HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.77871 (B) (Emsisoft), Gen:Variant.Kazy.77871 (AdAware), Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 3ed026064cd987dd1232fa41b8624675
SHA1: 73a6c876d092534b6b9a16cc9c4f78dd81bef61e
SHA256: 8d289dff36231680b17d4b3dea6338920e988a1f6df43ed538d0978626f9b383
SSDeep: 98304:djC ePxm7iPYQdUl0o3rMbfJhCpUBVI/p0ESM QcgP9VABKrmn:KINQdUlRUfVTgq6cuVMKrm
Size: 4673007 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1988-10-23 22:19:22
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
2345Explorer_343901_silence.exe:3648
2345_28879_desk.exe:2668
2345Desktop.exe:1748
2345Desktop.exe:3124
2345Desktop.exe:2952
2345Desktop.exe:3344
2345DesktopLoader.exe:2716
2345DesktopLoader.exe:2960
2345DesktopLoader.exe:3116
2345DesktopLoader.exe:2744
2345DesktopLoader.exe:2944
2345DesktopLoader.exe:2708
regsvr32.exe:972
2345DesktopService.exe:3056
2345DesktopService.exe:2984
The Trojan injects its code into the following process(es):
%original file name%.exe:212
Explorer.EXE:932
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process 2345Explorer_343901_silence.exe:3648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsjC.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjC.tmp\modern-header.bmp (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjC.tmp\RCWidgetPlugin.dll (33536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB.tmp (27316 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsdA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjC.tmp (0 bytes)
The process 2345_28879_desk.exe:2668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\2345Soft\2345Desktop\2345DesktopService.exe (1760 bytes)
%Program Files%\2345Soft\2345Desktop\Uninstall.exe (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\FileInfo.dll (5064 bytes)
%Program Files%\2345Soft\2345Desktop\2345Extract.dll (1824 bytes)
%Program Files%\2345Soft\2345Desktop\2345Desktop.exe (23407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss5.tmp (127162 bytes)
%Program Files%\2345Soft\2345Desktop\data\weather_city_list.json (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\2345Desktop\2345Desktop_10\2345DesktopLoader.exe (197 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\System.dll (11 bytes)
%Program Files%\2345Soft\2345Desktop\Install.data (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\RCWidgetPlugin.dll (14184 bytes)
%Program Files%\2345Soft\2345Desktop\2345DesktopLoader.exe (197 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\FileInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\2345Desktop\2345Desktop_10 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi6.tmp\RCWidgetPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\2345Desktop (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Temp\2345Desktop\2345Desktop_10\2345DesktopLoader.exe (0 bytes)
The process 2345Desktop.exe:3124 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\note.data-journal (8028 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\note.data (7120 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\note.data-journal (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RC~7.tmp (0 bytes)
The process 2345Desktop.exe:2952 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\2345Desktop.ini (678 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\note.data-journal (1536 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\note.data (2312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\AnRList_000005[1].block (60 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\note.data-journal (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RC~8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\AnRList_000005[1].block (0 bytes)
The process 2345Desktop.exe:3344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\weather_city_detect.json.tmp (23 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\weather_city_weather.json.tmp (25 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\note.data-journal (1024 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\weather_city_alert.json.tmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\54511[1].json (25 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\2345Desktop.ini (1430 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\update\2345Desktop.CheckStat.data (132 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\note.data-journal (0 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\weather_city_weather.json (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RC~9.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\weather_city_detect.json (0 bytes)
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\weather_city_alert.json (0 bytes)
The process %original file name%.exe:212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\2345_28879_desk[2].exe (421897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (4545 bytes)
%Program Files%\2345_28879_desk.exe (10592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\2345_28879_desk[1].exe (489298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3.tmp (1425 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\2345_28879_desk[1].exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\2345_28879_desk[2].exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (0 bytes)
The process 2345DesktopLoader.exe:2716 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\2345Desktop.ini (225 bytes)
The process 2345DesktopLoader.exe:2960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\2345Soft\2345Desktop\2345Desktop.ini (54 bytes)
The process 2345DesktopLoader.exe:2944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):