Gen.Variant.Gamarue.1_5346d821fc
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Gamarue.1 (B) (Emsisoft), Gen:Variant.Gamarue.1 (AdAware), Trojan-Downloader.Win32.Andromeda.FD, TrojanDownloaderAndromeda.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 5346d821fc6ae49b12b13014dbb6721b
SHA1: 94606e9f829a84c236d91c9981745ff4853ed63f
SHA256: bf22ad9320a8573189df046a04a61bc4f2190e30a826ad6bc789a2f22d35565f
SSDeep: 3072:golhK8sqT6MM6MMMMMMMMM2kxYJ ipeq1u4oTsZlgghZ SlnopAqcKzkAwLNe54s:gondu4ogr7 KopAqc68Hvsl
Size: 160256 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2013-01-09 15:05:27
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
~msiexec.exe:920
%original file name%.exe:388
%original file name%.exe:1256
The Trojan injects its code into the following process(es):
~msiexec.exe:1540
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process ~msiexec.exe:1540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\svchost.exe (37 bytes)
The process %original file name%.exe:1256 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\$MSI\~msiexec.exe (37 bytes)
Registry activity
The process ~msiexec.exe:920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 49 13 40 63 6D 8B 63 89 3D A8 10 71 F9 B6 0D"
The process ~msiexec.exe:1540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 7E 82 6E 5A 76 30 62 40 F1 9A 6D D7 D3 3A 84"
To run itself automatically each time Windows boots, the Trojan adds a reference to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched" = "%Documents and Settings%\All Users\svchost.exe"
The process %original file name%.exe:388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 74 9C FD 4B FF E7 5E 54 F4 FF 7B FC 6C 48 71"
The process %original file name%.exe:1256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 E3 55 2C C0 96 44 02 BC 99 0A 05 0A 9E 6F A8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft]
"0022FF03" = "50 4B 03 04 00 A6 01 00 50 A4 00 00 85 D4 21 99"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\$MSI]
"~msiexec.exe" = "CRC CheckSum Fixer"
[HKCU\Software]
"e_magic" = "3C 2B E1 71 72 71 71 71 75 71 71 71 8E 8E 71 71"
The Trojan modifies IE security-zone settings so that all hosts that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE security-zone settings so that all local hosts without dots that are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| 059eef29b2311d2e933d3b68b6f57b9b | c:\Documents and Settings\All Users\svchost.exe |
| 059eef29b2311d2e933d3b68b6f57b9b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\$MSI\~msiexec.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Divine
Product Name: Divine CRC CheckSum Fixer
Product Version: 1, 0, 1, 1
Legal Copyright: Copyright Divine(c) 2012
Legal Trademarks: Divine(c)
Original Filename: CheckSum Fixer.exe
Internal Name: CheckSum Fixer
File Version: 1, 0, 0, 1
File Description: CRC CheckSum Fixer
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 10792 | 11264 | 3.9388 | 51f6ada4502705b312cd1609d63b6338 |
| .rdata | 16384 | 500 | 512 | 3.01276 | eab83db1c5019007973bb19b7eb2d050 |
| .data | 20480 | 2677 | 512 | 0.339243 | c5235e929468030e2ffb3160cb3092a3 |
| .rsrc | 24576 | 146880 | 146944 | 5.39774 | b8232333c4695ef72759f9c68ceec5e5 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
b581542057cdbdfc422ee0b0e2b1be6b
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
.text
hdll.hsbie
h.dllhpi32hadva
.PFoE/3
,1.Vd^
UPec.Sk"
_[.HRa
t.erx
kernel32.dll
~msiexec.exe_1540_rwx_00330000_00002000:
%ALLUSERSPROFILE%\svchost.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
cmd.exe
ntdll.dll
GetProcessHeap
kernel32.dll
ws2_32.dll
RegCloseKey
RegOpenKeyExA
advapi32.dll
~msiexec.exe_1540_rwx_00400000_00005000:
.text
hdll.hsbie
h.dllhpi32hadva
.PFoE/3
,1.Vd^
UPec.Sk"
_[.HRa
t.erx
kernel32.dll
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
~msiexec.exe:920
%original file name%.exe:388
%original file name%.exe:1256
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\All Users\svchost.exe (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$MSI\~msiexec.exe (37 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched" = "%Documents and Settings%\All Users\svchost.exe"
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.