MD5: cd8c5ce2011db01ed767504290b26287
SHA1: a8292b7f9ebcc34efef1867fd82170f17af32a76
SHA256: 7bd994fa26dd773a6e7c639906d01443dd843f65f0be46bae1c654a16098daba
SSDeep: 6144:yZXBsWqsE/Ao mv8Qv0LVmwq4FU0nN876sayf62VwbA t:0XmwRo mv8QD4 0N46lyf62yc t
Size: 248440 bytes
File type: EXE
Platform: WIN32
Entropy: Probably Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:556
WScript.exe:1824
WScript.exe:1252

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Napnut\Nezavisimo\dartaniyan.vbs (271 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (104 bytes)
%Program Files%\Napnut\Nezavisimo\6.txt (27 bytes)
%Program Files%\Napnut\Nezavisimo\Uninstall.ini (2 bytes)
%Program Files%\Napnut\Nezavisimo\5.txt (16 bytes)
%Program Files%\Napnut\Nezavisimo\onkilogok.bat (1 bytes)
%Program Files%\Napnut\Nezavisimo\kislogon.vbs (897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
%Program Files%\Napnut\Nezavisimo\Uninstall.exe (4353 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\$inst (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (0 bytes)

The process WScript.exe:1252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

Registry activity

The process %original file name%.exe:556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"wscript.exe" = "Microsoft (R) Windows Based Script Host"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nezavisimo 1.5]
"EstimatedSize" = "100"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nezavisimo 1.5]
"VersionMajor" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nezavisimo 1.5]
"Language" = "1033"
"DisplayIcon" = "%Program Files%\Napnut\Nezavisimo\Uninstall.exe"
"VersionMinor" = "5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nezavisimo 1.5]
"InstallLocation" = "%Program Files%\Napnut\Nezavisimo\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nezavisimo 1.5]
"UninstallString" = "%Program Files%\Napnut\Nezavisimo\Uninstall.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nezavisimo 1.5]
"InstallDate" = "20150607"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Napnut\Nezavisimo]
"onkilogok.bat" = "onkilogok"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nezavisimo 1.5]
"NoRepair" = "1"
"DisplayName" = "Nezavisimo 1.5"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 44 82 C4 5F A4 B9 A9 83 38 B4 7F 9D 54 B6 57"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nezavisimo 1.5]
"DisplayVersion" = "1.5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nezavisimo 1.5]
"NoModify" = "1"
"Publisher" = "Napnut"
"InstallSource" = "c:\"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nezavisimo" = "%Program Files%\Napnut\Nezavisimo\krip.exe"

The process WScript.exe:1824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 75 BD 6E B2 D9 5C EB D7 09 99 93 45 1D DE 78"

The process WScript.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 83 10 5C 74 04 97 8D EB 92 83 5E A2 E9 4A A7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 1178 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Napnut
Product Name:
Product Version:
Legal Copyright: Napnut
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.5
File Description: Nezavisimo 1.5 Installation
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 6
b4963c389287f4c6f458afaa28b334a4
543aead45568ecb83dc504741f14d01b
80f967af249a9209c671d54a5d954b2e
6f5922cd04b5355696a75992bd51fe67
f4a232485e4a65ff6f7daba701e8b39a
fe9ff0b3dde78d617ccbaa02d85ed4c0

URLs

URL	IP
hxxp://chuteiracansadabsb.com.br/feng/tmp/test.php?id=86	189.38.80.193

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /feng/tmp/test.php?id=86 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: chuteiracansadabsb.com.br

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sun, 07 Jun 2015 04:39:10 GMT

Server: Apache

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 20

Keep-Alive: timeout=5, max=500

Connection: Keep-Alive

Content-Type: text/html
......................

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

msvcrt.dll

OLEAUT32.dll

ole32.dll

VERSION.dll

wscript.exe

advapi32.dll

kernel32.dll

%s%s.DLL

wintrust.dll

%d.%d

Invalid parameter passed to C runtime function.

SOFTWARE\Classes\%s\%s

0x%8X

CreateURLMonikerEx

urlmon.dll

@@8X%u

RegCreateKeyA

RegCloseKey

RegOpenKeyA

RegDeleteKeyA

RegCreateKeyExW

RegCreateKeyExA

RegOpenKeyExW

ReportEventW

RegEnumKeyExA

RegOpenKeyExA

GetProcessHeap

GetCPInfo

MsgWaitForMultipleObjects

EnumThreadWindows

wscript.pdb

stdole2.tlbWWW

.ObjectWW

KeyW

WindowsFolderWWW4

%CopyFolderWWL

Windows Script Host (Ver 5.6)W)

Windows Script Host Application InterfaceW%

Windows Script Host Object

ebstrCmdLineW

78t8x8

5Q5F5

Software\Microsoft\Windows Script Host\Settings

Windows Script Host

WScript.CreateObject

WSHRemote.Execute

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

Microsoft (R) Windows Based Script Host

5.7.0.16599

Microsoft (R) Windows Script Host

(Windows Script Host (debugging disabled)

Windows Script Host Error

Windows Script Host Input Error

This Unicode version of Windows Script Host will only execute under Windows NT.

Please use the ANSI version of Windows Script Host."

WScript execution time was exceeded on script "%1!ls!".

Script execution was terminated.1Could not locate automation class named "%1!ls!".

Could not connect object.'Could not create object named "%1!ls!".1Initialization of the Windows Script Host failed.6Can't find script engine "%2!ls!" for script "%1!ls!".!Can't change default script host.=An attempt at saving your settings via the //S option failed.(Loading script "%1!ls!" failed (%2!ls!).

Loading your settings failed.,Execution of the Windows Script Host failed.,Unexpected error of the Windows Script Host._Windows Script Host access is disabled on this machine. Contact your administrator for details.<Attempt to execute Windows Script Host while it is disabled.SAttempt to execute Windows Script Host remotely while remote execution is disabled.

Missing job name.*Unicode is not supported on this platform.

<The Windows Script Host settings have been reset to default.

Command line options are saved.4The default script host is now set to "wscript.exe".4The default script host is now set to "cscript.exe".,Successful execution of Windows Script Host.3Successful remote execution of Windows Script Host.

Win32 Error 0x%X

Windows Script Host(Windows Script Host (debugging disabled)

Usage: WScript scriptname.extension [option...] [arguments...]

Use engine for executing script

Changes the default script host to CScript.exe

Changes the default script host to WScript.exe (default)

Prevent logo display: No banner will be shown at execution time

#WScript Error - Windows Script Host!Input Error - Windows Script HostlThis Unicode version of WScript will only execute under Windows NT.

%6!ls! WScript - Script Execution Error!Windows Script Host Remote Script/Remote script object can only be executed once. Unable to execute remote script.

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:556
   WScript.exe:1824
   WScript.exe:1252

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Program Files%\Napnut\Nezavisimo\dartaniyan.vbs (271 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (104 bytes)
   %Program Files%\Napnut\Nezavisimo\6.txt (27 bytes)
   %Program Files%\Napnut\Nezavisimo\Uninstall.ini (2 bytes)
   %Program Files%\Napnut\Nezavisimo\5.txt (16 bytes)
   %Program Files%\Napnut\Nezavisimo\onkilogok.bat (1 bytes)
   %Program Files%\Napnut\Nezavisimo\kislogon.vbs (897 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
   %Program Files%\Napnut\Nezavisimo\Uninstall.exe (4353 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Nezavisimo" = "%Program Files%\Napnut\Nezavisimo\krip.exe"

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.