Trojan.GenericKD.3126638_032557d265 – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2964
%original file name%.exe:140
%original file name%.exe:2868
%original file name%.exe:1940
%original file name%.exe:3344
%original file name%.exe:2632
%original file name%.exe:2192
%original file name%.exe:3436
%original file name%.exe:2532
%original file name%.exe:1088

The Trojan injects its code into the following process(es):

%original file name%.exe:1060
%original file name%.exe:348

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1060 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Default Folder\svchost.exe (5441 bytes)
%Documents and Settings%\%current user%\Application Data\Imminent\Geo.dat (35 bytes)
%Documents and Settings%\%current user%\Application Data\Imminent\Logs\03-04-2016 (265 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)

The process %original file name%.exe:348 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\ECF3006D44DA211141391220EE5049F4 (22 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4 (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\432fggqdd.txt (12 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB (533 bytes)
%Documents and Settings%\%current user%\Application Data\Restore\vbc.exe (10882 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4fggqdd.txt (117 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Restore\vbc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (0 bytes)

Registry activity

The process %original file name%.exe:2964 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 41 08 EC E2 46 67 61 30 0A EF 8E 10 F9 B4 B4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:140 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 A6 A3 E7 9E 94 69 51 B9 89 4F 3D 71 58 BC 66"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:2868 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C E5 81 00 17 AE B0 26 D6 92 8C BB 2C 58 7C A0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:1060 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\032557d265db6b8ff63dd143ff56f431\DEBUG]
"Trace Level" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 1E 61 2D DF 21 27 05 7F 83 01 59 4F 17 51 85"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\Default Folder\svchost.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\032557d265db6b8ff63dd143ff56f431\DEBUG]
"Trace Level"

The process %original file name%.exe:1940 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 1F AE 38 75 F8 EC F7 7B 4C 9D 6C 65 82 D1 1B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:3344 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 61 AF 8A 5C DF F2 AC 69 B1 8B B0 A7 9D DF 1B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:2632 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 57 26 29 F8 0A 68 38 8D 32 66 13 27 54 F9 03"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:2192 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 59 ED 89 9A 67 7B 2B C1 8E E3 C3 BA B9 C6 79"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:3436 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 39 B2 7B 87 D4 8E CD 70 8F 9B 8B 11 A9 3D 2E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:2532 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 3B BE 7F 10 43 FD 24 FB 7C 8D 03 4B 27 AE CB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:1088 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 11 B0 21 6B 1E 1B 7D E7 95 16 62 65 C1 2D C2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:348 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 EC 16 44 C8 34 E2 F5 9C 08 AA F8 AB 9D D4 A0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\Restore\vbc.exe"

Dropped PE files

MD5	File path
aaa698721f488b181bc0f0afc5da126a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp1.tmp
aaa698721f488b181bc0f0afc5da126a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp2.tmp
aaa698721f488b181bc0f0afc5da126a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp3.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2964
%original file name%.exe:140
%original file name%.exe:2868
%original file name%.exe:1940
%original file name%.exe:3344
%original file name%.exe:2632
%original file name%.exe:2192
%original file name%.exe:3436
%original file name%.exe:2532
%original file name%.exe:1088
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\Default Folder\svchost.exe (5441 bytes)
%Documents and Settings%\%current user%\Application Data\Imminent\Geo.dat (35 bytes)
%Documents and Settings%\%current user%\Application Data\Imminent\Logs\03-04-2016 (265 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\ECF3006D44DA211141391220EE5049F4 (22 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4 (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\432fggqdd.txt (12 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB (533 bytes)
%Documents and Settings%\%current user%\Application Data\Restore\vbc.exe (10882 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4fggqdd.txt (117 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\Default Folder\svchost.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "%Documents and Settings%\%current user%\Application Data\Restore\vbc.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: CD Projekt Red
Product Name: The Witcher 3
Product Version: 3.0.0
Legal Copyright: Copyright (c) 2012 CD Projekt Red
Legal Trademarks:
Original Filename: fdsfkdlsfksdkf.exe
Internal Name: fdsfkdlsfksdkf.exe
File Version: 3.0.0
File Description: The Witcher 3
Comments: The Witcher 3
Language: English (United States)

Company Name: CD Projekt RedProduct Name: The Witcher 3Product Version: 3.0.0Legal Copyright: Copyright (c) 2012 CD Projekt RedLegal Trademarks: Original Filename: fdsfkdlsfksdkf.exeInternal Name: fdsfkdlsfksdkf.exeFile Version: 3.0.0File Description: The Witcher 3Comments: The Witcher 3Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	8192	598116	602112	4.21618	405552ddc5911d3f058e7a0fa2d1bc55
.rsrc	614400	106632	110592	3.18543	48a36826c5939c2ff1e849dc95bd5e43
.reloc	729088	12	4096	0.011373	62450b79009feb7de610244f5909301a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://e6845.dscb1.akamaiedge.net/pca3-g5.crl
hxxp://e6845.dscb1.akamaiedge.net/sv.crl
hxxp://iptrackeronline.com/
hxxp://sv.symcb.com/sv.crl	23.43.133.163
hxxp://www.iptrackeronline.com/	108.174.156.115
hxxp://s1.symcb.com/pca3-g5.crl	23.43.133.163
crackers.zapto.org	81.30.156.52

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36

Host: VVV.iptrackeronline.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sun, 03 Apr 2016 09:19:42 GMT

Server: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4

X-Powered-By: PHP/5.5.30

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: text/html

1edd..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="hXXp://VVV.w3.org/1999/xhtml" xmlns:v="urn:schemas-microsoft-com:vml">.<head>..<meta name="viewport" content="width=device-width" />..<meta name="google-site-verification" content="CyeqoD4FJhDmQx8oZ3yZY1-4utytwBE97dvSqELW5UQ" />.<meta name="msvalidate.01" content="6F8096A65FE90197E73B42CDE4CC4938" />..<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />.<meta http-equiv="Content-Language" content="en-us">.<meta name="description" content="ipTRACKERonline is the Swiss Army Knife of IP Address Tracking. From email header analysis to IP geolocation this is the only IP tracking website to use." />...<meta name="keywords" content="ip tracker, ip tracker online, track ip, email header analysis, email header analyzer, headers, email header analyser, analyze email header, analyze email headers, email header analysis tool, mail header analyzer, e-mail header analyzer, ip track, track ip addresses, email headers, email header, trace ip address, find ip" />...<meta name="historic" content="Geo Location, geomarketing, Geo Marketing, DNS tools, my ip ,ip, address, ,DNS Monitoring, Network Tools, my, what, is, find, get, show, locate, geolocation, change, location, how, do, ip address, proxy, server, anonymous, hide, conceal, stealth, surf, web, anonymizer, anonymize, changer, privacy, geolocation, geolocate

<<< skipped >>>

GET /pca3-g5.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: s1.symcb.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "1721969e732bcfdda4d85c16390eba70:1458842597"

Last-Modified: Thu, 24 Mar 2016 17:40:05 GMT

Date: Sun, 03 Apr 2016 09:19:33 GMT

Content-Length: 533

Connection: keep-alive

Content-Type: application/pkix-crl

0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G5..160322000000Z..160630235959Z0...*.H..............2.Z.....J..;.~^.....N.3..g .......'....s.c.5...?.2...Q./#`...y..;.i....?I.{......:5.....|5..b.......,:.H .Y.....nN..;.^..y..d5.....L.;o...l...i...p.......)~..s..<y..#...U4..\.hQJo{QS....p<.X....D.............q$.p....k...I?U....Q2.j>......`..?....I...>.t.#HTTP/1.1 200 OK..Server: Apache..ETag: "1721969e732bcfdda4d85c16390eba70:1458842597"..Last-Modified: Thu, 24 Mar 2016 17:40:05 GMT..Date: Sun, 03 Apr 2016 09:19:33 GMT..Content-Length: 533..Connection: keep-alive..Content-Type: application/pkix-crl..0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G5..160322000000Z..160630235959Z0...*.H..............2.Z.....J..;.~^.....N.3..g .......'....s.c.5...?.2...Q./#`...y..;.i....?I.{......:5.....|5..b.......,:.H .Y.....nN..;.^..y..d5.....L.;o...l...i...p.......)~..s..<y..#...U4..\.hQJo{QS....p<.X....D.............q$.p....k...I?U....Q2.j>......`..?....I...>.t.#..

<<< skipped >>>

GET /sv.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: sv.symcb.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "f717e180578e12aba5a79158890368b8:1459632799"

Last-Modified: Sat, 02 Apr 2016 21:01:18 GMT

Date: Sun, 03 Apr 2016 09:19:33 GMT

Content-Length: 22563

Connection: keep-alive

Content-Type: application/pkix-crl

0.X.0.W....0...*.H........0.1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network100...U...'Symantec Class 3 SHA256 Code Signing CA..160402210118Z..160416210118Z0.V 0!...M.h .{m.&...C....150827201412Z0!...\..N.....F.E..*..150818144018Z0!...o. .z..%5.O.W....150306094921Z0!.....p...3...!.!....150720000000Z0!.......7.cA...).`...151023214351Z0!....627.*[P.....[...160323133021Z0!....~_..N.W..f.1....150309185437Z0!.......w.....-Z.....150925144610Z0!......)-.5....Y.....150420152841Z0!.... ...E...H] .....150324162430Z0!........pj.B....w...151109044625Z0!....0|..C`.3k....H..151109173817Z0!...A5.j..F.e....o4..150717171629Z0!...z..3vr.I..!.CW...151008143454Z0!...}I...jR.y.....x..150708140159Z0!....!..m.?.AN.......150623233015Z0!.......5.p...x..#...160115164443Z0!....KH..h..1@.M.....160125164123Z0!...........m........150427234712Z0!........6....&N.....151201011214Z0!...up..*..Di...;....151105201340Z0!.....44.41.$...[....160120143003Z0!..../G..g.......x...150306012430Z0!..........y..n"%.\..150615101331Z0!....a....D.....tB...150804133623Z0!...i....U..a:...Ll..150112095207Z0!....!........Z..A...150505104631Z0!.......='.N..c..A...160318172858Z0!...;.u..17Oz."5M.l..160223081528Z0!...As.......l..O....150520202423Z0!...A.{.t5...5.7..|..151203234419Z0!....0{...'..V.S ....150210000000Z0!....xs.._..0D...P...160309172942Z0!.....3..s.S.`..G....151114045946Z0!...H...n...w.(......160317150133Z0!...v.~3} ......;....150907144307Z0!...............h.A..150902053702Z0!.....<.......l.dI...160226094001Z0!...!.@.Rc..e

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1060:

.text

`.rsrc

@.reloc

lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

%dZ?"

(%%D

}.vDl7

M%xP5O

}.gfF

%4S{\

.rT-"d

*8 %S

hE.%D

m.zkPq

J#%CG8,

\j.ns~'

3.37.3

.KDFQ"

.ynn'

5-8.UR~

.Sb[

u$.lR

HS%CN

vV%Ct

.UkSI

.Ff:@

f22.ggw`

s8%S&

uq.bm

kz}{%f>

.NMm.

AI.PW

4cD%u

K7`i3.Gs

A|Qd.FUl

(.fsr

v2.0.50727

server.exe

Microsoft.VisualBasic

server.Resources.resources

Microsoft.VisualBasic.ApplicationServices

.ctor

System.CodeDom.Compiler

System.ComponentModel

Microsoft.VisualBasic.Devices

System.Diagnostics

m_MyWebServicesObjectProvider

.cctor

get_WebServices

HelpKeywordAttribute

System.ComponentModel.Design

WebServices

Microsoft.VisualBasic.CompilerServices

MyWebServices

System.Runtime.CompilerServices

System.Runtime.InteropServices

System.Text

SevenZip.Compression.LZMA

System.Resources

System.IO.Compression

System.IO

System.Reflection

GetExecutingAssembly

System.Collections.Generic

8.0.0.0

My.Computer

My.Application

My.User

My.WebServices

4System.Web.Services.Protocols.SoapHttpClientProtocol

1.0.0.0

_CorExeMain

mscoree.dll

data.dat

lzma.dat

%original file name%.exe_1060_rwx_00400000_00052000:

.text

`.rsrc

@.reloc

lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet

%dZ?"

(%%D

}.vDl7

M%xP5O

}.gfF

%4S{\

.rT-"d

*8 %S

hE.%D

m.zkPq

J#%CG8,

\j.ns~'

3.37.3

.KDFQ"

.ynn'

5-8.UR~

.Sb[

u$.lR

HS%CN

vV%Ct

.UkSI

.Ff:@

f22.ggw`

s8%S&

uq.bm

kz}{%f>

.NMm.

AI.PW

4cD%u

K7`i3.Gs

A|Qd.FUl

(.fsr

v2.0.50727

server.exe

Microsoft.VisualBasic

server.Resources.resources

Microsoft.VisualBasic.ApplicationServices

.ctor

System.CodeDom.Compiler

System.ComponentModel

Microsoft.VisualBasic.Devices

System.Diagnostics

m_MyWebServicesObjectProvider

.cctor

get_WebServices

HelpKeywordAttribute

System.ComponentModel.Design

WebServices

Microsoft.VisualBasic.CompilerServices

MyWebServices

System.Runtime.CompilerServices

System.Runtime.InteropServices

System.Text

SevenZip.Compression.LZMA

System.Resources

System.IO.Compression

System.IO

System.Reflection

GetExecutingAssembly

System.Collections.Generic

8.0.0.0

My.Computer

My.Application

My.User

My.WebServices

4System.Web.Services.Protocols.SoapHttpClientProtocol

1.0.0.0

_CorExeMain

mscoree.dll

data.dat

lzma.dat

%original file name%.exe_1060_rwx_00B90000_0000E000:

:y`.Ayh/Ay

%original file name%.exe_1060_rwx_00BD0000_00005000:

.yXPRV

%original file name%.exe_1060_rwx_675A6000_00003000:

.Qg

*Rg`.Rg|)RgL Rg

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps