Gen.Variant.Strictor.28070_033b061862
Gen:Variant.Strictor.28070 (B) (Emsisoft), Gen:Variant.Strictor.28070 (AdAware), Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 033b0618625974a797eb42b53aa4dfcb
SHA1: 549bf3b97310a926d9593820d661d1093438e5ee
SHA256: 19629448fcf86858d033a5ce8cad5a38f27f729e1db4b0c07a46d335a39748a0
SSDeep: 24576:px5NMKzCRXrp9eLDSoFJ9rofw0jqXR8OAVZ59oU:pOKurp9cDjQw0jqXAkU
Size: 1396736 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC50, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, Armadillov171, UPolyXv05_v6
Company: Dummy, Ltd.
Created at: 2015-03-19 17:19:42
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:396
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:396 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\UUWiseHelper.dll (291 bytes)
Registry activity
The process %original file name%.exe:396 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 EB C1 37 52 A8 42 F7 16 82 34 92 A6 39 6F 9F"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"
Dropped PE files
| MD5 | File path |
|---|---|
| dc6b73cbd1f6f5cec640a8c634ae50c8 | c:\UUWiseHelper.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 694082 | 696320 | 4.53027 | f47615205dbf8f6baed99f044aeb320d |
| .rdata | 700416 | 511494 | 512000 | 4.53321 | f65ab691a6c6d397227ed28a4c8ef0c0 |
| .data | 1212416 | 309931 | 86016 | 3.41518 | ae508075da10511c366fb96537b6ec2b |
| .rsrc | 1523712 | 95848 | 98304 | 4.91199 | 511e90172753825c97e2015c5b42abca |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://s1.uuwise.com/Api/config.aspx | |
| lc.uudama.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related
ET POLICY HTTP Request on Unusual Port Possibly Hostile
Traffic
POST /Api/config.aspx HTTP/1.1
User-Agent: WiseClientAPI-2.0.0.5
Version: 2.0.0.5
HASH: dc6b73cbd1f6f5cec640a8c634ae50c8
Cache-Control: no-cache
Accept: */*
TTL: 1439765218166
Content-Type: multipart/form-data; boundary=-------------aabbccddeeff007dc3d73a70130
Content-Length: 378
Host: s1.uuwise.com
Connection: Keep-Alive
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="HASH"
151DACFFAD6E2D210D6B75795BA0A980
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="SID"
103287
---------------aabbccddeeff007dc3d73a70130
Content-Disposition: form-data; name="InitTTL"
1439765218072
---------------aabbccddeeff007dc3d73a70130--
HTTP/1.1 200 OK
Date: Sun, 16 Aug 2015 22:46:59 GMT
Server: Microsoft-IIS/6.0
ServerV: 10040
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=2pdakv45eujs2mzlriqmj345; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 180
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\UUWiseHelper.dll (291 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.