MD5: 57e322ea1909950f81ef558665cc5eaf
SHA1: 4f92f15f336093863b6995f49c67d6bda808aec8
SHA256: 604a9c5cd21f5636efc004f7178004b698d86bb37cb28267fc094ad6866daa9e
SSDeep: 6144:FyhUCZxzn6CTpXavJDsx1DhZAPQg0/g0AmGeWMMILU:AbLfJgRqSRoWMJQ
Size: 304809 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 2014-10-28 15:59:17
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1756

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

Registry activity

The process %original file name%.exe:1756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 9E 8B 94 94 56 55 2A B1 12 E2 AB 24 1B 0A 87"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Incredible Hulk
Product Name: Incredible Hulk
Product Version: 5.1.0.4
Legal Copyright: Incredible Hulk
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.1.0.4
File Description: Incredible Hulk
Comments: Incredible Hulk
Language: Chinese (Simplified, PRC)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 12
910de0e4d00fe6527c14b633d1d2b57c
37eaea331d800b0a4124b6bb0a41cfca
3efe1ea6068a4a45360741d895cbc51a
470d9ad98033043285d8c7f1c5328b0f
2cbe2d0697b21ca778504fcf71886a89
f9cf4f5641268f06d8d2ab37a41059c2
00f8bac150c2abfca84fdd9477785fc9
e3aecf74356333f5510c7733f2a0b57c
a403b16c800f97b8c2bca29be90e5ed2
b5ad0c8f82e2ba87635873e5030ed132
d9010314b8fda9820fe1afb75fd7f257
0095fd475e452c7a430ba281e8bc0b01

URLs

URL	IP
hxxp://url.0755look.com/tj.asp?uid=	123.57.37.211

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /tj.asp?uid= HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: url.0755look.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 02 Dec 2014 05:30:13 GMT

Server: Microsoft-IIS/6.0

Content-Length: 219

Content-Type: text/html

Set-Cookie: ASPSESSIONIDAASQSDAT=OBCKODACIKPEDDAKGCBIBKCK; path=/

Cache-control: private
<script src="hXXp://s6.cnzz.com/stat.php?id=1253455661&web_id=12534
55661" language="JavaScript"></script>..<br>..<scrip
t language="javascript" type="text/javascript" src="hXXp://js.users.51
.la/17394416.js"></script>..

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

.adata

t$(SSh

~%UVW

u$SShe

ole32.dll

kernel32.dll

hXXp://url.2bkan.com/url.asp

WinHttp.WinHttpRequest.5.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Content-Type: application/x-www-form-urlencoded

@hXXp://url.2bkan.com/ip.asp

%Program Files%\

63476321

inflate 1.1.3 Copyright 1995-1998 Mark Adler

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

user32.dll

RASAPI32.dll

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

GetProcessHeap

WinExec

KERNEL32.dll

GetKeyState

USER32.dll

GetViewportOrgEx

GDI32.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

OLEAUT32.dll

COMCTL32.dll

oledlg.dll

WSOCK32.dll

HttpQueryInfoA

HttpSendRequestA

HttpOpenRequestA

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

(*.htm;*.html)|*.htm;*.html

X-X-X-X-X-X

1.1.3

;3 #>6.&

'2, / 0&7!4-)1#

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCOleDispatchException@@

.PAVCArchiveException@@

zcÁ

"%local server IP%"

c:\%original file name%.exe

The procedure entry point %s could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

rasapi32.dll

winmm.dll

ws2_32.dll

gdi32.dll

winspool.drv

advapi32.dll

shell32.dll

oleaut32.dll

comctl32.dll

wininet.dll

<assemblyIdentity version="1.0.0.0" name=".add"/>

<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />

(*.*)

5.1.0.4

%original file name%.exe_1756_rwx_004EA000_00002000:

kernel32.dll

user32.dll

The procedure entry point %s could not be located in the dynamic link library %s

The ordinal %u could not be located in the dynamic link library %s

rasapi32.dll

iphlpapi.dll

winmm.dll

ws2_32.dll

gdi32.dll

winspool.drv

advapi32.dll

shell32.dll

ole32.dll

oleaut32.dll

comctl32.dll

oledlg.dll

wininet.dll

comdlg32.dll

InternetCanonicalizeUrlA

<assemblyIdentity version="1.0.0.0" name=".add"/>

<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />

5.1.0.4

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.