Gen.Variant.Mikey.53671_a5f67d7258 – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3640
AF8.tmp.exe:704
2DB5.tmp.exe:3392

The Trojan injects its code into the following process(es):

2DB5.tmp.exe:3784
mshta.exe:1876

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:3640 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2DB5.tmp.exe (203151 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AF8.tmp.exe (14717 bytes)

The process AF8.tmp.exe:704 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Admin Cleaner\Admin Cleaner.exe (601 bytes)

The process 2DB5.tmp.exe:3784 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\install.js (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\pt.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.ocx (998 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\install.1479267018.zip (283430 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\logo_Yandex_RU_UA_vertical.png (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\shell_scripts\check_if_cscript_is_working.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\uTorrent\settings.dat.new (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SP9GL4YV.txt (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\shell_scripts\shell_ping_after_close.js (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\loading.gif (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\index.hta (617 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\1f91d2d17ea675d4c2c3192e241743f9_88dcd395-b062-45b3-a6cd-79f37c0eba08 (105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\es5-shim.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\BP8T0ROY.txt (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_utorrent.ico (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\index.hta.log (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\br.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\ru.json (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_bittorrent.ico (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\common.js (350 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\fr.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\search_protect.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\styles\common.css (102 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\en.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\utt5041.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.dll (933 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\yandex_horz.png (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\de.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\uninstall.hta (575 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\uninstall.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\yandex_horz_ru.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\initialize.js (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\yandex_browser_setup.bmp (204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_icon.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\bt_icon_48px.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\styles\installer.css (587 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\es.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\it.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\shell_scripts\shell_install_offer.js (7 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\utt5041.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SP9GL4YV.txt (0 bytes)

The process mshta.exe:1876 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\index.hta.log (33 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_utorrent.ico (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\json[1].js (321 bytes)

Registry activity

The process %original file name%.exe:3640 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"

The process AF8.tmp.exe:704 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\SecureWebChannel]
"channel" = "UN"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"

The process 2DB5.tmp.exe:3784 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}]
"(Default)" = "ActiveBinderX Control"

[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Classes\FalconBetaAccount]
"remote_access_client_id" = "3465448718"

[HKCU\Software\BitTorrent\uTorrent]
"OfferProvider" = ""

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Verb]
"(Default)" = ""

[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0]
"(Default)" = "ActiveBinderProj Library"

[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}]
"(Default)" = "FS"

[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\TypeLib]
"(Default)" = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}"

[HKCR\FS.ActiveBinderX]
"(Default)" = "ActiveBinderX Control"

[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.ocx"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\ToolboxBitmap32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.ocx,1"

[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\TypeLib]
"(Default)" = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}"

[HKCU\Software\BitTorrent\uTorrent]
"OfferViaCAU" = "0"

[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}]
"(Default)" = "IActiveBinderXEvents"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\FS.ActiveBinderX\Clsid]
"(Default)" = "{4E120188-0CAC-468C-B2D9-9D1F079EBC25}"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\ProgID]
"(Default)" = "FS.ActiveBinderX"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Control]
"(Default)" = ""

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\MiscStatus]
"(Default)" = "0"

[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\Verb\0]
"(Default)" = "Properties,0,2"

[HKCR\Interface\{8ACDC97A-ED69-44A0-9FA7-214AB3450F2D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\FLAGS]
"(Default)" = "2"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\TypeLib]
"(Default)" = "{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\MiscStatus\1]
"(Default)" = "205201"

[HKCU\Software\BitTorrent\uTorrent]
"OfferName" = ""

[HKCR\Interface\{C936EC34-11FC-4F15-81C3-8AA143BA8E4B}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{4E120188-0CAC-468C-B2D9-9D1F079EBC25}\InprocServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.ocx"

[HKCU\Software\BitTorrent\uTorrent]
"OfferAccepted" = "0"

[HKCR\TypeLib\{C86D85A1-58F7-4E88-993F-F6435AAAAE5F}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\"

The process mshta.exe:1876 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1299588363"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"
"WpadDecisionTime" = "E0 96 8A CC B9 3F D2 01"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "mshta.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadNetworkName" = "Network 2"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\mshta_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "E0 96 8A CC B9 3F D2 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5	File path
5fe59fc57869508e1c84812dbd36ce3b	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\2DB5.tmp.exe
abd8436cde5d6d9e93f100696833a432	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\AF8.tmp.exe
eaba486ca44ce139b1a6c2520fe61837	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.dll
eed49c88dba5f2aa10cbd3acf66d899d	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.ocx
abd8436cde5d6d9e93f100696833a432	c:\Users\"%CurrentUserName%"\AppData\Roaming\Admin Cleaner\Admin Cleaner.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3640
AF8.tmp.exe:704
2DB5.tmp.exe:3392
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\2DB5.tmp.exe (203151 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\AF8.tmp.exe (14717 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Admin Cleaner\Admin Cleaner.exe (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\install.js (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\pt.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.ocx (998 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\install.1479267018.zip (283430 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\logo_Yandex_RU_UA_vertical.png (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\shell_scripts\check_if_cscript_is_working.js (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\uTorrent\settings.dat.new (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SP9GL4YV.txt (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\shell_scripts\shell_ping_after_close.js (312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\loading.gif (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\index.hta (617 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\1f91d2d17ea675d4c2c3192e241743f9_88dcd395-b062-45b3-a6cd-79f37c0eba08 (105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\es5-shim.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\BP8T0ROY.txt (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_utorrent.ico (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\index.hta.log (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\br.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\ru.json (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_bittorrent.ico (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\common.js (350 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\fr.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\search_protect.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\styles\common.css (102 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\en.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\utt5041.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\3rdparty\FS.dll (933 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\yandex_horz.png (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\de.json (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\uninstall.hta (575 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\uninstall.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\yandex_horz_ru.png (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\scripts\initialize.js (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\yandex_browser_setup.bmp (204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\main_icon.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\images\bt_icon_48px.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\styles\installer.css (587 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\es.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\i18n\it.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\HYD5706.tmp.1479267018\HTA\shell_scripts\shell_install_offer.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\json[1].js (321 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Russian

Company Name: Product Name: Product Version: Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: File Description: Comments: Language: Russian

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	804428	804864	4.03481	155fea8d8fe3d0ecd5d1496f7e6807ae
.rdata	811008	15226	15360	3.72657	7ec49599859d637936160683ed7c4691
.data	827392	19468	5120	2.36152	dca73757d8c69906e7ea30d4a202ef06
.rsrc	847872	1944	2048	3.40613	906292853ebc9065ed2761365638d1c5
.reloc	851968	37846	37888	4.38762	bbca78fffe2008893ae82c0edbdc7037

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=50
hxxp://download-new.utorrent.com/endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/110339694/
hxxp://ip-api.com/json?callback=jQuery19104680431319236995_1479267031092&_=1479267031093
hxxp://com-utorrent-prod-bench-290894750.us-east-1.elb.amazonaws.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFiZWdpbiIsInBpZCI6IjM3ODQiLCJoIjoibzNlTmlNS0RVQWtSckVMYiIsInYiOiIxMTAzMzk2OTQiLCJiIjo0MjYwNiwiY2wiOiJ1VG9ycmVudCIsImxuZyI6InJ1Iiwib3NhIjoiMzIiLCJzbG5nIjoiZW4iLCJkYiI6IldpbmRvd3MgSW50ZXJuZXQgRXhwbG9yZXIiLCJkYnYiOiI5LjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjQ5LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiNTQuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiJXaW5kb3dzIEludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjkuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9XSwiaXAiOiIxOTQuMjQyLjk2LjIyNiIsImNuIjoiVWtyYWluZSIsInBhY2tpZCI6InJ1X3lhbmRleF9pcyJ9
hxxp://download-lb.utorrent.com/endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/110339694/	67.215.238.66
hxxp://i-50.b-000.xyz.bench.utorrent.com/e?i=50	107.20.217.71
hxxp://i-50.b-000.xyz.bench.utorrent.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFiZWdpbiIsInBpZCI6IjM3ODQiLCJoIjoibzNlTmlNS0RVQWtSckVMYiIsInYiOiIxMTAzMzk2OTQiLCJiIjo0MjYwNiwiY2wiOiJ1VG9ycmVudCIsImxuZyI6InJ1Iiwib3NhIjoiMzIiLCJzbG5nIjoiZW4iLCJkYiI6IldpbmRvd3MgSW50ZXJuZXQgRXhwbG9yZXIiLCJkYnYiOiI5LjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjQ5LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiNTQuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiJXaW5kb3dzIEludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjkuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9XSwiaXAiOiIxOTQuMjQyLjk2LjIyNiIsImNuIjoiVWtyYWluZSIsInBhY2tpZCI6InJ1X3lhbmRleF9pcyJ9	107.20.217.71
router.utorrent.com	82.221.103.244
s3-us-west-2.amazonaws.com	54.231.176.240
router.bittorrent.com	67.215.246.10
api.mediaconfig.net	104.27.181.218
s3.amazonaws.com	54.231.113.200

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /e?i=50 HTTP/1.1

Host: i-50.b-000.xyz.bench.utorrent.com

User-Agent: Hydra HttpRequest

Connection: close

Content-Length: 248

{"eventName":"hydra1","action":"packDownloadStarted","type":"i","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"1","v":"110339694","cl":"uTorrent","osv":"6.1","l":"en","pid":"3784","h":"o3eNiMKDUAkRrELb","sid":"o3eNiMKDUAkRrELb1479267018","order":"1"}

HTTP/1.1 200 OK

Content-Type: text/html

Date: Wed, 16 Nov 2016 03:30:19 GMT

Server: nginx

X-Powered-By: PHP/5.4.30

Content-Length: 21

Connection: Close

{"response_code":200}..

GET /json?callback=jQuery19104680431319236995_1479267031092&_=1479267031093 HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: ip-api.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Content-Type: text/javascript; charset=utf-8

Date: Wed, 16 Nov 2016 03:30:41 GMT

Content-Length: 321

jQuery19104680431319236995_1479267031092({"as":"AS31561 PITLINE-AS","city":"Kharkiv","country":"Ukraine","countryCode":"UA","isp":"Pitline Ltd","lat":49.9808,"lon":36.2527,"org":"Pitline Ltd","query":"194.242.96.226","region":"63","regionName":"Kharkivs'ka Oblast'","status":"success","timezone":"Europe/Kiev","zip":""});HTTP/1.1 200 OK..Access-Control-Allow-Origin: *..Content-Type: text/javascript; charset=utf-8..Date: Wed, 16 Nov 2016 03:30:41 GMT..Content-Length: 321..jQuery19104680431319236995_1479267031092({"as":"AS31561 PITLINE-AS","city":"Kharkiv","country":"Ukraine","countryCode":"UA","isp":"Pitline Ltd","lat":49.9808,"lon":36.2527,"org":"Pitline Ltd","query":"194.242.96.226","region":"63","regionName":"Kharkivs'ka Oblast'","status":"success","timezone":"Europe/Kiev","zip":""});..

GET /endpoint/hydra-ut/os/win7/track/stable/browser/ie/os-region/US/os-lang/en/os-ver/6.1/enc-ver/110339694/ HTTP/1.1

Host: download-lb.utorrent.com

User-Agent: Hydra HttpRequest

Connection: close

Content-Length: 0

HTTP/1.1 200 OK

Server: nginx/1.6.1

Date: Wed, 16 Nov 2016 03:30:19 GMT

Content-Type: application/octet-stream

Content-Length: 2433394

Connection: close

X-bt-sig: e45628ba9017b03bf753bb594522832bb887f01252f10e491abd62777107f08c164919d4cd2c6a689096026ed96ba079eae046a1f8e849ee260627522f6e3e8187fafc361ac39ee6ea4286bc191fe72d2b04fdc1c1e959967f9b1071bd545a21d57cf685d753e90fe2716cbc373f6111bbc08e80a8ab6dc4e7b7ca1875491d3250a413091460df232811157e8ac94ccc16e27f86e1b2fae06d85134b412bfea212ca232e8d54563d735c41cdc5e9fa04e71e6bc882efe31a3785104a37fe8d1518016cc9816654e2d16f3cfa2c55726e9a0f7547367f873b23eb28f8c00937e6f30a8cd6aa6fdc6170de1da1630830d62b7b81d84ddf630cefcc3727a277846c

Last-Modified: Wed, 26 Oct 2016 01:55:28 0000

Accept-Ranges: none

Content-Disposition: attachment; filename="hta.zip"

X-bt-size: 2433394

Cache-Control: private

X-rl-mx: true

Rule-UUID: de7f6050-4f7c-45cf-a888-37b23152e2e9

Content-MD5: a2929026e7bb88527b8fae3606ec75fa

Expires: Tue, 01 Jan 1980 00:00:00 0000

X-bt-hash: 827ff98342a0f809fee80ea0dd3a701d77d2578d

PK.........[YIF1~ti...i.......index.hta<html>..<head>. <title>Loading...</title>. <meta charset="utf-8">. <meta http-equiv="X-UA-Compatible" content="IE=9">. <meta http-equiv="MSThemeCompatible" content="yes">.. <script src="scripts/initialize.js"></script>.. <link rel="stylesheet" href="styles/common.css"/>.. ..</head>..<body class="installer_body">. . <div id='loading_img'></div>.</body>..<script src="scripts/common.js"></script>..<script src="scripts/install.js"></script>..</html>.PK.........[YIw[Yy?...?.......uninstall.hta<html>..<head>. <title>Loading...</title>. <meta charset="utf-8">. <meta http-equiv="X-UA-Compatible" content="IE=9">. <meta http-equiv="MSThemeCompatible" content="yes">.. <script src="scripts/initialize.js"></script>.. <link rel="stylesheet" href="styles/common.css"/>... ..</head>..<body class="installer_body">.</body>..<script src="scripts/common.js"></script>...<script src="scripts/uninstall.js"></script

<<< skipped >>>

POST /e?i=50 HTTP/1.1

Host: i-50.b-000.xyz.bench.utorrent.com

User-Agent: Hydra HttpRequest

Connection: close

Content-Length: 234

{"eventName":"hydra1","action":"begin","type":"i","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"1","v":"110339694","cl":"uTorrent","osv":"6.1","l":"en","pid":"3784","h":"o3eNiMKDUAkRrELb","sid":"o3eNiMKDUAkRrELb1479267018","order":"0"}

HTTP/1.1 200 OK

Content-Type: text/html

Date: Wed, 16 Nov 2016 03:30:19 GMT

Server: nginx

X-Powered-By: PHP/5.4.30

Content-Length: 21

Connection: Close

{"response_code":200}..

POST /e?i=50 HTTP/1.1

Host: i-50.b-000.xyz.bench.utorrent.com

User-Agent: Hydra HttpRequest

Connection: close

Content-Length: 261

{"eventName":"hydra1","action":"packDownloadResult","type":"i","result":"1","cau":"0","pv":"","cc":"0","bkt1":"0","ssb":"11","v":"110339694","cl":"uTorrent","osv":"6.1","l":"en","pid":"3784","h":"o3eNiMKDUAkRrELb","sid":"o3eNiMKDUAkRrELb1479267018","order":"2"}

HTTP/1.1 200 OK

Content-Type: text/html

Date: Wed, 16 Nov 2016 03:30:29 GMT

Server: nginx

X-Powered-By: PHP/5.4.30

Content-Length: 21

Connection: Close

{"response_code":200}..

GET /e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFiZWdpbiIsInBpZCI6IjM3ODQiLCJoIjoibzNlTmlNS0RVQWtSckVMYiIsInYiOiIxMTAzMzk2OTQiLCJiIjo0MjYwNiwiY2wiOiJ1VG9ycmVudCIsImxuZyI6InJ1Iiwib3NhIjoiMzIiLCJzbG5nIjoiZW4iLCJkYiI6IldpbmRvd3MgSW50ZXJuZXQgRXhwbG9yZXIiLCJkYnYiOiI5LjAiLCJpYnIiOlt7Im5hbWUiOiJGaXJlZm94IiwidmVyc2lvbiI6IjQ5LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiNTQuMCIsImV4ZU5hbWUiOiJjaHJvbWUifSx7Im5hbWUiOiJXaW5kb3dzIEludGVybmV0IEV4cGxvcmVyIiwidmVyc2lvbiI6IjkuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9XSwiaXAiOiIxOTQuMjQyLjk2LjIyNiIsImNuIjoiVWtyYWluZSIsInBhY2tpZCI6InJ1X3lhbmRleF9pcyJ9 HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: i-50.b-000.xyz.bench.utorrent.com

HTTP/1.1 200 OK

Content-Type: text/html

Date: Wed, 16 Nov 2016 03:30:42 GMT

Server: nginx

X-Powered-By: PHP/5.4.30

Content-Length: 21

Connection: keep-alive

{"response_code":200}..

POST /e?i=50 HTTP/1.1

Host: i-50.b-000.xyz.bench.utorrent.com

User-Agent: Hydra HttpRequest

Connection: close

Content-Length: 270

{"eventName":"hydra1","action":"INFO","type":"i","res":"1916x902","cts":"1479267028","pv":"","cau":"0","cc":"0","bkt1":"0","ssb":"11","v":"110339694","cl":"uTorrent","osv":"6.1","l":"en","pid":"3784","h":"o3eNiMKDUAkRrELb","sid":"o3eNiMKDUAkRrELb1479267018","order":"3"}

HTTP/1.1 200 OK

Content-Type: text/html

Date: Wed, 16 Nov 2016 03:30:29 GMT

Server: nginx

X-Powered-By: PHP/5.4.30

Content-Length: 21

Connection: Close

{"response_code":200}..

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_3640:

.text

`.rdata

@.data

.rsrc

@.reloc

%s.ef

HKEY

%s %s

%s %d

%s%s%s%s%s

%s near end of file

%s near '%s'

unable to decode byte 0x%x

invalid Unicode '\uX'

invalid Unicode '\uX\uX'

control character 0x%x

duplicate object key

Broken pipe

Inappropriate I/O control operation

Operation not permitted

GetProcessWindowStation

operator

ole32.dll

GetProcessHeap

GetWindowsDirectoryW

GetCPInfo

KERNEL32.dll

WinHttpOpenRequest

WinHttpCloseHandle

WinHttpConnect

WinHttpOpen

WinHttpReceiveResponse

WinHttpSendRequest

WinHttpReadData

WinHttpQueryDataAvailable

WINHTTP.dll

USER32.dll

OLEAUT32.dll

IPHLPAPI.DLL

RegCloseKey

RegOpenKeyExA

ADVAPI32.dll

zcÃ

status=IS&uuid=44add590-e741-f447-b13e-dd9039a59e82&user_os=Win7 32&user_hash=&v=35.34&nuuid=11b152f39435d677c83fadb989059307&user_agent=IE&trsrc=1

user_agent=IE&uuid=44add590-e741-f447-b13e-dd9039a59e82&user_os=Win7 32&proc=System,smss.exe,csrss.exe,wininit.exe,csrss.exe,winlogon.exe,services.exe,lsass.exe,lsm.exe,svchost.exe,svchost.exe,svchost.exe,svchost.exe,svchost.exe,svchost.exe,svchost.exe,spoolsv.exe,svchost.exe,vmtoolsd.exe,TPAutoConnSvc.exe,taskhost.exe,explorer.exe,svchost.exe,TPAutoConnect.exe,conhost.exe,vmtoolsd.exe,dllhost.exe,SearchIndexer.exe,msdtc.exe,svchost.exe,WmiPrvSE.exe,sandbox_svc.exe,conhost.exe,taskhost.exe,cmd.exe,conhost.exe,tshark.exe,cmd.exe,conhost.exe,Procmon.exe&main=1&v=35.34&nuuid=11b152f39435d677c83fadb989059307&user_hash=&trsrc=1 &aff=trs1&enc=

C:\Users\"%CurrentUserName%"\AppData\Local\Temp

status=%s&uuid=%s&user_os=%s&user_hash=%s&v=%s&nuuid=%s&user_agent=%s&trsrc=%s

kernel32.dll

updater_url

%s.exe

updater_cmd

c:\%original file name%.exe

= =,=2=]=

0 0,020]0

5l6

6{7â‚¬8^8

5#5/555`5

?!?%?)?4?:?

7"7.747_7

4!4%4)43494

:#:/:5:`:

8 809;9-;

>#>'> >/>:>@>

> >,>2>)?4?

3!4-4H4g4}4

? ?$?(?,?0?4?8?@?

7 7$7(7,7

:$:(:,:0:4:8:<:>

;(;/;4;8;

;&

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

KERNEL32.DLL

WUSER32.DLL

Content-Type: application/x-www-form-urlencoded

user_agent=IE&uuid=%hs&user_os=%hs&proc=%s&main=%hs&v=%hs&nuuid=%hs&user_hash=%hs&trsrc=%hs&aff=%hs&enc=%hs

https

hXXps://s3-us-west-2.amazonaws.com/151125/helloworld.exe

api.wiseinstaller.net

4.6.1.4

quia.mp3

mshta.exe_1876:

.text

`.data

.rsrc

@.reloc

clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32

msvcrt.dll

KERNEL32.dll

ADVAPI32.dll

RegCloseKey

RegOpenKeyExA

_amsg_exit

_acmdln

mshta.pdb

name="Microsoft.Windows.InetCore.mshta"

version="5.1.0.0"

Kernel32.dll

2kernel32.dll

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

MSHTA.EXE

Windows

9.00.8112.16421

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps