Detections: HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.GenericKD.2529275 (B) (Emsisoft), Trojan.GenericKD.2529275 (AdAware), Trojan-Banker.Win32.Banker.FD, Trojan-Banker.Win32.Brasil.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.IEDummy.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, VirTool
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: c367f53b571ea3563e6eba42a2ecf524
SHA1: 26e580fc6798012d24a98e23c175ac759fa9bbb2
SHA256: e8ba3f809f1ca121baf3f6c9fed93aa3393f53b2bc845134b25984b7730a23e5
SSDeep: 12288:WA2 cLCbr2GOkD3kp2SyITvjJ7/bEEfrsO47g/Wx:B21Cbr5OkDSuITLJAenl/W
Size: 621568 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 2015-07-01 08:37:39
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
setup_30032.exe:1604
-2100_1_ss.exe:1776
JSZS.exe:552
The Trojan injects its code into the following process(es):
copy%original file name%.exe:560
%original file name%.exe:772
JSZS.exe:1860
Mutexes
The following mutexes were created/opened:
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
ShimCacheMutex
File activity
The process setup_30032.exe:1604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\anote\Alarm.wav (13 bytes)
%Program Files%\anote\anote.exe (36078 bytes)
%Program Files%\anote\about.jpg (9 bytes)
%Program Files%\anote\uninstall.exe (2392 bytes)
%Program Files%\anote\Language\chinese.ini (2 bytes)