HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.FAkeAlert.105 (B) (Emsisoft), Gen:Variant.FAkeAlert.105 (AdAware), SpyTool.Win32.Ardamax.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm, SpyTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 2d06772ece8ae1e51e85a752f9f36691
SHA1: 77ea523921d6783f77c3eb42a77ab20eec7b8e32
SHA256: 40cd28400de9d22a70f174a75f497f64055c94a92cf9bdf445fef76190b66cd9
SSDeep: 49152:4W3aS7lUDuaC7d2h8vBuGPea1dQWDct0KRvKsIYAzcuRjdg7:4WqClmrh8wG2a1dQWDct0 vpIYAz35g
Size: 2376704 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-11-29 03:06:16
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1908
The Trojan injects its code into the following process(es):
DllHost.exe:2600
KYJ.exe:1780
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process %original file name%.exe:1908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Untitled.png (37 bytes)
C:\ProgramData\VMFPQD\KYJ.01 (81 bytes)
C:\ProgramData\VMFPQD\KYJ.00 (2 bytes)
C:\ProgramData\VMFPQD\KYJ.exe (148 bytes)
C:\ProgramData\VMFPQD\KYJ.02 (55 bytes)
The process KYJ.exe:1780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\VMFPQD\KYJ.01 (81 bytes)
C:\ProgramData\VMFPQD\KYJ.02 (57 bytes)
Registry activity
The process DllHost.exe:2600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "DllHost.exe"
The process %original file name%.exe:1908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{FFE2A43C-56B9-4BF5-9A79-CC6D4285608A} {00000122-0000-0000-C000-000000000046} 0xFFFF" = "01 00 00 00 00 00 00 00 9A 42 3E 4C 38 A4 D2 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process KYJ.exe:1780 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KYJ Start" = "C:\ProgramData\VMFPQD\KYJ.exe"
Dropped PE files
MD5 | File path |
---|---|
677892e571baed3b0cd45034d1d2b526 | c:\ProgramData\VMFPQD\KYJ.01 |
c97340758a8cc51c7d8e4e7a948e8034 | c:\ProgramData\VMFPQD\KYJ.02 |
38748d0c113190d91f055c411a673fc9 | c:\ProgramData\VMFPQD\KYJ.exe |
677892e571baed3b0cd45034d1d2b526 | c:\Users\All Users\VMFPQD\KYJ.01 |
c97340758a8cc51c7d8e4e7a948e8034 | c:\Users\All Users\VMFPQD\KYJ.02 |
38748d0c113190d91f055c411a673fc9 | c:\Users\All Users\VMFPQD\KYJ.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1908
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Untitled.png (37 bytes)
C:\ProgramData\VMFPQD\KYJ.01 (81 bytes)
C:\ProgramData\VMFPQD\KYJ.00 (2 bytes)
C:\ProgramData\VMFPQD\KYJ.exe (148 bytes)
C:\ProgramData\VMFPQD\KYJ.02 (55 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KYJ Start" = "C:\ProgramData\VMFPQD\KYJ.exe"
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 39780 | 39936 | 4.43265 | eedbd97577efee705799e5088d631754 |
.rdata | 45056 | 9024 | 9216 | 3.80362 | e90f05f88c415780d3f266cca5fc7161 |
.data | 57344 | 8032 | 3584 | 1.58914 | 5929457daefb2fbd1c5231b40b14c60e |
.rsrc | 65536 | 2317628 | 2317824 | 5.32031 | 064b5f6b6a687f980dd90fa9855172f7 |
.reloc | 2383872 | 4734 | 5120 | 2.50755 | 9365d91ef544c8a55cfdf3c3e67a58cc |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):