Gen.Variant.Graftor.311803_be458ac03e

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:2936

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:2936 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_6AF894A92E6F88B345969E137476EB72 (1448 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62 (1068 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_6AF894A92E6F88B345969E137476EB72 (463 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarBD18.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mm_BD57.tmp\log.txt (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabBD17.tmp (51 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarBD18.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mm_BD57.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabBD17.tmp (0 bytes)

Registry activity

The process %original file name%.exe:2936 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASMANCS]
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\be458ac03e8a052eb6c6dc4e130de44c_RASMANCS]
"EnableConsoleTracing" = "0"

"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:

   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8059E9A0D314877E40FE93D8CCFB3C69_6AF894A92E6F88B345969E137476EB72 (1448 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (325 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62 (1068 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\828298824EA5549947C17DDABF6871F5_6B5C8B321CA02275A82E95FA81D6DE62 (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (876 bytes)
   C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8059E9A0D314877E40FE93D8CCFB3C69_6AF894A92E6F88B345969E137476EB72 (463 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarBD18.tmp (2712 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\mm_BD57.tmp\log.txt (315 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabBD17.tmp (51 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: www.GameModding.net
Product Name: ModInstall
Product Version: 1.0.0.0
Legal Copyright: www.GameModding.net
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.1.0.0
File Description: ModInstall 3.0
Comments:
Language: English (United States)

Company Name: www.GameModding.netProduct Name: ModInstallProduct Version: 1.0.0.0Legal Copyright: www.GameModding.netLegal Trademarks: Original Filename: Internal Name: File Version: 3.1.0.0File Description: ModInstall 3.0 Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	2793472	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	2797568	1265664	1263104	5.49643	0f963dff62ce59a79601d7439af4adf0
.rsrc	4063232	77824	74752	2.13349	cb8e70395f39a703d3e200112f50a8fb

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 713
d9ef811825b1ee97884ecc253485628d
9706f670385750cc9e55dd675cb8b6ce
ff44f222a0a760bbef58adab93d56ac2
a51af5ff635585379673c594040dd29b
5c5d59dd3f1d56109d9917c805fbdbc5
5c18b4209f1568fa675dd09e5b21be1b
d8160329bf41757fb1dc447b52da182d
f5feb1f087479b09b7192a52328cbd97
8a2ca21f91ed4d7ee1c33f0f1d8fbeee
88c16dacd625d078d60e17d4cc6864d8
f1ac824d74d95d59dfbcdcf950181955
3e51c7a8d0ed04d48e7fd8b66951b596
b64aceb6191eb51a003d4a734c2ed77f
1a7b8804847bbbea66cff40420fa5c13
4d00e484119be896a6924d38ac170da2
f4b36e74bce986ae9cecf7ac18d08382
62d2f84d64acf46a358f4f6d026bb7af
0174ea351a3d87d915332a2323618c44
57d07fa304cfc958f33cf583effd8760
afd1a07be878e472a65b3b7b2d20d6d3
fc15ffba7b8edc332a5e0e684fe52510
2af58ca844ae52c85342ea85d05dd7a1
2b4772ec611456d7b21f861c3232af1e
809143c62ce8e1ac7b6a4d38a54c78d5
5c66d833839123194246dce81ff2d1bd
70f276f4bab4fd118947a9e1c6a2e5a2

Network Activity

URLs

URL	IP
hxxp://e6845.dscb1.akamaiedge.net/crls/secureca.crl
hxxp://e8218.dscb1.akamaiedge.net/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg==
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCDsPZHpkl+CK
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY
hxxp://e8218.dscb1.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEAdrg7dKqon	172.217.20.174
hxxp://crl.geotrust.com/crls/secureca.crl	23.43.133.163
hxxp://g.symcd.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg==	23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=	23.43.139.27
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCAisW18hq2CY	172.217.20.174
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCDsPZHpkl+CK	172.217.20.174
ssl.google-analytics.com	172.217.20.168

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps