Trojan.Win32.Inject.adqfh (Kaspersky), Gen:Variant.MSILPerseus.75041 (B) (Emsisoft), Gen:Variant.MSILPerseus.75041 (AdAware), HackTool.Win32.PassView.FD, GenericAutorunWorm.YR, HackToolPassView.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, HackTool, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: e79898539570c8166b1ad52e7343f45d
SHA1: 201000138cb1d1d49fd5d0d95b280cddfdbbc64b
SHA256: 39119442c4dcbd012ccff4bd80e88362f86e06997c5e0d5b5bb97a2f83528ef6
SSDeep: 12288:KFFcsNFVTn4tLDhJ2hstbIcfI0nx9KFMw/iTExZn8YZU75UBD4mbw1mX8d2DQiWF:cesKhIsmGPnKjiwxWYyiB02sUD
Size: 1057792 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-02-16 08:27:15
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1672
vbc.exe:1812
WipeShadow.exe:3736
The Trojan injects its code into the following process(es):
WipeShadow.exe:1084
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1672 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\WipeShadow.exe (51982 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp128806599.tmp (1 bytes)
The process vbc.exe:1812 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holderwb.txt (2 bytes)
The process WipeShadow.exe:1084 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\pid.txt (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pidloc.txt (43 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holdermail.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holderwb.txt (0 bytes)
Registry activity
The process %original file name%.exe:1672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process WipeShadow.exe:1084 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASMANCS]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASAPI32]
"FileTracingMask" = "4294901760"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1672
vbc.exe:1812
WipeShadow.exe:3736
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Roaming\WipeShadow.exe (51982 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp128806599.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holderwb.txt (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pid.txt (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pidloc.txt (43 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: VMware, Inc.
Product Name: VMware Workstation
Product Version: 11.1.4 build-3848939
Legal Copyright: Copyright (c) 1998-2016 VMware, Inc.
Legal Trademarks:
Original Filename: vmnat.exe
Internal Name: vmnat
File Version: 11.1.4 build-3848939
File Description: VMware NAT Service
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 954868 | 954880 | 5.33313 | 31f3d23c86a7ac801ade63013987ee28 |
.rsrc | 966656 | 101452 | 101888 | 2.97639 | 091e5c647af93263a97993eb33efe6f7 |
.reloc | 1073152 | 12 | 512 | 0.070639 | ca0a9d9c42f11f5525078e9bc468560e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://whatismyipaddress.com/ | 92.122.94.47 |
smtp.gmail.com | 64.233.161.108 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):