HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.20013521 (B) (Emsisoft), Trojan.Generic.20013521 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 3e733861cf8347465a0c4e0be2d4b521
SHA1: bb25e4d6570afc4d0f1123205e202989f0dc553c
SHA256: a679439ed8a2736bd2c286a72d033cc2b6dadb55a7b409e47706faed981cda49
SSDeep: 12288:hoefCqAzDIq3dHnJL3J6VS3CuDTmrIgaUy9heM:hoM6zsqtHnN3uSyuDTmrIgV
Size: 761856 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftWindowsShortcutfile, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: Nasofalo
Created at: 2016-10-21 10:25:46
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
tqgb.exe:2772
WScript.exe:1884
src2011.tmp:3204
src2011.exe:3012
1819.exe:2816
rundll32.exe:2060
%original file name%.exe:2948
mm.exe:2928
regsvr32.exe:3384
regsvr32.exe:3208
xPiSs.exe:3932
mmc.exe:3004
guide.exe:2212
guide.exe:3788
The Trojan injects its code into the following process(es): No processes have been created.
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process WScript.exe:1884 makes changes in the file system.
The Trojan deletes the following file(s):
C:\Windows\1819.exe (0 bytes)
C:\Windows\tem.vbs (0 bytes)
The process src2011.tmp:3204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\RLDataView.d (438 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-FAS25.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\is-CTDCH.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\DirectUI\is-MJGBG.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\res\is-0VP5H.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OMIPG.tmp\ISTask.dll (687 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-J28MR.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\is-01FTN.tmp (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\_locales\en\is-VBM9M.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\is-UHB8T.tmp (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\is-NCP50.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-20T3A.tmp (520 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-02OSJ.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-C4M25.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-TKHO0.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\is-ILCVQ.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-1I0SD.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\jyueservice.exe (208 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\is-KSONF.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-HG2NG.tmp (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-CLNBN.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-O672V.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\is-E1EH3.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-4P1TV.tmp (3073 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\jywebHelper. (376 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\is-9SRI3.tmp (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-KM7R2.tmp (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\_metadata\is-1CE92.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-C6MA6.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-FPP5R.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-669ON.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\res\is-UTB4B.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-OJM14.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\xmlconfig\is-HBL2N.tmp (663 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\is-PMUMK.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\en\is-UGJFV.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-42QG3.tmp (4185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-R6K8A.tmp (88 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\chromeNativeClient\is-QCFIG.tmp (412 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-R4UO6.tmp (13800 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\is-3VJA0.tmp (56 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-AMVGA.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-Q7MA6.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\DirectUI\is-HJ25S.tmp (594 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-ITCRM.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-6G1GU.tmp (3361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-8NPD8.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-QPVIT.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-2BM18.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-O9BG9.tmp (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-IEEEV.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\_locales\zh_CN\is-8BCSI.tmp (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-UNSUO.tmp (11168 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-2AIAO.tmp (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-4159G.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-I5T5P.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\is-K372N.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-E0HRH.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-AJCA6.tmp (3361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-MBJU2.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OMIPG.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\chromeNativeClient\is-GF3CF.tmp (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-VGUEH.tmp (2105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-BFJBC.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\_metadata\is-I1VK9.tmp (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-KTQ2I.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\xmlconfig\is-NNO2O.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-G8HVS.tmp (2321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\jychromeex\is-JRQE4.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\is-SIQ7T.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\res\is-IH47N.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\is-N6BD7.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\DirectUI\is-2SP90.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\resource\DirectUI\is-A29B6.tmp (594 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\int2\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_locales\zh_CN\is-MD2UI.tmp (816 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\extensions\chrome\hohonaplgfolmdaaafoddgbiakognoal\4.0.2_0\_metadata\is-0H4IE.tmp (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\is-O0M9S.tmp (2321 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OMIPG.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OMIPG.tmp\ISTask.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OMIPG.tmp\_isetup\_shfoldr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\RLDataView.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-OMIPG.tmp\_isetup (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\473213\jywebHelper.dll (0 bytes)
The process src2011.exe:3012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-AC6LT.tmp\src2011.tmp (1423 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-AC6LT.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-AC6LT.tmp\src2011.tmp (0 bytes)
The process 1819.exe:2816 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\kBqJzF\MIJ.exe (108 bytes)
C:\Windows\Media\McIe.wav (17 bytes)
C:\Windows\Media\Mcfg.wav (1 bytes)
C:\Windows\tem.vbs (169 bytes)
C:\Windows\kBqJzF\BPp.exe (108 bytes)
C:\Windows\pcq.exe (108 bytes)
C:\Windows\onest.txt (1 bytes)
C:\Windows\kBqJzF\LiveUDHelper.dll (1 bytes)
C:\Windows\mcconfig.dat (2 bytes)
C:\Windows\kBqJzF\G57.exe (108 bytes)
C:\Windows\kBqJzF\PTR.exe (108 bytes)
C:\Windows\kBqJzF\xPiSs.exe (218 bytes)
C:\Windows\Media\hd.wav (1 bytes)
C:\Windows\kBqJzF\27e.exe (108 bytes)
C:\Windows\kBqJzF\Dqc.exe (108 bytes)
C:\Windows\kBqJzF\drH.exe (108 bytes)
The process rundll32.exe:2060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\GameExplorer\{259407C2-8FA0-425C-9A68-FD1873827037}\PlayTasks\0\Play.lnk (756 bytes)
The remainder of the report is garbled in extraction; the only recoverable fragments are what appear to be query-string parameter names:
&with
&locale&clientType&clientVersion
&clientType&clientVersion
&action
&mac&pid&did&mid
&version&source&uuid
&url&url
&version
&key
&sentinel