Trojan.GenericKD.3601336_ecee6bdb18

by malwarelabrobot on October 28th, 2016 in Malware Descriptions.

Trojan-Dropper.Win32.Dinwod.abqn (Kaspersky), Trojan.GenericKD.3601336 (B) (Emsisoft), Trojan.GenericKD.3601336 (AdAware), Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: ecee6bdb1863954f4904ac3e5bc43050
SHA1: 74fe615183aff1f61ff5813fc2685a14a829e8c4
SHA256: 1f61871319e505f0e5042f48517c5f5bc90f0421f3e004433bafc643731dda37
SSDeep: 12288:8F4cmsnYXGTxamTnNifcbm42mRT1cEY5turxo5 0YmXYyzx/NeuzO5ZP4S6PV3av:8ycmsnYXGTxamTnNifcbm42mRT1cj5te
Size: 782336 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Micronames Corp.
Created at: 2016-09-26 13:22:32
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3264

The Trojan injects its code into the following process(es):

carss.exe:3300

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\mk\carss.exe (5441 bytes)

Registry activity

The process carss.exe:3300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\carss_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e0-73-f1]
"WpadDecision" = "0"
"WpadDecisionTime" = "00 52 3E 57 73 30 D2 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\carss_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\carss_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\carss_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e0-73-f1]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\carss_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\carss_RASAPI32]
"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\carss_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3A 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\carss_RASMANCS]
"MaxFileSize" = "1048576"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MokaKZ" = "C:\Windows\mk\carss.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process %original file name%.exe:3264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\ecee6bdb1863954f4904ac3e5bc43050_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\ecee6bdb1863954f4904ac3e5bc43050_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{E549E976-C5F2-4E77-819D-55BC9B7C25BC}"

[HKLM\SOFTWARE\Microsoft\Tracing\ecee6bdb1863954f4904ac3e5bc43050_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E549E976-C5F2-4E77-819D-55BC9B7C25BC}]
"WpadDecisionTime" = "F0 E6 DD 5A 73 30 D2 01"

[HKLM\SOFTWARE\Microsoft\Tracing\ecee6bdb1863954f4904ac3e5bc43050_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e0-73-f1]
"WpadDecision" = "3"
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0B 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E549E976-C5F2-4E77-819D-55BC9B7C25BC}]
"WpadDecision" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e0-73-f1]
"WpadDecisionTime" = "F0 E6 DD 5A 73 30 D2 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E549E976-C5F2-4E77-819D-55BC9B7C25BC}]
"WpadNetworkName" = "Network 2"

[HKLM\SOFTWARE\Microsoft\Tracing\ecee6bdb1863954f4904ac3e5bc43050_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\ecee6bdb1863954f4904ac3e5bc43050_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 39 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\ecee6bdb1863954f4904ac3e5bc43050_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\ecee6bdb1863954f4904ac3e5bc43050_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E549E976-C5F2-4E77-819D-55BC9B7C25BC}]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\ecee6bdb1863954f4904ac3e5bc43050_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\ecee6bdb1863954f4904ac3e5bc43050_RASMANCS]
"EnableFileTracing" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MokaKZ" = "C:\Windows\mk\carss.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: moka
Product Name: moka_server
Product Version: 16.9.25.1030
Legal Copyright: ???????/???????????,????????.??????????????????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 16.9.25.1030
File Description: Client Mocha Server Runtime Process
Comments: Client Mocha Server Runtime Process
Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	567321	569344	5.15282	8229a316eb839a21ccf0f6208ab00206
.rdata	573440	113870	114688	3.24974	68557383f749829424528410d40a47ab
.data	688128	320234	69632	4.33107	a283025d770f9f8f80efdcad228d40f6
.rsrc	1011712	24012	24576	3.55799	0204e12e256f16f683478759679df517

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://cdn.sp.cdntip.com/ic.asp
hxxp://1212.ip138.com/ic.asp	110.53.246.43

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /ic.asp HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: 1212.ip138.com

Cache-Control: no-cache


HTTP/1.1 200 OK

Server: Microsoft-IIS/6.0

Connection: keep-alive

Date: Thu, 27 Oct 2016 16:58:36 GMT

Content-Type: text/html

Content-Length: 219

X-Powered-By: ASP.NET

Set-Cookie: ASPSESSIONIDQATRCBCB=FNI

GET /ic.asp HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: 1212.ip138.com

Cache-Control: no-cache


HTTP/1.1 200 OK

Server: Microsoft-IIS/6.0

Connection: keep-alive

Date: Thu, 27 Oct 2016 16:58:28 GMT

Content-Type: text/html

Content-Length: 219

X-Powered-By: ASP.NET

Set-Cookie: ASPSESSIONIDSCSQCBDB=AHABJHFAOABMLCAGMFALGMHD; path=/

X-Daa-Tunnel: hop_count=1
<html>..<head>..<meta http-equiv="content-type" content
="text/html; charset=gb2312">..<title> ....IP.... </title&
gt;..</head>..<body style="margin:0px"><center>....I
P....[194.242.96.218] ............</center></body></htm
l>HTTP/1.1 200 OK..Server: Microsoft-IIS/6.0..Connection: keep-aliv
e..Date: Thu, 27 Oct 2016 16:58:28 GMT..Content-Type: text/html..Conte
nt-Length: 219..X-Powered-By: ASP.NET..Set-Cookie: ASPSESSIONIDSCSQCBD
B=AHABJHFAOABMLCAGMFALGMHD; path=/..X-Daa-Tunnel: hop_count=1..<htm
l>..<head>..<meta http-equiv="content-type" content="text/
html; charset=gb2312">..<title> ....IP.... </title>..&l
t;/head>..<body style="margin:0px"><center>....IP....[1
94.242.96.218] ............</center></body></html>..

The Trojan connects to the servers at the folowing location(s):

carss.exe_3300:

.text

.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

{E5000198-4471-40e2-92BC-D0BA075BDBB2}

127.0.0.1:10086##*&*&*&*&*&*&&*&*&*&*&*&*&*&*&*&*&

@*$2018@*$

*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#**#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#**#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*

\mk\carss.execarss.exe

hXXp://1212.ip138.com/ic.asp

mk\carss.exe

software\microsoft\windows\CurrentVersion\Run\MokaKZ

WEB&*&

\mk.bat

>>admin_mk.txt

\admin_mk.txt

.comment {color:green}

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

MSWHEEL_ROLLMSG

__MSVCRT_HEAP_SELECT

user32.dll

RASAPI32.dll

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

GetProcessHeap

WinExec

GetWindowsDirectoryA

KERNEL32.dll

GetKeyState

SetWindowsHookExA

UnhookWindowsHookEx

ExitWindowsEx

USER32.dll

GetViewportOrgEx

GDI32.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegCreateKeyA

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

ole32.dll

OLEAUT32.dll

COMCTL32.dll

WSOCK32.dll

HttpQueryInfoA

HttpSendRequestA

HttpOpenRequestA

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

<tr><td bgcolor=buttonface>Y</td><td bgcolor=white>%d</td></tr>

<tr><td bgcolor=buttonface>X</td><td bgcolor=white>%d</td></tr>

<tr><td bgcolor=buttonface>Height</td><td bgcolor=white>%d</td></tr>

<tr><td bgcolor=buttonface>Width</td><td bgcolor=white>%d</td></tr>

<tr><td bgcolor=buttonface>RECT</td><td bgcolor=white>(%d, %d)-(%d, %d)</td></tr>

<tr><td bgcolor=buttonface>Styles</td><td bgcolor=white>0xX</td></tr>

<tr><td bgcolor=buttonface>Control ID</td><td bgcolor=white>%d</td></tr>

<tr><td bgcolor=buttonface>Handle</td><td bgcolor=white>0xX</td></tr>

<table><tr><td><icon handle=0x%X></td><td>%s</td></tr></table>

burlywood

\winhlp32.exe

VVV.dywt.com.cn

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÁ

<meta http-equiv="content-type" content="text/html; charset=gb2312">

[194.242.96.218]

C:\Windows\mk\carss.exe

#include "l.chs\afxres.rc" // Standard components

(*.*)

16.9.25.1030

carss.exe_3300_rwx_00401000_0008B000:

t$(SSh

~%UVW

u$SShe

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

%original file name%.exe:3264
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

C:\Windows\mk\carss.exe (5441 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MokaKZ" = "C:\Windows\mk\carss.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.