Gen.Variant.Zusy.97424_06bfaf2e4e
Trojan.Win32.Tonmye.b (Kaspersky), Gen:Variant.Zusy.97424 (B) (Emsisoft), Gen:Variant.Zusy.97424 (AdAware), Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 06bfaf2e4e56cf115ea572235c695bb3
SHA1: e74585495249a219bd45dcfd72c91e2e4448424a
SHA256: af8f413ca27af075055f7d92406fe232e6393f66ef3e01a48133d4351afbc249
SSDeep: 24576:F6nMsD/lnXmXMMEomTb8e2rvg1KGYMISUJbwaXTw1hTm8JywRX/pA2zLJSCIbG:ctRmMMmTb8emb301dywRX/pA0r
Size: 1929216 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: TODO:
Created at: 2014-07-08 03:53:21
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Note: the Traffic section below records HTTP requests only; the EmailWorm label rests on the SMTP and mail-header format strings embedded in the binary (SMTP, "From: %s", "To: %s", "Subject: %s" in the strings section), not on observed mail activity.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:468
Note: the only target listed is the sample's own process (PID 468). The memory dump named later in the report, %original file name%.exe_468_rwx_00401000_000AB000, is an RWX region of 0xAB000 = 700416 bytes at 0x00401000. That is exactly the raw size of the first .text section (700416 bytes at virtual address 4096, assuming the default 0x400000 image base), which is consistent with the packed code (PEID: UPolyXv05) being rewritten in place rather than with injection into another process.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\gzip.dll (30 bytes)
Registry activity
The process %original file name%.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 23 D5 8F 84 E6 3A 88 89 C8 4E 33 E8 40 1C 2E"
Note: Windows rewrites the RNG "Seed" value itself whenever a process draws from the system random number generator (for example through CryptGenRandom). This entry shows up in sandbox reports of almost any program; it is neither a persistence mechanism nor a usable indicator.
Dropped PE files
| MD5 | File path |
|---|---|
| 8b3591965f623b219c0c528153746cab | c:\gzip.dll |
Note: File activity records only a 30-byte write to this path, which is smaller than the 64-byte DOS header alone, so the recorded size cannot describe a complete PE image. Verify the file on an infected host by hash, not by size.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: ??
Product Name: ??
Product Version: 1.0.0.0
Legal Copyright: ??
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ??
Comments: ??
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 700146 | 700416 | 5.14678 | ca2c56cab0130c04a33cbe803a0a9a4a |
| .rdata | 704512 | 1009386 | 1011712 | 4.76986 | b5035537af9aa4a51b8fd46deb15e4a2 |
| .data | 1716224 | 272138 | 94208 | 4.35836 | e0c2c9a8383b55d072c1a2016607aea1 |
| .rsrc | 1990656 | 111928 | 114688 | 3.10141 | 70527f33d4e310805ca717e658f5503a |
| .text | 2105344 | 992 | 4096 | 1.77109 | c9d7bb368d6b62a5bee94f0095b10c95 |
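The section table above shows three things a triager should notice: the name .text appears twice, .data has a virtual size almost three times its raw size, and the last section is a 992-byte, low-entropy executable stub appended after .rsrc, which is how a packer typically adds its entry code. The script below is an added example and not part of the Lavasoft report: it serialises the report's five rows into real IMAGE_SECTION_HEADER records, parses them back, runs those checks, and matches the RWX memory dump named later in the report (%original file name%.exe_468_rwx_00401000_000AB000) against the sections. The PointerToRawData values, the zeroed Characteristics flags and the 0x400000 image base are assumptions, since the report does not list them.

```python
"""Section-table triage for the PE layout in the report.

Added example, not part of the Lavasoft report. The five rows are copied
from the report's table; raw pointers, Characteristics and the image base
are assumptions made so the rows can be round-tripped through a parser.
"""
from __future__ import annotations

import struct

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

# (name, VirtualAddress, VirtualSize, SizeOfRawData, entropy) from the report.
REPORT_SECTIONS = [
    (".text",  4096,    700146,  700416,  5.14678),
    (".rdata", 704512,  1009386, 1011712, 4.76986),
    (".data",  1716224, 272138,  94208,   4.35836),
    (".rsrc",  1990656, 111928,  114688,  3.10141),
    (".text",  2105344, 992,     4096,    1.77109),
]
IMAGE_BASE = 0x400000                    # assumption: default Win32 EXE base
DUMP_REGION = (0x00401000, 0x000AB000)   # start and size from the dump name


def build_section_table(rows) -> bytes:
    """Serialise report rows into raw headers (assumed layout: headers end at
    file offset 0x400 and section data follows back to back)."""
    blob = b""
    raw_ptr = 0x400
    for name, va, vsize, rawsize, _entropy in rows:
        blob += SECTION_HEADER.pack(name.encode("ascii").ljust(8, b"\0"),
                                    vsize, va, rawsize, raw_ptr, 0, 0, 0, 0, 0)
        raw_ptr += rawsize
    return blob


def parse_section_table(blob: bytes, count: int) -> list[dict]:
    """Decode `count` consecutive section headers."""
    sections = []
    for i in range(count):
        name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, chars = \
            SECTION_HEADER.unpack_from(blob, i * SECTION_HEADER.size)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return sections


def section_anomalies(sections: list[dict], entropies: list[float] | None = None,
                      size_ratio: float = 2.0, low_entropy: float = 2.0) -> list[str]:
    """Duplicate names, VirtualSize far above SizeOfRawData (space filled at
    run time), and a tiny low-entropy trailing section reusing a standard
    name (a packer's appended entry stub)."""
    findings: list[str] = []
    first_index: dict[str, int] = {}
    last = len(sections) - 1
    for idx, s in enumerate(sections):
        if s["name"] in first_index:
            findings.append(f"duplicate section name {s['name']!r} at index {idx} "
                            f"(first seen at index {first_index[s['name']]})")
        else:
            first_index[s["name"]] = idx
        if s["rawsize"] and s["vsize"] > size_ratio * s["rawsize"]:
            findings.append(f"{s['name']} VirtualSize {s['vsize']} is "
                            f"{s['vsize'] / s['rawsize']:.1f}x SizeOfRawData {s['rawsize']}")
        if (entropies is not None and idx == last and s["vsize"] < 4096
                and entropies[idx] < low_entropy):
            findings.append(f"trailing section {s['name']!r} is tiny ({s['vsize']} bytes) "
                            f"with entropy {entropies[idx]:.2f}: likely appended stub")
    return findings


def match_dump_to_section(sections: list[dict], image_base: int,
                          region: tuple[int, int]) -> int | None:
    """Index of the section whose mapped start and raw size equal the dumped
    RWX region, or None. A hit means a section was rewritten in place."""
    start, size = region
    for idx, s in enumerate(sections):
        if image_base + s["va"] == start and s["rawsize"] == size:
            return idx
    return None


def triage_report_sections() -> list[str]:
    """Round-trip the report's table through the parser and run the checks."""
    parsed = parse_section_table(build_section_table(REPORT_SECTIONS),
                                 len(REPORT_SECTIONS))
    findings = section_anomalies(parsed, [row[4] for row in REPORT_SECTIONS])
    hit = match_dump_to_section(parsed, IMAGE_BASE, DUMP_REGION)
    if hit is not None:
        findings.append(f"RWX dump at {DUMP_REGION[0]:#x} covers section "
                        f"{parsed[hit]['name']!r} (index {hit}) exactly")
    return findings


if __name__ == "__main__":
    for line in triage_report_sections():
        print(line)
```

On a real file, replace build_section_table with a read of the section table at e_lfanew + 4 + 20 + SizeOfOptionalHeader; the parser and heuristics are unchanged. The dump match is the useful part here: 0xAB000 equals the raw size of the first .text section, so the "injection" recorded by the sandbox is the sample unpacking its own code.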
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://tp.hd.mi.com/gettimestamp | |
| www.baidu.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /gettimestamp HTTP/1.1
Referer: hXXp://tp.hd.mi.com/gettimestamp
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: tp.hd.mi.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: close
Date: Mon, 20 Oct 20
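The hosts in the URL table above are Xiaomi (mi.com) and Baidu services that benign software also contacts, so they make poor indicators on their own. The attacker-controlled endpoint is in the embedded strings instead: hXXp://203.171.232.125:8888/Ip/index.php?id= and hXXp://203.171.232.125:8888/HS/index.php?type=. The captured request also has two quirks of the sample's HTTP code: a GET that carries a form Content-Type, and a Referer identical to the requested URL. The following is an added example, not part of the Lavasoft report: a small scorer that parses raw HTTP request heads and ranks them so the hard-coded C2 outranks the vendor hosts. The three request records are constructed for the demo (the first reproduces the capture with the scheme restored; the "id=1234" value and the browser User-Agent are made up), and the weights are a triage choice.

```python
"""Rank HTTP requests against the network indicators in this report.

Added example, not part of the Lavasoft report. Indicators come from the
traffic capture and the embedded strings; request records are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Attacker-controlled endpoint and URL pattern from the embedded strings.
C2_HOSTS = {"203.171.232.125:8888"}
C2_PATH_RE = re.compile(r"^/(Ip|HS)/index\.php\?(id|type)=")
# Public services the sample also contacts; weak on their own.
CONTEXT_HOSTS = {"tp.hd.mi.com", "account.xiaomi.com", "order.mi.com",
                 "open.baidu.com", "www.baidu.com"}
# Exact User-Agent from the capture (note the non-standard "125LA" token).
SAMPLE_UA = ("Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; "
             ".NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)")


@dataclass
class Request:
    method: str
    path: str
    headers: dict[str, str]


def parse_request(raw: str) -> Request:
    """Parse an HTTP/1.x request head: request line plus headers."""
    lines = raw.strip("\r\n").splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return Request(method, path, headers)


def score_request(req: Request) -> tuple[int, list[str]]:
    """Return a score and the indicators that matched."""
    host = req.headers.get("host", "")
    score, why = 0, []
    if host in C2_HOSTS:
        score += 10
        why.append(f"host {host} is the hard-coded C2 endpoint")
    if C2_PATH_RE.match(req.path):
        score += 5
        why.append(f"path {req.path} matches the C2 URL pattern")
    if req.headers.get("user-agent") == SAMPLE_UA:
        score += 3
        why.append("User-Agent identical to the sample's")
    if req.method == "GET" and "content-type" in req.headers:
        score += 2
        why.append("GET carrying a Content-Type header")
    if req.headers.get("referer") == f"http://{host}{req.path}":
        score += 2
        why.append("Referer equals the requested URL")
    if host in CONTEXT_HOSTS:
        score += 1
        why.append(f"host {host} is infrastructure the sample also contacts")
    return score, why


def verdict(raw: str) -> str:
    """Bucket a raw request: 'c2', 'suspicious' or 'context'."""
    score, _ = score_request(parse_request(raw))
    return "c2" if score >= 10 else "suspicious" if score >= 5 else "context"


# Constructed records for the demo.
CAPTURED_GET = (
    "GET /gettimestamp HTTP/1.1\r\n"
    "Referer: http://tp.hd.mi.com/gettimestamp\r\n"
    "Accept: */*\r\n"
    "Accept-Language: zh-cn\r\n"
    f"User-Agent: {SAMPLE_UA}\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: tp.hd.mi.com\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
C2_BEACON = (
    "GET /Ip/index.php?id=1234 HTTP/1.1\r\n"
    f"User-Agent: {SAMPLE_UA}\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: 203.171.232.125:8888\r\n\r\n"
)
BROWSER_GET = (
    "GET / HTTP/1.1\r\n"
    "Host: www.baidu.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("capture", CAPTURED_GET), ("beacon", C2_BEACON), ("browser", BROWSER_GET)):
        print(label, verdict(raw), score_request(parse_request(raw))[1])
```

Fed proxy logs, the same scorer keeps the Xiaomi and Baidu contacts as supporting context (they raise the captured request to "suspicious" only because of the User-Agent and header quirks) while any hit on 203.171.232.125:8888 or the /Ip/ and /HS/ index.php paths lands in the "c2" bucket directly.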
The Trojan connects to the servers at the following location(s):
.text
.rdata
@.data
.rsrc
@.text
zh.pK
t%SVh
t$(SSh
~%UVW
u$SShe
kernel32.dll
ole32.dll
shlwapi.dll
Kernel32.dll
user32.dll
gzip.dll
wininet.dll
MsgWaitForMultipleObjects
EnumWindows
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
1970-01-01 08:00:00
1970-01-01 00:00:00
hXXp://203.171.232.125:8888/Ip/index.php?id=
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
\gzip.dll
`.data
@.reloc
KERNEL32.dll
gzip.pdb
_u%SV
adodb.stream
Sniffer Portable
HTTP Analyzer
HttpWatch
HTTPDebugger
HttpAnalyzer
WindowsForms10.Window.8.app.0.378734a
TStdHttpAnalyzerForm
&sid=passport&_sign=KKkRvCpZoDC+gLdeyOsdMhwV0Xg=&callback=https://account.xiaomi.com&qs=%3Fsid%3Dpassport
hXXps://account.xiaomi.com/pass/serviceLoginAuth2
>@hXXp://order.mi.com/user/order
hXXp://203.171.232.125:8888/HS/index.php?type=
:(. ?),#
function time(){return new Date().getTime()}hdurl":"
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.57 Safari/537.36
http=
https
HTTP/1.1
hXXps://
hXXp://
/soft.ini
VVV.baidu.com
hXXp://open.baidu.com/special/time/
window.baidu_time(
\update.exe
GetWindowsDirectoryA
ShellExecuteA
scripting.FileSystemObject
Temp.zip
Temp.exe
[email protected]
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
hXXp://bc.3600gz.cno
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
GetProcessHeap
WinExec
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
#include "l.chs\afxres.rc" // Standard components
.QSP99900000L
.PP9961''&&&&
.99961*1'''&'!
`^^^]^\\
%%%)***1///62228///6)))2$$$
\update2.exe
@ping 127.0.0.1 -n
del Restart.bat
\Restart.bat
.FJP\
VBScript.RegExp
*.txt
|*.txt
RASAPI32.dll
WLDAP32.dll
WSOCK32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
icmp.dll
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
hXXp://VVV.eyuyan.com
[email protected]
86(0411)39895834
86(0411)39895831
This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit VVV.dywt.com.cn/info
DelAllKeyValues
DelKeyValue
GetAllKeys
GetKeyValue
AddKeyValue
DSGetErrMsg
BiTreeGetCurNodeKey
ListGetCurNodeKey
ListUpdateNodeFromKey
ListRemoveNodeFromKey
edatastructure_fnMapDelAllKeyValues
edatastructure_fnMapDelKeyValue
edatastructure_fnMapGetAllKeys
edatastructure_fnMapGetKeyValue
edatastructure_fnMapAddKeyValue
edatastructure_fnBiTreeGetCurNodeKey
edatastructure_fnListGetCurNodeKey
edatastructure_fnListUpdateNodeFromKey
edatastructure_fnListRemoveNodeFromKey
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
01-01 08:00:00
c:\%original file name%.exe
6.0.2600.0 (xpclient.010817-1148)
6.0.2600.0
(*.*)
1.0.0.0
%original file name%.exe_468_rwx_00401000_000AB000:
zh.pK
t%SVh
t$(SSh
~%UVW
u$SShe
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\gzip.dll (30 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
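gzip.dll is a generic file name, so the removal step above should confirm the hash from the Dropped PE files table before deleting anything, and should treat a file that is present but is not a PE (the report saw only a 30-byte write) differently from a PE with a different hash. The script below is an added example and not part of the Lavasoft report: it checks each indicator path under a root directory and reports one of four states. Only the gzip.dll path and MD5 are taken from the report; the scratch directory, the placeholder hash for update.exe (a name from the embedded strings) and all file contents in the demo are constructed.

```python
"""Verify dropped-file indicators by hash and PE header before removal.

Added example, not part of the Lavasoft report. REPORT_IOCS holds the
report's path/MD5 pair; everything written by demo() is constructed.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Path and MD5 from the report's "Dropped PE files" table.
REPORT_IOCS = {"gzip.dll": "8b3591965f623b219c0c528153746cab"}


def md5_of(path: Path) -> str:
    """Chunked MD5 so large files do not have to fit in memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_pe(path: Path) -> bool:
    """True if the file has a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    data = path.read_bytes()
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def check_dropped_files(root: Path, iocs: dict[str, str]) -> dict[str, str]:
    """Map each indicator to: missing | match | not-pe | hash-mismatch."""
    results: dict[str, str] = {}
    for name, expected_md5 in iocs.items():
        path = root / name
        if not path.is_file():
            results[name] = "missing"
        elif md5_of(path) == expected_md5.lower():
            results[name] = "match"           # safe to remove
        elif not is_pe(path):
            results[name] = "not-pe"          # partial write or unrelated file
        else:
            results[name] = "hash-mismatch"   # a PE, but not the reported one
    return results


def demo() -> dict[str, str]:
    """Constructed scenario in a scratch directory: a 30-byte gzip.dll stub,
    a minimal PE named update.exe with a placeholder hash, a file whose
    indicator hash is taken from its own content, and an absent file."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "gzip.dll").write_bytes(b"MZ" + b"\0" * 28)      # 30 bytes, not a PE
    pe = bytearray(0x44)
    pe[:2] = b"MZ"
    pe[0x3C:0x40] = (0x40).to_bytes(4, "little")             # e_lfanew -> 0x40
    pe[0x40:0x44] = b"PE\0\0"
    (tmp / "update.exe").write_bytes(pe)
    (tmp / "Temp.exe").write_bytes(b"constructed sample content")
    iocs = {
        "gzip.dll": REPORT_IOCS["gzip.dll"],
        "update.exe": "0" * 32,                  # placeholder hash (assumption)
        "Temp.exe": md5_of(tmp / "Temp.exe"),
        "update2.exe": "0" * 32,                 # never written: reported missing
    }
    return check_dropped_files(tmp, iocs)


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

Run against C:\ on a suspect host, only a "match" result justifies the delete step; "not-pe" or "hash-mismatch" calls for collecting the file for analysis first, since the report's hash may describe a complete DLL that the 30-byte write never produced.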