Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: ef6d2e8148e99c80940770cb36116c46
SHA1: 46696a509a6d2bf5e72aa109ae7d220f0514d9f8
SHA256: e650808ba04d652f8f0cfc97138afa3ddb383bc789b9423fe1d4f8c3639ba84f
SSDeep: 393216:Ul0d3iPa0YRvQaitgdgas12vpy6YqNBNDOXK858ZP7:woG8vQa8SgX1IpyqhO685QP7
Size: 13159896 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-12-04 15:55:11
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
mscorsvw.exe:1912
svhost.exe:440
%original file name%.exe:1664
06.scr:404
The Trojan injects its code into the following process(es): none observed.
Mutexes
The following mutexes were created/opened:
ShimCacheMutex
File activity
The process svhost.exe:440 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\drivers\sysdrv32.sys (392 bytes)
The process %original file name%.exe:1664 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj7E.tmp (0 bytes)
The process 06.scr:404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\system\svhost.exe (46100 bytes)
Registry activity
The process mscorsvw.exe:1912 makes changes in the system registry (mscorsvw.exe is the .NET Framework native image service, NGen; the value below is that service's own state bookkeeping rather than something written by the Trojan's code).
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"
The process svhost.exe:440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 F5 B9 DE EA C2 12 8A FE BE 71 24 62 B7 D2 77"
The process %original file name%.exe:1664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 0B 7D CE 73 1E FE 7F 6E 95 94 7F EB 16 7E F0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process 06.scr:404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 F8 4F DD 14 B4 95 B4 63 87 77 15 F5 89 E4 9C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SVCWINSPOOL]
"(Default)" = "Service"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\NetworkService\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\NetworkService\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SVCWINSPOOL]
"(Default)" = "Service"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"
The Trojan writes the IE security-zone (ZoneMap) setting that maps sites bypassing the proxy server to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
It also writes the setting that maps local (intranet) sites not listed in another zone to the Intranet Zone:
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WSVCHO" = "%WinDir%\system\svhost.exe"
It also writes the setting that maps all network paths (UNCs) to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Note that 1 is the Windows default for all three ZoneMap values, so these writes do not loosen zone security; together with the HKU\.DEFAULT Shell Folders entries above they are consistent with Internet settings being initialised for the account the process ran under rather than a deliberate change. The Run value, by contrast, is the sample's persistence: it points to svhost.exe (one letter short of the legitimate svchost.exe) in %WinDir%\system, the legacy 16-bit directory, rather than %System% where the genuine service host lives. The SVCWINSPOOL keys written under SafeBoot\Minimal and SafeBoot\Network register a service of that name to be started even in Safe Mode.
Dropped PE files
MD5 | File path |
---|---|
5dd4110c9b6099c0d7dff7dfde849ad4 | c:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\49YV01QJ\x[1] |
5dd4110c9b6099c0d7dff7dfde849ad4 | c:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JHZV9TF5\x[1] |
5dd4110c9b6099c0d7dff7dfde849ad4 | c:\WINDOWS\system32\06.scr |
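The WSVCHO autorun entry in the Registry activity section combines two tells that are cheap to check for mechanically: an image name one edit away from a genuine Windows binary, and a path in a directory where no autostarted binary should live. The following is an added triage helper, not part of the Lavasoft report; the list of genuine process names, the expected directories, and the expansion of the report's %WinDir%/%System% placeholders to Windows XP paths are assumptions made for illustration.

```python
r"""Flag autorun entries that imitate Windows system binaries.

Added example, not part of the Lavasoft report. Reproduces the two tells in the
WSVCHO Run value: an image name one edit away from svchost.exe, and a path in
%WinDir%\system instead of %System%. Reference lists and path expansion are
assumptions (Windows XP layout).
"""
import ntpath

# Genuine Windows process names that malware commonly imitates (curated, assumed list).
SYSTEM_IMAGES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
    "services.exe", "spoolsv.exe", "explorer.exe", "mscorsvw.exe",
}
# Directories where those binaries legitimately live (lower case, XP layout assumed).
SYSTEM_DIRS = {
    r"c:\windows", r"c:\windows\system32",
    r"c:\windows\microsoft.net\framework\v2.0.50727",
}
# The legacy 16-bit directory; nothing autostarted on XP should live here.
LEGACY_DIR = r"c:\windows\system"


def expand_report_path(path):
    """Expand the %WinDir%/%System% placeholders used in the report (XP defaults assumed)."""
    return (path.replace("%System%", r"C:\WINDOWS\system32")
                .replace("%WinDir%", r"C:\WINDOWS"))


def edit_distance(a, b):
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_autorun(value_name, command):
    """Return the reasons an autorun entry deserves a closer look (empty list = nothing odd).

    `command` is taken to be a bare image path, as in the report; command-line
    arguments are not parsed off here.
    """
    directory, image = ntpath.split(expand_report_path(command).strip('"'))
    directory, image = directory.lower(), image.lower()
    reasons = []
    if image in SYSTEM_IMAGES and directory not in SYSTEM_DIRS:
        reasons.append(f"{value_name}: {image} is a system binary name but runs from {directory}")
    for genuine in sorted(SYSTEM_IMAGES):
        if image != genuine and edit_distance(image, genuine) <= 2:
            reasons.append(f"{value_name}: {image} is a lookalike of {genuine}")
    if directory == LEGACY_DIR:
        reasons.append(f"{value_name}: image lives in the legacy 16-bit directory {directory}")
    return reasons


if __name__ == "__main__":
    # The Run value from this report, plus a benign entry for contrast.
    for name, cmd in [("WSVCHO", r"%WinDir%\system\svhost.exe"),
                      ("Example", r"%System%\svchost.exe")]:
        print(name, classify_autorun(name, cmd) or "nothing unusual")
```

The edit-distance threshold of 2 catches single-character drops and swaps such as svhost/svchost and scvhost/svchost without matching unrelated short names; tighten it to 1 if the reference list grows to include many similar legitimate names.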
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses and is consulted before DNS. The modified file is 734 bytes in size. The following entry is added to the hosts file:
127.0.0.1 www.Brenz.pl
The entry pins www.Brenz.pl to loopback; note that the sample itself still contacts ilo.brenz.pl, a different host in the same domain (see Network Activity below).
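A hosts entry is honoured before any DNS query, so malware uses it either to blackhole names (mapping them to 127.0.0.1, as with www.Brenz.pl above) or to redirect them to an attacker-controlled address. The check below is an added example, not part of the report; its sample hosts content is constructed from the XP default header plus the entry listed above, and on a live system the same function would be run over the contents of %SystemRoot%\System32\drivers\etc\hosts.

```python
r"""Hosts-file anomaly check.

Added example, not from the Lavasoft report. SAMPLE_HOSTS is constructed: the
Windows XP default header followed by the entry the report lists.
"""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1 www.Brenz.pl
"""

# Names that are legitimately pinned to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (line_number, address_text, [hostnames]) for each active entry, comments stripped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        yield lineno, fields[0], [name.lower() for name in fields[1:]]


def find_anomalies(text):
    """Return (line_number, hostname, address, reason) for every mapping worth a look.

    Loopback/unspecified addresses on anything but the usual localhost names are
    blackholing; any other fixed address is a candidate redirection and should be
    compared against what the name really resolves to.
    """
    anomalies = []
    for lineno, addr_text, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            anomalies.append((lineno, " ".join(names), addr_text, "unparseable address"))
            continue
        for name in names:
            if addr.is_loopback or addr.is_unspecified:
                if name not in LOOPBACK_NAMES:
                    anomalies.append((lineno, name, addr_text, "blackholed to loopback"))
            else:
                anomalies.append((lineno, name, addr_text,
                                  "pinned to a fixed address (possible redirection)"))
    return anomalies


if __name__ == "__main__":
    for lineno, name, addr, reason in find_anomalies(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}: {reason}")
```

Entries of the second kind are not always malicious (administrators pin names too), which is why the function reports a reason rather than a verdict; the blackholing pattern against a name the sample itself never needs, as seen here, is the one that is rarely legitimate.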
Rootkit activity
The Trojan installs user-mode hooks on the following ntdll.dll exports; hooking these entry points lets it intercept file opens, process creation, device I/O and process-information queries made by the hooked process:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile
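On 32-bit Windows XP every Nt*/Zw* export in ntdll.dll begins with the same 15-byte system-call stub, so a user-mode hook of the kind listed above is visible as a control transfer (jmp, push/ret, mov eax/jmp eax) where that stub should be. The checker below is an added example, not from the report: the export addresses, module size and the NtClose system-call number are constructed for illustration, and the hook target is borrowed from one of the RWX regions dumped from 81.scr later in this report purely to make the scenario concrete.

```python
"""Detect user-mode hooks on ntdll.dll system-call stubs (32-bit Windows XP layout).

Added example, not part of the Lavasoft report. Export addresses, module size,
syscall numbers and the hook target below are constructed for illustration.
"""
import struct

#   B8 imm32        mov  eax, <system call number>
#   BA 00 03 FE 7F  mov  edx, 7FFE0300h   ; KUSER_SHARED_DATA.SystemCall
#   FF 12           call dword ptr [edx]
#   C2 imm16        ret  <bytes of arguments to pop>
STUB_MIDDLE = bytes.fromhex("BA0003FE7FFF12")


def make_clean_stub(syscall_number, arg_bytes):
    """Build a genuine-looking XP stub (used here only to produce sample input)."""
    return (b"\xB8" + struct.pack("<I", syscall_number) + STUB_MIDDLE
            + b"\xC2" + struct.pack("<H", arg_bytes))


def make_jmp_hook(address, target):
    """Build the 5-byte `jmp rel32` an inline hook writes over the stub at `address`."""
    return b"\xE9" + struct.pack("<i", target - (address + 5))


def classify_stub(name, address, code):
    """Classify the first bytes of an ntdll export; 'clean', 'hooked' (with target) or 'unknown'."""
    result = {"function": name, "address": address}
    if len(code) >= 15 and code[0] == 0xB8 and code[5:12] == STUB_MIDDLE and code[12] == 0xC2:
        result.update(status="clean", syscall=struct.unpack_from("<I", code, 1)[0])
    elif len(code) >= 5 and code[0] == 0xE9:                        # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        result.update(status="hooked", kind="jmp rel32", target=(address + 5 + rel) & 0xFFFFFFFF)
    elif len(code) >= 6 and code[:2] == b"\xFF\x25":                # jmp dword ptr [abs32]
        result.update(status="hooked", kind="jmp [abs32]", target=struct.unpack_from("<I", code, 2)[0])
    elif len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:    # push imm32 / ret
        result.update(status="hooked", kind="push/ret", target=struct.unpack_from("<I", code, 1)[0])
    elif len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":  # mov eax, imm32 / jmp eax
        result.update(status="hooked", kind="mov eax/jmp eax", target=struct.unpack_from("<I", code, 1)[0])
    else:
        result.update(status="unknown")
    return result


def in_foreign_region(result, module_base, module_size):
    """True when a hook target lies outside the hooked module's own image."""
    return (result.get("status") == "hooked"
            and not module_base <= result["target"] < module_base + module_size)


# Constructed scenario: ntdll.dll at its usual XP SP3 base; size and RVAs are illustrative.
NTDLL_BASE, NTDLL_SIZE = 0x7C900000, 0xB2000
HOOK_TARGET = 0x299F9000   # one of the RWX regions dumped from 81.scr in this report
EXPORTS = {
    "NtCreateFile":    (0x7C90D090, make_jmp_hook(0x7C90D090, HOOK_TARGET)),
    "NtCreateProcess": (0x7C90D0D0, make_jmp_hook(0x7C90D0D0, HOOK_TARGET)),
    "NtClose":         (0x7C90CFD0, make_clean_stub(0x19, 4)),   # syscall number illustrative
}


def scan(exports=EXPORTS):
    return [classify_stub(name, addr, code) for name, (addr, code) in exports.items()]


if __name__ == "__main__":
    for r in scan():
        note = " (target outside ntdll)" if in_foreign_region(r, NTDLL_BASE, NTDLL_SIZE) else ""
        print(r["function"], r["status"], r.get("kind", ""), hex(r.get("target", 0)), note)
```

In ntdll.dll the Nt* and Zw* names are two exports of the same code, so the ZwOpenFile hook listed above is the same patch a scanner would report for NtOpenFile. A target outside the module's own image, as in the constructed case, is the strongest signal; a target inside ntdll can still be a hook that trampolines through a code cave, so compare the in-memory bytes with the on-disk copy before clearing an export.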
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
mscorsvw.exe:1912
svhost.exe:440
%original file name%.exe:1664
06.scr:404
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\drivers\sysdrv32.sys (392 bytes)
%WinDir%\system\svhost.exe (46100 bytes)
%System%\06.scr (see Dropped PE files)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WSVCHO" = "%WinDir%\system\svhost.exe"
- Delete the SVCWINSPOOL keys under [HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal] and [HKLM\System\CurrentControlSet\Control\SafeBoot\Network].
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Ntbldqemvaxp & co.
Product Name: Id-Gmkvldejfjzlm
Product Version:
Legal Copyright: Copyright Dwfunfiwberc
Legal Trademarks: Gmkvldejfjzlm is a trademark of Eqxpthqkbbnc
Original Filename:
Internal Name:
File Version: 25.1.1.25
File Description: Mnlatwdy
Comments: comment on Oewcvwtgdqmdj
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 34108 | 34304 | 4.20918 | ffc08f10ee3a1b9d790572b3a46488b5 |
.data | 40960 | 144 | 512 | 0.831186 | 28f29d4150b83e7faae233a71c5cab15 |
.rdata | 45056 | 9272 | 9728 | 3.95241 | f652035f54b3a74c89f7bb1cb907d4d2 |
.bss | 57344 | 297092 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 356352 | 4868 | 5120 | 3.6057 | 0d5c3df1017a50cd5a6baab82c884d87 |
.ndata | 364544 | 688128 | 8192 | 0 | 0829f71740aab1ab98b33eae21dee122 |
.rsrc | 1052672 | 3400 | 3584 | 2.94887 | 91e004f8cc73e6a0357bd203965b2d05 |
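Two rows of the table above carry the whole story of the container: .bss has a raw size of 0 and a section MD5 of d41d8cd98f00b204e9800998ecf8427e, which is the MD5 of empty input, and .ndata reserves 688128 bytes of virtual space backed by only 8192 bytes on disk, the runtime data area that NSIS installers use (consistent with the nsis.sf.net and verifying installer strings in the dumps). The parser below is an added example, not from the report: it rebuilds a section table from four of the report's own rows (file offsets and characteristics are assumed), reads it as IMAGE_SECTION_HEADER records, and applies the heuristics that the entropy/size columns invite.

```python
"""Parse a PE section table and flag the size/entropy patterns seen in the report.

Added example, not part of the Lavasoft report. SAMPLE_TABLE is rebuilt from the
report's virtual address/size and raw size columns; PointerToRawData and
Characteristics values are assumed. On a real file, read NumberOfSections
40-byte entries starting right after the optional header.
"""
import hashlib
import math
import struct

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x20, 0x40, 0x80
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
EMPTY_MD5 = hashlib.md5(b"").hexdigest()        # what a zero-raw-size section hashes to


def build_header(name, vsize, vaddr, rawsize, rawptr, flags):
    """Pack one IMAGE_SECTION_HEADER (relocation/line-number fields zeroed)."""
    return SECTION_HEADER.pack(name.encode().ljust(8, b"\0"), vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)


RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
SAMPLE_TABLE = b"".join([   # four rows from the report; rawptr/flags assumed
    build_header(".text",  34108,  4096,   34304, 0x400,  IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    build_header(".data",  144,    40960,  512,   0x8A00, IMAGE_SCN_CNT_INITIALIZED_DATA | RW),
    build_header(".bss",   297092, 57344,  0,     0,      IMAGE_SCN_CNT_UNINITIALIZED_DATA | RW),
    build_header(".ndata", 688128, 364544, 8192,  0x8C00, IMAGE_SCN_CNT_UNINITIALIZED_DATA | RW),
])


def parse_section_table(blob, count):
    """Decode `count` section headers from `blob` into dicts."""
    sections = []
    for i in range(count):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = SECTION_HEADER.unpack_from(blob, i * SECTION_HEADER.size)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_pointer": rawptr, "characteristics": flags})
    return sections


def shannon_entropy(data):
    """Bits per byte, 0.0 for uniform content up to 8.0 for a flat byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def flag_sections(sections, file_bytes=None):
    """Return (section name, reason) pairs for the patterns worth a look."""
    findings = []
    for s in sections:
        name, flags = s["name"], s["characteristics"]
        if s["raw_size"] == 0:
            findings.append((name, f"no file-backed data, filled at run time (section hash will be {EMPTY_MD5})"))
        elif s["virtual_size"] > 8 * s["raw_size"]:
            findings.append((name, f"virtual size {s['virtual_size'] // s['raw_size']}x raw size: space reserved for unpacking/staging"))
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append((name, "writable and executable"))
        if file_bytes is not None and s["raw_size"]:
            ent = shannon_entropy(file_bytes[s["raw_pointer"]:s["raw_pointer"] + s["raw_size"]])
            if ent > 7.2:
                findings.append((name, f"entropy {ent:.2f}: compressed or encrypted content"))
    return findings


if __name__ == "__main__":
    for name, reason in flag_sections(parse_section_table(SAMPLE_TABLE, 4)):
        print(f"{name}: {reason}")
```

The report labels the whole file "Packed" on entropy, yet every section in the table has entropy below 4.3: the installer stub itself is plain, and the 13 MB of compressed payload that drives the verdict sits in the NSIS data appended after the last section, outside the section table, which is why a per-section view alone can miss it.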
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
a.vspcord.com | 195.22.26.252 |
ilo.brenz.pl | 148.81.111.121 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The Trojan connects to the servers at the following location(s):
Strings from Dumps
Note: the process name and PID in the dump headers below (81.scr, PID 3472) differ from the 06.scr:404 process in the dynamic-analysis section above; the dumps were taken from a separate execution of the sample, so the two-digit .scr name should be treated as variable.
%original file name%.exe_1664:
.text
0`.data
.rdata
0@.bss
.idata
.ndata
.rsrc
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
*?|/":
%s=%s
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
>-"-*-&-6
.aJFKx
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyA
RegOpenKeyExA
GetWindowsDirectoryA
SHFileOperationA
ShellExecuteA
ExitWindowsEx
ADVAPI32.dll
COMCTL32.DLL
GDI32.dll
KERNEL32.dll
ole32.dll
SHELL32.DLL
USER32.dll
VERSION.dll
c:\%original file name%.exe
%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj7E.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
Laban answered and said unto J
25.1.1.25
81.scr_3472:
%Xw;=~
.COU$L7
KERNEL32.DLL
4 5. /."/6"7
: ;"?
!9I%f
.uL2/
p/j/%c
81.scr_3472_rwx_299F5000_00001000:
KERNEL32.DLL
81.scr_3472_rwx_299F9000_00009000:
)KERNEL32.dll
)USER32.dll
)ADVAPI32.dll
RegCreateKeyExA
RegOpenKeyExA
RegCloseKey
)SHELL32.dll
ShellExecuteExA
ShellExecuteA
)WSOCK32.dll
)MPR.dll
)SHLWAPI.dll
)RPCRT4.dll
)COMCTL32.dll
)ntdll.dll
)MSVCRT.dll
_acmdln
EPSShSS
81.scr_3472_rwx_29A07000_00006000:
sysdrv32.sys
\sysdrv32.sys
Windows for Workgroups 3.1a
WORKGROUPlQPxf2ISQgEV1bGKWindows 2000 2195
Windows 2000 5.0
Windows 2000 2195
HTTP/1.0 200 OK
Content-Type: %s
Date: %s %s GMT
Last-Modified: %s %s GMT
Expires: %s %s GMT
Portuguese
\\%s\%s
onQhurlmT
PRIVMSG
s.start
s.stop
%s %s
%s\%s
dnsapi.dll
-;58
Windows NT Remote Printers
Impresoras remotas Windows NT
Impresoras remotas de Windows NT
Stampanti remote di Windows NT
Imprimantes distantes pour Windows NT
Impr. remotas Windows NT
Impressoras remotas do Windows NT
Imp. remotas do Windows NT
81.scr_3472_rwx_29AA4000_0050A000:
x"Œ
81.scr_3472_rwx_29FB5000_00007000:
4 5. /."/6"7
: ;"?