Virus.Win32.Parite_2c14e1f89e

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Virus creates the following process(es):

%original file name%.exe:856

The Virus injects its code into the following process(es):

Explorer.EXE:1572

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:856 makes changes in the file system.

The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WT2N852Z\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YTW81N8N\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uda1.tmp (11010 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HKR9E6W\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CLQV4DMV\desktop.ini (67 bytes)

Registry activity

The process %original file name%.exe:856 makes changes in the system registry.

The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 AF E6 0B 04 CB 41 6A 88 8D E5 24 4F 39 1D 5E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Virus modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Virus modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
685f1cbd4af30a1d0c25f252d399a666	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\uda1.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   %original file name%.exe:856
   

2. Delete the original Virus file.
   
3. Delete or disinfect the following files created/modified by the Virus:

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WT2N852Z\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YTW81N8N\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\uda1.tmp (11010 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0HKR9E6W\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CLQV4DMV\desktop.ini (67 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	112949	113152	4.47183	25192e76b437af7ef9f76b2e67c7afd8
.rdata	118784	16794	16896	3.67682	01910cd90af9f21fc88833252edeec91
.data	139264	13060	5120	2.44354	ab4e5e7bbda75911e401e9674c910700
.rsrc	155648	436	512	3.5438	f6ab0bea429a6127369ecee73cd00d8c
.reloc	159744	7118	7168	3.16281	7cabc193f9f8173aa0177b29475e55fc
.qnk	167936	4096	1536	4.90604	cba7310ebc9949c44f3880a9c4d77b75

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/	174.129.23.198

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 148

Cache-Control: no-cache

{"data":"{\"channel_id\":\"\",\"event_event_id\":\"5482\",\"utm_addition\":\"&v=37\",\"guid\":\"\",\"browser_name\":\"\"}","table":"event_has_user"}

HTTP/1.1 200 OK

Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE

Access-Control-Allow-Origin: *

Content-Type: application/json; charset=utf-8

Date: Sun, 21 Feb 2016 08:56:12 GMT

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 148

Cache-Control: no-cache

{"data":"{\"channel_id\":\"\",\"event_event_id\":\"5504\",\"utm_addition\":\"&v=37\",\"guid\":\"\",\"browser_name\":\"\"}","table":"event_has_user"}

HTTP/1.1 200 OK

Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE

Access-Control-Allow-Origin: *

Content-Type: application/json; charset=utf-8

Date: Sun, 21 Feb 2016 08:56:12 GMT

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}....

POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com

Content-Length: 161

Cache-Control: no-cache

{"data":"{\"channel_id\":\"\",\"event_event_id\":\"5483\",\"utm_addition\":\"reason=2&cmd=&v=37\",\"guid\":\"\",\"browser_name\":\"\"}","table":"event_has_user"}

HTTP/1.1 200 OK

Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE

Access-Control-Allow-Origin: *

Content-Type: application/json; charset=utf-8

Date: Sun, 21 Feb 2016 08:56:12 GMT

Content-Length: 15

Connection: keep-alive

{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE..Access-Control-Allow-Origin: *..Content-Type: application/json; charset=utf-8..Date: Sun, 21 Feb 2016 08:56:12 GMT..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}..

Map

The Virus connects to the servers at the folowing location(s):

Strings from Dumps

Explorer.EXE_1572_rwx_01EA1000_00071000:

UDPSockError

UDPSockError

NMUDP

NMUDP

Errmsg

Errmsg

Port

Port

TNMUDP

TNMUDP

RemotePort

RemotePort

LocalPort

LocalPort

ReportLevelLk

ReportLevelLk

0.0.0.0

0.0.0.0

%d.%d.%d.%d

%d.%d.%d.%d

AutoHotkeys

AutoHotkeys

:].tJ

:].tJ

EInvalidGraphicOperation,0

EInvalidGraphicOperation,0

EInvalidGraphicOperation

EInvalidGraphicOperation

KeyPreview,

KeyPreview,

WindowState

WindowState

OnKeyDown

OnKeyDown

OnKeyPressdz

OnKeyPressdz

OnKeyUp

OnKeyUp

ssHotTrack

ssHotTrack

TWindowState

TWindowState

poProportional

poProportional

TWMKey

TWMKey

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

vcltest3.dll

TDragOperation

TDragOperation

TKeyEvent

TKeyEvent

TKeyPressEvent

TKeyPressEvent

crSQLWait

crSQLWait

%s (%s)

%s (%s)

IMM32.DLL

IMM32.DLL

EInvalidOperation

EInvalidOperation

%s[%d]

%s[%d]

%s_%d

%s_%d

USER32.DLL

USER32.DLL

comctl32.dll

comctl32.dll

MSWHEEL_ROLLMSG

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

MSH_SCROLL_LINES_MSG

kernel32.dll

kernel32.dll

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

explorer.exe

explorer.exe

Software\Microsoft\Windows\CurrentVersion\Explorer

Software\Microsoft\Windows\CurrentVersion\Explorer

*.TMP

*.TMP

Kernel32.dll

Kernel32.dll

ADVAPI32.dll

ADVAPI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

readbook.exe

readbook.exe

rundll32.exe

rundll32.exe

*.exe

*.exe

*.scr

*.scr

UdpT

UdpT

UdpOnDataReceived

UdpOnDataReceived

xxtype.cpp

xxtype.cpp

derv->tpClass.tpcFlags & CF_HAS_BASES

derv->tpClass.tpcFlags & CF_HAS_BASES

Inappropriate I/O control operation

Inappropriate I/O control operation

Broken pipe

Broken pipe

Operation not permitted

Operation not permitted

%H:%M:%S

%H:%M:%S

%m/%d/%y

%m/%d/%y

%A, %B %d, %Y

%A, %B %d, %Y