MD5: fe9ff0b3dde78d617ccbaa02d85ed4c0
SHA1: ec7eb61b5fde0a186ecbe30d9ec2c2dfafcaf085
SHA256: 4ef97f34eb3d1ed941a136c360f91507e35f833a790508d463a22b8b68a18290
SSDeep: 6144:yZXBsWqsE/Ao mv8Qv0LVmwq4FU0nN876sa10TpBMUuH7Y:0XmwRo mv8QD4 0N46lWfz
Size: 248476 bytes
File type: EXE
Platform: WIN32
Entropy: Probably Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan-Downloader. Trojan program, which downloads files from the Internet without user's notice and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:892
WScript.exe:1212
WScript.exe:1944

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:892 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Napnut\Nezavisimo\dartaniyan.vbs (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (106 bytes)
%Program Files%\Napnut\Nezavisimo\6.txt (27 bytes)
%Program Files%\Napnut\Nezavisimo\Uninstall.ini (2 bytes)
%Program Files%\Napnut\Nezavisimo\5.txt (15 bytes)
%Program Files%\Napnut\Nezavisimo\onkilogok.bat (1 bytes)
%Program Files%\Napnut\Nezavisimo\kislogon.vbs (878 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
%Program Files%\Napnut\Nezavisimo\Uninstall.exe (4428 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\$inst (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (0 bytes)

Registry activity

The process %original file name%.exe:892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"wscript.exe" = "Microsoft (R) Windows Based Script Host"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nezavisimo 1.5]
"EstimatedSize" = "100"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nezavisimo 1.5]
"VersionMajor" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nezavisimo 1.5]
"Language" = "1033"
"DisplayIcon" = "%Program Files%\Napnut\Nezavisimo\Uninstall.exe"
"VersionMinor" = "5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nezavisimo 1.5]
"InstallLocation" = "%Program Files%\Napnut\Nezavisimo\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nezavisimo 1.5]
"UninstallString" = "%Program Files%\Napnut\Nezavisimo\Uninstall.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nezavisimo 1.5]
"InstallDate" = "20150525"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Napnut\Nezavisimo]
"onkilogok.bat" = "onkilogok"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nezavisimo 1.5]
"NoRepair" = "1"
"DisplayName" = "Nezavisimo 1.5"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 C1 84 7C 72 4B 26 1F 7A 84 D7 B3 01 B0 66 69"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nezavisimo 1.5]
"DisplayVersion" = "1.5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nezavisimo 1.5]
"NoModify" = "1"
"Publisher" = "Napnut"
"InstallSource" = "c:\"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Nezavisimo" = "%Program Files%\Napnut\Nezavisimo\krip.exe"

The process WScript.exe:1212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF BB D2 27 47 E6 7D 1B 84 88 7B 01 3D 6D 69 1B"

The process WScript.exe:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 13 8A 63 8A 2A 3E 90 B4 51 1A 54 1C 8A F2 DC"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 1191 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Napnut
Product Name:
Product Version:
Legal Copyright: Napnut
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.5
File Description: Nezavisimo 1.5 Installation
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 5
b4963c389287f4c6f458afaa28b334a4
cd8c5ce2011db01ed767504290b26287
80f967af249a9209c671d54a5d954b2e
6f5922cd04b5355696a75992bd51fe67
f4a232485e4a65ff6f7daba701e8b39a

URLs

URL	IP
time.windows.com	107.161.146.116

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

msvcrt.dll

OLEAUT32.dll

ole32.dll

VERSION.dll

wscript.exe

advapi32.dll

kernel32.dll

%s%s.DLL

wintrust.dll

%d.%d

Invalid parameter passed to C runtime function.

SOFTWARE\Classes\%s\%s

0x%8X

CreateURLMonikerEx

urlmon.dll

@@8X%u

RegCreateKeyA

RegCloseKey

RegOpenKeyA

RegDeleteKeyA

RegCreateKeyExW

RegCreateKeyExA

RegOpenKeyExW

ReportEventW

RegEnumKeyExA

RegOpenKeyExA

GetProcessHeap

GetCPInfo

MsgWaitForMultipleObjects

EnumThreadWindows

wscript.pdb

stdole2.tlbWWW

.ObjectWW

KeyW

WindowsFolderWWW4

%CopyFolderWWL

Windows Script Host (Ver 5.6)W)

Windows Script Host Application InterfaceW%

Windows Script Host Object

ebstrCmdLineW

78t8x8

5Q5F5

Software\Microsoft\Windows Script Host\Settings

Windows Script Host

WScript.CreateObject

WSHRemote.Execute

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

Microsoft (R) Windows Based Script Host

5.7.0.16599

Microsoft (R) Windows Script Host

(Windows Script Host (debugging disabled)

Windows Script Host Error

Windows Script Host Input Error

This Unicode version of Windows Script Host will only execute under Windows NT.

Please use the ANSI version of Windows Script Host."

WScript execution time was exceeded on script "%1!ls!".

Script execution was terminated.1Could not locate automation class named "%1!ls!".

Could not connect object.'Could not create object named "%1!ls!".1Initialization of the Windows Script Host failed.6Can't find script engine "%2!ls!" for script "%1!ls!".!Can't change default script host.=An attempt at saving your settings via the //S option failed.(Loading script "%1!ls!" failed (%2!ls!).

Loading your settings failed.,Execution of the Windows Script Host failed.,Unexpected error of the Windows Script Host._Windows Script Host access is disabled on this machine. Contact your administrator for details.<Attempt to execute Windows Script Host while it is disabled.SAttempt to execute Windows Script Host remotely while remote execution is disabled.

Missing job name.*Unicode is not supported on this platform.

<The Windows Script Host settings have been reset to default.

Command line options are saved.4The default script host is now set to "wscript.exe".4The default script host is now set to "cscript.exe".,Successful execution of Windows Script Host.3Successful remote execution of Windows Script Host.

Win32 Error 0x%X

Windows Script Host(Windows Script Host (debugging disabled)

Usage: WScript scriptname.extension [option...] [arguments...]

Use engine for executing script

Changes the default script host to CScript.exe

Changes the default script host to WScript.exe (default)

Prevent logo display: No banner will be shown at execution time

#WScript Error - Windows Script Host!Input Error - Windows Script HostlThis Unicode version of WScript will only execute under Windows NT.

%6!ls! WScript - Script Execution Error!Windows Script Host Remote Script/Remote script object can only be executed once. Unable to execute remote script.

wuauclt.exe_148:

.text

`.data

.rsrc

@.reloc

wuauclt.pdb

GetProcessHeap

KERNEL32.dll

_wcmdln

_amsg_exit

msvcrt.dll

ntdll.dll

ole32.dll

RegCloseKey

RegOpenKeyExW

RegCreateKeyExW

ADVAPI32.dll

USER32.dll

OLEAUT32.dll

SHLWAPI.dll

zcÁ

version="6.0.0.0"

name="Microsoft.Windows.windowsupdate.wuauclt"

<windowsSettings>

<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>

</windowsSettings>

name="Microsoft.Windows.Common-Controls"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel

wuaueng.dll

Error: 0xx. wuauclt handler: failed to spawn COM server

Error: 0xx. wuauclt handler: failed to load wuaueng

/ReportNow

/ShowWindowsUpdate

/CloseWindowsUpdate

wuauclt.exe failed to get proc address for UI export object with error %#lx

Failed to load %s with error %X

wucltui.dll

wucltux.dll

call RunAUClientUI on wucltui.dll/wucltux.dll

Ntdll.dll

WuSqm %ls session datapoint (id:%d) is incremented with dword %d.

wuauclt.exe is exiting with code 0xX

wuauclt.exe launched with command line %s

kernel32.dll

WUWeb

Report

7.6.7600.256

Global\WindowsUpdateTracingMutex

WindowsUpdate.log

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace

Windows

shell32.dll

%s: %s [

%s: %s

%s\%s

= Module: %s

= Module: <failed with %d>

= Process: %s

= Process: <failed with %d>

=========== Logging initialized (build: %s, tz: %s) ===========

wups2.dll

wups.dll

Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup\

%hs %ls page "%ls", hr=%X

Microsoft.WindowsUpdate

wupdmgr.exe

Failed to cocreate IShellWindows, error = 0xlX

Failed to obtain window doc for window %d, error = 0xlX

Failed to obtain folder view for window %d, error = 0xlX

Failed to obtain folder IPersist for window %d, error = 0xlX

Window %d is NOT a WU window

Done enumerating windows

Quit for window %d failed: 0xlX

Window %d is a WU window. Attempting to close

Failed to obtain class ID for window %d, error = 0xlX

Got NULL disp interface for window %d

Got %d instead of VT_DISPATCH for window %d

Failed to obtain IWebBrowserApp for window %d, error = 0xlX

Failed to enumerate window %d, error = 0xlX

Found %d explorer windows

Closing WU explorer windows

Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\VolatileData

WUAppNotificationWindows

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\Mandatory

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\PostRebootReporting

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending\

%chdhd

hd-hd-hd%chd:hd:hd:hd

%WinDir%

Windows Update

7.6.7600.256 (winmain_wtr_wsus3sp2(oobla).120602-1459)

wuauclt.exe

Windows

Operating System

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:892
   WScript.exe:1212
   WScript.exe:1944

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Program Files%\Napnut\Nezavisimo\dartaniyan.vbs (295 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (106 bytes)
   %Program Files%\Napnut\Nezavisimo\6.txt (27 bytes)
   %Program Files%\Napnut\Nezavisimo\Uninstall.ini (2 bytes)
   %Program Files%\Napnut\Nezavisimo\5.txt (15 bytes)
   %Program Files%\Napnut\Nezavisimo\onkilogok.bat (1 bytes)
   %Program Files%\Napnut\Nezavisimo\kislogon.vbs (878 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
   %Program Files%\Napnut\Nezavisimo\Uninstall.exe (4428 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Nezavisimo" = "%Program Files%\Napnut\Nezavisimo\krip.exe"

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.