Trojan.Generic.11720688_b7c53c4300 – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1756

The Trojan injects its code into the following process(es):

MENDES~1.EXE:1772

Mutexes

The following mutexes were created/opened:

ShimCacheMutex

File activity

The process %original file name%.exe:1756 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PBBR.exe (3286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\MENDES~1.EXE (13304 bytes)

Registry activity

The process MENDES~1.EXE:1772 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 45 C0 4A 95 77 D4 9D 24 52 EF D6 5D 6B DB D1"

[HKCU\MendesDowns[www.MendesDowns.blogspot.com]]
"C-INJECTOR-1.1" = ""

The process %original file name%.exe:1756 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D D8 7E 80 3B 34 12 8E C3 15 3F CC 94 54 7E 1C"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

Dropped PE files

MD5	File path
7f0ed174dbf5456a17323cce1a7a16b7	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\MENDES~1.EXE
9086552c724729a761cfad23b371a091	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\PBBR.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1756
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PBBR.exe (3286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\MENDES~1.EXE (13304 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Microsoft Corporation
Product Name: Internet Explorer
Product Version: 11.00.9600.16428
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE .MUI
Internal Name: Wextract
File Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)

Company Name: Microsoft CorporationProduct Name: Internet ExplorerProduct Version: 11.00.9600.16428Legal Copyright: (c) Microsoft Corporation. All rights reserved.Legal Trademarks: Original Filename: WEXTRACT.EXE .MUIInternal Name: Wextract File Version: 11.00.9600.16428 (winblue_gdr.131013-1700)File Description: Win32 Cabinet Self-Extractor Comments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	26060	26112	4.42567	e9bf1a1e456a9a811b1b86e6602e3636
.data	32768	6796	1024	2.20139	317f8a934ee443eee01c2a315bde9ca1
.idata	40960	4216	4608	3.49941	d8675ba112ef922c6057a02546757a1a
.rsrc	49152	454047	454144	5.46165	f2665e742d33a9f359a1f226a8da638f
.reloc	503808	5038	5120	2.58043	83de2f9b2c95be6fea06bced7e8a058e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1756:

.text

`.data

.idata

@.rsrc

@.reloc

Invalid parameter passed to C runtime function.

advapi32.dll

setupx.dll

setupapi.dll

advpack.dll

wininit.ini

Software\Microsoft\Windows\CurrentVersion\App Paths

ADMQCMD

USRQCMD

FINISHMSG

IXPd.TMP

msdownld.tmp

TMP4351$.TMP

wextract.pdb

PSSSSSSh

SSSh

PSSShp

PSShp

rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"

System\CurrentControlSet\Control\Session Manager\FileRenameOperations

wextract_cleanup%d

Command.com /c %s

rundll32.exe %s,InstallHinfSection %s 128 %s

Software\Microsoft\Windows\CurrentVersion\RunOnce

%s /D:%s

PendingFileRenameOperations

SHELL32.DLL

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\

RegCreateKeyExA

RegOpenKeyExA

RegQueryInfoKeyA

RegCloseKey

ADVAPI32.dll

GetWindowsDirectoryA

KERNEL32.dll

GDI32.dll

ExitWindowsEx

MsgWaitForMultipleObjects

USER32.dll

_amsg_exit

_acmdln

msvcrt.dll

COMCTL32.dll

Cabinet.dll

VERSION.dll

MENDES~1.EXE

PBBR.exe

d.HvZg

2`.IM

.pD4TE

Mm).qA_

Wk.RWXb

.qcQ;

l.vEj

u%FQ,z`

5,t.xE

:%fz?

y.DW`

}\5j.jLQY

xz2b/%Uq

f2:*%x#

=.ITV

.gQ^z

.ejLC.

5>u.Cw

v.vNP[u

{.UFFx

\|.%D

.ZiDB

83x-%s

:V.hOv

-W6L%S

^9.hE

Jb%0sR

CMd:h

X.Kkn

i%U4RS

]%F X

q.Ay&

-%SL&e2

.wcE*3

zH'Q%7X

F&;Us.pm

f4%C@_

-%PhF.Vb>

L.jms

cn8%F-

mK%3SN

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

Kernel32.dll

Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.

CFailed to get disk space information from: %s.

System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?

8Unable to retrieve operating system version information.!Memory allocation request failed.

Filetable full.ÃŠn not change to destination folder.

Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.OFalha ao obter informa

o em disco de: %s.

Mensagem do sistema: %s..Um recurso necess

o pode ser encontrado.#Tem certeza de que deseja cancelar?

o do sistema operacional.'Falha do pedido de aloca

O arquivo de gabinete (.cab) n

vel encontrar uma unidade com %s KB de espa

o.NPasta inv

lida. Certifique-se de que a pasta existe e de que permite grava

o.ZEspecifique uma pasta com um nome de caminho totalmente qualificado ou clique em Cancelar.

!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.

(Error creating process . Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.

Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install

Could not create folder '%s'

To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.

o da pasta.QN

logo do navegador.RN

vel carregar Shell32.dll, necess

)Erro ao criar o processo . Causa: %s7N

suporte para o tamanho do cluster deste sistema..Um recurso necess

rio parece estar corrompido.IA instala

o requer o Windows 95 ou o Windows NT 4.0 beta 2 ou posterior.

Erro ao carregar %smFalha de GetProcAddress() na fun

o '%s'. Poss

o incorreta de advpack.dll est

sendo usada.>O Windows 95 ou o Windows NT

vel criar a pasta '%s'

precisa de %s KB de espa

o livre na unidade %s.

Error retrieving Windows folder

$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .

System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.

$Erro ao recuperar a pasta do Windows

*Desligamento do NT: erro OpenProcessToken./Desligamento do NT: erro AdjustTokenPrivileges.'Desligamento do NT: erro ExitWindowsEx.

o em disco insuficiente para arquivo de permuta) ou arquivo de gabinete (.cab) corrompido._As informa

es de volume da unidade (%s) n

Mensagem do sistema: %s.

o e tente novamente.pO programa de instala

/C: -- Override Install Command defined by author.

eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?

Could not find the file: %s.

pia do pacote '%s' j

sendo executada no sistema. Deseja executar outra c

vel encontrar o arquivo: %s.

:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.

xito quando executadas por um administrador.

(A pasta '%s' n

sendo executada no sistema. Apenas uma c

pia pode ser executada de cada vez.PO pacote '%s' n

o do Windows que est

sendo executada.FO pacote '%s' n

o do arquivo: %s do sistema.

11.00.9600.16428 (winblue_gdr.131013-1700)

WEXTRACT.EXE .MUI

11.00.9600.16428

MENDES~1.EXE_1772:

.idata

.rdata

P.reloc

P.rsrc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

u%CNu

%s_%d

EInvalidGraphicOperation

USER32.DLL

windows

comctl32.dll

uxtheme.dll

%s%s%s%s%s%s%s%s%s%s

Proportional

MAPI32.DLL

OnKeyDown

OnKeyPressd

OnKeyUp

UhV%C

Uh

RICHED32.DLL

PasswordChar

ssHorizontal

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeyword

crSQLWait

%s (%s)

imm32.dll

AutoHotkeys

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState

tagMSG

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

Vh8%F

vcltest3.dll

User32.dll

1.2.3

Portable Network Graphics

ole32.dll

olepro32.dll

OnActionExecute

opexeP

MendesDowns[VVV.MendesDowns.blogspot.com]

em execu

Mendes DLL Injector * CMD *

VVV.MendesDowns.blogspot.com

sendo executado no Momento!!!

NomeDoProcesso.exe

hXXp://mendesdowns.blogspot.com

user32.dll

GetKeyboardType

advapi32.dll

RegOpenKeyExA

RegCloseKey

RegFlushKey

RegCreateKeyExA

GetCPInfo

version.dll

gdi32.dll

SetViewportOrgEx

UnhookWindowsHookEx

SetWindowsHookExA

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

EnumWindows

EnumThreadWindows

ActivateKeyboardLayout

winspool.drv

shell32.dll

ShellExecuteA

comdlg32.dll

VVV.mendesfiles.blogspot.com

0&0.060^0

5 6m6U6s6z6

= =$=(=,=0=4=8=

: ;';];|;

;#;';=;`;

52666:6@6

2&3*3.363

0(1,10141

? ?$?2?:?

5"5-525=5

333333333333333333

33333833

3333339

3333333333333338

:*"*"$3338

3333333

33333333

33333333333

3333333333338

33338?383

333333333333

:*3:"$3338

333333333333333

KWindows

UrlMon

' .:: VVV.MendesDowns.blogspot.com ::.

Font.Charset

Font.Color

Font.Height

Font.Name

Font.Style

Icon.Data

Picture.Data

fKa/-Au}

&.moUB

Procurar por Execut

Lines.Strings

opexe

Arquivos Execut

veis [ *.exe ]|*.exe

!Arquivos tipo DLL [ *.dll ]|*.dll

Mendes CMD

Processo.exe

OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters

OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s

UThis "Portable Network Graphics" image is invalid because it has missing image parts.[Could not decompress the image because it contains invalid compressed data.

Description: BThe "Portable Network Graphics" image contains an invalid palette.

The file being readed is not a valid "Portable Network Graphics" image because it contains an invalid header. This file may be corruped, try obtaining it again.nThis "Portable Network Graphics" image is not supported or it might be invalid.

This "Portable Network Graphics" image is not supported because either it's width or height exceeds the maximum size, which is 65535 pixels length.

There is no such palette entry.dThis "Portable Network Graphics" image contains an unknown critical part which could not be decoded.pThis "Portable Network Graphics" image is encoded with an unknown compression scheme which could not be decoded.cThis "Portable Network Graphics" image uses an unknown interlace scheme which could not be decoded.-The chunks must be compatible to be assigned.jThis "Portable Network Graphics" image is invalid because the decoder found an unexpected end of the file.8This "Portable Network Graphics" image contains no data.oSome operation could not be performed because the system is out of resources. Close some windows and try again.OThis operation is not valid because the current image contains no valid header.4The new size provided for image resizing is invalid.

No help keyword specified.jThis "Portable Network Graphics" image is not valid because it contains invalid pieces of data (crc error)yThe "Portable Network Graphics" image could not be loaded because one of its main piece of data (ihdr) might be corrupted

/Menu '%s' is already being used by another form

Error setting %s.Count8Listbox (%s) style must be virtual in order to set Count"Unable to find a Table of Contents

No help found for %s#No context-sensitive help installed$No topic-based help system installed

Unable to insert a line Clipboard does not support Icons

Text exceeds memo capacity.There is no default printer currently selected

%s on %s@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active*A control cannot have itself as its parent

Invalid operation on TOleGraphic

Unsupported clipboard format

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Error reading %s%s%s: %s

Failed to get data for '%s'

Failed to set data for '%s'

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

Invalid data type for '%s' List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d) Out of memory while expanding memory stream

Ancestor for '%s' not found

Cannot assign a %s to a %s

Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

External exception %x

Interface not supported

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value

I/O error %d

Integer overflow Invalid floating point operation

1.1.0.0

1.0.0.0

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps