PUP.Win32.BitcoinMiner_c2dc3a8b3e
Trojan.Win32.Agent.acvlh (Kaspersky), PUP.Win32.BitcoinMiner.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Trojan, PUP, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: c2dc3a8b3e5b4679310137772bc30309
SHA1: 6c1f18cc64cb3bc2e2041d00eb417768ec1dd316
SHA256: bac303117192641d5aa76c5f31d2c236f0bba9bd73757e3974ebb82b42ccd7af
SSDeep: 1536:v6VsYTzLddgitIp6Tb62 6u0FFybuY/9CEG:yVsYTzbgQIpO1 6u0FF0N/cv
Size: 52224 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2013-11-02 20:00:48
Summary:
PUP. Potentially Unwanted Program. An application that does not display malicious behavior yet is installed without having first sought affirmative user consent for installation. Users may not realize, due to the nature of the installation procedure, that an application they have not explicitly agreed to has been installed. This category can also be used to classify other applications which in a certain context can be wanted e.g. remote administration tools or IRC clients.
Payload
No specific payload has been found.
Process activity
The PUP creates the following process(es):
Reader_sl.exe:1064
wuauclt.exe:344
jusched.exe:1056
%original file name%.exe:1252
The PUP injects its code into the following process(es):
coin-miner.exe:1708
%original file name%.exe:548
File activity
The process wuauclt.exe:344 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The PUP deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process jusched.exe:1056 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
The process coin-miner.exe:1708 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8TQZCTEZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E6OH474P\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R60LTPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8IVFQO3I\desktop.ini (67 bytes)
The process %original file name%.exe:548 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Mining\coin-miner.exe (55762 bytes)
The process %original file name%.exe:1252 makes changes in the file system.
The PUP creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (724 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (724 bytes)
Registry activity
The process Reader_sl.exe:1064 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process coin-miner.exe:1708 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 FA C7 66 DE CD 14 DF 9F 49 07 50 78 4B 07 B3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The PUP modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The PUP modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The PUP modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The PUP deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:548 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 07 C7 1E EA 33 B8 3F 5F EE C5 C9 5D E9 65 E5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Mining]
"coin-miner.exe" = "NPE File Analyzer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the PUP adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ASDBvecX" = "%Documents and Settings%\%current user%\Application Data\Mining\Mining.exe"
The PUP modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The PUP modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The PUP modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process %original file name%.exe:1252 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 53 0C 8E 99 60 5B 10 3A 38 31 AF 95 CB F8 C5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://192.40.57.179/sil1002/UFA.exe (Malicious) |  |
| getwork.mining.eligius.st | 192.40.57.166 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
wuauclt.exe:344
%original file name%.exe:1252 - Delete the original PUP file.
- Delete or disinfect the following files created/modified by the PUP:
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8TQZCTEZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\E6OH474P\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R60LTPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8IVFQO3I\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Mining\coin-miner.exe (55762 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (724 bytes)
%WinDir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (724 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ASDBvecX" = "%Documents and Settings%\%current user%\Application Data\Mining\Mining.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
