Trojan.Win32.Qkkbal_0e8e1c67c1

by malwarelabrobot on July 26th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Qkkbal.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 0e8e1c67c1332d53c07525be2029e135
SHA1: 7c4ddfbb1f296fd51dd4e3333eed99cc13f38f77
SHA256: 6765006ad3f0ff429a448283fa3652431da7e12e2ded9ab45f3999b0d0546859
SSDeep: 196608:oD841ymNvsL7JgPQ/Psxf0Cqh6NkAk6lgpWjR0eGIQvS:6EGvshfAf0C4Y t0217S
Size: 8903680 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-07-14 01:47:16
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:3452

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

Registry activity

The process %original file name%.exe:3452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\0e8e1c67c1332d53c07525be2029e135_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\0e8e1c67c1332d53c07525be2029e135_RASMANCS]
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\0e8e1c67c1332d53c07525be2029e135_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\0e8e1c67c1332d53c07525be2029e135_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\0e8e1c67c1332d53c07525be2029e135_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\0e8e1c67c1332d53c07525be2029e135_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\0e8e1c67c1332d53c07525be2029e135_RASAPI32]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: StrikeArena.ru
Product Name: Launcher SA
Product Version: 2.9.7.0
Legal Copyright: Copyright (c) 2015-2017
Legal Trademarks:
Original Filename: Launcher_SA.exe
Internal Name: Launcher_SA.exe
File Version: 2.9.7.0
File Description: Launcher SA
Comments: ??????? ??? ???? ? DayZ/Arma3
Language: Chinese (Simplified, PRC)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             104216        104448    4.67772  58734b6675a3a3616db28c1a3a544361
.rdata  110592           28084         28160     4.46592  5826801f33fc1b607aa8e942aa92e9fa
.data   139264           12480         5632      2.26145  2fe51a72ede820cd7cf55a77ba59b1f4
.rsrc   155648           8764072       8764416   5.50407  65ea183010938e8b849576b95c843184

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL                                                                 IP
hxxp://launcher.strikearena.ru/monitoring/index.php?launcher_v      95.46.8.60
hxxp://launcher.strikearena.ru/monitoring/launcher/Launcher_SA.exe  95.46.8.60


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (Launcher)
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Possible Windows executable sent when remote host claims to send a Text File

Traffic

GET /monitoring/index.php?launcher_v HTTP/1.1
User-Agent: Launcher
Host: launcher.strikearena.ru
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Tue, 25 Jul 2017 17:11:15 GMT
Content-Type: text/plain
Content-Length: 4
Connection: keep-alive
X-Powered-By: PHP/5.4.45-0 deb7u8
3.36HTTP/1.1 200 OK..Server: nginx/1.2.1..Date: Tue, 25 Jul 2017 17:11
:15 GMT..Content-Type: text/plain..Content-Length: 4..Connection: keep
-alive..X-Powered-By: PHP/5.4.45-0 deb7u8..3.36
....



GET /monitoring/launcher/Launcher_SA.exe HTTP/1.1

User-Agent: Launcher
Host: launcher.strikearena.ru


HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Tue, 25 Jul 2017 17:11:17 GMT
Content-Type: application/octet-stream
Content-Length: 8748544
Last-Modified: Sat, 22 Jul 2017 13:38:49 GMT
Connection: keep-alive
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~
,q.~2#.~?q.~...~ q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~..........
.......TsY....PE..L...t..P..........#................./.............@.
.................................;....................................
......P....`..8]......................................................
........@............................................text.............
.................. ..`.rdata...m.......n..................@..@.data...
.0... ......................@....rsrc...8]...`...^... ..............@.
.@....................................................................
......................................................................
......................................................................
......................................................................
......................................................................
.............................................D$.-......j...j.........j
.P....A...................A...~.%.........P............L$.2.A.....V.I.
..q......%....y.H.....@..1.....%....y.H.....@..q......%....y.H.....@..
q......%....y.H.....@......u.^................|$...L$.......SUVW.."...
2.3..D$ .3..D$....I......;.. ..t$ .......................y.J......BH;.
}.G.......D$..y.O...G..|2f....."....u.f;.u..L$..D$..........u..|$..u..
D$ ...D$.f...f.0E............D$...b..._^][.................SUV.....W3.
3..t$.C......y.K......C.\$.... ....t>%F..G%....y.H...@.........

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_3452:

.text
`.rdata
@.data
.rsrc
tGHt.Ht&
1.2.3
Visual C   CRT: Not enough memory to complete call to strerror.
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
USER32.DLL
KERNEL32.dll
ole32.dll
OLEAUT32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
zcÁ
c:\%original file name%.exe
%Uc[*#
.KPQQPTTTTTTTQTTTTYTUTTTWZZZ[___[ccaccccccgcb
/11158111
598>=81*
*783814-
1788881
18?8?8<1
188???81
 784886881111*
#'&*)***.*1118888AEEJc
<asmv1:assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="hXXp://VVV.w3.org/2001/XMLSchema-instance">
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
Windows
requestedExecutionLevel
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
<requestedExecutionLevel level="highestAvailable" uiAccess="false" />
requestedExecutionLevel.
Windows,
Windows
Windows Vista,
supportedOS-->
<!--<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>-->
Windows 7,
<!--<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>-->
Windows 8,
<!--<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>-->
Windows 8.1,
<!--<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>-->
Windows (Windows XP
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
mscoree.dll
KERNEL32.DLL
StrikeArena.ru
2.9.7.0
Launcher_SA.exe
2015-2017
2.6.2.0


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
