HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Kazy.563854 (B) (Emsisoft), Gen:Variant.Kazy.563854 (AdAware), Bancos.YR, ZeroAccess.YR, BankerGeneric.YR (Lavasoft MAS)Behaviour: Banker, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 79d968e0ce11dd53d7cd00c190ecbda3
SHA1: 3a3e5c0df23129d6e0634d1730387927556f6156
SHA256: 2de772ac1be5c1b059af3192205f8ca371d6187f214c4544e94fc15b15aa2af2
SSDeep: 49152:FsfWSMkEGu jwuCELr5iaEzn1bIbuD4qym4rJnmvsW4fa4QlaOChkMIZ7UxLq:OfmkC ISKd5mmvFsNgfYLq
Size: 3101184 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-02-07 11:53:36
Analyzed on: WindowsXP SP3 32-bit
Summary: Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
cscript.exe:308
cscript.exe:1948
cscript.exe:1268
cscript.exe:1340
cscript.exe:1336
cscript.exe:1364
cscript.exe:1924
cscript.exe:1952
cscript.exe:1016
cscript.exe:1368
%original file name%.exe:1092
%original file name%.exe:1980
%original file name%.exe:228
%original file name%.exe:244
%original file name%.exe:1768
%original file name%.exe:808
%original file name%.exe:488
%original file name%.exe:188
%original file name%.exe:1912
%original file name%.exe:1760
%original file name%.exe:492
The Trojan injects its code into the following process(es):
fGAwoYMM.exe:1936
reIEcoQI.exe:1488
NesIMIQs.exe:2000
NesIMIQs.exe:820
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process fGAwoYMM.exe:1936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (11518 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (7385 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (35505 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (7385 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (7433 bytes)
C:\totalcmd\TCUNINST.EXE.exe (7385 bytes)
C:\totalcmd\TcUsbRun.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\KAAo.txt (55978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (7433 bytes)
C:\totalcmd\TCMDX32.EXE.exe (7433 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (7971 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (10177 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (7385 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)
The process %original file name%.exe:1980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OUIYoAAY.bat (4 bytes)
C:\79d968e0ce11dd53d7cd00c190ecbda3 (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QewEUggY.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\OUIYoAAY.bat (0 bytes)
The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\mkckAEAQ.bat (4 bytes)
C:\79d968e0ce11dd53d7cd00c190ecbda3 (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fcwgQkYo.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\mkckAEAQ.bat (0 bytes)
The process %original file name%.exe:244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\79d968e0ce11dd53d7cd00c190ecbda3 (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jKcAQQAU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lkkUUswI.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\lkkUUswI.bat (0 bytes)
The process %original file name%.exe:1768 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\vmgQwUsY.bat (4 bytes)
C:\79d968e0ce11dd53d7cd00c190ecbda3 (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JOYoossA.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\vmgQwUsY.bat (0 bytes)
The process %original file name%.exe:808 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\yicAccUc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QyQUEoYI.bat (112 bytes)
C:\79d968e0ce11dd53d7cd00c190ecbda3 (12289 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\yicAccUc.bat (0 bytes)
The process %original file name%.exe:488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\xUgUYQMY.bat (4 bytes)
C:\79d968e0ce11dd53d7cd00c190ecbda3 (24578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yMUQIUck.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jEAUUokM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qwIAkYQw.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\xUgUYQMY.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qwIAkYQw.bat (0 bytes)
The process %original file name%.exe:188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (7905 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (7857 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YecwkIUw.bat (112 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (7929 bytes)
C:\79d968e0ce11dd53d7cd00c190ecbda3 (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ickwowks.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ickwowks.bat (0 bytes)
The process %original file name%.exe:1912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\79d968e0ce11dd53d7cd00c190ecbda3 (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jKIQAEIY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aSQcYkIU.bat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\aSQcYkIU.bat (0 bytes)
The process %original file name%.exe:1760 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\mAUAAMEE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fEccIEYQ.bat (4 bytes)
C:\79d968e0ce11dd53d7cd00c190ecbda3 (12289 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\fEccIEYQ.bat (0 bytes)
The process %original file name%.exe:492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\79d968e0ce11dd53d7cd00c190ecbda3 (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oSUkQMoA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JkUwgwMQ.bat (112 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\oSUkQMoA.bat (0 bytes)
Registry activity
The process cscript.exe:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 67 BD 63 01 65 D8 E1 11 0E 49 46 1A 95 3B 47"
The process cscript.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 B6 61 07 DA F0 18 4B 58 00 E0 60 2D A5 2A 7D"
The process cscript.exe:1268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 17 95 97 E6 95 65 30 5A AA 2C 22 62 6D 0C B2"
The process cscript.exe:1340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD ED 12 E0 9C 11 21 DE 79 D1 F8 ED 1F 2E 6E C6"
The process cscript.exe:1336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C B3 18 FB 11 3B 1D D3 4D 8E D9 67 A8 B8 54 A4"
The process cscript.exe:1364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 35 D4 73 ED A2 CE 0B 79 01 3B 99 58 71 48 D9"
The process cscript.exe:1924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F C7 92 59 67 A5 68 26 BB 90 08 1A 03 CE 13 0C"
The process cscript.exe:1952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 F3 C0 F3 38 A9 9C 5F 2E 01 57 25 EE 61 94 A5"
The process cscript.exe:1016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 20 E9 2F 59 DC FA C5 4A B3 72 D9 68 44 D7 2F"
The process cscript.exe:1368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 32 3D F1 32 C6 F5 03 01 97 FD 3E 78 50 8A 17"
The process fGAwoYMM.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 72 4E 8C B3 B1 84 12 9E BF AD AF EA B2 80 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
The process reIEcoQI.exe:1488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 B0 A8 E0 52 DD 24 62 B8 73 AF 1F D7 34 65 F8"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
The process NesIMIQs.exe:2000 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 65 84 92 BA FB 26 72 1F 80 04 8E 5C 72 82 AB"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
The process NesIMIQs.exe:820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E 67 5F C4 7F 5C F3 A9 8D D9 92 F9 14 06 C4 26"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
The process %original file name%.exe:1092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 9B 49 14 72 F7 BD DF 8B 73 00 F2 6A 27 55 6D"
The process %original file name%.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 BF 50 88 4C E1 19 17 49 1B 68 0A C3 16 60 2C"
The process %original file name%.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 25 6E 43 DF 7F EC 28 49 3A 4F 65 8E 7E A1 2F"
The process %original file name%.exe:244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 3F 3A 68 4E CA 3F 32 ED 18 18 BD 2A D5 E7 B2"
The process %original file name%.exe:1768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 9C 30 80 44 ED 1E 09 5A 87 95 41 68 28 10 5A"
The process %original file name%.exe:808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 4C 78 50 FF B8 DE AF 8B 3B 6D FA FB 25 33 47"
The process %original file name%.exe:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 4B 27 38 C6 1F 74 46 D6 1E 79 EE 10 14 BD 31"
The process %original file name%.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C CA 47 C6 91 12 F8 AE 9C 1E 24 57 A2 1F 27 D7"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe,"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"
The process %original file name%.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 75 FA 11 27 9E EF 80 18 71 7A D3 3B E9 39 60"
The process %original file name%.exe:1760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 FB 25 BB C3 3C D1 05 EC EA 14 D5 96 37 B1 0A"
The process %original file name%.exe:492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 D3 A6 A2 24 27 C0 C0 44 E5 E9 59 3B 9A 85 D9"
Dropped PE files
| MD5 | File path |
|---|---|
| c90ae6d96ae6f2764a61863fdc761990 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe |
| a8cae74117f87b42de530ae35fc9bd08 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe |
| 11e9c5a8149487e7c5cd733fd89140cf | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe |
| e0cd41d079435842dc854b31edca01cf | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe |
| ad603b137bc184269629e44a1d3c0617 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe |
| 47b561ea08b827f5157e70cb336a76f4 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe |
| 6d3be859a073c9919ebf26a43ea84254 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe |
| d66c2928f520298afc09d873dac2cf84 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe |
| 7caf3c95d42f3abfaad20a3d0ec129c3 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe |
| fbd58375d8eab11c9eda6161daeeeb76 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe |
| 364ef27fda6fb9ef1ac4960c34575237 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe |
| ae5cad5ff7ca1675053cac58b629cd03 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe |
| 5e6e683e19ee5532422c963a9e94da0b | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe |
| 2a1b8a6ee1a22fcd8247d1c67d13de43 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe |
| cc71bf46cd897274a7be24763d5036a3 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe |
| c18dd3ca8988a9a98a748e0b0474f530 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe |
| ed58015ca7fd41e32097b9f69cb6d57a | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe |
| b3500ce0d0f730fa78ac0a8b25147b65 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe |
| aafd92c60e143ccfa58f04c428ac7625 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe |
| 71e8f13638afe1e757a9461c517414cb | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe |
| 830dfb57c28a421cb82492ab90a0de0d | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe |
| 776549bf44fac52998e740b2151803ec | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe |
| 15208c831782ffd183dc6cbda4cb5240 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe |
| c818bba899f886f7ef2b0576746ff638 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe |
| cff109567dbd24eaa0cedf62279a3204 | c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe |
| be157d9a477008b6c1ec3c7e21d31028 | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe |
| dba54957e5ff9695699a864e93d17138 | c:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe |
| 830cbbdd3ec147f950382b8eee7f26d1 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe |
| aa601218da3dbe5be58cbbb9a5559322 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe |
| f143e41e6b49d2e7aa25fcc404fe9e47 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe |
| fc47fdd9280c137fa224da65eb82b9e6 | c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe |
| aa481d84a8ecb76abfb6ddc5f9c3f15f | c:\Documents and Settings\All Users\JuwEIgUE\reIEcoQI.exe |
| bcbb36c92746f037db97af144fe01802 | c:\Documents and Settings\All Users\hcYYccwo\NesIMIQs.exe |
| e3a26ef2d4045a7cd4eec38841581cc2 | c:\Documents and Settings\"%CurrentUserName%"\dUskcAww\fGAwoYMM.exe |
| 5671404965d34fca0da22b30817a6b6f | c:\Perl\eg\IEExamples\ie_animated.gif.exe |
| 774bf80c5fc85b508e778fa8a4f11ea1 | c:\Perl\eg\IEExamples\psbwlogo.gif.exe |
| 3f6fc019800b5ff777e6a4feb92db573 | c:\Perl\eg\aspSamples\ASbanner.gif.exe |
| 48c262d657ea5fefa7dfca596b7be255 | c:\Perl\eg\aspSamples\Main_Banner.gif.exe |
| ffbc6e2860cfae23553acfe7c09a275f | c:\Perl\eg\aspSamples\psbwlogo.gif.exe |
| a19fdfc0cb905f066ceb4d52cf5cf073 | c:\Perl\html\images\AS_logo.gif.exe |
| 0bd77af5c1f874535f84cc7267f66cee | c:\Perl\html\images\PerlCritic_run.png.exe |
| 206a786acd3aa3096049af5640c05340 | c:\Perl\html\images\aslogo.gif.exe |
| 2b1f9763f4a54489ef5731485690f3c7 | c:\Perl\html\images\ppm_gui.png.exe |
| c087eaad01b029bfad6d1b13934a41ca | c:\Perl\lib\ActivePerl\PPM\images\gecko.png.exe |
| ca81773800bcac2460de4cc51e4659d8 | c:\Perl\lib\ActivePerl\PPM\images\perl_48x48.png.exe |
| 5959b9448c3ace5c8e2cb404dd8139b9 | c:\Perl\lib\Devel\NYTProf\js\asc.png.exe |
| c57cd8484db30259ac6b39dc8a10db8a | c:\Perl\lib\Devel\NYTProf\js\bg.png.exe |
| c3d2793b1d207a52fbd39451e4805f1e | c:\Perl\lib\Devel\NYTProf\js\desc.png.exe |
| 1eddce72256fda590ad56438d0b74edf | c:\Perl\lib\Devel\NYTProf\js\jit\gradient.png.exe |
| ce3ccf97c8a4a7023217ecf5950703db | c:\Perl\lib\Devel\NYTProf\js\jit\gradient20.png.exe |
| 2d96b1e729f043d0e0e7eb665e6d969c | c:\Perl\lib\Devel\NYTProf\js\jit\gradient30.png.exe |
| 8290990f796f3095080c0d9cea52f7c3 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient40.png.exe |
| 41f9390a8ce5e0f97ec265b45d354611 | c:\Perl\lib\Devel\NYTProf\js\jit\gradient50.png.exe |
| eb78a589630bd6904ac8c4e3f2fe3583 | c:\Perl\lib\Mozilla\CA\cacert.pem.exe |
| 99459b939a4ce07566851706e94e6d0a | c:\totalcmd\TCMADMIN.EXE.exe |
| a65ec9cf1d0f22b1f91d3fb38e953a00 | c:\totalcmd\TCMDX32.EXE.exe |
| 8332a4e74ab6bb1d4ec8fe5ef15260aa | c:\totalcmd\TCUNINST.EXE.exe |
| 14b56e9ff565f3fa6543a019a88163bb | c:\totalcmd\TOTALCMD.EXE.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
cscript.exe:308
cscript.exe:1948
cscript.exe:1268
cscript.exe:1340
cscript.exe:1336
cscript.exe:1364
cscript.exe:1924
cscript.exe:1952
cscript.exe:1016
cscript.exe:1368
%original file name%.exe:1092
%original file name%.exe:1980
%original file name%.exe:228
%original file name%.exe:244
%original file name%.exe:1768
%original file name%.exe:808
%original file name%.exe:488
%original file name%.exe:188
%original file name%.exe:1912
%original file name%.exe:1760
%original file name%.exe:492 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (11518 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (7385 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (35505 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (7385 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (7433 bytes)
C:\totalcmd\TCUNINST.EXE.exe (7385 bytes)
C:\totalcmd\TcUsbRun.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\KAAo.txt (55978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (7433 bytes)
C:\totalcmd\TCMDX32.EXE.exe (7433 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (7971 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (10177 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (7385 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OUIYoAAY.bat (4 bytes)
C:\79d968e0ce11dd53d7cd00c190ecbda3 (12289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QewEUggY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mkckAEAQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fcwgQkYo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jKcAQQAU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lkkUUswI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vmgQwUsY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JOYoossA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yicAccUc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QyQUEoYI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xUgUYQMY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yMUQIUck.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jEAUUokM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qwIAkYQw.bat (4 bytes)
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (7905 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (7857 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YecwkIUw.bat (112 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (7929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ickwowks.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jKIQAEIY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aSQcYkIU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mAUAAMEE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fEccIEYQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oSUkQMoA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JkUwgwMQ.bat (112 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe" - Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe," - Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 3096576 | 3094016 | 5.52995 | b112711f2e531b745c86416fcc97d4c5 |
| .rdata | 3100672 | 4096 | 512 | 1.27152 | 9cefed5e5bd362bd8160aa3154a70ed9 |
| .data | 3104768 | 3 | 512 | 0.042395 | 48ea7cf0c3eae42953cca5d7768ab661 |
| .rsrc | 3108864 | 4444 | 4608 | 3.23525 | b7d8131698f7481a2f125f8eb5da7b32 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the folowing location(s):