Gen.Heur.Minggy.1_afdba4f640

by malwarelabrobot on September 25th, 2016 in Malware Descriptions.

Trojan.Win32.Agent.icgh (Kaspersky), Gen:Heur.Minggy.1 (B) (Emsisoft), Gen:Heur.Minggy.1 (AdAware), Trojan.Win32.Swrort.4.FD, TrojanSwrort.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: afdba4f6401737cc32d05082ec8f409f
SHA1: f473649a4ab28d1c59056150afb9f3cd8136d09c
SHA256: dda28bf17efbbc16e42f7a1daa840d55c0ef963b71826ec6eb071a0e3dd9d66f
SSDeep: 12288:71/aGLDCMNpNAkoSzZWD8ayX2MQCw7D0fLs/egVo/fzsAv0:71/aGLDCM4D8ayGMf1gVo/fgr
Size: 524292 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-02-27 08:41:59
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

pydtc.exe:1524
%original file name%.exe:748

The Trojan injects its code into the following process(es):
No code injection into other processes was detected.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process pydtc.exe:1524 makes changes in the file system.
The Trojan creates and/or writes to the following file(s). Each name is an existing entry in the root of the C: drive (files and directories alike) with a space and ".exe" appended, so every copy masquerades as the file or folder beside it:

C:\AUTOEXEC.BAT .exe (1025280 bytes)
C:\MSDOS.SYS .exe (1025280 bytes)
C:\IO.SYS .exe (1025280 bytes)
C:\boot.ini .exe (1025280 bytes)
%Documents and Settings% .exe (1025280 bytes)
C:\RECYCLER .exe (1025280 bytes)
C:\ntldr .exe (1025280 bytes)
C:\%original file name%.exe .exe (1025280 bytes)
C:\original .exe (1025280 bytes)
C:\totalcmd .exe (1025280 bytes)
C:\NTDETECT.COM .exe (1025280 bytes)
C:\System Volume Information .exe (1025280 bytes)
C:\CONFIG.SYS .exe (1025280 bytes)
C:\marker .exe (1025280 bytes)
%Program Files% .exe (1025280 bytes)
%WinDir% .exe (1025280 bytes)
C:\pagefile.sys .exe (1025280 bytes)

The Trojan deletes the following file(s):

C:\Miray (0 bytes)
C:\Mirat (0 bytes)
C:\Mirau (0 bytes)
C:\Mirav (0 bytes)
C:\Mirap (0 bytes)
C:\Miraq (0 bytes)
C:\Mirar (0 bytes)
C:\Miras (0 bytes)
C:\Miram (0 bytes)
C:\Mirao (0 bytes)
C:\Mirai (0 bytes)
C:\Miraa (0 bytes)
C:\Mirac (0 bytes)

The process %original file name%.exe:748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\pydtc.exe (510719 bytes)
%Documents and Settings%\All Users\Application Data\Saaaalamm\Mira.h (512410 bytes)
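The file activity above is a recognisable pattern: one copy of the dropper per existing root entry, named "<entry> .exe" with a space before the extension, all of the same size. The following script is an added example (not code from the report, the sample, or Lavasoft) that detects that pattern in a directory listing; the listing it runs on is constructed to resemble the report and is not data from a real host, and scan_directory() is a helper for pointing the same checks at a live drive root.

```python
r"""Detect '<existing name> .exe' lookalike drops in a directory listing.

Added example; this is not code from the sandbox report or from the sample.
The report shows the Trojan writing a 1025280-byte copy of itself into the
root of the C: drive named after every existing entry there, with a space
and ".exe" appended ("C:\boot.ini .exe", "C:\WINDOWS .exe", ...). The
listing below is constructed to resemble that state, not taken from a host.
"""
import os
from typing import Iterable, List, Tuple

SUFFIX = " .exe"            # note the space: the distinguishing feature
DROPPED_SIZE = 1025280      # size of every root-level copy in the report

# (name, size in bytes, is_directory) -- constructed to mirror the report
SAMPLE_ROOT: List[Tuple[str, int, bool]] = [
    ("AUTOEXEC.BAT", 0, False),
    ("AUTOEXEC.BAT .exe", DROPPED_SIZE, False),
    ("boot.ini", 211, False),
    ("boot.ini .exe", DROPPED_SIZE, False),
    ("Documents and Settings", 0, True),
    ("Documents and Settings .exe", DROPPED_SIZE, False),
    ("WINDOWS", 0, True),
    ("windows .exe", DROPPED_SIZE, False),       # case differs from its sibling
    ("ntldr", 250048, False),
    ("ntldr .exe", DROPPED_SIZE, False),
    ("marker .exe", DROPPED_SIZE, False),        # sibling already removed
    ("totalcmd", 0, True),
    ("totalcmd.exe", 4096, False),               # no space: not a lookalike
    ("pagefile.sys", 402653184, False),
]


def lookalike_files(entries: Iterable[Tuple[str, int, bool]]) -> List[Tuple[str, int, bool]]:
    """Return (name, size, sibling_present) for every regular file whose name
    ends in ' .exe'. sibling_present is True when the name before the suffix
    also exists in the same listing (case-insensitive, as NTFS compares)."""
    entries = list(entries)
    names = {name.lower() for name, _, _ in entries}
    hits = []
    for name, size, is_dir in entries:
        if is_dir or not name.lower().endswith(SUFFIX):
            continue
        stem = name[: -len(SUFFIX)].lower()
        hits.append((name, size, stem in names))
    return hits


def size_clusters(entries: Iterable[Tuple[str, int, bool]], min_count: int = 3):
    """Sizes shared by at least min_count regular files: a self-copying dropper
    leaves a cluster of identical sizes even when each copy hashes differently."""
    counts = {}
    for _, size, is_dir in entries:
        if not is_dir:
            counts[size] = counts.get(size, 0) + 1
    return {size: n for size, n in counts.items() if n >= min_count}


def scan_directory(path: str) -> List[Tuple[str, int, bool]]:
    r"""Build the same (name, size, is_dir) listing from a live directory so the
    checks above can run on a real drive root, e.g. scan_directory("C:\\")."""
    listing = []
    with os.scandir(path) as it:
        for e in it:
            try:
                listing.append((e.name, 0 if e.is_dir() else e.stat().st_size, e.is_dir()))
            except OSError:            # pagefile.sys and similar may refuse stat()
                listing.append((e.name, -1, False))
    return listing


if __name__ == "__main__":
    for name, size, sibling in lookalike_files(SAMPLE_ROOT):
        tag = "mimics existing entry" if sibling else "orphan"
        print(f"{name!r:32} {size:>9} bytes  {tag}")
    print("size clusters:", size_clusters(SAMPLE_ROOT))
```

The sibling check matters because, after cleanup, the original entry may be gone (the report's "C:\marker .exe" and "C:\original .exe" look like exactly that), so an orphan " .exe" file is still worth reporting; the size cluster is the complementary signal, since the dropped PE table below shows every copy hashing differently.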

Registry activity

The process pydtc.exe:1524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

To run itself each time Windows boots, the Trojan adds the following value, named to look like a Microsoft component, to the current user's autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft® Windows® Operating System" = "%Documents and Settings%\All Users\Application Data\pydtc.exe"

The process %original file name%.exe:748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry (the Cryptography\RNG "Seed" and the MountPoints2 "BaseClass" entries are routine side effects of running a process and enumerating drives on Windows, not indicators specific to this sample):

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 FC 69 62 36 7F EC 1B C6 13 76 C0 2A B4 EB 09"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
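The one registry change that matters for response is the Run value pointing at pydtc.exe under the shared Application Data folder. The script below is an added example (not from the report, the sample, or Lavasoft) that parses a .reg export of the HKCU Run key and flags entries that fit that pattern; the export text is constructed, not taken from a real host, and the heuristics, the "svc.exe" decoy entry and the known-bad file-name set are the author's assumptions.

```python
r"""Triage the Run-key persistence entries exported from the registry.

Added example; this is not code from the sandbox report or from the sample.
The report shows the Trojan persisting through
HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value named
"Microsoft® Windows® Operating System" pointing at
%Documents and Settings%\All Users\Application Data\pydtc.exe. This parses a
.reg export of that key and flags entries that fit the pattern. The export
text below is constructed (it is not from a real host), and the heuristics
and the known-bad file-name set are the author's assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed export, in the shape "reg export HKCU\...\Run run.reg" writes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft® Windows® Operating System"="C:\\Documents and Settings\\All Users\\Application Data\\pydtc.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="C:\\Documents and Settings\\All Users\\Application Data\\Saaaalamm\\svc.exe -silent"
'''

KNOWN_BAD_NAMES = {"pydtc.exe"}          # file name from the report's dropped-file list
SHARED_WRITABLE = ("\\all users\\application data\\", "\\programdata\\")
VENDOR_WORDS = ("microsoft", "windows")  # value names that borrow vendor branding
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")

_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping (backslash-quote and doubled backslashes)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_run_values(reg_text: str, key_suffix: str = r"\CurrentVersion\Run]") -> Dict[str, str]:
    """Return {value name: data} for the first key whose header ends in key_suffix."""
    values: Dict[str, str] = {}
    in_key = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            if in_key:
                break                      # next key starts: only Run was wanted
            in_key = line.rstrip().endswith(key_suffix)
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m:
            values[_unescape(m.group("name"))] = _unescape(m.group("data"))
    return values


def executable_path(data: str) -> str:
    """Strip arguments from a Run value: quoted path, or first token ending in .exe."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.match(r"(.*?\.exe)(\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data


def triage_run_values(values: Dict[str, str]) -> List[Tuple[str, str, List[str]]]:
    """Return (value name, target, reasons) for each entry that trips a heuristic."""
    findings = []
    for name, data in values.items():
        target = executable_path(data)
        low = target.lower()
        reasons = []
        if low.rsplit("\\", 1)[-1] in KNOWN_BAD_NAMES:
            reasons.append("known dropped file name")
        if any(s in low for s in SHARED_WRITABLE):
            reasons.append("runs from a shared, user-writable data directory")
        if any(w in name.lower() for w in VENDOR_WORDS) and not low.startswith(TRUSTED_ROOTS):
            reasons.append("vendor-like value name pointing outside Windows/Program Files")
        if reasons:
            findings.append((name, target, reasons))
    return findings


if __name__ == "__main__":
    for name, target, reasons in triage_run_values(parse_run_values(SAMPLE_REG)):
        print(f"{name!r} -> {target}\n    " + "; ".join(reasons))
```

The value-name heuristic is deliberately paired with the path check: a Microsoft-branded name is only suspicious when its target lives outside the Windows and Program Files trees, which is precisely the combination this sample exhibits. On a live machine the same key can be exported with reg.exe and fed to parse_run_values(), or the HKLM Run key can be checked by changing key_suffix.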

Dropped PE files (every root-level copy listed above is 1025280 bytes, yet each has a different MD5, so a single file hash will not match the other copies; match on the naming pattern and size instead)

MD5 File path
653a4362eb612e771eeb97c6dfc04b6a c:\AUTOEXEC.BAT .exe
c8738d7590ebe236a60a34e0a88ccff7 c:\CONFIG.SYS .exe
7ac8b4735909d1e2c24fec13c9ad0239 c:\Documents and Settings .exe
3835a08a15685057f0c784aa5e556038 c:\Documents and Settings\All Users\Application Data\Saaaalamm\Mira.h
486a97655a4b81a983ef91a1a3d41207 c:\Documents and Settings\All Users\Application Data\pydtc.exe
cb1413c12d7c8032baa0f66e863de872 c:\IO.SYS .exe
c3e2f3d0d5e36a96b5d144ea9538e69c c:\MSDOS.SYS .exe
153647b47b34cdfc7525eaa03a2d028f c:\NTDETECT.COM .exe
50d54bff2eb6a5eccf6ddf2107b189ba c:\Perl .exe
ef265c8d3285e6e2d546481c787149cd c:\Program Files .exe
c5b75593a2e385cc226ac7b35cfd2f5a c:\RECYCLER .exe
4a793c2bc4feb057efadde335df1ec34 c:\System Volume Information .exe
e96260725bbc2c11e016346326669ff8 c:\WINDOWS .exe
458554b3092ae48634b2aa7b5b8fcd3e c:\%original file name%.exe .exe
ef7e270158f04255eb2c84e721e448ec c:\boot.ini .exe
ad28fbd55b1b5ff8f7db34ddf6f23d27 c:\marker .exe
f00f2b17d89c4cd1e3d7f41c8cce9b80 c:\ntldr .exe
d6a5a78a2420b69805818fbb95eb8b03 c:\original .exe
7a9f921decf296cc7ab5d2f8970d4051 c:\pagefile.sys .exe
7d9f73523857a3f4f59cfb7099466938 c:\totalcmd .exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 245368 245760 4.21465 8b164ac8ef3742f37830dc1842275667
.data 249856 608 1024 0.488703 6fda88cf7188a8245a53dfde927250fd
.rdata 253952 9384 9728 3.47165 dbe852009dbd077a9976cb0ecfb9aadf
.bss 266240 18576 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 286720 2212 2560 2.97703 5e5242c565219f3bd33a6568632559dc
.rsrc 290816 26552 26624 4.78706 3c236293ea4ef5b9e95ae7ce204516a9
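The section table needs two caveats. First, .bss has a raw size of 0, so its entropy of 0 and its MD5 (d41d8cd98f00b204e9800998ecf8427e, the MD5 of empty input) carry no information. Second, no section with real data exceeds 4.8 bits per byte, which does not corroborate the "Entropy: Packed" and PEiD UPolyX verdicts above; packed or encrypted sections usually sit near 7 to 8. The script below is an added example (not from the report or Lavasoft) that computes Shannon entropy, reproduces the empty-input hash, and re-reads the report's own table under those rules; the thresholds are the author's rule of thumb, not a standard.

```python
"""Section entropy and the empty-section hash, as a sanity check on the
"Entropy: Packed" / PEiD UPolyX verdict in the report above.

Added example, not from the sandbox report. The section rows are copied from
the report; the entropy thresholds are the author's rule of thumb, not a
standard, and a real triage would recompute entropy from the file itself.
"""
import hashlib
import math
from collections import Counter

# (name, virtual address, virtual size, raw size, entropy, MD5) from the report
REPORT_SECTIONS = [
    (".text",  4096,   245368, 245760, 4.21465,  "8b164ac8ef3742f37830dc1842275667"),
    (".data",  249856, 608,    1024,   0.488703, "6fda88cf7188a8245a53dfde927250fd"),
    (".rdata", 253952, 9384,   9728,   3.47165,  "dbe852009dbd077a9976cb0ecfb9aadf"),
    (".bss",   266240, 18576,  0,      0.0,      "d41d8cd98f00b204e9800998ecf8427e"),
    (".idata", 286720, 2212,   2560,   2.97703,  "5e5242c565219f3bd33a6568632559dc"),
    (".rsrc",  290816, 26552,  26624,  4.78706,  "3c236293ea4ef5b9e95ae7ce204516a9"),
]
EMPTY_MD5 = hashlib.md5(b"").hexdigest()   # what a zero-raw-size section hashes to


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a flat byte histogram."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_section(raw_size: int, entropy: float) -> str:
    """Rule-of-thumb labels (assumed thresholds, not a standard)."""
    if raw_size == 0:
        return "no raw data: entropy and hash are meaningless"
    if entropy >= 7.0:
        return "high: consistent with packed or encrypted content"
    if entropy >= 5.5:
        return "medium: compressed or mixed content"
    return "low: plain code or data"


def review_sections(rows):
    """Return {section name: label}, noting when the MD5 is that of empty input."""
    out = {}
    for name, _va, _vsize, raw, ent, md5 in rows:
        label = classify_section(raw, ent)
        if raw == 0 and md5 == EMPTY_MD5:
            label += " (MD5 is that of the empty input)"
        out[name] = label
    return out


def packed_by_entropy(rows, threshold: float = 7.0) -> bool:
    """True only if some section with real raw data reaches the threshold."""
    return any(raw > 0 and ent >= threshold for _, _, _, raw, ent, _ in rows)


if __name__ == "__main__":
    # Constructed reference buffers to calibrate the scale
    print("zeros   ", shannon_entropy(b"\x00" * 4096))
    print("flat    ", shannon_entropy(bytes(range(256)) * 16))
    print("ascii   ", shannon_entropy(b"The quick brown fox jumps over the lazy dog. " * 90))
    for name, label in review_sections(REPORT_SECTIONS).items():
        print(f"{name:7} {label}")
    print("packed by entropy:", packed_by_entropy(REPORT_SECTIONS))
```

Run against the report's rows, packed_by_entropy() returns False: the PEiD signature match is a name-based heuristic and should be confirmed by unpacking or by inspecting the entry point before it is repeated as fact.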

Dropped from:

f74a51f04a8679694bfde310e88816c8

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

No servers were contacted during analysis.

Strings from dumps

pydtc.exe_1524:

.text
`.data
.rdata
@.bss
.idata
%Documents and Settings%\All Users\Application Data\pydtc.exe
Software\Microsoft\Windows\CurrentVersion\Run
Windows
Operating System
%H:%M:%S
%m/%d/%y
-0123456789
%s:%u: failed assertion `%s'
RegCloseKey
RegOpenKeyA
ADVAPI32.DLL
KERNEL32.dll
msvcrt.dll
SHELL32.DLL


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    pydtc.exe:1524
    %original file name%.exe:748

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\AUTOEXEC.BAT .exe (1025280 bytes)
    C:\MSDOS.SYS .exe (1025280 bytes)
    C:\IO.SYS .exe (1025280 bytes)
    C:\boot.ini .exe (1025280 bytes)
    %Documents and Settings% .exe (1025280 bytes)
    C:\RECYCLER .exe (1025280 bytes)
    C:\ntldr .exe (1025280 bytes)
    C:\%original file name%.exe .exe (1025280 bytes)
    C:\original .exe (1025280 bytes)
    C:\totalcmd .exe (1025280 bytes)
    C:\NTDETECT.COM .exe (1025280 bytes)
    C:\System Volume Information .exe (1025280 bytes)
    C:\CONFIG.SYS .exe (1025280 bytes)
    C:\marker .exe (1025280 bytes)
    %Program Files% .exe (1025280 bytes)
    %WinDir% .exe (1025280 bytes)
    C:\pagefile.sys .exe (1025280 bytes)
    %Documents and Settings%\All Users\Application Data\pydtc.exe (510719 bytes)
    %Documents and Settings%\All Users\Application Data\Saaaalamm\Mira.h (512410 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft® Windows® Operating System" = "%Documents and Settings%\All Users\Application Data\pydtc.exe"

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
