Trojan-Downloader.Win32.Genome.sljx_879c7e7e22

by malwarelabrobot on April 15th, 2018 in Malware Descriptions.

Trojan-Downloader.Win32.Genome.sljx (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Program.Unwanted.713 (DrWeb), RDN/Generic Downloader.x (McAfee), Trojan.Gen.8!cloud (Symantec), PCBackup (AVG), Win32:Dropper-gen [Drp] (Avast), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 879c7e7e22d623bef2c3dcf229587ed3
SHA1: beeab9afd77b73b5902ce33c5bf20f6d3308d9d7
SHA256: b0ed84eefe6cdc2177adf5043c1f268e28787d0a0181dd2efc6dba294eeaebc8
SSDeep: 3072:AQIURTXJ4i45J/IE3OZtFcY4VpbZtyvVP0Trvy2u7qZi5JvQO96Cv5koBay:AsGi6qZtGYiZqdP0q2uOZ8vN5xkm
Size: 168805 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Downloader: a Trojan program that downloads files from the Internet without the user's knowledge and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan-Downloader creates the following process(es):

6900d4d659db44a2b0bf9c9bac21b7ab538272.exe:3140
%original file name%.exe:2300

The Trojan-Downloader injects its code into the following process(es):

OLBPre.exe:160

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process 6900d4d659db44a2b0bf9c9bac21b7ab538272.exe:3140 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Program Files%\OLBPre\OLBPre.exe.config (203 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg6470.tmp\nsSCM.dll (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg6470.tmp\ns655B.tmp (14 bytes)
%Program Files%\OLBPre\es_ES.mo (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg6470.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk (987 bytes)
%Program Files%\OLBPre\de_DE.mo (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb6450.tmp (98130 bytes)
%Program Files%\OLBPre\brand.jdat (17848 bytes)
%Program Files%\OLBPre\it_IT.mo (1856 bytes)
%Program Files%\OLBPre\pt_PT.mo (2392 bytes)
%Program Files%\OLBPre\LinqBridge.dll (1856 bytes)
C:\Users\"%CurrentUserName%"\Desktop\MyPC Backup.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg6470.tmp\AccessControl.dll (20 bytes)
%Program Files%\OLBPre\fr_FR.mo (2392 bytes)
%Program Files%\OLBPre\uninst.exe (1854 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg6470.tmp\nsRandom.dll (808 bytes)
%Program Files%\OLBPre\OLBPre.exe (73138 bytes)

The Trojan-Downloader deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg6470.tmp\nsSCM.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg6470.tmp\AccessControl.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg6470.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg6470.tmp\nsExec.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg6470.tmp\ns655B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsl643F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg6470.tmp\nsRandom.dll (0 bytes)

The process OLBPre.exe:160 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Program Files%\OLBPre\state.jdat (746 bytes)
%Program Files%\OLBPre\aff.jdat (130 bytes)
%Program Files%\OLBPre\LinqBridge.dll (61 bytes)

The process %original file name%.exe:2300 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw5A24.tmp\NSISdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb59F4.tmp (5446 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Settings_3409.dat (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\6900d4d659db44a2b0bf9c9bac21b7ab538272.exe (144319 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aff.conf (473 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Readme_9997.txt (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw5A24.tmp\nsRandom.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw5A24.tmp\LogEx.dll (1597 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UserGuide_5355.pdf (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\log.txt (610 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw5A24.tmp\nsJSON.dll (15 bytes)

The Trojan-Downloader deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw5A24.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\6900d4d659db44a2b0bf9c9bac21b7ab538272.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb59F3.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw5A24.tmp\nsRandom.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw5A24.tmp\LogEx.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw5A24.tmp\NSISdl.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw5A24.tmp\nsJSON.dll (0 bytes)

Registry activity

The process 6900d4d659db44a2b0bf9c9bac21b7ab538272.exe:3140 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OLBPre]
"HelpLink" = "http://support.mypcbackup.com"
"UninstallString" = "%Program Files%\OLBPre\uninst.exe"
"Publisher" = "MyPC Backup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OLBPre]
"DisplayName" = "MyPC Backup"
"DisplayIcon" = "%Program Files%\OLBPre\uninst.exe"
"DisplayVersion" = ""
"URLInfoAbout" = "http://www.mypcbackup.com"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ose00000.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg6470.tmp\nsSCM.dll,"

The Trojan-Downloader deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
e5cc3997457cd365e43c19f0f9110148 c:\Program Files\OLBPre\LinqBridge.dll
e69318b530a6c44e62eeda56b900b1de c:\Program Files\OLBPre\OLBPre.exe
f3e2bfc9e6fc7da87167a1cbe6a9c4a4 c:\Program Files\OLBPre\uninst.exe
62efa7b730eb0523a026ea4325403b77 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg6470.tmp\nsSCM.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23130 23552 4.44841 0bc2ffd32265a08d72b795b18265828d
.rdata 28672 4496 4608 3.59163 f179218a059068529bdb4637ef5fa28e
.data 36864 110488 1024 3.26405 975304d6dd6c4a4f076b15511e2bbbc0
.ndata 147456 53248 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 200704 16544 16896 4.13364 53fbbcbad7e303dab1b5d096832493ae

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 657

URLs

URL IP
hxxp://backupgrid.net/?partner_id=1&hash=none&tid=none&dl=MyPCBackup_ppi_Setup.exe
hxxp://url.fortifi.zone/none/download_ppi/none?installer=MyPCBackup_ppi_Setup.exe
hxxp://backupgrid.jdibackup.netdna-cdn.com/MyPCBackup_ppi_Setup.exe
track.backupgrid.net 35.201.95.250
cdn.backupgrid.net 94.31.29.41
link.mypcbackup.com 107.178.247.140


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

GET /MyPCBackup_ppi_Setup.exe HTTP/1.0
Host: cdn.backupgrid.net
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Sat, 14 Apr 2018 09:22:58 GMT
Content-Type: application/octet-stream
Content-Length: 2146708
Connection: close
x-amz-id-2: sq/FBqPaTDocKM/gFUvP rVvPFexRIstzbMK02y47mZvCONpo2jcQB9HVczXEUm EcIb/9Ma0RA=
x-amz-request-id: CD12C01AA7951AAA
Last-Modified: Thu, 13 Apr 2017 18:55:31 GMT
ETag: "f9044bbf0bc653c378400b9b1338c52c"
Server: NetDNA-cache/2.2
X-Cache: HIT

<<< skipped >>>

GET /?partner_id=1&hash=none&tid=none&dl=MyPCBackup_ppi_Setup.exe HTTP/1.0
Host: track.backupgrid.net
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.0 302 Moved Temporarily
Server: nginx/1.10.3
Date: Sat, 14 Apr 2018 09:22:58 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: SESSID=ntd132vdbtup3ghuk5bni9ilm4; path=/; domain=.backupgrid.net
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: rgisanonymous=false; expires=Mon, 14-May-2018 09:22:58 GMT; Max-Age=2592000
Set-Cookie: rguserid=9e15a18f-6708-49ff-981e-48ece5347720; expires=Mon, 14-May-2018 09:22:58 GMT; Max-Age=2592000
Set-Cookie: rguuid=true; expires=Mon, 14-May-2018 09:22:58 GMT; Max-Age=2592000
Set-Cookie: rgisanonymous=true; expires=Mon, 14-May-2018 09:22:58 GMT; Max-Age=2592000
Access-Control-Allow-Origin: hXXp://VVV.backupgrid.net
location: hXXp://link.mypcbackup.com/none/download_ppi/none?installer=MyPCBackup_ppi_Setup.exe
X-Frontend: track.backupgrid.net
Via: 1.1 google


GET /none/download_ppi/none?installer=MyPCBackup_ppi_Setup.exe HTTP/1.0
Host: link.mypcbackup.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.0 302 Found
Server: nginx
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, private
Date: Sat, 14 Apr 2018 09:22:58 GMT
Location: hXXp://cdn.backupgrid.net/MyPCBackup_ppi_Setup.exe
X-Content-Type-Options: nosniff
Access-Control-Allow-Origin: *
X-Execution-Time: 14.096 ms
Via: 1.1 google
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0; url=hXXp://cdn.backupgrid.net/MyPCBackup_ppi_Setup.exe" />
        <title>Redirecting to hXXp://cdn.backupgrid.net/MyPCBackup_ppi_Setup.exe</title>
    </head>
    <body>
        Redirecting to <a href="hXXp://cdn.backupgrid.net/MyPCBackup_ppi_Setup.exe">hXXp://cdn.backupgrid.net/MyPCBackup_ppi_Setup.exe</a>.
    </body>
</html>


The Trojan-Downloader connects to the servers at the following location(s):



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    6900d4d659db44a2b0bf9c9bac21b7ab538272.exe:3140
    %original file name%.exe:2300

  2. Delete the original Trojan-Downloader file.
  3. Delete or disinfect the following files created/modified by the Trojan-Downloader:

    %Program Files%\OLBPre\OLBPre.exe.config (203 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg6470.tmp\nsSCM.dll (13 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg6470.tmp\ns655B.tmp (14 bytes)
    %Program Files%\OLBPre\es_ES.mo (2392 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg6470.tmp\nsExec.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk (987 bytes)
    %Program Files%\OLBPre\de_DE.mo (2392 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb6450.tmp (98130 bytes)
    %Program Files%\OLBPre\brand.jdat (17848 bytes)
    %Program Files%\OLBPre\it_IT.mo (1856 bytes)
    %Program Files%\OLBPre\pt_PT.mo (2392 bytes)
    %Program Files%\OLBPre\LinqBridge.dll (1856 bytes)
    C:\Users\"%CurrentUserName%"\Desktop\MyPC Backup.lnk (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg6470.tmp\AccessControl.dll (20 bytes)
    %Program Files%\OLBPre\fr_FR.mo (2392 bytes)
    %Program Files%\OLBPre\uninst.exe (1854 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg6470.tmp\nsRandom.dll (808 bytes)
    %Program Files%\OLBPre\state.jdat (746 bytes)
    %Program Files%\OLBPre\aff.jdat (130 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw5A24.tmp\NSISdl.dll (30 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb59F4.tmp (5446 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Settings_3409.dat (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\6900d4d659db44a2b0bf9c9bac21b7ab538272.exe (144319 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aff.conf (473 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Readme_9997.txt (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw5A24.tmp\nsRandom.dll (808 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw5A24.tmp\LogEx.dll (1597 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\UserGuide_5355.pdf (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\log.txt (610 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw5A24.tmp\nsJSON.dll (15 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
