Win32.Madangel.DIA_6074c83922



by malwarelabrobot on August 19th, 2016 in Malware Descriptions.

Trojan-Dropper.Win32.Injector.pbuu (Kaspersky), Win32.Madangel.DIA (B) (Emsisoft), Win32.Madangel.DIA (AdAware), Trojan.Win32.Swrort.3.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan


The description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 6074c83922f7a481fd8b07c54a9dcd59
SHA1: 114b1d0b894021a30b9771edadc63b7f50f00b38
SHA256: b765a67d42018f3d24245be1641b536107784c737d0449720046b2a92f07a997
SSDeep: 6144:MltPsuG7z1kQBmabEsTBiv3YC7vGIbR6MHHUSppSwTaQZtsQUoatf:m1suGv1kQBjbEsTwv3Lm
Size: 334124 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-02-11 07:16:33
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Dropper: a Trojan intended to install other malware on the user's system without the user noticing. The behaviour recorded below goes beyond a plain dropper: the sample writes small amounts of data (52 to 1,940 bytes) into dozens of executables that already exist under %Program Files% and C:\totalcmd, writes a 1,504,347-byte executable to %System%\Serverx.exe and registers it in the current user's Run key, appends an entry to the hosts file, hooks the file- and process-creation stubs in ntdll.dll, and registers with an IRC server. Together with the ".exet"/".scrt" extension checks and the setupx.exe/updatex.exe/Serverx.exe names in the string dump, this is consistent with a file infector carrying an IRC backdoor, which matches the Win32.Madangel.DIA name several vendors assign.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1152

The Trojan injects its code into the following process(es):

%original file name%.exe:348
Explorer.EXE:888

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s). The byte counts are the amount of data the sandbox saw written to each path, not the resulting file sizes; apart from %System%\Serverx.exe, every path is an executable that already existed on the analysis image (Adobe Reader, Java Update, Internet Explorer, Outlook Express, Total Commander, WinPcap and so on), so these are modifications of existing programs rather than new files:

%Program Files%\Adobe\Reader 9.0\Reader\ACROTEXTEXTRACTOR.EXE (100 bytes)
%Program Files%\Common Files\Adobe\Updater6\ADOBEUPDATERINSTALLMGR.EXE (100 bytes)
%Program Files%\Internet Explorer\IEXPLORE.EXE (1188 bytes)
C:\totalcmd\TCUNINST.EXE (1300 bytes)
%Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\ADBERDR950_EN_US.EXE (1124 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (1044 bytes)
%Program Files%\WinPcap\rpcapd.exe (1588 bytes)
%Program Files%\Common Files\Java\Java Update\jaureg.exe (1556 bytes)
%Program Files%\Outlook Express\oemig50.exe (1652 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\READERUPDATER.EXE (356 bytes)
%Program Files%\Internet Explorer\Connection Wizard\inetwiz.exe (1924 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\ACRORD32INFO.EXE (1604 bytes)
%Program Files%\MSN\MSNCoreFiles\Install\msnsusii.exe (658 bytes)
C:\totalcmd\TOTALCMD64.EXE (1510 bytes)
%Program Files%\Common Files\Microsoft Shared\DW\DW20.EXE (548 bytes)
%Program Files%\Messenger\msmsgs.exe (1428 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\ACROBROKER.EXE (52 bytes)
%Program Files%\Common Files\Java\Java Update\jucheck.exe (436 bytes)
%Program Files%\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe (1428 bytes)
C:\totalcmd\NOCLOSE.EXE (1764 bytes)
%System%\Serverx.exe (1504347 bytes)
%Program Files%\Outlook Express\wabmig.exe (1236 bytes)
%Program Files%\Common Files\Microsoft Shared\Speech\sapisvr.exe (692 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwconn2.exe (996 bytes)
%Program Files%\NetMeeting\conf.exe (108 bytes)
%Program Files%\Common Files\Java\Java Update\jaucheck.exe (1300 bytes)
%Program Files%\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe (110 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwrmind.exe (116 bytes)
%Program Files%\NetMeeting\cb32.exe (1540 bytes)
%Program Files%\Outlook Express\setup50.exe (1252 bytes)
%Program Files%\Common Files\Adobe\Updater6\ADOBE_UPDATER.EXE (1046 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\AcroRd32.exe (1236 bytes)
%Program Files%\Internet Explorer\iedw.exe (1684 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\ADOBECOLLABSYNC.EXE (340 bytes)
%Program Files%\Outlook Express\wab.exe (980 bytes)
%Program Files%\NetMeeting\wb32.exe (1540 bytes)
C:\totalcmd\NOCLOSE64.EXE (1220 bytes)
%Program Files%\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (532 bytes)
%Program Files%\Microsoft Office\Office14\PPTVIEW.EXE (1840 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (708 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\ACROBATUPDATER.EXE (356 bytes)
C:\totalcmd\TCMDX64.EXE (1252 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\LOGTRANSPORT2.EXE (1060 bytes)
%Program Files%\Movie Maker\moviemk.exe (1156 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwconn1.exe (1876 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Eula.exe (1556 bytes)
C:\totalcmd\TCUNIN64.EXE (1908 bytes)
%Program Files%\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A93000000001}\Setup.exe (1044 bytes)
C:\totalcmd\TCMADMIN.EXE (1940 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\A3DUTILITY.EXE (596 bytes)
%Program Files%\Common Files\Adobe\ARM\1.0\ADOBEARMHELPER.EXE (1924 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\PDFPREVHNDLRSHIM.EXE (340 bytes)
C:\totalcmd\TCMDX32.EXE (1684 bytes)
%Program Files%\Common Files\Microsoft Shared\MSInfo\msinfo32.exe (692 bytes)
%Program Files%\Outlook Express\msimn.exe (1652 bytes)
C:\totalcmd\TcUsbRun.exe (1764 bytes)
%Program Files%\Internet Explorer\Connection Wizard\icwtutor.exe (420 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (1316 bytes)
C:\totalcmd\TCMADM64.EXE (356 bytes)
C:\totalcmd\TOTALCMD.EXE (1592 bytes)
%Program Files%\WinPcap\UNINSTALL.EXE (1552 bytes)
%Program Files%\Internet Explorer\Connection Wizard\isignup.exe (1732 bytes)

Registry activity

The process %original file name%.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
To run each time the current user logs on, the Trojan adds the following value to the per-user autorun key (writing under HKCU needs no administrative rights, and the entry affects only the infected user's profile):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Serverx" = "%System%\Serverx.exe"

Dropped PE files

The analysis system reports no dropped PE files. Note, however, that %System%\Serverx.exe (1,504,347 bytes) is written in the file activity above and is the target of the autorun entry; treat it as the persistent component even though the tool did not classify it as a dropped PE.

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps hostnames to IP addresses and is consulted before DNS. The modified file is 734 bytes in size. The following line is appended to the hosts file:

127.0.0.1 ZieF.pl

This pins only the exact name ZieF.pl to the loopback address; the command-and-control hostname irc.zief.pl is a different name and, as the Network Activity section below shows, still resolves to 148.81.111.121.
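A check for the hosts-file anomaly described above, written as an added example for this page (it is not Lavasoft's tooling and not code from the sample). The sample hosts content is constructed: the Windows XP default localhost line plus the entry the report lists. Entries that pin a non-default name to loopback are reported as blocks, entries that point a name at any other address as redirects.

```python
"""Flag non-default entries in a Windows hosts file."""
import ipaddress

# Names that Windows maps to loopback by default; anything else is reported.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: the XP default stanza plus the line the Trojan appended.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
127.0.0.1       localhost
127.0.0.1 ZieF.pl
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file.

    Handles comments, tab/space separation and several names on one line.
    Malformed addresses are skipped rather than raised on, because an
    attacker can deliberately corrupt the file to break naive parsers.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower(), line_no


def classify_hosts(text):
    """Return (kind, line_no, ip, hostname) for every suspicious entry.

    kind is "block" when a non-default name is pinned to a loopback address
    (what this sample does: the site becomes unreachable) and "redirect" when
    a name is pointed at any other address (update/phishing hijack).
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if ip.is_loopback:
            if name not in DEFAULT_LOOPBACK_NAMES:
                findings.append(("block", line_no, str(ip), name))
        else:
            findings.append(("redirect", line_no, str(ip), name))
    return findings


if __name__ == "__main__":
    for kind, line_no, ip, name in classify_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:8s} {ip} -> {name}")
```

Run against the constructed content it reports the ZieF.pl line and nothing else; the same function run over a real %System%\drivers\etc\hosts is a quick triage step, since a clean XP hosts file contains only the localhost mapping.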


Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll. These are inline patches of the exported stubs and exist only in the processes the Trojan injected into (its own process and Explorer.EXE:888); every other process still sees the clean ntdll.dll, and comparing each export's first bytes in memory against the on-disk module reveals them:

NtQueryInformationProcess
ZwOpenFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Hooking NtCreateFile and ZwOpenFile intercepts every file open in the hooked process, NtCreateProcess and NtCreateProcessEx every process creation, and NtQueryInformationProcess is the usual target for hiding injected code from inspection. The sandbox records which exports are hooked, not what the hook handlers do.

Propagation

VersionInfo

Company Name: Oracle Corporation
Product Name: Java(TM) Platform SE 8
Product Version: 8.0.40.25
Legal Copyright: Copyright (c) 2015
Legal Trademarks:
Original Filename: java.exe
Internal Name: java
File Version: 8.0.40.25
File Description: Java(TM) Platform SE binary
Comments:
Language: Language Neutral

The version resource claims Oracle's java.exe 8.0.40.25, and the launcher strings and PDB path in the dump below are those of the JDK 8u40 java.exe, yet the "Company: no certificate found" field above means no valid Authenticode signature is present; the Thawte and VeriSign URLs in the string dump are consistent with the remains of the original file's signature block. Taken together this is consistent with an infected copy of the Java launcher, and the version information must not be used to whitelist the sample.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 107966 108032 4.62622 e737892dafba196f5517192a47b4d843
.rdata 114688 29656 29696 4.4583 2aa9d8184737734f8a35c6a9358f11e8
.data 147456 13504 5632 2.2278 fff6823adbeba8b906a283898eeb89b0
.rsrc 163840 33112 33280 4.17222 a25eeb76d2171a8d55dfb485f18f6d5a
.reloc 200704 156460 156460 4.52662 13adba8540b19c50cf9851e94b43fbcd
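The section table already carries the infection tell, and the arithmetic is worth doing once. The check below is an added example for this page, not part of the report or the analysis system; it takes the five sections and the file size from the table above and assumes a file alignment of 0x200 and a header size of 0x400, neither of which the report states (the four untouched sections' raw sizes are all multiples of 0x200, and 0x400 is the usual SizeOfHeaders).

```python
"""Locate where an infection sits in a PE file from its section table alone:
appended as an overlay after the last section, or hidden inside an enlarged
existing section."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float


# Copied from the report's PE Sections table.
SECTIONS = [
    Section(".text",  4096,   107966, 108032, 4.62622),
    Section(".rdata", 114688, 29656,  29696,  4.4583),
    Section(".data",  147456, 13504,  5632,   2.2278),
    Section(".rsrc",  163840, 33112,  33280,  4.17222),
    Section(".reloc", 200704, 156460, 156460, 4.52662),
]
FILE_SIZE = 334124        # report "Size" field
FILE_ALIGNMENT = 0x200    # assumed (not in the report)
HEADERS_SIZE = 0x400      # assumed (not in the report)

# Sections a compiler emits small; in a clean build they never rival .text.
USUALLY_SMALL = {".reloc", ".rsrc", ".idata", ".tls"}


def overlay_size(sections, file_size, headers_size=HEADERS_SIZE):
    """Bytes in the file after the last section's raw data (0 = no overlay)."""
    return file_size - headers_size - sum(s.raw_size for s in sections)


def section_findings(sections, file_size, file_alignment=FILE_ALIGNMENT,
                     headers_size=HEADERS_SIZE):
    """Return (check, section_name, detail) tuples for anomalies that point
    at an infector having grown or appended to the image."""
    findings = []
    text = next((s for s in sections if s.name == ".text"), None)
    last = sections[-1]

    overlay = overlay_size(sections, file_size, headers_size)
    if overlay > 0:
        findings.append(("overlay", None, f"{overlay} bytes appended after {last.name}"))

    for s in sections:
        # A linker pads raw sizes to the file alignment; an infector that
        # appends its body and stores the exact byte count does not.
        if s.raw_size % file_alignment:
            findings.append(("unaligned_raw", s.name,
                             f"raw size {s.raw_size} is not a multiple of 0x{file_alignment:X}"))
        if text and s.name in USUALLY_SMALL and s.raw_size > text.raw_size:
            findings.append(("bigger_than_text", s.name,
                             f"{s.raw_size} bytes vs .text {text.raw_size}: code likely stored here"))
        if s.entropy > 7.0:
            findings.append(("high_entropy", s.name,
                             f"entropy {s.entropy}: packed or encrypted data"))

    share = last.raw_size / file_size
    if share > 0.33:
        findings.append(("large_last_section", last.name,
                         f"last section holds {share:.0%} of the file"))
    return findings


if __name__ == "__main__":
    print("overlay bytes:", overlay_size(SECTIONS, FILE_SIZE))
    for check, name, detail in section_findings(SECTIONS, FILE_SIZE):
        print(f"{check:18s} {name or '-':7s} {detail}")
```

On the report's values the overlay comes out at exactly zero (1024 + 333100 = 334124), so the added code lives inside the mapped image, and .reloc is flagged three times: its raw size is not aligned, it is larger than .text, and it holds 47% of the file. A compiler-emitted .reloc is a small fraction of .text, which is why the last section is the first place to look for the infector body.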

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
irc.zief.pl 148.81.111.121


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN IRC Nick change on non-standard port

The alert fires because the IRC NICK command was observed on a TCP port outside the range the ruleset treats as standard for IRC; the report records only the alert and the resolved server address 148.81.111.121, not the port itself.

Traffic

The sandbox prints the raw TCP payloads with non-printable bytes (the CR/LF message terminators) rendered as '.'. Client to server:

NICK aziqrnej.USER n020501 . . :#a8a67a25e Service Pack 3.JOIN #.364.

Server to client (the registration replies appear twice in the capture):

:irc 001 aziqrnej :Hi virtu.:irc 376 aziqrnej :End of /MOTD command.:irc 001 aziqrnej :Hi virtu.:irc 376 aziqrnej :End of /MOTD command..:aziqrnej JOIN #.364..:aziqrnej JOIN #.364.

Read as IRC messages, the bot registers with the nick "aziqrnej" and username "n020501", places a token and the host's service pack level ("#a8a67a25e Service Pack 3") in the real-name field, receives the 001 welcome and 376 end-of-MOTD replies, and joins the channel "#.364". The "Service Pack 3" string matches the Windows XP SP3 analysis image; the nick, username and channel are usable as network indicators alongside the irc.zief.pl hostname.
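The exchange above, reconstituted and parsed, as an added example for this page (not the report's tooling and not code from the sample). The two payloads are constructed from the Traffic lines with the sandbox's '.' turned back into CRLF. The destination port (8080) is an assumption made for illustration, since the report records the alert and the server IP but not the port, and the "standard" IRC port range used for the check is likewise this example's own choice.

```python
"""Parse an IRC registration exchange from captured payloads, extract the bot's
identifiers as indicators and reproduce the port-based verdict."""
import re

STANDARD_IRC_PORTS = range(6660, 7001)   # assumed "standard" range for the check

# Constructed from the report's Traffic section.
CLIENT_PAYLOAD = (b"NICK aziqrnej\r\n"
                  b"USER n020501 . . :#a8a67a25e Service Pack 3\r\n"
                  b"JOIN #.364\r\n")
SERVER_PAYLOAD = (b":irc 001 aziqrnej :Hi virtu\r\n"
                  b":irc 376 aziqrnej :End of /MOTD command\r\n"
                  b":aziqrnej JOIN #.364\r\n")

# RFC 1459 message shape: [":" prefix SPACE] command [SPACE params]
IRC_LINE = re.compile(rb"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")


def parse_irc(payload):
    """Split a raw IRC stream into dicts: prefix, cmd, params (list), trailing."""
    messages = []
    for raw in payload.split(b"\r\n"):
        if not raw:
            continue
        m = IRC_LINE.match(raw)
        if not m:
            continue                      # non-IRC bytes on the same socket
        params = m.group("params") or b""
        if params.startswith(b":"):
            middle, trailing = [], params[1:]
        elif b" :" in params:
            head, trailing = params.split(b" :", 1)
            middle = head.split()
        else:
            middle, trailing = params.split(), None
        messages.append({"prefix": m.group("prefix"), "cmd": m.group("cmd").upper(),
                         "params": middle, "trailing": trailing})
    return messages


def bot_profile(client_payload, server_payload, dst_port):
    """Indicators and alerts from one IRC session (client and server halves)."""
    profile = {"nick": None, "user": None, "realname": None, "channels": [],
               "registered": False, "alerts": []}
    for m in parse_irc(client_payload):
        if m["cmd"] == b"NICK" and m["params"]:
            profile["nick"] = m["params"][0].decode(errors="replace")
            if dst_port not in STANDARD_IRC_PORTS:
                profile["alerts"].append(f"IRC NICK on non-standard port {dst_port}")
        elif m["cmd"] == b"USER" and m["params"]:
            profile["user"] = m["params"][0].decode(errors="replace")
            profile["realname"] = (m["trailing"] or b"").decode(errors="replace")
            # Bots commonly stuff a victim fingerprint into the real-name field.
            if b"Service Pack" in (m["trailing"] or b""):
                profile["alerts"].append("OS version leaked in USER real-name field")
        elif m["cmd"] == b"JOIN" and m["params"]:
            profile["channels"].append(m["params"][0].decode(errors="replace"))
    for m in parse_irc(server_payload):
        if m["cmd"] == b"001":            # RPL_WELCOME: registration accepted
            profile["registered"] = True
    return profile


if __name__ == "__main__":
    for key, value in bot_profile(CLIENT_PAYLOAD, SERVER_PAYLOAD, 8080).items():
        print(f"{key:11s} {value}")
```

The same parser, pointed at a full pcap's reassembled streams, yields the nick/channel pairs that distinguish a bot's registration from a human IRC session: a machine-generated nick, a channel name such as "#.364", and an operating-system string where a real name belongs.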


The Trojan connects to the server at the following location: irc.zief.pl (148.81.111.121), as listed in the URLs table above.

Strings from Dumps

%original file name%.exe_348:

.text
`.rdata
@.data
.rsrc
@.reloc
FTPQ
1.8.0_40-b25
wwwd_args[%d] = %s
Windows original main args:
-Djava.class.path=%s
TRACER_MARKER: NativeMemoryTracking: got value %s
TRACER_MARKER: NativeMemoryTracking: putenv arg %s
TRACER_MARKER: NativeMemoryTracking: env var is %s
%s%d=%s
option[-] = '%s'
ignoreUnrecognized is %s,
----%s----
-Djava.class.path=
-Dapplication.home=%s
-Denv.class.path=%s
-Dsun.java.command=
-Dsun.java.launcher=SUN_STANDARD
dotversion:%s
fullversion:%s
javaw:%s
launcher name:%s
program name:%s
javargs:%s
debug:%s
argv[-] = '%s'
App's argc is %d
%s is '%s'
Warning: %s VM not supported; %s VM will be used
Error: %s VM not supported
Error: Unable to resolve VM alias %s
Error: Corrupt jvm.cfg file; cycle in alias list.
Default VM: %s
Error: main-class: attribute exceeds system limits of %d bytes
Error: Unable to locate JRE meeting specification "%s"
JRE-Version = %s, JRE-Restrict-Search = %s Selected = %s
Error: Syntax error in version specification "%s"
Error: Invalid or corrupt jarfile %s
Error: Unable to access jarfile %s
-Djava.awt.headless=
-Djava.awt.headless=true
Error: %s requires class path specification
%s full version "%s"
Error: %s requires jar file specification
Warning: %s option is no longer supported.
-Xrunhprof:cpu=old,file=java.prof
-Xrunhprof:cpu=old,file=%s
-Dsun.java.launcher.diag=true
%ld micro seconds to parse jvm.cfg
name: %s vmType: %s alias: %s
name: %s vmType: %s server_class: %s
jvm.cfg[%d] = ->%s<-
Warning: Unknown VM type on line %d of `%s'
Warning: Missing server class VM on line %d of `%s'
Warning: Missing VM type on line %d of `%s'
Warning: No leading - on line %d of `%s'
Error: could not open `%s'
argv[%d] = %s
\bin\splashscreen.dll
Error: Unable to resolve %s
Error: CreateProcess(%s, ...) failed:
ReExec Args: %s
ReExec Command: %s (%s)
%s\bin\%s.exe
ExecJRE: new: %s
ExecJRE: old: %s
Error: loading: %s
jvm.dll
passing arguments as-is
passing arguments as-is.
Warning: app args is larger than the original, %d %d
%s\jvm.dll
%s\bin\%s\jvm.dll
Version major.minor.micro = %s.%s
Failed reading value of registry key:
%s\%s\JavaHome
Error: Registry key '%s'\CurrentVersion'
has value '%s', but '%s' is required.
Error: Failed reading value of registry key:
%s\CurrentVersion
Error: opening registry key '%s'
Error: could not find java.dll
%s\jre\bin\java.dll
JRE path is %s
%s\bin\java.dll
-Dsun.java2d.opengl
-Dsun.java2d.d3d
-Dsun.java2d.noddraw
-Dsun.awt.warmup
Error: missing `%s' JVM at `%s'.
Error: no known VMs. (check for corrupt jvm.cfg file)
%s%slib%s%s%sjvm.cfg
Error: This Java instance does not support a %d-bit JVM.
CRT path is %s
\bin\msvcr100.dll
msvcr100.dll
Error: can't find JNI interfaces in: %s
JVM path is %s
\bin\awt.dll
\bin\java.dll
\bin\verify.dll
before: "%s"
after : "%s"
META-INF/MANIFEST.MF
1.2.8
inflate 1.2.8 Copyright 1995-2013 Mark Adler
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
GetProcessWindowStation
d:\re\puppet\workspace\8-2-build-windows-i586-cygwin\jdk8u40\2855\build\windows-i586\jdk\objs\java_objs\java.pdb
RegCloseKey
RegOpenKeyExA
RegEnumKeyA
ADVAPI32.dll
USER32.dll
COMCTL32.dll
PeekNamedPipe
GetCPInfo
GetProcessHeap
KERNEL32.dll
zcÁ
3333333333330
333333333307
PP%d(jjjjj
<assemblyIdentity version="8.0.40.25" processorArchitecture="X86" name="Oracle Corporation, Java(tm) 2 Standard Edition" type="win32"></assemblyIdentity>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS>
3"3 353@3{3
6 6$6(6,6
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXps://VVV.verisign.com/cps0*
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
USER32.DLL
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
SHELL32.DLL
hXXp://vguarder.91i.net/user.htm
hXXp://vguarder.bravehost.com/user.htm
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinExec
RegNotifyChangeKeyValue
RegOpenKeyA
ShellExecuteA
\setupx.exe
\updatex.exe
\Serverx.exe
=.exet
=.scrt
.idata
.reloc
.Uby[#
mscoree.dll
.KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
8.0.40.25
java.exe
.Java SE Development Ki

%original file name%.exe_348_rwx_00456000_00002000 (a 0x2000-byte read-write-execute region at 0x00456000 in the injected process; its strings repeat only the non-Java strings above, the two URLs, the Run key, the setupx.exe/updatex.exe/Serverx.exe names and the .exe/.scr extension checks, and so mark the injected code itself):

KERNEL32.dll
USER32.DLL
ADVAPI32.DLL
MPR.DLL
WSOCK32.DLL
SHELL32.DLL
hXXp://vguarder.91i.net/user.htm
hXXp://vguarder.bravehost.com/user.htm
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinExec
RegNotifyChangeKeyValue
RegOpenKeyA
ShellExecuteA
\setupx.exe
\updatex.exe
\Serverx.exe
=.exet
=.scrt
.idata
.reloc

Explorer.EXE_888_rwx_00FF0000_00001000:

%System%\Serverx.exe


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager). Because code was also injected into Explorer.EXE:888, log off and on again (or restart Explorer) after this step:

    %original file name%.exe:1152

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan. Except for %System%\Serverx.exe, these are legitimate programs that the Trojan wrote into; deleting them removes the application, so prefer disinfecting with an up-to-date scanner or reinstalling the affected software from trusted media, and verify any replacement's digital signature before use:

    %Program Files%\Adobe\Reader 9.0\Reader\ACROTEXTEXTRACTOR.EXE (100 bytes)
    %Program Files%\Common Files\Adobe\Updater6\ADOBEUPDATERINSTALLMGR.EXE (100 bytes)
    %Program Files%\Internet Explorer\IEXPLORE.EXE (1188 bytes)
    C:\totalcmd\TCUNINST.EXE (1300 bytes)
    %Documents and Settings%\All Users\Application Data\Adobe\Reader\9.3\ARM\ADBERDR950_EN_US.EXE (1124 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe (1044 bytes)
    %Program Files%\WinPcap\rpcapd.exe (1588 bytes)
    %Program Files%\Common Files\Java\Java Update\jaureg.exe (1556 bytes)
    %Program Files%\Outlook Express\oemig50.exe (1652 bytes)
    %Program Files%\Common Files\Adobe\ARM\1.0\READERUPDATER.EXE (356 bytes)
    %Program Files%\Internet Explorer\Connection Wizard\inetwiz.exe (1924 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\ACRORD32INFO.EXE (1604 bytes)
    %Program Files%\MSN\MSNCoreFiles\Install\msnsusii.exe (658 bytes)
    C:\totalcmd\TOTALCMD64.EXE (1510 bytes)
    %Program Files%\Common Files\Microsoft Shared\DW\DW20.EXE (548 bytes)
    %Program Files%\Messenger\msmsgs.exe (1428 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\ACROBROKER.EXE (52 bytes)
    %Program Files%\Common Files\Java\Java Update\jucheck.exe (436 bytes)
    %Program Files%\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe (1428 bytes)
    C:\totalcmd\NOCLOSE.EXE (1764 bytes)
    %System%\Serverx.exe (1504347 bytes)
    %Program Files%\Outlook Express\wabmig.exe (1236 bytes)
    %Program Files%\Common Files\Microsoft Shared\Speech\sapisvr.exe (692 bytes)
    %Program Files%\Internet Explorer\Connection Wizard\icwconn2.exe (996 bytes)
    %Program Files%\NetMeeting\conf.exe (108 bytes)
    %Program Files%\Common Files\Java\Java Update\jaucheck.exe (1300 bytes)
    %Program Files%\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe (110 bytes)
    %Program Files%\Internet Explorer\Connection Wizard\icwrmind.exe (116 bytes)
    %Program Files%\NetMeeting\cb32.exe (1540 bytes)
    %Program Files%\Outlook Express\setup50.exe (1252 bytes)
    %Program Files%\Common Files\Adobe\Updater6\ADOBE_UPDATER.EXE (1046 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\AcroRd32.exe (1236 bytes)
    %Program Files%\Internet Explorer\iedw.exe (1684 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\ADOBECOLLABSYNC.EXE (340 bytes)
    %Program Files%\Outlook Express\wab.exe (980 bytes)
    %Program Files%\NetMeeting\wb32.exe (1540 bytes)
    C:\totalcmd\NOCLOSE64.EXE (1220 bytes)
    %Program Files%\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (532 bytes)
    %Program Files%\Microsoft Office\Office14\PPTVIEW.EXE (1840 bytes)
    %Program Files%\Common Files\Adobe\ARM\1.0\AdobeARM.exe (708 bytes)
    %Program Files%\Common Files\Adobe\ARM\1.0\ACROBATUPDATER.EXE (356 bytes)
    C:\totalcmd\TCMDX64.EXE (1252 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\LOGTRANSPORT2.EXE (1060 bytes)
    %Program Files%\Movie Maker\moviemk.exe (1156 bytes)
    %Program Files%\Internet Explorer\Connection Wizard\icwconn1.exe (1876 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\Eula.exe (1556 bytes)
    C:\totalcmd\TCUNIN64.EXE (1908 bytes)
    %Program Files%\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A93000000001}\Setup.exe (1044 bytes)
    C:\totalcmd\TCMADMIN.EXE (1940 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\A3DUTILITY.EXE (596 bytes)
    %Program Files%\Common Files\Adobe\ARM\1.0\ADOBEARMHELPER.EXE (1924 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader\PDFPREVHNDLRSHIM.EXE (340 bytes)
    C:\totalcmd\TCMDX32.EXE (1684 bytes)
    %Program Files%\Common Files\Microsoft Shared\MSInfo\msinfo32.exe (692 bytes)
    %Program Files%\Outlook Express\msimn.exe (1652 bytes)
    C:\totalcmd\TcUsbRun.exe (1764 bytes)
    %Program Files%\Internet Explorer\Connection Wizard\icwtutor.exe (420 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (1316 bytes)
    C:\totalcmd\TCMADM64.EXE (356 bytes)
    C:\totalcmd\TOTALCMD.EXE (1592 bytes)
    %Program Files%\WinPcap\UNINSTALL.EXE (1552 bytes)
    %Program Files%\Internet Explorer\Connection Wizard\isignup.exe (1732 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Serverx" = "%System%\Serverx.exe"

  6. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  7. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  8. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
