MD5: 415209454ea49e61153b5da020e33b75
SHA1: 58551486b8b6c043a4d77eef71beaabe6195339c
SHA256: b9f268ffc022c93013906e035dc4584921419dd1de2019ca83815ffe6ae529ca
SSDeep: 768:FLUgdbPQ3Fe6vANDy/qzmF6cjQIkp32Qwk7X:FLDP gwCTmkcjNkNz
Size: 27136 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-12-29 09:37:00
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

regedit.exe:952
%original file name%.exe:2576

The Trojan injects its code into the following process(es):

svchost.exe:2436

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2576 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\[email protected] (48 bytes)
C:\%original file name%.exe.tmp1 (1257 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-796845957-1563985344-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_f3a4e041-90c9-46df-a35a-850a694fae5b (44 bytes)

Registry activity

The process regedit.exe:952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 75 DE 5A 2A 22 E8 B7 4E 23 7A 7B 90 34 88 3F"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HTTPFilter" = "%Documents and Settings%\%current user%\Local Settings\HTTPFilter.exe"

The process %original file name%.exe:2576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D B4 75 75 EF 34 01 E0 CB 92 4F DC 74 FF 5D 48"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Adobe Systems, Inc.
Product Name: Flash? Player Installer/Uninstaller
Product Version: 10,1,53,64
Legal Copyright: Copyright ? 1996-2010 Adobe, Inc.
Legal Trademarks: Adobe? Flash? Player
Original Filename: FlashUtil.exe
Internal Name: Adobe? Flash? Player Installer/Uninstaller 10.1
File Version: 10,1,53,64
File Description: Adobe? Flash? Player Installer/Uninstaller 10.1 r53
Comments:
Language: English

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 13
1a72eeb88199e6a6f4db48d51d30c1c9
8b3ae7ae845360264b74811cd6f2273b
a68582cb34430155e7ac9c9260f90e56
1f25209ab908996a470f26261bb94b33
3492fed5d387eac358c966e612c6deca
814dff71507d822b86f3d42524932cc8
27823e93530f65cc767ddbc2c78f6f15
4b309fdf7ea245b0170583df6f41fce8
0c8ac4129832fd91e63b32466b7a1534
5f20423d6b1b5d3ab5b3624957d5e320
a8d8947bfd03fc505062545a70467083
03aca28424bf46cde6dc2894c1b1be07
7888325139066acfa74022fc606f3c91

URLs

URL	IP
hxxp://www.gov.toh.info/aqdje.php?id=011972111D304CEG3G	211.234.117.178

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /aqdje.php?id=011972111D304CEG3G HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Host: VVV.gov.toh.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Date: Thu, 11 Dec 2014 00:04:48 GMT

Server: Apache/2.2.15 (CentOS)

Content-Length: 289

Connection: close

Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>404 Not Found</title>.</head><
body>.<h1>Not Found</h1>.<p>The requested URL /aq
dje.php was not found on this server.</p>.<hr>.<address
>Apache/2.2.15 (CentOS) Server at VVV.gov.toh.info Port 80</addr
ess>.</body></html>...

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

SSh@C@

MFC42.DLL

MSVCRT.dll

_acmdln

WinExec

KERNEL32.dll

USER32.dll

ADVAPI32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpSendRequestA

HttpOpenRequestA

WININET.dll

WS2_32.dll

iphlpapi.dll

SHLWAPI.dll

VVV.gov.toh.info

200.115.173.102

regedit.exe /s

~dfds3.reg

Windows Registry Editor Version 5.00

"%s"="%s"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

WinHttp

%s.tmp1

[email protected]

hXXp://%s:%d/%s.php?id=d%s&ext=%s

/%s.php?id=d%s&ext=%s

hXXp://%s:%d/%s.php?id=d%s

%c%c%c%c%c

/%s.php?id=d%s

%%temp%%\%u

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

X-X-X-X-X-X

01-01-01-01-01-01

%c%c%c%c%c%c.exe

svchost.exe_2436_rwx_00400000_00005000:

.text

`.rdata

@.data

SSh@C@

MFC42.DLL

MSVCRT.dll

_acmdln

WinExec

KERNEL32.dll

USER32.dll

ADVAPI32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpSendRequestA

HttpOpenRequestA

WININET.dll

WS2_32.dll

iphlpapi.dll

SHLWAPI.dll

VVV.gov.toh.info

200.115.173.102

regedit.exe /s

~dfds3.reg

Windows Registry Editor Version 5.00

"%s"="%s"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

WinHttp

%s.tmp1

[email protected]

hXXp://%s:%d/%s.php?id=d%s&ext=%s

/%s.php?id=d%s&ext=%s

hXXp://%s:%d/%s.php?id=d%s

%c%c%c%c%c

/%s.php?id=d%s

%%temp%%\%u

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

X-X-X-X-X-X

01-01-01-01-01-01

%c%c%c%c%c%c.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   regedit.exe:952
   %original file name%.exe:2576
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\[email protected] (48 bytes)
   C:\%original file name%.exe.tmp1 (1257 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-796845957-1563985344-1801674531-1003\c5b88721db08c824db69d0bbc702beb8_f3a4e041-90c9-46df-a35a-850a694fae5b (44 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "HTTPFilter" = "%Documents and Settings%\%current user%\Local Settings\HTTPFilter.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.