Skip to main content

Trojan.Generic.20060411_8c7149b753


HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.20060411 (B) (Emsisoft), Trojan.Generic.20060411 (AdAware)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 8c7149b7530269fbb535ca64da117aa6

SHA1: 207504f848cbe2417ae0ea2861aa77e464d61add

SHA256: 054be15a9a88e508b1c1f6e6a6d5efe40e89e2e1d8e90ed2e9a770fd81c6a365

SSDeep: 3072:3fT417fq5TPO qPBGiYSY/kX/FV6lh96qP/RQ9IAkwUXQheofMMyM6MOBAw95adb:vT417fCqPQifYMAv96qP/RQiAkwgQheC

Size: 193536 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: no certificate found

Created at: 2016-12-19 23:30:18

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1652

The Trojan injects its code into the following process(es):

%original file name%.exe:3656

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

No files have been created.

Registry activity

The process %original file name%.exe:3656 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:


To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"client" = "c:\%original file name%.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1652

  2. Delete the original Trojan file.
  3. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "client" = "c:\%original file name%.exe"

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: File
Product Name: File
Product Version: 1.0.0.0
Legal Copyright: File
Legal Trademarks: File
Original Filename: File.exe
Internal Name: File.exe
File Version: 1.0.0.0
File Description: File
Comments: File
Language: English (United States)

Company Name: FileProduct Name: FileProduct Version: 1.0.0.0Legal Copyright: FileLegal Trademarks: FileOriginal Filename: File.exeInternal Name: File.exeFile Version: 1.0.0.0File Description: FileComments: FileLanguage: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text81921913001914884.432286393fc6a43b56251f8462f8d3ffde074
.reloc204800125120.056519ba0a61df8d833715db3d10b6202cfa9f
.rsrc21299285210241.8225123df5d9b1127c879498395f91f4c2d3e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hohoangpmy.ddns.net

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_3656:

.text

.text

`.reloc

`.reloc

v2.0.50727

v2.0.50727

System.Runtime.CompilerServices

System.Runtime.CompilerServices

.ctor

.ctor

System.Diagnostics

System.Diagnostics

System.Threading

System.Threading

Microsoft.VisualBasic.Devices

Microsoft.VisualBasic.Devices

System.Windows.Forms

System.Windows.Forms

get_ExecutablePath

get_ExecutablePath

Microsoft.VisualBasic

Microsoft.VisualBasic

Microsoft.VisualBasic.CompilerServices

Microsoft.VisualBasic.CompilerServices

System.CodeDom.Compiler

System.CodeDom.Compiler

Operators

Operators

Microsoft.Win32

Microsoft.Win32

RegistryKey

RegistryKey

OpenSubKey

OpenSubKey

System.Reflection

System.Reflection

System.IO

System.IO

System.Net.Sockets

System.Net.Sockets

TcpClient

TcpClient

System.Globalization

System.Globalization

System.Net

System.Net

System.Text

System.Text

System.Management

System.Management

System.Collections.Generic

System.Collections.Generic

System.IO.Compression

System.IO.Compression

Nuclear Explosion.exe

Nuclear Explosion.exe

avicap32.dll

avicap32.dll

kernel32.dll

kernel32.dll

ntdll.dll

ntdll.dll

Ports

Ports

.cctor

.cctor

_CorExeMain

_CorExeMain

mscoree.dll

mscoree.dll

hohoangpmy.ddns.net,

hohoangpmy.ddns.net,

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\

HKEY_CURRENT_USER\SOFTWARE\

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0

%original file name%.exe_3656_rwx_00400000_00008000:

.text

.text

`.reloc

`.reloc

v2.0.50727

v2.0.50727

System.Runtime.CompilerServices

System.Runtime.CompilerServices

.ctor

.ctor

System.Diagnostics

System.Diagnostics

System.Threading

System.Threading

Microsoft.VisualBasic.Devices

Microsoft.VisualBasic.Devices

System.Windows.Forms

System.Windows.Forms

get_ExecutablePath

get_ExecutablePath

Microsoft.VisualBasic

Microsoft.VisualBasic

Microsoft.VisualBasic.CompilerServices

Microsoft.VisualBasic.CompilerServices

System.CodeDom.Compiler

System.CodeDom.Compiler

Operators

Operators

Microsoft.Win32

Microsoft.Win32

RegistryKey

RegistryKey

OpenSubKey

OpenSubKey

System.Reflection

System.Reflection

System.IO

System.IO

System.Net.Sockets

System.Net.Sockets

TcpClient

TcpClient

System.Globalization

System.Globalization

System.Net

System.Net

System.Text

System.Text

System.Management

System.Management

System.Collections.Generic

System.Collections.Generic

System.IO.Compression

System.IO.Compression

Nuclear Explosion.exe

Nuclear Explosion.exe

avicap32.dll

avicap32.dll

kernel32.dll

kernel32.dll

ntdll.dll

ntdll.dll

Ports

Ports

.cctor

.cctor

_CorExeMain

_CorExeMain

mscoree.dll

mscoree.dll

hohoangpmy.ddns.net,

hohoangpmy.ddns.net,

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\

HKEY_CURRENT_USER\SOFTWARE\

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0