MD5: 7aeafc1865312ba89cd9cbf9bbc8e4a8
SHA1: 4ad2a21d6768be167aaf8ef882256c5ee36eb94e
SHA256: 4f2eb10f39b2121f74cb95d5a4e5d007e8c6d33af25950449e995ce68a9dc70c
SSDeep: 768:fFN/PZsimbcL/5URniXTFxoLLZxNWqk/OsJcYgKNzVauSv6HxdorbcCXdVzbLIZx:LXaiWcz5UuSL/NXYJ1VpXxCFLZJvA
Size: 86016 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2015-01-09 01:23:21
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

%original file name%.exe:552
%original file name%.exe:956

The Trojan injects its code into the following process(es):

svchost.exe:172
iexplore.exe:352

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:552 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)

The process %original file name%.exe:956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe (601 bytes)

Registry activity

The process %original file name%.exe:552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 47 A5 E6 41 D5 E9 50 46 10 9C E0 DB 36 6F 9A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\XtremeRAT]
"Mutex" = "lDMo2nB7z0tc0"

The process %original file name%.exe:956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 5A C8 20 44 1C 27 9F BA 50 61 1E D3 DC C4 BE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Internet Explorer]
"iexplore.exe" = "Internet Explorer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "%Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: Ny9q1F7LmZ
Product Name: Nq60DyEt2
Product Version: 40.19.10.46
Legal Copyright: j1TSq08Rz
Legal Trademarks: Xb98QqWs05
Original Filename: eb0ger2l.exe
Internal Name: eb0ger2l.exe
File Version: 40.19.10.46
File Description: y1XFj5t3J
Comments: Ja0y7Y2T
Language: Chinese (Simplified, PRC)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.Fg

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

8888880

8887080

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

svchost.exe_172:

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512

svchost.exe_172_rwx_10000000_0004D000:

`.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

KWindows

TServerKeylogger

GetWindowsDirectoryW

RegOpenKeyExW

RegCreateKeyW

RegCloseKey

RegOpenKeyExA

FindExecutableW

ShellExecuteW

SHDeleteKeyW

URLDownloadToCacheFileW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

GetKeyboardType

GetKeyboardState

FtpPutFileW

FtpSetCurrentDirectoryW

.idata

.rdata

P.reloc

P.rsrc

URLDb

KERNEL32.DLL

ntdll.dll

oleaut32.dll

shlwapi.dll

wininet.dll

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

127.0.0.1

Server.exe

{4462WSJ6-SGVX-CJ0R-AK30-AYQD354O4244}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PTF.ftpserver.com

ftpuser

iexplore.exe_352:

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.Fg

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

8888880

8887080

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

iexplore.exe_352_rwx_10000000_0004D000:

`.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

KWindows

TServerKeylogger

GetWindowsDirectoryW

RegOpenKeyExW

RegCreateKeyW

RegCloseKey

RegOpenKeyExA

FindExecutableW

ShellExecuteW

SHDeleteKeyW

URLDownloadToCacheFileW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

GetKeyboardType

GetKeyboardState

FtpPutFileW

FtpSetCurrentDirectoryW

.idata

.rdata

P.reloc

P.rsrc

URLDb

KERNEL32.DLL

ntdll.dll

oleaut32.dll

shlwapi.dll

wininet.dll

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

127.0.0.1

Server.exe

{4462WSJ6-SGVX-CJ0R-AK30-AYQD354O4244}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PTF.ftpserver.com

ftpuser

c:\%original file name%.exe

%Program Files%\Internet Explorer\iexplore.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:552
   %original file name%.exe:956
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe (601 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "18.exe" = "%Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe"

5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.