MD5: 0ed92f7a9cf66dbc6dbfe972f4092c34
SHA1: 2d3a3fae6b21d1282231f19c81b328155d142a4b
SHA256: 42dcc741ea37321072f5eaab242938cba151b862a066ee32355d389d26b35dce
SSDeep: 1536:eFE1pl6et9zYDkTIbUtfm26OBf8arXy3W47:0EE09YCIbx26OBtM
Size: 57344 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 2015-05-22 17:37:20
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1600

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\drivers\etc\hosts (871 bytes)

Registry activity

The process %original file name%.exe:1600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 B0 66 1E A7 70 7B 0F 47 D8 3E D9 AE 39 82 E8"

[HKLM\System\CurrentControlSet\Services\kmixer\Enum]
"NextInstance" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Check_Associations" = "no"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\kmixer\Enum]
"Count" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 871 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://cli.netbars.net/	103.241.49.78
hxxp://61.142.250.103/load/redirect.php?site_id=1230&site_md5=1def37a4ddb7397b5ba40a59c7f93a36

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /load/redirect.php?site_id=1230&site_md5=1def37a4ddb7397b5ba40a59c7f93a36 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 61.142.250.103

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 03 Aug 2015 21:03:54 GMT

Server: Apache/2.2.3 (CentOS)

X-Powered-By: PHP/5.1.6

P3P: CP=CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate

Pragma: no-cache

Content-Length: 0

Connection: close

Content-Type: text/html; charset=Utf-8

GET / HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cli.netbars.net

Connection: Keep-Alive

HTTP/1.1 302 Object moved

Connection: close

Date: Mon, 03 Aug 2015 21:04:19 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Location: hXXp://61.142.250.103/load/redirect.php?site_id=1230&site_md5=1def37a4ddb7397b5ba40a59c7f93a36

Content-Length: 219

Content-Type: text/html

Set-Cookie: ASPSESSIONIDAAAAASST=IKCJEOHDENBJAPCAMCMLGPAE; path=/

Cache-control: private
<head><title>Object moved</title></head>.<b
ody><h1>Object Moved</h1>This object may be found <a
 HREF="hXXp://61.142.250.103/load/redirect.php?site_id=1230&site_m
d5=1def37a4ddb7397b5ba40a59c7f93a36">here</a>.</body>..
.

The Trojan connects to the servers at the folowing location(s):

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.Fg

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

8888880

8887080

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1600

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %System%\drivers\etc\hosts (871 bytes)

4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.