MD5: 4b81f6760846a650d5f4fc8e618ade24
SHA1: 43782b0317f61378ff70591288ce681e8b2cad31
SHA256: 2501a25475809358b3a67e9349799a669a19b5ecf5080eec87408d2c670ab0e0
SSDeep: 384:xcIcdOMh7XUFqffXIxwOfK9cSQJvlnjI8:xc9dOMRQUSwOftJvljI8
Size: 16752 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-12-23 22:47:40
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

ewajo.exe:456
%original file name%.exe:1816
papers.exe:1768
paper.exe:164

The Trojan injects its code into the following process(es):

Explorer.EXE:1140

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process ewajo.exe:456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\NTUSER.DAT.LOG (6096 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (5036 bytes)

The process %original file name%.exe:1816 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\papers.exe (16 bytes)

The process papers.exe:1768 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pdf[1].exe (1765 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\paper.exe (1765 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)

The process paper.exe:164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\PKQCA10.bat (173 bytes)
%Documents and Settings%\%current user%\Application Data\Oluli\ewajo.exe (3557 bytes)

Registry activity

The process ewajo.exe:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 78 0D CF 03 33 3D 42 A7 56 0F 9B C2 63 9C 5B"

[HKCU\Software\Microsoft\Noobewelo]
"3012ei14" = "Du6qjAK0IhE2dHkZde qVnXmvqLLHQDnMCM="

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process %original file name%.exe:1816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 1B 91 05 42 6B 4D D4 97 D0 9F 31 28 26 BB 99"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"papers.exe" = "papers"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process papers.exe:1768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 0C 20 68 34 59 9A 57 69 5E 82 32 0C 79 8C F5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name" = "papers.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"paper.exe" = "paper"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process paper.exe:164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 0F D0 57 48 0C 2D 23 01 99 09 5F 0E 53 B8 19"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Trojan installs the following user-mode hooks in Secur32.dll:

DecryptMessage
SealMessage
DeleteSecurityContext

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt	205.237.69.74
backpackinglight.com.au	69.4.235.215
littlepaperlane.com.au	206.190.139.245

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Possible Upatre Downloader SSL certificate (fake org)
ET TROJAN Possible Upatre Downloader SSL certificate

Traffic

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: text/plain

Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT

Accept-Ranges: bytes

ETag: "806f4cbb43dcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 18

Date: Sun, 27 Jul 2014 14:09:14 GMT

Connection: keep-alive

X-CCC: US

X-CID: 2
1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modi
fied: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f
4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Conte
nt-Length: 18..Date: Sun, 27 Jul 2014 14:09:14 GMT..Connection: keep-a
live..X-CCC: US..X-CID: 2..1401CF3DB40B609892..

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.idata

@.reloc

Invalid parameter passed to C runtime function.

0123456789

y.dpw|)aq&

9755
*#

)8*<;1/5='#

W}}quyJ2(!B>,%F:09Z

-0:)-:*<*:

0: )4-* 4

:1';$9/<

|r)-9%7s

=6 <#>(;

0;-1.3%6

http://www.google.com/

http://www.bing.com/

HTTP/1.1

gdiplus.dll

GdiplusShutdown

RegDeleteKeyExW

REPORT

userenv.dll

del "%s"

if exist "%s" goto d

del /F "%s"

t.Ht$HHt

m9.td

L$$

w%fkN

zcÁ

.fV@![

ntdll.dll

KERNEL32.dll

ExitWindowsEx

MsgWaitForMultipleObjects

GetKeyboardState

USER32.dll

CryptGetKeyParam

CryptImportKey

CryptDestroyKey

RegCreateKeyExW

RegCloseKey

RegQueryInfoKeyW

RegDeleteKeyW

RegOpenKeyExW

RegFlushKey

RegEnumKeyExW

ADVAPI32.dll

PathIsURLW

UrlUnescapeA

SHLWAPI.dll

ShellExecuteW

SHELL32.dll

Secur32.dll

ole32.dll

GDI32.dll

WS2_32.dll

PFXImportCertStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertCloseStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

PFXExportCertStoreEx

CRYPT32.dll

HttpSendRequestExA

HttpQueryInfoA

InternetCrackUrlA

HttpOpenRequestA

HttpEndRequestA

HttpAddRequestHeadersA

WININET.dll

OLEAUT32.dll

NETAPI32.dll

IPHLPAPI.DLL

VERSION.dll

msvcrt.dll

0 0$0(0,0004080<0

2 2$2(2,2024282

9,:0:4:8:<:

? ?%?>?`?|?

9!9,9 :@:

='>0>9>?>

3#3'3 3/33373

kernel32.dll

shell32.dll

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s

urlmon.dll

cabinet.dll

\StringFileInfo\xx\%s

Wadvapi32.dll

launchpadshell.exe

dirclt32.exe

wtng.exe

prologue.exe

pcsws.exe

fdmaster.exe

"%s" %s

/c "%s"

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Local Settings\Application Data

Global\{3D6E1BE3-083C-4088-F013-F140DE00D252}

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   ewajo.exe:456
   %original file name%.exe:1816
   papers.exe:1768
   paper.exe:164
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\NTUSER.DAT.LOG (6096 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\papers.exe (16 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pdf[1].exe (1765 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\paper.exe (1765 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\PKQCA10.bat (173 bytes)
   %Documents and Settings%\%current user%\Application Data\Oluli\ewajo.exe (3557 bytes)

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.