Trojan.Agent.BAVS_adfb52ba22
Trojan.Win32.Bublik.bhit (Kaspersky), Trojan.Agent.BAVS (B) (Emsisoft), Trojan.Agent.BAVS (AdAware), Trojan-PSW.Win32.Zbot.4.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: adfb52ba22284932e5bf79c1e8b01417
SHA1: 8264e2dcad2e7d5a9eef9fe82301013499b34668
SHA256: 810064f821c577e9f391d81f39bb429452efb9524e4c79ec51b5d8ceb7b777bb
SSDeep: 768:N/ybgNcFXvtdgI2MyzNtRQtOflIwoHNV2XBFV72B4lA7Ps2Z 7r:AtdgI2MyzNtRQtOflIwoHNV2XBFV72Bc
Size: 25296 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Plus HD.2
Created at: 2013-10-08 16:57:56
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
hhgnrddkjee.exe:1788
hhcbrnaff.exe:1388
rayl.exe:940
%original file name%.exe:556
The Trojan injects its code into the following process(es):
Explorer.EXE:532
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process hhgnrddkjee.exe:1788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\TIT8460.bat (185 bytes)
%Documents and Settings%\%current user%\Application Data\Izryir\rayl.exe (3566 bytes)
The process hhcbrnaff.exe:1388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hhgnrddkjee.exe (1774 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dt8[1].exe (1774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (0 bytes)
The process rayl.exe:940 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (5400 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (4764 bytes)
The process %original file name%.exe:556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\hhcbrnaff.exe (25 bytes)
Registry activity
The process hhgnrddkjee.exe:1788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 35 F7 49 BB 1B 80 43 74 BE 9C 1F 49 48 57 57"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process hhcbrnaff.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"hhgnrddkjee.exe" = "hhgnrddkjee"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 CF 26 A0 29 DB CD 3E 16 6F E1 FA C0 39 67 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process rayl.exe:940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 C7 E5 EC 9B 7C B1 85 B9 E6 CD 55 87 E2 A5 A0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Zoerhuj]
"342jdh85" = "4xCU 1raT6mtmQ=="
The process %original file name%.exe:556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 7F 02 DB 2D A7 30 10 7A EC 08 C1 2E 89 F0 26"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"hhcbrnaff.exe" = "hhcbrnaff"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| 26c59a8d0ebc1f304923de82872d3142 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Izryir\rayl.exe |
| 88a92eaffe034010dc3e17356eb34b6a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\hhcbrnaff.exe |
| f4f6cf2c7a3afd5c43843a634893ddf4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dt8[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in WININET.dll:
HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
The Trojan installs the following user-mode hooks in CRYPT32.dll:
PFXImportCertStore
The Trojan installs the following user-mode hooks in USER32.dll:
GetClipboardData
TranslateMessage
The Trojan installs the following user-mode hooks in Secur32.dll:
DecryptMessage
SealMessage
DeleteSecurityContext
The Trojan installs the following user-mode hooks in WS2_32.dll:
WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW
The Trojan installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtCreateThread
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 2061 | 2560 | 3.83284 | 46430537b1eaa73d4632226de8087e08 |
| .data | 8192 | 4663 | 5120 | 3.22469 | c8366ac8021ccb4a0d19ead9545a7513 |
| .idata | 16384 | 3778 | 4096 | 4.05016 | 6449bb0f2e994c6f6eb34b54bf179f15 |
| .rsrc | 20480 | 12096 | 12288 | 3.94572 | eb72c3fdb537d9d67b0105547171221d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 17
f5c09a7242c1627e0776288e42e529fb
33f06ae249f66fcbe0b2510a97bacfff
e722ebd7a6fe1412e92ebb5305475176
72b1439c35b791ed666fd3c0bbdc702a
734200fa1cedf5ac85833e45ceeb04b7
561cdb5263874b4f1ee35744a4628be0
e982497697c4462244adb690b018fd48
d11230efbd0a8202d91b3542199a83d7
1db60b32cabc3db9f95c9e8c798f9bfc
4636b74d72674aa14ada3f2d87b2f586
efdd231a3e65fabdd3bb0ceee19e986c
b50bc156922054bd718b5e97f04503e9
71dc3937e84d2b6b945250ed29ea754a
007d53db63751ff2be985f0c06abb9f9
28403d11faef847d137441cc36905f4e
8a371a161bf6235d384024d7b0075a35
e7a52394c1cca84833327eb2b69e5208
URLs
| URL | IP |
|---|---|
| hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
| hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt | |
| warehousesale.com.my | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Request (sent by the Trojan) and response, as captured by the sandbox:

```text
GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=8459
Date: Wed, 06 Aug 2014 12:07:51 GMT
Connection: keep-alive
X-CCC: NL
X-CID: 2

1401CF3DB40B609892
```

Raw response stream as recorded by the sandbox (non-printable bytes rendered as dots):

```text
1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 18..Cache-Control: max-age=8459..Date: Wed, 06 Aug 2014 12:07:51 GMT..Connection: keep-alive..X-CCC: NL..X-CID: 2..1401CF3DB40B609892..
```
The Trojan connects to the servers at the following location(s):
.text
`.data
.reloc
Invalid parameter passed to C runtime function.
0123456789
6$7,747<7
gdiplus.dll
GdiplusShutdown
userenv.dll
del "%s"
if exist "%s" goto d
del /F "%s"
HTTP/1.1
RegDeleteKeyExW
>.-0298,>9;{ OlzhjkeYLbzlh`t
7* 37 0&0
* 13.701.
REPORT
hXXp://VVV.google.com/
hXXp://VVV.bing.com/
t.Ht$HHt
m9.td
ntdll.dll
KERNEL32.dll
GetKeyboardState
MsgWaitForMultipleObjects
ExitWindowsEx
USER32.dll
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegFlushKey
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
PathIsURLW
UrlUnescapeA
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
Secur32.dll
ole32.dll
GDI32.dll
WS2_32.dll
CertDeleteCertificateFromStore
CertOpenSystemStoreW
CertCloseStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
PFXExportCertStoreEx
PFXImportCertStore
CRYPT32.dll
HttpSendRequestExA
HttpQueryInfoA
InternetCrackUrlA
HttpOpenRequestA
HttpEndRequestA
HttpAddRequestHeadersA
WININET.dll
OLEAUT32.dll
NETAPI32.dll
IPHLPAPI.DLL
VERSION.dll
msvcrt.dll
zcÁ
9$9,949<9
3#3(343{3\StringFileInfo\xx\%s
launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
kernel32.dll
"%s" %s
/c "%s"
c.tmp
Wadvapi32.dll
shell32.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s
urlmon.dll
cabinet.dll
%Documents and Settings%\%current user%\Application Data
%Documents and Settings%\%current user%\Local Settings\Application Data
Global\{3D6E1BE3-083C-4088-F013-F140DE00D252}
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
hhgnrddkjee.exe:1788
hhcbrnaff.exe:1388
rayl.exe:940
%original file name%.exe:556
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\TIT8460.bat (185 bytes)
%Documents and Settings%\%current user%\Application Data\Izryir\rayl.exe (3566 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hhgnrddkjee.exe (1774 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab1.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar2.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dt8[1].exe (1774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (5400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hhcbrnaff.exe (25 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.