PUP.Win32.BitcoinMiner_a1aed7b7d8
Trojan-Dropper.Win32.Sysn.prx (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan-Dropper.Win32.Sysn!IK (Emsisoft), PUP.Win32.BitcoinMiner.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, PUP
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: a1aed7b7d8a4613089716a742e7d1377
SHA1: fd64e5daec91ce716f254f89cc1bcf7a020f2df3
SHA256: abe53aa5dc031e7c6177ebaabc1998abd0c467d27d33da5550f04121e8588893
SSDeep: 3072:TAsCdlul pNqHvOTDuleVS3qUGkI4JOcRZ:TAsCdC ewu53ZLJDR
Size: 131584 bytes
File type: PE32
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2013-07-09 00:36:59
Summary:
PUP. Potentially Unwanted Program. An application that does not display malicious behavior yet is installed without having first sought affirmative user consent for installation. Users may not realize, due to the nature of the installation procedure, that an application they have not explicitly agreed to has been installed. This category can also be used to classify other applications which in a certain context can be wanted e.g. remote administration tools or IRC clients.
Payload
No specific payload has been found.
Process activity
The PUP creates the following process(es):
UFASoft.exe:1312
The PUP injects its code into the following process(es):
a1aed7b7d8a4613089716a742e7d1377.exe:1692
File activity
The process a1aed7b7d8a4613089716a742e7d1377.exe:1692 makes changes in a file system.
The PUP creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\usft_ext.dll (65864 bytes)
%Documents and Settings%\%current user%\Application Data\coinutil.dll (1014 bytes)
%Documents and Settings%\%current user%\Application Data\btc-evergreen.il (4688 bytes)
%Documents and Settings%\%current user%\Application Data\miner.dll (20748 bytes)
%Documents and Settings%\%current user%\Application Data\UFASoft.exe (1904 bytes)
%Documents and Settings%\%current user%\Application Data\btc.il (8034 bytes)
%Documents and Settings%\%current user%\Application Data\phatk.ptx (11456 bytes)
%Documents and Settings%\%current user%\Application Data\phatk.cl (678 bytes)
%Documents and Settings%\%current user%\Application Data\bdb.dll (31992 bytes)
Registry activity
The process a1aed7b7d8a4613089716a742e7d1377.exe:1692 makes changes in a system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 9D 8F 9A 7B 28 05 DE D7 8B 75 17 AB BE 56 7B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"UFASoft.exe" = "CommandCenter"
The PUP modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the PUP adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows.exe" = "%Documents and Settings%\%current user%\Application Data\\Loader.exe"
The PUP modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The PUP modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The process UFASoft.exe:1312 makes changes in a system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 26 8C BB 0D 66 9A 93 83 01 82 95 FF C3 1D 20"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://198.23.167.160/sov1001/miner.dll (Malicious) |  |
| hxxp://198.23.167.160/sov1001/phatk.cl | |
| hxxp://198.23.167.160/sov1001/phatk.ptx | |
| hxxp://198.23.167.160/sov1001/usft_ext.dll (Malicious) | |
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
UFASoft.exe:1312
- Delete the original PUP file.
- Delete or disinfect the following files created/modified by the PUP:
%Documents and Settings%\%current user%\Application Data\usft_ext.dll (65864 bytes)
%Documents and Settings%\%current user%\Application Data\coinutil.dll (1014 bytes)
%Documents and Settings%\%current user%\Application Data\btc-evergreen.il (4688 bytes)
%Documents and Settings%\%current user%\Application Data\miner.dll (20748 bytes)
%Documents and Settings%\%current user%\Application Data\UFASoft.exe (1904 bytes)
%Documents and Settings%\%current user%\Application Data\btc.il (8034 bytes)
%Documents and Settings%\%current user%\Application Data\phatk.ptx (11456 bytes)
%Documents and Settings%\%current user%\Application Data\phatk.cl (678 bytes)
%Documents and Settings%\%current user%\Application Data\bdb.dll (31992 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows.exe" = "%Documents and Settings%\%current user%\Application Data\\Loader.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
