe (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\qna8AB1.tmp (11186 bytes)
The process jwtdww.exe:3428 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\hra33.dll (12 bytes)
C:\Windows\Temp\doa8F24.tmp (11186 bytes)
C:\Windows\Sys (208 bytes)
C:\Boot\lpk.dll (1281 bytes)
C:\RCX9166.tmp (20559 bytes)
Registry activity
The process %original file name%.exe:2712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\services\serfewrewrewrewrewrert.Net CLR]
"Description" = "Microsertertrtytrytrertertoft .NET COM Integration with SOAP"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
| MD5 | File path |
|---|---|
| 9d82bbc08381f71ff432d7733607d228 | c:\Boot\lpk.dll |
| 9d82bbc08381f71ff432d7733607d228 | c:\Perl\bin\lpk.dll |
| 685f1cbd4af30a1d0c25f252d399a666 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\qna8AB1.tmp |
| 9d82bbc08381f71ff432d7733607d228 | c:\Windows\System32\hra33.dll |
| 685f1cbd4af30a1d0c25f252d399a666 | c:\Windows\Temp\doa8F24.tmp |
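The file activity and Dropped PE files sections above show the same DLL (MD5 9d82bbc08381f71ff432d7733607d228) written as lpk.dll into directories that hold executables (c:\Boot, c:\Perl\bin) and as hra33.dll into System32, plus a six-letter jwtdww.exe dropped directly under C:\Windows. Copies of lpk.dll outside the system directories are a DLL search-order hijack: any executable started from that directory loads the dropped copy. The scanner below is an added example (not Lavasoft's tooling) that walks a volume or an extracted disk image and reports those three patterns; the set of legitimate lpk.dll locations and the six-letter-name heuristic are assumptions for a 32-bit Windows 7 install, and the demo tree it builds is constructed with placeholder bytes, not the sample.

```python
import hashlib
import os
import re
import tempfile

# MD5 reported above for the dropped lpk.dll / hra33.dll copies.
REPORTED_MD5S = {"9d82bbc08381f71ff432d7733607d228"}

# Where lpk.dll legitimately lives on a 32-bit Windows 7 volume (paths relative
# to the volume root, lower-cased). Assumption for this example.
LEGIT_LPK_DIRS = {"windows/system32", "windows/syswow64"}
HRA_TEMPLATE = re.compile(r"^hra\d+\.dll$")        # the sample's "hra%u.dll" template
SIX_LETTER_EXE = re.compile(r"^[a-z]{6}\.exe$")    # "%c%c%c%c%c%c.exe" under %SystemRoot%


def md5_of(path, chunk=1 << 16):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _relative_dir(dirpath, root):
    rel = os.path.relpath(dirpath, root)
    return "" if rel == "." else rel.replace(os.sep, "/").lower()


def find_drops(root, reported=REPORTED_MD5S):
    """Walk `root` and return sorted (path, rule, md5, matches_report) tuples for
    lpk.dll outside the system directories, hra<digits>.dll anywhere, and
    six-letter .exe files directly under the Windows directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel = _relative_dir(dirpath, root)
        for name in files:
            lname = name.lower()
            if lname == "lpk.dll":
                if rel in LEGIT_LPK_DIRS or rel.startswith("windows/winsxs/"):
                    continue
                rule = "lpk_hijack"
            elif HRA_TEMPLATE.match(lname):
                rule = "hra_template"
            elif rel == "windows" and SIX_LETTER_EXE.match(lname):
                rule = "sysroot_6letter_exe"
            else:
                continue
            full = os.path.join(dirpath, name)
            digest = md5_of(full)
            hits.append((full, rule, digest, digest in reported))
    return sorted(hits)


def build_demo_tree(base):
    """Constructed layout mirroring the report's dropped-file paths. The file
    contents are placeholders, not the sample's bytes."""
    layout = {
        "Boot/lpk.dll": b"MZ-placeholder-dropped-copy",
        "Perl/bin/lpk.dll": b"MZ-placeholder-dropped-copy",
        "Windows/System32/hra33.dll": b"MZ-placeholder-dropped-copy",
        "Windows/jwtdww.exe": b"MZ-placeholder-dropped-exe",
        "Windows/explorer.exe": b"MZ-placeholder-legitimate-exe",
        "Windows/System32/lpk.dll": b"MZ-placeholder-legitimate-lpk",
        "Windows/winsxs/x86_microsoft-windows-lpk/lpk.dll": b"MZ-placeholder-legitimate-lpk",
    }
    for rel, data in layout.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return base


def run_demo():
    """Scan the constructed tree; returns (relative path, rule, matches_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(tmp)
        return [(os.path.relpath(p, root).replace(os.sep, "/"), rule, known)
                for p, rule, _digest, known in find_drops(root)]


if __name__ == "__main__":
    for rel, rule, known in run_demo():
        print(f"{rel:<40} {rule:<20} {'MATCHES REPORT' if known else 'hash not in report'}")
```

Point it at a mounted volume (`find_drops("/mnt/victim_c")`) to triage a real disk; a hash match against the report's MD5 confirms the exact dropped copy, while an unmatched lpk.dll outside System32 still deserves a look because the file is polymorphic across infections (the Lavasoft Polymorphic Checker field above exists for that reason).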
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 36864 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 40960 | 20480 | 18432 | 5.43325 | 2e838f022ec847a96f26da3be6a9e10f |
| .rsrc | 61440 | 4096 | 1024 | 1.7219 | 68907cebc0d0ab64edb020d647ea9525 |
| .heb | 65536 | 4096 | 1536 | 4.86853 | b6ec624c586ebb11808bff79ed64954c |
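The section table above carries three tells: UPX0 has a virtual size but no raw data (the unpacking target), UPX1 holds the compressed image, and a fourth section named .heb sits after .rsrc, which is where a file infector such as Parite appends its code to a host executable. The following is an added example (not part of the report or of Lavasoft's analysis) that parses a PE section table with nothing but the standard library and applies those heuristics; the heuristics are the editor's, and the constructed demo PE copies only the names, addresses and sizes of the table above with placeholder section contents, not bytes from the sample.

```python
import math
import random
import struct
import sys
from collections import Counter

SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def entropy(data):
    """Shannon entropy in bits per byte; 0.0 for an empty section."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe):
    """Walk the section table of a PE image held in memory as bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "chars": chars, "entropy": entropy(raw),
        })
    return sections


def section_findings(sections):
    """Heuristics for the traits in the report's table: UPX names, a data-less
    unpacking target, compressed (high-entropy) data, RWX sections, and a
    section appended after .rsrc."""
    out = []
    for s in sections:
        if s["name"].upper().startswith("UPX"):
            out.append((s["name"], "upx_name"))
        if s["rawsize"] == 0 and s["vsize"] > 0:
            out.append((s["name"], "virtual_only"))
        if s["entropy"] > 7.0:
            out.append((s["name"], "high_entropy"))
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            out.append((s["name"], "rwx"))
    names = [s["name"] for s in sections]
    if ".rsrc" in names and names[-1] not in (".rsrc", ".reloc"):
        out.append((names[-1], "appended_after_rsrc"))
    return out


def build_demo_pe():
    """Constructed PE32 whose section table copies the names, addresses and
    virtual sizes of the report's table. Contents are placeholders."""
    rng = random.Random(1)
    upx1 = bytes(rng.getrandbits(8) for _ in range(4096))     # looks compressed
    rsrc = b"\0" * 1000 + b"RSRC" * 6                         # mostly zero
    heb = (b"appended section body " * 70)[:1536]             # plain text
    blobs = [b"", upx1, rsrc, heb]
    meta = [(b"UPX0", 36864, 0x1000, 0xE0000080),             # (name, VirtualSize, VirtualAddress, Characteristics)
            (b"UPX1", 20480, 0xA000, 0xE0000040),
            (b".rsrc", 4096, 0xF000, 0xC0000040),
            (b".heb", 4096, 0x10000, 0xE0000020)]
    buf = bytearray(0x400 + sum(len(b) for b in blobs))
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                   # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x44, 0x14C, len(meta), 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", buf, 0x58, 0x10B)                  # optional header Magic (PE32)
    table, rawptr = 0x40 + 24 + 0xE0, 0x400
    for i, ((name, vsize, vaddr, chars), blob) in enumerate(zip(meta, blobs)):
        struct.pack_into(SECTION_FMT, buf, table + 40 * i,
                         name, vsize, vaddr, len(blob), rawptr if blob else 0, 0, 0, 0, 0, chars)
        buf[rawptr:rawptr + len(blob)] = blob
        rawptr += len(blob)
    return bytes(buf)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_pe()
    secs = parse_sections(data)
    for s in secs:
        print(f"{s['name']:<8} va={s['vaddr']:#07x} vsize={s['vsize']:<6} raw={s['rawsize']:<6} "
              f"entropy={s['entropy']:.2f} chars={s['chars']:#010x}")
    for name, code in section_findings(secs):
        print(f"  {name}: {code}")
```

Run it against a real file with `python pe_sections.py sample.exe`. For an infected host program the appended section is the one to dump and compare across samples; for the packed dropper, unpack first (UPX0 is empty on disk) before looking for the strings listed under Traffic.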
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
No server connections were observed. The listing that follows is the strings extracted from the sample and from the memory regions dumped from jwtdww.exe (each dump is labelled with process name, PID, page protection and address range). The IPv4 literal 23.235.184.68 occurs in the strings but was not contacted during the run.
`.rsrc
WS2_32.dll
sUnl=oOpenKey
admin$\g1fd.exe#
" %d:
Wd
.ms-"n
d{{C%sKERNEL32.dll
ADVAPI32.dll
RegOpenKeyA
RegCloseKey
23.235.184.68
serfewrewrewrewrewrert.Net CLR
Micrrtretrtyrtytrertosoft .Net Framework COM Support
Microsertertrtytrytrertertoft .NET COM Integration with SOAP
mpr.dll
\\%s\ipc$
\\%s\admin$\g1fd.exe
\\%s\C$\NewArean.exe
C:\g1fd.exe
\\%s\D$\g1fd.exe
D:\g1fd.exe
\\%s\E$\g1fd.exe
E:\g1fd.exe
\\%s\F$\g1fd.exe
F:\g1fd.exe
at \\%s %d:%d %s
password
12345678
5201314
1314520
%d.%d.%d.%d
hra%u.dll
kernel32.dll
%c%c%c%cÌn.exe
ddd
%c%c%c%c%c%c.exe
%s %s %s%d
%d*%u%s
%u MB
0.0.0.0
%u Gbps
%u Mbps
GET %s HTTP/1.1
Host: %s
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
Referer: hXXp://%s:80/hXXp://%s
%s %s%s
Host: %s:%d
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm
SSShU-@
SSSheH@
.text
`.rdata
@.data
.rsrc
@.reloc
SHELL32.dll
SHLWAPI.dll
lpk.attack
lpk.dll
GetWindowsDirectoryA
WinExec
RegOpenKeyExA
_acmdln
ShellExecuteA
ShellExecuteExA
SHDeleteKeyA
.data
0 0*0/090
KERNEL32.DLL
iphlpapi.dll
MSVCRT.dll
USER32.dll
Kernel32.dll
Software\Microsoft\Windows\CurrentVersion\Explorer
jwtdww.exe_3428_rwx_00401000_0000D000:
WS2_32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyA
RegCloseKey
23.235.184.68
serfewrewrewrewrewrert.Net CLR
Micrrtretrtyrtytrertosoft .Net Framework COM Support
Microsertertrtytrytrertertoft .NET COM Integration with SOAP
mpr.dll
\\%s\ipc$
\\%s\admin$\g1fd.exe
\\%s\C$\NewArean.exe
C:\g1fd.exe
\\%s\D$\g1fd.exe
D:\g1fd.exe
\\%s\E$\g1fd.exe
E:\g1fd.exe
\\%s\F$\g1fd.exe
F:\g1fd.exe
at \\%s %d:%d %s
password
12345678
5201314
1314520
%d.%d.%d.%d
hra%u.dll
kernel32.dll
%c%c%c%cÌn.exe
ddd
%c%c%c%c%c%c.exe
%s %s %s%d
%d*%u%s
%u MB
0.0.0.0
%u Gbps
%u Mbps
GET %s HTTP/1.1
Host: %s
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
Referer: hXXp://%s:80/hXXp://%s
%s %s%s
Host: %s:%d
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm
SSShU-@
SSSheH@
.text
`.rdata
@.data
.rsrc
@.reloc
SHELL32.dll
SHLWAPI.dll
lpk.attack
lpk.dll
GetWindowsDirectoryA
WinExec
RegOpenKeyExA
_acmdln
ShellExecuteA
ShellExecuteExA
SHDeleteKeyA
.data
jwtdww.exe_3428_rwx_00410000_00001000:
Kernel32.dll
ADVAPI32.dll
RegOpenKeyExA
RegCloseKey
Software\Microsoft\Windows\CurrentVersion\Explorer
jwtdww.exe_3428_rwx_00531000_00071000:
UDPSockError
NMUDP
Errmsg
Port
TNMUDP
RemotePort
LocalPort
ReportLevelLkS
0.0.0.0
%d.%d.%d.%d
AutoHotkeys
:].tJ
EInvalidGraphicOperation,0T
EInvalidGraphicOperation
KeyPreview,
WindowState
OnKeyDown
OnKeyPressdzU
OnKeyUp
ssHotTrack
TWindowState
poProportional
TWMKey
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
TDragOperation
TKeyEvent
TKeyPressEvent
crSQLWait
%s (%s)
IMM32.DLL
EInvalidOperation
%s[%d]
%s_%d
USER32.DLL
comctl32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
kernel32.dll
Portions Copyright (c) 1983,99 Borland
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Explorer
*.TMP
Kernel32.dll
ADVAPI32.dll
RegOpenKeyExA
RegCloseKey
readbook.exe
rundll32.exe
*.exe
*.scr
UdpT
UdpOnDataReceived
xxtype.cpp
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
d/d/d d:d:d.d
An exception (X) occurred during DllEntryPoint or DllMain in module:
xx.cpp
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
hu2.iu
ReportLevel
GetCPInfo
GetProcessHeap
GetWindowsDirectoryA
RegCreateKeyExA
RegFlushKey
SetViewportOrgEx
ActivateKeyboardLayout
EnumThreadWindows
EnumWindows
GetKeyNameTextA
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardState
GetKeyboardType
LoadKeyboardLayoutA
MapVirtualKeyA
MsgWaitForMultipleObjects
SetWindowsHookExA
UnhookWindowsHookEx
VprK|%Ud
€00404
8 @ @ @ @ @
.text
`.data
.idata
@.edata
@.rsrc
@.reloc
70"!(&&$
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Win32 Error. Code: %d.
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
Invalid data type for '%s'
Failed to set data for '%s'
Failed to get data for '%s'/Menu '%s' is already being used by another form*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
- Dock zone has no control%List does not allow duplicates ($0%x)!'%s' is not a valid integer value
Alt Clipboard does not support Icons
!Control '%s' has no parent window
Error reading %s%s%s: %s
Ancestor for '%s' not found
Unsupported clipboard format
Class %s not found
Resource %s not found
List index out of bounds (%d) List capacity out of bounds (%d)
List count out of bounds (%d) Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists
Cannot assign a %s to a %s
Cannot create file %s
Cannot open file %s
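The strings above give the host-side tells a detection engineer can build on: executables written to \\%s\admin$ and \\%s\C$ (g1fd.exe, NewArean.exe), remote job scheduling via "at \\%s %d:%d %s", a four-entry password list tried against ipc$, and a service whose description mimics Microsoft with a garbled vendor name (Microsertertrtytrytrertertoft, Micrrtretrtyrtytrertosoft). The detector below is an added example, not Lavasoft's or any vendor's rule set; it runs over constructed, normalised events whose field names are an assumption standing in for Sysmon/Security data in your SIEM, and the brute-force threshold of four is taken from the length of the password list in the strings.

```python
import re
from collections import defaultdict

# Patterns derived from the strings listed above.
ADMIN_SHARE_EXE = re.compile(r"^\\\\[^\\]+\\(admin|[a-z])\$\\[^\\]+\.exe$", re.I)  # \\%s\admin$\g1fd.exe, \\%s\C$\NewArean.exe
REMOTE_AT = re.compile(r"^at\s+\\\\\S+\s+\d{1,2}:\d{2}\s+\S+", re.I)             # at \\%s %d:%d %s
VENDOR_LOOKALIKE = re.compile(r"\bMicr\w*oft\b")                                   # Microsertert...oft, Micrrtretrt...osoft
BRUTEFORCE_THRESHOLD = 4   # assumption: one failure per entry of the sample's 4-word password list

# Constructed events (not from the report). "type" and the other field names
# are an assumption, not a vendor schema.
EVENTS = [
    {"id": 1, "host": "ws01", "type": "process", "cmdline": r"at \\10.0.0.5 12:30 g1fd.exe"},
    {"id": 2, "host": "ws01", "type": "file", "path": r"\\10.0.0.5\admin$\g1fd.exe"},
    {"id": 3, "host": "ws01", "type": "file", "path": r"\\10.0.0.6\C$\NewArean.exe"},
    {"id": 4, "host": "ws01", "type": "file", "path": r"C:\Users\alice\Downloads\setup.exe"},
    {"id": 5, "host": "ws01", "type": "service", "name": "serfewrewrewrewrewrert.Net CLR",
     "description": "Microsertertrtytrytrertertoft .NET COM Integration with SOAP"},
    {"id": 6, "host": "ws01", "type": "service", "name": "wuauserv",
     "description": "Microsoft Windows Update"},
    {"id": 7, "host": "srv01", "type": "logon_failure", "src_ip": "10.0.0.7", "user": "Administrator", "logon_type": 3},
    {"id": 8, "host": "srv01", "type": "logon_failure", "src_ip": "10.0.0.7", "user": "Administrator", "logon_type": 3},
    {"id": 9, "host": "srv01", "type": "logon_failure", "src_ip": "10.0.0.7", "user": "Administrator", "logon_type": 3},
    {"id": 10, "host": "srv01", "type": "logon_failure", "src_ip": "10.0.0.7", "user": "Administrator", "logon_type": 3},
    {"id": 11, "host": "srv01", "type": "logon_failure", "src_ip": "10.0.0.9", "user": "alice", "logon_type": 2},
]


def lookalike_vendor(text):
    """Tokens that start with 'Micr' and end with 'oft' but are not 'Microsoft'."""
    return [t for t in VENDOR_LOOKALIKE.findall(text) if t != "Microsoft"]


def detect(events):
    """Return (rule, key) alerts. Per-event rules key on the event id; the
    brute-force rule aggregates network logon failures per source IP."""
    alerts = []
    failures = defaultdict(int)
    for ev in events:
        kind = ev["type"]
        if kind == "file" and ADMIN_SHARE_EXE.match(ev["path"]):
            alerts.append(("admin_share_exe", ev["id"]))
        elif kind == "process" and REMOTE_AT.match(ev["cmdline"]):
            alerts.append(("remote_at", ev["id"]))
        elif kind == "service" and lookalike_vendor(ev["name"] + " " + ev["description"]):
            alerts.append(("lookalike_vendor", ev["id"]))
        elif kind == "logon_failure" and ev.get("logon_type") == 3:   # network logon (SMB/ipc$)
            failures[ev["src_ip"]] += 1
    for src, count in sorted(failures.items()):
        if count >= BRUTEFORCE_THRESHOLD:
            alerts.append(("smb_logon_bruteforce", src))
    return alerts


if __name__ == "__main__":
    for rule, key in detect(EVENTS):
        print(f"{rule:<22} {key}")
```

The look-alike check is deliberately loose (any Micr...oft token that is not exactly "Microsoft") because this family garbles the vendor name differently in the service name, the display name and the description; pair it with the service key path from the Registry activity section when hunting on a live host.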
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2712
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\jwtdww.exe (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\qna8AB1.tmp (11186 bytes)
C:\Windows\System32\hra33.dll (12 bytes)
C:\Windows\Temp\doa8F24.tmp (11186 bytes)
C:\Boot\lpk.dll (1281 bytes)
C:\RCX9166.tmp (20559 bytes)
- Also remove c:\Perl\bin\lpk.dll (listed under Dropped PE files) and any other lpk.dll found outside the system directories; the dropped copies are loaded by executables in the same directory and will reinfect the host if left behind.
- Delete the persistence service key [HKLM\System\CurrentControlSet\services\serfewrewrewrewrewrert.Net CLR].
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.