MD5: bd46edf02332245ef26b5723fbef8de4
SHA1: 03521861cd814e20c1c2e9f96336f1311dcc9f40
SHA256: cf1084ee6288d316db9b694bfa0d1c157bed5196ea21f328b42640804ca4aca7
SSDeep: 768:KIsF8HdbKjV8BX7Vy6K7eIVSHach0kVo7SviJI34fh:KIsF5CBX7VX9I8HrCMo7SviJlf
Size: 29696 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Payload

No specific payload has been found.

Process activity

The Generic creates the following process(es):

%original file name%.exe:344

The Generic injects its code into the following process(es):

svchost.exe:852
svchost.exe:544

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:344 makes changes in the file system.
The Generic creates and/or writes to the following file(s):

%WinDir%\InstallDir\Server.exe (29 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\((Mutex)).cfg (2 bytes)

Registry activity

The process %original file name%.exe:344 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 60 7C 12 0D F7 8E F1 FF 55 25 67 08 5D 7F D3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}]
"StubPath" = "%WinDir%\InstallDir\Server.exe restart"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\((Mutex))]
"InstalledServer" = "%WinDir%\InstallDir\Server.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\((Mutex))]
"ServerStarted" = "7/21/2016 3:32:27 AM"

To automatically run itself each time Windows is booted, the Generic adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%WinDir%\InstallDir\Server.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%WinDir%\InstallDir\Server.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Generic connects to the servers at the folowing location(s):

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512

svchost.exe_852_rwx_00C80000_0001A000:

`.rsrc

Portions Copyright (c) 1999,2003 Avenger by NhT

Kernel32.dll

ntdll.dll

kernel32.dll

789:;<&'()* ,-./12345

user32.dll

urlmon.dll

wininet.dll

advapi32.dll

Shell32.dll

shell32.dll

shlwapi.dll

()* ,-./012

KWindows

UnitKeylogger

GetWindowsDirectoryW

GetProcessHeap

RegOpenKeyExW

RegCreateKeyExW

RegCreateKeyW

RegCloseKey

FindExecutableW

ShellExecuteW

SHDeleteKeyW

URLDownloadToFileW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

GetKeyboardState

FtpPutFileW

FtpSetCurrentDirectoryW

DeleteUrlCacheEntryW

.idata

.rdata

P.reloc

P.rsrc

DURLDnV

KERNEL32.DLL

oleaut32.dll

PSAPI.dll

x.html

explorer.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunOnce

Software\Microsoft\Windows NT\CurrentVersion\Windows

explorer.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

[Execute]

KeyDelBackspace

XtremeKeylogger

hXXp://

.functions

ÞFAULTBROWSER%

\Microsoft\Windows\

svchost.exe

desifre46.ddns.net

C:\Wind

Server.exe

{5460C4DF-B266-909E-CB58-E32B79832EB2}

PTF.ftpserver.com

ftpuser

ftppass

%WinDir%\InstallDir\Server.exe

%WinDir%\InstallDir\

%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\((Mutex)).cfg

Software\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}

svchost.exe_544:

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512

svchost.exe_544_rwx_00C80000_0001A000:

`.rsrc

Portions Copyright (c) 1999,2003 Avenger by NhT

Kernel32.dll

ntdll.dll

kernel32.dll

789:;<&'()* ,-./12345

user32.dll

urlmon.dll

wininet.dll

advapi32.dll

Shell32.dll

shell32.dll

shlwapi.dll

()* ,-./012

KWindows

UnitKeylogger

GetWindowsDirectoryW

GetProcessHeap

RegOpenKeyExW

RegCreateKeyExW

RegCreateKeyW

RegCloseKey

FindExecutableW

ShellExecuteW

SHDeleteKeyW

URLDownloadToFileW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

GetKeyboardState

FtpPutFileW

FtpSetCurrentDirectoryW

DeleteUrlCacheEntryW

.idata

.rdata

P.reloc

P.rsrc

DURLDnV

KERNEL32.DLL

oleaut32.dll

PSAPI.dll

x.html

explorer.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunOnce

Software\Microsoft\Windows NT\CurrentVersion\Windows

explorer.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

[Execute]

KeyDelBackspace

XtremeKeylogger

hXXp://

.functions

ÞFAULTBROWSER%

\Microsoft\Windows\

svchost.exe

desifre46.ddns.net

C:\Wind

Server.exe

{5460C4DF-B266-909E-CB58-E32B79832EB2}

PTF.ftpserver.com

ftpuser

ftppass

%WinDir%\InstallDir\Server.exe

%WinDir%\InstallDir\

%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\((Mutex)).cfg

Software\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}

c:\%original file name%.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:344
   

2. Delete the original Generic file.
   
3. Delete or disinfect the following files created/modified by the Generic:
   

   %WinDir%\InstallDir\Server.exe (29 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\((Mutex)).cfg (2 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "HKCU" = "%WinDir%\InstallDir\Server.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "HKLM" = "%WinDir%\InstallDir\Server.exe"

5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.