Trojan.GenericKD.1686648_119419b9a6
Trojan.MSIL.Citron.bqh (Kaspersky), Trojan.GenericKD.1686648 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 119419b9a6913dab07d26a5031c016b9
SHA1: 0d87e94afdebdc3ba7aa47e9b4e4311732289553
SHA256: 88cab2128ae1f84a2083e10c3967c83be59c4a80edb5b1b91d7246183014cb7f
SSDeep: 3072:idoz3ENhns7D91hQx2X/o54UBkpjy0QkopzzRfBE9XTMXegE:6oLEPs7ThQvX/oHBkpBQVRfG9DMug
Size: 181248 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2014-05-19 02:52:09
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
WScript.exe:1848
WScript.exe:1516
x32.exe:1716
x32.exe:480
%original file name%.exe:1072
nt32.exe:384
nt32.exe:1380
nt32.exe:1672
nt32.exe:1008
The Trojan injects its code into the following process(es):
%original file name%.exe:1832
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process x32.exe:480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\NTKernel\nt32.exe (673 bytes)
The Trojan deletes the following file(s):
C:\NTKernel\nt32.exe (0 bytes)
The process %original file name%.exe:1832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\Update.Microsoft.com.url (65 bytes)
%Documents and Settings%\All Users\Application Data\load32.vbs (901 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
C:\NTKernel\nt32.exe (673 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\load32.vbs (0 bytes)
The process nt32.exe:1380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\load32.exe (673 bytes)
C:\NTKernel\x32.exe (4046 bytes)
%Documents and Settings%\%current user%\My Documents\315load32.exe (673 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\All Users\Application Data\load32.vbs (873 bytes)
Registry activity
The process WScript.exe:1848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 73 37 71 90 BC 15 B2 E1 43 8F 4A 05 D9 B0 40"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data]
"load32.exe" = "load32"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan sets the IE security-zone option that includes all local (intranet) sites not listed in other zones in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan sets the IE security-zone option that includes all network paths (UNCs) in the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan sets the IE security-zone option that includes all sites that bypass the proxy server in the Intranet Zone:
"ProxyBypass" = "1"
All three values are also the default Local intranet settings on this platform, so these writes are weak evidence on their own. The same holds for the RNG Seed, Shell Folders and MountPoints2 values above, which ordinary API calls (random-number generation, folder lookups, drive enumeration) update as a side effect.
The process WScript.exe:1516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 25 26 53 AC 5D C7 F0 BD 5C E2 7C 61 4E 7F 67"
The process x32.exe:1716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 22 26 27 3C 33 94 03 BE 5A F6 93 2D 4E 73 5F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process x32.exe:480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 4A A4 21 A8 6A B8 6E 27 DF E1 2C 73 3D 4D 3D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan sets the IE security-zone option that includes all network paths (UNCs) in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the IE security-zone option that includes all local (intranet) sites not listed in other zones in the Intranet Zone:
"IntranetName" = "1"
The Trojan sets the IE security-zone option that includes all sites that bypass the proxy server in the Intranet Zone:
"ProxyBypass" = "1"
The process %original file name%.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings]
"REG_DWORD" = "1"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\NTKernel]
"nt32.exe" = "Cheaaoi Medsits"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 7C E1 D0 5E 93 A8 06 18 3A BD 96 6C 41 0D 55"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The following service (Task Scheduler) is disabled; Start = 4 is SERVICE_DISABLED:
[HKLM\System\CurrentControlSet\Services\Schedule]
"Start" = "4"
The Trojan sets the IE security-zone option that includes all network paths (UNCs) in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the IE security-zone option that includes all sites that bypass the proxy server in the Intranet Zone:
"ProxyBypass" = "1"
To run itself each time a user logs on, the Trojan adds the following autorun entry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NT Kernel Service" = "c:\%original file name%.exe -rundll32 /SYSTEM32 C:\Windows\System32\taskmgr.exe %Program Files%\Microsoft\Windows"
The Trojan sets the IE security-zone option that includes all local (intranet) sites not listed in other zones in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The process %original file name%.exe:1072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 99 CA 1F D0 38 5B 5C C6 66 48 77 6E 7B 2F 5A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process nt32.exe:384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 31 7F 59 24 BC 0C 23 05 36 D8 9D 9A 4B 78 28"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process nt32.exe:1380 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry. Most of them are Image File Execution Options "debugger" entries for security tools (antivirus GUIs and services, Wireshark, ComboFix, HijackThis, KeyScrambler, and rstrui.exe, the System Restore UI). Windows starts the named debugger in place of the requested program, so any attempt to launch one of those tools runs 315load32.exe instead. The DisableExceptionChainValidation entry for nt32.exe itself turns SEHOP off for the Trojan's own image:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastUI.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nt32.exe]
"DisableExceptionChainValidation" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings]
"REG_DWORD" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastSvc.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\NTKernel]
"x32.exe" = "Sysinternals Autoruns"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 F5 F5 80 00 E3 6F 7A 97 31 CF B4 40 C7 10 A2"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
The Trojan also registers itself in the legacy Win.ini "load" entry, which Windows starts at logon:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "C:\NTKernel\nt32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
The following service (Task Scheduler) is disabled; Start = 4 is SERVICE_DISABLED:
[HKLM\System\CurrentControlSet\Services\Schedule]
"Start" = "4"
The Trojan sets the IE security-zone option that includes all network paths (UNCs) in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the IE security-zone option that includes all sites that bypass the proxy server in the Intranet Zone:
"ProxyBypass" = "1"
To run itself each time a user logs on, the Trojan adds the following autorun entry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NT Kernel Service" = "C:\NTKernel\nt32.exe -rundll32 /SYSTEM32 C:\Windows\System32\taskmgr.exe %Program Files%\Microsoft\Windows"
The Trojan also sets the per-user Winlogon shell so that its dropped copy starts alongside explorer.exe at logon:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,%Documents and Settings%\All Users\Application Data\load32.exe"
The Trojan sets the IE security-zone option that includes all local (intranet) sites not listed in other zones in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The process nt32.exe:1672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD C2 56 DA 6E 8D 7D 2C C9 75 9D FA 06 41 72 DE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process nt32.exe:1008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 EE C2 A1 04 98 24 5F 3C 74 0F 6D 2C 8B 6C C3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
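The registry section above mixes a few writes that matter (IFEO debugger hijacks, the Run key, the Winlogon Shell and Win.ini "load" entries, System Restore and Task Scheduler being switched off) with many that any process produces through ordinary API calls. The script below is an added example, not part of the report or of Lavasoft's tooling: it parses lines in the report's own layout, drops the known noise, and labels the rest. The key-matching rules and the category names are my own choices; the SAMPLE text is constructed from entries listed above, not read from a live system, so the script runs offline.

```python
"""Triage the registry writes in a sandbox report (added example, not part of
the report or of Lavasoft's tooling). Parses the report's own `[KEY]` /
`"name" = "value"` layout, drops writes that ordinary API calls produce, and
labels the rest by what they achieve. SAMPLE below is constructed from the
entries listed above, not read from a live system, so this runs offline.
"""
import re
from dataclasses import dataclass

# Keys written as a side effect of normal system behaviour (CryptGenRandom
# reseeding, SHGetFolderPath caching, drive enumeration, default zone switches).
NOISE_KEYS = (
    r'\\Cryptography\\RNG$',
    r'\\Explorer\\Shell Folders$',
    r'\\Explorer\\MountPoints2\\',
    r'\\Internet Settings\\ZoneMap$',
)

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VAL_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"(?P<value>.*)"$')


@dataclass(frozen=True)
class Finding:
    category: str
    key: str
    name: str
    value: str


def parse(report: str):
    """Yield (key, name, value) triples in report order."""
    key = None
    for raw in report.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            yield key, m.group('name'), m.group('value')


def classify(key: str, name: str, value: str):
    """Return a category string, or None for writes worth dropping."""
    k, n = key.lower(), name.lower()
    if '\\image file execution options\\' in k:
        if n == 'debugger':
            return 'execution-hijack'   # `value` runs instead of the target exe
        if n == 'disableexceptionchainvalidation':
            return 'defence-evasion'    # SEHOP switched off for that image
    if k.endswith(('\\currentversion\\run', '\\currentversion\\runonce')):
        return 'persistence'
    if k.endswith('\\winlogon') and n in ('shell', 'userinit'):
        return 'persistence'
    if k.endswith('\\windows nt\\currentversion\\windows') and n in ('load', 'run'):
        return 'persistence'            # legacy win.ini load=/run= entries
    if k.endswith('\\systemrestore') and n == 'disablesr' and value == '1':
        return 'defence-evasion'
    if k.endswith('\\services\\schedule') and n == 'start' and value == '4':
        return 'defence-evasion'        # Task Scheduler service disabled
    if k.endswith('\\explorer\\advanced') and n == 'showsuperhidden' and value == '0':
        return 'defence-evasion'        # keep protected OS files hidden
    if any(re.search(p, key, re.IGNORECASE) for p in NOISE_KEYS):
        return None
    return 'review'                     # unknown write, keep for the analyst


def triage(report: str):
    """De-duplicated list of Finding objects, noise removed."""
    seen, findings = set(), []
    for key, name, value in parse(report):
        cat = classify(key, name, value)
        item = (cat, key, name, value)
        if cat is None or item in seen:
            continue
        seen.add(item)
        findings.append(Finding(*item))
    return findings


# Constructed sample: a handful of the writes listed above for nt32.exe:1380.
SAMPLE = r'''
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 F5 F5 80 00 E3 6F 7A 97 31 CF B4 40 C7 10 A2"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe]
"debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nt32.exe]
"DisableExceptionChainValidation" = ""
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "C:\NTKernel\nt32.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NT Kernel Service" = "C:\NTKernel\nt32.exe -rundll32 /SYSTEM32 C:\Windows\System32\taskmgr.exe"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,%Documents and Settings%\All Users\Application Data\load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = "1"
[HKLM\System\CurrentControlSet\Services\Schedule]
"Start" = "4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\NTKernel]
"x32.exe" = "Sysinternals Autoruns"
'''

if __name__ == '__main__':
    for f in triage(SAMPLE): print(f'{f.category:17} {f.key}\\{f.name} = {f.value!r}')
```

The specific rules run before the noise filter on purpose: a write under a normally noisy key still surfaces if a rule recognises it, and anything unmatched lands in "review" rather than being silently dropped, which is where entries such as the MUICache strings (they record the description of every binary the user shell launched) end up.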
Dropped PE files
| MD5 | File path |
|---|---|
| cc09531c28d6056daea06f5b34f1c785 | c:\NTKernel\nt32.exe |
| cc09531c28d6056daea06f5b34f1c785 | c:\NTKernel\x32.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Teoaeo
Product Name: Cheiuss
Product Version: 5.5.5.6
Legal Copyright: Copyright (c) 2014 Teoaeo Corporation
Legal Trademarks: Teoaeo Corporation
Original Filename: win32.exe
Internal Name: win32.exe
File Version: 5.5.5.6
File Description: Cheaaoi Medsits
Comments: Douiooioi Dirsee Glouei Gugniii Jeoieo
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 178100 | 178176 | 5.44563 | 9b84d461046b30391c44bf61ebf333c7 |
| .rsrc | 188416 | 1624 | 2048 | 2.79328 | 65478004c074f5fec58846afcaa068b9 |
| .reloc | 196608 | 12 | 512 | 0.070639 | c1b1b8ea22f05b71967473fb3b919960 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://furysro.com/Plasma/gate.php | |
| hxxp://internetincomeengine.net/x1.exe | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN Trojan Generic - POST To gate.php with no referer
ET TROJAN W32.Blackshades/Shadesrat Backdoor CnC Beacon
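The first verdict names the traffic shape it fired on: a POST to gate.php with no Referer header, which is how a bot check-in differs from a browser submitting a form on the same site. The code below is an added example, not the Emerging Threats rule text and not part of the report: it is a simplified re-implementation of that shape over raw HTTP requests. The three requests at the bottom are constructed to resemble traffic to the first URL above; nothing is sent on the network.

```python
"""Flag HTTP requests of the shape behind the "POST To gate.php with no
referer" alert above (added example, a simplified re-implementation of what
the alert name describes, not the Emerging Threats rule). Sample requests
are constructed, not captured."""


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b'\r\n\r\n')
    request_line, *header_lines = head.split(b'\r\n')
    parts = request_line.split(b' ')
    if len(parts) != 3:
        raise ValueError('malformed request line')
    method, target, _version = parts
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(b':')
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def is_gate_beacon(raw: bytes) -> bool:
    """True for a POST whose path ends in /gate.php and that has no Referer."""
    try:
        method, target, headers, _ = parse_request(raw)
    except ValueError:
        return False            # not parseable as HTTP: not our shape
    # Strip any query string; works for origin-form (/Plasma/gate.php) and
    # absolute-form (http://host/Plasma/gate.php) request targets alike.
    path = target.split(b'?', 1)[0].lower()
    return (method == b'POST'
            and path.endswith(b'/gate.php')
            and b'referer' not in headers)


# Constructed samples (not captured traffic).
BEACON = (b'POST /Plasma/gate.php HTTP/1.1\r\n'
          b'Host: furysro.com\r\n'
          b'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)\r\n'
          b'Content-Type: application/x-www-form-urlencoded\r\n'
          b'Content-Length: 3\r\n'
          b'\r\n'
          b'x=1')

FORM_POST = (b'POST /Plasma/gate.php HTTP/1.1\r\n'
             b'Host: furysro.com\r\n'
             b'Referer: http://furysro.com/Plasma/index.php\r\n'
             b'Content-Length: 3\r\n'
             b'\r\n'
             b'x=1')

GET_REQ = (b'GET /Plasma/gate.php?x=1 HTTP/1.1\r\n'
           b'Host: furysro.com\r\n'
           b'\r\n')

if __name__ == '__main__':
    for label, req in (('beacon', BEACON), ('form', FORM_POST), ('get', GET_REQ)):
        print(label, is_gate_beacon(req))
```

A Referer is trivial for malware to add, so this shape catches careless families rather than careful ones; the value of the check is that a legitimate browser form post to a page on the same site nearly always carries one, which keeps the false-positive rate low.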
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
WScript.exe:1848
WScript.exe:1516
x32.exe:1716
x32.exe:480
%original file name%.exe:1072
nt32.exe:384
nt32.exe:1380
nt32.exe:1672
nt32.exe:1008
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\NTKernel\nt32.exe (673 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\Update.Microsoft.com.url (65 bytes)
%Documents and Settings%\All Users\Application Data\load32.vbs (901 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\All Users\Application Data\load32.exe (673 bytes)
C:\NTKernel\x32.exe (4046 bytes)
%Documents and Settings%\%current user%\My Documents\315load32.exe (673 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NT Kernel Service" = "c:\%original file name%.exe -rundll32 /SYSTEM32 C:\Windows\System32\taskmgr.exe %Program Files%\Microsoft\Windows"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NT Kernel Service" = "C:\NTKernel\nt32.exe -rundll32 /SYSTEM32 C:\Windows\System32\taskmgr.exe %Program Files%\Microsoft\Windows"
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,%Documents and Settings%\All Users\Application Data\load32.exe"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "C:\NTKernel\nt32.exe"
- Delete the "debugger" value under every [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<tool>.exe] key listed for nt32.exe:1380 above (wireshark.exe, bdagent.exe, msseces.exe, ComboFix.exe and the rest), and remove the [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nt32.exe] key. Until the debugger values are gone, launching any of those tools starts 315load32.exe instead.
- Restore the settings the Trojan changed: set "DisableSR" back to 0 under [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore], and set "Start" under [HKLM\System\CurrentControlSet\Services\Schedule] back to 2 (Automatic, the Windows XP default) so the Task Scheduler service runs again.
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.