MD5: fa650ce84aa339efdf4e2b56be4150e2
SHA1: 36f6ae5cc55f0f3c0b56281272295c94b99cf1bf
SHA256: 29089a290b51a3fd442fa4d1cd71fc8c29d3cc90da6fc5bfd87b5b2e9b06f55d
SSDeep: 6144:3lOCH282PMplVxicqbrvsy3MeSX8ovaChpRE0t6kCcQ8z6Z39:3IC9xNTqbzN3MtVnhTE
Size: 247296 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2016-07-22 01:38:02
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

%original file name%.exe:472
%original file name%.exe:1564
fa650ce84aa339efdf4e2b56be4150e2Srv.exe:412

The Trojan injects its code into the following process(es):

iexplore.exe:252
iexplore.exe:1296

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\fa650ce84aa339efdf4e2b56be4150e2Srv.exe (56 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)

The process fa650ce84aa339efdf4e2b56be4150e2Srv.exe:412 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft\DesktopLayer.exe (56 bytes)

The Trojan deletes the following file(s):

%Program Files%\Microsoft\px1.tmp (0 bytes)

Registry activity

The process %original file name%.exe:472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 BC 51 19 9D 1A 19 16 1D E1 AB A5 F0 3E BA A6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\XtremeRAT]
"Mutex" = "8c7ePBCyH5m"

The process %original file name%.exe:1564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 87 AB 1B EE DA 47 1D 92 8D 38 D0 4C 6B C0 6B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: aEQYy7TB54DQT
Product Name: a5B7gcO6ZO8FMYY1
Product Version: 11.14.18.73
Legal Copyright: Copyright (c) 2011
Legal Trademarks: a1VgvLpKuUXUR7KGoC
Original Filename: ff.exe
Internal Name: ff.exe
File Version: 11.14.18.73
File Description: a71NRShqdIW
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.Fg

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

8888880

8887080

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

iexplore.exe_252_rwx_10000000_0005C000:

`.rsrc

.rmnet

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

KWindows

TServerKeylogger

GetWindowsDirectoryW

RegOpenKeyExW

RegCreateKeyW

RegCloseKey

RegOpenKeyExA

FindExecutableW

ShellExecuteW

SHDeleteKeyW

URLDownloadToCacheFileW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

GetKeyboardType

GetKeyboardState

FtpPutFileW

FtpSetCurrentDirectoryW

.idata

.rdata

P.reloc

P.rsrc

URLDb

KERNEL32.DLL

ntdll.dll

oleaut32.dll

shlwapi.dll

wininet.dll

Srv.exe

c:\fa650ce84aa339efdf4e2b56be4150e2Srv.exe

.rsrc

O.Cp}l

OO.sJD

AM6d%X

4ml%F

.pkrd

.DBxA

Xvi%2x

8KeysX

<requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges>

SHELL32.DLL

USER32.DLL

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

krarmmss43.ddns.net

ftpuser

Server.exe

{KDOW42G6-W0XO-RV70-0TDG-5YGFTGTQA444}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PTF.ftpserver.com

c:\%original file name%.exe

%Program Files%\Internet Explorer\iexplore.exe

106.42.73.61

2528-6142

nedwp.exe

iexplore.exe_1296:

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.Fg

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

8888880

8887080

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

iexplore.exe_1296_rwx_00050000_00001000:

|%Program Files%\Microsoft\DesktopLayer.exe

iexplore.exe_1296_rwx_20010000_00009000:

.text

.rdata

@.data

.reloc

Srv.exe

kernel32.dll

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:472
   %original file name%.exe:1564
   fa650ce84aa339efdf4e2b56be4150e2Srv.exe:412
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\fa650ce84aa339efdf4e2b56be4150e2Srv.exe (56 bytes)
   %Program Files%\Microsoft\DesktopLayer.exe (56 bytes)

4. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.