MD5: 068d19b4f79ba3e55aa5f82514e4d39f
SHA1: 7b0d4ba846897d751cdb3e897ecf0bca9a7c5177
SHA256: 2161af6bdb04a2c3a7892e2f4632fae2fee32334e7f73cf69dfad45722866e34
SSDeep: 49152:Fw80cTsjkWazsAH20UiULN/oDJLLooIf2fKWilBDs4H6:y8sjkDpHVVULNQt4o6IiTs
Size: 2405376 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-06-09 22:45:17
Analyzed on: Windows7 SP1 32-bit

Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

svcr.exe:160
%original file name%.exe:3380
ConnectionClient.exe:3580

The Worm injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process svcr.exe:160 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\RDP6\bkgsc.bmp (14 bytes)

The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\RDP6\bkgsc.bmp (0 bytes)

The process %original file name%.exe:3380 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\RDP6\ConnectionClient.exe (3129 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1DFD.tmp (5873 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1E9A.tmp (7001 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut2052.tmp (100 bytes)
C:\Users\"%CurrentUserName%"\RDP6\bkgscgreen.bmp (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut20C2.tmp (102 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut2091.tmp (100 bytes)
C:\Users\"%CurrentUserName%"\RDP6\TsCredentials.exe (353 bytes)
C:\Users\"%CurrentUserName%"\RDP6\ConnectionClient.bin (3073 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1FF3.tmp (1825 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut20C3.tmp (1372 bytes)
C:\Users\"%CurrentUserName%"\RDP6\bkgsc.bmp (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut20B1.tmp (100 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1DDD.tmp (1473 bytes)
C:\Users\"%CurrentUserName%"\RDP6\svcr.exe (9324 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1DBC.tmp (746 bytes)
C:\Users\"%CurrentUserName%"\RDP6\bkgscpink.bmp (196 bytes)
C:\Users\"%CurrentUserName%"\RDP6\languk.ini (196 bytes)
C:\Users\"%CurrentUserName%"\RDP6\068d19b4f79ba3e55aa5f82514e4d39f.txt (746 bytes)
C:\Users\"%CurrentUserName%"\RDP6\ico2.ico (2049 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1FF2.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\RDP6\bkgscblue.bmp (196 bytes)

The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1DDD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut20C3.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1FF3.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1DFD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut2091.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut2052.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut20C2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1DBC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1E9A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut20B1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1FF2.tmp (0 bytes)

The process ConnectionClient.exe:3580 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\RDP6\svcr.exe (1 bytes)

Registry activity

The process svcr.exe:160 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"AllowSignedFiles" = "1"

[HKCU\Control Panel\Desktop]
"PowerOffActive" = "0"
"LowPowerActive" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fTurnOffSingleAppMode" = "0"

[HKLM\System\CurrentControlSet\Control\Terminal Server]
"HonorLegacySettings" = "1"
"SessionDirectoryActive" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"EnableBalloonTips" = "0"

[HKCU\Digital River]
"DomainName" = "STEEL"
"FirstLogon" = "no"

[HKCU\Control Panel\Desktop]
"PowerOffTimeOut" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fAllowUnlistedRemotePrograms" = "1"

[HKCU\Control Panel\Desktop]
"LowPowerTimeOut" = "0"

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"AllowUnsignedFiles" = "1"

The process %original file name%.exe:3380 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process ConnectionClient.exe:3580 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Russian (Russia)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Worm connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.reloc

GetProcessWindowStation

C:\Users\adrien\Documents\JWTS\workbench-release\c  \UniversalLauncher\Release\UniversalLauncher.pdb

KERNEL32.dll

USER32.dll

ShellExecuteExW

SHELL32.dll

GetCPInfo

C:\Users\"%CurrentUserName%"\RDP6\ConnectionClient.exe

k.nim=

y.zYJ

.byJ5G

f.FD]

s)urleyA

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

KERNEL32.DLL

WUSER32.DLL

svcr.exe

svcr.exe_160:

.text

`.rdata

@.data

.rsrc

@.reloc

j.Yf;

r%f;M

j.Xf;

j.Zf;

PSSSSSSh

Gt.Ht$

.ku`8iu~fiu

kernel32.dll

?#%X.y

GetProcessWindowStation

operator

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is compiled without UTF support

PCRE does not support \L, \l, \N{name}, \U, or \u

support for \P, \p, and \X has not been compiled

this version of PCRE is not compiled with Unicode property support

\N is not supported in a class

RegDeleteKeyExW

advapi32.dll

Error text not found (please report)

WSOCK32.dll

VERSION.dll

WINMM.dll

COMCTL32.dll

MPR.dll

InternetCrackUrlW

HttpQueryInfoW

HttpOpenRequestW

HttpSendRequestW

FtpOpenFileW

FtpGetFileSize

InternetOpenUrlW

WININET.dll

PSAPI.DLL

IPHLPAPI.DLL

USERENV.dll

UxTheme.dll

GetProcessHeap

CreatePipe

GetWindowsDirectoryW

KERNEL32.dll

OpenWindowStationW

SetProcessWindowStation

CloseWindowStation

MapVirtualKeyW

EnumChildWindows

EnumWindows

VkKeyScanW

GetKeyState

GetKeyboardState

SetKeyboardState

GetAsyncKeyState

keybd_event

EnumThreadWindows

ExitWindowsEx

UnregisterHotKey

RegisterHotKey

GetKeyboardLayoutNameW

USER32.dll

SetViewportOrgEx

GDI32.dll

COMDLG32.dll

RegOpenKeyExW

RegCloseKey

RegCreateKeyExW

RegEnumKeyExW

RegDeleteKeyW

ADVAPI32.dll

ShellExecuteW

SHFileOperationW

ShellExecuteExW

SHELL32.dll

ole32.dll

OLEAUT32.dll

GetCPInfo

zcÁ

k.nim=

y.zYJ

.byJ5G

f.FD]

s)urleyA

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>

? ?$?(?,?0?4?8?

2 2$2(2,2024282

<#<'< </<

4F4s4

4D4C4R4e4u4

2!2%2)2-2125292=2

01s1

2=22393@3[3

?&?-?4?:?

8Ÿ94:

8!9*919<9

> >$>(>,>

? ?$?(?,?0?

/AutoIt3ExecuteScript

/AutoIt3ExecuteLine

CMDLINE

CMDLINERAW

FTPSETPROXY

GUICTRLRECVMSG

GUICTRLSENDMSG

GUIGETMSG

GUIREGISTERMSG

HOTKEYSET

HTTPSETPROXY

HTTPSETUSERAGENT

ISKEYWORD

MAPKEYS

MSGBOX

REGENUMKEY

SHELLEXECUTE

SHELLEXECUTEWAIT

TCPACCEPT

TCPCLOSESOCKET

TCPCONNECT

TCPLISTEN

TCPNAMETOIP

TCPRECV

TCPSEND

TCPSHUTDOWN

TCPSTARTUP

TRAYGETMSG

UDPBIND

UDPCLOSESOCKET

UDPOPEN

UDPRECV

UDPSEND

UDPSHUTDOWN

UDPSTARTUP

SendKeyDownDelay

SendKeyDelay

TCPTimeout

mscoree.dll

combase.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

789:;<=>?

APPSKEY

WINDOWSDIR

AUTOITEXE

HOTKEYPRESSED

%s (%d) : ==> %s.:

Line %d:

Line %d (File "%s"):

%s (%d) : ==> %s:

AutoIt script files (*.au3, *.a3x)

*.au3;*.a3x

All files (*.*)

KEYS

Line %d:

\\?\UNC\

04090000

%u.%u.%u.%u

0.0.0.0

Mddddd

"%s" (%d) : ==> %s:

\??\%s

GUI_RUNDEFMSG

AUTOITCALLVARIABLE%d

255.255.255.255

Keyword

AUTOIT.ERROR

Null Object assignment in FOR..IN loop

Incorrect Object type in FOR..IN loop

3, 3, 14, 2

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_USERS

%d/d/d

C:\Users\"%CurrentUserName%"\RDP6\svcr.exe

AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.

Missing operator in expression."Unbalanced brackets in expression.

Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.

0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.

Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.

Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.

3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.

Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.

String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.

8, 6, 14, 2

svcr.exe

Modified by an unpaid evaluation copy of Resource Tuner 2 (VVV.heaventools.com)

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   svcr.exe:160
   %original file name%.exe:3380
   ConnectionClient.exe:3580

2. Delete the original Worm file.
   
3. Delete or disinfect the following files created/modified by the Worm:
   

   C:\Users\"%CurrentUserName%"\RDP6\bkgsc.bmp (14 bytes)
   C:\Users\"%CurrentUserName%"\RDP6\ConnectionClient.exe (3129 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1DFD.tmp (5873 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1E9A.tmp (7001 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut2052.tmp (100 bytes)
   C:\Users\"%CurrentUserName%"\RDP6\bkgscgreen.bmp (196 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut20C2.tmp (102 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut2091.tmp (100 bytes)
   C:\Users\"%CurrentUserName%"\RDP6\TsCredentials.exe (353 bytes)
   C:\Users\"%CurrentUserName%"\RDP6\ConnectionClient.bin (3073 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1FF3.tmp (1825 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut20C3.tmp (1372 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut20B1.tmp (100 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1DDD.tmp (1473 bytes)
   C:\Users\"%CurrentUserName%"\RDP6\svcr.exe (9324 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1DBC.tmp (746 bytes)
   C:\Users\"%CurrentUserName%"\RDP6\bkgscpink.bmp (196 bytes)
   C:\Users\"%CurrentUserName%"\RDP6\languk.ini (196 bytes)
   C:\Users\"%CurrentUserName%"\RDP6\068d19b4f79ba3e55aa5f82514e4d39f.txt (746 bytes)
   C:\Users\"%CurrentUserName%"\RDP6\ico2.ico (2049 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut1FF2.tmp (2 bytes)
   C:\Users\"%CurrentUserName%"\RDP6\bkgscblue.bmp (196 bytes)
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.