Application.Downloader.AKK_6d9315385c

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Application creates the following process(es):No processes have been created.The Application injects its code into the following process(es):

%original file name%.exe:2060

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:2060 makes changes in the file system.

The Application creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\FailedToInstall[1].htm (715 bytes)

Registry activity

The process %original file name%.exe:2060 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\6d9315385c605890a61b227e11001e96_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Application deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Application file.
   
3. Delete or disinfect the following files created/modified by the Application:

   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\FailedToInstall[1].htm (715 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	613088	613376	5.51487	7b88abd958984beb06b6396e55787664
.data	618496	90364	90624	5.51808	8dd3663bc5218f10562c7309e658798d
.rdata	712704	8704	8704	4.4428	3c1381e19cdf1066bf95ce957baefa68
.bss	724992	2304	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	729088	8092	8192	3.92823	95d9b9c789fd087870f0854c4fe03eca
.tls	737280	44	512	0.142404	162a4c0fae74fb067ab49760f71d0850
.rsrc	741376	14988	15360	3.56282	ff7f2f458fc19a67a6717dcc7191c088

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 180
9c361ca6b9eda3348cc369af78b0b07e
67277d3ff741847b5d7de30ff57f6124
ed2f64e8de2a2544d60d11ee44c13e69
2ab098c9a8fc1e5c92e04b1c74949c67
cbb790dc5fcdbdb2b56dd05ab17d35c8
8897451dba7c63537dfc429feaf1c0c5
d0f8f50da36b34c1fb900f25517773bb
f4cf5ce0d374bcaa1119e8ec2d4e612a
065da0d46033699786b319fd24b5cc5a
bd6f78893b2834bd1aa3cbeec378a967
225749df158133e804f91ec31a4a89d2
c3412494858d1f5ff88316d8757ae2c3
b5cb66038c7ab3339d57bdd669aa2508
cf4589759e5e0ec1d3f6d2f59ce964fc
e7e763f1ac2f684f82488526921aef8f
38b5a8833b53e1b58e6e1a91ae6f1ce9
e50a4bec5e126bec76848459b08bf76b
94f6329721e8ccd7fbebd1249cd4e2c0
fb148d0b28b1f8b986e87887a27c097c
a609792277c73d7a27eeafc0417f4c7b
7e062242248efe9a00dde258dbb3f385
851e37b470374a743b5a16c5a55fc540
bc37425dfb442e28de71613a186ccc14
8bb8d37c1ca5df5c6d59cd699207abe5
1a5194b798f0486aa53a7aa44469337e
8c6169d4df27fc9004272f5be83bc559

Network Activity

URLs

URL	IP
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/index.php
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/FailedToInstall.php?reason=8&version=1.1.5.26
hxxp://www.selfdislikedfarfet.site/FailedToInstall.php?reason=8&version=1.1.5.26	107.20.147.93
hxxp://www.selfdislikedfarfet.site/index.php	107.20.147.93

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Application connects to the servers at the folowing location(s):

Strings from Dumps