Gen.Variant.Strictor.132567_cf4872cc54
Gen:Variant.Strictor.132567 (BitDefender), VirTool:Win32/Obfuscator (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Virus.Win32.Virut.Generic (v) (VIPRE), Trojan.DownLoader26.51438 (DrWeb), Gen:Variant.Strictor.132567 (B) (Emsisoft), Generic-FAAF!CF4872CC549F (McAfee), Packed.Vmpbad!gen4 (Symantec), Trojan.Win32.VMProtect (Ikarus), Gen:Variant.Strictor.132567 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R002C0CFE18 (TrendMicro), GenericInjector.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Virus, Packed, VirTool, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: cf4872cc549ffa4ddecd11c02eb6b38d
SHA1: 4848640afe037594d2e0eee5dc2e19f413bfc8a8
SHA256: 3b60621eb2af71cb89be2aaadd2cd5ea7b97b9ffbe1492ff9223860b9d50c67b
SSDeep: 49152:FV1w7TWYiFz4/V PHrh6vaFPMlKsc7gut/LAQPLMvFoTQxZlOoPpY29DxDfl109R:xSq5RSaalKxCHlWZ3RuwmuY
Size: 2912256 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2018-06-14 22:39:01
Analyzed on: Windows7 SP1 32-bit
Summary:
Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2312
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\MSINET.OCX (267 bytes)
C:\Windows\System32\COMCTL32.OCX (608 bytes)
C:\Windows\System32\COMDLG32.OCX (307 bytes)
C:\Windows\System32\drivers\etc\hosts (9 bytes)
The Trojan deletes the following file(s):
C:\Windows\System32\drivers\etc\hosts (0 bytes)
Registry activity
The process %original file name%.exe:2312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\InetCtls.Inet.1]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib]
"(Default)" = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"
[HKCR\MSComDlg.CommonDialog.1\CLSID]
"(Default)" = "{F9043C85-F6F2-101A-A3C9-08002B2F49FB}"
[HKCR\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Help Property Page Object"
[HKCR\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"
[HKCR\InetCtls.Inet\CurVer]
"(Default)" = "InetCtls.Inet.1"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}]
"(Default)" = "DInetEvents"
[HKCR\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Open Property Page Object"
[HKCR\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2]
"(Default)" = "Microsoft Common Dialog Control 6.0 (SP6)"
[HKCR\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"
[HKCR\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Print Property Page Object"
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Version]
"(Default)" = "1.2"
[HKCR\InetCtls.Inet.1\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS]
"(Default)" = "2"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1]
"(Default)" = "132497"
[HKCR\MSComDlg.CommonDialog\CurVer]
"(Default)" = "MSComDlg.CommonDialog.1"
[HKCR\InetCtls.Inet\CLSID]
"(Default)" = "{48E59293-9880-11CF-9754-00AA00C00908}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"WindowClassName" = "DDEMLMom"
[HKCR\MSComDlg.CommonDialog]
"(Default)" = "Microsoft Common Dialog Control, version 6.0 (SP6)"
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus\1]
"(Default)" = "132499"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\TypeLib]
"(Default)" = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCR\InetCtls.Inet]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}]
"(Default)" = "IInet"
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.OCX"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.OCX"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID]
"(Default)" = "InetCtls.Inet.1"
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\MiscStatus]
"(Default)" = "0"
[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\MSINET.OCX"
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ProgID]
"(Default)" = "MSComDlg.CommonDialog.1"
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control General Property Page Object"
[HKCR\MSComDlg.CommonDialog\CLSID]
"(Default)" = "{F9043C85-F6F2-101A-A3C9-08002B2F49FB}"
[HKCR\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Font Property Page Object"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}]
"(Default)" = "ICommonDialog"
[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}]
"(Default)" = "ICommonDialogEvents"
[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib]
"Version" = "1.2"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\MSComDlg.CommonDialog.1]
"(Default)" = "Microsoft Common Dialog Control, version 6.0 (SP6)"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX, 1"
[HKCR\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\VersionIndependentProgID]
"(Default)" = "MSComDlg.CommonDialog"
[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus]
"(Default)" = "0"
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID]
"(Default)" = "InetCtls.Inet"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"
[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSINET.OCX"
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}]
"(Default)" = "Microsoft Common Dialog Control, version 6.0 (SP6)"
[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}]
"(Default)" = "Common Dialog Color Property Page Object"
[HKCR\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Internet Control URL Property Page Object"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\MSINET.OCX, 1"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib]
"(Default)" = "{48E59290-9880-11CF-9754-00AA00C00908}"
[HKCR\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\FLAGS]
"(Default)" = "2"
[HKCR\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib]
"Version" = "1.2"
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
"(Default)" = "Microsoft Internet Transfer Control 6.0 (SP6)"
[HKCR\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\TypeLib]
"(Default)" = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"
[HKCR\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32]
"(Default)" = "C:\Windows\system32\COMDLG32.OCX"
[HKCR\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\HELPDIR]
"(Default)" = ""
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}]
[HKCR\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}]
[HKCR\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}]
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
The Trojan deletes the following value(s) in system registry:
[HKCR\CLSID\{7629CFA2-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"
[HKCR\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"
[HKCR\CLSID\{3C4F3BE3-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"
[HKCR\CLSID\{3C4F3BE7-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"
[HKCR\CLSID\{3C4F3BE5-47EB-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"
[HKCR\CLSID\{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}\InprocServer32]
"ThreadingModel"
[HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32]
"ThreadingModel"
Dropped PE files
MD5 | File path |
---|---|
eb5f811c1f78005b3c147599a0cccf51 | c:\Windows\System32\COMCTL32.OCX |
ab412429f1e5fb9708a8cdea07479099 | c:\Windows\System32\COMDLG32.OCX |
90a39346e9b67f132ef133725c487ff6 | c:\Windows\System32\MSINET.OCX |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which Windows consults before DNS to map host names to IP addresses.
The modified file is 9100 bytes in size. The following entries are added to the hosts file:
IP address | Host name |
---|---|
182.253.238.102 | localhost |
182.253.238.102 | www.puasaciter.com |
182.253.238.102 | puasaciter.com |
182.253.238.102 | citpekalongan.net |
182.253.238.102 | www.citpekalongan.net |
182.253.238.102 | www.pekalongan-kommuniti.net |
182.253.238.102 | wawcheatvip.blogspot.co.id |
182.253.238.102 | wawcheatvip.blogspot.com |
182.253.238.102 | waw-jakarta-cheater.blogspot.co.id |
182.253.238.102 | waw-jakarta-cheater.blogspot.com |
182.253.238.102 | pekalongan-kommuniti-cheat.blogspot.com |
182.253.238.102 | pekalongan-kommuniti-cheat.blogspot.co.id |
182.253.238.102 | www.pekalongankomuniti.com |
182.253.238.102 | pekalongan-kommunitiy.blogspot.com |
182.253.238.102 | pointblankidhack.xyz |
182.253.238.102 | pekalongan-kommuniti.net |
182.253.238.102 | rhm-files.blogspot.co.id |
182.253.238.102 | www.rhm-files.blogspot.co.id |
182.253.238.102 | rhm-files.blogspot.com |
182.253.238.102 | sites.google.com |
182.253.238.102 | www.rhm-files.blogspot.com |
182.253.238.102 | rhm-files.blogspot.sg |
182.253.238.102 | www.rhm-files.blogspot.sg |
182.253.238.102 | mrcheat.us |
182.253.238.102 | www.mrcheat.us |
182.253.238.102 | www.mrcheat.net |
182.253.238.102 | applogsg.matrix.netease.com |
182.253.238.102 | mgbsdksgtest.matrix.netease.com |
182.253.238.102 | unisdk.update.netease.com |
182.253.238.102 | netease.com |
182.253.238.102 | mrcheat.net |
182.253.238.102 | rhm-files.blogspot.co.uk |
182.253.238.102 | www.rhm-files.blogspot.co.uk |
182.253.238.102 | rhm-files.blogspot.de |
182.253.238.102 | www.rezpektor-key.net |
182.253.238.102 | rezpektor-key.net |
182.253.238.102 | vista-tigabelas.blogspot.com |
182.253.238.102 | vista-tigabelas.blogspot.co.id |
182.253.238.102 | vista-tigabelas.blogspot.de |
182.253.238.102 | update.netease.com |
182.253.238.102 | g61.update.netease.com |
182.253.238.102 | d-cit.blogspot.com |
182.253.238.102 | d-cit.blogspot.co.id |
182.253.238.102 | mod-cit.blogspot.co.id |
182.253.238.102 | mod-cit.blogspot.com |
182.253.238.102 | mod-cit.blogspot.de |
182.253.238.102 | www.gelo-cheats.com |
182.253.238.102 | gelo-cheats.com |
182.253.238.102 | bancyberz.com |
182.253.238.102 | www.vvip-x-anonymous.com |
182.253.238.102 | vvip-x-anonymous.com |
182.253.238.102 | mrcheat.us |
182.253.238.102 | www.mrcheat.us |
182.253.238.102 | mrcheat.us/blog |
182.253.238.102 | www.mrcheat.us/blog |
182.253.238.102 | www.mrcheat.us/blog/ |
182.253.238.102 | bagicheatonline.blogspot.co.id |
182.253.238.102 | bagicheatonline.blogspot.com |
182.253.238.102 | bagicheatonline.blogspot.de |
182.253.238.102 | triomarbot.com |
182.253.238.102 | www.bagicheatonline.blogspot.co.id |
182.253.238.102 | www.sundaizer.com |
182.253.238.102 | sundaizer.com |
182.253.238.102 | www.bancyberz.com |
182.253.238.102 | gudang-ngecit.com |
182.253.238.102 | www.gudang-ngecit.com |
182.253.238.102 | mediadisk.net |
182.253.238.102 | cupit-cheat.com |
182.253.238.102 | www.cupit-cheat.com |
182.253.238.102 | www.mediadisk.net |
182.253.238.102 | propekalongan-kommunity.blogspot.co.id |
182.253.238.102 | www.propekalongan-kommunity.blogspot.co.id |
182.253.238.102 | propekalongan-kommunity.blogspot.com |
182.253.238.102 | www.propekalongan-kommunity.blogspot.com |
182.253.238.102 | propekalongan-kommunity.blogspot.sg |
182.253.238.102 | mitracit.blogspot.co.id |
182.253.238.102 | mitracit.blogspot.com |
182.253.238.102 | www.propekalongan-kommunity.blogspot.sg |
182.253.238.102 | kotakciter.blogspot.co.id |
182.253.238.102 | www.kotakciter.blogspot.co.id |
182.253.238.102 | kotakciter.blogspot.com |
182.253.238.102 | www.kotakciter.blogspot.com |
182.253.238.102 | kotakciter.blogspot.sg |
182.253.238.102 | www.kotakciter.blogspot.sg |
182.253.238.102 | kotakciter.blogspot.co.uk |
182.253.238.102 | www.kotakciter.blogspot.co.uk |
182.253.238.102 | www.citpurworejo.com |
182.253.238.102 | citpurworejo.com |
182.253.238.102 | www.vazdancer.net |
182.253.238.102 | vazdancer.net |
182.253.238.102 | mediadisk.net |
182.253.238.102 | www.mediadisk.net |
182.253.238.102 | mediadisk.net |
182.253.238.102 | www.mediadisk.net |
182.253.238.102 | mediadisk1.net |
182.253.238.102 | www.mediadisk.net |
182.253.238.102 | mediadisk1.net |
182.253.238.102 | www.mediadisk.net |
182.253.238.102 | mediadisk2.net |
182.253.238.102 | www.mediadisk2.net |
182.253.238.102 | mediadisk3.net |
182.253.238.102 | 140.207.168.45/g/d |
182.253.238.102 | api.goapk.com |
182.253.238.102 | api.goapk.com/ucsdk.php |
182.253.238.102 | appdump.x.netease.com/upload |
182.253.238.102 | fc.my.163.com:8080/ |
182.253.238.102 | fee.arc-soft.com:26000/gamefee/sdk/before_create_order |
182.253.238.102 | fee.arc-soft.com:26000/gamefee/sdk/check_channel |
182.253.238.102 | fee.arc-soft.com:26000/gamefee/sdk/check_white_phone |
182.253.238.102 | fee.arc-soft.com:26000/gamefee/sdk/create_order |
182.253.238.102 | fee.arc-soft.com:26000/gamefee/sdk/dot_upload |
182.253.238.102 | fee.arc-soft.com:26000/gamefee/sdk/init |
182.253.238.102 | fee.arc-soft.com:26000/gamefee/sdk/reg_ver_confirm |
182.253.238.102 | fee.arc-soft.com:26000/gamefee/sdk/ver_confirm |
182.253.238.102 | g0.gdl.netease.com |
182.253.238.102 | g73.drpf.x.easebar.com |
182.253.238.102 | h5.m.taobao.com/trade/paySuccess.html?bizOrderId=$OrderId$& |
182.253.238.102 | hydra.alibaba.com |
182.253.238.102 | m.alipay.com/?action=h5quit |
182.253.238.102 | mbdl.update.netease.com/%s.mbdl |
182.253.238.102 | mbdl.update.netease.com/httpdns.mbdl |
182.253.238.102 | mcgw.alipay.com/sdklog.do |
182.253.238.102 | mobile.unionpay.com/getclient?platform=android&type=securepayplugin |
182.253.238.102 | mobilegw-1-64.test.alipay.net/mgw.htm |
182.253.238.102 | mobilegw.aaa.alipay.net/mgw.htm |
182.253.238.102 | mobilegw.alipay.com/mgw.htm |
182.253.238.102 | mobilegw.stable.alipay.net/mgw.htm |
182.253.238.102 | tqlm.16163.com/zt/tqlm/gamefeedback-test/index.html |
182.253.238.102 | update.unisdk.163.com/feature/query.json |
182.253.238.102 | update.unisdk.163.com/g0/ |
182.253.238.102 | update.unisdk.163.com/html/latest_default.json |
182.253.238.102 | update.unisdk.easebar.com/feature/ |
182.253.238.102 | update.unisdk.easebar.com/html/latest_v4.json |
182.253.238.102 | update.unisdk.easebar.com/html/latest_v9.json |
182.253.238.102 | update.unisdk.easebar.com/realname/ |
182.253.238.102 | update.unisdk.easebar.com/realname/all.json |
182.253.238.102 | update.unisdk.easebar.com/realname/all.json.md5 |
182.253.238.102 | applog.matrix.netease.com |
182.253.238.102 | applog.matrix.netease.com |
182.253.238.102 | applog.matrix.netease.com |
182.253.238.102 | applogsg.matrix.easebar.com |
182.253.238.102 | applogsg.matrix.easebar.com |
182.253.238.102 | applogsg.matrix.easebar.com |
182.253.238.102 | data-detect.nie.easebar.com |
182.253.238.102 | data-detect.nie.netease.com |
182.253.238.102 | dby.ipaynow.cn/api/payment |
182.253.238.102 | g0-unipatch.nie.easebar.com |
182.253.238.102 | g0-unipatch.nie.netease.com |
182.253.238.102 | mgbsdk.matrix.netease.com |
182.253.238.102 | mobilegw.alipay.com |
182.253.238.102 | pay.ipaynow.cn |
182.253.238.102 | pay.ipaynow.cn/api_release/ |
182.253.238.102 | pay.ipaynow.cn/sdk/syncException |
182.253.238.102 | sigma-echoes.proxima.nie.netease.com/query/ |
182.253.238.102 | udt-sigma.proxima.nie.easebar.com/query |
182.253.238.102 | udt-sigma.proxima.nie.netease.com/query |
182.253.238.102 | unisdk.update.easebar.com/unipatch/ |
182.253.238.102 | www.mediadisk3.net |
182.253.238.102 | mediadisk4.net |
182.253.238.102 | www.mediadisk4.net |
182.253.238.102 | mediadisk5.net |
182.253.238.102 | www.mediadisk5.net |
182.253.238.102 | mediadisk6.net |
182.253.238.102 | www.mediadisk6.net |
182.253.238.102 | mediadisk7.net |
182.253.238.102 | www.mediadisk7.net |
182.253.238.102 | mediadisk8.net |
182.253.238.102 | www.mediadisk8.net |
182.253.238.102 | mediadisk9.net |
182.253.238.102 | www.mediadisk9.net |
182.253.238.102 | mediadisk6.net |
182.253.238.102 | www.mediadisk6.net |
182.253.238.102 | duniaku.net |
182.253.238.102 | www.duniaku.net |
182.253.238.102 | mrsnapznet.us |
182.253.238.102 | www.mrsnapznet.us |
182.253.238.102 | blackxat.com |
182.253.238.102 | www.blackxat.com |
182.253.238.102 | black-xat.com |
182.253.238.102 | www.xlack-xat.com |
182.253.238.102 | 203.117.172.56 |
182.253.238.102 | 203.117.172.43 |
182.253.238.102 | 203.117.172.4 |
182.253.238.102 | 203.117.172.57 |
182.253.238.102 | bandicam.com |
182.253.238.102 | www.bandicam.com |
182.253.238.102 | ssl.bandisoft.com |
182.253.238.102 | fairplay.pb.garena.co.id |
182.253.238.102 | wellbia.com |
182.253.238.102 | www.wellbia.com |
182.253.238.102 | zm1.november-lax.com |
182.253.238.102 | www.adnetworkperformance.com |
182.253.238.102 | n162adserv.com |
182.253.238.102 | 447pihoz.tech |
182.253.238.102 | rdsa2012.com |
182.253.238.102 | www.blkget.com |
182.253.238.102 | ampclicks.com |
182.253.238.102 | match.mixplugin.com |
182.253.238.102 | track.funshopfun.com |
182.253.238.102 | cdn.adplxmd.com |
182.253.238.102 | cdn.todigroup.com |
182.253.238.102 | www.blkget8.com |
182.253.238.102 | Offerjuice.me |
182.253.238.102 | www.Offerjuice.me |
182.253.238.102 | www.ab4hr.com |
182.253.238.102 | track.frwdx.com |
182.253.238.102 | adsrvmedia.adk2x.com |
182.253.238.102 | zo6.realsuperblite.com |
182.253.238.102 | srv.revdepo.com |
182.253.238.102 | www.trackingclick.net |
182.253.238.102 | xml.adfclick1.com |
182.253.238.102 | prjcq.com |
182.253.238.102 | servicegetbook.net |
182.253.238.102 | damaral.com |
182.253.238.102 | Cliponyu.com |
182.253.238.102 | 49.media.tumblr.com |
182.253.238.102 | 40.media.tumblr.com |
182.253.238.102 | 41.media.tumblr.com |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: Mehgai3Oapem1Ahi
Product Version: 1.00
Legal Copyright:
Legal Trademarks:
Original Filename: Triptofan telekil Ros V1.1.exe
Internal Name: Triptofan telekil Ros V1.1
File Version: 1.00
File Description:
Comments:
Language: English (United Kingdom)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 180048 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.data | 184320 | 11024 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 196608 | 7677152 | 28672 | 3.95539 | 1055dc4a5624c597bbdcab2f846afee8 |
.vmp0 | 7876608 | 216676 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.vmp1 | 8093696 | 2877259 | 2879488 | 5.50489 | 1dc2e6959f70286fd940276c18bfafe3 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
hxxp://blogspot.l.googleusercontent.com/ | |
hxxp://ghs.google.com/ | |
hxxp://www3.l.google.com/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm+IHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc/HIGOD+aUx0= | |
hxxp://www3.l.google.com/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCBY5YDkvcYm6 | |
hxxp://googleapis.l.google.com/ajax/libs/jquery/2.1.3/jquery.min.js | |
hxxp://pl14336753.pvclouds.com/c1/91/cd/c191cdedf2d49ff724fe8b19d5277cff.js | 213.196.2.2 |
hxxp://googleapis.l.google.com/css?family=Oswald:400,700 | |
hxxp://www3.l.google.com/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCBkI1RFpfx7k | |
hxxp://pagead46.l.doubleclick.net/pagead/js/adsbygoogle.js | |
hxxp://ad.a-ads.com/713373?size=468x60 | 176.9.125.108 |
hxxp://ie8eamus.com/sfp.js | 213.196.5.1 |
hxxp://www.modulepush.com/e604cb81f3c1551e1b0b66f6ab1e3f05/invoke.js | 198.134.112.241 |
hxxp://e734.a.akamaiedge.net/js/300/addthis_widget.js | |
hxxp://go.oclasrv.com/apu.php?zoneid=1369047 | 78.140.191.114 |
hxxp://deloton.com/apu.php?zoneid=1369047 | 194.187.98.221 |
hxxp://ghs.google.com//feeds/posts/summary?alt=json-in-script&orderby=published&max-results=7&callback=recentPosts | |
hxxp://pl14336753.pvclouds.com/invoke.js | 213.196.2.2 |
hxxp://www.modulepush.com/watch.105175222876?key=297d1249bc74199553e630694b53577e&kw=[]&refer=http://www.citpekalongan.com/&tz=3&dev=r&res=4.0&uuid= | 198.134.112.241 |
hxxp://www.modulepush.com/watch.105175222876?shu=43dff7b2e9dc75d650f206b5ccadbaaf0f9abd3937a0cb6d69143a181a409eb74f605be0c65af8b7519d42d6c826ed869c6a6a42c1acfcd24138d6a30c68b900a38da4526279d6e18f9ad1e4&pst=1529333401&rmtc=t&uuid=&pii=&in=false&refer=http://www.citpekalongan.com/&key=297d1249bc74199553e630694b53577e&tz=3&dev=r&res=4.0&kw=[] | 198.134.112.241 |
hxxp://www3.l.google.com/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCELheZBeE9GM | |
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8= | |
hxxp://gstaticadssl.l.google.com/s/oswald/v16/TK3iWkUHHAIjg752GT8A.woff | |
hxxp://gstaticadssl.l.google.com/s/oswald/v16/TK3hWkUHHAIjg75-ohoTus9E.woff | |
hxxp://www3.l.google.com/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCDVgU4Bnrknm | |
hxxp://www3.l.google.com/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCAmuJW8izj/K | |
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEH7hSm9v7/LTfz+tZU062rQ= | |
hxxp://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEENSAj/6qJAfE5/j9OXBRE4= | |
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEAs8O2AaGPWe4ra7BWBe8sA= | |
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR0JBRnBp/14Jg/Xj4aa6BlKlQVdQQUAVmr5906C1mmZGPWzyAHV9WR52oCECxqpDaJyq/+D0ZiblxvnRI= | |
hxxp://scontent.xx.fbcdn.net/connect/xd_arbiter/r/mAiQUwlReIP.js?version=42 | |
hxxp://a875.dscb.akamai.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrJdiQ/icg9B19asFe73bPYs+reAQUdXGnGUgZvJ2d6kFH35TESHeZ03kCEFslzmkHxCZVZtM5DJmpVK0= | |
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEArt3qPbsnm34qUGW3vikxY= | |
hxxp://ghs.google.com/favicon.ico | |
hxxp://cdnjs.cloudflare.com/ajax/libs/fingerprintjs2/1.6.1/fingerprint2.min.js | 104.19.199.151 |
hxxp://a1363.dscg.akamai.net/pki/crl/products/tspca.crl | |
hxxp://ie8eamus.com/fp?uuid=&fingerprint=ab4174aa8f1a47e69078e73ac87c027d&ua=Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)&dev=r&res=4.0&b_frame=false&pk=c191cdedf2d49ff724fe8b19d5277cff | 213.196.5.1 |
hxxp://crl.microsoft.com/pki/crl/products/tspca.crl | 77.222.148.96 |
hxxp://fonts.googleapis.com/css?family=Oswald:400,700 | 172.217.18.170 |
hxxp://www.urldelivery.com/watch.105175222876?shu=43dff7b2e9dc75d650f206b5ccadbaaf0f9abd3937a0cb6d69143a181a409eb74f605be0c65af8b7519d42d6c826ed869c6a6a42c1acfcd24138d6a30c68b900a38da4526279d6e18f9ad1e4&pst=1529333401&rmtc=t&uuid=&pii=&in=false&refer=http://www.citpekalongan.com/&key=297d1249bc74199553e630694b53577e&tz=3&dev=r&res=4.0&kw=[] | 198.134.112.243 |
hxxp://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCBkI1RFpfx7k | 172.217.18.174 |
hxxp://www.citpekalongan.com/ | 172.217.18.179 |
hxxp://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCELheZBeE9GM | 172.217.18.174 |
hxxp://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCAmuJW8izj/K | 172.217.18.174 |
hxxp://s7.addthis.com/js/300/addthis_widget.js | 2.22.92.206 |
hxxp://fonts.gstatic.com/s/oswald/v16/TK3hWkUHHAIjg75-ohoTus9E.woff | 172.217.18.163 |
hxxp://ocsp.trust-provider.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEENSAj/6qJAfE5/j9OXBRE4= | 178.255.83.1 |
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEAs8O2AaGPWe4ra7BWBe8sA= | 93.184.220.29 |
hxxp://citpekalongans.blogspot.com/ | 172.217.18.161 |
hxxp://staticxx.facebook.com/connect/xd_arbiter/r/mAiQUwlReIP.js?version=42 | |
hxxp://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCBY5YDkvcYm6 | 172.217.18.174 |
hxxp://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrJdiQ/icg9B19asFe73bPYs+reAQUdXGnGUgZvJ2d6kFH35TESHeZ03kCEFslzmkHxCZVZtM5DJmpVK0= | 2.21.89.25 |
hxxp://fonts.gstatic.com/s/oswald/v16/TK3iWkUHHAIjg752GT8A.woff | 172.217.18.163 |
hxxp://www.bnserving.com/invoke.js | 213.196.2.1 |
hxxp://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js | 172.217.23.170 |
hxxp://www.urldelivery.com/watch.105175222876?key=297d1249bc74199553e630694b53577e&kw=[]&refer=http://www.citpekalongan.com/&tz=3&dev=r&res=4.0&uuid= | 198.134.112.243 |
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8= | 93.184.220.29 |
hxxp://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEH7hSm9v7/LTfz+tZU062rQ= | 23.51.123.27 |
hxxp://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm+IHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc/HIGOD+aUx0= | 172.217.18.174 |
hxxp://www.citpekalongan.com//feeds/posts/summary?alt=json-in-script&orderby=published&max-results=7&callback=recentPosts | 172.217.18.179 |
hxxp://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js | 216.58.205.226 |
hxxp://www.citpekalongan.com/favicon.ico | 172.217.18.179 |
hxxp://sr.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR0JBRnBp/14Jg/Xj4aa6BlKlQVdQQUAVmr5906C1mmZGPWzyAHV9WR52oCECxqpDaJyq/+D0ZiblxvnRI= | 23.51.123.27 |
hxxp://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ+uksCCDVgU4Bnrknm | 172.217.18.174 |
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEArt3qPbsnm34qUGW3vikxY= | 93.184.220.29 |
1.bp.blogspot.com | 172.217.18.161 |
2.bp.blogspot.com | 172.217.18.161 |
adservice.google.com | 172.217.22.2 |
scontent.fiev7-2.fna.fbcdn.net | 77.222.131.81 |
www.blogger.com | 172.217.18.169 |
www.paypalobjects.com | 80.239.245.5 |
3.bp.blogspot.com | 172.217.18.161 |
resources.blogblog.com | 172.217.18.169 |
4.bp.blogspot.com | 172.217.18.161 |
adservice.google.com.ua | 172.217.21.226 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\System32\MSINET.OCX (267 bytes)
C:\Windows\System32\COMCTL32.OCX (608 bytes)
C:\Windows\System32\COMDLG32.OCX (307 bytes)
C:\Windows\System32\drivers\etc\hosts (9 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.