Skip to main content

Trojan.Win32.FlyStudio_1e21f310fb


Trojan.Win32.Reconyc.edbx (Kaspersky), Trojan-Downloader.Win32.Karagany.1.FD, Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericEmailWorm.YR, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan-PSW, Trojan, Worm, EmailWorm, VirTool

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 1e21f310fba95af8483e85a418010459

SHA1: 07a23b05cd0aba52a77e6c4c407887828ef83e02

SHA256: 9361a5a66f79db7345b02c954ff973d847b8732d61021bdd3288b68777b39900

SSDeep: 196608:VBNK0Jv8EFWZ9w/yOBx2n8cwQNDMtqMyxGJpj:40JvWfSbGPFMt5y

Size: 7524352 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: ??? ??????????

Created at: 2015-02-02 10:58:57

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour Description
EmailWormWorm can send e-mails.


Process activity

The Trojan creates the following process(es):

dwwin.exe:1116

The Trojan injects its code into the following process(es):

%original file name%.exe:832

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process dwwin.exe:1116 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\126624.dmp (195693 bytes)

The process %original file name%.exe:832 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe (9606 bytes)
C:\jedata.dll (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\63a5_appcompat.txt (6214 bytes)

Registry activity

The process dwwin.exe:1116 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 98 94 C8 AF C6 97 DA 02 93 46 36 D2 A3 6B B6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:832 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 01 68 E4 29 6A D5 3D 0A 70 43 0E 1B BC DD 07"

[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "%original file name%.exe"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"servicer"

"callservicer"

Dropped PE files

MD5 File path
2893f88dead4c5053cc79c31a8e769aec:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\svchost.exe
114054313070472cd1a6d7d28f7c5002c:\jedata.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    dwwin.exe:1116

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\126624.dmp (195693 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe (9606 bytes)
    C:\jedata.dll (88 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\63a5_appcompat.txt (6214 bytes)

  4. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: ???????
Product Name: ???????
Product Version: 1.0.0.0
Legal Copyright: ???????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ???????
Comments: ???????
Language: Russian (Russia)

Company Name: ???????Product Name: ???????Product Version: 1.0.0.0Legal Copyright: ???????Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0File Description: ???????Comments: ???????Language: Russian (Russia)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX04096560742400d41d8cd98f00b204e9800998ecf8427e
UPX15611520750796875074565.45795b42975821bf916589d2ccb645455364b
.rsrc1311948816384158724.06625b4e2d79f7f58fc1a77e13d86a30d8cc3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_832:

`.rsrc

`.rsrc

t$(SSh

t$(SSh

|$D.tm

|$D.tm

~%UVW

~%UVW

u$SShe

u$SShe

kernel32.dll

kernel32.dll

user32.dll

user32.dll

SkinH_EL.dll

SkinH_EL.dll

advapi32.dll

advapi32.dll

GdiPlus.dll

GdiPlus.dll

wininet.dll

wininet.dll

WinINet.dll

WinINet.dll

ole32.dll

ole32.dll

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

EnumChildWindows

EnumChildWindows

HttpOpenRequestA

HttpOpenRequestA

HttpSendRequestA

HttpSendRequestA

HttpQueryInfoA

HttpQueryInfoA

InternetOpenUrlA

InternetOpenUrlA

42305932-06E6-47a5-AC79-8BDCDC58DF61

42305932-06E6-47a5-AC79-8BDCDC58DF61

{A068799B-7551-46b9-8CA8-EEF8357AFEA4}

{A068799B-7551-46b9-8CA8-EEF8357AFEA4}

WebBrowser

WebBrowser

codycall.exe

codycall.exe

19910601

19910601

Thunder.exe

Thunder.exe

hXXp://guanjia.qq.com

hXXp://guanjia.qq.com

\SkinH_EL.dll

\SkinH_EL.dll

hXXp://VVV.net.cn/static/customercare/yourIP.asp

hXXp://VVV.net.cn/static/customercare/yourIP.asp

\collocation\collocation.ini

\collocation\collocation.ini

hXXp://qcyl2.newsyzk.com/agent/qcyl/call/

hXXp://qcyl2.newsyzk.com/agent/qcyl/call/

hXXp://net.newsyzk.com/agent/soft/call/

hXXp://net.newsyzk.com/agent/soft/call/

335405086

335405086

VVV.newsyzk.com

VVV.newsyzk.com

hXXp://ln721.28ka.com

hXXp://ln721.28ka.com

callservicer.exe

callservicer.exe

callservicer\callservicer.exe

callservicer\callservicer.exe

servicer.exe

servicer.exe

callservicer\servicer.exe

callservicer\servicer.exe

callservicer\svchost.exe

callservicer\svchost.exe

svchost.exe

svchost.exe

.rsrc

.rsrc

.QG1G

.QG1G

.nh

.nh

UVF.Oq

UVF.Oq

xX.ZEA

xX.ZEA

.tI44S

.tI44S

.wBet

.wBet

.PJ8&4

.PJ8&4

k\\%f

k\\%f

%CuHW

%CuHW

F%fpm

F%fpm

\UWSSHh

\UWSSHh

.OXWh

.OXWh

z.XZHhe=]

z.XZHhe=]

x@.pT'j

x@.pT'j

,H.QB

,H.QB

K3%xj(

K3%xj(

=<_4>

=<_4>

A.tCD\

A.tCD\

E@%c

E@%c

6NQz.mG

6NQz.mG

i.MRQ

i.MRQ

v%Si8N

v%Si8N

Wi%F{0

Wi%F{0

AY.KX

AY.KX

{.KAp

{.KAp

.kla4

.kla4

!.Mwqw

!.Mwqw

r.in(

r.in(

%SRQV

%SRQV

!.Fs:n

!.Fs:n

.ksk pCX

.ksk pCX

su.rl

su.rl

&

&

&

&

&

&

&uin

&uin

&

&

&pass

&pass

&loginType&name

&loginType&name

&

&

&R

&R

&y

&y

&Yes

&Yes

&No

&No

&Abort

&Abort

&Retry

&Retry

&Ignore

&Ignore

&All

&All

&oToAll

&oToAll

&YesToAll

&YesToAll

&Help

&Help

&Open

&Open

&Save

&Save

&

&

&

&

&:

&:

&

&

&

&

&

&

&

&

&

&

&&calleeid

&&calleeid

&&password

&&password

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&Cannot

&Cannot

&Field

&Field

&Error

&Error

&

&

&

&

<:>

<:>

&&

&&

&

&

<_4>

<_4>

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&O

&O

&uN

&uN

&

&

&

&

&Obj.Manufacturer&chr&chr

&Obj.Manufacturer&chr&chr

&Obj.Model&chr&chr

&Obj.Model&chr&chr

&Obj.SerialNumber

&Obj.SerialNumber

&Obj.ProcessorId

&Obj.ProcessorId

&Obj.Caption&chr&chr

&Obj.Caption&chr&chr

&Obj.product

&Obj.product

&

&

&

&

&

&

&uin

&uin

&

&

&pass

&pass

&loginType&name

&loginType&name

&

&

&R

&R

&y

&y

&Yes

&Yes

&No

&No

&Abort

&Abort

&Retry

&Retry

&Ignore

&Ignore

&All

&All

&oToAll

&oToAll

&YesToAll

&YesToAll

&Help

&Help

&Open

&Open

&Save

&Save

&

&

&

&

&:

&:

&

&

&

&

&

&

&

&

&

&

&&calleeid

&&calleeid

&&password

&&password

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&

&Cannot

&Cannot

&Field

&Field

&Error

&Error

&

&

&

&

<:>

<:>

&&

&&