Gen.Variant.Midie.6956_0046b07a55 – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

@AE1.tmp.exe:1856
%original file name%.exe:264

The Trojan injects its code into the following process(es):

%original file name%.exe:2000

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process @AE1.tmp.exe:1856 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Messenger\Extension\WdExt.exe (238392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (448824 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (0 bytes)

Registry activity

The process @AE1.tmp.exe:1856 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 31 77 A5 63 5B 2C FD 41 FF 58 57 C0 32 F1 39"

The process %original file name%.exe:2000 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A F9 F4 66 5D 4A 3B 27 5A C8 87 03 FB 47 35 63"

Dropped PE files

MD5	File path
fe03cb7be5dcde81f82aeefcba68d773	c:\%original file name%.exe
db3bc1bd98028636fd692569219db3eb	c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\Messenger\Extension\WdExt.exe
2ccc474eb85ceaa3e1fa1726580a3e5a	c:\Documents and Settings\"%CurrentUserName%"\Application Data\Temp\mydll.dll
496a6fba564240ce1512e7553f72ad87	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\@AE1.tmp.exe

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1	www.Brenz.pl

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):
@AE1.tmp.exe:1856
%original file name%.exe:264
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\Temp\mydll.dll (601 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Messenger\Extension\WdExt.exe (238392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (448824 bytes)
Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Iswise
Product Name: ????
Product Version: 8.01.0022
Legal Copyright:
Legal Trademarks:
Original Filename: Request_Service.exe
Internal Name: Request_Service
File Version: 8.01.0022
File Description:
Comments:
Language: Language Neutral

Company Name: IswiseProduct Name: ????Product Version: 8.01.0022Legal Copyright: Legal Trademarks: Original Filename: Request_Service.exeInternal Name: Request_ServiceFile Version: 8.01.0022File Description: Comments: Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	2108	2560	3.76997	6dbb11cce72cc16b887018dd4c34d252
.rdata	8192	1478	1536	3.36814	838666d924e8b6e9dfc84f930bd16733
.data	12288	348160	512	0.377955	7d6dcdf3bcb22dca4957ddb77c1c8cbf
.rsrc	360448	32768	32768	5.15929	b601eceaf8ddd492a58ff7f1460d2711

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_2000:

.text

`.data

.rsrc

MSVBVM60.DLL

VB5!6&vb6chs.dll

.cSysTray

LayoutURL

todg7.ocx

TrueOleDBGrid70.TDBGrid

MSCOMCTL.OCX

MSComctlLib.StatusBar

MSWINSCK.OCX

MSWinsockLib.Winsock

comctl32.ocx

ComctlLib.StatusBar

MSCOMCT2.OCX

MSComCtl2.DTPicker

crystl32.ocx

Crystal.CrystalReport

CrystalReport

frmLogin

CmdPassWord

%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB

cmdCancel

gC:\Windows\system32\COMCTL32.oca

nC:\Windows\system32\MSWINSCK.oca

TxtServerPort

cmdOK

Pass_Encode

Pass_Decode

RegOpenKeyExA

RegCloseKey

GetWindowsDirectoryA

keybd_event

GetKeyState

MapVirtualKeyA

user32.dll

GetKeyboardState

advapi32.dll

RegOpenKeyA

shell32.dll

ShellExecuteA

VBA6.DLL

C:\Windows\system32\MSCOMCT2.oca

C:\Windows\system32\mscomctl.oca

/R%Program Files%\Microsoft Visual Studio\VB98\todg7.oca

CmdSetPrn

C:\Windows\system32\msvbvm60.dll\3

winmm.dll

FC:\Windows\system32\stdole2.tlb

ServerPort

MsgBL

ADVAPI32.DLL

DSTAMP %ddd

\USERINIT.EXE

%s:*:enabled:@shell32.dll,-1

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

ilo.brenz.pl

ant.trenz.pl

NICK zecgxutc

SFC.DLL

SFC_OS.DLL

USER32.DLL

SHLWAPI.DLL

WSOCK32.DLL

WININET.DLL

%.6x . . :%c%.8x%x %s

JOIN

127.0.0.1 VVV.Brenz.pl

#

KERNEL32.DLL

windowsupdate

drweb

9368265E-85FE-11d1-8BE3-0000F8754DA1

2c49f800-c2dd-11cf-9ad6-0080c7e7b78d

e651A8940-87C5-11d1-8BE3-0000F8754DA1

Login

EFSQL

SELECT password,ChineseName,RoleID,OwnerPwd FROM Users where Availability=1 and UserCode='

server_port

ALTER TABLE dbo.Logs ADD ID int NOT NULL IDENTITY (1, 1),AppVersion varchar(20) NULL

insert into Logs (LoginTime,UserCode,Operate,AppVersion,CmptName) Values ('

update Logs set logouttime=getdate() where LoginTime='

Password=

Provider=SQLOLEDB.1;Trusted Connection=no;

Select Roles.HouTai,Roles.RoleId FROM Users INNER JOIN Roles ON Users.RoleID = Roles.RoleId

Where Users.Usercode='

ALTER TABLE dbo.Prices ADD Deliver_Enabled bit NULL

ALTER TABLE dbo.Center_Orders ADD DeliverID int NULL

ALTER TABLE dbo.Center_Orders ADD CONSTRAINT DF_Center_Orders_DeliverID DEFAULT 0 FOR DeliverID

CREATE TABLE dbo.DeliverList(

ALTER TABLE dbo.Request_Service ADD CPTime datetime NULL,CPRequest bit NULL

ALTER TABLE dbo.Request_Service ADD CONSTRAINT DF_Request_Service_CPRequest DEFAULT 0 FOR CPRequest

ALTER TABLE dbo.Request_Service ADD OrderID int NULL,DeliverTime datetime NULL

ALTER TABLE dbo.Request_Service ADD Deliver_PlayTimes int NULL,Deliver_PlayVoiceTime datetime NULL

ALTER TABLE dbo.Request_Service ADD PrintTimes int NULL

SELECT password,ChineseName,RoleID,OwnerPwd FROM Users where Availability=1 and UserCode='

\sys.ini

PrinterPort

or Prices.PriceType=

Or Prices.PriceID Is Null )

And (Request_Service.PriceID'' or Request_Service.Remark'')

\Report\Request.rpt

And isnull(Request_Service.CPRequest,0)=0

Case When Request_Service.DeliverTime '' or IsNull(Prices.Deliver_Enabled,0)=0 Then Null Else

\wave\Pause.wav

SELECT Request_Service.*,Case When Request_Service.Affirm_ModiTime Is Null Then 0 Else 1 End as AffirmBL

,Case When Request_Service.SortGroup>0 Then Request_Service.SortGroup Else Request_Service.ID End As SortNo

,Case When Request_Service.PrintTimes Is Null Then 0 Else Request_Service.PrintTimes End as PrintCount

Datediff(s,Request_Service.Request_ModiTime,GetDate()) as SendSecond,Prices.PriceType, Prices.PriceName

FROM Request_Service LEFT OUTER JOIN Prices ON Request_Service.PriceId = Prices.PriceID

SELECT Request_Service.ID,Request_Service.HouseCode,Request_Service.Request_ModiTime,Request_Service.SortGroup

And IsNull(Request_Service.HouseCode,'')'' And Request_Service.Affirm_ModiTime Is Null

And (Request_Service.PlayVoiceTime

,GetDate()) or Request_Service.PlayVoiceTime Is Null)

And IsNull(Request_Service.PlayTimes, 0)

Select Distinct Request_Service.HouseCode,Request_Service.PriceID,Request_Service.ReMark,Request_Service.ItemNum

\Wave\RINGIN.WAV

\wave\10.wav

{Request_Service.PrintNo}=

ALTER TABLE dbo.Request_Service ADD PlayTimes int NULL

CREATE TABLE dbo.PricesType (

ALTER TABLE dbo.Request_Service ADD SortGroup int NULL

ALTER TABLE dbo.Request_Service ADD PlayVoiceTime datetime NULL

SELECT Request_Service.*,Prices.PriceName

And CPTime Is Null And IsNull(CPRequest,0)=0 And Request_Service.HouseCode'' Order by Request_Service.HouseCode

&Password:

8.01.0022

Request_Service.exe

%original file name%.exe_2000_rwx_00459000_00007000:

ADVAPI32.DLL

DSTAMP %ddd

\USERINIT.EXE

%s:*:enabled:@shell32.dll,-1

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

ilo.brenz.pl

ant.trenz.pl

NICK zecgxutc

SFC.DLL

SFC_OS.DLL

USER32.DLL

SHLWAPI.DLL

WSOCK32.DLL

WININET.DLL

%.6x . . :%c%.8x%x %s

JOIN

127.0.0.1 VVV.Brenz.pl

#

KERNEL32.DLL

windowsupdate

drweb

%original file name%.exe_2000_rwx_00D20000_00008000:

ADVAPI32.DLL

DSTAMP %ddd

\USERINIT.EXE

%s:*:enabled:@shell32.dll,-1

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

Qoyilo.brenz.pl

ant.trenz.pl

NICK osgcgrzj

SFC.DLL

SFC_OS.DLL

USER32.DLL

SHLWAPI.DLL

WSOCK32.DLL

WININET.DLL

%.6x . . :%c%.8x%x %s

JOIN

127.0.0.1 VVV.Brenz.pl

#

KERNEL32.DLL

windowsupdate

drweb

\??\%System%\winlogon.exe:*:enabled:@shell32.dll,-1

UNC\192.168.50.163\SANDBOXOUTPUT\2016-08-14\0046B07A550C79F4FAC1BD6E99B598B8\DUMPS\0046B07A550C79F4FAC1BD6E99B598B8.EXE_2000_RWX_00459000_00007000.DMP

C:\PERL\BIN\PERL.EXE

C1BD6E99B598B8.EXE

imqwjs.com

xruqot.com

csunym.com

lgqcll.com

yinyyw.com

colqla.com

ocnutu.com

jswxci.com

ebasnl.com

uvrzea.com

odiuag.com

aejwaz.com

nkqlqf.com

agkkxg.com

xyofce.com

smpcjz.com

iicpdi.com

mgyaaq.com

aajpne.com

vwytja.com

fwicii.com

iuksau.com

fitsvj.com

svavqk.com

aphrhk.com

wxzqtv.com

jlhuki.com

llnixs.com

uxgmhe.com

fyhjuy.com

qkoaui.com

ogpdit.com

dwuhya.com

sfbdvl.com

ivjepu.com

yaaodl.com

unkejf.com

kjbaxs.com

ybvsps.com

uegjzv.com

uvzgcj.com

huials.com

lejeuz.com

eiqfoq.com

tyoiya.com

szeyuq.com

glxuui.com

yxakex.com

mwpkvq.com

eslifu.com

onlees.com

yfhval.com

vouuos.com

cbbiyd.com

jamzaf.com

yshuak.com

yoyymq.com

brryye.com

xyaiuo.com

vgtoks.com

aorjfb.com

exsinu.com

zhreow.com

zrrene.com

uxeyjr.com

ipgyfe.com

qpikkx.com

vkoiea.com

iacxaz.com

luzhsb.com

ytpufi.com

judzog.com

evlsue.com

uqckre.com

pcsvla.com

bywerz.com

wnxxjo.com

toblcr.com

oivoqo.com

ihtvyy.com

ouaqbd.com

vbbgmo.com

pgznad.com

doukyi.com

fsilzy.com

yeanui.com

kxyoom.com

riizik.com

zheoio.com

yvmimg.com

vpjjyf.com

mryjkc.com

hjiiyp.com

anarry.com

fazgvi.com

moczdu.com

niggmp.com

ikoyqo.com

niuiep.com

vreead.com

WdExt.exe_216:

.text

`.rdata

@.data

.rsrc

jmWjcj.jejljgWWjgj.jwjwjw

jmWjcj.jtjfWjsWjrjcjijmj.jejtjajdjpjujsjwWjdjnjijw

jljdj.jtf

user32.dll

KERNEL32.dll

USER32.dll

ADVAPI32.dll

iphlpapi.dll

VERSION.dll

WS2_32.dll

GetProcessHeap

GetCPInfo

/i %d

/u %d

Incorrect key length

Empty key

zcÃ

*`%u'

J.iNF

#j'%cu

.COTI$GQt

]%1sFH

.zD'(p

kernel32.dll

%s%s%s

TTL: %d (initial:%d)

-> IP: %s/%s %s

-> MAC: X-X-X-X-X-X

Adapter: %s

OS: %s (language:0x%X)

UserName: %s

ComputerName: %s

Time(UTC): %s

%Y/%m/%d %H:%M:%S

(build %d)

Windows 2000

Windows XP

Web Edition

Windows Server 2003,

Windows XP Professional x64 Edition

Windows Home Server

Windows Storage Server 2003

Windows Server 2003 R2,

Web Server Edition

Windows Server 2008 R2

Windows 7

Windows Server 2008

Windows Vista

Cfailed to open %s

%Documents and Settings%\%current user%\Application Data\Microsoft\Messenger\Extension\WdExt.exe

iexplore.exe;ieuser.exe;firefox.exe;chrome.exe;msimn.exe;outlook.exe;winmail.exe;wlmail.exe;msnmsgr.exe;yahoomessenger.exe;PTF.exe;

Windows Defender Extension

6.1.7600.16385

WdExt.exe

Windows

Operating System

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps