Trojan.Win32.Reconyc.fhkt (Kaspersky), Trojan.GenericKD.3126638 (B) (Emsisoft), Trojan.GenericKD.3126638 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 032557d265db6b8ff63dd143ff56f431
SHA1: 111695ad75fb86fc3b46d153e95fc986ae8789ab
SHA256: a163af1a1ac0a0f254c2dd7815d16b69b70b2b96a464fb24234014a8fcf043d7
SSDeep: 12288:sveGRx nqZ5K4XNIECwWqKRUO8k6AQPe UkxogdrGUjpO o: x nqHTaEu2uSxzrGK6
Size: 733912 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: Risomuri
Created at: 2016-03-26 08:13:13
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:2964
%original file name%.exe:140
%original file name%.exe:2868
%original file name%.exe:1940
%original file name%.exe:3344
%original file name%.exe:2632
%original file name%.exe:2192
%original file name%.exe:3436
%original file name%.exe:2532
%original file name%.exe:1088
The Trojan injects its code into the following process(es):
%original file name%.exe:1060
%original file name%.exe:348
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process %original file name%.exe:1060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Default Folder\svchost.exe (5441 bytes)
%Documents and Settings%\%current user%\Application Data\Imminent\Geo.dat (35 bytes)
%Documents and Settings%\%current user%\Application Data\Imminent\Logs\03-04-2016 (265 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)
The process %original file name%.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\ECF3006D44DA211141391220EE5049F4 (22 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4 (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\432fggqdd.txt (12 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB (533 bytes)
%Documents and Settings%\%current user%\Application Data\Restore\vbc.exe (10882 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4fggqdd.txt (117 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\Restore\vbc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (0 bytes)
Registry activity
The process %original file name%.exe:2964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 41 08 EC E2 46 67 61 30 0A EF 8E 10 F9 B4 B4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 A6 A3 E7 9E 94 69 51 B9 89 4F 3D 71 58 BC 66"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:2868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C E5 81 00 17 AE B0 26 D6 92 8C BB 2C 58 7C A0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:1060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\032557d265db6b8ff63dd143ff56f431\DEBUG]
"Trace Level" = ""
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 1E 61 2D DF 21 27 05 7F 83 01 59 4F 17 51 85"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\Default Folder\svchost.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\032557d265db6b8ff63dd143ff56f431\DEBUG]
"Trace Level"
The process %original file name%.exe:1940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 1F AE 38 75 F8 EC F7 7B 4C 9D 6C 65 82 D1 1B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:3344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 61 AF 8A 5C DF F2 AC 69 B1 8B B0 A7 9D DF 1B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:2632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 57 26 29 F8 0A 68 38 8D 32 66 13 27 54 F9 03"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:2192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 59 ED 89 9A 67 7B 2B C1 8E E3 C3 BA B9 C6 79"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:3436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 39 B2 7B 87 D4 8E CD 70 8F 9B 8B 11 A9 3D 2E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:2532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 3B BE 7F 10 43 FD 24 FB 7C 8D 03 4B 27 AE CB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:1088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 11 B0 21 6B 1E 1B 7D E7 95 16 62 65 C1 2D C2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 EC 16 44 C8 34 E2 F5 9C 08 AA F8 AB 9D D4 A0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\Restore\vbc.exe"
Dropped PE files
MD5 | File path |
---|---|
aaa698721f488b181bc0f0afc5da126a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp1.tmp |
aaa698721f488b181bc0f0afc5da126a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp2.tmp |
aaa698721f488b181bc0f0afc5da126a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp3.tmp |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2964
%original file name%.exe:140
%original file name%.exe:2868
%original file name%.exe:1940
%original file name%.exe:3344
%original file name%.exe:2632
%original file name%.exe:2192
%original file name%.exe:3436
%original file name%.exe:2532
%original file name%.exe:1088
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\Default Folder\svchost.exe (5441 bytes)
%Documents and Settings%\%current user%\Application Data\Imminent\Geo.dat (35 bytes)
%Documents and Settings%\%current user%\Application Data\Imminent\Logs\03-04-2016 (265 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\ECF3006D44DA211141391220EE5049F4 (22 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4 (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\432fggqdd.txt (12 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB (533 bytes)
%Documents and Settings%\%current user%\Application Data\Restore\vbc.exe (10882 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4fggqdd.txt (117 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\Default Folder\svchost.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\Restore\vbc.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: CD Projekt Red
Product Name: The Witcher 3
Product Version: 3.0.0
Legal Copyright: Copyright (c) 2012 CD Projekt Red
Legal Trademarks:
Original Filename: fdsfkdlsfksdkf.exe
Internal Name: fdsfkdlsfksdkf.exe
File Version: 3.0.0
File Description: The Witcher 3
Comments: The Witcher 3
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 598116 | 602112 | 4.21618 | 405552ddc5911d3f058e7a0fa2d1bc55 |
.rsrc | 614400 | 106632 | 110592 | 3.18543 | 48a36826c5939c2ff1e849dc95bd5e43 |
.reloc | 729088 | 12 | 4096 | 0.011373 | 62450b79009feb7de610244f5909301a |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://e6845.dscb1.akamaiedge.net/pca3-g5.crl | |
hxxp://e6845.dscb1.akamaiedge.net/sv.crl | |
hxxp://iptrackeronline.com/ | |
hxxp://sv.symcb.com/sv.crl | 23.43.133.163 |
hxxp://www.iptrackeronline.com/ | 108.174.156.115 |
hxxp://s1.symcb.com/pca3-g5.crl | 23.43.133.163 |
crackers.zapto.org | 81.30.156.52 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
Host: VVV.iptrackeronline.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 03 Apr 2016 09:19:42 GMT
Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.5.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
<<< skipped >>>
GET /pca3-g5.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: s1.symcb.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "1721969e732bcfdda4d85c16390eba70:1458842597"
Last-Modified: Thu, 24 Mar 2016 17:40:05 GMT
Date: Sun, 03 Apr 2016 09:19:33 GMT
Content-Length: 533
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
GET /sv.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: sv.symcb.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "f717e180578e12aba5a79158890368b8:1459632799"
Last-Modified: Sat, 02 Apr 2016 21:01:18 GMT
Date: Sun, 03 Apr 2016 09:19:33 GMT
Content-Length: 22563
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1060:
.text
`.rsrc
@.reloc
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
v2.0.50727
server.exe
Microsoft.VisualBasic
server.Resources.resources
Microsoft.VisualBasic.ApplicationServices
.ctor
System.CodeDom.Compiler
System.ComponentModel
Microsoft.VisualBasic.Devices
System.Diagnostics
m_MyWebServicesObjectProvider
.cctor
get_WebServices
HelpKeywordAttribute
System.ComponentModel.Design
WebServices
Microsoft.VisualBasic.CompilerServices
MyWebServices
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Text
SevenZip.Compression.LZMA
System.Resources
System.IO.Compression
System.IO
System.Reflection
GetExecutingAssembly
System.Collections.Generic
8.0.0.0
My.Computer
My.Application
My.User
My.WebServices
4System.Web.Services.Protocols.SoapHttpClientProtocol
1.0.0.0
_CorExeMain
mscoree.dll
data.dat
lzma.dat
%original file name%.exe_1060_rwx_00400000_00052000:
%original file name%.exe_1060_rwx_00B90000_0000E000:
%original file name%.exe_1060_rwx_00BD0000_00005000:
%original file name%.exe_1060_rwx_675A6000_00003000: