Gen.Variant.Graftor.311380_81b46cb33a

by malwarelabrobot on February 12th, 2018 in Malware Descriptions.

Gen:Variant.Adware.Graftor.290827 (BitDefender), not-a-virus:AdWare.Win32.StartPage.i (Kaspersky), Adware.Win32.StartPage (VIPRE), Gen:Variant.Adware.Graftor.290827 (B) (Emsisoft), Artemis!81B46CB33AC6 (McAfee), Trojan.Gen.2 (Symantec), PUA.HomeGuard (Ikarus), Gen:Variant.Adware.Graftor (FSecure), Win32:Adware-gen [Adw] (AVG), Win32:Adware-gen [Adw] (Avast), TROJ_GEN.R023C0OG417 (TrendMicro), Gen:Variant.Graftor.311380 (AdAware), Trojan.NSIS.StartPage.FD, PUPYahooCompanion.YR, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, PUP, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 81b46cb33ac63543cee24c92b7c779de
SHA1: fa8c5330ac245cdd1e87fbf7e6f675c4f9f8b7a2
SHA256: 2be352ecafb6930650fae532f74f65c001152499c8b7e80d12ec81a28302d949
SSDeep: 196608:MvGt/UyV6xHFEOR7o830qAlz9mrO5Qw4vOjOE5TAR/CMw:qGt/rVefOllyC
Size: 8701440 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2017-06-19 11:51:01
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2252

The Trojan injects its code into the following process(es):

supporth18.exe:2164
CCleaner.exe:3924

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process supporth18.exe:2164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CCleaner\branding.dll (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstE4B6.tmp (437681 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstE997.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CCleaner\CCleaner.dat (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CCleaner\CCleaner.exe (275082 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CCleaner\CCleaner.ini (148 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CCleaner\CCleaner64.exe (345278 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstE997.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsoE496.tmp (0 bytes)

The process %original file name%.exe:2252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
C:\Windows\ipsec32.sys (392 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk (2 bytes)
C:\Windows\libegl.dll (791 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk (1 bytes)
C:\Windows\supporth18.exe (490 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk (1 bytes)
C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (1 bytes)
C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)

The process CCleaner.exe:3924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CCleaner\branding.dll (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CCleaner\CCleaner.ini (54 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EXE3GIOXM1Z7YIT79PIK.temp (388 bytes)

Registry activity

The process %original file name%.exe:2252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E\@""%systemroot%\system32\windowspowershell\v1.0]
"powershell.exe"",-111" = "Performs object-based (command-line) functions"

[HKLM\SOFTWARE\Microsoft\Tracing\81b46cb33ac63543cee24c92b7c779de_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\81b46cb33ac63543cee24c92b7c779de_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\81b46cb33ac63543cee24c92b7c779de_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\81b46cb33ac63543cee24c92b7c779de_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E\@""%windir%\System32]
"ie4uinit.exe"",-738" = "Start Internet Explorer without ActiveX controls or browser extensions."

[HKLM\SOFTWARE\Microsoft\Tracing\81b46cb33ac63543cee24c92b7c779de_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\81b46cb33ac63543cee24c92b7c779de_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\81b46cb33ac63543cee24c92b7c779de_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\81b46cb33ac63543cee24c92b7c779de_RASAPI32]
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process CCleaner.exe:3924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

Dropped PE files

MD5 File path
240c62dc52c157e3bc1bfac3d3a9c550 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\CCleaner\CCleaner.exe
f0a4e54872c6c993611c328b3c32290a c:\Users\"%CurrentUserName%"\AppData\Local\Temp\CCleaner\CCleaner64.exe
1300b6b2307f6d14b794f52373c5c3bb c:\Users\"%CurrentUserName%"\AppData\Local\Temp\CCleaner\branding.dll
883eff06ac96966270731e4e22817e11 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstE997.tmp\System.dll
65b2f8a9e6d8975b740d3653d0b074bd c:\Windows\libegl.dll
68d71e2e0ebd43f4e4037d789f8d6fba c:\Windows\supporth18.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver ROOTKITPATH the Trojan attaches its filter-device object to the Volume Device Object (VDO) of the file system driver.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: Gameloader123
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 1552332 1552384 4.51841 2b400014dcc2bec5c874602a7507795c
.rdata 1556480 336492 336896 3.49681 a72a3b041051e31cc41dc3c4bcf40341
.data 1896448 49664 24064 3.28372 64f56663b97e92b33abd0e80a739bc3d
.gfids 1949696 109180 109568 2.93097 d086c67ecd5184f620065db403f1095a
.giats 2060288 16 512 0.107561 7bfd3da0db2ba24f0ab307a26fcaefb1
.tls 2064384 9 512 0.014135 1f354d76203061bfdd5a53dae48d5435
.rsrc 2068480 6550064 6550528 5.39943 ee0e517c01a7a6318c56548bf4ce476f
.reloc 8622080 125600 125952 4.49961 dd69f934dbe46ec77bba14476e54b3f8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://u.hao524.com/gameall/api?a=s&nm=wwwww&q=d35&v=1.0.0&s3=0&m=00-50-56-3B-AE-AC 182.255.63.71


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /gameall/api?a=s&nm=wwwww&q=d35&v=1.0.0&s3=0&m=00-50-56-3B-AE-AC HTTP/1.1
User-Agent: 81b46cb33ac63543cee24c92b7c779de
Host: u.hao524.com


HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 11 Feb 2018 04:44:45 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>


The Trojan connects to the servers at the following location(s):

supporth18.exe_2164:

.text
`.rdata
@.data
.ndata
.rsrc
Vj%SSS
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CCleaner\CCleaner.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstE997.tmp\System.dll
\Users\"%CurrentUserName%"\AppData\Local\Temp\nstE997.tmp
\Users\"%CurrentUserName%"\AppData\Local\Temp\nstE997.tmp\System.dll
callback%d
>.BR~
5.BEYn
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
hXXp://sv.symcb.com/sv.crl0f
hXXps://d.symcb.com/cps0%
hXXps://d.symcb.com/rpa0
hXXp://sv.symcd.com0&
hXXp://sv.symcb.com/sv.crt0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXp://s2.symcb.com0
hXXp://VVV.symauth.com/cps0(
hXXp://VVV.symauth.com/rpa00
hXXp://s1.symcb.com/pca3-g5.crl0
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0
.reloc
System.dll
][#
I!A%x
%f;e7
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstE997.tmp
nstE997.tmp
:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstE997.tmp
"C:\Windows\supporth18.exe"
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CCleaner
C:\Windows
supporth18.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsoE496.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
C:\Windows\supporth18.exe
*.Yf:(
-<=;9*%%
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0b1</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
1, 0, 0, 1
branding.dll
5.31.6105.0
CCleaner.exe

supporth18.exe_2164_rwx_10004000_00001000:

callback%d


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2252

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CCleaner\branding.dll (1856 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstE4B6.tmp (437681 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nstE997.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CCleaner\CCleaner.dat (88 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CCleaner\CCleaner.exe (275082 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CCleaner\CCleaner.ini (148 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CCleaner\CCleaner64.exe (345278 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk (2 bytes)
    C:\Windows\ipsec32.sys (392 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk (2 bytes)
    C:\Windows\libegl.dll (791 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk (1 bytes)
    C:\Windows\supporth18.exe (490 bytes)
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk (1 bytes)
    C:\Users\Public\Desktop\Mozilla Firefox.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk (1 bytes)
    C:\Users\Public\Desktop\Google Chrome.lnk (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EXE3GIOXM1Z7YIT79PIK.temp (388 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
