Gen.Variant.Barys.1492_0ed92f7a9c

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1600

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1600 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%System%\drivers\etc\hosts (871 bytes)

Registry activity

The process %original file name%.exe:1600 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 B0 66 1E A7 70 7B 0F 47 D8 3E D9 AE 39 82 E8"

[HKLM\System\CurrentControlSet\Services\kmixer\Enum]
"NextInstance" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Check_Associations" = "no"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\kmixer\Enum]
"Count" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 871 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1	www.hbwymy.com
127.0.0.1	192.74.251.175
127.0.0.1	runningman.cztv.com
127.0.0.1	119.147.137.96

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   %original file name%.exe:1600

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:

   %System%\drivers\etc\hosts (871 bytes)

4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
   
5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	77824	42496	5.53571	d9de4425831ec7d0b84adbed63d97443
.rdata	81920	16384	5632	5.44427	3df34929a175ea57a249be39b52cbd6a
.data	98304	57344	3584	5.18342	430e8ebd4259a40aaef01c819e88e9c5
.aspack	155648	8192	4608	4.13706	2945c1913be5120711260e9a7aa4ba8d
.adata	163840	4096	0	0	d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://cli.netbars.net/	103.241.49.78
hxxp://61.142.250.103/load/redirect.php?site_id=1230&site_md5=1def37a4ddb7397b5ba40a59c7f93a36

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /load/redirect.php?site_id=1230&site_md5=1def37a4ddb7397b5ba40a59c7f93a36 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 61.142.250.103

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 03 Aug 2015 21:03:54 GMT

Server: Apache/2.2.3 (CentOS)

X-Powered-By: PHP/5.1.6

P3P: CP=CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate

Pragma: no-cache

Content-Length: 0

Connection: close

Content-Type: text/html; charset=Utf-8

GET / HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cli.netbars.net

Connection: Keep-Alive

HTTP/1.1 302 Object moved

Connection: close

Date: Mon, 03 Aug 2015 21:04:19 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Location: hXXp://61.142.250.103/load/redirect.php?site_id=1230&site_md5=1def37a4ddb7397b5ba40a59c7f93a36

Content-Length: 219

Content-Type: text/html

Set-Cookie: ASPSESSIONIDAAAAASST=IKCJEOHDENBJAPCAMCMLGPAE; path=/

Cache-control: private

<head><title>Object moved</title></head>.<body><h1>Object Moved</h1>This object may be found <a HREF="hXXp://61.142.250.103/load/redirect.php?site_id=1230&site_md5=1def37a4ddb7397b5ba40a59c7f93a36">here</a>.</body>...

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

iexplore.exe_1664:

%?9-*09,*19}*09

%?9-*09,*19}*09

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

USER32.dll

USER32.dll

SHLWAPI.dll

SHLWAPI.dll

SHDOCVW.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

IE-X-X

rsabase.dll

rsabase.dll

System\CurrentControlSet\Control\Windows

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

dw15 -x -s %u

watson.microsoft.com

watson.microsoft.com

IEWatsonURL

IEWatsonURL

%s -h %u

%s -h %u

iedw.exe

iedw.exe

Iexplore.XPExceptionFilter

Iexplore.XPExceptionFilter

jscript.DLL

jscript.DLL

mshtml.dll

mshtml.dll

mlang.dll

mlang.dll

urlmon.dll

urlmon.dll

wininet.dll

wininet.dll

shdocvw.DLL

shdocvw.DLL

browseui.DLL

browseui.DLL

comctl32.DLL

comctl32.DLL

IEXPLORE.EXE

IEXPLORE.EXE

iexplore.pdb

iexplore.pdb

ADVAPI32.dll

ADVAPI32.dll

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

IExplorer.EXE

IExplorer.EXE

IIIIIB(II<.fg>

IIIIIB(II<.fg>

7?_____ZZSSH%

7?_____ZZSSH%

)z.UUUUUUUU

)z.UUUUUUUU

,....Qym

,....Qym

````2```

````2```

{.QLQIIIKGKGKGKGKGKG

{.QLQIIIKGKGKGKGKGKG

;33;33;0

;33;33;0

8888880

8888880

8887080

8887080

browseui.dll

browseui.dll

shdocvw.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

6.00.2900.5512 (xpsp.080413-2105)

Windows

Windows

Operating System

Operating System

6.00.2900.5512

6.00.2900.5512