Trojan.MSIL.Bladabindi.2_1c204760ef
Gen:Variant.Kazy.337644 (BitDefender), Trojan.DownLoader9.24700 (DrWeb), Gen:Variant.Kazy.337644 (B) (Emsisoft), Trojan-Ransom.Win32.Blocker (Ikarus), Gen:Variant.Kazy.337644 (FSecure), MSIL:Agent-BNK [Trj] (Avast), TROJ_FORUCON.BMC (TrendMicro), Trojan.MSIL.Bladabindi.2.FD, mzpefinder_pcap_file.YR, Sinowal.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Ransom, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 1c204760ef8450a1b963001938f6bafc
SHA1: e117323b30132cf5bd2a2ababa967a036556b077
SHA256: c8a2a51d72cd3bb5894d83511ad1c3ad183ea3a178928ec621a754d8dda4142d
SSDeep: 3072:S0 WomUrMtm720SIg20sFtPFW8f gB22lfn3fAtwhdt5XnLu1qyVEk0ghwhJ5U:vohrMtm/3gh2jB34tCdHXLurFb2h
Size: 245248 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: SummerSoft
Created at: 2014-02-12 18:47:15
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
javabeta15v2u3.exe:2160
nt32.exe:304
%original file name%.exe:256
%original file name%.exe:1820
The Trojan injects its code into the following process(es):
WScript.exe:1068
cvtres.exe:2440
nt32.exe:1628
javaan17v2u5.exe:2716
File activity
The process nt32.exe:1628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\NTKernel\javabeta15v2u3.exe (6500 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\Update.Microsoft.com.url (46 bytes)
C:\NTKernel\load32 (7972 bytes)
%Documents and Settings%\%current user%\My Documents\315load32.exe (1281 bytes)
%Documents and Settings%\All Users\Application Data\load32.exe (1281 bytes)
C:\NTKernel\javaan17v2u5.exe (2136 bytes)
%Documents and Settings%\All Users\Application Data\load32.vbs (873 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\load32.vbs (0 bytes)
The process %original file name%.exe:256 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\NTKernel\nt32.exe (1281 bytes)
Registry activity
The process javabeta15v2u3.exe:2160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 58 4E 3E 78 A8 B1 01 22 3D 16 2E 1D 01 1D 14"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process WScript.exe:1068 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 8C B0 F1 BE AA 71 EC 72 13 6C A4 D3 0B BC 93"
The process cvtres.exe:2440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 7A 78 50 F3 3A 57 A3 AD F8 56 EC 15 A4 38 23"
The process nt32.exe:1628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\NTKernel]
"javaan17v2u5.exe" = "HADMZTLER"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\NTKernel]
"javabeta15v2u3.exe" = "HADMZTLER"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nt32.exe]
"DisableExceptionChainValidation" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"shell" = "explorer.exe,%Documents and Settings%\All Users\Application Data\load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings]
"REG_DWORD" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F AA D4 C7 02 B6 48 7B 78 49 65 9A DC 59 F4 74"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKCU\Software\VB and VBA Program Settings\Microsoft\Sysinternals]
"version" = "-a scrypt -o stratum tcp://stratum2.dogechain.info:3333 -O praytous.user:x -t THREADS"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load" = "C:\NTKernel\nt32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe]
"Debugger" = "%Documents and Settings%\%current user%\My Documents\315load32.exe"
The following service is disabled:
[HKLM\System\CurrentControlSet\Services\Schedule]
"Start" = "4"
The Trojan modifies IE security-zone settings so that all local web nodes without dots that do not refer to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NT Kernel Service" = "C:\NTKernel\nt32.exe -rundll32 /SYSTEM32 C:\Windows\System32\taskmgr.exe %Program Files%\Microsoft\Windows"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The process nt32.exe:304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB A3 70 60 A4 10 C5 C7 6A 7A 0E 8D 42 40 7F 95"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process javaan17v2u5.exe:2716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 34 FD E5 1D 37 C4 D3 1E 57 4A 6E 2F 61 3D 8D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 36 41 0A A3 C4 01 E5 8B CE DE 5C 0A 22 63 2B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\NTKernel]
"nt32.exe" = "LUZESZI"
The Trojan modifies IE security-zone settings so that all local web nodes without dots that do not refer to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The process %original file name%.exe:1820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 BC EB 08 D5 C9 9A 29 36 81 36 4E D7 90 2B A5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://wwwhold.in/8/8/plas/gate.php | |
| hxxp://wwwhold.in/data/javabeta.exe | |
| hxxp://wwwhold.in/data/CPU.files | |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
javabeta15v2u3.exe:2160
nt32.exe:304
%original file name%.exe:256
%original file name%.exe:1820
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\NTKernel\javabeta15v2u3.exe (6500 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\Update.Microsoft.com.url (46 bytes)
C:\NTKernel\load32 (7972 bytes)
%Documents and Settings%\%current user%\My Documents\315load32.exe (1281 bytes)
%Documents and Settings%\All Users\Application Data\load32.exe (1281 bytes)
C:\NTKernel\javaan17v2u5.exe (2136 bytes)
%Documents and Settings%\All Users\Application Data\load32.vbs (873 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)
C:\NTKernel\nt32.exe (1281 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NT Kernel Service" = "C:\NTKernel\nt32.exe -rundll32 /SYSTEM32 C:\Windows\System32\taskmgr.exe %Program Files%\Microsoft\Windows"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.