Skip to main content

Gen.Variant.MSILPerseus.75041_e798985395


Trojan.Win32.Inject.adqfh (Kaspersky), Gen:Variant.MSILPerseus.75041 (B) (Emsisoft), Gen:Variant.MSILPerseus.75041 (AdAware), HackTool.Win32.PassView.FD, GenericAutorunWorm.YR, HackToolPassView.YR (Lavasoft MAS)Behaviour: Trojan, Worm, HackTool, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: e79898539570c8166b1ad52e7343f45d

SHA1: 201000138cb1d1d49fd5d0d95b280cddfdbbc64b

SHA256: 39119442c4dcbd012ccff4bd80e88362f86e06997c5e0d5b5bb97a2f83528ef6

SSDeep: 12288:KFFcsNFVTn4tLDhJ2hstbIcfI0nx9KFMw/iTExZn8YZU75UBD4mbw1mX8d2DQiWF:cesKhIsmGPnKjiwxWYyiB02sUD

Size: 1057792 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2017-02-16 08:27:15

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour Description
WormAutorunA worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:1672
vbc.exe:1812
WipeShadow.exe:3736

The Trojan injects its code into the following process(es):

WipeShadow.exe:1084

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1672 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\WipeShadow.exe (51982 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp128806599.tmp (1 bytes)

The process vbc.exe:1812 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holderwb.txt (2 bytes)

The process WipeShadow.exe:1084 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\pid.txt (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pidloc.txt (43 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holdermail.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holderwb.txt (0 bytes)

Registry activity

The process %original file name%.exe:1672 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process WipeShadow.exe:1084 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASMANCS]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\WipeShadow_RASAPI32]
"FileTracingMask" = "4294901760"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1672
    vbc.exe:1812
    WipeShadow.exe:3736

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Roaming\WipeShadow.exe (51982 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp128806599.tmp (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\holderwb.txt (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\pid.txt (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\pidloc.txt (43 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: VMware, Inc.
Product Name: VMware Workstation
Product Version: 11.1.4 build-3848939
Legal Copyright: Copyright (c) 1998-2016 VMware, Inc.
Legal Trademarks:
Original Filename: vmnat.exe
Internal Name: vmnat
File Version: 11.1.4 build-3848939
File Description: VMware NAT Service
Comments:
Language: English (United States)

Company Name: VMware, Inc.Product Name: VMware WorkstationProduct Version: 11.1.4 build-3848939Legal Copyright: Copyright (c) 1998-2016 VMware, Inc.Legal Trademarks: Original Filename: vmnat.exeInternal Name: vmnatFile Version: 11.1.4 build-3848939File Description: VMware NAT ServiceComments: Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text81929548689548805.3331331f3d23c86a7ac801ade63013987ee28
.rsrc9666561014521018882.97639091e5c647af93263a97993eb33efe6f7
.reloc1073152125120.070639ca0a9d9c42f11f5525078e9bc468560e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://whatismyipaddress.com/92.122.94.47
smtp.gmail.com64.233.161.108

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps