MD5: cd702de3af3e1aab6981a9ee5f205a39
SHA1: c67cd551622dda386158d68d57d132ae97df66d3
SHA256: d8091791250f2a2990ecff528baadce4bb572773aaf958ce6f7b836daf805159
SSDeep: 6144:oIcwchYhOX pd1bEz2s7ETRhEgoJCqrnxQmUMggh:oIVwYUX pd167QhEXoRMd
Size: 266240 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, UPolyXv05_v6
Company: no certificate found
Created at: 2015-04-08 18:28:47
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:388
%original file name%.exe:1784

The Trojan injects its code into the following process(es):

svchost.exe:540
iexplore.exe:668

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1784 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\InstallDir\Server.exe (1425 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\((Mutex)).cfg (2 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)

Registry activity

The process %original file name%.exe:388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 94 1F 91 17 7B 43 46 CD 62 FD 2C EA CB 73 5C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:1784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 03 E6 18 E6 41 83 0B 8C F6 15 56 0D 26 0B 73"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}]
"StubPath" = "%System%\InstallDir\Server.exe restart"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\((Mutex))]
"InstalledServer" = "%System%\InstallDir\Server.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\((Mutex))]
"ServerStarted" = "7/13/2016 12:01:43 PM"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%System%\InstallDir\Server.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%System%\InstallDir\Server.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Essentials
Product Name: Essentials
Product Version: 2.3.3.0
Legal Copyright: Copyright (c) Product 2014
Legal Trademarks:
Original Filename: zym20042105031_Lib.exe
Internal Name: zym20042105031_Lib.exe
File Version: 2.3.3.0
File Description: Essentials
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512

svchost.exe_540_rwx_00C80000_00016000:

`.rsrc

Portions Copyright (c) 1999,2003 Avenger by NhT

Kernel32.dll

ntdll.dll

kernel32.dll

789:;<&'()* ,-./12345

user32.dll

urlmon.dll

wininet.dll

advapi32.dll

Shell32.dll

shell32.dll

shlwapi.dll

KWindows

UnitKeylogger

GetWindowsDirectoryW

GetProcessHeap

RegOpenKeyExW

RegCreateKeyExW

RegCreateKeyW

RegCloseKey

FindExecutableW

ShellExecuteW

SHDeleteKeyW

URLDownloadToFileW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

GetKeyboardState

FtpPutFileW

FtpSetCurrentDirectoryW

DeleteUrlCacheEntryW

.idata

.rdata

P.reloc

P.rsrc

?URLDr

KERNEL32.DLL

oleaut32.dll

PSAPI.dll

x.html

explorer.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunOnce

Software\Microsoft\Windows NT\CurrentVersion\Windows

explorer.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

[Execute]

KeyDelBackspace

XtremeKeylogger

hXXp://

.functions

ÞFAULTBROWSER%

\Microsoft\Windows\

svchost.exe

desifre460.ddns.net

Server.exe

\{5460C4DF-B266-909E-CB58-E32B79832EB2}

PTF.ftpserver.com

ftpuser

ftppass

%System%\InstallDir\Server.exe

%System%\InstallDir\

%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\((Mutex)).cfg

Software\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}

iexplore.exe_668:

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.Fg

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

8888880

8887080

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

iexplore.exe_668_rwx_00C80000_00016000:

`.rsrc

Portions Copyright (c) 1999,2003 Avenger by NhT

Kernel32.dll

ntdll.dll

kernel32.dll

789:;<&'()* ,-./12345

user32.dll

urlmon.dll

wininet.dll

advapi32.dll

Shell32.dll

shell32.dll

shlwapi.dll

KWindows

UnitKeylogger

GetWindowsDirectoryW

GetProcessHeap

RegOpenKeyExW

RegCreateKeyExW

RegCreateKeyW

RegCloseKey

FindExecutableW

ShellExecuteW

SHDeleteKeyW

URLDownloadToFileW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

GetKeyboardState

FtpPutFileW

FtpSetCurrentDirectoryW

DeleteUrlCacheEntryW

.idata

.rdata

P.reloc

P.rsrc

?URLDr

KERNEL32.DLL

oleaut32.dll

PSAPI.dll

x.html

explorer.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunOnce

Software\Microsoft\Windows NT\CurrentVersion\Windows

explorer.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

[Execute]

KeyDelBackspace

XtremeKeylogger

hXXp://

.functions

ÞFAULTBROWSER%

\Microsoft\Windows\

svchost.exe

desifre460.ddns.net

Server.exe

\{5460C4DF-B266-909E-CB58-E32B79832EB2}

PTF.ftpserver.com

ftpuser

ftppass

%System%\InstallDir\Server.exe

%System%\InstallDir\

%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\((Mutex)).cfg

Software\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}

c:\%original file name%.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:388
   %original file name%.exe:1784
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %System%\InstallDir\Server.exe (1425 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Windows\((Mutex)).cfg (2 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "HKCU" = "%System%\InstallDir\Server.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "HKLM" = "%System%\InstallDir\Server.exe"

5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.