Trojan.Downloader.JRBX_0d97c8ce7b
not-a-virus:AdWare.Win32.MultiPlug.nbjn (Kaspersky), Trojan.Downloader.JRBX (B) (Emsisoft), Trojan.Downloader.JRBX (AdAware)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
The sample has been submitted by Lavasoft customers.
MD5: 0d97c8ce7b242e73c4cb5eab619354ab
SHA1: e55ba6c89c94662e2858dcfe417b15c38cfccb7e
SHA256: c5973df8f4d4d3484be7ad8eb5aef27f95af0780831eeb3c639f4f7442d12b5f
SSDeep: 24576:jJVL0poEy2kMxOg25jc40saulajKz3Fz9Fpc/:jJl0popHjcb/89jg/
Size: 872448 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-02-17 14:58:33
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:308
Mutexes
The following mutexes were created/opened:
RasPbFile
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ShimCacheMutex
File activity
The process %original file name%.exe:308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\c8cAa97CF\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c8cAa97CF\images\progressbar.gif (588 bytes)
Registry activity
The process %original file name%.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"
[HKCR\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCR\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32]
"(Default)" = "c:\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "c:\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0]
"(Default)" = "JSIELib"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCR\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib]
"(Default)" = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "c:\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 14 D1 06 28 4A 87 7F C7 62 F3 4D 96 73 47 85"
[HKCR\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCR\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR]
"(Default)" = "c:"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"
[HKCR\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}]
"(Default)" = "ITinyJSObject"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"
[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"
The Trojan modifies IE security-zone settings so that all local web-nodes without dots that do not belong to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Of The
Product Name: Mineral Usual
Product Version: 1.0.0.8
Legal Copyright: All rights reserved for Of The LTD.
Legal Trademarks:
Original Filename: active-boot-disk.exe
Internal Name: active-boot-disk.exe
File Version: 5.1.3.3
File Description: Or Past
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 135168 | 132608 | 4.661 | 04debfc21317b5fcdd6bfce16a5d01e3 |
| .data | 139264 | 90112 | 81408 | 5.48056 | 2fdfd311f9ce294362f86df1d10fa89a |
| .rdata | 229376 | 643072 | 639488 | 5.52097 | c4d4aec5869674cce1644990e267e083 |
| .rsrc | 872448 | 12288 | 10752 | 3.19975 | 22ff9e8291d4b727b4d5ab1bfdcf01ae |
| .reloc | 884736 | 8192 | 7168 | 3.81129 | d741828edf64f6e411e002fd52f030bf |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 8
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\c8cAa97CF\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\c8cAa97CF\images\progressbar.gif (588 bytes)
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.