Trojan.Microfake.D_dea7613863

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

regsvr32.exe:1236
imeumw.exe:468
hrl1.tmp:1164

The Trojan injects its code into the following process(es):

Explorer.EXE:880

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process regsvr32.exe:1236 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (243 bytes)

The process imeumw.exe:468 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\buc3.tmp (11010 bytes)

The process hrl1.tmp:1164 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsb2.tmp (11010 bytes)
%System%\imeumw.exe (1281 bytes)

Registry activity

The process regsvr32.exe:1236 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E F5 30 FB 21 81 1F D9 CE 65 4A 5B F4 EB 8E A1"

The process hrl1.tmp:1164 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 59 0E 2F 1D 89 B0 E9 67 7B 83 5F 6C 64 B9 40"

Dropped PE files

MD5	File path
f025f5466d22ce260c3e082b55f8b8fc	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SOFTWARE.LOG
685f1cbd4af30a1d0c25f252d399a666	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsb2.tmp
685f1cbd4af30a1d0c25f252d399a666	c:\WINDOWS\Temp\buc3.tmp
f025f5466d22ce260c3e082b55f8b8fc	c:\WINDOWS\system32\imeumw.exe

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1	www.Brenz.pl

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):

   regsvr32.exe:1236
   imeumw.exe:468
   hrl1.tmp:1164
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:

   %Documents and Settings%\%current user%\Local Settings\Temp\hrl1.tmp (243 bytes)
   %WinDir%\Temp\buc3.tmp (11010 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsb2.tmp (11010 bytes)
   %System%\imeumw.exe (1281 bytes)

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	2860	3072	3.84485	c9b6b9fbded3d4764666702b145428d1
.rdata	8192	2505	2560	3.36056	6951ee1a0ff3a7f5a44727b4713506a3
.data	12288	672	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	16384	243832	244224	5.43004	5d3bfa9fbbf2ca636128322fe0e26c69
.reloc	262144	494	512	3.52939	cfa8d04dd000bb30ab126902176ed40d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

regsvr32.exe_1236:

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

ADVAPI32.dll

ADVAPI32.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

USER32.dll

USER32.dll

ole32.dll

ole32.dll

regsvr32.pdb

regsvr32.pdb

_wcmdln

_wcmdln

RegCloseKey

RegCloseKey

RegOpenKeyExW

RegOpenKeyExW

Excessive # of DLL's on cmdline

Excessive # of DLL's on cmdline

5.1.2600.5512 (xpsp.080413-2105)

5.1.2600.5512 (xpsp.080413-2105)

REGSVR32.EXE

REGSVR32.EXE

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

Usage: regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname

Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

Call DllInstall passing it an optional [cmdline]; when used with /u calls dll uninstall

Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.

Unrecognized flag: %1"Extra argument on command line: This command is only valid when an OLE Custom Control project is open.

LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.

LoadLibrary("%1") failed - ,%1 was loaded, but the %2 entry point was not found.

%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.

%1 does not appear to be a .DLL or .OCX file.V%1 was loaded, but the %2 entry point was not found.

OleUninitialize failed.["%1" is not an executable file and no registration

OleUninitialize failed.["%1" is not an executable file and no registration

Explorer.EXE_880_rwx_01F71000_00071000:

UDPSockError

UDPSockError

NMUDP

NMUDP

Errmsg

Errmsg

Port

Port

TNMUDP

TNMUDP

RemotePort

RemotePort

LocalPort

LocalPort

ReportLevelLk

ReportLevelLk

0.0.0.0

0.0.0.0

%d.%d.%d.%d

%d.%d.%d.%d

AutoHotkeys

AutoHotkeys

:].tJ

:].tJ

EInvalidGraphicOperation,0

EInvalidGraphicOperation,0

EInvalidGraphicOperation

EInvalidGraphicOperation

KeyPreview,

KeyPreview,

WindowState

WindowState

OnKeyDown

OnKeyDown

OnKeyPressdz

OnKeyPressdz

OnKeyUp

OnKeyUp

ssHotTrack

ssHotTrack

TWindowState

TWindowState

poProportional

poProportional

TWMKey

TWMKey

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

vcltest3.dll

TDragOperation

TDragOperation

TKeyEvent

TKeyEvent

TKeyPressEvent

TKeyPressEvent

crSQLWait

crSQLWait

%s (%s)

%s (%s)

IMM32.DLL

IMM32.DLL

EInvalidOperation

EInvalidOperation

%s[%d]

%s[%d]

%s_%d

%s_%d

USER32.DLL

USER32.DLL

comctl32.dll

comctl32.dll

MSWHEEL_ROLLMSG

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

MSH_SCROLL_LINES_MSG

kernel32.dll

kernel32.dll

Portions Copyright (c) 1983,99 Borland

Portions Copyright (c) 1983,99 Borland

explorer.exe

explorer.exe

Software\Microsoft\Windows\CurrentVersion\Explorer

Software\Microsoft\Windows\CurrentVersion\Explorer

*.TMP

*.TMP

Kernel32.dll

Kernel32.dll

ADVAPI32.dll

ADVAPI32.dll

RegOpenKeyExA

RegOpenKeyExA

RegCloseKey

RegCloseKey

readbook.exe

readbook.exe

rundll32.exe

rundll32.exe

*.exe

*.exe

*.scr

*.scr

UdpT

UdpT

UdpOnDataReceived

UdpOnDataReceived

xxtype.cpp

xxtype.cpp

derv->tpClass.tpcFlags & CF_HAS_BASES

derv->tpClass.tpcFlags & CF_HAS_BASES

Inappropriate I/O control operation

Inappropriate I/O control operation

Broken pipe

Broken pipe

Operation not permitted

Operation not permitted

%H:%M:%S

%H:%M:%S

%m/%d/%y

%m/%d/%y

%A, %B %d, %Y

%A, %B %d, %Y