TrojanDownloader.Win32.Moure_f345268e8b – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan-Downloader creates the following process(es):

ExternalApp.exe:380
%original file name%.exe:308
DownLoadDlg.exe:580
minidownload.exe:928
regsvr32.exe:524
regsvr32.exe:652
regsvr32.exe:332
UpdateService.exe:868
UpdateService.exe:632
XLDownloadCom.exe:2044

The Trojan-Downloader injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process ExternalApp.exe:380 makes changes in the file system.

The Trojan-Downloader creates and/or writes to the following file(s):

%Program Files%\SogouDownLoad\download\MiniTPFw.exe (1633 bytes)
%Program Files%\SogouDownLoad\download\MiniThunderPlatform.exe (7951 bytes)
%Program Files%\SogouDownLoad\npdownload.dll (8160 bytes)
%Program Files%\SogouDownLoad\download\id.dat (40 bytes)
%Program Files%\SogouDownLoad\XLDownloadCom.exe (3626 bytes)
%Program Files%\SogouDownLoad\DlgHandler.dll (7893 bytes)
%Program Files%\SogouDownLoad\download\zlib1.dll (3170 bytes)
%Program Files%\SogouDownLoad\IEHint64.dll (13023 bytes)
%Program Files%\SogouDownLoad\download\ThunderFW.exe (3053 bytes)
%Program Files%\SogouDownLoad\download\atl71.dll (2201 bytes)
%Program Files%\SogouDownLoad\download\msvcp71.dll (10930 bytes)
%Program Files%\SogouDownLoad\IEHint.dll (7872 bytes)
%Program Files%\SogouDownLoad\download\dl_peer_id.dll (2910 bytes)
%Program Files%\SogouDownLoad\XLDownloadComPS.dll (2017 bytes)
%Program Files%\SogouDownLoad\download\download_engine.dll (75696 bytes)
%Program Files%\SogouDownLoad\npdownload64.dll (10293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh3.tmp\System.dll (11 bytes)
%Program Files%\SogouDownLoad\update\UpdateService.exe (7197 bytes)
%Program Files%\SogouDownLoad\xldl.dll (9424 bytes)
%Program Files%\SogouDownLoad\CommonState.dll (1348 bytes)
%Program Files%\SogouDownLoad\download\msvcr71.dll (12773 bytes)
%Program Files%\SogouDownLoad\uninst.exe (794 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa2.tmp (0 bytes)

The process %original file name%.exe:308 makes changes in the file system.

The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\minidownload.exe (1792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)

The process DownLoadDlg.exe:580 makes changes in the file system.

The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Program Files%\SogouDownLoad\tmp\ExternalApp.exe (75500 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ExternalApp[1].exe (255698 bytes)

The process minidownload.exe:928 makes changes in the file system.

The Trojan-Downloader creates and/or writes to the following file(s):

%Program Files%\SogouDownLoad\html\images\progressbar.png (285 bytes)
%Program Files%\SogouDownLoad\html\config.ini (116 bytes)
%Program Files%\SogouDownLoad\html\js\actions.js (8 bytes)
%Program Files%\SogouDownLoad\html\js\swfobject.js (10 bytes)
%Program Files%\SogouDownLoad\DownLoadDlg.exe (17625 bytes)
%Program Files%\SogouDownLoad\html\images\check.png (295 bytes)
%Program Files%\SogouDownLoad\html\images\btn_spr.gif (3 bytes)
%Program Files%\SogouDownLoad\crash\ExceptionReport.exe (3644 bytes)
%Program Files%\SogouDownLoad\html\css\down.css (2 bytes)
%Program Files%\SogouDownLoad\html\images\error2.png (738 bytes)
%Program Files%\SogouDownLoad\html\repair.html (1 bytes)
%Program Files%\SogouDownLoad\html\images\img_exe.gif (657 bytes)
%Program Files%\SogouDownLoad\html\images\dlico1.png (348 bytes)
%Program Files%\SogouDownLoad\html\images\error.png (1 bytes)
%Program Files%\SogouDownLoad\html\images\rocket2.swf (5 bytes)
%Program Files%\SogouDownLoad\html\settings.html (3 bytes)
%Program Files%\SogouDownLoad\html\images\ico_close.gif (1 bytes)
%Program Files%\SogouDownLoad\html\js\jquery-1.11.2.min.js (2644 bytes)
%Program Files%\SogouDownLoad\html\images\warning.png (263 bytes)
%Program Files%\SogouDownLoad\html\images\ico_t.gif (1 bytes)
%Program Files%\SogouDownLoad\html\images\ico_spr.gif (1 bytes)
%Program Files%\SogouDownLoad\html\images\btns.png (931 bytes)
%Program Files%\SogouDownLoad\html\images\errorbg1.png (1568 bytes)
%Program Files%\SogouDownLoad\html\images\rocket1.swf (5 bytes)
%Program Files%\SogouDownLoad\html\images\dlbg.png (26 bytes)
%Program Files%\SogouDownLoad\html\images\ico_min.gif (1 bytes)
%Program Files%\SogouDownLoad\html\images\dlico.png (646 bytes)
%Program Files%\SogouDownLoad\html\css\downloader.css (8 bytes)
%Program Files%\SogouDownLoad\html\download.html (7 bytes)
%Program Files%\SogouDownLoad\html\images\bg_line.gif (1 bytes)
%Program Files%\SogouDownLoad\html\images\attention.png (567 bytes)
%Program Files%\SogouDownLoad\html\images\errorbg2.png (20 bytes)
%Program Files%\SogouDownLoad\html\images\ico_set.gif (1 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp1.tmp (0 bytes)

The process regsvr32.exe:332 makes changes in the file system.

The Trojan-Downloader creates and/or writes to the following file(s):

%System%\GroupPolicy\gpt.ini (315 bytes)
%System%\GroupPolicy\Machine\Registry.pol (268 bytes)

Registry activity

The process ExternalApp.exe:380 makes changes in the system registry.

The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 AC 50 45 4B 63 37 2A BE 06 5D 42 0C 7E F7 F2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SogouDownload]
"DisplayVersion" = "2.0.7.17"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SogouDownload]
"Publisher" = "Sogou.com"
"DisplayIcon" = "%Program Files%\SogouDownLoad\DownLoadDlg.exe"
"DisplayName" = "ÃƒÆ’Ã¢â‚¬Â¹ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹Ãƒâ€šÃ‚Â·Ãƒâ€šÃ‚Â¸ÃƒÆ’Ã…Â¸ÃƒÆ’Ã¢â‚¬Â¹ÃƒÆ’Ã¢â€žÂ¢ÃƒÆ’Ã‚ÂÃƒÆ’Ã¢â‚¬Å¡ÃƒÆ’Ã¢â‚¬ÂÃƒÆ’Ã‹Å“ÃƒÆ’Ã¢â‚¬â€œÃƒÆ’Ã‚ÂºÃƒÆ’Ã…Â ÃƒÆ’Ã¢â‚¬â€œ"
"UninstallString" = "%Program Files%\SogouDownLoad\uninst.exe"

The process %original file name%.exe:308 makes changes in the system registry.

The Trojan-Downloader creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\SogouDownLoad]
"DownLoadDlg.exe" = "ÃƒÂ¦Ã‚ÂÃ…â€œÃƒÂ§Ã¢â‚¬Â¹Ã¢â‚¬â€ÃƒÂ©Ã‚Â«Ã‹Å“ÃƒÂ©Ã¢â€šÂ¬Ã…Â¸ÃƒÂ¤Ã‚Â¸Ã¢â‚¬Â¹ÃƒÂ¨Ã‚Â½Ã‚Â½"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 E6 87 E4 67 AC DC 42 C1 D4 EB 71 24 57 9D A2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\SogouComponents\DOWNLOAD]
"unc" = "x400443_18"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Downloader modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Downloader deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process DownLoadDlg.exe:580 makes changes in the system registry.

The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}]
"AppName" = "DownLoadDlg.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\CLSID\{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}\LocalServer32]
"(Default)" = "%Program Files%\SogouDownLoad\DownLoadDlg.exe"

[HKLM\SOFTWARE\SogouComponents\DOWNLOAD]
"Version" = "2.0.7.17"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\SogouComponents\DOWNLOAD]
"HWID" = "43 9C 2B FF A1 3F 3A 49 4B 96 9E 2E F7 6D 66 0B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\SogouComponents\DOWNLOAD]
"InstallPath" = "%Program Files%\SogouDownLoad"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}]
"AppPath" = "%Program Files%\SogouDownLoad"
"Policy" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\SogouComponents\DOWNLOAD]
"DownLoadDlgPath" = "%Program Files%\SogouDownLoad\DownLoadDlg.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\SogouComponents\DOWNLOAD]
"InstallTime" = "1449884347"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 C4 C7 00 03 15 15 69 F3 17 F1 75 0B 9C 0F F1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Downloader modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Downloader deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process minidownload.exe:928 makes changes in the system registry.

The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 42 85 B3 9D 7D A6 E8 81 94 51 1C 38 30 A3 02"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process regsvr32.exe:524 makes changes in the system registry.

The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 0B EA 43 3A 97 3E 6A 9F A6 8E 04 F7 D5 05 56"

[HKCR\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}\ProxyStubClsid32]
"(Default)" = "{B411DAF2-77C4-4478-8477-5826A4147AE9}"

[HKCR\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}]
"(Default)" = "IXLDownloadInterface"

[HKCR\CLSID\{B411DAF2-77C4-4478-8477-5826A4147AE9}\InProcServer32]
"(Default)" = "%Program Files%\SogouDownLoad\XLDownloadComPS.dll"

[HKCR\CLSID\{B411DAF2-77C4-4478-8477-5826A4147AE9}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}\NumMethods]
"(Default)" = "14"

[HKCR\CLSID\{B411DAF2-77C4-4478-8477-5826A4147AE9}\InProcServer32]
"ThreadingModel" = "Both"

The process regsvr32.exe:652 makes changes in the system registry.

The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 02 50 66 91 71 F7 C3 80 D8 62 64 63 4B C7 7F"

[HKCR\TypeLib\{459CB386-4301-448D-A1DA-8751857E980B}\1.0\0\win32]
"(Default)" = "%Program Files%\SogouDownLoad\IEHint.dll"

[HKCR\Interface\{548F20C0-F980-4912-9190-1127D22D883D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{459CB386-4301-448D-A1DA-8751857E980B}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SogouDownLoad"

[HKCR\Interface\{548F20C0-F980-4912-9190-1127D22D883D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\TypeLib]
"(Default)" = "{459CB386-4301-448D-A1DA-8751857E980B}"

[HKCR\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}]
"(Default)" = "IEHintBHO Class"

[HKCR\TypeLib\{459CB386-4301-448D-A1DA-8751857E980B}\1.0]
"(Default)" = "IEHintLib"

[HKCR\Interface\{548F20C0-F980-4912-9190-1127D22D883D}\TypeLib]
"(Default)" = "{459CB386-4301-448D-A1DA-8751857E980B}"

[HKCR\Interface\{548F20C0-F980-4912-9190-1127D22D883D}]
"(Default)" = "IIEHintBHO"

[HKCR\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\InprocServer32]
"(Default)" = "%Program Files%\SogouDownLoad\IEHint.dll"

[HKCR\TypeLib\{459CB386-4301-448D-A1DA-8751857E980B}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{98D5DD5D-0742-4CC1-A0AB-7251C40DB020}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{548F20C0-F980-4912-9190-1127D22D883D}\TypeLib]
"Version" = "1.0"

The process regsvr32.exe:332 makes changes in the system registry.

The Trojan-Downloader creates and/or sets the following values in system registry:

[HKCR\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SogouDownLoad"

[HKCR\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}]
"(Default)" = "IGameDownload"

[HKCR\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\MozillaPlugins\@sogou.com/SGDownloadPlugin]
"Descripton" = "ÃƒÂ¦Ã‚ÂÃ…â€œÃƒÂ§Ã¢â‚¬Â¹Ã¢â‚¬â€ÃƒÂ©Ã‚Â«Ã‹Å“ÃƒÂ©Ã¢â€šÂ¬Ã…Â¸ÃƒÂ¤Ã‚Â¸Ã¢â‚¬Â¹ÃƒÂ¨Ã‚Â½Ã‚Â½ÃƒÂ¦Ã…Â½Ã‚Â§ÃƒÂ¤Ã‚Â»Ã‚Â¶"

[HKCR\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}\TypeLib]
"(Default)" = "{13D91BAE-B37C-41C3-AE86-463E53990546}"

[HKCR\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\MozillaPlugins\@sogou.com/SGDownloadPlugin]
"Path" = "%Program Files%\SogouDownLoad\npdownload.dll"

[HKCR\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\TypeLib]
"(Default)" = "{13D91BAE-B37C-41C3-AE86-463E53990546}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{23E93FD9-91D3-4938-801C-CC7E42F71511}Machine\SOFTWARE\Policies\Google\Chrome\EnabledPlugins]
"1" = "ÃƒÂ¦Ã‚ÂÃ…â€œÃƒÂ§Ã¢â‚¬Â¹Ã¢â‚¬â€ÃƒÂ©Ã‚Â«Ã‹Å“ÃƒÂ©Ã¢â€šÂ¬Ã…Â¸ÃƒÂ¤Ã‚Â¸Ã¢â‚¬Â¹ÃƒÂ¨Ã‚Â½Ã‚Â½ÃƒÂ¥Ã…Â Ã‚Â©ÃƒÂ¦Ã¢â‚¬Â°Ã¢â‚¬Â¹"

[HKCR\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}]
"(Default)" = "DownLoadBHO Class"

[HKCR\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\MozillaPlugins\@sogou.com/SGDownloadPlugin]
"ProductName" = "ÃƒÂ¦Ã‚ÂÃ…â€œÃƒÂ§Ã¢â‚¬Â¹Ã¢â‚¬â€ÃƒÂ©Ã‚Â«Ã‹Å“ÃƒÂ©Ã¢â€šÂ¬Ã…Â¸ÃƒÂ¤Ã‚Â¸Ã¢â‚¬Â¹ÃƒÂ¨Ã‚Â½Ã‚Â½ÃƒÂ¥Ã…Â Ã‚Â©ÃƒÂ¦Ã¢â‚¬Â°Ã¢â‚¬Â¹"

[HKLM\SOFTWARE\Policies\Google\Chrome\EnabledPlugins]
"1" = "ÃƒÂ¦Ã‚ÂÃ…â€œÃƒÂ§Ã¢â‚¬Â¹Ã¢â‚¬â€ÃƒÂ©Ã‚Â«Ã‹Å“ÃƒÂ©Ã¢â€šÂ¬Ã…Â¸ÃƒÂ¤Ã‚Â¸Ã¢â‚¬Â¹ÃƒÂ¨Ã‚Â½Ã‚Â½ÃƒÂ¥Ã…Â Ã‚Â©ÃƒÂ¦Ã¢â‚¬Â°Ã¢â‚¬Â¹"

[HKCR\Interface\{6D89601E-1736-40FB-A3A5-84A376F286D0}]
"(Default)" = "IDownLoadBHO"

[HKCR\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{64608416-BAFE-43A2-91C4-324C6CA4EF52}\TypeLib]
"(Default)" = "{13D91BAE-B37C-41C3-AE86-463E53990546}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC C4 75 EB AD 40 28 C5 98 EE 4F 64 22 E6 9D 15"

[HKLM\SOFTWARE\MozillaPlugins\@sogou.com/SGDownloadPlugin]
"Version" = "2.0.7.17"

[HKCR\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0]
"(Default)" = "SogouDownLoadLib"

[HKCR\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\0\win32]
"(Default)" = "%Program Files%\SogouDownLoad\npdownload.dll"

[HKLM\SOFTWARE\MozillaPlugins\@sogou.com/SGDownloadPlugin]
"vendor" = "Sogou.com Inc."

[HKCR\TypeLib\{13D91BAE-B37C-41C3-AE86-463E53990546}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{D1871D0A-4929-4A3C-AAE5-684235E62244}\InprocServer32]
"(Default)" = "%Program Files%\SogouDownLoad\npdownload.dll"

The Trojan-Downloader deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{23E93FD9-91D3-4938-801C-CC7E42F71511}Machine\SOFTWARE\Policies\Google\Chrome]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{23E93FD9-91D3-4938-801C-CC7E42F71511}Machine\SOFTWARE\Policies]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{23E93FD9-91D3-4938-801C-CC7E42F71511}Machine\SOFTWARE]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{23E93FD9-91D3-4938-801C-CC7E42F71511}User]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{23E93FD9-91D3-4938-801C-CC7E42F71511}Machine\SOFTWARE\Policies\Google\Chrome\EnabledPlugins]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{23E93FD9-91D3-4938-801C-CC7E42F71511}Machine\SOFTWARE\Policies\Google]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{23E93FD9-91D3-4938-801C-CC7E42F71511}Machine]

The process UpdateService.exe:868 makes changes in the system registry.

The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 97 59 8D FE 71 39 A2 CF 08 38 84 B4 41 7A 52"

The process UpdateService.exe:632 makes changes in the system registry.

The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 54 23 CA B1 D4 90 02 C3 79 05 75 10 C6 A6 26"

The process XLDownloadCom.exe:2044 makes changes in the system registry.

The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 50 E8 12 E1 86 F3 D7 76 9A 26 37 4A 34 01 BD"

[HKCR\TypeLib\{2D85F656-2970-437F-BA8A-C6F95B86EE0D}\1.0]
"(Default)" = "XLDownloadComLib"

[HKCR\CLSID\{35489C47-0C7C-48D8-8000-0FB159BAF406}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{35489C47-0C7C-48D8-8000-0FB159BAF406}\LocalServer32]
"(Default)" = "%Program Files%\SogouDownLoad\XLDownloadCom.exe"

[HKCR\TypeLib\{2D85F656-2970-437F-BA8A-C6F95B86EE0D}\1.0\0\win32]
"(Default)" = "%Program Files%\SogouDownLoad\XLDownloadCom.exe"

[HKCR\CLSID\{35489C47-0C7C-48D8-8000-0FB159BAF406}\LocalServer32]
"ServerExecutable" = "%Program Files%\SogouDownLoad\XLDownloadCom.exe"

[HKCR\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}]
"(Default)" = "IXLDownloadInterface"

[HKCR\CLSID\{35489C47-0C7C-48D8-8000-0FB159BAF406}\TypeLib]
"(Default)" = "{2D85F656-2970-437F-BA8A-C6F95B86EE0D}"

[HKCR\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{2D85F656-2970-437F-BA8A-C6F95B86EE0D}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{35489C47-0C7C-48D8-8000-0FB159BAF406}]
"(Default)" = "XLDownloadInterface Class"

[HKCR\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}\TypeLib]
"(Default)" = "{2D85F656-2970-437F-BA8A-C6F95B86EE0D}"

[HKCR\Interface\{B411DAF2-77C4-4478-8477-5826A4147AE9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{2D85F656-2970-437F-BA8A-C6F95B86EE0D}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SogouDownLoad"

Dropped PE files

MD5	File path
6cbba6bbb04d0d4768303dd45dfe2b4b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\minidownload.exe
417ebf03104be280cf0ae2e2b203dc9f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ExternalApp[1].exe
26f9a20018601b6d14b4f1cc4bca34e4	c:\Program Files\SogouDownLoad\CommonState.dll
b049863244370b8fd391385c3234981a	c:\Program Files\SogouDownLoad\DlgHandler.dll
e929bc10dec4f605d964afb6b27b7a49	c:\Program Files\SogouDownLoad\DownLoadDlg.exe
0d22d7c73d7d7593e8b729571b38facb	c:\Program Files\SogouDownLoad\IEHint.dll
0b4a6d56e15f08edac96332f09489e73	c:\Program Files\SogouDownLoad\IEHint64.dll
bcd846642eb52e78ed3c360e848ce8a8	c:\Program Files\SogouDownLoad\XLDownloadCom.exe
3bc8251badd8e1db42f29cce71decebc	c:\Program Files\SogouDownLoad\XLDownloadComPS.dll
ba7121a86dbffafc97e1b8c11c17e199	c:\Program Files\SogouDownLoad\crash\ExceptionReport.exe
58bb62e88687791ad2ea5d8d6e3fe18b	c:\Program Files\SogouDownLoad\download\MiniTPFw.exe
e2e9483568dc53f68be0b80c34fe27fb	c:\Program Files\SogouDownLoad\download\MiniThunderPlatform.exe
f0372ff8a6148498b19e04203dbb9e69	c:\Program Files\SogouDownLoad\download\ThunderFW.exe
79cb6457c81ada9eb7f2087ce799aaa7	c:\Program Files\SogouDownLoad\download\atl71.dll
dba9a19752b52943a0850a7e19ac600a	c:\Program Files\SogouDownLoad\download\dl_peer_id.dll
1a87ff238df9ea26e76b56f34e18402c	c:\Program Files\SogouDownLoad\download\download_engine.dll
a94dc60a90efd7a35c36d971e3ee7470	c:\Program Files\SogouDownLoad\download\msvcp71.dll
ca2f560921b7b8be1cf555a5a18d54c3	c:\Program Files\SogouDownLoad\download\msvcr71.dll
89f6488524eaa3e5a66c5f34f3b92405	c:\Program Files\SogouDownLoad\download\zlib1.dll
1e973c20ec29fb85193b471d8ea414c4	c:\Program Files\SogouDownLoad\npdownload.dll
f7fcb594f73e58e4e5dd0a61427a4b98	c:\Program Files\SogouDownLoad\npdownload64.dll
417ebf03104be280cf0ae2e2b203dc9f	c:\Program Files\SogouDownLoad\tmp\ExternalApp.exe
ac7961994bf62dcf1399664c1bcdf180	c:\Program Files\SogouDownLoad\uninst.exe
aa276dd9a44a45003311cc891fb71d2e	c:\Program Files\SogouDownLoad\update\UpdateService.exe
208662418974bca6faab5c0ca6f7debf	c:\Program Files\SogouDownLoad\xldl.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
ExternalApp.exe:380
%original file name%.exe:308
DownLoadDlg.exe:580
minidownload.exe:928
regsvr32.exe:524
regsvr32.exe:652
regsvr32.exe:332
UpdateService.exe:868
UpdateService.exe:632
XLDownloadCom.exe:2044
Delete the original Trojan-Downloader file.
Delete or disinfect the following files created/modified by the Trojan-Downloader:
%Program Files%\SogouDownLoad\download\MiniTPFw.exe (1633 bytes)
%Program Files%\SogouDownLoad\download\MiniThunderPlatform.exe (7951 bytes)
%Program Files%\SogouDownLoad\npdownload.dll (8160 bytes)
%Program Files%\SogouDownLoad\download\id.dat (40 bytes)
%Program Files%\SogouDownLoad\XLDownloadCom.exe (3626 bytes)
%Program Files%\SogouDownLoad\DlgHandler.dll (7893 bytes)
%Program Files%\SogouDownLoad\download\zlib1.dll (3170 bytes)
%Program Files%\SogouDownLoad\IEHint64.dll (13023 bytes)
%Program Files%\SogouDownLoad\download\ThunderFW.exe (3053 bytes)
%Program Files%\SogouDownLoad\download\atl71.dll (2201 bytes)
%Program Files%\SogouDownLoad\download\msvcp71.dll (10930 bytes)
%Program Files%\SogouDownLoad\IEHint.dll (7872 bytes)
%Program Files%\SogouDownLoad\download\dl_peer_id.dll (2910 bytes)
%Program Files%\SogouDownLoad\XLDownloadComPS.dll (2017 bytes)
%Program Files%\SogouDownLoad\download\download_engine.dll (75696 bytes)
%Program Files%\SogouDownLoad\npdownload64.dll (10293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh3.tmp\System.dll (11 bytes)
%Program Files%\SogouDownLoad\update\UpdateService.exe (7197 bytes)
%Program Files%\SogouDownLoad\xldl.dll (9424 bytes)
%Program Files%\SogouDownLoad\CommonState.dll (1348 bytes)
%Program Files%\SogouDownLoad\download\msvcr71.dll (12773 bytes)
%Program Files%\SogouDownLoad\uninst.exe (794 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\minidownload.exe (1792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Program Files%\SogouDownLoad\tmp\ExternalApp.exe (75500 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ExternalApp[1].exe (255698 bytes)
%Program Files%\SogouDownLoad\html\images\progressbar.png (285 bytes)
%Program Files%\SogouDownLoad\html\config.ini (116 bytes)
%Program Files%\SogouDownLoad\html\js\actions.js (8 bytes)
%Program Files%\SogouDownLoad\html\js\swfobject.js (10 bytes)
%Program Files%\SogouDownLoad\DownLoadDlg.exe (17625 bytes)
%Program Files%\SogouDownLoad\html\images\check.png (295 bytes)
%Program Files%\SogouDownLoad\html\images\btn_spr.gif (3 bytes)
%Program Files%\SogouDownLoad\crash\ExceptionReport.exe (3644 bytes)
%Program Files%\SogouDownLoad\html\css\down.css (2 bytes)
%Program Files%\SogouDownLoad\html\images\error2.png (738 bytes)
%Program Files%\SogouDownLoad\html\repair.html (1 bytes)
%Program Files%\SogouDownLoad\html\images\img_exe.gif (657 bytes)
%Program Files%\SogouDownLoad\html\images\dlico1.png (348 bytes)
%Program Files%\SogouDownLoad\html\images\error.png (1 bytes)
%Program Files%\SogouDownLoad\html\images\rocket2.swf (5 bytes)
%Program Files%\SogouDownLoad\html\settings.html (3 bytes)
%Program Files%\SogouDownLoad\html\images\ico_close.gif (1 bytes)
%Program Files%\SogouDownLoad\html\js\jquery-1.11.2.min.js (2644 bytes)
%Program Files%\SogouDownLoad\html\images\warning.png (263 bytes)
%Program Files%\SogouDownLoad\html\images\ico_t.gif (1 bytes)
%Program Files%\SogouDownLoad\html\images\ico_spr.gif (1 bytes)
%Program Files%\SogouDownLoad\html\images\btns.png (931 bytes)
%Program Files%\SogouDownLoad\html\images\errorbg1.png (1568 bytes)
%Program Files%\SogouDownLoad\html\images\rocket1.swf (5 bytes)
%Program Files%\SogouDownLoad\html\images\dlbg.png (26 bytes)
%Program Files%\SogouDownLoad\html\images\ico_min.gif (1 bytes)
%Program Files%\SogouDownLoad\html\images\dlico.png (646 bytes)
%Program Files%\SogouDownLoad\html\css\downloader.css (8 bytes)
%Program Files%\SogouDownLoad\html\download.html (7 bytes)
%Program Files%\SogouDownLoad\html\images\bg_line.gif (1 bytes)
%Program Files%\SogouDownLoad\html\images\attention.png (567 bytes)
%Program Files%\SogouDownLoad\html\images\errorbg2.png (20 bytes)
%Program Files%\SogouDownLoad\html\images\ico_set.gif (1 bytes)
%System%\GroupPolicy\gpt.ini (315 bytes)
%System%\GroupPolicy\Machine\Registry.pol (268 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Sogou.com Inc.
Product Name: ????????
Product Version: 2.0.7.15
Legal Copyright: (c) 2014 Sogou.com Inc. All rights reserved.
Legal Trademarks:
Original Filename: MiniDownLoad.exe
Internal Name: MiniDownLoad.exe
File Version: 2.0.7.15
File Description: ???????????
Comments:
Language: Language Neutral

Company Name: Sogou.com Inc.Product Name: ????????Product Version: 2.0.7.15Legal Copyright: (c) 2014 Sogou.com Inc. All rights reserved.Legal Trademarks: Original Filename: MiniDownLoad.exeInternal Name: MiniDownLoad.exeFile Version: 2.0.7.15File Description: ???????????Comments: Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	176648	177152	4.59917	a1197834f5edc49c1f8768314973d1c5
.rdata	184320	30250	30720	3.3603	7e9fdd92a3073141288e3384e1d143c6
.data	217088	16828	7168	2.70014	412c08ce393932c01b2515e7e1e6500b
.rsrc	237568	690196	690688	5.14722	96ad49f163b8480b7a3d475c06093354
.reloc	929792	14054	14336	3.27004	6e6a7754782fe1d765b28e6665cce063

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://ctc.ping.sogou.com/pingd?srctype=sogoudownload&gid=gVMH-W4-eABbBFUKZSRC2N0000o30f--&unc=x400443_18&t=52&keynum=9452&rand=1449884338
hxxp://sogou.dl.ourdvs.com/externalapp/ExternalApp.exe
hxxp://ping.t.sogou.com/pingd?srctype=sogoudownload&gid=gVMH-W4-eABbBFUKZSRC2N0000o30f--&unc=x400443_18&t=52&keynum=9452&rand=1449884338	106.120.188.191
hxxp://yze.t.sogou.com/externalapp/ExternalApp.exe	220.243.235.72
yz.app.sogou.com	36.110.147.36

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /externalapp/ExternalApp.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: yze.t.sogou.com

Connection: Keep-Alive

HTTP/1.0 200 OK

Date: Tue, 24 Nov 2015 07:26:58 GMT

Content-Type: application/octet-stream

ETag: "-580955497"

Accept-Ranges: bytes

Last-Modified: Tue, 24 Nov 2015 04:28:51 GMT

Content-Length: 2554872

Server: WS CDN Server

Age: 1534313

Via: 1.0 jn241:88 (Cdn Cache Server V2.0), 1.0 shb72:8101 (Cdn Cache Server V2.0)

Connection: keep-alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................Z...........0.......p....@..........................@........'......................................s..........(n............&..............................................................p...............................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data...x............p..............@....ndata.......@...........................rsrc...(n.......p...t..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[...U.

<<< skipped >>>

GET /pingd?srctype=sogoudownload&gid=gVMH-W4-eABbBFUKZSRC2N0000o30f--&unc=x400443_18&t=52&keynum=9452&rand=1449884338 HTTP/1.1

User-Agent: HttpRequest

Host: ping.t.sogou.com

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 12 Dec 2015 01:38:51 GMT

Content-Type: application/octet-stream

Content-Length: 0

Connection: keep-alive

Map

The Trojan-Downloader connects to the servers at the folowing location(s):

Strings from Dumps

DownLoadDlg.exe_580:

.text

`.rdata

@.data

.rsrc

@.reloc

8%u/P

SSSSh

xSSSh

FTPjKS

FtPj;S

C.PjRV

F%D,3

portuguese-brazilian

operator

GetProcessWindowStation

Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

CCooperationDlg::~CCooperationDlg

[function], Call %s()

CCooperationDlg::Run

CCooperationDlg::CheckAndCreateUIDlg

CCooperationDlg::ShowAndForeground

CCooperationDlg::OnClose

CCooperationDlg::ExternalProc_OnLoad

CCooperationDlg::ExternalProc_InstallCooperation

CCooperationDlg::ExternalProc_CancelInstallCooperation

CWebBrowserDlg::Init

Content-Type: application/x-www-form-urlencoded

CDowndLoadDlg::ExternalProc_OpenUrl

CWebBrowserDlg::Init

CCooperation::Run

CCooperation::IsBind

CCooperation::Exit

CCooperation::Init

appcheckurl

appcheckreporturl

iconurl

CHttpDownload::Download

CHttpDownload::Start

CHttpDownload::Pause

CHttpDownload::ThreadProcForHttpDownload

RegOpenKeyTransactedW

RegCreateKeyTransactedW

RegDeleteKeyTransactedW

RegDeleteKeyExW

CWebBrowserDlg::Init

X;

%s>

%s="%s"

%s='%s'

version="%s"

encoding="%s"

standalone="%s"

CThreadHttpRequest::HttpDownloadToBuffer

CThreadHttpRequest::HttpRequestRelocLocationUrl

CThreadHttpRequest::HttpRequestFileSize

CThreadHttpRequest::ThreadProc

CReport::~CReport

URLDownloadToFileW

DeleteUrlCacheEntryW

URLDownloadToCacheFileW

%%X

%s[%u], %s

System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}

%s\Connection

D:\codes\VS2010\SogouDownLoad-trunk\Src\DownLoadDlg\Release\DownLoadDlg.pdb

KERNEL32.dll

USER32.dll

GDI32.dll

RegOpenKeyExW

RegCloseKey

RegDeleteKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegCreateKeyExW

ADVAPI32.dll

ShellExecuteExW

ShellExecuteW

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

dbghelp.dll

imagehlp.dll

GdiplusShutdown

gdiplus.dll

HttpQueryInfoW

HttpOpenRequestW

HttpSendRequestW

HttpAddRequestHeadersW

InternetCrackUrlW

WININET.dll

VERSION.dll

PSAPI.DLL

NetWkstaTransportEnum

NETAPI32.dll

GetProcessHeap

GetCPInfo

RegOpenKeyW

RegOpenKeyExA

SHEnumKeyExW

PeekNamedPipe

zcÃ

.?AV?$CDialogImpl@VCCooperationDlg@@VCWindow@ATL@@@ATL@@

.?AV?$CWebBrowserDlg@VCCooperationDlg@@@@

.?AVCCooperationDlg@@

.?AV?$CComObject@VCWebBrowserBase@@@ATL@@

.?AUIHTMLOMWindowServices@@

.?AV?$CComCoClass@VCWebBrowser@@$1?GUID_NULL@@3U_GUID@@B@ATL@@

.?AV?$CWindowImpl@VCWebBrowser@@VCWindow@ATL@@V?$CWinTraits@$0FGAAAAAA@$0A@@3@@ATL@@

.?AVCWebBrowser@@

.?AVCWebBrowserBase@@

.?AV?$CWebBrowserDlg@VCDowndLoadDlg@@@@

.?AVCCooperation@@

.?AVCHttpDownloadBindStatusCallback@@

.?AVCHttpDownload@@

.?AV?$CWebBrowserDlg@VCRePairDlg@@@@

.?AV?$CWebBrowserDlg@VCSettingDlg@@@@

.?AVCHttpRequest@@

.?AV?$CThreadQueue@UtagReportData@@@@

.?AVCReport@@

.?AVCDebugMsg@@

.?AVCUrlParser@@

%Program Files%\SogouDownLoad\DownLoadDlg.exe

%sogsc

;)

2,2

9#9'9-969;9@9

1$1(1,1014181

2(2/24282

2&3,3034383

?!?%?)?-?1?5?9?

= =$=(=,=0=4=8=

nKERNEL32.DLL

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

1.0.0.0

Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.

gSOFTWARE\SogouComponents\DOWNLOAD\COOPERATION\

bindtype=%s&bindname=%s&weight=%d&scheme=%s&uistatus=%u

bindtype=%s&bindname=%s&weight=%d&scheme=%s

cooperationsoft.exe

%s\%s

keyandfile

keyandpath

@HKEY_CURRENT_CONFIG

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

hXXp://ping.t.sogou.com/pingd?srctype=sogoudownload&t=%d&gid=%s&unc=%s&dbn=%s&dbv=%s&rand=%d

Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

http\shell\open\command

hXXp://xiazai.sogou.com/hd/log.js?srctype=sogoudownload&t=%d&gid=%s&unc=%s

&rand=%d

{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}

Cooperation

install_cooperation

cancel_install_cooperation

@download.html

DlgHandler.dll

\config.ini

report

openurl

%s\%s(%d)%s

%s\%s.td

cooperation

errortype=%d

/select, %s\%s

softurl

windowsname

mutex_cooperation

hXXp://xz.sogou.com/handleUserIdDb?userid=%s&downloadtype=%s&unc=%s&pcid=%s

%d/%d/%d d:d:d

Module %d

Image Base: 0xx Image Size: 0xx

Checksum: 0xx Time Stamp: 0xx

File Size: %-10d File Time: %s

Company: %s

Product: %s

FileDesc: %s

FileVer: %d.%d.%d.%d

ProdVer: %d.%d.%d.%d

IE Browser Version: %s.

SogouDownload Version: %s.

HWID: %s.

Error occurred at %s.

%s, run by %s.

Operating system: %s (%s).

%d processor(s), type %d.

%d%% memory in use.

%d MBytes physical memory.

%d MBytes physical memory free.

%d MBytes paging file.

%d MBytes paging file free.

%d MBytes user address space.

%d MBytes user address space free.

a Float Denormal Operand

a Float Invalid Operation

0xx:

EDI: 0xx ESI: 0xx EAX: 0xx

EBX: 0xx ECX: 0xx EDX: 0xx

EIP: 0xx EBP: 0xx SegCs: 0xx

EFlags: 0xx ESP: 0xx SegSs: 0xx

ERRORLOG.TXT

Error creating exception report

SogouDownload caused %s (0xx)

in module %s at x:x.

%s location x caused an access violation.

===== [end of %s] =====

CRASH.DMP

ExceptionReport.exe

%s\%s.url

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

ExternalApp.exe

hXXp://yze.t.sogou.com/externalapp/ExternalApp.exe

%s\uninst.exe

hXXp://t.sogou.com/update_platform/update.php?appname=sogoudownload_regioncontrol&v=1.0.0.0

hXXp://xz.sogou.com/handleUserIdDb256?userid=%s&downloadtype=%s&unc=%s&pcid=%s

showNewMsgTip%d

HKEY_DYN_DATA

HKEY_PERFORMANCE_DATA

nparam=%s

Advapi32.dll

hXXp://yz.app.sogou.com/tuiguang?downloadtype=%s&pcid=%s

repair.html

\html\repair.html

\html\config.ini

Asettings.html

Web Host

HttpDownload

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; {D9D54F49-E51C-445e-92F2-1EE3C2313240})

image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*

"%s" %s

HttpRequest

HTTP/1.0

Content-Length: %d

hXXp://ping.t.sogou.com/pingd?srctype=sogoudownload&gid=%s&unc=%s

%s&t=%d&servicestate=%d&rand=%d

%s&t=%d&rand=%d

%s&t=%d&%s&rand=%d

BUrlMon.dll

Wininet.dll

CommonState.dll

%d.%d.%d.%d

\StringFileInfo\xx\%s

Mutex_DebugMsg2

IsSendDebugMsg

SOFTWARE\DebugMsg

Kernel32.dll

[sogou][%s]

Bunknown Windows version

%u.%u.%u

Windows 95

Windows 95 SP1

Windows 95 OSR2

Windows 98

Windows 98 SP1

Windows 98 SE

Windows ME

Windows NT 3.51

Windows NT 4

Windows 2000

Windows XP

Windows 2003 Server

Windows CE

\Global.db

C\\.\PhysicalDrive%d

\\.\Scsi%d:

\iphlpapi.dll

IProfile.ini

hXXp://t.sogou.com/update_platform/update.php?appname=sogoudownload_repair&unc=x400443_18&guid=%s&v=%s&t=%d

Setup.exe

hXXp://t.sogou.com/update_platform/done.php?v=%s&appname=sogoudownload_repair&state=1

TempExe.exe

Sogou.com Inc.

2.0.7.15

DownLoadDlg.exe

UpdateService.exe_868:

.text

`.rdata

@.data

.rsrc

PSSSSSSh

PSSSSSSh!

8-H6}G6)67Z

JPi.lP

SHELL32.dll

KERNEL32.dll

RegCloseKey

RegOpenKeyExA

ADVAPI32.dll

SHDeleteKeyA

SHLWAPI.dll

VERSION.dll

WS2_32.dll

MSVCRT.dll

_acmdln

USER32.dll

ole32.dll

OLEAUT32.dll

GetWindowsDirectoryA

GetProcessHeap

RegOpenKeyExW

RegOpenKeyA

RegSetKeySecurity

RegCreateKeyA

RegCreateKeyExA

USBDT.dll

[%s Update Service]register success.

"%s" /Service

UpdateService.exe

[%s Update Service]register fail 3.

[%s Update Service]register fail 2.

[%s Update Service]register fail 1.

Mutex_{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}

[%s Update Service]start register.

"%s" /Restart

[%s Update Service]wait %d minutes.

[%s Update Service]start service.

NUL=%s

wininit.ini

%s\Temp\

%s=%s

EXPLORER.EXE

IEXPLORE.EXE

%d%c%d

AllocateAndInitializeSid error %u

"%s" %s

Dbghelp.dll

Kernel32.dll

user32.dll

hXXp://ping.t.sogou.com/pingd?srctype=sogoudownload&t=%d&gid=%s&unc=%s&rand=%d

hXXp://ping.t.sogou.com/pingd?srctype=sogoudownload&t=%d&gid=%s&unc=%s&%s&rand=%d

dbn=%s&dbv=%s

hXXp://t.sogou.com/update_platform/done.php?v=%s&appname=sogoudownload&state=1

Mddddd

1.0.0.0

CommonState.dll

%d.%d.%d.%d

%s_Classes\%s\%s

%s\%s

Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

%s_Classes\%s

http\shell\open\command

explorer.exe

%%X

%%x

Wininet.dll

UrlMon.dll

{4A79E46E-5A01-4abb-BCC1-F96D06AEE085}

[UpateDir:%s].

[%s Update Service]start update.

Setup.exe

[%s Update Service]update success.

[%s Update Service]new version: %s, local version: %s.

%s\%s%s

Profile.ini

hXXp://t.sogou.com/update_platform/update.php?appname=sogoudownload&unc=%s&guid=%s&v=%s&t=%d

[m_szLocalProfile:%s].

HotPatch.exe

Userenv.dll

iexplore.exe

\StringFileInfo\xx\%s

Update.ini

file%d

%s PID=%d

.bak.exe

wintrust.dll

2.5.4.3

CertCloseStore

CryptMsgClose

CertFreeCertificateContext

CertFindRDNAttr

CertRDNValueToStrA

CertCreateCertificateContext

CryptMsgGetParam

crypt32.dll

1.2.840.113549.1.9.5

CryptDecodeObject failed with %x

1.2.840.113549.1.9.6

rundll32.exe

%s,Rundll32

%s,Rundll32 E

%s,Rundll32 I

%s,Rundll32 R

Rundll32.exe %s,Rundll32 R

CLSID\%s\InprocServer32

CLSID\%s

DlgHandler.dll

%s\DownLoadDlg.exe

S%c%cR

%s*.sys

ATÃŸT%d%d.dat

FT%uD

FT%uH

AT%uFT%u

%Program Files%\TENCENT\SSPlus\SData.dat

PendingFileRenameOperations

advapi32.dll

Sogou.com Inc.

2.0.7.17

UpdateServise.exe

wuauclt.exe_1064:

.text

`.data

.rsrc

@.reloc

wuauclt.pdb

GetProcessHeap

KERNEL32.dll

_wcmdln

_amsg_exit

msvcrt.dll

ntdll.dll

ole32.dll

RegCloseKey

RegOpenKeyExW

RegCreateKeyExW

ADVAPI32.dll

USER32.dll

OLEAUT32.dll

SHLWAPI.dll

zcÃ

version="6.0.0.0"

name="Microsoft.Windows.windowsupdate.wuauclt"

true

name="Microsoft.Windows.Common-Controls"

publicKeyToken="6595b64144ccf1df"

wuaueng.dll

Error: 0xx. wuauclt handler: failed to spawn COM server

Error: 0xx. wuauclt handler: failed to load wuaueng

/ReportNow

/ShowWindowsUpdate

/CloseWindowsUpdate

wuauclt.exe failed to get proc address for UI export object with error %#lx

Failed to load %s with error %X

wucltui.dll

wucltux.dll

call RunAUClientUI on wucltui.dll/wucltux.dll

Ntdll.dll

WuSqm %ls session datapoint (id:%d) is incremented with dword %d.

wuauclt.exe is exiting with code 0xX

wuauclt.exe launched with command line %s

kernel32.dll

WUWeb

Report

7.6.7600.256

Global\WindowsUpdateTracingMutex

WindowsUpdate.log

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace

Windows

shell32.dll

%s: %s [

%s: %s

%s\%s

= Module: %s

= Module:

= Process: %s

= Process:

=========== Logging initialized (build: %s, tz: %s) ===========

wups2.dll

wups.dll

Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup\

%hs %ls page "%ls", hr=%X

Microsoft.WindowsUpdate

wupdmgr.exe

Failed to cocreate IShellWindows, error = 0xlX

Failed to obtain window doc for window %d, error = 0xlX

Failed to obtain folder view for window %d, error = 0xlX

Failed to obtain folder IPersist for window %d, error = 0xlX

Window %d is NOT a WU window

Done enumerating windows

Quit for window %d failed: 0xlX

Window %d is a WU window. Attempting to close

Failed to obtain class ID for window %d, error = 0xlX

Got NULL disp interface for window %d

Got %d instead of VT_DISPATCH for window %d

Failed to obtain IWebBrowserApp for window %d, error = 0xlX

Failed to enumerate window %d, error = 0xlX

Found %d explorer windows

Closing WU explorer windows

Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\VolatileData

WUAppNotificationWindows

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\Mandatory

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\PostRebootReporting

SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending\

%chdhd

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps