Gen.Trojan.Heur.MR.cvZaeir6fO_bed2e85383

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Trojan creates the following process(es):

server.exe:980
%original file name%.exe:644

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process server.exe:980 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\system.ini (72 bytes)

The process %original file name%.exe:644 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\7bebte13352740412.jpg (2368 bytes)

Registry activity

The process server.exe:980 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Aas]
"a1_0" = "3432392762"
"a1_3" = "369175827"
"a1_4" = "3854877565"

[HKCU\Software\Aas\695404737]
"35845605" = "387"

[HKCU\Software\Aas]
"a1_6" = "1444987664"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKCU\Software\Aas]
"a1_2" = "1147964647"
"a3_6" = "59977839"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Aas\695404737]
"50183847" = "8D047AF7229C9B8962BA0482D99D368E2F27DA435BE2A7386A33EDC80BF5E291731E9D01A5491DAF960D9F12BEF04EC6593B061C5B93136EC6BFEC34C08A20B0C1FA17DCC2BD245ECA59601A83B2A1E4EA6D8C1E0D407E7C34901CE485312CA99533EF94DBD09BAC13BC887C7B5FA8BD183F0B60FDAC439D9A828FBE91ABBD7D"

[HKCU\Software\Aas]
"a3_4" = "11991981"

[HKCU\Software\Aas\695404737]
"43014726" = "0A00687474703A2F2F63696B6D61796564656B70617263612E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F6272756365676172726F642E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F6362626173696D6576692E636F6D2F696D616765732F6C6F676F732E67696600687474703A2F2F6272616E64616F656D61746F732E636F6D2E62722F696D616765732F6C6F676F692E67696600687474703A2F2F6361676C617274656B6E696B2E636F6D2F6C6F676F732E67696600687474703A2F2F6268617261746973616E676C692E696E2F6C6F676F692E67696600687474703A2F2F636163732E6F72672E62722F6E6F766F736974652F6C6F676F732E67696600687474703A2F2F62757461636D2E676F2E726F2F6C6F676F732E67696600687474703A2F2F626F7961626174656D6C2E6B31322E74722F696D616765732F6C6F676F732E67696600687474703A2F2F636173627967726F75702E636F6D2F696D616765732F6C6F676F732E676966"

[HKCU\Software\Aas]
"a3_2" = "31040235"
"a3_3" = "4933386"
"a3_0" = "17001001"
"a3_1" = "23989832"
"a1_1" = "1313561096"

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a4_4" = "28676484"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"

[HKCU\Software\Aas]
"a1_5" = "1008453933"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "121"

"21507363" = "0"
"28676484" = "35"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 09 4B AC F7 42 EB 7D B3 06 22 C8 65 83 F7 01"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas]
"a2_6" = "43012043"
"a2_5" = "35840104"
"a2_4" = "28673033"
"a2_3" = "21510318"
"a2_2" = "14343503"
"a2_1" = "7172588"
"a2_0" = "5517"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_5" = "35845605"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Aas]
"a4_6" = "43014726"
"a4_1" = "7169121"
"a4_0" = "0"
"a4_3" = "21507363"
"a4_2" = "14338242"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

[HKCU\Software\Aas]
"a3_5" = "52535244"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%]
"server.exe" = "%Program Files%\server.exe:*:Enabled:ipsec"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Task Manager is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"

The process %original file name%.exe:644 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%]
"server.exe" = "server"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

Dropped PE files

MD5	File path
6f7579cefe21cfbc49dd04a63b8e9b67	c:\Program Files\Bifrost\server.exe
6f7579cefe21cfbc49dd04a63b8e9b67	c:\Program Files\server.exe
8dea3996e6b899a61f0c0419a04571cf	c:\%original file name%.exe

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses. The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1	www.Brenz.pl

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):

   server.exe:980
   %original file name%.exe:644

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:

   %WinDir%\system.ini (72 bytes)
   %Program Files%\7bebte13352740412.jpg (2368 bytes)

5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
   
6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	71390	71680	4.54235	b26d39d2859847255e0be66216bf13bc
.rdata	77824	7173	7680	3.37149	900a9e8d169dca2c262fcf9aaeeb4777
.data	86016	65324	512	2.44253	67da0eee7a0eeddbb8255b277e6a2b2e
.CRT	151552	16	512	0.147711	f37caedd772bbb624d915f04f60d24a0
.rsrc	155648	16384	16384	2.5708	4f2f3f3436481fe4d2bf2c88ff76e6ec

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps