Trojan.Win32.Swrort.3_e2283248bc

MD5: e2283248bc603682c1bb43d5d0a813f4
SHA1: d83f67484c1143242202f8d7371f85df9932d08c
SHA256: 6b6f554e690f2fa9e1f472e8514c4539d879c387962de01f7bc538fc7402aeb7
SSDeep: 49152:hKh 0Q3ZBgM7D5EGoe17N/FT /hOl8B4TTGfBVwPilxScSqmfZT89To apSb8GP5:x0Q3DDDCeTN JO2B1v35Fhxx
Size: 3819928 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: ????????????
Created at: 2014-07-03 16:08:15
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1196

The Trojan injects its code into the following process(es):

Explorer.EXE:1684

Mutexes

The following mutexes were created/opened:

RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
_!MSFTHISTORY!_
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
ShimCacheMutex
adm_Pcmaster_LunarCalendar
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex

File activity

The process %original file name%.exe:1196 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\plugins\weathericon\default.icn (125 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\101010100[1].shtml (6697 bytes)
C:\config\mytime\2014.xml (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ip.qq[1].htm (6289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\mytime[1].xml (1 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\101010100[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\alert[1].xml (11942 bytes)
C:\config\mytime\weatherlist.xml (6768 bytes)
C:\config\mytime\1.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\101010100[1].html (793 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
C:\plugins\mytime.dll (108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
C:\config\mytime\mytimeset.cfg (8259 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\101010100[1].htm (5181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

C:\mytime.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\101010100[1].shtml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\mytime[1].xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\101010100[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAZ6GZR1.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\101010100[1].htm (0 bytes)

Registry activity

The process %original file name%.exe:1196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\RuanMei\MagicTray]
"PluginsPath" = "c:\plugins"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\RuanMei\MagicTray]
"ConfigPathNew" = "c:\config\mytime"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\RuanMei\PCMaster]
"AppStart" = "4294967295"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B D7 6B 1A 84 FC D8 BE 03 BB A4 4F 64 F9 0F 25"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"mytime" = "c:\%original file name%.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ????????????
Product Name: ????
Product Version: 3.0.0.58
Legal Copyright: ????
Legal Trademarks:
Original Filename: mytime.exe
Internal Name: mytime
File Version: 3.0.0.58
File Description: ????
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://117.181.newidc2.cn/pcmaster/mytime.xml?r=1372562
hxxp://search.weather.com.cn/static/xxfb/rss/alert.xml?a=13725621372562	61.4.185.16
hxxp://ip.qq.com/	112.90.83.44
hxxp://117.181.newidc2.cn/api/xzs/aqi/citys/.json?t=1390843
hxxp://www.weather.com.cn/data/sk/101010100.html?_=1394656?t=13946561394656	61.4.185.205
hxxp://m.weather.com.cn/data/101010100.html?_=1395734	113.108.239.114
hxxp://www.weather.com.cn/weather/101010100.shtml?_=1396812	61.4.185.205
hxxp://dat.ruanmei.com/pcmaster/mytime.xml?r=1372562	122.225.117.181
hxxp://api.ruanmei.com/api/xzs/aqi/citys/.json?t=1390843	122.225.117.181

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /data/sk/101010100.html?_=1394656?t=13946561394656 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: VVV.weather.com.cn

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: Apache/2.2.0

Date: Thu, 31 Jul 2014 04:55:40 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: BIGipServerwww_pool=79234109.20480.0000; path=/
ab..{"weatherinfo":{"city":"......","cityid":"101010100","temp":"29","
WD":"......","WS":"2...","SD":"64%","WSE":"2","time":"12:40","isRadar"
:"1","Radar":"JC_RADAR_AZ9010_JB"}}..0......


GET /weather/101010100.shtml?_=1396812 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.weather.com.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache/2.2.0

Date: Thu, 31 Jul 2014 04:55:39 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Content-Encoding: gzip

Set-Cookie: BIGipServerwww_pool=45679677.20480.0000; path=/
600a..............ys...(..\...C...3&...JQ."A....<~..e23)...$l...P..
T%.Zm..l.."[....,K..U......_...s..}ooh..,y '.....g?..{{....5.....P....
._.1l.[...{.T.P.........B.8Sl....9..m`..X..FK..vUS#..|$_..~..FN...j.bc
..bcf0=.D._..`q.bi...l..(V....Z(.([email protected].\.1..]].K..z.
.{......k...O...y..q..~...........G...X/.~.....fE.v...K......>,.Z..
.u.|..8.....g..F.`..T....}..........WD ..P..k..F.Z....O..'.....C. w...
...W.o.W...Z...'.R.V_\1....W..0.?2/_k}..{98 !.. ..{I.O.EY...h.8g.<.
.."..............3...O.c../..m.~c.5c...uu.j{....y....L..D..d..|[email protected]
[email protected]..............|[email protected]&LKKK..b.1W.
1..V.K.h.R([email protected]`[email protected]...$%[email protected]%...l..n...
.S88s.\m.ec..E7$o..Y3..x........,.(.......#X....SM.....G...7.|.......s
.b..w....g. D.........=.E.)[email protected]...... ........I0g
.0o...D....bM..v(.z.PTr.F)_.*3.j.~.)....[i6.#Z{K.V\(...7....O.....:...
[...P./.....k.)..."~....%.......XYf\.u0X........\......|.i&-...`..A..a
.i_....Z....L`.lOW...L................j.Z.........S..........1H..U...\
y y.T,..5....\a..}..-....._..n]*..sC....h.....r.|.6[......T...Hii.<
S...C5......Z.[........z.1...[#t>..i...x7.CDN.Z).i..;..`.q%..m....\
z [w.G......"\..J}!W........2l..x..ziwq.,].U....P .....G......fh...X..
..`..,A.....X...F....w...#B..r......!`l....u. 1.C..K.S..Ju..]C...(..i0
..0..ra ...\.. .......R.8.8.....j..qx..x.9..6b_....:..\.#0......SS.V.s
,.d2...6.%8..Ab...q4@[email protected].<.bm.fP..r..l..>.....
.Z.D...!...I*.!.ET.8.). .&e..&..3kl%3X...ri.^.3Z$S.2..\..5.X..V[..
<<< skipped >>>

GET /data/101010100.html?_=1395734 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: m.weather.com.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/0.7.67

Date: Thu, 31 Jul 2014 04:57:04 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"

Content-Encoding: gzip
319............u..R.@...%..CH@..|....i.v$.t.....E.........SD.:U..w..%|
. t...%...l~.....5,J...9......ibQ....iB".}..JO.....=..gFa.....k..L.*.:
Wh..../...`-..s....m..V.P.;;.H...:.4>%.'....^..2wk..1..z09.*...#. R
..S.....`:.I.9...t\.[./'..4|{.&Q.#....,z....O).8......../ J.z..(.s.|..
=.>...4y.UE.j..T.....N....Y.0..v....,.w.&....6V.0..1f.0&.....0q. ..
0.D(..$...E.",`^[email protected].$.. o2\.?.....Q....~......O.->.....
......X.. Y0..,Ac...Tc).:.;....ZD?...8.H..$........A.$JB.\)R!.G..r.e[.
....<.."&'...(b.....#hV/a/.;[email protected]..|.g....M.\[n.....f...:.;..q_^
[email protected].... .....t. ....... ..C*... ..7..e.=...../R..
`_...FHS3aq...2..sMa}[email protected]?*....BNh...x.$..EG.h.^.....'.^
..E.R."......k...9...................\4q].....S..K.a......M\...7.c/.v.
.<<CR.r#\?_.L.,...)....=.%[.....I.P.......0..

GET /api/xzs/aqi/citys/.json?t=1390843 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: api.ruanmei.com

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Content-Type: text/html

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

Date: Thu, 31 Jul 2014 04:56:51 GMT

Content-Length: 1163
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=gb2312"/>..<title>404 - ..
................</title>..<style type="text/css">..<!--
..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, 
sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} .
.h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0
;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;
} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family
:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#55
5555;}..#content{margin:0 0 0 2%;position:relative;}...content-contain
er{background:#FFF;width:96%;margin-top:8px;padding:10px;position:rela
tive;}..-->..</style>..</head>..<body>..<div i
d="header"><h1>..........</h1></div>..<div id=
"content">.. <div class="content-container"><fieldset>.
.  <h2>404 - ..................</h2>..  <h3>........
..............................................</h3>.. </field
set></div>..</div>..</body>..</html>..HTTP/
1.1 404 Not Found..Content-Type: text/html..Server: Microsoft-IIS/8.5.
.X-Powered-By: ASP.NET..Date: Thu, 31 Jul 2014 04:56:51 GMT..Content-L
ength: 1163..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Stric
<<< skipped >>>

GET / HTTP/1.1

User-Agent: GetWeb

Host: ip.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 31 Jul 2014 04:56:49 GMT

Server: Apache/2.4.2 (Unix)

Cache-Control: max-age=0, must-revalidate

Set-Cookie: ipqqcom_user_id=609573; Domain=ip.qq.com; Expires=Fri, 01 Aug 2014 04:56:49 GMT; Path=/; HTTPOnly

Keep-Alive: timeout=15, max=100

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: text/html
f4c..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<ht
ml xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta ht
tp-equiv="Content-Type" content="text/html; charset=gb2312" />..<
;meta http-equiv="X-UA-Compatible" content="IE=7">..<link rel="s
tylesheet" type="text/css" href="/css/global.css"/>..<link rel="
stylesheet" type="text/css" href="/css/ip.css"/>..<link rel="sty
lesheet" href="/css/thickbox.css" type="text/css" media="screen" />
..<link href="/css/help.css" rel="stylesheet" type="text/css" />
..<title>....IP........_IP....</title>..<script src="/j
s/prototype.js"></script>..<script language="JavaScript" t
ype="text/javascript" src="/js/showlayer.js"></script>..<s
cript language="JavaScript" type="text/javascript" src="/js/public.js"
></script>..<script language="JavaScript" type="text/javas
cript" src="/js/geo.js"></script>..<script language="JavaS
cript" type="text/javascript" src="/js/jquery.js"></script>..
<script language="JavaScript" type="text/javascript" src="/js/iplis
t_thickbox.js"></script>..</head>..<body onload="set
up();Change_Hide_bak(1);login_in(0);status();preselect('');ShowIndex()
;">..<div class="header">..  <div class="padder"> <a
 class="logo" title="...." style="background-image:url(/img/logo.jpg);
 width: 300px; height: 72px;"> </a>..    <div class="l
<<< skipped >>>

GET /static/xxfb/rss/alert.xml?a=13725621372562 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: search.weather.com.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache/2.2.6 (Unix) DAV/2 SVN/1.4.6 mod_jk/1.2.26

Date: Thu, 31 Jul 2014 04:55:20 GMT

Content-Type: text/xml; charset=utf-8

Content-Length: 54060

Last-Modified: Thu, 31 Jul 2014 02:57:28 GMT

Connection: keep-alive

Accept-Ranges: bytes
<?xml version="1.0" encoding="utf-8"?>.<rss version="2.0" xml
ns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:content="hXXp://purl.or
g/rss/1.0/modules/content/"><channel><title>...........
.......</title><link>hXXp://VVV.weather.com.cn/alarm/newal
armlist.shtml</link><language>zh</language><item&
gt;<title>...................................................<
;/title><link>hXXp://VVV.weather.com.cn/alarm/newalarmcontent
.shtml?file=1011101-20140731104110-0703.html</link><atype>
......</atype><alevel>......</alevel><astatus>
.........</astatus><img>hXXp://VVV.weather.com.cn/m2/i/ala
rm_s/0703.gif</img><description><![CDATA[..............
....2014...7...31...10...30...........................................
...........24....................................37...................
.......................]]></description><pubDate>2014-0
7-31 10:41:10</pubDate></item><item><title>...
............................................................</title
><link>hXXp://VVV.weather.com.cn/alarm/newalarmcontent.shtml?
file=1013003-20140731103959-0703.html</link><atype>......&
lt;/atype><alevel>......</alevel><astatus>.......
..</astatus><img>hXXp://VVV.weather.com.cn/m2/i/alarm_s/07
03.gif</img><description><![CDA.....................<
;/title><link>hXXp://VVV.weather.com.cn/alarm/newalarmcon
<<< skipped >>>

GET /pcmaster/mytime.xml?r=1372562 HTTP/1.1

Host: dat.ruanmei.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: text/xml

Last-Modified: Mon, 28 Jul 2014 07:30:49 GMT

Accept-Ranges: bytes

ETag: "809a54da35aacf1:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

Date: Thu, 31 Jul 2014 04:56:32 GMT

Content-Length: 1712
....A.nr3$..L:.......#.?...#.U.B...Ve...B.....Ru&q|...@ .IK.K.I.H.....
dY......Vo&.A.......5{.z&N..."....r6w"!!?.T%.5).._6x:..d<.....t"...
.|\Q..y.t%>wq..Q...\~...5.......[.|;.D*....fl..]:%..}U......>...
K/P.....4...O#.X........0|.*.........M.1.)...dJ...........l<.Qn...p
......-.}[email protected]./.u.W...3.(..=h......6Z.2...q.....2.
[email protected]...........@..}....20.O[......l...s......t...Ns.[[email protected].
...?.........x.j....Y.E.....@..$..J...v.O./.<'..hQ....~..z.,.M.D:.H
)..pl....nVHm...O..;\.[....ni....Y.E.tv<%...0i.....>.>..Q...5
..=\~F.....&...8.\..T.7F.y...R...X....^.lz.......*............"w-..4,.
...Ce......Iz.......|..,..rt.r.y..M0...G1S&J...Me.'.,...q.np.s.f5.`.ax
<....9.w....i.K....NWy.e."x=?j...\R.,........z.,.M.D.).S......jee8.
.Ex.G...Y-..Y.....KW.N..IH....s.*.|..L.nVG...X..`....W./.>..%OY...9
....KZH.........=\~F..5..W..#>.z.....)....w....qQ....:.Qe[.1..t.1..
e...b;.Z?Q......9..1 .l.JC.....GM......zw)Y.3m..Z.Um....O...#e....08..
.pd'.a.....w7G.Q........!.....k......a_..q....6.p...... >....u..xH!
e.3).J....J6.m&.q..6.p....S~3._'..Ex.G...Yy...........nVHm.R.{P_s..y.]
D.....0..z.............Zx.....m......Iz.....].0..i1....w........{.<
...IN$K&.x\[email protected]......[.9..Fa4..Y1.z....|..L.nV.f:&. &.-m7}.
U...7.9...#-.....`5.YK.f=......../a\..oeM.*........:D.M.Y..m.8.D.A=...
)...CR.....`..imG....M.6j3.Gib.....y......i...F..T.......zw)Y...x...t.
y...R..X...8. .Gk*....X....Nq...]..;...8.......Z..hJ9sP.?)..aH.......j
...<[email protected]*.i="w..W..B.!...........LCFYi..bH.Iq..
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.reloc

SSSSh

SSShp

SSShT

t;SSSh

SSShx

SSShh

SSSh@

RSShx

xSSSh

FTPjKS

FtPj;S

C.PjRV

<4,$?7/'

(3-!0,1'8"5.*2$

&#xX;

%s="%s"

%s='%s'

version="%s"

encoding="%s"

standalone="%s"

-NHS}Y

MSXML2.XMLHTTP

USER32.dll

Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

portuguese-brazilian

operator

GetProcessWindowStation

`'\%D,3

dwmapi.dll

UxTheme.dll

inflate 1.2.5 Copyright 1995-2010 Mark Adler

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

1.2.5

zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

D:\TFS_New2013\MagicTray2013\MagicTray\Bin\Release\mytime.pdb

SetWindowsHookExW

EnumChildWindows

GetKeyState

KERNEL32.dll

GDI32.dll

COMDLG32.dll

RegOpenKeyExW

RegCloseKey

RegFlushKey

RegCreateKeyExW

RegEnumKeyExW

ADVAPI32.dll

ShellExecuteExW

ShellExecuteW

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

gdiplus.dll

VERSION.dll

URLDownloadToFileW

urlmon.dll

InternetOpenUrlW

HttpEndRequestW

HttpSendRequestExW

HttpOpenRequestW

HttpQueryInfoW

WININET.dll

IPHLPAPI.DLL

WINMM.dll

dbghelp.dll

GetProcessHeap

GetCPInfo

COMCTL32.dll

GdiplusShutdown

GdipSetImageAttributesColorKeys

.?AVCHttpFile@@

.?AVCUIWebBrowser@meiui@@

.?AVCActiveXEnum@meiui@@

zcÁ

\rm_pcmaster.config##p

c:\%original file name%.exe

j%uP/

T.WH\

r%S[Y

G#.kt

m%XbA

%2xF4T-

ru.pC

-\%DOmk7|

.Gpu'!

,%ukZ<

"=.Dx

D}/d%X

.FF [

.UW<[

(Y.Uh

.DfkS

i.si.

c.oQ0

dwmapi.xTh"

.win;@

td.pdb

.if$$

KERNEL32.DLL

countdown.dll

http://www.usertrust.com1

1http://crl.usertrust.com/UTN-USERFirst-Object.crl05

http://ocsp.usertrust.com0

2Terms of use at https://www.verisign.com/rpa (c)101.0,

jOôA

/http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D

https://www.verisign.com/rpa0

http://ocsp.verisign.com0;

/http://csc3-2010-aia.verisign.com/CSC3-2010.cer0

https://www.verisign.com/cps0*
#http://logo.verisign.com/vslogo.gif04
#http://crl.verisign.com/pca3-g5.crl04
http://ocsp.verisign.com0
_ry.WM
M.tgE#
H.ht.
(!%Uj
l.jE/=0
;1B%sP
4]F%d
={E%Sb
%2%Sr
a/.Xp
ru.pCK
-\=wGo
.Gpu'
@2.SX
t%SZ"
XQ-5r}
@.SNO
@.ZXK
'.Wjl
.ZNu<]
(tv%f
FTp85X-
Kso%u
USER32.dll
X10`.KI
i.UNrqIn
?dwmapi.xThf
flf 1.2.5
H.hKd
Key^;1
L9.Rjb
WebBr
.QUH"
em.hover"
!.fSH
[urRjc'&%Xh(T
.rc[R?t
P#=.Ck|QU
?%D*S
remind.dll
.pdata
@.rsrc
8%u&H
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
FRegDeleteKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
P.sO|
r%f;A
D:\TFS_New2013\MagicTray2013\MagicTray\Bin\Release\mytime_x64.pdb
fWk%D/
.WVQC,
.ANN2` 
@.lp.
8ËW
A;.oq
^`.Zm
&.QPWu
Y.o%uYF
p%4X A
vY.EN28
USER32.dsi
!"#$%&'()* ,-./0123456789:;<=>?
1.2.5
;.wog
.com/z
.TBm"a#I
dQ-iJ}k
DBKeyb
.%c_T
#v`.rd
0.png
1.png
10.png
11.png
`.Acc#]oG/
.UpYz
12.png
13.png
14.png
15.png
16.png
17.png
18.png
19.png
2.png
20.png
21.png
.jkkM
22.png
23.png
24.png
25.png
26.png
27.png
28.png
29.png
3.png
30.png
@9%u{
31.png
4.png
5.png
53.png
6.png
7.png}VgPSY
8.png
9.png
7.png
images/calendar/calendarfootball.png
images/calendar/calendartip_bg.png
images/calendar/datebg1.png
images/calendar/datebg2.png
images/calendar/day.png
images/calendar/hover.png
images/calendar/NationalHolidays.png
images/calendar/NationalHolidays_DayOff.png
images/calendar/NationalHolidays_piao.png
-wfV}
images/calendar/NationalHolidays_qiu(0).png
images/calendar/NationalHolidays_qiu.png}Ryh
images/calendar/next_mon.png
images/calendar/pre_mon.png
images/calendar/sel.png
images/calendar/split.png
images/calendar/today.png
images/calendar/weather_6day.png
images/calendar/weekbg_blue.png
images/calendar/weekbg_red.png
images/common/button.png
images/common/combo.png
images/common/combo2.png
images/common/comboitembg.png
images/common/common_edit.png
images/common/dropbox_bg.png
images/common/item.hover.png
images/common/item.normal.png
images/common/item.pushed.png
images/common/scrollbar.png
images/common/setlabelbg.png
%frOY
images/common/vscrollbar.png
images/common/vscrollbar1.png
images/dynamicweather/cloudy.jpg
]?.wsPJ
>T-t}vlLA=B{
.djU'\
q!%ua1)
 .VJM
images/dynamicweather/dust.jpg
 .PU)
j0G%U
images/dynamicweather/fog.jpg
images/dynamicweather/rain_big.jpg
images/dynamicweather/rain_mid.jpg
t^Yõ
images/dynamicweather/rain_small.jpg
images/dynamicweather/RemindNotice_Bg.png
images/dynamicweather/snow.jpg
.FH-}
9m.iS
.mR-k
.Lv_I
images/dynamicweather/suncloud.jpg
3Y.KS
%C'dga
ZnH.HP
5 R6.Dk
-o}SS3
images/dynamicweather/sunshine.jpg
qf:.vz
images/flowwindow/flowwindow_dateicon.png
images/flowwindow/flowwindow_itembg.png
images/flowwindow/flowwindow_itembtn.pngm
images/flowwindow/flowwindow_timeicon.png
images/flowwindow/flowwindow_weathericon.png
images/flowwindow/num_big_0.png
images/flowwindow/num_big_1.png
images/flowwindow/num_big_2.png
images/flowwindow/num_big_3.png
images/flowwindow/num_big_4.png
images/flowwindow/num_big_5.png
images/flowwindow/num_big_6.png
images/flowwindow/num_big_7.png
images/flowwindow/num_big_8.png
images/flowwindow/num_big_9.png
H#Y{.dR
images/flowwindow/num_big_below.png
images/flowwindow/num_big_celsius.png
images/flowwindow/num_big_point.png
images/flowwindow/num_big_point2.png
images/flowwindow/num_small_0.png
images/flowwindow/num_small_1.png
images/flowwindow/num_small_2.png
images/flowwindow/num_small_3.png
images/flowwindow/num_small_4.png
images/flowwindow/num_small_5.png
images/flowwindow/num_small_6.png
images/flowwindow/num_small_7.png
images/flowwindow/num_small_8.png
images/flowwindow/num_small_9.png
images/flowwindow/weatherremind_blue.png}S]H
images/flowwindow/weatherremind_orange.png}S[H
images/flowwindow/weatherremind_red.png
images/flowwindow/weatherremind_yellow.png}S]H
7{O .GR
images/main/aero.png
images/main/aero_left.png
images/main/aero_right.png
images/main/chkbox.png
images/main/close.png
images/main/max.png
images/main/menu.png
images/main/min.png
images/main/mytime.png
images/main/radio.png}R
%S!!Ql
images/main/remindbg.png
images/main/restore.png
images/main/skin.png
images/main/switch.png
*!X%Xi
images/plugins/alarmclock.png}S
images/plugins/notepad.png}S
images/plugins/plugins_bg.png
images/plugins/tipbg.png
.Xs:6
images/timemanage/addicn.png
images/timemanage/countdown_add.png
images/timemanage/countdown_bg0.png
images/timemanage/countdown_bg1.png
images/timemanage/countdown_cancle.png
images/timemanage/itemdel.png
images/timemanage/stopwatch_bg.png
SFTp
images/timemanage/stopwatch_btn.png
images/timemanage/time_label.png}S
images/timemanage/worldtime_clockbg.png
images/timemanage/worldtime_hour.png
images/timemanage/worldtime_minute.png
resources.xml
xmls/about.xml
xmls/calendar.xml
xmls/calendartip.xml
xmls/citylist_item.xml
xmls/flowwindow.xml
%cWU4
.SIT$
xmls/mainframe.xml
xmls/pluginsmanager.xml
xmls/pluginstip.xmlU
xmls/set.xml
xmls/timemanage.xml
xmls/timemanage_countdown_item.xml
xmls/timemanage_stopwatch_item.xml
xmls/timemanage_worldtime_item.xml
xmls/weather.xml
xmls/weatherremind.xml
xmls/worldcup.xml
images/calendar/NationalHolidays_qiu.png
images/flowwindow/flowwindow_itembtn.png
images/flowwindow/weatherremind_blue.png
images/flowwindow/weatherremind_orange.png
images/flowwindow/weatherremind_yellow.png
images/main/radio.png
images/plugins/alarmclock.png
images/plugins/notepad.png
images/timemanage/time_label.png
xmls/pluginstip.xml
keY
0Q0b0p0
<%<3<8<@<_<{<
2-3:3?3[3
6-7G7x7}7
4 4$4(4,4044484<4
0 0$0(0,0
< <$<(<,<0<
= =$=(=,=0=4=8=<=
6 6$6(6,6064686<6
? ?$?(?,?
: :$:(:,:0:4:8:<:@:
1(141<1\1
4 4$4(4,404
ntdll.dll
xx
\StringFileInfo\%s\ProductName
\StringFileInfo\%s\FileDescription
\StringFileInfo\%s\FileVersion
\StringFileInfo\%s\ProductVersion
\StringFileInfo\%s\OriginalFilename
\StringFileInfo\%s\LegalCopyright
\StringFileInfo\%s\InternalName
\StringFileInfo\%s\CompanyName
%d.%d.%d.%d
explorer.exe /e,/select,"
explorer.exe /e,/select,
%%X%%X
%s.bak%I64dd
%%X
%%X%%X%%X
.%d.tmp
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
Software\Classes\http\shell\open\command
pcmaster.exe
saayaa.exe
cooldock.exe
explorer.exe
OpenUrlWithSaayaa
Internet Explorer\iexplore.exe
http://dat.ruanmei.com/pcmaster/upgrade6.xml
%s?r=%d
rmup.exe
http://down.ruanmei.com/%s?skq=%d
\\.\PhysicalDrive%d
Internet open url failed! error code
\sfc_os.dll
takeown /f %s
icacls %s /grant
%username%:F
icacls %s /grant *S-1-1-0:(F)
.old.tweakcube
.temp.tweakcube
%u.%u.%u.%u
http://www.6655.com/?f=sh
=============SendData:version:%d----%d==%s==%d==%s=
http://www.hao123.com/?tn=12092018_15_hao_pg
http://www.duba.com/?un_383619_1
http://www.2345.com/?11319
^(http://)?(www\.)?hao123\.com(/?(\?tn=. )?)?$
^(http://)?(www\.)?duba\.com(/?(\?.)?)?$
winguard.dll
^(http://)?(www\.)?2345\.com(/?(\?\d )?)?$
http://www.google.com.hk/search?ie=utf-8&oe=utf-8&hl=zh-cn&q={searchterms}
http://www.google.com/favicon.ico
winguard.exe
winguard_x64.dll
winguard_x64.exe
{DAFC3089-C966-4796-BF72-E6BB9C4BB8E5}
http://www.bing.com/search?q={searchTerms}
http://www.bing.com/favicon.ico
{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
http://www.baidu.com/s?tn=mswin_oem_dg&ie=utf-8&word={searchTerms}
http://www.baidu.com/favicon.ico
http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie={inputEncoding}&from=ie8
{0E7B197B-A3DE-4FD4-A19A-1EECF791D16F}
mshtml.dll
%s\log\winguard-d-d-d-d-d-d.log
MoveFile Faild === [%s] [%s] [%d]
IE.AssocFile.HTM
.html
IE.AssocFile.URL
IE.AssocFile.MHT
.mhtml
.shtm
.shtml
Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
https
Software\Classes\%s\shell
Software\Classes\%s\shell\%s\command
IE.HTTP
IE.HTTPS
HTTPS
IE.FTP
%s.HTTP
%s.AssocFile.HTM
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\
IEXPLORE.EXE
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\
%s.%s
Kernel32.dll
%c:%I64d~%I64d
%dx%d
SOFTWARE\Microsoft\Windows NT\CurrentVersion
6.3.9600
%d.%d.%d
360tray.exe
zhudongfangyu.exe
360sd.exe
360rp.exe
ksafetray.exe
ksafesvc.exe
kscan.exe
kxetray.exe
qqpctray.exe
qqpcwebshield.exe
qqpcrtp.exe
avgnt.exe
avcenter.exe
egui.exe
ekrn.exe
rstray.exe
ravmond.exe
avp.exe
msmpeng.exe
ccsvchst.exe
bdagent.exe
kvmonxp.exe
kvsrvxp.exe
uiseagnt.exe
coreframeworkhost.exe
coreserviceshell.exe
uiwatchdog.exe
mcshield.exe
cfp.exe
baidusd.exe
baidusdsvc.exe
baidusdtray.exe
baiduantray.exe
baiduan.exe
baiduansvc.exe
Software\Microsoft\Windows\CurrentVersion\Run
version:%s;business:magictray;setup:%s;cpu:%s;memory:%s;disk:%s;partition:%s;resolution:%s;mac:%s;os:%s;ie:%s;process:%d;autorun:%d;browser:%d;defaultbrowser:%d;
http://union.ruanmei.com/receive/postdata.aspx?uid=
http://union.ruanmei.com/receive/install.aspx?uninstall=1&uid=
http://union.ruanmei.com/receive/install.aspx?uid=
&r=%d
drivers\ANDROIDUSB.sys
&t2=%d
0126|0208|0504|0928|1011
%s %s
hd32-d-d-d-d-d-d-%s.
Last Error: %d, HRESULT %d, File: %s
.zip&v=
union.ruanmei.com
/receive/errorlog.aspx?p=mytime&f=
rkernel32.dll
d-d-d d-d
mytime.exe
mytime.pdb
HKEY_LOCAL_MACHINE
Windows:
%d.%d.%d, SP %d.%d
EIP: X EFlags: X
ESI: X EDI: X ESP: X EBP: X
EAX: X EBX: X ECX: X EDX: X
X,
Operation:
[0xX] Cannot %s.
0xX
d/d/%d
[ExeFileInfo]
d-d-d d:d:d
(%X, %X, %X, %X, %X)
 X
%sX %s
so.6655.com
http://so.6655.com/favicon.ico
{C30DAF89-C966-4796-F7B2-EC4BB8E6BB95}
http://so.6655.com/?s_type=1&k1={searchTerms}
souxia.com
http://www.souxia.com/favicon.ico
{EE930633-72f4-76D7-A0FF-142E3A16EB8C}
http://www.souxia.com/search.aspx?wd={searchTerms}&ie=utf-8
sogou.com
http://www.sogou.com/favicon.ico
{EE930633-72f4-76D7-A0FF-142E3A16EB8B}
http://www.sogou.com/sogou?query={searchTerms}&ie=utf8&pid=sogou-clse-c07d4fe1bad8cc10
baidu.com
http://www.SoSo.com/favicon.ico
{EE930633-72f4-76D7-A0FF-142E3A16EB8D}
http://www.soso.com/q?w={searchTerms}&unc=s400021_4&cid=union.s.wh&ie=utf-8
http://www.google.com.hk/search?client=aff-6655&forid=1&ie=utf-8&oe=UTF-8&hl=zh-CN&q={searchTerms}
%sX
http://dat.ruanmei.com/pcmaster/mytime.xml
mytime.cfg
default.icn
default.snd
I_RuanmeiTime_%dd
http://www.12306.cn/mormhweb/
dd
%s\%d.xml
MSXML2.MXXMLWriter
MSXML2.SAXXMLReader
%s %s %s
%s %s%s
%c%c%c
ddd
worldcup_match%d
res='%s' corner='4,4,4,4'
mainframe.birthdayIcon
mainframe.remindIcon
res='%s' corner='2,2,2,2'
\mytime.txt
kernel32.dll
%d:d
%s %s PM2.5
IDB_DynamicWeather_%d
dest='%d,%d,%d,%d'
%s\mytimeset.cfg
%s\weatherlist.xml
%s\weathericon\default.icn
%s\mytimeinj.exe
%s\mytime.dll
\mytime.dll
\mytimeinj.exe
%Y-%m-%d
\TrayClock.xml
\sound\default.snd
upgrade\default.snd
1230.wav
d30.wav
12.wav
%s.wav
d.wav
%d-d-d d:d
d,
%d-d-d
weathericon_%s_png
%s.png
http://go.ruanmei.com/url.aspx?linkid=155
http://xzs.ithome.com
/select,%s
Rundll32.exe
Shell32.dll,Control_RunDLL timedate.cpl
\rmup.exe
plugins\sound\default.snd
http://bbs.ithome.com/thread-466493-1-1.html
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones
b%s?r=%d
IDB_countdown_bg%d
\worldtime.xml
%d-d-d d:d:d
d:d:d
d:d
%s,%s,%s,%s|
%s %s
http://search.weather.com.cn/static/xxfb/rss/alert.xml?a=%d%d
101010100
http://ip.qq.com
http://api.ruanmei.com/api/xzs/aqi/citys/
.json
?t=%d
http://www.weather.com.cn/data/sk/%s.html?_=%d
http://www.weather.com.cn/data/ks/%s.html?_=%d
GetWeb
H?t=%d%d
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Holiday%d
# d
%d-d-d d:d:d
\countdown.xml
%d.d.d %s
http://m.weather.com.cn/data/
?_=%d
 %s
http://www.weather.com.cn/weather/
http://php.weather.sina.com.cn/xml.php?city=
&password=DJOYnieT8234jlsK&day=
&_=%d
%d-d-d d-d-d
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\%s
%s~%s
windowshow
windowsized
msimg32.dll
Software\Microsoft\Windows\DWM
Jdest='%d,%d,%d,%d' source='%d,%d,%d,%d'
pagebtn_group_%d
Jsource='%d,%d,%d,%d'
keyboard
User32.dll
<%s>%s