MD5: 5fc51b17977c56d7158e744f254bb2fa
SHA1: a9197dc78760886546d386ec7f5b0b253b1cb86f
SHA256: 6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8
SSDeep: 24576:ZhpOrzcwXRXk96ZcoexPoHhYBssWTmpA:ZSNXtkEcoGgGW6pA
Size: 970240 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Mindspark Interactive Network, Inc.
Created at: 2014-10-14 18:26:50
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2984
notepad .exe:1776
wscript.exe:1784

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FolderName\stres.bat (209 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FolderName\invs.vbs (78 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FolderName\rundll11-.txt (7345 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FolderName\mata2.bat (176 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\notepad .exe (112 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FolderName\mata.bat (73 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FolderName\mata2.bat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FolderName\invs.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FolderName\rundll11-.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FolderName\mata.bat (0 bytes)

The process notepad .exe:1776 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\no (34 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\9GPH0NJ1TN.exe (55 bytes)

The process wscript.exe:1784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FolderName\mata2.bat (4 bytes)

Registry activity

The process %original file name%.exe:2984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
The Trojan adds the reference to itself to be executed when a user logs on:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FolderName\file.exe"

The process notepad .exe:1776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\VB and VBA Program Settings\INSTALL\DATE]
"FAHL0QL9S9" = "October 7, 2017"

[HKCU\Software\VB and VBA Program Settings\SrvID\ID]
"FAHL0QL9S9" = "NC"

The process wscript.exe:1784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name: Red Gate Software Ltd
Product Name: .NET Reflector
Product Version: 8.3.3.115
Legal Copyright:
Legal Trademarks:
Original Filename: Reflector.exe
Internal Name: Reflector.exe
File Version: 8.3.3.115
File Description: .NET Reflector
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
dns.msftncsi.com	131.107.255.255
fearzen.is-leet.com
1fearzen.is-leet.com
2fearzen.is-leet.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

MSVBVM60.DLL

bss_server.usrReverseRelay

tmrWebHide

bss_server.Socket

bss_server.usrRelay

mswinsck.ocx

MSWinsockLib.Winsock

ieframe.dll

SHDocVwCtl.WebBrowser

WebBrowser

modLaunchWeb

%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB

C:\Windows\SysWOW64\ieframe.dll

winmm.dll

user32.dll

advapi32.dll

shell32.dll

kernel32.dll

avicap32.dll

advpack.dll

GetAsyncKeyState

SetWindowsHookExA

UnhookWindowsHookEx

GetKeyboardLayout

GetKeyboardState

GetKeyState

SHFileOperationA

CreatePipe

PSAPI.DLL

GetTcpTable

ExitWindowsEx

EnumWindows

WinInet.dll

DeleteUrlCacheEntryA

urlmon

URLDownloadToFileA

ShellExecuteA

keybd_event

AddMsg

CHAT_ADDMSG

VBA6.DLL

C:\Windows\SysWow64\msvbvm60.dll\3

ws2_32.dll

olepro32.dll

GdiplusShutdown

RemotePort

LocalPort

WSOCK32.DLL

RegCloseKey

RegOpenKeyExA

ntdll.dll

C:\Windows\SysWOW64\ieframe.oca

6tmrTCP

%Program Files% (x86)\Microsoft Visual Studio\VB98\mswinsck.oca

tmrUDP

UDPSocket

UDPFlood

ole32.dll

crypt32.dll

oleaut32.dll

RegOpenKeyA

FindNextUrlCacheEntryA

FindFirstUrlCacheEntryA

txtPassword

imgLoginPressed

imgLogin

RegCreateKeyA

RegDeleteKeyA

RegEnumKeyExA

gdi32.dll

FtpDownload

InternetOpenUrlA

FtpUpload

FtpGetFileA

FtpPutFileA

FtpSetCurrentDirectoryA

FtpGetCurrentDirectoryA

FtpOpenFileA

FtpGetFileSize

FtpDeleteFileA

FtpCreateDirectoryA

FtpRemoveDirectoryA

FtpRenameFileA

FtpGetDirectory

Http_DownloadFile

cmdShowfiles

msvbvm60.dll

tmrTCP

?8??8??8??8??8?

2>e%Xdq

uMsg

strMsg

MsgNum

AllMsgs

lngPort

URL_TARGET

Port

Password

WebURL

Returns/Sets the port to be connected to on the remote computer

Returns/Sets the port used on the local computer

Binds socket to specific port and adapter

Occurs after a send operation has completed

fearzen.is-leet.com

9GPH0NJ1TN.exe

2c49f800-c2dd-11cf-9ad6-0080c7e7b78d

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5

{00020404-0000-0000-C000-000000000046}

\nir_cmd.bss speak text

\nir_cmd.bss setsysvolume 65535

\nir_cmd.bss mutesysvolume 1

\nir_cmd.bss mutesysvolume 0

\nir_cmd.bss screensaver

\nir_cmd.bss monitor off

\nir_cmd.bss monitor on

PORT

TRANSFERPORT

\rsout.tmp

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\

Keylog

Wscript.Shell

HKEY_CLASSES_ROOT\HTTP\shell\open\command\

\winlogon.exe

iexplore.exe

ADVAPI32.dll

hXXp://VVV.facebook.com/?ref=home

hXXp://VVV.facebook.com

Windows Firewall/Internet Connection Sharing (ICS)

WebCamCapture

\Vuze\Azureus.exe

\LimeWire\LimeWire.exe

\uTorrent\uTorrent.exe

\uTorrent\uTorrent.exe /HIDE

\BitTorrent\bittorrent.exe

\MSWINSCK.OCX

\cmd.exe

\data.dat

\steam\steam.exe

nkey

dkey

regsvr32.exe

\pws_mail.bss

\pws_mess.bss

\pws_cdk.bss

\pws_ff.bss

\pws_chro.bss

\nir_cmd.bss

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "

:*:Enabled:Windows Messanger" /f

winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2

00000000

winmgmts:\\.\root\cimv2

Select * from Win32_Keyboard

api.ipinfodb.com

GET /v2/ip_query.php?key=

&timezone=off HTTP/1.1

Host: api.ipinfodb.com

GET /v2/ip_query_country.php?key=

Portable

WScript.Shell

winmgmts:\\.\root\SecurityCenter

\wallpaper.bmp

\wallpaper.jpg

WinServer 2003, Web Edition

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName

__oxFrame.class__

Scripting.FileSystemObject

Autorun.ini

{557CF401-1A04-11D3-9A73-0000F81EF32E}

{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}

Address family not supported by protocol family.

Operation already in progress.

Operation now in progress.

Socket operation on nonsocket.

Operation not supported.

Protocol family not supported.

Protocol not supported.

Socket type not supported.

Winsock.dll version out of range.

CSocketMaster.SocketExists

CSocketMaster.PostSocket

CSocketMaster.ConnectToIP

CSocketMaster.ResolveIfHostname

CSocketMaster.SendBufferedDataUDP

CSocketMaster.SendBufferedData

abe2869f-9b47-4cd9-a358-c22904dba7f7

/stext mess.dat

\mess.dat

/stext mail.dat

\mail.dat

/stext ffpw.dat

\ffpw.dat

Web Site

Password

/stext chro.dat

\chro.dat

Action URL

SOFTWARE\MICROSOFT\Windows NT\CurrentVersion

Windows

SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command

http\shell\open\command

127.0.0.1

\dump.txt

\uTorrent\uTorrent.exe /DIRECTORY

255.255.255.255

finalizarprocessoportas

CONNECT %s:%i HTTP/1.0

SOFTWARE\Classes\http\shell\open\command

Software\Classes\http\shell\open\command

Software\Microsoft\Windows NT\CurrentVersion\SystemRestore

code.is.a.winner

Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule

SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId

bps1.exe

bhookpl.dll

bnfa.exe

drvloadn.dll

drvloadx.dll

VNCHooks.dll

xr4tdwa.exe

shutdown.exe

TCnRawKeyBoard

HuntHTTPDownload

autorun.inf

hXXps://onlineeast#.bankofamerica.com

winlogon.exe

moz_logins

WEBCAMLIVE

explorer.exe

\system32\userinit.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

\system32\userinit.exe,

notepad.exe

steam.exe

hl.exe

\rspad.dat

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:2984
   notepad .exe:1776
   wscript.exe:1784

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FolderName\stres.bat (209 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FolderName\invs.vbs (78 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FolderName\rundll11-.txt (7345 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FolderName\mata2.bat (176 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\notepad .exe (112 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FolderName\mata.bat (73 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\no (34 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\9GPH0NJ1TN.exe (55 bytes)
   

4. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   "Shell" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FolderName\file.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.