Trojan.Win32.Inject.acakz (Kaspersky), Gen:Trojan.Heur.@BWbrDFZ6chbh (B) (Emsisoft), Gen:Trojan.Heur.@BWbrDFZ6chbh (AdAware), Trojan.Win32.Swrort.3.FD, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: bc5ae6bb52956d8da7f7af3cdbf14683
SHA1: f538ce86b89702f9b778ee76607177bd7b802d2c
SHA256: a61a9d0ba14890b9459b2e9a2869d63ffdcbe2ce931fe45c9ef94a8eed692be0
SSDeep: 98304:A9hVm8Tf4RCjIW/qfUEoviVbwEEMweSgdpGJpuand026lf3SjhOyi:AX08TfkCjb/PxLEhyLph36lfSYyi
Size: 4839936 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 2016-09-16 19:40:46
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
wbmoney.exe:1256
wbmoney.exe:2052
wbmoney.exe:3752
wbmoney.exe:3460
%original file name%.exe:2604
setmss.exe:644
setmss.exe:3440
LLVier.exe:472
LLVier.exe:1612
LLVier.exe:3352
The Trojan injects its code into the following process(es):
setmss.exe:3368
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process wbmoney.exe:3752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016112620161127\index.dat (16 bytes)
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F5BEJ4YJ\flowtips[1].htm (2862 bytes)
The process %original file name%.exe:2604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Fonts\win\LLVier.exe (424 bytes)
C:\Windows\wbmoney.exe (614 bytes)
C:\Windows\LLViewer.exe (2 bytes)
C:\Windows\Fonts\win\setmss.exe (2 bytes)
C:\Windows\updatezb.exe (196 bytes)
C:\Windows\Fonts\win\TTHB.bat (5 bytes)
C:\Windows\TbViewer.exe (3 bytes)
C:\Windows\Config.ini (155 bytes)
C:\ .bat (113 bytes)
C:\Windows\Fonts\win\TB.bat (223 bytes)
C:\Windows\Alexa.dll (1 bytes)
The process setmss.exe:3368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\1_0_ttbrowser.exe[1].zip (1133516 bytes)
C:\Windows\Fonts\win\1_0_ttbrowser.exe.zip (950255 bytes)
C:\Windows\Fonts\win\update.txt (166 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\ttll\vest3368\Cookies\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\update_stworker[1].txt (166 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\ttll\vest3368\Cookies\R2QLPNUL.txt (116 bytes)
The Trojan deletes the following file(s):
C:\Windows\Fonts\win\update.txt (0 bytes)
The process setmss.exe:644 makes changes in the file system.
The Trojan deletes the following file(s):
C:\Windows\System32\config\systemprofile\AppData\Local\ttll\vest644\Cookies (0 bytes)
C:\Windows\System32\config\systemprofile\AppData\Local\ttll\vest644\Cache (0 bytes)
C:\Windows\System32\config\systemprofile\AppData\Local\ttll\vest644 (0 bytes)
C:\Windows\System32\config\systemprofile\AppData\Local\ttll\vest644\History (0 bytes)
The process setmss.exe:3440 makes changes in the file system.
The Trojan deletes the following file(s):
C:\Windows\System32\config\systemprofile\AppData\Local\ttll\vest3440 (0 bytes)
C:\Windows\System32\config\systemprofile\AppData\Local\ttll\vest3440\Cookies (0 bytes)
C:\Windows\System32\config\systemprofile\AppData\Local\ttll\vest3440\History (0 bytes)
C:\Windows\System32\config\systemprofile\AppData\Local\ttll\vest3440\Cache (0 bytes)
The process LLVier.exe:3352 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Fonts\win\browser\QtCore4.dll (77238 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\1_0_QtGui4.dll[1].zip (264629 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XDZVB81J.txt (113 bytes)
C:\Windows\Fonts\win\1_0_browser.exe.zip (29536 bytes)
C:\Windows\Fonts\win\LLVier.exe (15168 bytes)
C:\Windows\Fonts\win\1_0_QtGui4.dll.zip (227889 bytes)
C:\Windows\Fonts\win\browser\browser.exe (10136 bytes)
C:\Windows\Fonts\win\update.txt (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\1_0_browser.exe[1].zip (35992 bytes)
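The file-activity listing above is most useful as a set of host indicators. The following triage script is an added example, not part of the Lavasoft report: it copies the hashes and size from the Summary and the drop paths from the File activity section, checks a directory tree (standing in for the system drive) for those paths, and hashes only files whose size matches the sample before comparing SHA-256. The demo tree it builds is constructed data; the file contents are placeholders, not the sample. Executables under C:\Windows\Fonts\ deserve the most weight on their own, since the Fonts folder is not a normal drop location and Explorer hides its raw contents; generic names such as Config.ini or Alexa.dll are weaker on their own and should be confirmed by hash or timeline.

```python
"""IOC triage for the sample in this report (added example, not Lavasoft's code).
Hashes, size and drop paths come from the report; the demo tree is constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

# From the Summary section.
SAMPLE_HASHES = {
    "md5": "bc5ae6bb52956d8da7f7af3cdbf14683",
    "sha1": "f538ce86b89702f9b778ee76607177bd7b802d2c",
    "sha256": "a61a9d0ba14890b9459b2e9a2869d63ffdcbe2ce931fe45c9ef94a8eed692be0",
}
SAMPLE_SIZE = 4839936

# Paths written by the sample (File activity), relative to the system drive.
# Files under Windows/Fonts/win/ are the strongest indicators in this list.
DROPPED_FILES = [
    "Windows/Fonts/win/LLVier.exe",
    "Windows/Fonts/win/setmss.exe",
    "Windows/Fonts/win/TTHB.bat",
    "Windows/Fonts/win/TB.bat",
    "Windows/Fonts/win/update.txt",
    "Windows/Fonts/win/1_0_ttbrowser.exe.zip",
    "Windows/Fonts/win/1_0_browser.exe.zip",
    "Windows/Fonts/win/1_0_QtGui4.dll.zip",
    "Windows/Fonts/win/browser/browser.exe",
    "Windows/Fonts/win/browser/QtCore4.dll",
    "Windows/wbmoney.exe",
    "Windows/LLViewer.exe",
    "Windows/TbViewer.exe",
    "Windows/updatezb.exe",
    "Windows/Alexa.dll",      # generic name: confirm by hash before acting on it
    "Windows/Config.ini",     # generic name: confirm by hash before acting on it
]


def _digests(chunks):
    """Run MD5, SHA-1 and SHA-256 over an iterable of byte chunks in one pass."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> dict:
    return _digests([data])


def hash_file(path: Path) -> dict:
    with open(path, "rb") as f:
        return _digests(iter(lambda: f.read(1 << 20), b""))


def is_sample(path: Path) -> bool:
    """Size filter first, so only candidates of exactly 4839936 bytes get hashed."""
    if path.stat().st_size != SAMPLE_SIZE:
        return False
    return hash_file(path)["sha256"] == SAMPLE_HASHES["sha256"]


def scan_tree(root: Path) -> dict:
    """Report which known drop paths exist under root (root stands in for C:\\)
    and which files anywhere under root match the sample by size and SHA-256."""
    dropped = [rel for rel in DROPPED_FILES if (root / rel).is_file()]
    hash_matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_sample(p):
                hash_matches.append(p.relative_to(root).as_posix())
    return {"dropped_files": sorted(dropped), "hash_matches": sorted(hash_matches)}


def build_demo_tree(root: Path) -> None:
    """Constructed test data: two of the drop paths plus an unrelated file.
    The bodies are placeholders, not the real binaries."""
    for rel, body in [
        ("Windows/Fonts/win/LLVier.exe", b"MZ placeholder, not the dropper"),
        ("Windows/wbmoney.exe", b"MZ placeholder, not the dropper"),
        ("Windows/System32/notepad.exe", b"MZ unrelated placeholder"),
    ]:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)


def demo_scan() -> dict:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    print(demo_scan())
```

On a live host, call `scan_tree(Path("C:/"))` from an elevated prompt; the size check keeps the full-tree hashing pass cheap, and a hit in `dropped_files` without a hit in `hash_matches` usually means the dropper was deleted after staging (the report shows setmss.exe cleaning up its own per-PID directories), so pivot to the dropped files' own hashes and the process tree rather than waiting for the original executable.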
Strings (query-parameter fragments recovered from the sample; unreadable runs and duplicate entries removed):
&ip
&key&num
&mode
&hostid&clntid&ver&isclnt&r
&search-bton&event_submit_do_new_search_auction&_input_charset&topSearch&atype&searchfrom&action&from&ttid
&keyword&catelogyList
&uin