MD5: 634fc44ab24c2dd3b7e4579d1ab1880a
SHA1: adf4c3f0b25c10a98c6bd63c54626d5ac384ed19
SHA256: cb440f86b44aaaebd6c003b218f4337774ab328234c8536c4ea215288ebaf4ec
SSDeep: 6144:DG4rkRyaO4bpGPzXDjnb/Iz 8jVNc/ITcjry91Wo EcwlO6qnFif3/sZZbvKaLLC:DaRbpGPzXDjnbJZZDLL9RW
Size: 209408 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2014-11-07 04:58:49
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3696

The Trojan injects its code into the following process(es):

%original file name%.exe:2792
svchost.exe:4084

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2792 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\InstallDir\Server.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\--((Mutex))--.dat (322 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)

Registry activity

The process %original file name%.exe:2792 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{BHV142V7-228T-735G-48W8-5PC6B20BG45B}]
"StubPath" = "%WinDir%\InstallDir\Server.exe restart"

[HKCU\Software\XtremeRAT]
"Mutex" = "--((Mutex))--"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1415329129"

[HKCU\Software\--((Mutex))--]
"ServerStarted" = "28/11/2014 04:58:28"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 5D 5D FF 04 A3 62 FD 88 88 C3 02 BB BB 3C 18"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\--((Mutex))--]
"ServerName" = "%WinDir%\InstallDir\Server.exe"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%WinDir%\InstallDir\Server.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%WinDir%\InstallDir\Server.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:3696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 37 DC 5E 1D 42 90 5C A4 2A 94 0C 55 CB AA F4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: j9X4Wz
Product Name: f9J6Amo8
Product Version: 6.36.2.14
Legal Copyright: Tk01Cpw
Legal Trademarks: y1XFj5t3J
Original Filename: 0.exe
Internal Name: 0.exe
File Version: 6.36.2.14
File Description: j7T6Hsr3
Comments: r6F3Bpm5
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.idata

.rdata

P.reloc

P.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

GetKeyboardType

RegOpenKeyExA

RegCloseKey

oleaut32.dll

RegOpenKeyExW

RegCreateKeyW

GetWindowsDirectoryW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

shlwapi.dll

SHDeleteKeyW

FindExecutableW

URLDownloadToCacheFileW

wininet.dll

FtpPutFileW

FtpSetCurrentDirectoryW

GetKeyboardState

ntdll.dll

ShellExecuteW

KWindows

TServerKeylogger

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

ahmed-080.no-ip.biz

Server.exe

MMDEVAPI.DLL

{BHV142V7-228T-735G-48W8-5PC6B20BG45B}

2.7.1\Sett

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

2.7.1\SettHKCU

2.7.1

PortMap

PTF.ftpserver.com

ftpuser

ftppass

c:\%original file name%.exe

%original file name%.exe_2792_rwx_10000000_00048000:

.idata

.rdata

P.reloc

P.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

GetKeyboardType

RegOpenKeyExA

RegCloseKey

oleaut32.dll

RegOpenKeyExW

RegCreateKeyW

GetWindowsDirectoryW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

shlwapi.dll

SHDeleteKeyW

FindExecutableW

URLDownloadToCacheFileW

wininet.dll

FtpPutFileW

FtpSetCurrentDirectoryW

GetKeyboardState

ntdll.dll

ShellExecuteW

KWindows

TServerKeylogger

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

ahmed-080.no-ip.biz

Server.exe

MMDEVAPI.DLL

{BHV142V7-228T-735G-48W8-5PC6B20BG45B}

2.7.1\Sett

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

2.7.1\SettHKCU

2.7.1

PortMap

PTF.ftpserver.com

ftpuser

ftppass

c:\%original file name%.exe

svchost.exe_4084:

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512

svchost.exe_4084_rwx_10000000_00048000:

.idata

.rdata

P.reloc

P.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

GetKeyboardType

RegOpenKeyExA

RegCloseKey

oleaut32.dll

RegOpenKeyExW

RegCreateKeyW

GetWindowsDirectoryW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

shlwapi.dll

SHDeleteKeyW

FindExecutableW

URLDownloadToCacheFileW

wininet.dll

FtpPutFileW

FtpSetCurrentDirectoryW

GetKeyboardState

ntdll.dll

ShellExecuteW

KWindows

TServerKeylogger

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

ahmed-080.no-ip.biz

Server.exe

MMDEVAPI.DLL

{BHV142V7-228T-735G-48W8-5PC6B20BG45B}

2.7.1\Sett

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

2.7.1\SettHKCU

2.7.1

PortMap

PTF.ftpserver.com

ftpuser

ftppass

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:3696
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %WinDir%\InstallDir\Server.exe (1281 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\--((Mutex))--.dat (322 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "HKCU" = "%WinDir%\InstallDir\Server.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "HKLM" = "%WinDir%\InstallDir\Server.exe"

5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.