Generic.Malware.SYdg.93736C4C_00366f2269
Generic.Malware.SYd!g.93736C4C (BitDefender), Backdoor:Win32/Berbew.DR (Microsoft), Trojan-Proxy.Win32.Qukart.ez (Kaspersky), BehavesLike.Win32.Malware.ssc (mx-v) (VIPRE), BackDoor.HangUp.51712 (DrWeb), Generic.Malware.SYd!g.93736C4C (B) (Emsisoft), BackDoor-AXJ.gen (McAfee), Backdoor.Berbew.F (Symantec), Trojan-Spy.Win32.Qukart (Ikarus), Generic.Malware.SYd!g.93736C4C (FSecure), I-Worm/Nuwar.N (AVG), Win32:Malware-gen (Avast), BKDR_BERBEW.F (TrendMicro), Generic.Malware.SYd!g.93736C4C (AdAware), Trojan-Spy.Win32.Qukart.FD, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Trojan-Proxy, Trojan-Spy, Banker, Trojan, Backdoor, Worm, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 00366f22698cc90d5bf37e0a0bd44d80
SHA1: 5c2dadfb6d8b8da6f26d25287122e22446921cda
SHA256: fffe6b6d81584a84d7b5ca66cbe66eb1ea6172a58b851ff71d9ceecc5a684009
SSDeep: 768:dJw94CqsTDL2HUmygB4T7OYwOZ/WYXehloPOie/1H5K:Twg4OygMwe/WYXehiPK
Size: 51712 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: InstallShield Software Corporation
Created at: 2024-04-18 22:06:08
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Trojan-Proxy. Trojan program which allows the user's system to be used as a remote proxy.
Payload
| Behaviour | Description |
|---|---|
| Trojan-Proxy | This program can launch a proxy server (SOCKS4) on a designated TCP port. |
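What a SOCKS4 proxy handshake looks like on the wire, as an added example (not code from the sample or from the analysis system): a parser for SOCKS4 and SOCKS4a CONNECT/BIND requests plus the 8-byte reply a proxy returns. The request bytes are constructed for illustration; the helper is meant for triaging the first client bytes of TCP streams in a capture when a host is suspected of relaying on a non-standard port.

```python
"""SOCKS4 / SOCKS4a request parser and reply builder.

Added example for the Trojan-Proxy payload described above; not code from the
sample or the analysis system. Wire format per the SOCKS4 protocol:

  request: VN=0x04 | CD (1=CONNECT, 2=BIND) | DSTPORT (2, big-endian)
           | DSTIP (4) | USERID ... NUL  [| HOSTNAME ... NUL  (SOCKS4a)]
  reply:   VN=0x00 | CD (0x5A granted, 0x5B rejected) | DSTPORT (2) | DSTIP (4)
"""
import struct
from typing import Optional

SOCKS4_CONNECT = 1
SOCKS4_BIND = 2
REPLY_GRANTED = 0x5A
REPLY_REJECTED = 0x5B


def parse_socks4_request(data: bytes) -> Optional[dict]:
    """Return the decoded request, or None if `data` is not a SOCKS4 request."""
    if len(data) < 9 or data[0] != 4 or data[1] not in (SOCKS4_CONNECT, SOCKS4_BIND):
        return None
    port, = struct.unpack(">H", data[2:4])
    ip = data[4:8]
    nul = data.find(b"\x00", 8)
    if nul < 0:
        return None                      # USERID must be NUL-terminated
    userid = data[8:nul].decode("latin-1")
    host = None
    # SOCKS4a: DSTIP of 0.0.0.x (x != 0) means a hostname follows USERID
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
        nul2 = data.find(b"\x00", nul + 1)
        if nul2 < 0:
            return None
        host = data[nul + 1:nul2].decode("latin-1")
        end = nul2 + 1
    else:
        end = nul + 1
    return {
        "command": "CONNECT" if data[1] == SOCKS4_CONNECT else "BIND",
        "port": port,
        "ip": ".".join(str(b) for b in ip),
        "host": host,
        "userid": userid,
        "consumed": end,                 # bytes of the stream used by the request
    }


def build_socks4_reply(granted: bool, port: int = 0, ip: bytes = b"\x00\x00\x00\x00") -> bytes:
    """8-byte reply the proxy sends back. A compromised host answering 0x5A to
    arbitrary clients is what makes it a usable relay for the operator."""
    return struct.pack(">BBH", 0, REPLY_GRANTED if granted else REPLY_REJECTED, port) + ip


def looks_like_socks4_handshake(client_first_bytes: bytes) -> bool:
    """Triage helper for captures: True when the first client bytes on a TCP
    stream decode as a SOCKS4 request (e.g. on a 'designated TCP port' that
    is not a normal service port)."""
    return parse_socks4_request(client_first_bytes) is not None


# Constructed sample: CONNECT to 198.51.100.7:25 (an SMTP relay), userid "bot"
SAMPLE_CONNECT = b"\x04\x01" + struct.pack(">H", 25) + bytes([198, 51, 100, 7]) + b"bot\x00"
# Constructed SOCKS4a sample: CONNECT to example.com:80 by hostname, empty userid
SAMPLE_CONNECT_4A = (b"\x04\x01" + struct.pack(">H", 80) + b"\x00\x00\x00\x01"
                     + b"\x00" + b"example.com\x00")

if __name__ == "__main__":
    for sample in (SAMPLE_CONNECT, SAMPLE_CONNECT_4A):
        print(parse_socks4_request(sample))
    print(build_socks4_reply(True, 25, bytes([198, 51, 100, 7])).hex())
```

SOCKS4 has no authentication beyond the free-text USERID, which is why a listener like this turns the infected machine into an open relay for whoever knows the port.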
Process activity
The Generic creates the following process(es):
%original file name%.exe:2436
The Generic injects its code into the following process(es):
Lnninpgf.exe:672
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process Lnninpgf.exe:672 makes changes in the file system.
The Generic creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nbeggddc.htm (194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ehfcjnfh.htm (211 bytes)
%System%\surf.dat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eipjagbo.htm (500 bytes)
The Generic deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nbeggddc.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ehfcjnfh.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eipjagbo.htm (0 bytes)
The process %original file name%.exe:2436 makes changes in the file system.
The Generic creates and/or writes to the following file(s):
%System%\Lnninpgf.exe (102 bytes)
%System%\Aedlblgl.dll (6 bytes)
Registry activity
The process Lnninpgf.exe:672 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 09 58 26 FA 3D FB CF 2A 5C 25 0B 80 90 DB B4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1601" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1601" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1601" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1601" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess]
"BrowseNewProcess" = "yes"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1601" = "0"
The process %original file name%.exe:2436 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 30 28 DA 71 2A 72 0B 58 8F 68 0E CD E4 73 97"
[HKCR\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
"(Default)" = "%System%\Aedlblgl.dll"
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Web Event Logger" = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
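The ShellServiceObjectDelayLoad (SSODL) entry above is the persistence: Explorer loads every CLSID listed there at shell start, and the CLSID's InProcServer32 key points at the dropped DLL. As an added example (not code from the sample or from the analysis system), the following resolves each SSODL value to the DLL it loads and flags anything outside a baseline or matching the CLSID from this report. It works on a text export in .reg format so it can be run offline against an image; the export here is constructed, and the CLSIDs of the two benign entries are illustrative.

```python
"""Resolve ShellServiceObjectDelayLoad entries to the DLL each CLSID loads.

Added example for the persistence recorded above; not code from the sample or
the analysis system. Input is a .reg-format export (e.g. from `reg export` of
the SSODL key and of HKCR\CLSID). SAMPLE_REG is constructed; the benign
WebCheck/SysTray CLSIDs are illustrative, the third is from this report.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"Web Event Logger"="{79FEACFF-FFCE-815E-A900-316290B5B738}"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\system32\\webcheck.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InProcServer32]
@="C:\\WINDOWS\\system32\\stobject.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
@="C:\\WINDOWS\\system32\\Aedlblgl.dll"
"ThreadingModel"="Apartment"
'''

SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
# Baseline of DLL basenames you expect SSODL to load on this build (assumption for the example)
BASELINE_DLLS = {"webcheck.dll", "stobject.dll"}
# CLSID recorded for this sample in the registry activity above
KNOWN_BAD_CLSIDS = {"{79FEACFF-FFCE-815E-A900-316290B5B738}"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: UPPER-CASED key path -> {value name -> data}.
    '@' becomes '(Default)'. Only REG_SZ ("...") data is unescaped; other
    types are kept raw. Key paths are upper-cased because the registry is
    case-insensitive and exports do not normalise CLSID case."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            keys[current] = {}
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys


def resolve_ssodl(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(value name, CLSID, InProcServer32 path) for each SSODL entry;
    path is '' when the CLSID has no InProcServer32 key in the export."""
    out = []
    for name, clsid in keys.get(SSODL_KEY.upper(), {}).items():
        inproc = keys.get(("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InProcServer32").upper(), {})
        out.append((name, clsid.upper(), inproc.get("(Default)", "")))
    return out


def flag_suspicious(entries: List[Tuple[str, str, str]]):
    """Entries whose DLL is outside the baseline or whose CLSID is a known IOC."""
    flagged = []
    for name, clsid, path in entries:
        basename = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if clsid in KNOWN_BAD_CLSIDS:
            reasons.append("known-bad CLSID")
        if basename not in BASELINE_DLLS:
            reasons.append("DLL not in baseline")
        if reasons:
            flagged.append((name, clsid, path, reasons))
    return flagged


if __name__ == "__main__":
    for row in flag_suspicious(resolve_ssodl(parse_reg(SAMPLE_REG))):
        print(row)
```

The baseline check is the part that generalises: a fresh SSODL value name such as "Web Event Logger" is easy to miss by eye, but a DLL under %System% that no known shell service object loads is not. Resolving through InProcServer32 also catches the case where an attacker reuses a legitimate-looking value name but repoints the CLSID.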
Dropped PE files
| MD5 | File path |
|---|---|
| 1231269ea1b9e94671ce929228ce7de0 | c:\WINDOWS\system32\Aedlblgl.dll |
| 0b9055e478e65550ab1db0841ae449ff | c:\WINDOWS\system32\Lnninpgf.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 32428 | 32768 | 4.96815 | df701a8ce41b3d032dff8657f1be8442 |
| .bss | 36864 | 136112 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .data | 176128 | 12752 | 12800 | 4.0622 | 4774f52d665e8ab8758e6145ee2e8380 |
| .idata | 192512 | 3748 | 4096 | 3.5204 | 708cff90e55fcc1f43ce49fc7ad6f7f4 |
| .aciof | 196608 | 4096 | 512 | 1.5773 | c4f94c5009850aad01001cc0a0fcc382 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
cda2b99376146f52a5152eaaa345de60
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Generic connects to the servers at the following location(s): none were observed in this run (see URLs and Traffic above). The entries below are strings extracted from the sample, i.e. section names, file paths, the URL list, HTML/JavaScript form-injection templates, registry paths, targeted web-mail and payment sites and imported API names; they are static indicators, not observed connections:
.text
.data
.idata
.aciof
%System%\dnkk.dll
%System%\surf.dat
%System%\kk32.dll
%System%\kk32.vxd
%System%
hXXp://crutop.nu/index.php
hXXp://crutop.ru/index.php
hXXp://mazafaka.ru/index.php
hXXp://color-bank.ru/index.php
hXXp://asechka.ru/index.php
hXXp://trojan.ru/index.php
hXXp://fuck.ru/index.php
hXXp://goldensand.ru/index.php
hXXp://filesearch.ru/index.php
hXXp://devx.nm.ru/index.php
hXXp://ros-neftbank.ru/index.php
hXXp://lovingod.host.sk/index.php
hXXp://VVV.redline.ru/index.php
hXXp://cvv.ru/index.php
hXXp://hackers.lv/index.php
hXXp://fethard.biz/index.php
hXXp://ldark.nm.ru/index.htm
hXXp://gaz-prom.ru/index.htm
hXXp://promo.ru/index.htm
hXXp://potleaf.chat.ru/index.htm
hXXp://kadet.ru/index.htm
hXXp://cvv.ru/index.htm
hXXp://crutop.nu/index.htm
hXXp://crutop.ru/index.htm
hXXp://mazafaka.ru/index.htm
hXXp://xware.cjb.net/index.htm
hXXp://konfiskat.org/index.htm
hXXp://parex-bank.ru/index.htm
hXXp://kidos-bank.ru/index.htm
hXXp://kavkaz.ru/index.htm
hXXp://fethard.biz/index.htm
CRYPTKEY
ntdll.dll
kernel32.dll
wsock32.dll
user32.dll
`.rdata
@.data
.reloc
.edata
%s\%s
WinExec
KERNEL32.DLL
CRTDLL.DLL
dll.dll
This KEWL STUFF was coded by V. V. PUPKIN, moderator of crutop.nu
Welcome to our forum, Adult Web Masters! hXXp://crutop.nu
AWM, welcome to CRUTOP.NU - HARDCORE/CONTENT/CHILD PORNO/LOLITAS/RAPE
REAL CASH, REAL BITCHEZ - CRUTOP.NU
%s-%s
%s %s
surf.dat
dnkk.dll
kk32.vxd
kk32.dll
%s\%s.exe
%s/Rtdx1%i.htm
%s\Rtdx1%i.dat
%s /C %s
\command.com
%s\command.pif
%s\cmd.exe
%s\cmd.pif
:u
of fraud on our website, we are undertaking a period review of our member accounts.
%ssetTimeout("x()",%u);%sself.parent.location="%s";
%s<!-- %u -->
%s%u - Microsoft Internet Explorer
\Iexplore.exe
.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
Software\Microsoft\Windows\CurrentVersion\Internet Settings
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%u
%ssetTimeout("z()",%u);%sdocument.%s.submit();
%s<input type="edit" value='%s' name='%s%u'><br>
%s<input type="edit" value='%s' name='%s'><br>
%s<form action="%s" method="POST" name="%s">
%s<title>%s%u</title>
%s<!-- %.2u -->
%s%c%c
Web Event Logger
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
CLSID\%s\InProcServer32
%s\%s.dll
{79FEACFF-FFCE-815E-A900-316290B5B738}TXT: '%s'
%s %X%c
%s FORM_%X
.yahoo.com
webmail.juno.com
my.juno.com/s/
.juno.com
.earthlink.
signin.ebay.
.paypal.com
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
GetWindowsDirectoryA
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
ole32.DLL
OLEAUT32.DLL
WININET.DLL
USER32.DLL
GDI32.DLL
ADVAPI32.DLL
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2436
Lnninpgf.exe:672 (the dropped copy the sample injects its code into; see Process activity above)
- Delete the original Generic file.
- Delete or disinfect the following files created/modified by the Generic:
%Documents and Settings%\%current user%\Local Settings\Temp\nbeggddc.htm (194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ehfcjnfh.htm (211 bytes)
%System%\surf.dat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eipjagbo.htm (500 bytes)
%System%\Lnninpgf.exe (102 bytes)
%System%\Aedlblgl.dll (6 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" = "%System%\ctfmon.exe"
Note that this Run value does not appear among the registry changes recorded above, and ctfmon.exe in %System% is a standard Windows component, so verify the value before removing it. The persistence the analysis did record is the ShellServiceObjectDelayLoad value "Web Event Logger" = "{79FEACFF-FFCE-815E-A900-316290B5B738}" under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion and the matching [HKCR\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32] key pointing at %System%\Aedlblgl.dll; delete both as well, otherwise Explorer reloads the DLL at the next logon.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.