Gen.Variant.Zusy.180241_da5411b25b

by malwarelabrobot on July 23rd, 2016 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.180241 (AdAware), Backdoor.Win32.Farfli.FD, Trojan.Win32.IEDummy.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: da5411b25b4df1554b38595c8d9c6bba
SHA1: 4f29269d10541e29a4291b67b8bec4bac062bfa3
SHA256: bf9ee98f5f9737bf8ea51a5ee5d02b416098e43fd466b02e8b1edc84b9696304
SSDeep: 6144:VZXBsWqsE/Ao mv8Qv0LVmwq4FU0nN876c3/BZBVWM1m8:TXmwRo mv8QD4 0N46c35ZBV5c8
Size: 237211 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1564
Protect.exe:1192
Protect.exe:2020

The Trojan injects its code into the following process(es):

svchost.exe:812
iexplore.exe:1908

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (104 bytes)
%Program Files%\Company\NewProduct\Protect.exe (2104 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\$inst (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (0 bytes)

The process Protect.exe:2020 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\((Mutex)).cfg (2 bytes)
%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe (601 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)

Registry activity

The process %original file name%.exe:1564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00]
"HelpLink" = "mailto:[email protected]"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Company\NewProduct]
"protect.exe" = "kek"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00]
"InstallSource" = "c:\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00]
"InstallLocation" = "%Program Files%\Company\NewProduct\"
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00]
"UninstallString" = "%Program Files%\Company\NewProduct\Uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00]
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00]
"InstallDate" = "20160722"

"EstimatedSize" = "91"
"DisplayName" = "NewProduct 1.00"
"URLInfoAbout" = "http://www.company.com/"
"VersionMinor" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE E9 05 0D CD 1F 15 5C AA 76 AA 02 D2 CB 19 08"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00]
"Publisher" = "Company"
"VersionMajor" = "1"
"DisplayVersion" = "1.00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00]
"DisplayIcon" = "%Program Files%\Company\NewProduct\Uninstall.exe"
"Language" = "1049"

The Trojan modifies IE security zone settings so that local web nodes (names without dots) that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

The process Protect.exe:1192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 4B F9 F0 73 FA 98 79 83 DA 1B 40 6F 70 47 76"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process Protect.exe:2020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 5D 7D 5D DD 48 D6 F2 75 32 CC E4 71 71 14 A1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\((Mutex))]
"InstalledServer" = "%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"NetHood" = "%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\((Mutex))]
"ServerStarted" = "7/22/2016 21:45:20 PM"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"NetHood" = "%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{I7N2485J-HB53-U45G-J1Y0-335P5T2BY6YJ}]
"StubPath" = "%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe restart"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"NetHood" = "%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NetHood" = "%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"

Dropped PE files

MD5 File path
0cbd55d5184fd87a488d4551c10b4674 c:\Documents and Settings\"%CurrentUserName%"\Application Data\NetHood\Host.exe
0cbd55d5184fd87a488d4551c10b4674 c:\Program Files\Company\NewProduct\Protect.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Company
Product Name:
Product Version:
Legal Copyright: Company
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.00
File Description: NewProduct 1.00 Installation
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 148684 148992 4.57087 bac8bae7a5e5326cf49943b90d1c062a
DATA 155648 10388 10752 2.62963 abafcbfbd7f8ac0226ca496a92a0cf06
BSS 167936 4341 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 176128 6040 6144 3.38637 7a4934595db0efc364c3982c4e335d8c
.tls 184320 8 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 188416 24 512 0.14174 c4fdd0c5c9efb616fcc85d66056ca490
.reloc 192512 6276 6656 4.56552 867a1120317d51734587a74f6ee70016
.rsrc 200704 7388 7680 3.29739 5b088a613c5b2805c28352211bf683a9

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 23

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps

svchost.exe_812:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

svchost.exe_812_rwx_00C80000_00017000:

`.rsrc
Portions Copyright (c) 1999,2003 Avenger by NhT
Kernel32.dll
ntdll.dll
kernel32.dll
789:;<&'()* ,-./12345
user32.dll
urlmon.dll
wininet.dll
advapi32.dll
Shell32.dll
shell32.dll
shlwapi.dll
KWindows
UnitKeylogger
GetWindowsDirectoryW
GetProcessHeap
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyW
RegCloseKey
FindExecutableW
ShellExecuteW
SHDeleteKeyW
URLDownloadToFileW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
GetKeyboardState
FtpPutFileW
FtpSetCurrentDirectoryW
DeleteUrlCacheEntryW
.idata
.rdata
P.reloc
P.rsrc
Keylogg
DURLD
KERNEL32.DLL
oleaut32.dll
PSAPI.dll
x.html
explorer.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows NT\CurrentVersion\Windows
explorer.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
[Execute]
KeyDelBackspace
XtremeKeylogger
hXXp://
.functions
ÞFAULTBROWSER%
\Microsoft\Windows\
svchost.exe
kingbosman12.no-ip.biz
C:\User
)EXEmpire
Host.exe
kbd{I7N2485J-HB53-U45G-J1Y0-335P5T2BY6YJ}
PTF.ftpserver.com
C:\Users\
ftpuser
nel32.dll
kftppass
keyiso.dll
%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe
%Documents and Settings%\%current user%\Application Data\NetHood\
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\((Mutex)).cfg
Software\Microsoft\Active Setup\Installed Components\{I7N2485J-HB53-U45G-J1Y0-335P5T2BY6YJ}

iexplore.exe_1908:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512

iexplore.exe_1908_rwx_00C80000_00017000:

(identical strings to the svchost.exe_812_rwx_00C80000_00017000 region above)

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.
Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1564
    Protect.exe:1192
    Protect.exe:2020

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (104 bytes)
    %Program Files%\Company\NewProduct\Protect.exe (2104 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\((Mutex)).cfg (2 bytes)
    %Documents and Settings%\%current user%\Application Data\NetHood\Host.exe (601 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "NetHood" = "%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "NetHood" = "%Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "explorer.exe %Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "explorer.exe %Documents and Settings%\%current user%\Application Data\NetHood\Host.exe"

  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
