Trojan.Win32.IEDummy_d96c419563
Trojan.Win32.IEDummy.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: d96c41956306df5e81e3a5ef413dd4ef
SHA1: 13eeb289b2f024d94b0bb48f28954dd93293bbdd
SHA256: 1451d1ff6826f13450873767534857590dd62cf5ff502a8f4afb12bd8be122a9
SSDeep: 98304:U1BZdOT3gk62FJD7mGtpi4vtpydBDAjBirCp331WAO2aQg/ld:UDO8NKmr4vewUrCF1zOlQg/ld
Size: 4480928 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPXv0896v102v105v122Delphistub, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:464
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
Registry activity
The process %original file name%.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\ProgID]
"(Default)" = "d96c41956306df5e81e3a5ef413dd4ef.DynamicNS"
[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}]
"(Default)" = "DynamicNS"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
"CategoryCount" = "16"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKCR\d96c41956306df5e81e3a5ef413dd4ef.DynamicNS\Clsid]
"(Default)" = "{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKCR\d96c41956306df5e81e3a5ef413dd4ef.DynamicNS]
"(Default)" = "DynamicNS"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\d96c41956306df5e81e3a5ef413dd4ef\DEBUG]
"Trace Level" = ""
[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\LocalServer32]
"(Default)" = "c:\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 7E 62 48 E6 A2 35 4E 16 3A 2A 99 E2 D7 18 FB"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Internet Explorer]
"iexplore.exe" = "Internet Explorer"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\d96c41956306df5e81e3a5ef413dd4ef\DEBUG]
"Trace Level"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name:
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description:
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 3072000 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 3076096 | 3067904 | 3064832 | 5.47945 | bc5547e2e9a84385840e03c9434f4ef7 |
| .rsrc | 6144000 | 28672 | 26112 | 3.56985 | 99354acfc5ff0c1006e67d596d7e6ddd |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 49
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
Traffic
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:464
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.