Trojan.Generic.14550625_da28114acf
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.14550625 (B) (Emsisoft), Trojan.Generic.14550625 (AdAware), Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: da28114acfeadd3b2570acc7afbb8346
SHA1: fa69c1d8af73d0619d523aea0c27f0168aefe6f8
SHA256: a1d1ac6b726ce210e7a73e230a16f366ee17418162888124b9631f1256e5cb5e
SSDeep: 12288:Gzf1j558SeDGAOiCdUpSZYxt126xkDafMtV90QfYKbiazI4LSsp01IgQOvSGTqq2:Gzf1j4OUpSZYxT26xAafnYhLXfgHvSGG
Size: 983040 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-04-19 04:12:12
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:928
Mutexes
The following mutexes were created/opened (both are standard Windows mutexes, RasPbFile from RASAPI32's phonebook handling and ShimCacheMutex from the application-compatibility shim engine, so neither is specific to this sample or useful as an indicator):
RasPbFile
ShimCacheMutex
File activity
The process %original file name%.exe:928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ÖÿØÌ¨ÅäÖÃ.ini (28 bytes)
Registry activity
The process %original file name%.exe:928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry (the RNG Seed value is rewritten by CryptoAPI whenever a process draws random bytes, so this entry only shows that the Windows random number generator was used; it is not a persistence mechanism):
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 13 34 85 09 88 F9 E5 A0 9E 1E 67 93 22 85 F0"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: Chinese (Simplified, PRC)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 745108 | 745472 | 5.15126 | a413d8787ba03ebcf0a26b423dca3377 |
| .rdata | 749568 | 134340 | 135168 | 2.75461 | f84631b158d4e6c8346d4d564be52200 |
| .data | 884736 | 274600 | 69632 | 4.13998 | 807d8ccc04afa37fecdb9d4884fe6bc7 |
| .rsrc | 1163264 | 27320 | 28672 | 3.80959 | 11d0828bb76bd08cac3e9ba447c3588b |
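The hashes at the top of the report and the Section MD5 and Entropy columns in the table above can be regenerated from the file with the stdlib-only script below. It is an added example, not Lavasoft's tooling: it walks the COFF section table, hashes each section's raw bytes and computes Shannon entropy in bits per byte, and it runs on a constructed, non-loadable PE image (SAMPLE_PE) so that it works offline; replace SAMPLE_PE with the real file's bytes to check the table. The looks_packed threshold of 7.0 is a common rule of thumb and an assumption here, not the report's criterion. Note that the .text entropy of 5.15 listed above is in the range of uncompressed native code, while compressed or encrypted sections usually exceed 7, so the "Entropy: Packed" verdict and the UPolyXv05 PEiD match are weak signals on their own.

```python
"""Reproduce file hashes and per-section entropy/MD5 for a PE sections table (stdlib only)."""
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued data, 8.0 for uniform noise."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the whole file, as listed at the top of the report."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def pe_sections(data: bytes) -> list:
    """Walk the COFF section table and return name, VA, sizes, raw MD5 and entropy per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]  # bytes actually stored on disk for this section
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 5),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return sections


def looks_packed(sections: list, threshold: float = 7.0) -> bool:
    """Rule of thumb (assumption, not the report's rule): a non-empty section above ~7 bits/byte
    suggests compressed or encrypted content."""
    return any(s["entropy"] > threshold for s in sections if s["raw_size"])


def pseudo_random_bytes(n: int, seed: bytes = b"sample") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample_pe(section_blobs: list) -> bytes:
    """Assemble a minimal, non-loadable PE image around (name, bytes) sections.
    Constructed test input only; it is not the analysed sample."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: i386, N sections, no optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_blobs), 0, 0, 0, 0, 0x0102)
    headers_end = e_lfanew + 4 + 20 + 40 * len(section_blobs)
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF  # 512-byte file alignment
    first_raw_ptr, vaddr, table, body = raw_ptr, 0x1000, b"", b""
    for name, blob in section_blobs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(blob), vaddr,
                             len(blob), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += blob
        raw_ptr += len(blob)
        vaddr += (len(blob) + 0xFFF) & ~0xFFF  # 4 KiB section alignment
    image = dos + b"PE\0\0" + coff + table
    return image + b"\0" * (first_raw_ptr - len(image)) + body


# Constructed sample: one noise-like section, one ASCII text section, one zero-filled section.
SAMPLE_PE = build_sample_pe([
    (b".text", pseudo_random_bytes(4096)),
    (b".rdata", b"Hello, world!\r\n" * 100),
    (b".data", b"\0" * 2048),
])

if __name__ == "__main__":
    print(file_hashes(SAMPLE_PE))
    for s in pe_sections(SAMPLE_PE):
        print(f"{s['name']:<8} VA={s['virtual_address']:<8} VSize={s['virtual_size']:<8} "
              f"Raw={s['raw_size']:<8} H={s['entropy']:<8} md5={s['md5']}")
    print("packed?", looks_packed(pe_sections(SAMPLE_PE)))
```

The table's Virtual Address, Virtual Size and Raw Size columns are plain decimal byte counts, which is what pe_sections returns; the .data row's Virtual Size (274600) being much larger than its Raw Size (69632) is ordinary uninitialised data, not an anomaly.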
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
No server connections were observed during this run; the entries below are strings extracted from the binary and from the dumped memory region of %original file name%.exe:928. They do include HTTP request fragments (/api/xmlapi.asmx/Regin, /api/xmlapi.asmx/CardReCharge), WinHTTP and MSXML COM class names, an SMB path (\\192.168.1.9\D) and SMTP header templates, so the sample carries networking code that the sandbox did not exercise.
.text
.rdata
@.data
.rsrc
t%SVh
t$(SSh
~%UVW
u$SShe
kernel32.dll
user32.dll
ntdll.dll
CreateWindowStationA
CloseWindowStation
*.txt
D:\Program Files\
\TCLS\Client.exe
/api/xmlapi.asmx/Regin&AppCode=
hXXp://
[email protected]
Microsoft.XMLHTTP
MSXML2.ServerXMLHTTP
MSXML2.ServerXMLHTTP.6.0
WinHttp.WinHttpRequest.5.1
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
application/x-www-form-urlencoded
----11----
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
/api/xmlapi.asmx/CardReCharge&Referee=
\\192.168.1.9\D
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
RASAPI32.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
RegisterHotKey
UnregisterHotKey
USER32.dll
GetViewportOrgEx
GDI32.dll
WINMM.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
WS2_32.dll
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
%d%d%d
rundll32.exe shell32.dll,
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
(*.*)
1.0.0.0
(hXXp://VVV.eyuyan.com)
%original file name%.exe_928_rwx_00401000_000B6000:
t%SVh
t$(SSh
~%UVW
u$SShe
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\ÖÿØÌ¨ÅäÖÃ.ini (28 bytes)
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.