Trojan.VIZ.Gen.1_a4c9d15c7b

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1200
geixsa.exe:1856

The Trojan injects its code into the following process(es):

Explorer.EXE:1572

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1200 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Ajato\geixsa.exe (1738 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FJC1EA4.bat (173 bytes)

The process geixsa.exe:1856 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\NTUSER.DAT.LOG (2400 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (1436 bytes)

Registry activity

The process %original file name%.exe:1200 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E E9 50 62 12 0B 89 71 B5 6F 80 ED 3E 16 C7 FE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process geixsa.exe:1856 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 C6 73 7C 47 30 61 C6 6D 15 03 27 85 27 AA 2E"

[HKCU\Software\Microsoft\Puvomob]
"1j650d10" = "mdAMnwU/3pOAI5Zf6/XKJg=="

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

Dropped PE files

MD5	File path
4aa1f7ae598fcdef2503c71b72872865	c:\Documents and Settings\"%CurrentUserName%"\Application Data\Ajato\geixsa.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestExA
HttpSendRequestW
InternetReadFileExA
InternetWriteFile
InternetWriteFileExA
InternetQueryDataAvailable
HttpQueryInfoW
HttpSendRequestExW
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle

The Trojan installs the following user-mode hooks in CRYPT32.dll:

PFXImportCertStore

The Trojan installs the following user-mode hooks in USER32.dll:

GetClipboardData
TranslateMessage

The Trojan installs the following user-mode hooks in Secur32.dll:

DecryptMessage
SealMessage
DeleteSecurityContext

The Trojan installs the following user-mode hooks in WS2_32.dll:

WSAGetOverlappedResult
WSASend
recv
gethostbyname
WSARecv
send
closesocket
freeaddrinfo
getaddrinfo
GetAddrInfoW

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtCreateThread

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):

   %original file name%.exe:1200
   geixsa.exe:1856
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:

   %Documents and Settings%\%current user%\Application Data\Ajato\geixsa.exe (1738 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\FJC1EA4.bat (173 bytes)
   %Documents and Settings%\%current user%\NTUSER.DAT.LOG (2400 bytes)
   

5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	16128	11264	3.35632	7cb335bbbf798f4ec0e1702ef73ba6c9
.data	20480	20480	2560	1.42008	0f1895e76230055bcaf92f75a2b71893
.rdata	40960	294943	295936	5.51909	b964b0e2db42250b315ae3f6cb5f131a
.adata	339968	2848	3072	0	d2a70550489de356a2cd6bfc40711204

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

Explorer.EXE_1572_rwx_01EA0000_00049000:

.text

.text

`.data

`.data

.reloc

.reloc

Invalid parameter passed to C runtime function.

Invalid parameter passed to C runtime function.

0123456789

0123456789

6$7,747

6$7,747

gdiplus.dll

gdiplus.dll

GdiplusShutdown

GdiplusShutdown

userenv.dll

userenv.dll

del "%s"

del "%s"

if exist "%s" goto d

if exist "%s" goto d

del /F "%s"

del /F "%s"

HTTP/1.1

HTTP/1.1

RegDeleteKeyExW

RegDeleteKeyExW

>.-0298,>9;{

>.-0298,>9;{

OlzhjkeYLbzlh`t

OlzhjkeYLbzlh`t

7* 37 0&0

7* 37 0&0

* 13.701.

* 13.701.

REPORT

REPORT

hXXp://VVV.google.com/

hXXp://VVV.google.com/

hXXp://VVV.bing.com/

hXXp://VVV.bing.com/

t.Ht$HHt

t.Ht$HHt

m9.td

m9.td

ntdll.dll

ntdll.dll

KERNEL32.dll

KERNEL32.dll

GetKeyboardState

GetKeyboardState

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

CryptGetKeyParam

CryptGetKeyParam

CryptImportKey

CryptImportKey

CryptDestroyKey

CryptDestroyKey

RegCreateKeyExW

RegCreateKeyExW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegDeleteKeyW

RegDeleteKeyW

RegOpenKeyExW

RegOpenKeyExW

RegFlushKey

RegFlushKey

RegEnumKeyExW

RegEnumKeyExW

RegCloseKey

RegCloseKey

ADVAPI32.dll

ADVAPI32.dll

PathIsURLW

PathIsURLW

UrlUnescapeA

UrlUnescapeA

SHLWAPI.dll

SHLWAPI.dll

ShellExecuteW

ShellExecuteW

SHELL32.dll

SHELL32.dll

Secur32.dll

Secur32.dll

ole32.dll

ole32.dll

GDI32.dll

GDI32.dll

WS2_32.dll

WS2_32.dll

CertDeleteCertificateFromStore

CertDeleteCertificateFromStore

CertOpenSystemStoreW

CertOpenSystemStoreW

CertCloseStore

CertCloseStore

CertEnumCertificatesInStore

CertEnumCertificatesInStore

CertDuplicateCertificateContext

CertDuplicateCertificateContext

PFXExportCertStoreEx

PFXExportCertStoreEx

PFXImportCertStore

PFXImportCertStore

CRYPT32.dll

CRYPT32.dll

HttpSendRequestExA

HttpSendRequestExA

HttpQueryInfoA

HttpQueryInfoA

InternetCrackUrlA

InternetCrackUrlA

HttpOpenRequestA

HttpOpenRequestA

HttpEndRequestA

HttpEndRequestA

HttpAddRequestHeadersA

HttpAddRequestHeadersA

WININET.dll

WININET.dll

OLEAUT32.dll

OLEAUT32.dll

NETAPI32.dll

NETAPI32.dll

IPHLPAPI.DLL

IPHLPAPI.DLL

VERSION.dll

VERSION.dll

msvcrt.dll

msvcrt.dll

zcÁ

zcÁ

9$9,949

9$9,949

3#3(343{3

3#3(343{3

\StringFileInfo\xx\%s

\StringFileInfo\xx\%s

launchpadshell.exe

launchpadshell.exe

dirclt32.exe

dirclt32.exe

wtng.exe

wtng.exe

prologue.exe

prologue.exe

pcsws.exe

pcsws.exe

fdmaster.exe

fdmaster.exe

kernel32.dll

kernel32.dll

"%s" %s

"%s" %s

/c "%s"

/c "%s"

c.tmp

c.tmp

Wadvapi32.dll

Wadvapi32.dll

shell32.dll

shell32.dll

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\%s

urlmon.dll

urlmon.dll

cabinet.dll

cabinet.dll

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Application Data

%Documents and Settings%\%current user%\Local Settings\Application Data

%Documents and Settings%\%current user%\Local Settings\Application Data

Global\{3D6E1BE3-083C-4088-F013-F140DE00D252}

Global\{3D6E1BE3-083C-4088-F013-F140DE00D252}