Gen:Variant.Delf.46 (B) (Emsisoft), Gen:Variant.Delf.46 (AdAware), Trojan.Win32.Alureon.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 325b3c3183c271e07740049318aa1cf5
SHA1: 1db8ae6e9f66eafb71c5c3ab964d44105cac9b59
SHA256: d9c8a4bb9df8586c304a7f708dec2c2260d888bc2f1c58ff3e1673d2e9bc8b3c
SSDeep: 12288:AjjjDB mpViHsiHxhb4drgVSGZlUntVH5kRGV7pzhP9C:Aj31RiTHfy0VdInDKotL
Size: 637952 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
unpack200.exe:620
unpack200.exe:1656
unpack200.exe:464
unpack200.exe:1844
unpack200.exe:240
unpack200.exe:1100
unpack200.exe:348
jrewin.exe:1724
%original file name%.exe:188
zipper.exe:1492
zipper.exe:1648
zipper.exe:276
zipper.exe:1844
MsiExec.exe:644
MsiExec.exe:1888
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process unpack200.exe:620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The Trojan deletes the following file(s):
The process unpack200.exe:1656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The Trojan deletes the following file(s):
The process unpack200.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The Trojan deletes the following file(s):
The process unpack200.exe:1844 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The Trojan deletes the following file(s):
The process unpack200.exe:240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The Trojan deletes the following file(s):
The process unpack200.exe:1100 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The Trojan deletes the following file(s):
The process unpack200.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The Trojan deletes the following file(s):
The process jrewin.exe:1724 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AU70VGSF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZAC1W5FL\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\jre1.6.0\jre1.6.0.msi (841444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\FH28BNV1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3B6CLKER\desktop.ini (67 bytes)
The process %original file name%.exe:188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jrewin.exe (96837 bytes)
The process zipper.exe:1492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The process zipper.exe:1648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The process zipper.exe:276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The process zipper.exe:1844 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The process MsiExec.exe:644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\java_install_reg.log (521 bytes)
%System%\javacpl.cpl (601 bytes)
%System%\javaws.exe (673 bytes)
%System%\javaw.exe (673 bytes)
%System%\java.exe (673 bytes)
Registry activity
The process jrewin.exe:1724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\JavaSoft\Java Update\Policy]
"PostStatusUrl" = "https://sjremetrics.java.com/b/ss//6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\JavaSoft\Java Update\Policy]
"Country" = "UA"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 8A 4E 9B E4 12 A9 7E F6 6A F3 DD 8C 3C E9 6F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKLM\SOFTWARE\JavaSoft]
"InstallStatus"
The process %original file name%.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 A0 E7 A2 8A C4 C7 2A 11 EE 72 19 57 B8 8C DD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"jrewin.exe" = "jrewin"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The process MsiExec.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}]
"(Default)" = "Java Plug-in 1.6.0"
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}]
"Installer" = "MSICD"
[HKCR\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}]
"(Default)" = "Java Plug-in 1.6.0"
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\InstalledVersion]
"(Default)" = "1.6.0.0"
[HKLM\SOFTWARE\JavaSoft\Java Update\Policy]
"EnableJavaUpdate" = "1"
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
"Installer" = "MSICD"
[HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0]
"RuntimeLib" = "%Program Files%\Java\jre1.6.0\bin\client\jvm.dll"
[HKCR\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\InprocServer32]
"(Default)" = "%Program Files%\Java\jre6\bin\ssv.dll"
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}]
"(Default)" = "Java Runtime Environment 1.6.0"
[HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}]
"(Default)" = "Java Plug-in 1.6.0_18"
[HKLM\SOFTWARE\JavaSoft\Java Web Start\1.6.0]
"home" = "%Program Files%\Java\jre6\bin"
[HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.6]
"MicroVersion" = "0"
[HKCR\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB}\InprocServer32]
"(Default)" = "%Program Files%\Java\jre1.6.0\bin\npjpi160.dll"
[HKCR\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}\InprocServer32]
"(Default)" = "%Program Files%\Java\jre1.6.0\bin\npjpi160.dll"
[HKCR\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32]
"(Default)" = "%Program Files%\Java\jre6\bin\npjpi160_18.dll"
[HKCR\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}]
"(Default)" = "Java Plug-in"
[HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\MiscStatus]
"(Default)" = "0"
[HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0]
"MicroVersion" = "0"
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation]
"CodeBase" = "http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab"
[HKCR\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}]
"(Default)" = "Java Plug-in"
[HKCR\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\jarfile\shell\open\command]
"(Default)" = "%Program Files%\Java\jre6\bin\javaw.exe -jar %1 %*"
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}]
"(Default)" = "Java Runtime Environment 1.6.0"
[HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
"(Default)" = "Java Runtime Environment 1.6.0"
[HKCR\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\MiscStatus]
"(Default)" = "0"
[HKLM\SOFTWARE\JavaSoft\Java Plug-in\1.6.0]
"UseJava2IExplorer" = "0"
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}]
"Installer" = "MSICD"
[HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32]
"(Default)" = "%Program Files%\Java\jre6\bin\npjpi160_18.dll"
[HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\MiscStatus]
"(Default)" = "0"
[HKCR\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
"(Default)" = "SSVHelper Class"
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\DownloadInformation]
"INF" = ""
[HKCR\JavaPlugin.FamilyVersionSupport\CLSID]
"(Default)" = "{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"
[HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\MiscStatus\1]
"(Default)" = "2449"
[HKCR\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\InprocServer32]
"(Default)" = "%Program Files%\Java\jre6\bin\ssv.dll"
[HKCR\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\MiscStatus\1]
"(Default)" = "2449"
[HKCR\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\MiscStatus]
"(Default)" = "0"
[HKCR\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\InprocServer32]
"(Default)" = "%Program Files%\Java\jre1.6.0\bin\npjpi160.dll"
[HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
"(Default)" = "Java Plug-in 1.6.0_18"
[HKCR\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\MiscStatus\1]
"(Default)" = "2449"
[HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\MiscStatus\1]
"(Default)" = "2449"
[HKCR\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\MiscStatus]
"(Default)" = "0"
[HKCR\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\DownloadInformation]
"CodeBase" = "http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab"
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation]
"INF" = ""
[HKLM\SOFTWARE\JavaSoft\Java Plug-in\1.6.0]
"JavaHome" = "%Program Files%\Java\jre1.6.0"
[HKCR\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\MiscStatus\1]
"(Default)" = "2449"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D A2 C2 B6 DD 41 71 D3 78 68 AB BD BA CD B9 4B"
[HKCR\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}]
"(Default)" = "Java Plug-in"
[HKLM\SOFTWARE\JavaSoft\Java Runtime Environment]
"currentVersion" = "1.6"
[HKCR\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\InprocServer32]
"(Default)" = "%Program Files%\Java\jre6\bin\ssv.dll"
[HKCR\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.6]
"JavaHome" = "%Program Files%\Java\jre6"
[HKCR\.jar]
"(Default)" = "jarfile"
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InstalledVersion]
"(Default)" = "1.6.0.18"
[HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0]
"JavaHome" = "%Program Files%\Java\jre1.6.0"
[HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.6]
"RuntimeLib" = "%Program Files%\Java\jre6\bin\client\jvm.dll"
[HKCR\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBB}]
"(Default)" = "Java Plug-in 1.6.0"
[HKCR\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InstalledVersion]
"(Default)" = "1.6.0.18"
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\DownloadInformation]
"INF" = ""
[HKCR\JavaPlugin.160\CLSID]
"(Default)" = "{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}"
[HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\jarfile]
"(Default)" = "Executable Jar File"
[HKCR\JavaPlugin\CLSID]
"(Default)" = "{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}"
[HKCR\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InprocServer32]
"(Default)" = "%Program Files%\Java\jre6\bin\ssv.dll"
[HKLM\SOFTWARE\JavaSoft\Java Plug-in\1.6.0]
"HideSystemTrayIcon" = "0"
[HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_18]
"JavaHome" = "%Program Files%\Java\jre6"
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\DownloadInformation]
"CodeBase" = "http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched" = "%Program Files%\Java\jre6\bin\jusched.exe"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
"NoExplorer" = "1"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InprocServer32]
[HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\MiscStatus]
[HKCR\JavaPlugin\CLSID]
[HKCR\jarfile\shell]
[HKCR\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\MiscStatus]
[HKCR\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\InprocServer32]
[HKCR\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\InprocServer32]
[HKCR\JavaPlugin.FamilyVersionSupport]
[HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\1.6]
[HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
[HKCR\.jar]
[HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\MiscStatus]
[HKCR\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\MiscStatus]
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InstalledVersion]
[HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}]
[HKCR\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\MiscStatus]
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\Contains]
[HKCR\jarfile\shell\open\command]
[HKCR\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}]
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\InstalledVersion]
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}]
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\Contains]
[HKCR\JavaPlugin.FamilyVersionSupport\CLSID]
[HKCR\jarfile]
[HKCR\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\InprocServer32]
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation]
[HKCR\jarfile\shell\open]
[HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32]
[HKCR\CLSID\{CAFEEFAC-0015-0000-FFFF-ABCDEFFEDCBA}\MiscStatus\1]
[HKCR\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}]
[HKCR\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}]
[HKCR\CLSID\{CAFEEFAC-0016-0000-FFFF-ABCDEFFEDCBA}\MiscStatus\1]
[HKCR\JavaPlugin]
[HKCR\CLSID\{CAFEEFAC-0014-0002-FFFF-ABCDEFFEDCBA}\MiscStatus\1]
[HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\MiscStatus\1]
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\DownloadInformation]
[HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\MiscStatus\1]
[HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\JavaSoft\Java Update\Policy]
"EnableAutoUpdateCheck"
The process MsiExec.exe:1888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 C2 A8 3A 7A 28 70 FD 2C 24 90 4A 80 3A CA E2"
Dropped PE files
MD5 | File path |
---|---|
d5ce41326e6d3676951a9401f8321123 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\jrewin.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
unpack200.exe:620
unpack200.exe:1656
unpack200.exe:464
unpack200.exe:1844
unpack200.exe:240
unpack200.exe:1100
unpack200.exe:348
jrewin.exe:1724
%original file name%.exe:188
zipper.exe:1492
zipper.exe:1648
zipper.exe:276
zipper.exe:1844
MsiExec.exe:644
MsiExec.exe:1888
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AU70VGSF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZAC1W5FL\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\jre1.6.0\jre1.6.0.msi (841444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\FH28BNV1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3B6CLKER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jrewin.exe (96837 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\java_install_reg.log (521 bytes)
%System%\javacpl.cpl (601 bytes)
%System%\javaws.exe (673 bytes)
%System%\javaw.exe (673 bytes)
%System%\java.exe (673 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched" = "%Program Files%\Java\jre6\bin\jusched.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 535664 | 536064 | 4.52621 | 0a6ebfa5c2591935bd137387c263954e |
DATA | 540672 | 9704 | 9728 | 3.39505 | 7db792f66e1903cf80f2941380ad4ae5 |
BSS | 552960 | 3901 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 557056 | 8952 | 9216 | 3.44595 | 3db7d5e85eb5d2cf9fde46ab9853401b |
.tls | 569344 | 16 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 573440 | 24 | 512 | 0.139033 | c0a809db29b08ac69f1358b16f30b57f |
.reloc | 577536 | 37576 | 37888 | 4.5978 | f53fd06129c39d129bafb2624c72679b |
.rsrc | 618496 | 43520 | 43520 | 3.9201 | 64b3a634f87e04b411d90ae9353d920a |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www-legacy.oraclegha.com/update/1.6.0/1.6.0-b105.xml | |
hxxp://a1799.d.akamai.net/update/1.6.0/1.6.0-b105.xml | |
hxxp://javadl-esd.sun.com/update/1.6.0/1.6.0-b105.xml | 194.146.191.107 |
hxxp://java.sun.com/update/1.6.0/1.6.0-b105.xml | 156.151.59.19 |
hxxp://sistemas.anatel.gov.br/Downloads/jrewin.bin | 187.32.41.70 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /update/1.6.0/1.6.0-b105.xml HTTP/1.1
User-Agent: jupdate
Host: java.sun.com
Connection: Keep-Alive
HTTP/1.0 301 Moved Permanently
Location: hXXp://javadl-esd.sun.com/update/1.6.0/1.6.0-b105.xml
Server: BigIP
Connection: close
Content-Length: 0
GET /update/1.6.0/1.6.0-b105.xml HTTP/1.1
User-Agent: jupdate
Connection: Keep-Alive
Host: javadl-esd.sun.com
HTTP/1.1 200 OK
Server: Apache
ETag: "8ca1bb3f5a1862ddace6feade35b1fa6:1433102659"
Last-Modified: Sun, 31 May 2015 19:58:57 GMT
Accept-Ranges: bytes
Content-Length: 1295
Content-Typ
GET /Downloads/jrewin.bin HTTP/1.1
Content-Type: text/html
Host: sistemas.anatel.gov.br
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)
HTTP/1.1 200 OK
Content-Length: 13170312
Content-Type: application/octet-stream
Last-Modified: Tue, 16 Jan 2007 12:16:24 GMT
Accept-Ranges: bytes
ETag: "09c99236839c71:522b"
No cache: <meta http-equiv="pragma"content="no-cache">
X-Powered-By: ASP.NET
Date: Mon, 03 Aug 2015 00:36:05 GMT
Set-Cookie: BIGipServerpool_sistemas_anatel_http=4076867756.20480.0000; path=/
Set-Cookie: bbbbbbbbbbbbbbb=HDHMNMADAAAAAAAAJLOFFBAAAAAAAAAAEADAMHOFDIOFAAAADAAAELLFMLLFAAAA; HttpOnly
Set-Cookie: TS012c9f63=01dfc394f04beb2fb58041dac041e9ca4641d7b179a1649c4a536f3b36b465efe0cbcbd0f1203a7d2eb52a9b965295d04ee5f0c25a5b1caaff626a50a02651713c75ab28b0; Path=/
Map
The Trojan connects to the servers at the following location(s):