HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.20060411 (B) (Emsisoft), Trojan.Generic.20060411 (AdAware)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 8c7149b7530269fbb535ca64da117aa6
SHA1: 207504f848cbe2417ae0ea2861aa77e464d61add
SHA256: 054be15a9a88e508b1c1f6e6a6d5efe40e89e2e1d8e90ed2e9a770fd81c6a365
SSDeep: 3072:3fT417fq5TPO qPBGiYSY/kX/FV6lh96qP/RQ9IAkwUXQheofMMyM6MOBAw95adb:vT417fCqPQifYMAv96qP/RQiAkwgQheC
Size: 193536 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2016-12-19 23:30:18
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1652
The Trojan injects its code into the following process(es):
%original file name%.exe:3656
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
No files have been created.
Registry activity
The process %original file name%.exe:3656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"client" = "c:\%original file name%.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1652
- Delete the original Trojan file.
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"client" = "c:\%original file name%.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: File
Product Name: File
Product Version: 1.0.0.0
Legal Copyright: File
Legal Trademarks: File
Original Filename: File.exe
Internal Name: File.exe
File Version: 1.0.0.0
File Description: File
Comments: File
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 191300 | 191488 | 4.43228 | 6393fc6a43b56251f8462f8d3ffde074 |
.reloc | 204800 | 12 | 512 | 0.056519 | ba0a61df8d833715db3d10b6202cfa9f |
.rsrc | 212992 | 852 | 1024 | 1.82251 | 23df5d9b1127c879498395f91f4c2d3e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hohoangpmy.ddns.net |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_3656:
.text
`.reloc
v2.0.50727
System.Runtime.CompilerServices
.ctor
System.Diagnostics
System.Threading
Microsoft.VisualBasic.Devices
System.Windows.Forms
get_ExecutablePath
Microsoft.VisualBasic
Microsoft.VisualBasic.CompilerServices
System.CodeDom.Compiler
Operators
Microsoft.Win32
RegistryKey
OpenSubKey
System.Reflection
System.IO
System.Net.Sockets
TcpClient
System.Globalization
System.Net
System.Text
System.Management
System.Collections.Generic
System.IO.Compression
Nuclear Explosion.exe
avicap32.dll
kernel32.dll
ntdll.dll
Ports
.cctor
_CorExeMain
mscoree.dll
hohoangpmy.ddns.net,
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0
%original file name%.exe_3656_rwx_00400000_00008000:
.text
`.reloc
v2.0.50727
System.Runtime.CompilerServices
.ctor
System.Diagnostics
System.Threading
Microsoft.VisualBasic.Devices
System.Windows.Forms
get_ExecutablePath
Microsoft.VisualBasic
Microsoft.VisualBasic.CompilerServices
System.CodeDom.Compiler
Operators
Microsoft.Win32
RegistryKey
OpenSubKey
System.Reflection
System.IO
System.Net.Sockets
TcpClient
System.Globalization
System.Net
System.Text
System.Management
System.Collections.Generic
System.IO.Compression
Nuclear Explosion.exe
avicap32.dll
kernel32.dll
ntdll.dll
Ports
.cctor
_CorExeMain
mscoree.dll
hohoangpmy.ddns.net,
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0