Trojan.Win32.Swrort_0648ee5d23

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

DirectX.exe:1460
%original file name%.exe:1504
%original file name%.exe:580
taskkill.exe:1296

The Trojan injects its code into the following process(es):

DirectX.exe:1416

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1504 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\DirectX.exe (1281 bytes)

Registry activity

The process DirectX.exe:1460 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process DirectX.exe:1416 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B C5 CC 14 9C D9 62 CC F5 B4 93 4F A1 AE E8 93"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"DirectX" = "%WinDir%\DirectX.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DirectX" = "%WinDir%\DirectX.exe"

The process %original file name%.exe:1504 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 C7 3E AB AF 06 FA 23 22 8B B8 CD 52 32 97 A8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"Directx.exe" = "d"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:580 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process taskkill.exe:1296 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 00 B8 E7 FF E6 DD 27 B8 28 A9 DE 86 84 E5 4F"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   DirectX.exe:1460
   %original file name%.exe:1504
   %original file name%.exe:580
   taskkill.exe:1296

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:

   %WinDir%\DirectX.exe (1281 bytes)
   

4. Delete the following value(s) in the autorun key (How to Work with System Registry):

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "DirectX" = "%WinDir%\DirectX.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "DirectX" = "%WinDir%\DirectX.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: d
Product Version: 1, 0, 0, 1
Legal Copyright: (C) 2011
Legal Trademarks:
Original Filename: d.exe
Internal Name: d
File Version: 1, 0, 0, 1
File Description: d
Comments:
Language: English (United States)

Company Name: Product Name: dProduct Version: 1, 0, 0, 1Legal Copyright: (C) 2011Legal Trademarks: Original Filename: d.exeInternal Name: dFile Version: 1, 0, 0, 1File Description: dComments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	25149	28672	2.65407	355c7954cead664c6cc5a948ea187001
.rdata	32768	4575	8192	1.37478	5d76d11b92b0ca55da2ac59c9ea0ddd3
.data	40960	9060	12288	1.59352	9f0975d035ba01d7054b63dfc1a547fe
.idata	53248	4494	8192	1.81183	dada91a128ff46a6983d7f7bf3acf50b
.rsrc	61440	104660	106496	5.39039	a8aca6552b9aef852c45a2cb3b97a42e
.reloc	167936	2289	4096	2.53629	4527fb54b4c9b63d136e67f2af80e4f3
.pula	172032	2610	4096	2.31314	7653801c776b34a3aeb4e5dcfc6a6a89

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://checkip.dyndns.com/
hxxp://checkip.dyndns.org/	216.146.38.70

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1

Host: checkip.dyndns.org

Content-Type: application/x-www-form-urlencoded

HTTP/1.1 200 OK

Content-Type: text/html

Server: DynDNS-CheckIP/1.0

Connection: close

Cache-Control: no-cache

Pragma: no-cache

Content-Length: 106

<html><head><title>Current IP Check</title></head><body>Current IP Address: 194.242.96.218</body></html>....

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

DirectX.exe_1416:

.text

.text

`.data

`.data

.rdata

.rdata

@.bss

@.bss

.idata

.idata

.rsrc

.rsrc

piratedreed.com

piratedreed.com

domains.php

domains.php

API.php

API.php

mask.php

mask.php

194.242.96.218

194.242.96.218

%s%s.RDM

%s%s.RDM

%s*.*

%s*.*

%s%s\

%s%s\

%s%c%c%c%c%c%c

%s%c%c%c%c%c%c

%d.%d.%d

%d.%d.%d

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

%s\system32\wbem\wmic.exe

%s\system32\wbem\wmic.exe

process call create "cmd.exe /c schtasks /create /tn MONITOR1 /tr %s /sc ONSTART /ru SYSTEM"

process call create "cmd.exe /c schtasks /create /tn MONITOR1 /tr %s /sc ONSTART /ru SYSTEM"

process call create "cmd.exe /c vssadmin delete shadows /all /quiet"

process call create "cmd.exe /c vssadmin delete shadows /all /quiet"

%sX

%sX

Software\Microsoft\%s

Software\Microsoft\%s

taskkill /f /im %s

taskkill /f /im %s

del %s /s /q

del %s /s /q

del %s

del %s

aaa.bat

aaa.bat

103.25.202.192

103.25.202.192

92.222.80.28

92.222.80.28

78.138.97.93

78.138.97.93

POST /%s HTTP/1.1

POST /%s HTTP/1.1

Host: %s

Host: %s

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

GET /%s HTTP/1.1

GET /%s HTTP/1.1

%s\%s

%s\%s

advapi32.dll

advapi32.dll

process call create "cmd /c start %s"

process call create "cmd /c start %s"

id=%s&apt=%i&os=%s&ip=%s&bits=%s&discs=%s&pub=

id=%s&apt=%i&os=%s&ip=%s&bits=%s&discs=%s&pub=

%s&prv=

%s&prv=

id=%s&s=%i

id=%s&s=%i

%s\DirectX.exe

%s\DirectX.exe

%s\directx.exe

%s\directx.exe

id=%s&ip=%s

id=%s&ip=%s

hXXp://%s/ld/?id=%s

hXXp://%s/ld/?id=%s

URL=hXXp://%s/ld/?id=%s

URL=hXXp://%s/ld/?id=%s

YOUR_FILES.url

YOUR_FILES.url

checkip.dyndns.org

checkip.dyndns.org

%s:%u: failed assertion `%s'

%s:%u: failed assertion `%s'

CryptExportKey

CryptExportKey

CryptGenKey

CryptGenKey

CryptImportKey

CryptImportKey

RegCloseKey

RegCloseKey

RegCreateKeyExA

RegCreateKeyExA

RegOpenKeyExA

RegOpenKeyExA

GetWindowsDirectoryA

GetWindowsDirectoryA

WinExec

WinExec

ShellExecuteA

ShellExecuteA

GetKeyboardType

GetKeyboardType

ADVAPI32.DLL

ADVAPI32.DLL

DNSAPI.DLL

DNSAPI.DLL

WS2_32.DLL

WS2_32.DLL

KERNEL32.dll

KERNEL32.dll

msvcrt.dll

msvcrt.dll

SHELL32.DLL

SHELL32.DLL

USER32.dll

USER32.dll

directx.exe

directx.exe

DirectX.exe_1416_rwx_00300000_00100000:

.text

.text

DirectX.exe_1416_rwx_00400000_00834000:

.text

.text

`.data

`.data

.rdata

.rdata

@.bss

@.bss

.idata

.idata

.rsrc

.rsrc

piratedreed.com

piratedreed.com

domains.php

domains.php

API.php

API.php

mask.php

mask.php

194.242.96.218

194.242.96.218

%s%s.RDM

%s%s.RDM

%s*.*

%s*.*

%s%s\

%s%s\

%s%c%c%c%c%c%c

%s%c%c%c%c%c%c

%d.%d.%d

%d.%d.%d

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Run

%s\system32\wbem\wmic.exe

%s\system32\wbem\wmic.exe

process call create "cmd.exe /c schtasks /create /tn MONITOR1 /tr %s /sc ONSTART /ru SYSTEM"

process call create "cmd.exe /c schtasks /create /tn MONITOR1 /tr %s /sc ONSTART /ru SYSTEM"

process call create "cmd.exe /c vssadmin delete shadows /all /quiet"

process call create "cmd.exe /c vssadmin delete shadows /all /quiet"

%sX

%sX

Software\Microsoft\%s

Software\Microsoft\%s

taskkill /f /im %s

taskkill /f /im %s

del %s /s /q

del %s /s /q

del %s

del %s

aaa.bat

aaa.bat

103.25.202.192

103.25.202.192

92.222.80.28

92.222.80.28

78.138.97.93

78.138.97.93

POST /%s HTTP/1.1

POST /%s HTTP/1.1

Host: %s

Host: %s

Content-Type: application/x-www-form-urlencoded

Content-Type: application/x-www-form-urlencoded

GET /%s HTTP/1.1

GET /%s HTTP/1.1

%s\%s

%s\%s

advapi32.dll

advapi32.dll

process call create "cmd /c start %s"

process call create "cmd /c start %s"

id=%s&apt=%i&os=%s&ip=%s&bits=%s&discs=%s&pub=

id=%s&apt=%i&os=%s&ip=%s&bits=%s&discs=%s&pub=

%s&prv=

%s&prv=

id=%s&s=%i

id=%s&s=%i

%s\DirectX.exe

%s\DirectX.exe

%s\directx.exe

%s\directx.exe

id=%s&ip=%s

id=%s&ip=%s

hXXp://%s/ld/?id=%s

hXXp://%s/ld/?id=%s

URL=hXXp://%s/ld/?id=%s

URL=hXXp://%s/ld/?id=%s

YOUR_FILES.url

YOUR_FILES.url

checkip.dyndns.org

checkip.dyndns.org

%s:%u: failed assertion `%s'

%s:%u: failed assertion `%s'

CryptExportKey

CryptExportKey

CryptGenKey

CryptGenKey

CryptImportKey

CryptImportKey

RegCloseKey

RegCloseKey

RegCreateKeyExA

RegCreateKeyExA

RegOpenKeyExA

RegOpenKeyExA

GetWindowsDirectoryA

GetWindowsDirectoryA

WinExec

WinExec

ShellExecuteA

ShellExecuteA

GetKeyboardType

GetKeyboardType

ADVAPI32.DLL

ADVAPI32.DLL

DNSAPI.DLL

DNSAPI.DLL

WS2_32.DLL

WS2_32.DLL

KERNEL32.dll

KERNEL32.dll

msvcrt.dll

msvcrt.dll

SHELL32.DLL

SHELL32.DLL

USER32.dll

USER32.dll

127.0.0.1

127.0.0.1

directx.exe

directx.exe