Gen:Variant.Barys.1492 (B) (Emsisoft), Gen:Variant.Barys.1492 (AdAware), Trojan.Win32.IEDummy.FD (Lavasoft MAS)Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0ed92f7a9cf66dbc6dbfe972f4092c34
SHA1: 2d3a3fae6b21d1282231f19c81b328155d142a4b
SHA256: 42dcc741ea37321072f5eaab242938cba151b862a066ee32355d389d26b35dce
SSDeep: 1536:eFE1pl6et9zYDkTIbUtfm26OBf8arXy3W47:0EE09YCIbx26OBtM
Size: 57344 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 2015-05-22 17:37:20
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1600
The Trojan injects its code into the following process(es):No processes have been created.
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:1600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\drivers\etc\hosts (871 bytes)
Registry activity
The process %original file name%.exe:1600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 B0 66 1E A7 70 7B 0F 47 D8 3E D9 AE 39 82 E8"
[HKLM\System\CurrentControlSet\Services\kmixer\Enum]
"NextInstance" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Check_Associations" = "no"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\kmixer\Enum]
"Count" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 871 bytes in size. The following strings are added to the hosts file listed below:
127.0.0.1 | www.hbwymy.com |
127.0.0.1 | 192.74.251.175 |
127.0.0.1 | runningman.cztv.com |
127.0.0.1 | 119.147.137.96 |
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1600
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\drivers\etc\hosts (871 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 77824 | 42496 | 5.53571 | d9de4425831ec7d0b84adbed63d97443 |
.rdata | 81920 | 16384 | 5632 | 5.44427 | 3df34929a175ea57a249be39b52cbd6a |
.data | 98304 | 57344 | 3584 | 5.18342 | 430e8ebd4259a40aaef01c819e88e9c5 |
.aspack | 155648 | 8192 | 4608 | 4.13706 | 2945c1913be5120711260e9a7aa4ba8d |
.adata | 163840 | 4096 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://cli.netbars.net/ | 103.241.49.78 |
hxxp://61.142.250.103/load/redirect.php?site_id=1230&site_md5=1def37a4ddb7397b5ba40a59c7f93a36 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /load/redirect.php?site_id=1230&site_md5=1def37a4ddb7397b5ba40a59c7f93a36 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 61.142.250.103
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 03 Aug 2015 21:03:54 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
P3P: CP=CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 0
Connection: close
Content-Type: text/html; charset=Utf-8
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cli.netbars.net
Connection: Keep-Alive
HTTP/1.1 302 Object moved
Connection: close
Date: Mon, 03 Aug 2015 21:04:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: hXXp://61.142.250.103/load/redirect.php?site_id=1230&site_md5=1def37a4ddb7397b5ba40a59c7f93a36
Content-Length: 219
Content-Type: text/html
Set-Cookie: ASPSESSIONIDAAAAASST=IKCJEOHDENBJAPCAMCMLGPAE; path=/
Cache-control: private
<head><title>Object moved</title></head>.<body><h1>Object Moved</h1>This object may be found <a HREF="hXXp://61.142.250.103/load/redirect.php?site_id=1230&site_md5=1def37a4ddb7397b5ba40a59c7f93a36">here</a>.</body>...
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
iexplore.exe_1664:
%?9-*09,*19}*09
%?9-*09,*19}*09
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
USER32.dll
USER32.dll
SHLWAPI.dll
SHLWAPI.dll
SHDOCVW.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
IE-X-X
rsabase.dll
rsabase.dll
System\CurrentControlSet\Control\Windows
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
dw15 -x -s %u
watson.microsoft.com
watson.microsoft.com
IEWatsonURL
IEWatsonURL
%s -h %u
%s -h %u
iedw.exe
iedw.exe
Iexplore.XPExceptionFilter
Iexplore.XPExceptionFilter
jscript.DLL
jscript.DLL
mshtml.dll
mshtml.dll
mlang.dll
mlang.dll
urlmon.dll
urlmon.dll
wininet.dll
wininet.dll
shdocvw.DLL
shdocvw.DLL
browseui.DLL
browseui.DLL
comctl32.DLL
comctl32.DLL
IEXPLORE.EXE
IEXPLORE.EXE
iexplore.pdb
iexplore.pdb
ADVAPI32.dll
ADVAPI32.dll
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
IExplorer.EXE
IExplorer.EXE
IIIIIB(II<.fg>
IIIIIB(II<.fg>
7?_____ZZSSH%
7?_____ZZSSH%
)z.UUUUUUUU
)z.UUUUUUUU
,....Qym
,....Qym
````2```
````2```
{.QLQIIIKGKGKGKGKGKG
{.QLQIIIKGKGKGKGKGKG
;33;33;0
;33;33;0
8888880
8888880
8887080
8887080
browseui.dll
browseui.dll
shdocvw.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
6.00.2900.5512 (xpsp.080413-2105)
Windows
Windows
Operating System
Operating System
6.00.2900.5512
6.00.2900.5512