Trojan.Win32.Swrort.4.FD, TrojanSwrort.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0648ee5d230adef499107434a4f62525
SHA1: d48eb459b061d4420295891c2f30822a5f13d4fc
SHA256: 37450cf9a93b6e06f9bf10252cd66a3f0604d3be1a4cc48a9b3105070fae1181
SSDeep: 3072:wjcprkEusAuRz9rKslr3GEqACD1Ryy0JeKELJZd:S9SXrJ2EDo1Ryy0cKMZd
Size: 208896 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2015-12-18 16:31:21
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
DirectX.exe:1460
%original file name%.exe:1504
%original file name%.exe:580
taskkill.exe:1296
The Trojan injects its code into the following process(es):
DirectX.exe:1416
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\DirectX.exe (1281 bytes)
Registry activity
The process DirectX.exe:1460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process DirectX.exe:1416 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B C5 CC 14 9C D9 62 CC F5 B4 93 4F A1 AE E8 93"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"DirectX" = "%WinDir%\DirectX.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DirectX" = "%WinDir%\DirectX.exe"
The process %original file name%.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 C7 3E AB AF 06 FA 23 22 8B B8 CD 52 32 97 A8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"Directx.exe" = "d"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all local web nodes with no dots that do not belong to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process %original file name%.exe:580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process taskkill.exe:1296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 00 B8 E7 FF E6 DD 27 B8 28 A9 DE 86 84 E5 4F"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
DirectX.exe:1460
%original file name%.exe:1504
%original file name%.exe:580
taskkill.exe:1296
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\DirectX.exe (1281 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"DirectX" = "%WinDir%\DirectX.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DirectX" = "%WinDir%\DirectX.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: d
Product Version: 1, 0, 0, 1
Legal Copyright: (C) 2011
Legal Trademarks:
Original Filename: d.exe
Internal Name: d
File Version: 1, 0, 0, 1
File Description: d
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 25149 | 28672 | 2.65407 | 355c7954cead664c6cc5a948ea187001 |
.rdata | 32768 | 4575 | 8192 | 1.37478 | 5d76d11b92b0ca55da2ac59c9ea0ddd3 |
.data | 40960 | 9060 | 12288 | 1.59352 | 9f0975d035ba01d7054b63dfc1a547fe |
.idata | 53248 | 4494 | 8192 | 1.81183 | dada91a128ff46a6983d7f7bf3acf50b |
.rsrc | 61440 | 104660 | 106496 | 5.39039 | a8aca6552b9aef852c45a2cb3b97a42e |
.reloc | 167936 | 2289 | 4096 | 2.53629 | 4527fb54b4c9b63d136e67f2af80e4f3 |
.pula | 172032 | 2610 | 4096 | 2.31314 | 7653801c776b34a3aeb4e5dcfc6a6a89 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://checkip.dyndns.com/ | |
hxxp://checkip.dyndns.org/ | 216.146.38.70 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET / HTTP/1.1
Host: checkip.dyndns.org
Content-Type: application/x-www-form-urlencoded
HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 106
<html><head><title>Current IP Check</title></head><body>Current IP Address: 194.242.96.218</body></html>....
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
DirectX.exe_1416:
.text
`.data
.rdata
@.bss
.idata
.rsrc
piratedreed.com
domains.php
API.php
mask.php
194.242.96.218
%s%s.RDM
%s*.*
%s%s\
%s%c%c%c%c%c%c
%d.%d.%d
Software\Microsoft\Windows\CurrentVersion\Run
%s\system32\wbem\wmic.exe
process call create "cmd.exe /c schtasks /create /tn MONITOR1 /tr %s /sc ONSTART /ru SYSTEM"
process call create "cmd.exe /c vssadmin delete shadows /all /quiet"
%sX
Software\Microsoft\%s
taskkill /f /im %s
del %s /s /q
del %s
aaa.bat
103.25.202.192
92.222.80.28
78.138.97.93
POST /%s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded
GET /%s HTTP/1.1
%s\%s
advapi32.dll
process call create "cmd /c start %s"
id=%s&apt=%i&os=%s&ip=%s&bits=%s&discs=%s&pub=
%s&prv=
id=%s&s=%i
%s\DirectX.exe
%s\directx.exe
id=%s&ip=%s
hXXp://%s/ld/?id=%s
URL=hXXp://%s/ld/?id=%s
YOUR_FILES.url
checkip.dyndns.org
%s:%u: failed assertion `%s'
CryptExportKey
CryptGenKey
CryptImportKey
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
GetWindowsDirectoryA
WinExec
ShellExecuteA
GetKeyboardType
ADVAPI32.DLL
DNSAPI.DLL
WS2_32.DLL
KERNEL32.dll
msvcrt.dll
SHELL32.DLL
USER32.dll
directx.exe
DirectX.exe_1416_rwx_00300000_00100000:
.text
DirectX.exe_1416_rwx_00400000_00834000:
.text
`.data
.rdata
@.bss
.idata
.rsrc
piratedreed.com
domains.php
API.php
mask.php
194.242.96.218
%s%s.RDM
%s*.*
%s%s\
%s%c%c%c%c%c%c
%d.%d.%d
Software\Microsoft\Windows\CurrentVersion\Run
%s\system32\wbem\wmic.exe
process call create "cmd.exe /c schtasks /create /tn MONITOR1 /tr %s /sc ONSTART /ru SYSTEM"
process call create "cmd.exe /c vssadmin delete shadows /all /quiet"
%sX
Software\Microsoft\%s
taskkill /f /im %s
del %s /s /q
del %s
aaa.bat
103.25.202.192
92.222.80.28
78.138.97.93
POST /%s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded
GET /%s HTTP/1.1
%s\%s
advapi32.dll
process call create "cmd /c start %s"
id=%s&apt=%i&os=%s&ip=%s&bits=%s&discs=%s&pub=
%s&prv=
id=%s&s=%i
%s\DirectX.exe
%s\directx.exe
id=%s&ip=%s
hXXp://%s/ld/?id=%s
URL=hXXp://%s/ld/?id=%s
YOUR_FILES.url
checkip.dyndns.org
%s:%u: failed assertion `%s'
CryptExportKey
CryptGenKey
CryptImportKey
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
GetWindowsDirectoryA
WinExec
ShellExecuteA
GetKeyboardType
ADVAPI32.DLL
DNSAPI.DLL
WS2_32.DLL
KERNEL32.dll
msvcrt.dll
SHELL32.DLL
USER32.dll
127.0.0.1
directx.exe