MD5: d90a0bc0aa133e31194451e9e7ffa1d0
SHA1: 89ca3cac79b3266f1637185312f5f89dbe7a773a
SHA256: ce18ba05eb8a388927778bf307cc4d0bdefd20ff7d62f035e6ce5525ffe4272f
SSDeep: 1536:zYo8jHrf4vZV1kKZPBurf3JoouhUQ/5i2biwk:IYvGKxy3rAhBXid
Size: 81920 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2015-10-06 17:04:35
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

%original file name%.exe:424
%original file name%.exe:1108

The Trojan injects its code into the following process(es):

svchost.exe:1260
iexplore.exe:1672

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:424 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)

The process %original file name%.exe:1108 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe (601 bytes)

Registry activity

The process %original file name%.exe:424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 84 8B BF A0 08 83 F7 64 6D D4 F1 B3 57 68 53"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\XtremeRAT]
"Mutex" = "G9uJ8h"

The process %original file name%.exe:1108 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 1C E7 9B F4 F4 1E 9B 20 E7 D8 99 37 59 61 12"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "%Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"18.exe" = "%Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: Zz98EiHn0s
Product Name: Aa6m5X
Product Version: 38.10.15.23
Legal Copyright: c0Y3H
Legal Trademarks: Bz6o7T8Sk
Original Filename: gka43s1n.exe
Internal Name: gka43s1n.exe
File Version: 38.10.15.23
File Description: z8RDo10Yr
Comments: b4WDd96Mf
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512

svchost.exe_1260_rwx_10000000_0004D000:

`.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

riable>PortMappingNumberOfEntr

<name>NewPortMappingIndex<

KWindows

TServerKeylogger

".KS|[

GetWindowsDirectoryW

RegOpenKeyExW

RegCreateKeyW

RegCloseKey

RegOpenKeyExA

FindExecutableW

ShellExecuteW

SHDeleteKeyW

URLDownloadToCacheFileW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

GetKeyboardType

GetKeyboardState

FtpPutFileW

FtpSetCurrentDirectoryW

.idata

.rdata

P.reloc

P.rsrc

%sodByt@

URLDb

KERNEL32.DLL

ntdll.dll

oleaut32.dll

shlwapi.dll

wininet.dll

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

desire.noip.me

Possibldesire.noip.me

ftpuser

Server.exe

{3V1V652R-SS22-120A-6AU1-M5457LWL6666}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PTF.ftpserver.com

iexplore.exe_1672:

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.Fg

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

8888880

8887080

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

iexplore.exe_1672_rwx_10000000_0004D000:

`.rsrc

ServerKeyloggerU

789:;<&'()* ,-./12345

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

riable>PortMappingNumberOfEntr

<name>NewPortMappingIndex<

KWindows

TServerKeylogger

".KS|[

GetWindowsDirectoryW

RegOpenKeyExW

RegCreateKeyW

RegCloseKey

RegOpenKeyExA

FindExecutableW

ShellExecuteW

SHDeleteKeyW

URLDownloadToCacheFileW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

GetKeyboardType

GetKeyboardState

FtpPutFileW

FtpSetCurrentDirectoryW

.idata

.rdata

P.reloc

P.rsrc

%sodByt@

URLDb

KERNEL32.DLL

ntdll.dll

oleaut32.dll

shlwapi.dll

wininet.dll

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

<meta http-equiv="Content-Type" content="text/html;charset=UTF-8">

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

desire.noip.me

Possibldesire.noip.me

ftpuser

Server.exe

{3V1V652R-SS22-120A-6AU1-M5457LWL6666}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PTF.ftpserver.com

c:\%original file name%.exe

%Program Files%\Internet Explorer\iexplore.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:424
   %original file name%.exe:1108
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe (601 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "18.exe" = "%Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "18.exe" = "%Documents and Settings%\%current user%\Application DataMicrosoft\System\Services\18.exe"

5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.