Detection names: Susp_Dropper (Kaspersky), MemScan:Trojan.Injector.CLM (B) (Emsisoft), MemScan:Trojan.Injector.CLM (AdAware), Backdoor.Win32.Kelihos.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 28ef820be5e14a8830aa78a8f8bd7cb0
SHA1: b55fa6de5c2f78e9d6401898085086a8d9f8686c
SHA256: c7106c03d60f416962fcc301e02e0b234e20746ee31e5bcdc97573ccd8d6ff5e
SSDeep: 1536:0n0NunCY WMleaQQ7YdhWL2uy5OhVJQUVlGWEVd6Gqv1/2xTrCR0vDt4PmqIJyZJ:0n0NFp93cdgLZyghzBBE2GqvVKZm
Size: 122880 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-03-13 12:00:26
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The MemScan creates the following process(es):
%original file name%.exe:3676
temp1289952996.exe:2860
temp1289952996.exe:2428
temp1289952996.exe:3920
temp1289952996.exe:1084
temp1289952996.exe:3900
temp1289952996.exe:2732
temp1289952996.exe:3804
temp1289952996.exe:980
temp1289952996.exe:3556
temp1289952996.exe:2968
temp1289952996.exe:2840
temp1289952996.exe:3416
temp1289952996.exe:1924
temp1289952996.exe:1584
temp1289952996.exe:1908
temp1289952996.exe:1928
temp1289952996.exe:3040
temp1289952996.exe:1904
temp1289952996.exe:3552
temp1289952996.exe:3292
temp1289952996.exe:2308
temp1289952996.exe:1816
temp1289952996.exe:3368
temp1289952996.exe:1424
temp1289952996.exe:1980
temp1289952996.exe:540
temp1289952996.exe:772
temp1289952996.exe:2564
temp1289952996.exe:1548
temp1289952996.exe:3572
temp1289952996.exe:1256
temp1289952996.exe:2268
temp1289952996.exe:2132
temp1289952996.exe:3480
temp1289952996.exe:2684
temp1289952996.exe:2020
temp1289952996.exe:1528
temp1289952996.exe:760
temp1289952996.exe:320
temp1289952996.exe:3812
temp1289952996.exe:1388
temp1289952996.exe:3272
temp1289952996.exe:2768
temp1289952996.exe:2600
temp1289952996.exe:1452
temp1289952996.exe:2524
temp1289952996.exe:3588
temp1289952996.exe:2468
temp1289952996.exe:2760
temp1289952996.exe:2644
temp1289952996.exe:2856
temp1289952996.exe:3096
temp1289952996.exe:3524
temp1289952996.exe:1956
temp1289952996.exe:1936
temp1289952996.exe:2164
temp1289952996.exe:3408
temp1289952996.exe:100
temp1289952996.exe:3052
temp1289952996.exe:3404
temp1289952996.exe:1804
temp1289952996.exe:3508
temp1289952996.exe:3428
temp1289952996.exe:3540
temp1289952996.exe:1540
temp1289952996.exe:1656
temp1289952996.exe:3460
temp1289952996.exe:2316
temp1289952996.exe:2680
temp1289952996.exe:1720
temp1289952996.exe:3468
temp1289952996.exe:1536
temp1289952996.exe:2180
temp1289952996.exe:2752
temp1289952996.exe:1100
temp1289952996.exe:2300
temp1289952996.exe:3984
temp1289952996.exe:3848
temp1289952996.exe:1872
temp1289952996.exe:1660
INJF037.tmp:572
The MemScan injects its code into the following process(es):
temp1289952996.exe:3320
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3676 makes changes in the file system.
The MemScan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\INJF037.tmp (119 bytes)
The process temp1289952996.exe:3320 makes changes in the file system.
The MemScan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp.exe (0 bytes)
The process INJF037.tmp:572 makes changes in the file system.
The MemScan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\temp1289952996.exe (50 bytes)
Registry activity
The process %original file name%.exe:3676 makes changes in the system registry.
The MemScan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\"%CurrentUserName%"\AppData\Local\Temp]
"INJF037.tmp" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\INJF037.tmp:*:enabled:@shell32.dll,-1"
The process temp1289952996.exe:3320 makes changes in the system registry.
The MemScan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70]
"SizeCompletedValid" = "DPnltW7Y12UXz e2h9aYuPmpZyGUMxYjENnY/r7xsifzCXm6O1Ke4khccejrnjLiWg=="
[HKCU\Software\Microsoft\MediaPlayer\Preferences]
"PersistentLocalizedName" = "CB 80 F9 7F 7A 43 FA A7 28 80 00 11 E4 BC 45 6C"
[HKCU\Software\Microsoft\IMEJP\10.0\MSIME\AutoCharWidth]
"FlagsModifiedValid" = "00 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\MediaPlayer\Preferences]
"LineLoadedQuick" = "DPnltW7Y12UXz e2h9aYuPmpZyGUMxYjENnY/r7xsifzCXm6O1Ke4khccejrnjLiWg=="
[HKCU\Software\Microsoft\IMEJP\10.0\MSIME\AutoCharWidth]
"RecordModifiedMax" = "DPnltW7Y12UXz e2h9aYuPmpZyGUMxYjENnY/r7xsifzCXm6O1Ke4khccejrnjLiWg=="
[HKCU\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70]
"ActiveModifiedTheme" = "CB 80 F9 7F 87 62 E5 04 56 A7 FC 05 41 AA 5A FD"
[HKCU\Software\Microsoft\MediaPlayer\Preferences]
"DBSavedUse" = "A2 49 4D F3 D9 1E 9F 88 01 01 08 6A 00 03 99 01"
"PlatformCompressedValid" = "00 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\IMEJP\10.0\MSIME\AutoCharWidth]
"DefaultCompressedRecord" = "CB 80 F9 7F 73 33 AC 12 80 A4 D6 3F 4E 2C BA 90"
[HKCU\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70]
"InfoPlayedCurrent" = "00 00 00 00 00 00 00 00"
To automatically run itself each time Windows is booted, the MemScan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetworkSaver" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\temp1289952996.exe"
Dropped PE files
MD5 | File path |
---|---|
bbd21b75dc94c90bd950e126a2cd51c5 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\INJF037.tmp |
dbb6df3329bd5a720e68a44ad3be80aa | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\temp1289952996.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
(the same processes listed under Process activity above)
- Delete the original MemScan file.
- Delete or disinfect the following files created/modified by the MemScan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\INJF037.tmp (119 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\temp1289952996.exe (50 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetworkSaver" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\temp1289952996.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 804 | 1024 | 3.05041 | de948b51237c19ee3ce1a38f9481ff4e |
.rdata | 8192 | 680 | 1024 | 2.38568 | 92b75229156b31a066c178492656bf80 |
.data | 12288 | 856 | 512 | 2.36913 | fef61e5a6c859efbecae7afec6b7aa43 |
.rsrc | 16384 | 119240 | 119296 | 4.51548 | 07f90f3e486edbdb71342c944598ad23 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://194.165.16.66/questio.exe | |
dns.msftncsi.com | 131.107.255.255 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The MemScan connects to the servers at the following location(s):