Trojan.Agent.CERV_1efbf2304a

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:1672

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1672 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\FailedToInstall[1].htm (715 bytes)

Registry activity

The process %original file name%.exe:1672 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\1efbf2304affff18e3c27d46f2857f34_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\1efbf2304affff18e3c27d46f2857f34_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\1efbf2304affff18e3c27d46f2857f34_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\1efbf2304affff18e3c27d46f2857f34_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\1efbf2304affff18e3c27d46f2857f34_RASAPI32]
"FileDirectory" = "%windir%\tracing"

"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:

   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\FailedToInstall[1].htm (715 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	748736	749056	5.50177	400afa4952ef65e0f0607ef78a71f7fa
.data	753664	86268	86528	5.52627	b325cf1a4ede1197135d3b33ca98294f
/16	843776	4352	4608	4.44673	78c354605d5f9a836d3b946a302c1859
/24	851968	8448	8704	4.50806	4f226a906aabbbe68035b3dc9fa09baf
.rdata	864256	4352	4608	4.45075	269499be580dee942ff7a6b6e2d8640a
.bss	872448	4608	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	880640	8168	8192	3.91373	448493d1a0f4947b57a0833b8c045ed2
.tls	888832	44	512	0.139696	31f6ae0efbc8665f66a532ed2022ca95
.rsrc	892928	14988	15360	3.5628	231239b870f6086688cb6c581ac8d678

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 226
e51b3190630594e2fc0d539eca76dbe1
0f38c65c3192a568a0f127781c3e1ad3
e3bd26be518ceabd5cb92753e9cb62ea
a968722a5bb17642c70cd94916416062
2982e6344d97dd051041ffb1df962f7a
4db81dd1bc58bc011c24cee917727de5
3ab8386945e5dd57601b123757071cdf
0b2e22a7e3e640c65e22c170d18200af
a042a31a457f2de9db52ba319a92ba28
fa71e68ab4dd87e5914d76aefcce4167
992b6b530dca98ded19afaae9efd2b45
8d1bbaa093d8eed9bf2d670405828f91
9b7bbbcc4f885b2f42feab41d4588e07
3934f7b9d9cedc60006f610ebfde6240
aa47ef9ec47abaf79ef82608f3fc6f05
1629fd0d4d7e163be648c6bd2dff05ce
62837e65e692b8af8460d4496e846336
62aa718f519adac90ae0c713643c874e
d84402f76949a9319a0ccd1d47b49696
a4e32eab780d1610c83087e8427a323d
9da428f0d8eb0e99ab0f2c862a691824
91e4486091aacbd4d0025e54a10a5f5b
39754dd314a177c524a15f785ea29a47
615cfb960d8b8410e19209f191b4dae6
eefeb47f359807ae59a07515d18ace15
c363ec9646738ba53a5eeee47f6a637e

Network Activity

URLs

URL	IP
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/index.php
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/FailedToInstall.php?reason=8&version=1.1.5.26
hxxp://www.quaintspokenracketiest.site/index.php	54.243.162.153
hxxp://www.quaintspokenracketiest.site/FailedToInstall.php?reason=8&version=1.1.5.26	54.243.162.153

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps