Trojan.Win32.IEDummy.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: ed12bc41b4fcbb740d38037a94f3dc00
SHA1: 1a63218aec0d622be39c383f3873d0dbd182bdd9
SHA256: 78d98fc6cf2b903dad6b93331d058d63483e998ac9c8e795d0eb82aa3392f01d
SSDeep: 49152:kbpgsHMQxAlD kv15sKcurABjCVopS3JphdLpF8/LdQohO7H0VSsOszv1IEpDP0z:kb3MpL2aAR4opWThdLpFDBUTOsrg
Size: 3545048 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:800
The Trojan injects its code into the following process(es):No processes have been created.
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GHUVWDQF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WPURKDEF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\212H0NK3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LUBCXUZ\desktop.ini (67 bytes)
Registry activity
The process %original file name%.exe:800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKCR\ed12bc41b4fcbb740d38037a94f3dc00.DynamicNS\Clsid]
"(Default)" = "{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}"
[HKCR\ed12bc41b4fcbb740d38037a94f3dc00.DynamicNS]
"(Default)" = "DynamicNS"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\ProgID]
"(Default)" = "ed12bc41b4fcbb740d38037a94f3dc00.DynamicNS"
[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}]
"(Default)" = "DynamicNS"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
"CategoryCount" = "16"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\LocalServer32]
"(Default)" = "c:\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 5F 64 DE 4C 34 A6 1A 2F C4 F6 9B 3D DA 47 72"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\ed12bc41b4fcbb740d38037a94f3dc00\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Internet Explorer]
"iexplore.exe" = "Internet Explorer"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\ed12bc41b4fcbb740d38037a94f3dc00\DEBUG]
"Trace Level"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:800
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GHUVWDQF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WPURKDEF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\212H0NK3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LUBCXUZ\desktop.ini (67 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description:
Comments:
Language: English (United States)
Company Name: Product Name: Product Version: 1.0.0.0Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0File Description: Comments: Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 3473408 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 3477504 | 2408448 | 2406400 | 5.49942 | 3d1025bb59494a9eac9d491d86443398 |
.rsrc | 5885952 | 24576 | 24576 | 3.62474 | f555a509f9b8e5ecb7c857bb6eb3dd86 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 29
abb662866c5559e38c092dfe1dae7cd6
1d5665f20cc07d87ef9245554482efc9
e0458fed37d41dffb4893dbaaad542d6
6b3c8ceb5bd9a7b18e4912f4e5e5f0d2
11682e137e155bd2132e460769221eae
1003a2ffeb489065dc9e408f74d247cb
3ff549a965747c33969661db946cb88b
8a2c3df4f83a539132d183d993b6efee
8a10f98b98cccff64e5b1461f59c65eb
5c71f535ac6c7d85248432c5a0a6de8e
648e2b931895d300f96b996ef958c594
8fa354a192d6e168f2a98d59d20d6ee5
ff64b0e6b7fd7243413a621a4e72043d
3d8d218041a794ab83b2a15afbd0e7bb
38252e363e94dbbb86a1e762a9aa66a8
864c2df84118cb9ae2585e281c353ff7
bdef14104ab2762ad2ec1902433f49db
f9f7485ee3d6ee0e57fe0de1b0dc546e
738cf718e055a2bda4f3549da8c18f4b
5752dd5d17611567db7590e59c66dcf7
7f838fdf7e8f949b89d63c3ab90f0eca
9f466f3b7a94fad0b985eb522a9e97d1
ce7673151f2ca5d65bebd134a3e06ca5
304dd35d7de255fb182c9afe46223093
5d392ac3776fa43027ede4dfe61f11b3
Network Activity
URLs
URL | IP |
---|---|
hxxp://fplr.biz/ic/flv/flvplayer_setup.msi | 89.207.132.103 |
hxxp://digimatic.biz/pages/displayCore2_russian/typ2-1.html | |
hxxp://digimatic.biz/pages/displayCore2_russian/css/style.css | |
hxxp://digimatic.biz/pages/displayCore2_russian/images/icon1-green.png | |
hxxp://digimatic.biz/pages/displayCore2_russian/images/icon2-green.png | |
hxxp://digimatic.biz/pages/displayCore2_russian/images/icon3-green.png | |
hxxp://cast-prod-dlv-pull.ironsrc.netdna-cdn.com/scripts/1/adnl.min.js | |
hxxp://neu-dl-api.cloudapp.net/api/vv/1?callback=cb_1450374609125&ts=1450374609125&sessionId=MrAtb&rfr=&siteId=9306&aus=3958,1,0 | |
hxxp://cast-prod-dlv-pull.ironsrc.netdna-cdn.com/layouts/graphic_300x250.js?v=4.4.21 | |
hxxp://cast-prod-dlv-pull.ironsrc.netdna-cdn.com/images/b98a8050-44ca-47d3-a90f-84baeae944ba.png | |
hxxp://digimatic.biz/pages/displayCore2_russian/ | |
hxxp://cdn.castplatform.com/images/b98a8050-44ca-47d3-a90f-84baeae944ba.png | 198.232.125.51 |
hxxp://d.castplatform.com/api/vv/1?callback=cb_1450374609125&ts=1450374609125&sessionId=MrAtb&rfr=&siteId=9306&aus=3958,1,0 | 40.127.174.50 |
hxxp://cdn.castplatform.com/layouts/graphic_300x250.js?v=4.4.21 | 198.232.125.51 |
hxxp://cdn.castplatform.com/scripts/1/adnl.min.js | 198.232.125.51 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /ic/flv/flvplayer_setup.msi HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: fplr.biz
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Thu, 17 Dec 2015 17:50:14 GMT
Content-Type: application/octet-stream
Content-Length: 3088384
Last-Modified: Tue, 15 Dec 2015 14:09:02 GMT
Connection: keep-alive
Accept-Ranges: bytes
........................>...................0...................................}...............................................s...............................................................Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k.......................................................................................................................................................................................................................................................................h...............A...%........................................................................................... ...!..."...#...$.../...6...'...(...)...*... ...,...-...........0...1...2...3...4...5...9...7...8...=...:...;...<...D...>...?...@...B...C...Q...c...E...F...G...H...I...J...K...L...M...N...O...P...a...`...S...T...U...V...W...X...Y...Z...[...\...]...^..._.......b...d...i...m...e...f...g...o...|...j...k...l...n...p...q.......r...v...s...t...u.......w...x...y...z...{...~...................R.o.o.t. .E.n.t.r.y............................................................................F..............P.................@H.A0C.;;B&F7B.B4FhD&B..................................................................................................0.......@H.A.E.F.A.E(?(E8B.A(H..............................................................................................x...H.........S.u.m.m.a.r.y.I.n.f.o.r.m.a.t.i.o.n...........................(...:..................................................
<<< skipped >>>
GET /api/vv/1?callback=cb_1450374609125&ts=1450374609125&sessionId=MrAtb&rfr=&siteId=9306&aus=3958,1,0 HTTP/1.1
Accept: */*
Referer: hXXp://digimatic.biz/pages/displayCore2_russian/typ2-1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.castplatform.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 1330
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
X-Country: UA
P3P: CP='NON UNI COM NAV STA OUR IND'
Set-Cookie: cuuid=f4aa4719-a5fe-4509-afa2-872aa2e6612d; expires=Wed, 17 Dec 2025 17:50:16 GMT; domain=d.castplatform.com; path=/
Date: Thu, 17 Dec 2015 17:50:15 GMT
cb_1450374609125 && cb_1450374609125({"zones":[{"id":3958,"status":200,"enabled":true,"template":"Graphic_300x250","data":[{"title":"Windows PC Repair","description":"Scan your PC for Windows errors with 1 click to diagnose and Repair damages!","button":"Download Now","company":"Reimage","rating":0.0,"clk":"cln4ERws0BLswzaixv1SCRdsOaEvRE3SYfSw2XMSk1Z_Ge69-m_HK8eylRbqK-JSwD4lwXUEv_bOM5yvDCioVG78YeT-K4R7lv73qOb3BTFRmI8FybMXu-8Znyq9duGoo7Z8aiP39EkVCM5YZIHrBirx0m_ZVLhbzzdD2KEfZoR5C9oBiLEG2DqlZ8dXydB46xhP0By16sbORVMxNWmjgxmkyN9jLQljQOgnNSiar7qHshGNsAvljH55xQX9P_d0An9oz2QwNnwNgRnE-k66qPU8S2GgA42YoU5KsgQgWZKo4oZ3VYFtC8pXIipPkoLYOZV50YI6lqH3mgYOiTBfiozgJ5MxJDYbR_DWtS9adLdxI53fA_Fm3vcqp4ieaezDuS2HCnzBWvnlsBLJpD2WlxU4LzR8ft7Jqqs_r0wlt3b-ZQGBCRke5T_el0A7Oo7reviqW3Zyr_EME0IlLiZBG5xbyJz-ALPFSli03NZldfyrFEEgxMpdIg8M0Ye1pajKOAE-xR4d2Jde_15e1uf8BAFR-Zm9iSFnOag0A6yxd0ZqcxhUjUIOmn7M8To7PgqEqydnxtrCy87A2sm1UVwdeA9dcISTvW8Lj00KSS6y4MA","width":300,"height":250,"cUrl":"hXXp://d.castplatform.com/api/c/1?clk=%clk%","vUrls":["hXXp://d.castplatform.com/api/vp/1?clk=%clk%"],"category":null,"assets":[{"assetDisplayType":2,"width":96,"height":96,"url":"//cdn.castplatform.com/images/b98a8050-44ca-47d3-a90f-84baeae944ba.png","javascript":"","clickTagVar":""}]}],"styles":null,"settings":{"adUnitTitle":""},"displayType":"Size"}],"ts":210});..
<<< skipped >>>
GET /pages/displayCore2_russian/images/icon1-green.png HTTP/1.1
Accept: */*
Referer: hXXp://digimatic.biz/pages/displayCore2_russian/typ2-1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: digimatic.biz
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 17 Dec 2015 17:47:51 GMT
Content-Type: image/png
Content-Length: 3392
Last-Modified: Thu, 12 Jun 2014 09:04:00 GMT
Connection: keep-alive
ETag: "53996d00-d40"
Accept-Ranges: bytes
.PNG........IHDR...>...E......$UF....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..[{l[W.?..g..fvR.]..2.4.z.N..?jOC......C....IS[....%Y............i].@..c.@.?Hs%.:&.....&..c.............#YIS...;.w.....cB.O......GE.l.3.n7.2Rv..FQ..JF. ...Lt.....?..m.cN...'yK...k..Y..l..........j...qO:.?.......n...8K........K7<9X.db.$.....b.............=-........<uhB..2......-/VI.Hzy.$."..?y...<.....-.iF..x.. ...N..ke....)......!._.mJc..p,a.Z.Gd.x.(...p.......j....~3.. .I..a....~4...S...NN0f.W..2.I.....t....i`..1d.6....E...^.oKGb$qm.}..;.f...g...h%x..t.K ..'.......(X...W.:...]#.p......>.._;.>j..{..V.(k.W...O\....oj..^.....K.lq>.<.......eJ........?..Yp.`.Ic........F............OV.../...n.....u.3...F..`... .....oj..b.......7"..;]i.B.. ...K.A{..W.^.g....9..?}..p....R.M....i..N.D....;......QK..,".....9.....ub>...P.....g:9/...:?.y?..a8...L....L.b.s............W...O|.S...w*...3=..J.,...:...3ok..mz....W....E.S.F.N...99K.v.S.P.......].!ey:]#C..!.8 .W...D;dq.......>;...|Y.,3D.Gq.Mg.D..i.|..X.......[.@.s8.8sVD.*cYmj.=.3..2........W...vw...fy9^.....z......pEQ. ...Q....T....#.[/..t.0z.h!..>t.....%".Bl.{.<.{.JW.....?.3h.{w...(...DF..p...dV.}X....PJ...n.A.....o. p.(..........H..3....H...N....F)p8....$.......Y....z:Tn.....W.q....6..D..G.Ud.f.....C.X....D......N..{..T.j......../."..=...g..)..<(hwX.rf...0...Z=J..=....1B..n.$U\.P.re.ku.u&8.nC.........W........so..../.O5...G.....OB#%...x...~..`.;.....^.m."...........q..S]..T.....Fj)>...|.jZ...['.....:.s.x..O.m.....[....\$0..{..&.r...^.U...?.o..Y.......ZW].
<<< skipped >>>
GET /pages/displayCore2_russian/images/icon3-green.png HTTP/1.1
Accept: */*
Referer: hXXp://digimatic.biz/pages/displayCore2_russian/typ2-1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: digimatic.biz
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 17 Dec 2015 17:47:51 GMT
Content-Type: image/png
Content-Length: 1519
Last-Modified: Thu, 12 Jun 2014 09:06:00 GMT
Connection: keep-alive
ETag: "53996d78-5ef"
Accept-Ranges: bytes
.PNG........IHDR...>...E......$UF....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..[.O[u.........(.E....o..............U0...Q`.%...}0..$..d....%&=<.H.|q.sNZ..R..=7.._/P...Z.....rN.....;..0`.......0`.....S<q..x.6...8. .....4=A].....Y...L<y~&\".I.G..X.Y,......L\{......./..s.Id.1L....si6o@.c.4.h...5:8.....!...............j..W.h..UvZ...bC.B....1..j\YZ..9...9....r0..8......V...\..[.HO.y..`.{w..SQ.[.m..L.V.nli.....L..`..n&...\.bZ.U.@.q...u.......wJ.~.f......:.......x.i.g.......s...>4...J...z .^r.z..3....RO<y.wI.).Z..v......^p.u.y"H....W*6Q..tX."?..w...'...%. .......f.|o....3.s......:.Zz].2.............|.v..U....c..z.b....i........>....q.S .....'k3...6.......>D.qY.E............................1e1=.Ff)..o..|_..O...z...P6. ... ....?O.S...=.DtU..c.-C....SG.%.Y....*.......#.=y.K.quyM.......g.(....\9y.Y..s\v....!.......>@..d............I..d{.m...!..zFR..........._#rr9.g....ut~....!..;....-....*w...Hx.E.C]........}.....c.n"..>.".._.ZQ.C.."....q.j"...... ......._I....S.g.....f...o3..Q...jpf......s.)...1B].SO..3..$N..].g(.z......D.......T...C/......u.a}....`. ":m.-m..W.....4..JJ.}...%.U.T....-.N.....m."..?YE...q=....|P.....X.H,.......|..J.F.#M.......w.t...Xrr&..e=;.a......R.e.RN...2....n-....g..8d../;....b......p..).&.0Xm.._.Gs.T..V.y.mo..3....h...F.-.^HH......k....2i...v..&.......j..s,...~ok......=......n.`.x..1.-.I...G..V...F...,U.K...Hb".;p...A/...s.V/.._....7q.S.|....&.~81v-..../...!.G.Q.m............\./*.$h...>..*.u.@b.ZM~h1yH..W.E...Wp].a.'{....8r.A,...r.....).hY...?.KE.u.........._...d
<<< skipped >>>
GET /pages/displayCore2_russian/typ2-1.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: digimatic.biz
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 17 Dec 2015 17:47:51 GMT
Content-Type: text/html
Last-Modified: Thu, 25 Jun 2015 13:31:00 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
ETag: W/"558c0294-8c3"
Content-Encoding: gzip
37d.............V.n.0......f..& ..ARit.@..........18N.;..!.q....B.A.......7.8i........9>?.w...................c..{.k&.Db..8.D:F"..k..2..q...7...!7..rI8x.0.Rr.....<.....t.K....(..bV..f..L..T2R..1.......;..r.........B...>!...I.1\!.Lk..(.m....C.7.K.........4.h..h..Z.a.:1!....,............`...%l.QS../.O......H}Q}..7....G.W?...d*....r.$..hH.....u...{......m..v..9r.b;..Y.F......O...X`(Dul0.V.....W...H......j.M....%h..C.:...52:I..7...P..`q..y..CY........D..h..XA^.i.A"v...p".E.J...5#.1.f....D..8..B.y.....b..6.....X....3`.....D..O..4k....^.W..O....J.t..:c.n.vb..........*.U..h...W......'.....Zur.di...\.G...6.5...-j.....u..O.K.!..\;AP?]......r......V.Q"....Wy=.Bb...d4.....;..V}k......7../....h.......z.t...............0....6.....h........W..f.p1.....L.yD....r.vV.R;......-...|....{....K..H.....o...tH....:..V.AX.Ko..Pn>...x.....>s.}<...........L....4K...{&."...O.W.Sl.-...$....{$O8...8..Y....%.........0..HTTP/1.1 200 OK..Server: nginx/1.8.0..Date: Thu, 17 Dec 2015 17:47:51 GMT..Content-Type: text/html..Last-Modified: Thu, 25 Jun 2015 13:31:00 GMT..Transfer-Encoding: chunked..Connection: keep-alive..Vary: Accept-Encoding..ETag: W/"558c0294-8c3"..Content-Encoding: gzip..37d.............V.n.0......f..& ..ARit.@..........18N.;..!.q....B.A.......7.8i........9>?.w...................c..{.k&.Db..8.D:F"..k..2..q...7...!7..rI8x.0.Rr.....<.....t.K....(..bV..f..L..T2R..1.......;..r.........B...>!...I.1\!.Lk..(.m....C.7.K.........4.h..h..Z.a.:1!....,............`...%l.QS../.O......H}Q}..7....G.W?...d*....r.$..hH
<<< skipped >>>
GET /pages/displayCore2_russian/css/style.css HTTP/1.1
Accept: */*
Referer: hXXp://digimatic.biz/pages/displayCore2_russian/typ2-1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: digimatic.biz
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 17 Dec 2015 17:47:51 GMT
Content-Type: text/css
Last-Modified: Mon, 16 Jun 2014 11:19:00 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
ETag: W/"539ed2a4-71e"
Content-Encoding: gzip
291.............U.n.0.}._a...R..$...mv.....X1...$...;6..K.u.)....3.D".\.UAe....o...I......TvJ../!....... .).....em. Y.f....A...}AH.]u.%'`Y.BR.YP.R.geS.2...T Q...dH.. ..N.... .N.m.@..KT....5n:.6....S.l....e99..$.=G]*D..... g.JT..mdv.={A.<h...%.%..8.TF\..i....JC......D....)&...N...D...%.s.....I..HD.c&ES&.a........o`.....a?.l.........e...........)DB...W.I-8K0.........@-uC h..is..:@.m&......T.eZl1......{[.6........1.IS....Btd..q.m`...]c...z....N$. ..&|h.!4J.i.C.j7...........oc..@......o.........X.....M.=R...S&yp..7.-.w.m..j%......&...u....j4v~..~9.FgP.:......N...........p.q....%...gh.rA1....6.......2.....x!...v.|.FF...l.h.....yP...B$x..%Y..Mu.....;..q.........0......
GET /pages/displayCore2_russian/images/icon2-green.png HTTP/1.1
Accept: */*
Referer: hXXp://digimatic.biz/pages/displayCore2_russian/typ2-1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: digimatic.biz
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.8.0
Content-Type: image/png
Date: Thu, 17 Dec 2015 17:47:51 GMT
Accept-Ranges: bytes
ETag: "53996d3c-ec6"
Connection: Keep-Alive
Last-Modified: Thu, 12 Jun 2014 09:05:00 GMT
Content-Length: 3782
.PNG........IHDR...>...E......$UF....tEXtSoftware.Adobe ImageReadyq.e<...hIDATx..[kl#W....yO......?..u..H..P..J...$@..K...l. .}..}P@@..J........q..H@3.E.u@.".Zg7.$..$q..f..\...c;....(W;.].x.~......;....?......c.|X........B...;D...rv&.M..eE...eZ..1Ts5....E?..{O.x....B.. ..=B...D...~.,,..p.493...XB.R...2&......1...., .5.....b[.B`ae...oF...p.FZ.,."..zh......p...yH.l>!4:. .[aXi.3.... |.. ..t.....J...../4...(T.meL..'9ceC.]R//...FkW.Z...vpb6d..?......=.x..M.RO....P..p[c-..K.p.,v........K.|.=......:!..2............<`....j....Mq...C<{*L2j.^05g.q=}qy`..sy ]3.UK.j.....o.Z.......2&u5{.fw.}6.Oe8cuCO._..<.Jd.9.;.......[4.2.i....y.K.Z.......q..J.A^..g......1..|.lN.)8............f.q]...4............I..c...=.2..[..2LZ.1rIf....3.....M...2.M.f..R siU..i..0.....9_.?.'...S.R#.sN.{.s.........@7...%..{........w>....A.V...{?..V9.*G.....,.......lA.:7.........E.q.C..._W.Dd.k;&D..4..E}3.}..X.c.)`.!.$...R.........X.<....^.PH..NO.)...^KM-.......:.8...Q..S7.`. ...V...D.@.'.<..x!..1.PU.ktr<R.@.W.......t....l..'d..n.'|v*...R..=.uau0..uC...S.......G....F............f...h.XN.h..-(..../....l.f..fI..`G.|.....\...bf..Q*...p....Y..R......w........\aj.TR..IUA.d.6...@.DqNi..8.#.l!)l(,V....6m.<...E..../.y....P.......y.........O.f....-.....Y....B.(.s..r....z<jf....m...[Hc...%5.....$..x.Z...u2.....h.........94{.....9...\.wE.?....!E.\l..S...).....A...2FV.y..Z..d.HEPsy....!.*X.......?s|.qM..y..U.s.......m....Zi.T......C....m.nB.......4.....Q.........) ...Ph..'.~|..nZ'.Fpk..:....3...)_|.~....H..gnM.J?k....$y......-.....
<<< skipped >>>
GET /pages/displayCore2_russian/ HTTP/1.1
Accept: */*
Referer: hXXp://digimatic.biz/pages/displayCore2_russian/typ2-1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: digimatic.biz
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 17 Dec 2015 17:47:52 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Encoding: gzip
114...............n. .......{BpRi.(.....hC..M..uy.A.i..ia.,0..l0L....OLI.r.t0...V........I..5b..N......#.|.32........r.M.v..t.x..k.c$S.3...@.....%.<.FDR.r....d....U].....6.....1....S...'..l^..s........"{.\..l".K......E@S.......f/...^f.0..zg..........9s}}9.*2.....I.-.....~...........0..HTTP/1.1 200 OK..Server: nginx/1.8.0..Date: Thu, 17 Dec 2015 17:47:52 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Vary: Accept-Encoding..Content-Encoding: gzip..114...............n. .......{BpRi.(.....hC..M..uy.A.i..ia.,0..l0L....OLI.r.t0...V........I..5b..N......#.|.32........r.M.v..t.x..k.c$S.3...@.....%.<.FDR.r....d....U].....6.....1....S...'..l^..s........"{.\..l".K......E@S.......f/...^f.0..zg..........9s}}9.*2.....I.-.....~...........0..
GET /scripts/1/adnl.min.js HTTP/1.1
Accept: */*
Referer: hXXp://digimatic.biz/pages/displayCore2_russian/typ2-1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.castplatform.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 17 Dec 2015 17:50:16 GMT
Content-Type: text/javascript; charset=utf-8
Content-Length: 58113
Connection: keep-alive
Vary: Accept-Encoding
Content-MD5: IBo0vCqPGPsUb0vcuIAybQ==
Last-Modified: Tue, 24 Nov 2015 12:28:55 GMT
ETag: 0x8D2F4CAD19F569E
X-Node: cdn1
Server: NetDNA-cache/2.2
X-Cache: HIT
// CAST Delivery Agent v4.4.21 #12:28.!function(global,undefined){Array.prototype.indexOf||(Array.prototype.indexOf=function(e,t){if(this===undefined||null===this)throw new TypeError('"this" is null or not defined');var n=this.length>>>0;for(t= t||0,1/0===Math.abs(t)&&(t=0),0>t&&(t =n,0>t&&(t=0));n>t;t )if(this[t]===e)return t;return-1}),"object"!=typeof window.JSON&&(window.JSON={},window.JSON.stringify=function(e){if("[object Array]"===Object.prototype.toString.call(e)){if(e.length>0){for(var t=e.length,n=[],a=0;t>a; a)n.push(this.stringify(e[a]));return"[" n.join(", ") "]"}return"[]"}if("object"==typeof e&&null!==e){var n=[];for(a in e)n.push('"' a '": ' this.stringify(e[a]));return"{" n.join(", ") "}"}return"string"==typeof e?'"' e '"':e},window.JSON.parse=function(text,reviver){function walk(e,t){var n,a,i=e[t];if(i&&"object"==typeof i)for(n in i)Object.prototype.hasOwnProperty.call(i,n)&&(a=walk(i,n),a!==undefined?i[n]=a:delete i[n]);return reviver.call(e,t,i)}var cx=/[\u0000\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g,j;if(text=String(text),cx.lastIndex=0,cx.test(text)&&(text=text.replace(cx,function(e){return"\\u" ("0000" e.charCodeAt(0).toString(16)).slice(-4)})),/^[\],:{}\s]*$/.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g,"@").replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g,"]").replace(/(?:^|:|,)(?:\s*\[) /g,"")))return j=eval("(" text ")"),"function"==typeof reviver?walk({"":j},""):j
<<< skipped >>>
GET /layouts/graphic_300x250.js?v=4.4.21 HTTP/1.1
Accept: */*
Referer: hXXp://digimatic.biz/pages/displayCore2_russian/typ2-1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.castplatform.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 17 Dec 2015 17:50:16 GMT
Content-Type: text/javascript; charset=utf-8
Content-Length: 2972
Connection: keep-alive
Vary: Accept-Encoding
Content-MD5: KiIZm6dlzklWp1p98ApFMQ==
Last-Modified: Tue, 24 Nov 2015 12:29:19 GMT
ETag: 0x8D2F4CAE05A5088
X-Node: cdn1
Server: NetDNA-cache/2.2
X-Cache: HIT
cb_layout({transformer:{name:["Graphic_300x250"],mainLayout:"graphic_300_250_combo",subLayouts:["graphic_300_250_single_inner"]},addZoneTypes:function(e,a){a.graphic_layout={family:"layout_base",style:a.layout_base.style ".namespace{overflow:hidden;background:#fff;border-top:solid 30px #39393a;border-bottom:solid 1px #f6f6f6}.namespace .slots{background-color:#f9f9f9;overflow:hidden}.namespace .ca-sec-title{color:#fff;font-weight:400;line-height:30px;margin:0;font-size:12px;position:absolute;padding-left:10px;top:0}",template:'<div class="header ca-sec-title cstm-title">{{adunit_title|default:we_recommend}}</div><div class="slots cstm-bg"></div>'},a.graphic_inner=e.extend({},a.inner_base,{style:a.inner_base.style ".namespace{display:block;overflow:hidden;position:relative;margin:0;border-bottom:solid 1px #3d3c3d;border-right:solid 1px #3d3c3d;border-left:solid 1px #3d3c3d}.namespace h1,.namespace h2,.namespace h3,.namespace h4,.namespace h5,.namespace p{margin:0}.namespace a{right:14px;bottom:12px;color:#2bb22f;font-size:12px;font-weight:700}.namespace a.download_now_placeholder{text-decoration:none}.namespace img{position:absolute;border:0}.namespace .ca-title{font-weight:700;color:#4d4d4d;margin:0;height:auto}.namespace .ca-company{color:#768797;font-weight:400;font-size:14px;line-height:24px}.namespace .ca-description{color:#5d5d5d;font-size:14px}.namespace .ca-stars-rating{margin-top:12px}.namespace .download_now{position:absolute;top:auto;right:auto;left:12px;bottom:9px}.namespace i
<<< skipped >>>
GET /images/b98a8050-44ca-47d3-a90f-84baeae944ba.png HTTP/1.1
Accept: */*
Referer: hXXp://digimatic.biz/pages/displayCore2_russian/typ2-1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.castplatform.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 17 Dec 2015 17:50:16 GMT
Content-Type: image/png; charset=utf-8
Content-Length: 7110
Connection: keep-alive
Vary: Accept-Encoding
Content-MD5: 1re2WOPD13XMUhsZQ/aVnQ==
Last-Modified: Mon, 01 Dec 2014 08:57:30 GMT
ETag: 0x8D1DB5BF912EA70
X-Node: cdn2
Server: NetDNA-cache/2.2
X-Cache: HIT
.PNG........IHDR...d...d.............tEXtSoftware.Adobe ImageReadyq.e<....iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c014 79.156797, 2014/08/20-09:53:02 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:54521e55-5d95-f641-bd02-1debd9140b99" xmpMM:DocumentID="xmp.did:DB3131DC67F411E4BD5C9DDCF794BEBF" xmpMM:InstanceID="xmp.iid:DB3131DB67F411E4BD5C9DDCF794BEBF" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:454f16d2-6936-2d42-9506-3d0d11430d68" stRef:documentID="adobe:docid:photoshop:5a9b7aaf-67f2-11e4-bbad-96f2a7f5e123"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..6.....IDATx..\Ys..u.{{.}.......I..(J..;[.I*v^.......=.N.T.\I9.......)...l.`.f.....7.... ...$.$.....3.}..w....I....)..t...``...iB.......k...d..........X....n8p.....5@........n8@..Y.d...`.........P..b(.!.SB.B..... Q..<....*t..-#j.....u......*D...3.HY.B25.J...l,..U....m%8.p.ku{....Zui....=A('.q....?.D.F.e.s..4.KVU..r.U......w..`..J_;wn6....a...{.|...j.)N6..\.N..U.....&'.......#....Q.=.Y..T._...x.u.. ........vv>[]......7c....^..B#K..k.cs..F(.I.K...~.dg}.3g<.yw.....x~(gZ*A(FM....{BPB.3...q.
<<< skipped >>>
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
iexplore.exe_892:
%?9-*09,*19}*09
%?9-*09,*19}*09
.text
.text
`.data
`.data
.rsrc
.rsrc
msvcrt.dll
msvcrt.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
USER32.dll
USER32.dll
SHLWAPI.dll
SHLWAPI.dll
SHDOCVW.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
IE-X-X
rsabase.dll
rsabase.dll
System\CurrentControlSet\Control\Windows
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
dw15 -x -s %u
watson.microsoft.com
watson.microsoft.com
IEWatsonURL
IEWatsonURL
%s -h %u
%s -h %u
iedw.exe
iedw.exe
Iexplore.XPExceptionFilter
Iexplore.XPExceptionFilter
jscript.DLL
jscript.DLL
mshtml.dll
mshtml.dll
mlang.dll
mlang.dll
urlmon.dll
urlmon.dll
wininet.dll
wininet.dll
shdocvw.DLL
shdocvw.DLL
browseui.DLL
browseui.DLL
comctl32.DLL
comctl32.DLL
IEXPLORE.EXE
IEXPLORE.EXE
iexplore.pdb
iexplore.pdb
ADVAPI32.dll
ADVAPI32.dll
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
IExplorer.EXE
IExplorer.EXE
IIIIIB(II<.fg>
IIIIIB(II<.fg>
7?_____ZZSSH%
7?_____ZZSSH%
)z.UUUUUUUU
)z.UUUUUUUU
,....Qym
,....Qym
````2```
````2```
{.QLQIIIKGKGKGKGKGKG
{.QLQIIIKGKGKGKGKGKG
;33;33;0
;33;33;0
8888880
8888880
8887080
8887080
browseui.dll
browseui.dll
shdocvw.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
6.00.2900.5512 (xpsp.080413-2105)
Windows
Windows
Operating System
Operating System
6.00.2900.5512
6.00.2900.5512