Gen.Variant.Graftor.141478_87a19c5c71

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):

WerFault.exe:2304

The Trojan injects its code into the following process(es):

%original file name%.exe:1704
WerFault.exe:2300

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1704 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\stat[1].js (1081 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\tj[1].htm (904 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\52a3b.html (860 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\52818.tmp (701 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\5PQTNMMS.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\VMIT93X1.txt (111 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\u.zip (39 bytes)

Registry activity

The process %original file name%.exe:1704 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKLM\SOFTWARE\Microsoft\Tracing\87a19c5c71d97be779725d197e92027e_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\87a19c5c71d97be779725d197e92027e_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\87a19c5c71d97be779725d197e92027e_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\87a19c5c71d97be779725d197e92027e_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\87a19c5c71d97be779725d197e92027e_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\87a19c5c71d97be779725d197e92027e_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"
"Enable" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\87a19c5c71d97be779725d197e92027e_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\87a19c5c71d97be779725d197e92027e_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\87a19c5c71d97be779725d197e92027e_RASMANCS]
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process WerFault.exe:2300 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "05 00 00 C0 01 00 00 00 00 00 00 00 32 77 18 77"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"

Dropped PE files

MD5	File path
15042f2a0dc696f5a2430a191c6ca2aa	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\52818.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   WerFault.exe:2304

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:

   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\stat[1].js (1081 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\tj[1].htm (904 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\52a3b.html (860 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\52818.tmp (701 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\5PQTNMMS.txt (117 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\VMIT93X1.txt (111 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\u.zip (39 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: ????
Product Name: ?????? ????
Product Version: 10.10.0.0
Legal Copyright: ??????,????????.
?????:????(www.dgfzba.com)
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 10.10.0.0
File Description: ??????,????????.
Comments: ??????,????????.
Language: English (United States)

Company Name: ????Product Name: ?????? ????Product Version: 10.10.0.0Legal Copyright: ??????,????????.?????:????(www.dgfzba.com)Legal Trademarks: Original Filename: Internal Name: File Version: 10.10.0.0File Description: ??????,????????.Comments: ??????,????????.Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	3409138	3411968	4.44827	74697c6e642765eb7b6b698db1e63e32
.rdata	3416064	6885098	6885376	4.90004	f0cd660717168a5f45e6f007700115ff
.data	10301440	634219	172032	4.09657	ca45312bd1a96b721d496b281d9b175b
.rsrc	10936320	49536	53248	3.76987	7b31e50ff66535633ad33cf122b31cbe

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://dabll.jshgg.net/khd/sevices_860_43057.zip	162.159.208.57
hxxp://www.dgfzba.com/tj.html	43.242.35.138
hxxp://cdct.zhdns.net/9uxz/luokedg/oea.html
hxxp://cdct.zhdns.net/9uxz/luokedg/update.html
hxxp://all.cnzz.com.danuoyi.tbcache.com/stat.php?id=1256908026
hxxp://down.9udn.com/9uxz/luokedg/oea.html	122.228.207.207
hxxp://s95.cnzz.com/stat.php?id=1256908026	1.99.192.16
hxxp://down.9udn.com/9uxz/luokedg/update.html	122.228.207.207
c.cnzz.com	58.215.145.188
z4.cnzz.com	1.122.192.15

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /tj.html HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.dgfzba.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 904

Content-Type: text/html

Last-Modified: Sat, 05 Dec 2015 01:48:22 GMT

Accept-Ranges: bytes

ETag: "077d75ff2ed11:4f7"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Wed, 25 Jan 2017 23:07:21 GMT

..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml"><head>..<meta http-equiv="Content-Type" content="text/html; charset=gbk">..<title>tj</title>..<style type="text/css">..<!--...STYLE1 {font-size: 18px}...STYLE2 {font-size: x-large}...STYLE3 {font-size: x-large; font-weight: bold; }...STYLE4 {font-size: 35px; font-weight: bold; }...STYLE5 {...font-size: 50px;...font-weight: bold;..}...STYLE6 {font-size: 38px}..-->..</style>..</head>..<body>..<script type="text/javascript">var cnzz_protocol = (("https:" == document.location.protocol) ? " hXXps://" : " hXXp://");document.write(unescape("t src='" cnzz_protocol "s95.cnzz.com/stat.php?id=1256908026' type='text/javascript'>"));</script></body></html>..

GET /9uxz/luokedg/oea.html HTTP/1.1

Connection: Keep-Alive

Content-Type: application/x-www-form-urlencoded

Accept: */*

Accept-Language: zh-cn

Referer: hXXp://down.9udn.com/9uxz/luokedg/oea.html

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 2Pac; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Host: down.9udn.com

HTTP/1.0 200 OK

Content-Length: 1004

Content-Type: text/html

Last-Modified: Mon, 23 Jan 2017 21:15:17 GMT

Accept-Ranges: bytes

ETag: "9e65ddcbbd75d21:138e"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 26 Jan 2017 06:38:37 GMT

Age: 2898

X-Cache: HIT from cthbezs1

Via: 1.0 cthbezs1 (squid)

Connection: keep-alive

<!--..........11.20..........................................................---hXXp://VVV.dgfzba.com/----......................................0.2........<DT>PHBO</DT>..<HTML></HTML><HTML_open>0</HTML_open>..<HTML_download>hXXp://down.9udn.com/9uxz/忙麓