Trojan.Generic.17283692_943253e069
Trojan.Win32.Inject.aafkb (Kaspersky), Trojan.Generic.17283692 (B) (Emsisoft), Trojan.Generic.17283692 (AdAware), Backdoor.Win32.Farfli.FD, Backdoor.Win32.PcClient.FD (Lavasoft MAS)
Behaviour: Trojan, Backdoor
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 943253e069fd6ceecf3468ff30701892
SHA1: 96cb7e8af6c9977dd245e9199ab133c1c6589728
SHA256: 35d013427faa0e16e78b1b164f896cc78cc4dc3e0eebf0174e9daf5516c63bdb
SSDeep: 12288:SQfXWJsW7lerECtu4aLgbqu6khVc0qI7oe3gPqWelbKS2K732LZRvdNCxx9eSG:SQv perrOUj6k7ZqC30jSTj2L3X4qS
Size: 983040 bytes
File type: EXE
Platform: WIN32
Entropy: Probably Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-08-22 07:01:48
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
wscript.exe:1144
%original file name%.exe:1552
rundll32.exe:1824
dJNOYcYKDVGJgUUWgCJhC.cmd:344
dumprep.exe:204
dumprep.exe:1416
The Trojan injects its code into the following process(es):
svchost.exe:1176
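The process list above is a typical self-extractor chain: the sample unpacks into %Temp%\IXP000.TMP, runs a dropped PE that carries a .cmd extension, that process launches wscript.exe and rundll32.exe, and the injected svchost.exe never appears as a child of anything. The detection logic below, run over constructed process-creation events, is an added example and not part of the Lavasoft report; the parent PIDs, user name and full paths are assumptions, since the report records only image names and PIDs.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 field names), mirroring the
# process chain in the report. Parent PIDs and full paths are assumptions: the report
# itself lists only image names and PIDs.
EVENTS = [
    {"pid": 1552, "ppid": 1000,
     "image": r"C:\Documents and Settings\user\Desktop\sample.exe"},
    {"pid": 344, "ppid": 1552,
     "image": r"C:\Documents and Settings\user\Local Settings\Temp\IXP000.TMP"
              r"\dJNOYcYKDVGJgUUWgCJhC.cmd"},
    {"pid": 1144, "ppid": 344, "image": r"C:\WINDOWS\system32\wscript.exe"},
    {"pid": 1824, "ppid": 344, "image": r"C:\WINDOWS\system32\rundll32.exe"},
    {"pid": 1176, "ppid": 668, "image": r"C:\WINDOWS\system32\svchost.exe"},
    {"pid": 204, "ppid": 1176, "image": r"C:\WINDOWS\system32\dumprep.exe"},
]

# wextract/IExpress packages unpack into %Temp%\IXP<nnn>.TMP and register a
# RunOnce wextract_cleanup<n> value that deletes that directory, so anything
# *executed* from there is worth flagging while the evidence still exists.
WEXTRACT_TEMP = re.compile(r"\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)
SCRIPT_EXTENSIONS = (".cmd", ".bat", ".vbs", ".js", ".txt")
# Script hosts and DLL loaders commonly used as the next stage of a dropper.
LOLBINS = {"wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events) -> dict:
    """Return {pid: [finding, ...]} for every process-creation event that hit a rule."""
    findings = defaultdict(list)
    for ev in events:           # events must be in creation order for the parent check
        image = ev["image"]
        if WEXTRACT_TEMP.search(image):
            findings[ev["pid"]].append("executed-from-wextract-temp")
        if basename(image).endswith(SCRIPT_EXTENSIONS):
            # A genuine .cmd runs inside cmd.exe, so the image would be cmd.exe. A process
            # whose image *is* a .cmd file is a renamed PE, which is what the report's
            # "Dropped PE files" table shows for this sample.
            findings[ev["pid"]].append("pe-with-script-extension")
        if basename(image) in LOLBINS and ev["ppid"] in findings:
            findings[ev["pid"]].append("lolbin-child-of-flagged-process")
    return dict(findings)


def suspicious_pids(events) -> list:
    return sorted(analyze(events))


if __name__ == "__main__":
    for pid, hits in analyze(EVENTS).items():
        print(pid, hits)
```

Run stand-alone it flags PID 344 on both rules and its two LOLBin children. svchost.exe:1176 and the dumprep.exe processes are not flagged, and rightly so: injection leaves no trace in process-creation telemetry. On this page its only footprint is the pair of svchost.exe crash dumps written by dumprep.exe, so a rule like this needs to be paired with remote-thread or memory-region events to catch the stage that matters.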
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\dJNOYcYKDVGJgUUWgCJ (803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\cAcVVLEUOOiP (5524 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\dJNOYcYKDVGJgUUWgCJhC.cmd (13304 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\dJNOYcYKDVGJgUUWgCJ (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\cAcVVLEUOOiP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\dJNOYcYKDVGJgUUWgCJhC.cmd (0 bytes)
The process dJNOYcYKDVGJgUUWgCJhC.cmd:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\dJNOYcYKDVGJgUUWgCJ (48 bytes)
%Documents and Settings%\%current user%\Application Data\cAcVVLEUOOiP (1425 bytes)
%Documents and Settings%\%current user%\Application Data\dJNOYcYKDVGJgUUWgCJhC.cmd (5441 bytes)
The process dumprep.exe:204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WER8feb.dir00\svchost.exe.mdmp (65793 bytes)
The process dumprep.exe:1416 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\WER8feb.dir00\svchost.exe.hdmp (117780 bytes)
Note: dumprep.exe is the Windows XP error-reporting dump tool, and these two files are the mini and heap crash dumps of svchost.exe, the process the Trojan injected into (svchost.exe:1176). They show that the injected code crashed in the sandbox rather than being Trojan payload files, although the .hdmp is a useful artifact for recovering the injected code.
Registry activity
The process wscript.exe:1144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry (the Cryptography\RNG "Seed" writes and the Explorer MountPoints2 and Shell Folders entries recorded throughout this section are routine side effects of CryptoAPI and shell API calls, not Trojan configuration or persistence):
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA A1 84 18 26 A5 36 AC A9 85 9D 5C ED 7F 41 33"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:1552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 8E D1 65 76 39 E8 E7 1B BB C9 25 2E 7B C5 DF"
The process also writes the following RunOnce value. This is the standard cleanup entry of the Windows self-extractor (wextract.exe, used by IExpress packages), not a persistence mechanism for the Trojan: on the next boot it calls advpack.dll's DelNodeRunDLL32 to delete the temporary extraction directory %Temp%\IXP000.TMP, which also removes the dropped first-stage files listed above. The sample is therefore a self-extracting package; the injected svchost.exe code carries strings for the Run keys and an %AppData%\Microsoft\{GUID}\dd4b21e9.exe path (see the memory strings further down), but no Run value was recorded being written in this run.
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
The Trojan deletes the following value(s) in system registry:
The self-extractor removes its own cleanup entry once it has finished with the temporary directory, so the value is normally gone by the time extraction completes:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"
The process rundll32.exe:1824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 0D B4 3A E3 F0 A3 52 F9 D0 7D 3B 19 A7 2B 4E"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"svchost.exe" = "Generic Host Process for Win32 Services"
[HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility]
"AppCompatCache" = "EF BE AD DE 60 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%System%]
"svchost.exe" = "EnableNXShowUI"
The svchost.exe entries in MUICache and AppCompatFlags\Layers are shell and application-compatibility bookkeeping written around the svchost.exe crash (the Layers value EnableNXShowUI relates to DEP/NX fault handling), not persistence; together with the crash dumps above they are consistent with the injected svchost.exe hitting a DEP violation.
The process dJNOYcYKDVGJgUUWgCJhC.cmd:344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 3D 18 C8 2D 7A 9E EF 9C A5 33 35 41 C2 18 0E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process dumprep.exe:204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 7F 57 EC 16 ED BA 13 80 B3 E8 FE B6 ED 1F B7"
The process dumprep.exe:1416 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 D7 13 E9 F6 CA E1 10 24 27 22 81 E9 05 AF 4F"
Dropped PE files
| MD5 | File path |
|---|---|
| 71d8f6d5dc35517275bc38ebcc815f9f | c:\Documents and Settings\"%CurrentUserName%"\Application Data\dJNOYcYKDVGJgUUWgCJhC.cmd |
Despite its .cmd extension this file is a PE image, not a batch script: it runs as a process in its own right (dJNOYcYKDVGJgUUWgCJhC.cmd:344) rather than under cmd.exe, so checks keyed on file extension alone will misclassify it.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 26060 | 26112 | 4.42534 | ec6c00d0dbffd0aaf40d629cdc5fbbf7 |
| .data | 32768 | 6796 | 1024 | 2.20139 | 317f8a934ee443eee01c2a315bde9ca1 |
| .idata | 40960 | 4216 | 4608 | 3.49941 | d8675ba112ef922c6057a02546757a1a |
| .rsrc | 49152 | 945004 | 945152 | 4.8651 | 7072aa5de87724cdaee29b4bd6cbb9e2 |
| .reloc | 995328 | 5038 | 5120 | 2.58043 | 83de2f9b2c95be6fea06bced7e8a058e |
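The section table and the "Dropped PE files" entry above are the two static facts a triager can act on: the file is a PE whether or not its name says so, and its .rsrc section holds 945152 of 983040 bytes at an entropy of only 4.87, which is what the "Probably Packed" verdict rests on rather than on high entropy. The script below is an added example, not part of the Lavasoft report or its tooling: it parses a PE section table, computes per-section entropy and MD5 the way the table above presents them, and flags a PE with a script extension or an oversized .rsrc. The thresholds and the constructed sample image are assumptions made for the example.

```python
import hashlib
import math
import struct
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float
    md5: str


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def file_hashes(data: bytes) -> dict:
    """The three digests the report lists for the whole file."""
    return {h: hashlib.new(h, data).hexdigest() for h in ("md5", "sha1", "sha256")}


def is_pe(data: bytes) -> bool:
    """MZ stub whose e_lfanew points at a PE signature, regardless of file extension."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def parse_sections(data: bytes) -> list:
    """Walk the COFF section table; entropy and MD5 are over each section's raw bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # 4-byte signature + 20-byte COFF header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                   # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append(Section(name, vaddr, vsize, raw_size,
                                shannon_entropy(raw), hashlib.md5(raw).hexdigest()))
    return sections


# Thresholds are assumptions chosen for this example, not values from the report.
RESOURCE_RATIO = 0.5    # .rsrc holding over half the file: an embedded payload or CAB
HIGH_ENTROPY = 7.0      # compressed or encrypted section data
SCRIPT_EXTENSIONS = (".cmd", ".bat", ".vbs", ".js", ".txt")


def triage(filename: str, data: bytes) -> list:
    """Finding codes for one file; empty for anything that is not a PE image."""
    if not is_pe(data):
        return []
    findings = []
    if filename.lower().endswith(SCRIPT_EXTENSIONS):
        findings.append("pe-with-script-extension")   # a .cmd that is really an EXE
    for sec in parse_sections(data):
        if sec.name == ".rsrc" and sec.raw_size > RESOURCE_RATIO * len(data):
            findings.append("oversized-rsrc")
        if sec.entropy > HIGH_ENTROPY:
            findings.append(f"high-entropy-section:{sec.name}")
    return findings


def build_sample_pe(sections, file_align=0x200) -> bytes:
    """Constructed test input: a minimal PE32 (DOS stub, COFF header, section table,
    no optional header) carrying the given (name, body) sections. Parseable, not loadable."""
    e_lfanew, opt_size = 0x40, 0
    header_len = e_lfanew + 24 + opt_size + 40 * len(sections)
    first_raw = -(-header_len // file_align) * file_align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table, bodies, raw_ptr, vaddr = b"", b"", first_raw, 0x1000
    for name, body in sections:
        raw_size = -(-len(body) // file_align) * file_align
        table += name.encode("ascii").ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(body), vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        bodies += body.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += -(-raw_size // 0x1000) * 0x1000
    return (dos + coff + table).ljust(first_raw, b"\0") + bodies


# Same shape as the report's layout: a small .text and a .rsrc that is most of the
# file but only moderately random (the report's .rsrc entropy is 4.87, not 7+).
SAMPLE = build_sample_pe([
    (".text", bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10]) * 40),
    (".rsrc", bytes(range(16)) * 2048),
])

if __name__ == "__main__":
    print(file_hashes(SAMPLE))
    for s in parse_sections(SAMPLE):
        print(f"{s.name:8} va={s.virtual_address:#x} vsize={s.virtual_size} "
              f"raw={s.raw_size} entropy={s.entropy:.3f} md5={s.md5}")
    print(triage("dJNOYcYKDVGJgUUWgCJhC.cmd", SAMPLE))
```

The entropy rule never fires on the constructed sample, and it would not fire on the real one either: a self-extractor that stores its payload as a CAB in .rsrc sits well below a 7.0 threshold, so the size ratio is the signal. Point triage() at a file read with open(path, "rb") to use it on a real sample.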
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s): none were recorded in this run (the injected svchost.exe code carries a "%s:%u" format string, which suggests a host:port network component that was not exercised before the process crashed).
.text
.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512
svchost.exe_1176_rwx_000A9000_00001000:
%s:%u
svchost.exe_1176_rwx_000D5000_00003000:
.?AV?$TinyList@VWindowEntry@VNCWindows@@@@
{4A4286B0-3652-472E-937F-0BD1B35D4E5B}
%Documents and Settings%\%current user%\Application Data\Microsoft\{4A4286B0-3652-472E-937F-0BD1B35D4E5B}
%Documents and Settings%\%current user%\Application Data\Microsoft\{4A4286B0-3652-472E-937F-0BD1B35D4E5B}\dd4b21e9.exe
\??\%Documents and Settings%\%current user%\Application Data\Microsoft\{4A4286B0-3652-472E-937F-0BD1B35D4E5B}
%System%\wscript.exe
\REGISTRY\USER\S-1-5-21-1844237615-1960408961-1801674531-1003\SOFTWARE\Microsoft\Windows\CurrentVersion
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\REGISTRY\USER\S-1-5-21-1844237615-1960408961-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Run
\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion
%Documents and Settings%\%current user%\Application Data
%WinDir%\System32
svchost.exe_1176_rwx_01000000_00006000:
.text
.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512
rundll32.exe_1824:
.text
.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
There is not enough memory to run the file %s.
Please close other windows and try again.
The file %s or one of its components could not be opened.
The file %s or one of its components cannot run.
The file %s or one of its components requires a different version of Windows.
The file %s or one of its components cannot run in standard or enhanced mode Windows.
Another instance of the file %s is already running.
An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
Remove it with Ad-Aware
- Click here to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
wscript.exe:1144
%original file name%.exe:1552
rundll32.exe:1824
dJNOYcYKDVGJgUUWgCJhC.cmd:344
dumprep.exe:204
dumprep.exe:1416
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\dJNOYcYKDVGJgUUWgCJ (803 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\cAcVVLEUOOiP (5524 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\dJNOYcYKDVGJgUUWgCJhC.cmd (13304 bytes)
%Documents and Settings%\%current user%\Application Data\dJNOYcYKDVGJgUUWgCJ (48 bytes)
%Documents and Settings%\%current user%\Application Data\cAcVVLEUOOiP (1425 bytes)
%Documents and Settings%\%current user%\Application Data\dJNOYcYKDVGJgUUWgCJhC.cmd (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WER8feb.dir00\svchost.exe.mdmp (65793 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WER8feb.dir00\svchost.exe.hdmp (117780 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry); note that this is the self-extractor's own cleanup entry and is normally gone by the time extraction finishes, so also check the HKCU and HKLM ...\CurrentVersion\Run keys referenced by the injected code for entries pointing into %AppData%\Microsoft:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.