Application.Downloader.RO_9a21d34c68
Trojan.Win32.Badur.muei (Kaspersky), Application.Downloader.RO (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 9a21d34c68fd562978c772ea802297e2
SHA1: 01cba97d31cd8aa78d731775aa92ba3b87e851aa
SHA256: f786a20d7af71b8b3c976301ab06fe659c5aa9e7438b7bb21c25121fc5c317e7
SSDeep: 393216:VKmzOpYrL9A/VB1hJwwNjZnccHkw1ovXVo:VVzOpE9Ad5JthctLX2
Size: 14455885 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller
Created at: 2012-06-09 16:19:49
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Application creates the following process(es):
run-setup.exe:3836
%original file name%.exe:3488
The Application injects its code into the following process(es):
SevenZip-setup.exe:3904
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process SevenZip-setup.exe:3904 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB6.tmp\modern-wizard.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB6.tmp\LangDLL.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB5.tmp (3880 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB6.tmp\nsDialogs.dll (9 bytes)
The Application deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB4.tmp (0 bytes)
The process run-setup.exe:3836 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nskB3.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ii_start.txt (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SevenZip-setup.exe (84403 bytes)
The Application deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nskB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB2.tmp (0 bytes)
The process %original file name%.exe:3488 makes changes in the file system.
The Application creates and/or writes to the following file(s):
The Application deletes the following file(s):
Registry activity
The process SevenZip-setup.exe:3904 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 38 6D DA AE 21 BE 5B B6 79 00 0E 50 80 AD 37"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
The process run-setup.exe:3836 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 2F 3F B3 73 D6 F7 90 5B C2 3D 2E 1D 55 27 B1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:3488 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 1D 05 AC ED 4E 0C 00 33 D8 AD 55 5D 0F 5D C2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"run-setup.exe" = "run-setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Application modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Application modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Application modifies IE settings for security zones to map all local web nodes without dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| fd6eee7e81dc931a8021aba3fbc83b13 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SevenZip-setup.exe |
| 9384f4007c492d4fa040924f31c00166 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdB6.tmp\LangDLL.dll |
| c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdB6.tmp\System.dll |
| c10e04dd4ad4277d5adc951bb331c777 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsdB6.tmp\nsDialogs.dll |
| a5f8399a743ab7f9c88c645c35b1ebb5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nskB3.tmp\NSISdl.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 74526 | 74752 | 4.54396 | a8692f5ba740240ef0f9a827376f76f9 |
| .rdata | 81920 | 7445 | 7680 | 3.46159 | d4f36accffde0bf520f52486679ccf0d |
| .data | 90112 | 96036 | 512 | 2.46008 | b6c7edb5b7fec47a37a622cc5d71f3f4 |
| .CRT | 188416 | 32 | 512 | 0.273198 | 439411041ee0b8261668525c5c132cd9 |
| .rsrc | 192512 | 16656 | 16896 | 3.23905 | aa3a7d7ff24a928d00c7a73daacad998 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 392
URLs
| URL | IP |
|---|---|
| hxxp://pe-mainin.com/launch.php?p=sevenzip&pid=102&tid=159282&sid=9 | |
| hxxp://pe-sixi.com/downloadS.php | |
| hxxp://d16oc15frjt76r.cloudfront.net/SevenZip-setup.exe | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Executable served from Amazon S3
Traffic
GET /downloadS.php HTTP/1.0
Host: pe-sixi.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.0.15
Date: Sun, 18 Jan 2015 09:37:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.3
Location: hXXp://d16oc15frjt76r.cloudfront.net/SevenZip-setup.exe
GET /SevenZip-setup.exe HTTP/1.0
Host: d16oc15frjt76r.cloudfront.net
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 1103464
Connection: close
Date: Mon, 12 Jan 2015 03:19:29 GMT
Last-Modified: Tue, 14 May 2013 07:27:52 GMT
ETag: "fd6eee7e81dc931a8021aba3fbc83b13"
Accept-Ranges: bytes
Server: AmazonS3
Age: 20971
X-Cache: Hit from cloudfront
Via: 1.1 37353014402e563aa01f8380e95f001e.cloudfront.net (CloudFront)
X-Amz-Cf-Id: st7E5nlEI2qaYhc-NqekZb0hxTEyelwncq2nT1mUXAbVN5ttbGTqew==
GET /launch.php?p=sevenzip&pid=102&tid=159282&sid=9 HTTP/1.0
Host: pe-mainin.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Sun, 18 Jan 2015 09:37:34 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 65
Connection: close
Content-Type: text/html; charset=UTF-8
files=1
u1=hXXp://pe-sixi.com/downloadS.php
n1=SevenZip-setup.exe
The Application connects to the servers at the following location(s):
.text
`.rdata
@.data
.ndata
.rsrc
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\\SevenZip-setup.exe"
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nskB3.tmp\NSISdl.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nskB3.tmp
.reloc
WS2_32.dll
NSISdl.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
.vN {({,{<{*;nskB3.tmp
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ii_start.txt
1=SevenZip-setup.exe
downloadS.php
evenZip-setup.exe
"D:\run-setup.exe"
run-setup.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsuB2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
D:\run-setup.exe
hXXp://pe-sixi.com/downloadS.php
SevenZip-setup.exe
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
SevenZip-setup.exe_3904:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsdB6.tmp\nsDialogs.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsdB6.tmp\nsDialogs.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsdB6.tmp
LangDLL.dll
.sxdata
@.reloc
@.dataMZ
.reloc
System.dll
callback%d
nsdB6.tmp
37862257
1\"%CurrentUserName%"\LOCALS~1\Temp\nsdB6.tmp
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\\SevenZip-setup.exe"
%Program Files%\SevenZip
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
SevenZip-setup.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nstB4.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SevenZip-setup.exe
1628046372
1114406
1769778
1245460
1048912
637862257
-1794506108
newPage_en.ini
hXXp://VVV.software-files.net/delta/eula
hXXp://CONDRE.INFO/cond_redir.php?go=privacy
hXXp://VVV.conduit.com/legal/contentsharingtos.aspx
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
SevenZip-setup.exe_3904_rwx_011C4000_00001000:
callback%d
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
run-setup.exe:3836
%original file name%.exe:3488
- Delete the original Application file.
- Delete or disinfect the following files created/modified by the Application:
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB6.tmp\modern-wizard.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB6.tmp\LangDLL.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB5.tmp (3880 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB6.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskB3.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ii_start.txt (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SevenZip-setup.exe (84403 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.