Detections: Gen:Variant.Zusy.199421 (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), BackDoor.Bladabindi.13678 (DrWeb), Gen:Variant.Zusy.199421 (B) (Emsisoft), Artemis!97AC9FE88D1F (McAfee), Trojan.Gen.2 (Symantec), Trojan-Downloader.Win32.Autohk (Ikarus), Gen:Variant.Zusy.199421 (FSecure), Win32/DH{Ow?} (AVG), Win32:Malware-gen (Avast), Gen:Variant.Zusy.199421 (AdAware), Trojan.MSIL.Bladabindi.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Worm, WormAutorun, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 97ac9fe88d1f649dd19fede6ade1fc09
SHA1: 7de351b8e0d53e1d04c9658d706006b12b68d827
SHA256: 1e6d931c2371c48f85adc591c5793159304056c01fd459a537c46cfe29462dca
SSDeep: 6144:sbbs8miuWxBn061wjr36UIU yoTiKVpwCbC/ry7YOTD0zoL69 rOV4bXWCH:MgrTMn061M36RUOTvpwpNO/0zoL6UrOi
Size: 348160 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: DriverPack
Created at: 2016-01-16 08:27:22
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan-Downloader. Trojan program, which downloads files from the Internet without user's notice and executes them.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:2936
The Trojan injects its code into the following process(es):
svchost.exe:1784
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\%original file name%.exe (2105 bytes)
Registry activity
The process %original file name%.exe:2936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Aj7IlyiqVj3xkitP" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\%original file name%.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2936
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\%original file name%.exe (2105 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Aj7IlyiqVj3xkitP" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\%original file name%.exe"
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 1.1.23.00
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.23.00
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.MPRESS1 | 4096 | 925696 | 335872 | 5.54477 | 77107171c39e07e95efeb6fc4e3ebd6f |
.MPRESS2 | 929792 | 3656 | 4096 | 3.887 | 1b348d1b2fe61a513f7e48b729678eb3 |
.rsrc | 933888 | 7560 | 7680 | 3.77508 | 66f1091e31786183f208c9c000f92d88 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
svchost.exe_1784:
.text
`.rsrc
@.reloc
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
v2.0.50727
DRSTUB.exe
Microsoft.VisualBasic
System.Windows.Forms
System.Drawing
avicap32.dll
user32.dll
kernel32.dll
DRSTUB.Resources.resources
DRSTUB.My
Microsoft.VisualBasic.ApplicationServices
.ctor
System.Diagnostics
System.ComponentModel
System.CodeDom.Compiler
Microsoft.VisualBasic.Devices
.cctor
get_WebServices
HelpKeywordAttribute
System.ComponentModel.Design
Microsoft.VisualBasic.CompilerServices
MyWebServices
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.IO
System.Net.Sockets
RegistryKey
Microsoft.Win32
Operators
GetKey
System.Collections
ProcessWindowStyle
WebClient
System.Net
System.Threading
CopyPixelOperation
System.Drawing.Imaging
System.Reflection
TcpClient
System.Text
System.IO.Compression
System.Collections.Generic
OperatingSystem
Microsoft.VisualBasic.MyServices
get_ExecutablePath
wolf_usb_exe
GetKeyboardLayout
GetAsyncKeyState
vKey
MapVirtualKey
GetKeyboardState
lpKeyState
Keys
wVirtKey
Keyboard
GetExecutingAssembly
OpenSubKey
DRSTUB.My.Resources
System.Globalization
System.Resources
System.Configuration
8.0.0.0
My.WebServices
My.User
My.Application
My.Computer
4System.Web.Services.Protocols.SoapHttpClientProtocol
3System.Resources.Tools.StronglyTypedResourceBuilder
4.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
11.0.0.0
My.Settings
1.0.0.0
$721aff54-84bf-4dd4-9947-d32d266b77f6
_CorExeMain
mscoree.dll
If you want to change the Windows User Account Control level replace the
requestedExecutionLevel node with one of the following.
Specifying requestedExecutionLevel node will disable file and registry virtualization.
compatibility then delete the requestedExecutionLevel node.
Windows will automatically select the most compatible environment.-->
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
cmd.exe
UseShellExecute
WindowStyle
GetSubKeyNames
CreateSubKey
DeleteSubKeyTree
DeleteSubKey
cmd.exe /k ping 0 & del "
Windows
autorun.inf
install.exe
%System%\dllcache
%System%\dllcache\recycled.exe
%System%\dllcache\myporn.scr
%System%\dllcache\doc.pif
C:\windows\system32\drivers\svchost.exe
ShellExecute=install.exe
shell\open\command=install.exe
shell\explore\command=install.exe
shell\Open\command=install.exe
C:\windows\system32\winlogon.scr
desktop.ini
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
0.7.1
Prozone.exe
127.0.0.1
Software\Microsoft\Windows\CurrentVersion\Run
??/??/??
ShiftKeyDown
WScript.Shell
&explorer /root,"Ã%
DRSTUB.Resources
svchost.exe_1784_rwx_00400000_00014000:
.text
`.rsrc
@.reloc
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
v2.0.50727
DRSTUB.exe
Microsoft.VisualBasic
System.Windows.Forms
System.Drawing
avicap32.dll
user32.dll
kernel32.dll
DRSTUB.Resources.resources
DRSTUB.My
Microsoft.VisualBasic.ApplicationServices
.ctor
System.Diagnostics
System.ComponentModel
System.CodeDom.Compiler
Microsoft.VisualBasic.Devices
.cctor
get_WebServices
HelpKeywordAttribute
System.ComponentModel.Design
Microsoft.VisualBasic.CompilerServices
MyWebServices
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.IO
System.Net.Sockets
RegistryKey
Microsoft.Win32
Operators
GetKey
System.Collections
ProcessWindowStyle
WebClient
System.Net
System.Threading
CopyPixelOperation
System.Drawing.Imaging
System.Reflection
TcpClient
System.Text
System.IO.Compression
System.Collections.Generic
OperatingSystem
Microsoft.VisualBasic.MyServices
get_ExecutablePath
wolf_usb_exe
GetKeyboardLayout
GetAsyncKeyState
vKey
MapVirtualKey
GetKeyboardState
lpKeyState
Keys
wVirtKey
Keyboard
GetExecutingAssembly
OpenSubKey
DRSTUB.My.Resources
System.Globalization
System.Resources
System.Configuration
8.0.0.0
My.WebServices
My.User
My.Application
My.Computer
4System.Web.Services.Protocols.SoapHttpClientProtocol
3System.Resources.Tools.StronglyTypedResourceBuilder
4.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
11.0.0.0
My.Settings
1.0.0.0
$721aff54-84bf-4dd4-9947-d32d266b77f6
_CorExeMain
mscoree.dll
If you want to change the Windows User Account Control level replace the
requestedExecutionLevel node with one of the following.
Specifying requestedExecutionLevel node will disable file and registry virtualization.
compatibility then delete the requestedExecutionLevel node.
Windows will automatically select the most compatible environment.-->
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
cmd.exe
UseShellExecute
WindowStyle
GetSubKeyNames
CreateSubKey
DeleteSubKeyTree
DeleteSubKey
cmd.exe /k ping 0 & del "
Windows
autorun.inf
install.exe
%System%\dllcache
%System%\dllcache\recycled.exe
%System%\dllcache\myporn.scr
%System%\dllcache\doc.pif
C:\windows\system32\drivers\svchost.exe
ShellExecute=install.exe
shell\open\command=install.exe
shell\explore\command=install.exe
shell\Open\command=install.exe
C:\windows\system32\winlogon.scr
desktop.ini
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
0.7.1
Prozone.exe
127.0.0.1
Software\Microsoft\Windows\CurrentVersion\Run
??/??/??
ShiftKeyDown
WScript.Shell
&explorer /root,"Ã%
DRSTUB.Resources